Investment Firm Hit by BEC Scam
Norway's Norfund Investigating Breach of Internal Network
Fraudsters have conned Norfund, a private equity investment firm based in Oslo, Norway, out of more than $10 million in what the company calls an "advanced data breach." But the incident bears the hallmarks of a business email compromise scam.
Scammers spent months inside Norfund's internal IT network, gaining access to emails and other communications between the company's executives and the partners and businesses in which the firm has invested, CEO Tellef Thorleifsson told the Norwegian newspaper Aftenposten. This gave the fraudsters knowledge of documents and other data, which enabled them to falsify payment details, he said.
The $10 million theft, which occurred on March 16, went undetected until April 30, when the fraudsters attempted a second, unsuccessful scam, according to a company statement.
The incident is now under investigation by Norfund's internal security team, local police and Norway's Ministry of Foreign Affairs. In addition, the company has hired consulting firm PwC to review its internal security, Thorleifsson notes in the company statement.
"The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this," Thorleifsson said.
Norfund, which is also known as the Norwegian Investment Fund and is owned by the country's Ministry of Foreign Affairs, invests in a range of clean energy, financial services and agribusinesses mainly in Africa, Asia and Latin America. At the end of 2019, it had invested over 24 billion Norwegian krone ($2.5 billion) in over 160 projects, according to its website.
Piecing the Scam Together
Although investigators are still piecing together just how the scam worked, it appears that after gaining access to Norfund's IT network and email communications, fraudsters began posing as a legitimate microfinance institution in Cambodia, sending emails and other financial and payment documents back to the investment firm, according to Norfund’s statement and the Aftenposten account.
At the same time, the fraudsters sent fake Norfund emails to the Cambodian firm, telling that company that payments would be delayed due to the COVID-19 pandemic in Norway, according to the account in Aftenposten.
Because both Norfund and the Cambodian company believed they were receiving legitimate emails and documents from each other, Norfund sent the $10 million. Instead of reaching the Cambodian firm, the money was transferred by the fraudsters to an account in Mexico and disappeared before Norfund executives realized the payment was missing, according to the company statement.
"The fact that the defrauders were able to manipulate the communication between Norfund and the intended recipient was a major contributing factor in delaying detection," the statement notes.
Since that fraud was uncovered, no other fraudulent incidents have been found, Thorleifsson told Aftenposten.
Hallmarks of BEC
While not directly mentioned by Norfund, this incident appears to involve a business email compromise scheme. These scams typically start with attackers stealing the email credentials of a top executive through phishing or other methods before tricking lower-level employees into transferring funds or making fraudulent payments to accounts controlled by scammers.
"While details are limited, it appears the same attack patterns appear in the Norfund case - the interception of emails, diversion of funds, and obfuscation of the trail by owning email communications," Chris Pierson, CEO of cybersecurity firm BlackCloak tells Information Security Media Group. "In most cases, this includes forwarding emails based on keywords such as wire and ACH to hacker-controlled accounts, not delivering real emails to their intended parties, and creating a man-in-the-middle scenario for the transfer of funds."
Pierson notes that the risk of falling victim to this type of scheme can be mitigated by requiring two-factor authentication for email communication as well as applying anti-phishing controls and improving employee training.
Chris Hazelton, director of security solutions at security firm Lookout, says the incident should serve as a warning call to other companies that make large digital transactions.
"This speaks to the risks of digital communications and transactions, particularly where there is an immediate monetary gain for attackers," Hazelton says. "As more organizations move to digitization of banking and all other processes, there is a need to have multiple layers of security."
BEC on the Rise
Business email compromise fraud is a growing problem. In February, the FBI issued its annual Internet Crime Report, which reported that the bureau received over 24,000 complaints about BEC scams in 2019, with a total loss of $1.7 billion to U.S. citizens (see: FBI: BEC Losses Totaled $1.7 Billion in 2019).
In April, the FBI also warned of an uptick in BEC schemes, with fraudsters using COVID-19 as an excuse to request a fraudulent rescheduling of payments or a change to other plans in order to pilfer funds (see: FBI: COVID-19-Themed Business Email Compromise Scams Surge).