How $500,000 was stolen via a PC from Estate Agent’s Trust Account

Home / Blog / IT security news / How $500,000 was stolen via a PC from Estate Agent’s Trust Account
How $500,000 was stolen via a PC from Estate Agent’s Trust Account

It’s a business owner’s nightmare scenario—malware innocently downloaded onto a work computer starts recording keystrokes and soon, company bank account details and passwords are in the hands of a thief.

For one Perth real-estate agent yesterday, it was only his well establish business processes, an astute staff member and lucky timing that stopped the $500,000 from being transferred out of the bank’s system after it had left their bank account. The alarm was raised just in time for the bank to freeze and reverse the transaction Acting Commissioner for Consumer Protection David Hillyard said yesterday. Here’s a link to the Department of Commerce warning about this to local Australian businesses.

Hackers directly targeting online banking account is on the rise. Last week, Andrew ‘Twiggy’ Forrest warned Australians to be careful after hackers installed malware and redirect a payment $615,000 from his accounts to the scammer’s control.

Online scammers are increasingly targeting businesses that are known to process financial payments like real estate agents (and mining magnates). But in fact all businesses are equal targets. Where money is moving around, online accounts are being accessed by people in the business, and often these people presume their security is adequate and so it becomes an afterthought. Most organisations can only afford generalist IT staff, or they outsource the security problem to their IT provider or cloud providers. Specialist security services are costly and good security advice is hard to find.

To realistically avoid attacks like this it requires vigilance, awareness, up to date security software, good business processes and a long list of sound online behaviours. Ultimately, even with good security software and practices, it can still only take one person to unknowingly click the wrong link and the malware gets in—it’s an error anyone can make.

The IT security industry is now warning organisations to presume the perimeter of the network is impossible to lock down fully. The fall back position is to provide tigher internal security to protect core information assets, such as bank login details.

It’s why BankVault Business makes sense for many organisations who can’t afford the risk of cash flow issues caused by a cyber hacker.

Attackers are continually evolving fresh approaches that any of us can fall for.

It is likely the attacks on Twiggy and the real estate agent were targeted. An attacker may use email to deliver the malware payload to someone they’ve been softening up. They will study an organisation and will often call its customer contact numbers over a period of time gathering intelligence, learning names, positions and useful business information, which can then be used to craft a targeted email which is convincing.

The simplest example of this might be someone who phones into your organisation pretending to be a potential customer, introduces themselves and proposes sending you a follow up email with some relevant personal information. They use clever psychology and develop an email which you’d naturally be inclined to open and click. The malware downloads and executes.

A more sophisticated way is to deliver a hackers payload is via your browser when you simply visit a website. The hack is embedded in one of the images. Anti-virus software will never pick this up. This year Google Research announced that Trend Micro anti-virus was the attack vector allowing remote hackers to install any packages they want onto your PC.

So how do you avoid attacks when the hackers are forever evolving better techniques?

Do the basics well. And use BankVault to be safe.

The ‘security advice’ you hear all the time is still really important—use reputable security software, keep it up to date, implement good security and business processes, incorporate your bank’s security capabilities like 2-factor authentication and security tokens—and foster a security culture amongst your colleagues. Suspicions and instincts are worth acting on—in both these examples, people’s instincts resulted in the attack being stopped.

Most attacks focus on the bank account end users, not the banks, because end user is by far the weakest point.

This article was first published by BankVault CEO, Graeme Speak, on LinkedIn.