Update: Peterborough cyber attack ‘an old-fashioned con using computers’



Monadnock Ledger-Transcript

The Town of Peterborough handed over $2.3 million to internet scammers, who collected three large scheduled payment transfers and converted them to cryptocurrency. Town officials said the stolen funds can’t be recovered and it remained unclear whether the losses will be covered by the town’s insurance carrier.

Peterborough officials first got wind that something was wrong on July 26, when ConVal told the town their regular $1.2 million monthly payment hadn’t arrived. “Upon investigation we quickly realized that the town had been victim of an email-based fraud,” town officials said in Monday’s press release, and it was too late to stop the transfer. They immediately launched an investigation by alerting the U.S. Secret Service, cyber security consulting firm ATOM group, and NH Primex, the town’s insurer.

“Basically, they forged the emails and made it look like they were the employees of ConVal,” Town Administrator Nicole MacStay said Monday afternoon, describing the perpetrator’s work as “an incredibly good forgery job.” The thieves gave town staff new transfer and account information for the upcoming deposit, so although the town’s accounts remained secure, their payments went to a fraudulent account, MacStay said.

About a month later, on Aug. 18, the initial investigation was still ongoing when town finance department staff discovered that two more large transfers, both intended for Main Street Bridge project contractors Beck and Bellucci, had been diverted in a similar manner, according to the press release. Peterborough was ultimately defrauded on three payments: one intended for ConVal on July 23, and two intended for Beck and Bellucci, one on July 9 and the other on Aug. 13, MacStay said. The finance department has since canceled all Automated Clearing House (ACH) transfers and the town is reviewing all electronic transaction policies and procedures, according to the press release.

Although it’s unclear at this point whether all the fraudulent emails were executed by the same perpetrator, the Secret Service has determined that all the fraudulent emails originated overseas, MacStay said. Although she wasn’t aware of any other towns that had been affected, Secret Service members said a town elsewhere in the country had $600,000 stolen from them in a “very similar manner” on Aug. 19, MacStay said.

The ConVal School District is also looking into the matter to determine how the theft occurred and whether there was a way to recoup the losses, according to a press release sent Monday evening. “District IT staff reviewed email and server access logs, as well as anti-virus logs and found no signs of malicious activity,” Superintendent Kimberly Rizzo Saunders said.

Although Peterborough officials don’t believe town staff were criminally involved in the transfers, the finance department staff members who were directly targeted are on leave until the Secret Service’s investigation is over, according to the town’s press release.

Although the Town Treasurer is the elected office that oversees the finance department and its operations, “the day-to-day operations of the Finance Department are given to the finance department staff,” MacStay said, in an arrangement laid out in town policy. MacStay confirmed that Leo Smith served as Director of Finance until his retirement on July 31, at which point the role transitioned to Lilli Gilligan. When asked whether the transition of the role factored into the scam, MacStay said she didn’t know, and even if she had a definitive answer, it would remain confidential while the investigation continued.

MacStay declined to answer specifics on the Finance Department’s protocol regarding ACH transactions, including who oversaw them, because it could potentially compromise the ongoing investigation or be used by criminals to target towns in the future, she said.

“What I can say is that we do have redundancy in our finance department,” she said. Vendors are being paid in paper checks for now, she said, and direct deposits and electronic fund transfers are ongoing, as they remain uncompromised. Town business can proceed and employees can continue to get paid, she said. “We do have controls set up, there’s also redundancy in those controls to make sure we can function in a safe way,” she said.

“We are public entities, and we do business very transparently,” MacStay said. “That is, unfortunately, the real downside of open government,” she said.

Coaching clients on how to avoid phishing scams is part of Sequoya Technologies Group co-owner Tom Strickland’s work. His Peterborough-based company provides managed IT services for 60 small businesses throughout northern New England, and he used to service several small towns.

“Unfortunately, the ACH banking technology is a bit behind the times,” Strickland said, and has missed out on security advances that are commonplace in other applications. “There’s not really a verification that the entity you’re sending money to is the entity you think it is,” he said, unlike, say, the exchanges that take place while logging onto secure websites. That means an extra level of vigilance is required for those transactions, he said.

“I wouldn’t accept – ever, ever, accept, ACH instructions by email, ever. That’s like a huge red flag,” Strickland said. It’s much safer to require that information be sent by postal mail, which is much harder to forge, and any change in ACH instructions should be verified, he said. “You don’t just accept that on faith, you call and verify to make sure that information is correct,” he said.

Although there were technical elements, the existing public information suggests that Peterborough’s security breach had a human element, Strickland said. That’s true for the majority of cybersecurity compromises, whether it’s clicking on a phishing email or using a weak password, he said. “This is just an old-fashioned con using computers,” he said.

Strickland does believe there are certain factors that make a “social engineering attack” easier to execute on public entities rather than private businesses: For example, it was public knowledge that Peterborough was sending money to ConVal and Beck and Bellucci, whereas in a private business, a scammer would first need to hack a private email account or confidential records to figure out where money is going, he said.

However, Strickland also believes that taxpayers deserve more transparency about a town’s cybersecurity efforts, and there are ways to share a government entity’s protocol without compromising it, he said. “I think we deserve more information than we’re getting,” he said. Whereas a town obviously shouldn’t share their passwords, or the brand and model of antivirus or firewall software, they can safely report elements of their protocol, like whether they have an advanced security…

