Water tap

An unnamed UK-based regional water supply company lost over £500,000 ($645,000) in a sophisticated scam that involved social engineering, an inside man, and international bank transfers.

The story behind the scam was included in this year's Verizon Data Breach Digest report, a mash-up of short stories from various data breach investigations. In the report, the water supply company's name was removed.

Mysterious attacker steals over £500,000

In one particular story, the report reveals the timeline of a data breach investigation carried out by a global law firm which was called in to investigate an incident reported by the UK water supplier.

The story starts when the company discovered that several SMB (Small-to-Medium Business) clients had been locked out of their accounts. When those customers regained access to their dashboard, they found new bank account details attached to their profiles.

An investigation on the water supply company's side revealed that for all accounts, someone had requested refunds for previous business transactions.

With the help of law enforcement, the water supply company discovered that the refunds — totaling over £500,000 — were all sent to two bank accounts in England. An investigation at the banks revealed that the account owner had socially engineered the bank to transfer 90% of these funds to new accounts overseas, in Dubai and the Bahamas.

Attacker converts stolen funds to Bitcoin

At this point, the money was converted to Bitcoin and sent to new accounts via a Bitcoin tumbler service, which helped the crook hide his tracks under thousands of small transactions.

An investigation at the breached water supply company didn't reveal any trace of a malware infection that could have aided the attacker.

With no other trail, the law firm investigating the data breach then decided to research how the accounts were managed internally. This led investigators to a call center in Mumbai, India, where the water supply company had outsourced its customer support operations.

After reviewing CRM software logs, it soon became apparent that only one call center employee had accessed all the business accounts that requested refunds. Despite this, that employee never initiated the refunds.

A call center employee was the "inside man"

After an interview with the suspected employee during which the accused denied any involvement, investigators got him to sign an affidavit that allowed them to search his home computer.

"An initial review of the user’s home computer system revealed very little data," investigators said. "In fact, so little was found on the system that it appeared to have been systematically cleaned using data wiping software."

But the call center employee made a mistake. That mistake was forgetting to wipe the hard drive's shadow volume copies. Here is where investigators found copies of email exchanges between the employee and a UK-based individual, which later turned out to be his cousin.

Call center employee was taking photos of customer details

The call center employee was taking photos with his phone of his work PC's screen and sending the images to his cousin. These images were of the CRM profiles of the SMB clients who were locked out of their accounts.

The cousin would then initiate a password reset for those accounts, or where this wouldn't be possible, pass as the customer and request the password reset via phone.

Once he had access to the accounts, he would change the customer's bank account details, and initiate a refund to his own account. The money would reach the UK banks, where the crook tricked bank employees to make them believe these were foreign deposits, and ask them to forward the money to his Dubai or Bahamas accounts.

Seeing no other way out, the call center employee eventually ended up working with law enforcement and helped them initiate and record another refund, confirming his details, and helping officials secure a conviction for his cousin.

Verizon's yearly Data Breach  Digest report

The Verizon Data Breach Digest is a yearly report that includes some of the newest, weirdest, or original data breach stories collected by the company's cyber-security team called in to investigate various incidents.

The report is one of the most interesting things a cyber-security expert can read. For example, last year's Verizon Data Breach Report included some fascinating stories, such as how African sea pirates have collaborated with a hacker to breach an international shipment company and used the info to hijack only ships carrying high-value cargo, such as jewelry or expensive electronics.

Another story from last year's report is the tale of another water supply company, which had its ICS-SCADA systems hacked, but the hacker didn't know what to do and altered water treatment parameters at random. Nobody was harmed in the incident.

This year's Verizon Data Breach Digest also includes the story of how a university got DDoSed by its own IoT devices and the story of an IT admin that planted a "time bomb" in his company's database.

For in-depth statistics about data breaches, in general, you can also check out Verizon’s 2017 Data Breach Investigations Report, which is a different report, released two weeks ago.