Picture this. An executive assistant to a vice-president at a multinational company receives an email referencing an invoice hosted on a popular file sharing service. A few minutes later, the same assistant receives a phone call from another vice-president within the company, instructing her to examine and process the invoice. As soon as the invoice is processed, a cybercriminal takes control of the executive assistant’s infected computer and siphons the funds. The company was Francophoned—the invoice was a fake and the vice-president who called the assistant was an attacker.
This is how it happened. The supposed invoice was actually a remote access Trojan (RAT) that was configured to contact a command-and-control (C&C) server located in Ukraine. Once the systems were infected with the RAT, the attacker retrieved identifying information, including disaster recovery plans, of the organisation’s bank and telecom providers, its points of contact with both providers and its bank and telecom account data.
Using this data, the attacker impersonated a company representative and called the organisation’s telecom provider. They proved their authenticity to the telecom provider, claimed that a physical disaster had occurred and said that they needed all of the organisation’s phone numbers to be redirected to attacker-controlled phones.
Immediately following the phone number redirection, the attacker faxed a request to the organisation’s bank, requesting multiple large-sum wire transfers to numerous offshore accounts. As this was an unusual transaction, the bank representative called the organisation’s number on record to validate the transaction. This call was redirected to the attacker, who approved the transaction. The funds were successfully transferred to multiple offshore accounts and subsequently laundered further through other accounts and monetary instruments. Operation Francophone accomplished!
In May this year (2013), IT security firm Symantec published details on the first attacks of this type targeting organisations in Europe. Further investigations have revealed additional details of the attack strategy. Francophoned is an example of how cybercriminal operations are becoming increasingly sophisticated, a trend that is likely to continue in the future.
If the above-mentioned terminology has left you dumbfounded, here’s another one which will make you sit