Rogue Invoice – ZADIG Smart

Rogue Invoice

Sometimes, even a seemingly insignificant theft can have disastrous consequences for your business.
Working off-site can expose you to significant risks, however we’re here to help you to block IT-related ones.

The Stage

This celebrated contractor agency has earned a reputation for excellence in managing large-scale construction projects. With a portfolio of diverse ventures, their team of skilled professionals operates across multiple locations, constantly moving between construction sites to deliver exceptional results.

Embracing innovation and technology, the agency equips its employees with company-owned laptops that serve as a gateway to crucial resources. These devices enable seamless access to shared files and management software, empowering the team to stay updated on construction plans, collaborate effectively, and streamline communication with suppliers and stakeholders.

By leveraging technology as an integral part of their operations, this contractor agency remains at the forefront of the industry, consistently delivering exceptional projects while adapting to the demands of a dynamic and ever-changing construction landscape.

Day 1
Afternoon		Day 1 Afternoon At the end of the shift, the attacker steals a laptop from a worker's backpack, leaving the backpack untouched.
Evening		Evening Taking advantage of the absence of security measures like full disk encryption, the attacker easily installs a spyware on the stolen laptop.
Day 2
Morning		Day 2 Morning The owners reported the theft to the authorities. Following this, a complaint is filed with the local police station.
Afternoon		Afternoon The attacker returns the laptop to the local lost and found, where it is immediately matched with the filed complaint and the owner is notified.
Day 3
Morning		Day 3 Morning The laptop is retrieved and quickly inspected. Since there are no signs of tampering it is considered safe, and the incident is closed treating it as a simple incident rather than a theft.

Day 4		Day 4 Day 4 The laptop is returned to the worker, with a cautionary reminder to exercise greater vigilance in safeguarding their belongings in the future.

Day 5		Day 5 Day 5 Exploiting the spyware's capabilities, the attacker gains unauthorized access to the employee's email and shared drive credentials, opening a gateway to sensitive company information.

Day 5-30		Day 5-30 Day 5-30 Over the course of several weeks, the attacker meticulously studies the inner workings of the company, collecting valuable intelligence.

Day 32		Day 32 Day 32 Leveraging the information gathered earlier, the attacker initiates a social engineering attack on the secretary, convincing them that the client's phone number has changed.

Day 35		Day 35 Day 35 The attacker informs the secretary about a banking problem and requests a change in the payment's IBAN, along with a delay in the payment. The previously acquired insights enable the attacker to remain undetected, despite the secretary suspects.

Day 37		Day 37 Day 37 To finalize the attack, an urgent email is sent to the secretary, providing the new IBAN details and emphasizing the need for immediate payment to prevent potential new issues.

Day 53		Day 53 Day 53 Investigating the payment delay, the legitimate provider unravels the fraudulent scheme. The agency has to pay the bill once again.

The Consequencies

Financial Losses

Since the main goal of the attack was to hijack a payment the company obviosuly had a very big direct financial loss. We can't forget, however, that reputational damage can also easily produce economic damage, and this is clearly the case.

Privacy Violations

Having gained access to all the company systems, the attacker had also got access to loads personal data of providers and clients. This is clearly a problem as many contracts are NDA-protected.

Further Risks

Even if the main attack ended, the insight gathered by the attacker expose the company to the risk of others similar attacks in the future. And since insights remains to the attacker, a password change is not enough to mitigate this risk.

ZADIG Smart
provides at least three solutions to stop this attacks

OFF-SITE WORKING IS CLEARLY RISKIER THAN ON-SITE WORKING,
however there are few precautions that could have stopped this attack, like applying full disk encryption to the device, or handling permissions safely.
ZADIG Smart can give you at least three complete solutions to stop this attack.

Do you wish to prevent and eliminate these threats?

Mobile Device Management

A well configured MDM could have enforced full disk encryption and remotely locked the device immediately after the thief, thus preventing the attack from taking place. In addition, it will have also helped to easily reconfigure the device after the restitution, allowing the IT to just wipe it and get rid of the spyware

SSO

Instead of having a single credential for everyone, the SSO allow you to configure (in the service you are accessing) the same login you are already using for ZADIG Smart. This way, should a credential be compromised, it can easily be revoked for every service without impacting other users' workflow.

Compliant-Only Access

To further enhance your security, we support the option to restrict access to our login only to compliant devices. This means that a session reuse on another non-enrolled device would have been impossible, thus preventing the attacker to gain access to corporate resources