Thursday, January 21, 2016

$54.5 million stolen in probable phishing scheme

Today we learned that $54.5 million (roughly EUR 50 million) was stolen from the aerospace manufacturer FACC. The company makes parts for Boeing, so it would normally be considered a target for IP theft rather than financial crime, but the latter appears to have happened here.

The announcement from FACC reads:

On January 19, 2016 FACC AG announced that it became a victim of fraudulent activities involving communication and information technologies. To the current state of the forensic and criminal investigations, the financial accounting department of FACC Operations GmbH was the target of cyber fraud. FACC's IT infrastructure, data security, IP rights as well as the operational business of the group are not affected by the criminal activities. The damage is an outflow of approx. EUR 50 mio of liquid funds. The management board has taken immediate structural measures and is evaluating damages and insurance claims.

Earlier, FACC noted that it had contacted the authorities in the matter:

Today, it became evident that FACC AG has become a victim of a crime act using communication and information technologies. The management board has immediately involved the Austrian Criminal Investigation Department and engaged a forensic investigation. The correct amount of damage is under review. The damage can amount to roughly EUR 50 million. The cyberattack activities were executed from outside of the company.
This announcement had a real-world impact on FACC's stock price, although the stock is rebounding somewhat this morning.

[Figure: FACC stock price chart]

Although details on the exact mechanism of the theft are light in this case, at Rendition Infosec we predict that the initial intrusion vector was probably phishing. We frequently see fraudulent invoices and payment-change requests sent to companies, usually for smaller amounts than in the FACC case. Many of these are simply paid, and the fraud is only discovered later during an audit. Accounts-payable staff who verify any change of bank details through a known phone number, rather than by replying to the email, defeat most of them.
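The fraudulent-invoice pattern described above has a few telltale signs in the mail headers and body that are cheap to screen for before a message ever reaches accounts payable: a sender domain one character away from the real one, an executive's display name on an outside address, a Reply-To pointing somewhere other than the sender's domain, a claim to be the company's own domain without a DMARC pass, and payment-change language in the body. The script below is an added example written for this post, not Rendition's tooling or anything FACC has described. The company domain `example.com`, the protected executive names, and both sample messages are constructed for illustration.

```python
"""Screen inbound mail for common invoice-fraud / BEC indicators.

Added example for this post; COMPANY_DOMAIN, PROTECTED_NAMES and the
sample messages below are constructed, not taken from any real case.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # hypothetical target company
PROTECTED_NAMES = {"jane doe", "john smith"}   # hypothetical CFO / CEO names
PAYMENT_PHRASES = ("wire", "bank details", "updated account", "new account number")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, target: str = COMPANY_DOMAIN) -> bool:
    """True if domain is close to, but not equal to, the company's real domain."""
    return domain != target and edit_distance(domain, target) <= 2


def screen(raw_message: str) -> list:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _reply_name, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = _domain(from_addr)

    # 1. Sender domain is a near-miss of the real company domain.
    if lookalike(from_dom):
        findings.append(f"lookalike sender domain: {from_dom}")

    # 2. An executive's display name on an address outside the company.
    if from_name.strip().lower() in PROTECTED_NAMES and from_dom != COMPANY_DOMAIN:
        findings.append(f"display name '{from_name}' used from outside domain {from_dom}")

    # 3. Replies are silently redirected to a different domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 4. Message claims to come from the company itself but DMARC did not pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_dom == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims company domain without a DMARC pass")

    # 5. Body asks for money to move or bank details to change.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        findings.append("payment-change language: " + ", ".join(hits))

    return findings


# Constructed sample: lookalike domain, spoofed CFO name, off-domain Reply-To.
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
To: ap@example.com
Reply-To: accounts@invoice-portal.biz
Subject: Urgent: updated bank details for vendor payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=none
Content-Type: text/plain; charset="us-ascii"

Please wire the attached invoice to the updated bank details today.
"""

# Constructed sample: an ordinary vendor invoice that should pass cleanly.
SAMPLE_LEGIT = """\
From: Acme Supplies <billing@acme-supplies.example>
To: ap@example.com
Subject: Invoice 1042
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="us-ascii"

Attached is invoice 1042, payable per our standing terms.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, screen(sample) or "no findings")
```

Run it against a mailbox export and the fraud sample produces four findings while the legitimate invoice produces none. None of these checks is proof of fraud on its own (a vendor may legitimately use a separate Reply-To), so treat the output as a queue for a human to verify the payment details out of band, not as an automatic block.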

With FACC's misfortune in the news, today would be a great time to reinforce phishing awareness with your employees. Don't assume it can't happen to you too. If you don't already have a phishing or general infosec awareness program in place, contact me and I'll be happy to help you set one up using techniques proven across many of our clients.
