


Ubiquiti Networks victim of $39 million social engineering attack

News Analysis
Aug 07, 2015 | 5 mins
Cybercrime, Data Breach, Fraud


Ubiquiti Networks Inc., the San Jose-based manufacturer of high-performance networking technology for service providers and enterprises, announced in its fourth quarter fiscal results that it was the victim of an email business fraud incident resulting in the loss of $39.1 million.

In its Form 8-K filings to the SEC, the company stated it became aware on June 5th 2015 that it was the victim of a “criminal fraud”. It appears a member of staff in one of its subsidiary companies based in Hong Kong fell victim to what is known as a “CEO scam” or a “Business Email Compromise (BEC)” attack.

As outlined in this Brian Krebs post, a CEO scam is where criminals either hijack or impersonate the email of a senior member of staff within the organization. They then target someone in the financial department, or someone who has authority to initiate wire transfers, and fool them into transferring large amounts of money from the company’s bank accounts into bank accounts controlled by the criminals. Very often the emails will state that a vendor, or other entity the target company deals with, has changed their banking details and that future payments should be transferred to the accounts which the criminals control.

In its SEC filing, Ubiquiti Networks outlines how the fraud occurred and says “The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.”

When it became aware of the breach, Ubiquiti Networks contacted its financial institutions and also law enforcement agencies. So far it has recovered $8.1 million of the stolen money, with an additional $6.8 million “currently subject to legal injunction and reasonably expected to be recovered by the Company in due course”.

Ubiquiti also conducted its own independent investigation with the assistance of external third parties, which concluded on July 17th. That investigation “uncovered no evidence that our systems were penetrated or that any corporate information, including our financial and account information, was accessed. The investigation found no evidence of employee criminal involvement in the fraud” but that “the company’s internal control over financial reporting is ineffective due to one or more material weaknesses.” The company has subsequently “implemented enhanced internal controls over financial reporting since June 5, 2015 and is in the process of implementing additional procedures and controls pursuant to recommendations from the investigation”.

Ubiquiti is not the first company to fall victim to such an attack. These types of attacks have become so common that in January of this year the FBI issued a warning to businesses to be aware of them. In its warning the FBI states that there were 2126 victims of this type of fraud in 2013, with 1198 being in the United States, with losses totalling up to $214,972,503.

The FBI gives the following advice to avoid falling victim to this scam:

  • Avoid Free Web-Based E-mail: Establish a company web site domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out of office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and Financial security procedures and 2-step verification processes. For example:
    • Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
    • Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
    • Digital Signatures: Both entities on either side of transactions should use digital signatures. However, this will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
    • Delete Spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
    • Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
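Several of these warning signs can be checked mechanically before a payment request reaches a finance inbox. The following is an added example, not part of the FBI advisory or the original article: it flags a free-webmail sender, a Reply-To domain that differs from the From domain, an executive's name arriving from outside the company domain, pressure or secrecy wording, and a claimed change of payment details. The company domain, executive name, keyword lists and both sample messages are constructed assumptions, and a hit is a prompt for out-of-band verification rather than proof of fraud.

```python
from email import message_from_string
from email.utils import parseaddr

# Every value below is an assumption made for this example.
COMPANY_DOMAIN = "example-corp.test"      # hypothetical company mail domain
EXECUTIVES = {"jane doe"}                 # hypothetical executive display names
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
PRESSURE = ("urgent", "confidential", "secret", "immediately")
PAYMENT_CHANGE = ("bank details", "banking details", "new account", "wire transfer")

def _domain(address):
    return address.rpartition("@")[2].lower()

def bec_indicators(raw_message):
    """Return the sorted names of the BEC warning signs found in one message."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    from_dom = _domain(sender)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    # Subject plus unencoded text/plain parts, lower-cased for keyword matching.
    parts = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    text = (msg.get("Subject", "") + " " + " ".join(parts)).lower()
    checks = {
        "free_webmail_sender": from_dom in FREE_WEBMAIL,
        # Pressing "Reply" would send the answer to a different domain.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "executive_name_external_domain":
            display.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN,
        "pressure_or_secrecy": any(t in text for t in PRESSURE),
        "payment_detail_change": any(t in text for t in PAYMENT_CHANGE),
    }
    return sorted(name for name, hit in checks.items() if hit)

# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@gmail.com>
Reply-To: jd.office@mail-example.test
Subject: Urgent wire transfer

Please keep this confidential. Our vendor has changed their bank details.
"""
BENIGN = """\
From: "Jane Doe" <jane.doe@example-corp.test>
Subject: Q4 board deck

Slides attached for Thursday.
"""

if __name__ == "__main__":
    print(bec_indicators(SUSPICIOUS), bec_indicators(BENIGN))
```
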

Given the impact such an attack can have on a business, it would be prudent for companies to review their internal financial controls and ensure effective security awareness training is given to staff with key roles in the organisation.

Brian Honan

Brian Honan is an independent security consultant based in Dublin, Ireland, and is also the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor on Internet Security to Europol's Cybercrime Centre (EC3), and an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The CSA Guide to Cloud Computing" and "The Cloud Security Rules". He is a regular speaker at major industry conferences. In 2013 Brian was awarded SC Magazine Information Security Person of the year for his contribution to the computer security industry.
