Scammers who bilked Mobile Housing Board (MHB) of almost $500,000 through an email phishing scam left several clues to their identity that could have been detected, a local information technology and cybersecurity expert told Lagniappe last week.
Scammers were able to infiltrate the email system of either MHB or the vendor in question, Hunt Companies, Abe Harper, president of Harper Technologies, said. The scammers hacked into one of the accounts and watched the email correspondence referencing payments for the demolition of Roger Williams Homes and were able to craft a message similar in tone, using a different account, to ultimately bilk $478,000 in federal funds from MHB.
Phishing scams are not unusual, Harper said, and can be more complex than the example with MHB. The reason it keeps happening, he said, is because it’s effective and often very lucrative for the “bad guys.”
In cases like this, the life cycle is similar, Harper said. Before “day zero,” or when a victim learns of the scam, scammers can spend days or weeks executing their plan. For instance, he said, there’s what is referred to as an “initial exploit,” where scammers will “attach themselves to a network or device.” There are different methodologies scammers can use to do this, but one of the most common is through what is called a “clear-text” password. If a system uses a “clear-text” password, scammers can see the password used at several different points, Harper said.
There is also some reconnaissance involved to assess the value of a given target, Harper said.
“By the time it gets to a point where someone knows something is wrong, [scammers] have profited from it somewhere,” Harper said. “It’s a very, very nasty game these guys play.”
In some cases, scammers steal and sell personal data and in others they take money.
Lagniappe acquired some of the MHB emails in question through a records request and asked Harper to review them. Among other services, Harper Technologies provides forensic analysis and expert witness testimony to cyber crimes.
Harper pointed to two inconspicuous changes to the name of the sender’s email account, a telltale sign of phishing that could have tipped off former MHB chief financial officer Lori Shackelford. Shackelford retired shortly after the incident.
In a May 7 email referencing payment for the demolition of the Roger Williams Homes complex, someone using the address email@example.com looks to have taken over an email exchange with Shackelford. This is important because that address was a change from firstname.lastname@example.org and also from a previous address of email@example.com.
While the first change seems legitimate, Harper said, the second address change — replacing the “o” in companies with a zero — seems to be where scammers took over the conversation.
“The average person is not going to verify every character of an address if they recognize the name,” Harper said.
Another calling card is the relatively rapid pace at which the emails were sent once the rogue account had control of the conversation, Harper said.
The frequency of emails increased dramatically May 10. While messages before that in the ongoing conversation appeared to be sent maybe daily, starting on May 10 messages from firstname.lastname@example.org began appearing in Shackelford’s inbox almost hourly. Between 9:25 a.m. and 12:25 p.m. there were six emails that came through the fake account. Harper said scammers do this in order to keep victims from thinking clearly.
“The emails get extremely close together,” Harper said. “This is part of the M.O. because it gives recipients less time to think. It gives the recipient they interact with less time to create a response.”
Another issue is the change in the number of people to whom the messages reply. At first, the exchange between Shackelford and Boucher included former Mobile Development Enterprises employee Cole Appleman, Mark Straub with Pennrose Properties, Robert Kelly and Russell McSpedden, but the number of recipients dwindles from there. By the end of May 7, the chain had been reduced to the scam emailer replying only to Shackelford.
Phishing and other scams can be hard to defend, Harper said. They are becoming more common as well. Harper cited an FBI report indicating scammers have stolen $12.5 billion since 2003, including $9 billion over the past three years.
“Talk to anyone within a federal department and they’ll say it’s like whack-a-mole,” Harper said. “If you knock one down, three more pop up.”
Anti-virus software does not pick up on these types of scams because the email will appear to be normal, Harper said.
There are companies that specialize in protection against phishing and other scams, Harper said, but it’s important users know the signs and help guard against it themselves. It can be tough, too, because scammers use a type of social engineering to get what they want.
“Looking at it, you’re fighting against someone who is not fighting fair,” Harper said.
In matters where a large sum of money is being exchanged, Harper suggests simply making a phone call to verify.
“We encourage our clients to not send any type of financial information over email,” he said. “Request and submit the wire information verbally, then follow up with written documentation. These guys are very, very intelligent and aggressive.”