The Federal Bureau of Investigation has issued an alert to law enforcement regarding a business email hack that nearly resulted in the theft of $1m USD from an Indian casino in the state of Washington. The FBI warns that other casinos are potentially at risk given that the spearphishing attack appears to have originated from a vendor servicing multiple casinos. According to the FBI:
“FBI Seattle Field Office is releasing this report to alert law enforcement of a Business Email Compromise (BEC) scheme targeting an Indian casino located in the State of Washington, as of March 2016. FBI Seattle was in receipt of information indicating an unidentified actor sent phishing emails to the identified Indian casino, likely hacked an associated project management company and generated fraudulent emails impersonating the former Controller of the Indian casino in order to send a request for the wire transfer of nearly $1 million to two bank accounts in Hong Kong.
The bank that housed the Indian casino’s accounts stopped the wire transfer after it called to confirm the wire request with the casino’s Director of Finance. A review of the wire transfer request indicated it was sent using the former casino Controller’s email account and altered wire transfer request forms.
The casino’s Information Security Officer believed two separate phishing emails were used to gain access to the casino’s computer network. The first phishing email appeared to be sent internally from the casino’s scanner to the casino’s Director of Finance’s email account. The casino’s Director of Information Technology believed the email contained a malicious attachment which was opened and allowed unauthorized access to the computer which housed prior wire transfer requests.
Several employees of the tribe’s Office of Legal Counsel received a second phishing email with a malicious attachment on 30 March 2016 from what appeared to be the president of the project management company who worked on the casino’s expansion project. The subject line of the email was “IMPORTANT AND CONFIDENTIAL,” the body of the email stated, “I’ve shared an item with you. Please find the shared document checklist for your reference.” The attached file was titled “List.pdf.” The casino’s Information Security Officer believed legitimate forms previously sent to the project management company were altered to add the casino’s logo and the intended recipients of the fraudulent transfer.
The casino’s Information Security Officer assessed the project management company’s computer network likely also was hacked by the unidentified actor. The project management company was known to work with several Indian-owned casinos throughout the United States; potentially putting other Indian-owned casinos at risk to be targeted by the same BEC Scheme. According to the project management company’s website, the company worked on Indian casino projects in Idaho, Washington, New York, and New Mexico but also claimed to be active in other regions.”