Spear Phishing — A Threat to Hedge Funds & Private Equity Firms

The U.S. government recently confirmed Russian agents continue to use simple, yet effective spear phishing tactics against political targets, and it remains a looming threat to us all. As long as individuals make simple mistakes like clicking on a malicious link in an email, bad actors will stick with the same basic spear phishing schemes.

A federal indictment handed down from Robert S. Mueller III, former director of the F.B.I., unveiled how Russian agents carried out spear phishing attacks to trick Democratic party workers into sharing their login credentials. The Russian agents used real-looking email addresses to send messages with malicious links designed to collect sensitive information, which allowed them to access the Democratic party, and polling office computer networks. Once inside, the bad actors installed malware and additionally stole confidential political documents and emails. The agents later released the documents and emails to the public to interfere with the 2016 U.S. Presidential election. One spear phishing attack dictated in the indictment involved bad actors who sent a fake Google security notification to John Podesta, the chairman of Hillary Clinton’s 2016 presidential campaign, which resulted in his assistant clicking on the link and typing in Podesta’s login credentials.

Hedge Fund Spear Phishing

Bad actors also use these tried-and-true spear phishing attacks against Hedge Fund and Private Equity firms to steal their cash by compromising the internal wire transfer process. 

According to some legal filings, Tillage Commodities Hedge Fund lost nearly $6 million to a spear phishing attack when SS&C, their outsourced third-party fund administrator, was duped into handing over Tillage’s funds to Chinese bad actors. Again, according to some of the legal filings, SS&C—who had policies in place to prevent successful Business Email Compromise cyberattacks—failed to follow them and helped the bad actors correct their wire transfer instructions so their fraudulent request would work.

What is Business Email Compromise?

Business Email Compromise (BEC) is a sophisticated scheme where bad actors target organizations and individuals who perform wire transfer payments. BEC involves bad actors who either compromise a business email account or create a similar-looking email account to wire fraudulent accounts across the globe. According to the FBI, Business Email Compromise is a nearly $3.5 billion global problem annually, cumulating in $12.5 billion in losses since 2013.

Even though Tillage Commodities never wired money outside of the U.S. previously, SS&C hedge fund administrators didn’t pick up on the anomaly. When the first wire transfer—headed to a “Haoran Technologies” account at Hang Seng Bank in Hong Kong—failed, SS&C admins cooperated with bad actors to amend the instructions with a new bank, HSBC, in the same region, allowing it to go through.

To obtain the $6 million, bad actors created an email address similar to Tillage’s, with the addition of a third “L,” and sent an amateur spear phishing message, “Can you please process the attached International Business Establishment. We are funding HAORAN TECHNOLOGY LIMITED. Please leave me a mail to confirm this and the wire will go out today.”

Armed with only a computer and internet access, bad actors send personalized spear phishing emails to our hedge fund and private equity clients. Using publicly available info, bad actors craft real-looking spear phishing emails which prompt the recipient to click on a malicious link or open a malware-ridden file attachment. Once the target’s login credentials are obtained, and the email account is compromised, the bad actor looks for the key players in the wire transfer process, and hunts down any pending financial transactions. When the timing is right, the bad actor either initiates or intervenes in the firm’s wire transfer process. They do this by sending an email from the compromised account, or by using a fictitious email address which looks similar to the intended party’s. They also reroute and hide email messages to prevent getting caught.

Phishing Awareness Training for Hedge Funds

Instead of the firm’s funds going where it’s intended, it goes right into the bad actor’s account, highly unlikely to ever be recovered. 

To defend against Business Email Compromise and spear phishing attacks, you must test, reinforce, and provide education around your incident response policies and procedures regularly. Cybersecurity training on the risks and warning signs of spear phishing attacks is crucial for all employees, especially those involved in the wire transfer process. And don’t forget about third-parties who have a role in the process. Agio works with clients every day to strengthen their defenses against Business Email Compromise and spear phishing attacks. Contact us to discuss how we can work together.

 

Sources: 

    1. The Cybersecurity 202: Russia hacking tactics exposed in Mueller indictment still a threat, election officials say
      https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/07/17/the-cybersecurity-202-russia-hacking-tactics-exposed-in-mueller-indictment-still-a-threat-election-officials-say/5b4cc4fd1b326b1e646953dd/?noredirect=on&utm_term=.b29752f58e00
    2. Investment fund loses $6 million in BEC scam, suspends operations
      https://www.csoonline.com/article/3121684/security/investment-fund-loses-6-million-in-bec-scam-suspends-operations.html
    3. Business E-mail Compromise the 12 Billion Dollar Scam
      https://www.ic3.gov/media/2018/180712.aspx