Networking Manufacturer Ubiquiti Lost $46.7M after Falling for Elaborate Impersonation Scam

Technology // Hong Kong

Digital bandits faked communications from executives at the firm by studying the company, and then tricked personnel through these communications into initiating unauthorized international wire transfers.

This gambit is known as “CEO fraud” or “business email compromise,” and is increasingly common among companies that work with foreign suppliers or regularly make wire transfer payments.

The attack against Ubiquiti, a maker of networking technology for service providers and enterprises, involved employee impersonation and fraudulent requests from an outside entity targeting the company’s finance department.

“This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” Ubiquiti wrote in an Aug. 4 quarterly financial report disclosure. 

There is no evidence that Ubiquiti's technology was penetrated or that any corporate information was compromised. 

Ubiquiti didn’t disclose the mechanics of the scheme, but “CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name,” Krebs reports.

For instance, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the numeral 1 for the letter “L”) or “example.co,” and send messages from that domain.

The fraudsters will type in the sender’s actual email address, so that the email appears to be coming from example.com. In all cases, however, the “reply-to” address is at the look-alike domain (e.g. examp1e.com), ensuring that any replies are sent to the fraudster.
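One way a mail filter could check for the header pattern described above, as an added example that is not from the original article or from Krebs. The trusted domain, the small homoglyph map, the two-edit threshold and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's real domain, taken from the article's example.
TRUSTED_DOMAIN = "example.com"
# Small illustrative map of digit-for-letter swaps; not exhaustive.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted=TRUSTED_DOMAIN):
    """True if domain is not the trusted one but is a homoglyph or within two edits."""
    if not domain or domain == trusted:
        return False
    return (domain.translate(HOMOGLYPHS) == trusted
            or edit_distance(domain, trusted) <= 2)

def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    if is_lookalike(from_dom):
        findings.append(f"From domain {from_dom} resembles {TRUSTED_DOMAIN}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        if is_lookalike(reply_dom):
            findings.append(f"Reply-To domain {reply_dom} resembles {TRUSTED_DOMAIN}")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = "From: CEO <ceo@example.com>\nReply-To: ceo@examp1e.com\nSubject: Wire today\n\nPlease send."
LEGIT = "From: CEO <ceo@example.com>\nSubject: Lunch\n\nNoon?"
```

A message with a forged From header and a look-alike Reply-To yields two findings, while a message sent directly from “example.co” is caught by the From check alone.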

"Spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans," Krebs says. 

They do this by looking at employee email addresses and other information on the target’s website to help make the messages look authentic. 

In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the business email compromise scam the crooks trick the victim into doing that for them.