How to Monetize a Phishing Trip, Fort Worth Style

Last week's posting (read it here) on how one hacker bilked the city of Fort Worth out of $700K is a cookbook for any hackers, like the ones who hacked 8,013 Oregon Construction Contractors Board (read the story here) accounts. Easy steps, even for cities with DMARC protection (of which there are darned few):

  1. Phish the account of a major contractor doing business with any municipality;
  2. Set up a bank account with the same or a similar company name at another bank (make sure that firm is not doing business at that bank);
  3. Send an email from account #1 above to the city, telling them to change the account number of the bank to which they pay said contractor;
  4. Do a funds transfer from account #2 above; and
  5. Get out of town before the authorities lower the boom (a mistake made by the Nigerian who nailed the City of Fort Worth).
Moral of the story: Use DMARC and telephone authentication of changes in bank account numbers. The weak link in the chain is the non-DMARC enforcement/authentication entity.
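The "enforcement" qualifier matters: a domain can publish a DMARC record and still be spoofable if the policy is p=none or only applied to a fraction of mail. Here is an added example (not from the original post) that classifies a DMARC TXT record by how much it actually enforces; the domain names and records are constructed for illustration, and looking the records up in DNS is left to the reader.

```python
# Added example: classify a DMARC TXT record by enforcement posture.
# "Has DMARC" is not the same as "enforces DMARC": p=none only monitors,
# and pct<100 leaves part of the spoofed mail unchecked.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # ignore empty or malformed segments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(record: str, subdomain: bool = False) -> str:
    """Return 'none' (no usable record), 'monitor' (p=none),
    'partial' (enforcing but pct<100) or 'enforce'."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "none"
    policy = tags["p"].lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()  # subdomain policy overrides p= for subdomains
    if policy not in ("quarantine", "reject"):
        return "monitor"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC default when the tag is unparsable
    return "partial" if pct < 100 else "enforce"


# Constructed sample records (hypothetical domains), one per posture.
SAMPLES = {
    "city.example": "v=DMARC1; p=reject; rua=mailto:dmarc@city.example",
    "contractor.example": "v=DMARC1; p=none; rua=mailto:reports@contractor.example",
    "bank.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "nodmarc.example": "",
}


def audit(samples: dict) -> dict:
    """Map each domain to its enforcement verdict."""
    return {domain: dmarc_enforcement(rec) for domain, rec in samples.items()}


if __name__ == "__main__":
    for domain, verdict in audit(SAMPLES).items():
        print(f"{domain:22} {verdict}")
```

In the constructed set only city.example would actually reject a spoofed "change our bank account" message; contractor.example is the weak link the post describes.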

Sincerely Yours,

Mad Max

