In a planned operation akin to a blockbuster film script, a group of fraudsters conned Norwegian state-owned investment fund Norfund out of $10 million (£8.1 million) by hacking into the company's email system and falsifying communications with a Cambodian institution.
Owned by the Norwegian Ministry of Foreign Affairs and funded from the state budget, Norfund is a private equity company engaged in funding insititutions in developing countries to fight poverty and support economic growth. In 2019, the investment fund had committed investments of up to 24.9 billion Kronas (over £2 billion).
On 13th May, Norfund announced via a press release that it has been exposed to a serious case of fraud through an advanced data breach. According to the company, a group of fraudsters was able to access information concerning a loan of $10 million from Norfund to a microfinance institution in Cambodia.
Following an investigation, it was identified that Norfund’s email system was compromised by hackers for several months. They patiently monitored Norfund's email communications with its clients, gathered information, and created an account impersonating a member of staff authorised to make payments.
“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content, and use of language. Documents and payment details were falsified,” the announcement read.
Norfund said that that the fraud took place on 16th March when the hackers extensively manipulated email communications between Norfund and th Cambodian institution and were successful in diverting funds to an account not belonging to the intended recipient. However, the account holder bore the exact same name as the Cambodian institution, a fact that delayed the discovery of the fraud by as long as two weeks.
According to Bitdefender, the scammers used Norfund’s email system to notify the LOLC that that the payment had been delayed due to the Coronavirus pandemic and Norfund received fake emails claiming to come from LOLC in Cambodia. This resulted in a missing $10,000,000 loan and no one realised this until the scammers attempted another fraud on April 30.
“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this,” said CEO of Norfund, Tellef Thorleifsson.
“This is a very unfortunate situation. We now have to get a full overview of the chain of events in order to get to the bottom of this. Based on findings, we will introduce further measures and strengthen routines to prevent this from happening again,” said Olaud Svara, Chair of Norfund's board of directors.
So far, Norfund has not uncovered any further fraud attempts apart from the two above mentioned incidents. It is working closely with The Norwegian Centre for Information Security, the Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime and DNB to get a full overview of the situation and has already introduced measures to strengthen routines and halted all payments.
“Fraud cases of this kind are performed by very sophisticated criminals. With access to e-mail communication between two parties, they can familiarize themselves with how the parties correspond. The payments they initiate therefore deviate very little from ordinary payments performed by the victimized company and become very hard to detect and prevent,” said Terje A. Fjeldvær, head of fraud prevention at DNB (Norway's largest financial services group).
The fraudulent operation involving Norfund is eerily similar to an elaborate phishing scam from 2017 that involved cyber criminals duping Google and Facebook employees into transferring up to $100 million to their offshore bank accounts. In those two years, Evaldas Rimasauskas, a Lithuanian national, targeted employees at Google and Facebook with spear-phishing attacks by impersonating a vendor company and swindled $121 Million (£92 million) from both companies.
Once he received the said payments, he transferred the money to a number of banks located in countries like Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. He was sentenced to five years in prison and fined over $49.7 million by the Manhattan federal court in December 2019.
In November last year, Nikkei also announced that an employee at its US subsidiary was duped by a cyber criminal into transferring as much as $29 million (£22.6 million) to the latter's account. The phisher reportedly posed as a management executive of Nikkei to convince the unsuspecting employee into transferring the funds.