Rant and PSA - hackers stole A LOT from me

Related:
Create New Tag

11/14/2017 8:47 AM

Hey guys,

First of all, things happen, I know. I'm moving forward, but thought I should share since apparently this is becoming much more prevalent and don't want anyone else getting robbed.

I work for a small company that contracts with much larger companies for consulting services. They invoice my work and then I get paid. Usually, the payments come in large lump sums. Well, someone hacked our system and sent my client a change of account form. My client didn't follow proper procedure and changed it without verification.

End result - they paid the hackers and I'm out $68K and change, and there is no insurance or digital trail to get it back. Now lawyers are involved, along with the FBI, but my chance of getting the money back is probably about 1%.

That said, I wanted to make everyone here aware of this issue. According to my friend who works in digital security, and our contacts with the FBI, this has become a huge problem. Hackers target small companies that make large transactions. Apparently title companies are a big target, and about 50% of companies that get hit go bankrupt within the next year. What they do is infiltrate your system and create a means of communicating as if they were you, while intercepting any return messages, so you will never know that they are in contact with someone as if they were you, unless you proactively call or do something else.

Last year, the NSA was hacked and the hackers stole code for many of the cyber weapons that the NSA was using to hack foreign governments and companies for info. So in the last year, hackers have been happily targeting US companies using our own technology, and basic anti-virus doesn't stand a chance.

Be extra vigilant guys. Keep an eye out for anything suspicious. Whether you are the one invoicing, or the one making large payments, be careful. They could just as easily target someone like a dealer who makes large payments to suppliers and get them to pay the wrong account.

Be careful out there guys

|

11/14/2017 9:01 AM

Wow. That's F'ed up.

If the client didn't follow proper procedures to verify the change, why do you not think they are still liable for the payment?

Especially with such large transactions, a small debit/credit transaction should have been done to verify with you that the account was legit.

|

11/14/2017 9:01 AM

Sounds like you and the client need to have a talk in a court room in front of a judge. Maybe the judge could help your percentage out of seeing that money again.... even if comes out of their pocket. That is a chunk of change to only have 1% chance of getting back. Thanks for the heads up and hope it works out

|

11/14/2017 9:23 AM
Edited Date/Time: 11/14/2017 9:30 AM

OP do you know what is available on the darknet???
TOR on down sometime and have a look around.

If anything hackers steal $1 from a million people, no one notices.

Sounds like an inside job to me.....how well do you know your computer admin there???

|

11/14/2017 10:02 AM
Edited Date/Time: 11/14/2017 10:03 AM

We get daily threats where I work. It's usually BEC (business email compromise) or some variant of that. People think these hackers and thiefs are using super sophisticated tools and methods. They are not. They use what's called social engineering. No need to hack a password when you can talk someone into giving it to you.

Just yesterday we had an exec assistant receive an email from our what looked like our CEO asking for her to process a wire transfer for 19k. We have processes in place that prevented it from happening thankfully. But basically she did not follow her training and responded back saying she would get it setup. They sent her the Wire instructions back. She tried to get wire setup through our accounting group. That's where our internal procedures kicked in and it was determined it was a fraudulent request. Now mind you if you just look at the reply address when she hits reply it clearly switches as having come from our CEO and switches to going to back to whoever the fuck at a comcast account, Plain as day but she did not bother to check this. Second time she has been burned on this.

Anyways....

It's a huge problem for companies of all sizes.

But that's usually how it's done. We also get change of address requests constantly. Have to have a procedure in place to change any place where a check goes.

And it gets really tricky because a vendor we pay may have had their own email hacked and the change of request comes from a truly verified vendor account.

I could go on and on.....

|

11/14/2017 10:06 AM

We are working with them and the lawyers are figuring it out. Fact is the hacker broke into our system, and they made a payment in good faith. They didn't follow procedure, but the procedure isn't in the contract, only on our invoices. There is definitely fault in both parties. At best I'll get some of it back, and hopefully it will be more than the lawyers fees.

The thing complicating this is that I have a pretty good relationship with them, and don't want to burn any bridges from potential future work by dragging this into litigation. This is a small industry, and sometimes the best bet is the long one.

Ohio, I know, I'm suspicious too. Problem is I have zero evidence of anything malicious on our end, and whoever it was covered their tracks really damn well.

|

11/14/2017 11:58 AM

this happens way more than you would think. The company I work for pays for https://www.knowbe4.com/ training and assistance. They offer a lot of free info too. Our security team tests our users with fake emails weekly. We also use proofpoint to block spam\phishing emails. Last month was ~700,000 spam emails.

|

11/15/2017 10:46 AM

http://siskiyou.sou.edu/2017/06/08/sou-loses-1-9-million-in-email-fraud-fbi-investigation-launched/

The college down the street just took a $1.9 million hit from the same scam! Money is GONE!

|

11/15/2017 5:02 PM

That fucking sucks.
In the early days, security experts (young hackers) told Congress- "don't do this." Online commerce and transactions will never be safe. They were completely right. Everybody has been hacked, pretty much. (Equifax for me). It's a fucking disaster, all for convenience.

|

It's impossible for a corporation or government to love you or care about you.

11/15/2017 7:14 PM

NorCal 50+ wrote:

That fucking sucks.
In the early days, security experts (young hackers) told Congress- "don't do this." Online commerce and transactions will never be safe. They were completely right. Everybody has been hacked, pretty much. (Equifax for me). It's a fucking disaster, all for convenience.

I agree. What I wouldn't do to go back to paper checks and fax machines right about now.

And now they want me to hand over the steering wheel to connected, autonomous cars. Yeeeah, right.

|

11/15/2017 7:50 PM

NorCal 50+ wrote:

That fucking sucks.
In the early days, security experts (young hackers) told Congress- "don't do this." Online commerce and transactions will never be safe. They were completely right. Everybody has been hacked, pretty much. (Equifax for me). It's a fucking disaster, all for convenience.

TriRacer27 wrote:

I agree. What I wouldn't do to go back to paper checks and fax machines right about now.

And now they want me to hand over the steering wheel to connected, autonomous cars. Yeeeah, right.

The internet, smart phones, email, electronic banking. Technology has improved our life's so much and if I wasn't an unwilling to change stuck in the past grouch I would see that. T his is what I hear all the time.
In my work I have to accept some electronic payments for govt jobs and do payroll taxes electronically. Other than that I do all invoicing, accounts payable and receivable with mailed checks. We avoid everything possibe online.

I could go back to pay phones, pagers and fax machines tomorrow morning and not miss a beat.

Sorry to hear you got burned. At this point everyone is exposed I think. Just a matter of time.

|

11/16/2017 7:24 AM

So many wrongs in all this. As in , it's just wrong screwing people out of money like that. You would think if the NSA got hacked like that , they would hold some type of accountability. They held all the tools to prevent this from happening , and they failed.

|

And there goes Jeffro. One of God's own prototypes. A super high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die.

Pimpin' Ho's , Rollin' fatty's......drinkin' beers , beers , beers!! ~ Ja

11/16/2017 10:51 AM

jeffro503 wrote:

So many wrongs in all this. As in , it's just wrong screwing people out of money like that. You would think if the NSA got hacked like that , they would hold some type of accountability. They held all the tools to prevent this from happening , and they failed.

I have the same sentiment. There should be some kind of harsh penalty for failing to protect clients.

About 10 years ago, I was informed by my mortgage holder that some rogue employee made off with 20,000 people's SSNs, mine included. They were happy to offer me a year of free credit monitoring, though. ermm pinch

|

Braaapin' aint easy.

11/16/2017 11:38 AM

I used your example in a discussion I had earlier today with our general counsel as it relates to cyber crimes.

Just going by what you said above, and assuming it's entirely accurate.

The company you work for owes you the $68k. You should not be the one to take that on the chin. It was their mistake.

Think of it this way. If they wrote a check for $68k and gave it to the wrong person. And that person then cashes the check and leaves the country, would they be off the hook from paying you what they owe? Absolutely not.

They owe you the $68k. Regardless of who they accidentally paid. They will have to sort that out. That's on them but you are entitled to every penny of the $68k from them.

Just passing it along....

|