The email said very little. Dated January 29, 2015, it was from Graham Lawton of Leeds district police, Yorkshire. Somewhere in Lower Parel, inside an office in Mumbai’s congested mill area, the person to whom the email was addressed glanced through it. All it said was that the money had reached the bank accounts of two individuals—Fylling and Phan, probably a Vietnamese migrant—with Barclays.
For the man in Parel, a director at a large textile export firm, it was the only thing he could hold on to since the day half-a-million dollars that he was supposed to receive from one of his overseas clients mysteriously found its way into two unfamiliar accounts with a British bank.
The Man in Estonia
Sometime last November, he had sensed that something was amiss when his client, with whom he had been dealing for years, informed him that the payment for the last consignment had been made. He was further told that, following his advice, this time the money had been remitted to another account to save tax. Hours later, the firm’s IT guy, who had by then roped in an ethical hacker, told him that the company was facing a cyber-attack.
Till then, he had thought that cyber crimes were of two kinds: credit card fraud—when the bank sends you a huge bill though you haven’t bought a thing—and high-tech snooping by Chinese and Israeli hackers prying on energy companies and government establishments—the variety you watch in movies or read in a Ludlum novel.
No one in the Indian export house had instructed the overseas buyer to wire the money to a different bank account. Then, who did? The man who did the mischief was sitting inside a room in Tallinn, Estonia, possibly identifying his next target, and far from the reaches of Inspector Lawton and the Mumbai Police.
“This guy was tracking the emails, transactions, client contacts of the firm in India, perhaps for months, before unleashing the attack… He hacked into the firm’s systems, terminals by either phishing or planting a virus, and sent the email to the foreign client on identical letterhead of the Indian firm along with the director’s signature… I have come across five similar cases in the past three months,” said Sahir Hidayatullah, a 32-year-old Mumbai-based ethical hacker who advises firms on cyber security.
A hacker may install software that tracks a PC in such a way that he gets to know the password even if the user changes it frequently. “There are professional fraudsters and rivals carrying out corporate espionage with bugs that are easily available and randomly used. It’s just not big companies, even stock brokers try to snoop on one another,” said Sahir.
The Money Mules
The Estonian in the story had used the time zone smartly. He sent the mail to the Indian firm’s overseas client late on Friday afternoon, betting that the Indian firm would not have a clue till Monday afternoon, by when the funds would have moved to the wrong bank account. For him, Fylling and Phan are just parking lots—better known as “money mules” in the world of cyber crime. All they do is lend their bank accounts, take a small cut and use the Western Union network to transfer the money to the Estonian or his agent.
Often, a chain of mules is at work to obfuscate the money trail. The smarter ones also use online games to mislead investigating agencies—using the cash to buy and then sell back through game sites like World of Warcraft. Mules are hired in India through innocuous part-time job ads. Some do it unwittingly, little realising the risk: when a fraud surfaces, they are the first to be picked up by the cops.
People like Sahir use their skills to build firewalls, spell out the dos and don’ts, and help cops track a slippery hacker. But things can be more complex if a corporate rival has a mole in the firm that’s under attack.
Keys to the Kingdom
“Many organisations don’t realise that their IT team literally holds the keys to the kingdom. They can reconfigure, access and control any system. Your most precious data is looked after by these teams, who are usually outsourced and not subject to much scrutiny. We have seen cases of IT administrators pillaging the senior management’s email inboxes to sell to the competition, or copying out customer databases for sale in the market,” said D Sivanandhan, former Director General of Police, Maharashtra and current chairman at Securus First, an organisation that provides investigation and security assessment consulting services.
“I recall the ease with which an employee of a BPO changed the address of the bank account and removed ₹90 lakh with the help of passwords from other employees. Of course, caught by the police, the person said with impunity that the same thing could be done in another 200 ways!... Most organisations still view cyber-risks as something the IT department handles. It’s about time that C-level executives start actively understanding what can be an existential threat to businesses of any size…” said Sivanandhan.
For business establishments—like the Lower Parel one or a pharma company which faced a similar attack—chances of recovering the money are very slim. They rarely go to the cops, fearing reputation loss; neither do they inform clients or JV partners to avoid further compliance issues and losing business. And, most mid-sized companies do not maintain Internet and electronic records that can be produced as evidence in court.
“In cases of targeted hacking, most suppliers and customers do not have a formal written contract and the supply of goods occurs on the basis of telephone conversations or email exchange. This makes it difficult on occurrence of disputes to affix liability and responsibility for the loss between the parties,” said Tushar Ajinkya, partner at the law firm DSK Legal.
Just as companies are unaware of how vulnerable their systems are, CEOs have no clue how tortuous salvaging the lost money can be. Cops lack advanced skill, manpower, technical tools and equipment to track a cyber crime complaint. Hackers, like the man in Estonia, who can change their strategy on an hourly basis, play around the system because they know that the police and lawyers can achieve very little in unfriendly jurisdictions. “In the ATM theft case that happened in the DGP office compound involving the accounts of policemen, the investigating team had gone to Greece to trace, without any success,” said Sivanandhan.
Cops and enforcement agencies are also using the skills of techies in other ways—where the crime may be as old-fashioned as underinvoicing of imports to lower tax outgo. Vinod Bhattathiripad, a cyber forensic consultant who advises the Directorate of Revenue Intelligence and the Kerala Police, has helped to crack several cases involving imports from China. “For every $100 import by one of the largest electrical equipment dealers, the invoice value showed $30. The balance was paid from its associates in Dubai and Malaysia. This is happening on a huge scale by importers of other items like kitchen utensils and bathroom fittings. Some of these companies reformat their hard discs every few months to escape. But so far we have been able to trace the frauds,” he said.
But unlike duty-evading firms or stupid money mules who leave behind their fingerprints, the Man in Estonia may remain a faceless, shadow crook for years. He will have the last laugh if he isn’t taken seriously.
Plug and Play Hacker
Think of cyber espionage and you imagine a nerd with thick glasses and frizzy hair in an underground secret lab. The world has changed from the ’90s thriller flicks—things are far from hush hush. Several bugs that rival corporates, foreign agencies and outright thugs use are devices that can be bought online for anything between a few thousand rupees and a few lakhs—one may even pick up a few from Mumbai’s Heera Panna Bazaar. Check the air-freshener or the adapter on your office wall; or, look behind the computer terminal—if your office is bugged, chances are you may come across one of these.
It’s like a hacker sitting at your desk and typing away, except it happens in microseconds. Less than an inch in size, it can be disguised as a flash drive. Like a normal pen drive, it’s plugged into a USB port. A programmable microcontroller, the device pretends to be a keyboard.
The cheapest bug, you can buy this toy at Mumbai’s Heera Panna market. Anyone would mistake it for an ordinary adapter. What no one notices is the SIM card inserted in the device. Plug it into a power point inside a board room. Once the board meeting begins, your rival from a distant location calls up a particular GSM number. The call activates the SIM and the attacker overhears the entire conversation.
Just an inch long, it’s one of the deadliest audio recording bugs and can be installed in any crevice of a large conference room. It is voice-activated, has a 600-hour recording time, and encrypts the data, so even if it is found, the information is inaccessible. Not available in the free market, used only by top professionals and government agencies.
A wireless keystroke recorder, it can be plugged into the back of any desktop computer; the beauty is you may not discover it for days. The little device records anything that is typed, including passwords and emails. The attacker receives the information via its built-in Wi-Fi connection from up to 300 meters away.
A replica of one of those thick-framed glasses, this pair of high-definition spy glasses has built-in storage and no wires. It conceals a virtually invisible full HD camera and can record both audio and video for two hours. Can be used to record confidential information on whiteboards, paper and in meetings.
Identical to an air-freshener, you won’t give it a second look. Once planted on the wall, it can access the network, files, transactions—almost everything. The lethal, wireless device gives the attacker, who could be in another country, complete remote access through 3G. It’s equivalent to having an unauthorised laptop full of hacking software on your network.
This article was written by Sugata Ghosh from The Economic Times, India and was legally licensed through the NewsCred publisher network.