The French subsidiary of the BeIN Sports channel suffered an attack involving fraudulent funds transfers, which cost the company €2.4 million in February 2013. The attack began with malware.
- The fraud started with a booby-trapped e-mail sent to the accountant of a TV station. In a relatively conventional fashion, a link gave access to an “invoice” which in reality concealed malware to capture the station’s data.
- The hacker used the stolen data to understand how BeIN processes funds transfers, and thus to set up the fraud. First, he identified HSBC as BeIN’s bank. Then, he called the employee responsible for the BeIN account. Claiming to be the company’s financial director, he asked for six urgent international transfers. When the HSBC employee called the number of the BeIN finance department to confirm the legitimacy of the transfer request, she was connected to the hacker, who had in fact re-routed the telephone lines. By the time the finance department realised that a fraud was taking place, the funds had already been sent to banks in Cyprus and Romania. It is very difficult to recover an international transfer.
- BeIN has recently obtained a court judgement against HSBC, the judge finding that the bank had “fallen seriously short of its obligations in terms of surveillance, control and vigilance”.
For hackers as clever as this, a simple piece of malware delivered by e-mail can permit the theft of sufficient information to mount a large-scale fraud. Corporate data about finance departments is manna from heaven for fraudsters skilled at impersonating senior employees.