Arlington drained of several hundred thousand dollars in e-mail spoofing scam
Arlington Town Manager Jim Feeney reported yesterday that the town had $445,945.73 drained from a high-school construction account by the same sort of spoofing attack the left a Dorchester union nearly $6.4 million poorer.
In e-mail to residents, Feeney detailed what happened:
In September of 2023 Town employees received legitimate emails from a known vendor working on the Arlington High School Building Project to discuss issues with payment processing. Unbeknownst to the Town, threat actors had already compromised certain employee user accounts and were monitoring emails. They seized the opportunity to impersonate the vendor with an email domain that appeared genuine, requesting a change in their payment method from check to electronic funds transfer (EFT), a common method used by municipalities for on-going payments. The scam was aided by fabricating and subsequently deleting emails from employee accounts, as well as creating inbox rules to manage and hide incoming messages. Once the payment method was established, a series of four monthly payments were made. The monthly payments were diverted until the vendor reported not receiving payments in February 2024. It was immediately apparent that we had been defrauded, so we alerted law enforcement and our banking institution, began a digital forensics investigation, retained a breach coach, and instituted immediate response measures to secure our network. The investigation found that threat actor activity occurred in the Town’s Microsoft environment between September 12, 2023 and January 30, 2024. It was also discovered there were other attempts to intercept wire payments totaling approximately $5 million during this time period. Fortunately, these attempts were unsuccessful. It was further determined the threat actors had not infiltrated the network.
Feeney continued the town's bank was able to recover $3,308 and that the town has filed a claim for the rest with its insurer. He added that no personal information about town employees or residents was taken and that the high-school construction project is continuing.
He wrote that once the town learned of the problem:
The Town's Information Technology Department (IT) performed a force disconnection from the network, required a password change for all users, and enabled multi-factor authentication for key personnel. Unrelated to this incident, but due to an increase in phishing attempts, the IT Department had already begun to reconfigure email security settings in November to improve our email security. The Town reviewed other existing wire payments and also contracted a third-party auditor to bolster internal controls with a stricter policy related to wire transfer payments such as EFT and ACH (Automatic Clearing House).
As additional efforts to reduce the risk of falling victim to future cyberattacks, the Town has instituted mandatory cybersecurity training for all staff through the state's Municipal Cybersecurity Awareness Grant Program and has applied for additional state grant funding to be able to roll out multi-factor authentication for all staff. The Town was already in the process of rolling out an endpoint detection and response platform as part of the upcoming fiscal year. This platform will help prevent and detect malware, ransomware, and other advanced threats, providing security of critical systems and sensitive data.
H/t mcain.
Ad:
Comments
NOW we have adequate controls
We're just public servants and aren't like a rich private sector business.
Not the brightest bulbs
Not the brightest bulbs
Recovery is in progress...
Well that's good! So there's just... $442,637.73 still missing.
come again?
It is 2024. Multi-factor authentication (MFA) should be mandatory for everyone in an organization, including volunteers, interns, and temporary employees. These new controls sound woefully inadequate.
IT excellence would be looking at Microsoft passwordless access with biometrics and number matching, and I don't know that demanding excellence from a small municipality like this is fair.
At this point, MFA for everyone is IT competence, and Arlington taxpayers should at least require that.
So ...
who's taking responsibility for this?
Oh, yeah, "these things just happen".
I withhold judgment. These
I withhold judgment. These things actually DO happen because such crime becomes increasingly elaborate.
How were the accounts compromised?
While the information is probably not public understanding how the email accounts were compromised can be instructive. It's one thing to know how this compromises happen. But to be able to connect theory with actual events that can be related to could help.
Were keyloggers installed on the employee's computers? If so how? Via downloads to sites that installed malware or worse, through installing USB flash drives that came from outside? If compromised sites were visited what applications are used to monitor for compromised sites and prevent client computers from visiting the sites?
I work with our IT support
I work with our IT support and work in government functions and it happens a lot. We've been locking everything down and people get frustrated. If you want to use a usb drive our system has to encrypt it and wipe it before putting stuff on it which takes time. We have authentification systems and fail safes. We do the testing and the fake emails to try to see if people are clicking on them. Work phones are locked down and yet somehow someone still got hacked. We luckily we're able to quarantine it but still a shock.
I'm not sure if the federal government takes cyber crime seriously enough to be honest. Even with their own emails from federal agencies they use all sorts of weird extensions to seperate departments but if you are trying to catch fraud it's hard to white list them when the same department uses a dozen extensions and you wirk with dozens of departments.