Tuesday, January 8, 2013

Hackers and Human Risk Factors (Canadian Firm Theft in the "Large Six Figures")

A reader sent word of this story reported in LawTimes: "Law firm’s trust account hacked, ‘large six figure’ taken" --
  • "In a scam never seen before in Ontario, a Toronto-area law firm lost “a large six figure” over the holidays after a virus gave hackers backdoor access to its bookkeeper’s computer. The virus copied bank account passwords as she typed them."
  • "The level of sophistication of this one was unbelievable," says Dan Pinnington, LawPRO’s vice president of claims prevention and stakeholder relations... The virus 'tricked the [bookkeeper] into giving the trust account’s password to the fraudsters, allowing them essentially full access to the trust account, including the ability to go in, monitor it, and wire money to foreign countries shortly after deposits were made,'"
  • [via an ABA summary]: "the hackers used a Trojan banker virus to replicate a Web page for the Ontario law firm's actual bank. Then, when the bookkeeper entered the law firm's password, as prompted, the hackers, who were watching through their computer program, obtained it in real time and very soon logged onto the firm's actual trust account themselves...."
  • "Pinnington believes the hacking took place after the bookkeeper clicked on a link, opened an e-mail attachment or downloaded something as mundane as a screen saver from the Internet."
  • "The Trojan virus is known to realistically mimic U.S. bank web sites, but this time it was 'a major Canadian bank,' says Pinnington. It appears the swindlers also knew the firm had done banking with another Canadian bank, he adds, noting there was evidence they sought information on another bank account as well."
This example highlights a number of very real risks. The first is the stark reality that malicious forces are focusing specifically on law firms -- in our recent Los Angeles Risk Roundtable, the consulting team from Carlson and Wolf spoke about the information security threats facing law firms. These include malware like Trojan horses, spear phishing (email attacks that target a specific firm and contain key details, like sender contact information or bank details, to make them appear accurate and relevant), and ransomware.

The second, of course, is the "human factor" -- this bank heist succeeded because at one point or another, someone likely clicked or downloaded something they shouldn't have...
