The question on a lot of people’s minds is how the City of Eagle Mountain gave away $1.13 million to a person who has still not been identified. I have been working in IT for over 25 years now, and for the majority of that time I have been maintaining and administering corporate email systems. I have seen the mistake the City made attempted at other companies several times. I will try to explain how it happens so that the public can understand.
This was not an attack by some hacker sitting in a basement who broke into systems or servers owned by the City. It was not someone breaking into secure systems with brute-force attacks or some special IT ninja knowledge. It was the result of someone making a mistake and following instructions from a dishonest person.
This is how it happened. (I am guessing about the initial start, but I have gotten enough information from the City to understand how it played out.)
Step 1
The dishonest person has to get the email address and password of either a City employee or an employee at the company the City is doing business with. In this case, the company was WW Clyde, the contractor that is working on several roads and has been awarded millions of dollars worth of bids over the years.
There are a couple of ways to do this. You can use social engineering to trick the person into giving you the password, or you can use a phishing email to get them to enter their password on a bogus login page that looks like the real one. Either way, the dishonest person ends up logging into the real mailbox as that user. I do not know whether it was an Eagle Mountain employee or a WW Clyde employee who was duped into giving up their login information.
Step 2
Watch and wait. Usually, the dishonest person (I am not using the term hacker because really no hacking skills were needed) sits and watches. They read the email that comes and goes from the account, following the replies and the email threads, waiting for something they can intercept and collect the money from, such as an invoice or a discussion about an upcoming payment. In the past, I have heard of phishing attackers waiting over a year before activating their plan. Waiting has a side benefit for them: by the time they attack, most of the login and mailbox logs that would show who they are and how they got in have aged out and are no longer available. I am not saying that this person waited for a year, but they could have been watching for some time.
Step 3
Once they find what they are looking for, they copy the entire message thread, including signatures and all other data. They then create a bogus account that looks like it belongs to the payee. For example, they register a domain that is close to WW Clyde’s but is actually a separate domain the dishonest person controls: if WW Clyde uses wwclyde.com, they might register wvclyde.com instead. Then they create a user account on that domain with the same name as the WW Clyde employee, so the mail comes from mike@wvclyde.com instead of mike@wwclyde.com. At a glance the two addresses are nearly impossible to tell apart, and the real WW Clyde mail system is not involved at all, so nothing there would look wrong. Finally, they send the copied message thread to the City employee from that account, so it arrives looking like the next reply in a conversation that is already under way.
Step 4
The employee then receives an email that looks like it is from the WW Clyde employee, and it even carries the employee’s signature and other data. By all appearances, the dishonest person is the WW Clyde employee responding to the email thread they have been on before. Then the dishonest person includes something like: “We are changing banks, we need the next payment to go to this bank account instead, here are the details.” The Eagle Mountain employee changes the banking information in their system and authorizes the $1.13 million to go to the dishonest person’s account.
Step 5
The dishonest person then has a few days to accept the funds and transfer them on to a different account, usually offshore, before anyone notices. At that point the $1.13 million is gone, and they are the only ones who have access to it, or maybe even know where it is.
Money Gone, NOW WHAT?
There are things the City could do and should do to make sure this does not happen again! First, the City should make it mandatory for ALL employees and contractors to reset their passwords and make sure they do not reuse one they have used before. WW Clyde needs to do the exact same thing for all of its employees. Chances are that if one employee was duped, other employees were also duped, and resetting the passwords would stop the dishonest person from still being able to get into those other email accounts. The reset should also sign out every active session and be followed by turning on multi-factor authentication, so that a stolen password alone is not enough to read someone’s mail.
Second, why the heck was someone able to send $1.13 million without a second set of eyes on it? There should be a policy in place that requires a second approver for ACH payments above a set dollar amount.
Third, the policy needs to be changed so that any change to banking information is verified before it takes effect. A simple phone call to the vendor, placed to a phone number already on file and not to one taken from the email requesting the change, asking them to confirm that the bank is really changing, would have stopped this entire thing.
Fourth, more employee training needs to be implemented, and possibly some type of email scanning that flags messages from look-alike domains and requests to change payment details, to prevent employees from being duped again. Even if it was a WW Clyde employee who was duped, this policy and hurdle should be in place.
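Here is what that kind of scanning can look like in practice, covering both the look-alike domain trick from Step 3 and the "we are changing banks" request from Step 4. This is an added example written for this column, not anything the City, WW Clyde, or any email vendor actually runs; the trusted-domain list, the sample messages, and the City address in them are made up for the demonstration. It folds look-alike characters in the sender's domain (so swaps like 0 for o or 1 for l collapse), compares the result against known vendor domains by edit distance, and checks the body for payment-change wording. Anything flagged is held for the phone-call check rather than delivered straight to the person who can authorize a payment.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Hypothetical list of vendor domains the City pays. In a real deployment this
# would come from the accounts-payable vendor master, not a hard-coded set.
TRUSTED_DOMAINS = {"wwclyde.com"}

# Characters and digraphs that read like something else on screen. Each entry
# is folded to one canonical form so "wwc1yde" and "wwclyde" compare equal.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("i", "l")]

# Matches "changing banks", "new account", "updated wire instructions", etc.
BANK_CHANGE = re.compile(
    r"\b(chang\w*|new|updat\w*)\b.{0,40}\b(bank\w*|account\w*|wire|ach|routing)\b",
    re.IGNORECASE | re.DOTALL,
)


def normalize(domain: str) -> str:
    """Fold look-alike characters so visually similar domains compare equal."""
    s = domain.lower()
    for lookalike, canonical in CONFUSABLES:  # digraphs first, then single chars
        s = s.replace(lookalike, canonical)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None  # exact match: the real vendor
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def assess(raw_message: str) -> dict:
    """Scan one message; 'hold' is True if it should be quarantined for verification."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    addrs = {"From": from_addr}
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to != from_addr:  # replies go here, so check it too
        addrs["Reply-To"] = reply_to
    findings = []
    for header, addr in addrs.items():
        domain = addr.rsplit("@", 1)[-1]
        imitated = lookalike_of(domain)
        if imitated:
            findings.append(f"{header} domain {domain} looks like trusted domain {imitated}")
    body = msg.get_payload()
    if isinstance(body, str) and BANK_CHANGE.search(body):
        findings.append("body asks to change where payment is sent")
    return {"from": from_addr, "findings": findings, "hold": bool(findings)}


# Constructed sample messages for this example; not real mail from the incident.
FAKE_BANK_CHANGE = """\
From: Mike <mike@wvclyde.com>
To: payables@eaglemountain.example
Subject: RE: Pay application

We are changing banks, we need the next payment to go to this bank
account instead, here are the details.
"""

LEGIT_SCHEDULE = """\
From: Mike <mike@wwclyde.com>
To: payables@eaglemountain.example
Subject: RE: Pay application

Attached is the paving schedule for next week.
"""

if __name__ == "__main__":
    for raw in (FAKE_BANK_CHANGE, LEGIT_SCHEDULE):
        print(assess(raw))
```

The fake message is held for two reasons (the wvclyde.com domain is one character off a trusted vendor, and the body asks to redirect a payment), while the genuine one from wwclyde.com passes. A hold is not a verdict; it just forces the phone call to a number already on file before anyone in accounts payable acts on the request.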
Conclusion
I have made a few assumptions in this analysis. The information the City has provided led me to this conclusion, as did what I have seen over the years in stopping these types of attacks. I am sorry, but WW Clyde and Eagle Mountain City could have stopped this from happening. Someone made a mistake which caused this. It was not the result of some worldwide hacker conspiracy. It could have been a single dishonest person who duped another person and convinced them to send $1.13 million to them instead of to WW Clyde.
I would like the City of Eagle Mountain to release the following information:
- How were the passwords exposed? Were they the result of social engineering, or of a phishing attempt?
- Specifically, how will the City prevent this from happening again? What policies have changed to prevent this from happening again?
- What technical changes are being made to remove the human element that caused the mistake?
Mike Kieffer is an IT geek by hobby and trade, with a BS in Information Systems & Technology. He is a proud father of 10, a grandpa, an author, a journalist, and internet publisher. His motto is to “Elevate, Inspire and Inform”, and he is politically conservative and a Christian. Mike has a passion for technology, writing, and helping others. With a wealth of experience, he is committed to sharing his knowledge with others to help them reach their full potential. He is known for his jackassery or his form of self-expression that encourages boldness, creativity, and risk-taking. It can be a way to push the boundaries and challenge traditional norms, leading to creative solutions and positive change.