2 Cyber Incidents That Cost One Company’s Clients $6M+
2 votes, average: 4.50 out of 52 votes, average: 4.50 out of 52 votes, average: 4.50 out of 52 votes, average: 4.50 out of 52 votes, average: 4.50 out of 5 (2 votes, average: 4.50 out of 5, rated)
Loading...

2 Cyber Incidents That Cost One Company’s Clients $6M+

Industry experts share their takeaways from these incidents on how to avoid making similar mistakes

Two incidents, about seven months apart.

On Aug. 20, the U.S. Securities and Exchange Commission (SEC) settled charges against a New York City transfer agent whose cybersecurity failures cost its public-issuer clients millions via two unrelated incidents.

Equiniti Trust Company, LLC, which previously went by the name American Stock Transfer & Trust Company, LLC (AST) before its summer 2023 merger, agreed to pay $850,000 in civil penalties. The company also accepted a cease-and-desist order and censure “without admitting or denying the findings[.]”

But what led to all of this? We’ll break down these two real-world cybersecurity incidents to understand how they occurred and share insights from our three tech experts on what lessons can be learned from them.

Let’s hash it out.

TL;DR: A 20-Second Overview of What Occurred

  • AST suffered two incidents seven months apart. The first was an email reply chain hijacking; the second was a breach due to a poorly policed registration portal.
  • The company didn’t follow through on implementing specified protections and enforcing security actions.
  • The company was unaware the incidents had occurred and had to be informed by third parties after the fact.

Keep reading if you want the “deep dive” on both situations. Otherwise, you can jump to our experts’ takeaways on what could have been done differently and how to protect your business from similar cyber threats.

The Deep Dive: What Happened That Lead to These Two Incidents

AST found itself in the crosshairs of the U.S. Securities and Exchange Commission (SEC) after multiple serious security failures that resulted in $6.6+ million in client losses (although some of those funds were ultimately recovered). These failures can be seen in two separate incidents that happened approximately seven months apart.  

According to the SEC’s Aug. 20, 2024 filing about the case, the company violated Section 17A(D) of the Securities Exchange Act of 1934 and Rule 17Ad-12 for two key reasons:

An edited screenshot from the SEC's filing PDF document, which I've highlighted to call out a specific line of text.
Image caption: A highlighted screenshot we captured from the SEC’s previously cited filing.

Let’s examine these incidents more closely before our experts discuss what the company could have done differently to prevent or mitigate them.

Incident #1: Email Thread Hijacking Attack (September 2022)

A threat actor “hijacked a pre-existing email chain” between AST and one of its U.S.-based public-issuer clients. While impersonating the contact at the public-issuer client, the attacker instructed AST to issue “millions of new shares of the issuer, liquidate those shares, and send the proceeds to an overseas bank.”

So, how did the attacker manage to intercept the email chain? Likely through a combination of cunning social engineering tactics. The SEC’s filing on the incident states the attacker:

  • hid their identity using an email domain that was “almost identical to the real Issuer’s domain except for one letter” (a method of email spoofing)
  • imitated the verbal patterns and practices of the legitimate issuer client contact
  • sent instructions (over the course of a month) as a continuation of the existing email chain rather than as a new stand-alone request (likely so as to not raise suspicion)

Basically, they socially engineered the crap out of an unsuspecting AST employee and got away with it until the issuer eventually noticed a discrepancy in its outstanding market shares and called AST’s attention to it.

As it turns out, the cybercriminal(s) transferred approximately $4.78 million to bank accounts located in Hong Kong. AST recovered less than a quarter (~$1 million) of the stolen funds and reimbursed their clients for their losses.

Incident #2 (April 2023): Connecting to Legitimate Accounts Using Stolen Identities

An unknown threat actor used stolen Social Security numbers to create fake accounts via the company’s online platform, which allowed users to self-register accounts. Because the online platform was set up to link accounts automatically by matching the users’ Social Security numbers, the bad guy was able to link his fake accounts to existing legitimate American Stock Transfer accounts and control them from a central portal.

This default setting connected the fake accounts despite other pertinent information not matching — names, addresses, email accounts, etc. This gave the threat actor(s) the opportunity they needed to transfer legitimate account holders’ funds to a third-party bank account they controlled.

Unbeknownst to AST, the threat actors were able to liquidate ~$1.9 million from those legitimate accounts and transfer the proceeds to external bank accounts. Thankfully, the third-party bank flagged the transactions and reached out to confirm they were legitimate. Because of the bank’s awareness and prompt action, AST was able to recover most (~$1.6 million) of the stolen funds.

The Good: How AST Responded to the Incidents

Hindsight is 20/20. It’s easy to say what you would have done differently if you could go back and change the outcome of a situation. But let’s start by looking at what the SEC says the transfer agent did in response to the 2022 and 2023 incidents once they were made aware:

  • Cooperated with the authorities after the fact. Some would say that this is the basic thing that every company should do in light of a data breach or cyber incident. But as we’ve learned over the years (think Uber), that’s not always the case, as some companies try to sweep breaches and other incidents under the rug.
  • Hired a Chief Control Officer. The job of a CCO is to take the lead in overseeing the company’s cybersecurity initiatives.
  • Shut down the self-registration portal. Once it became apparent what happened, they took down the online portal, launched an investigation, and made security improvements to the system.
  • Used the services of a third-party cybersecurity vendor. This outside firm conducted a forensic review of AST’s systems to identify any vulnerabilities
  • Reimbursed clients and account holders. Losses that were incurred as a result of the cyber incidents were reimbursed by AST (as should be expected). 

The Bad: What the Company Could Have Done Better

Let’s consider how the company could have caught and stopped what was happening and what it could have done to prevent these issues from happening in the first place. I’ve asked our illustrious “Tech Trio” to share their insights:

  • Scott Barr, IT Administrator at TheSSLstore.com who used to work for the U.S. Department of Defense and military contractors
  • Jeremy Caban, DevOps Engineer who previously served as TheSSLstore.com’s IT Administrator
  • Bradley Jackson, Director of Software Engineering who worked for two trading companies

#1: Following Through on Implementing the Necessary Protections

Several months before the first incident, AST emailed employees warning about industry fraud concerns (including fake wire transfer requests) and providing key guidance on how to avoid falling for scams. The January 2022 email went out to relationship managers who interact directly with public-issuer clients and other employees involved with payment processing.

However, the company failed to implement the outlined safeguards and procedures despite knowing the steps that needed to be taken. As such, AST left itself — and the security of its public issuer clients’ investments — vulnerable to exploitation.

But even if the company had followed through, Jackson reminds us that simply implementing these things wouldn’t necessarily be enough. Enforcement is key:

“At the end of the day, no matter what precautions should have been taken, they’re negated if the company isn’t willing to enforce them. A lot of companies have a ‘security last’ mindset; they don’t care about it until it’s too late.” — Bradley Jackson, Director of Software Engineering

#2: Adopting a Zero-Trust Mindset and Approach Across Its Architecture

Zero trust is the idea of continuous authentication using verified digital identity. Having ways to verify that people are who they say they are crucial and can’t be taken for granted. This comes in many forms, including using client authentication certificates and multi-factor authentication apps.

An example screenshot I captured from an MFA solution that doesn't rely on SMS text notifications or alerts.
Image caption: A screenshot I captured of an app-based MFA solution.

But did you know that zero trust doesn’t only apply to your employees? This approach also applies to verifying the identity of your customers and other users. Jackson highlights the importance of having checks in place that verify customers’ personal data beyond one identifying factor.

“Just because some data matches up, you shouldn’t assume it’s ok to connect two systems together. Always verify. A simple 2FA to an email or SMS asking if this was a valid connection would have stopped it from happening.” — Bradley Jackson, Director of Software Engineering

While Caban agrees that implementing MFA is important, he takes it a step further, pointing out that traditional SMS-based text verification isn’t enough. “I’d avoid using text message-based MFA since we now know that it’s an unsecure method that can be spoofed. It’s better to use authentication apps that use push notifications.” 

Barr also voices concerns about using Social Security numbers as a single identifying factor to link accounts.

“Recently, virtually every Social Security number was stolen. So, any existing computer system that relies on an SSN for authentication or to enable action needs to be reviewed. As Social Security numbers are no longer a trusted verification method, they should no longer be regarded as having a golden key to get access to anything.” — Scott Barr, IT Administrator

#3: Training & Testing Employees on Phishing & Social Engineering Tactics

The first incident (September 2022) largely boils down to human error. When there are humans involved, there’s still always going to be risk. All it takes is one mistake for your company to find itself in a similar situation.

So, what can you do to reduce these risks?

  • Educate employees about social engineering techniques. Use real-world examples of phishing messages your organization has received, along with those shared by other companies, to demonstrate the types of messages they might receive in the wild. Teach your employees how to recognize phishing messages and email chain hijackings.
  • Implement continuous phishing simulation tests. Phishing simulations are key to determining the usefulness of your training sessions and whether employees are implementing the lessons learned. 
  • Teach employees how to report phishing communications. Whether it’s a phishing email or a phone call, inform employees about how they should report these cybersecurity incidents.
  • Encourage an environment of open communication. Penalizing employees for reporting a potential phishing scam will only encourage your employees to hide their mistakes. Instead, encourage employees to report security incidents immediately to mitigate potential damages. However, make it clear that there are consequences if a pattern of carelessness is demonstrated over time.  

Jackson reiterates that you must drive home the importance of phishing awareness by making it matter to your employees:

“Social engineering is a huge problem and there’s not a great solution… people are gullible. In my opinion, the best way to teach these things is to show that there are consequences for not doing them properly, ending in job termination for repeated offenses.” — Bradley Jackson, Director of Software Engineering

#4: Enforcing Security Processes and Procedures

You can have the best tools, rules, and processes in place. But if they’re not enforced, then they’re virtually useless. For example, the employee in the email thread hijacking situation failed to implement the call-back procedures to verify whether the request was legitimate through a phone call. Instead, they communicated with the threat actor via email instead.

Barr says that while having a call-back requirement in place, companies should go above the base minimum: “Yes, they have a verbal voice check. But then once that is complete, the transaction should still be forwarded to a senior for review before execution.”

Verify Employees Read & Agree to Adhere to the Company’s Security Procedures

AST failed to confirm whether its employees opened the security guidance email. One way it could have ensured they read it is to make reading and acknowledging those messages a mandatory part of their employment. This could involve:

  • posting the information on an internal page with a tracking link that tracks users
  • requiring the user to scroll down through the entire page
  • mandating employees sign an electronic form, acknowledging that they’ve read and agree to adhere to the requirements.

For the cherry on top, you could also require them to complete a brief quiz. This way, they’ll have to be able to recall the information to pass.

#5: Implementing Proper Web App Testing to Mitigate Risks

In the case of the April 2023 attack, the cybercriminal was able to exploit previously stolen national identity numbers (Social Security numbers) to create fake accounts that could be merged with legitimate ones in AST’s system. 

One way the company could have avoided this was to carry out some penetrating testing to identify vulnerabilities that bad guys could exploit. This can be done using automated testing tools you run in-house and by hiring outside human testers:

“As far as testing goes, you can hire gray/white hats to do testing and pen testing on your systems. This likely would have at least resulted in some discussion around linking accounts.” — Bradley Jackson, Director of Software Engineering

The Ideal: How to Make Your Organization More Secure

In addition to learning from AST’s mistakes, there are additional steps you can take to make improvements within your own environment.

Get Cozy With Your Third-Party Vendors and Partners

One crucial way to make your data and systems more secure is to get to know your partners, contractors, and other third parties who have access to them. Now, I’m not suggesting that you should hold slumber parties where you braid one another’s hair or play video games together. But it’s a good idea to learn more about how a company operates in terms of its security procedures and priorities.

Caban says it’s crucial to ask questions upfront before getting involved with another business:

“Ask questions on how a company handles security. Think of a few example questions to present to them before deciding to do business with them, and more importantly, before letting them handle their assets/money.

If I want to do business with company A to handle my money, I should first ask them how they handle back end security to make sure to avoid these types of attacks. If they don’t have at least some basic policies in place, find someone else.” — Jeremy Caban, DevOps Engineer

Demand More When It Comes to Security

No one wants to be the next data breach headline. Don’t be afraid to ask the hard questions or convey your expectations. If they want to do business with you, then every company worth its salt should strive to meet rigorous security expectations.

This includes asking them to implement certain security measures that will help to ensure your engagements with them are as secure as possible.

One such way Barr recommends is requiring companies to digitally sign their emails:

“There could be a burden placed on the clients to have an email account with an S/MIME certificate to conduct communications regarding transactions. This may seem to be a high burden, but it cuts a lot of the potential issues out. Digitally signing and encrypting emails, particularly when dealing with these types of high-value transactions, doesn’t seem too much of a burden.” — Scott Barr, IT Administrator

Set Up Email Protections to Fight Fraudulent Emails From Your Domain

In the September 2022 situation, it’s possible that the public-issuer’s account was compromised (although the SEC does not specify how the email chain hijacking occurred). In this situation, there’s not all that much you can do technically to prevent these phishing attacks involving compromised third-party accounts. However, there are steps you can take to prevent your company’s good name and domain from being used in similar attacks against partners and other stakeholders:

Set Up Domain Name System (DNS) Protections

Setting up email protocols such as DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting & Conformance (DMARC) through your DNS adds another layer of security to your emails.

Are these methods foolproof? No, but then again, nothing is 100% foolproof. There are still ways bad guys can around these email security protocols. But every layer added to your security means another defense hurdle that bad guys must overcome in their efforts to scam your colleagues, customers, or vendors.

Use Email Signing Certificates

These digital certificates add a layer to email security through sender authentication and data integrity verification. This way, recipients know that your messages were sent by you and haven’t been manipulated since they were sent. 

An example of an email digital signature that was created using an S/MIME digital certificate (i.e., an email signing certificate)
Image caption: An example of what a digitally signed email looks like in Outlook 365. If you click on the ribbon, it’ll display the signer’s verified digital certificate and timestamp data.

Implement BIMI and use Verified Mark Certificates (VMCs)

These certificates enable you to see up front (in the inbox) whether an email has been sent from a domain’s legitimate account.

BIMI before and after comparison graphics
Image caption: An example comparison that displays emails in recipients’ inboxes that display verified trademarked logos (right) using Verified Mark Certificates in combination with BIMI versus emails that don’t.

Final Thoughts

Let’s let one of our experts help us draw final conclusions to wrap things up. The September 2022 incident is likely the most difficult to prevent because no matter how many protections you have in place, cybercriminals are always looking for the cracks in your human firewall. This is where phishing training and simulations can help.

“Social engineering is the most difficult thing to come up with solutions for because people are simultaneously incredibly smart and incredibly dumb,” said Jackson. “But using training solutions like KnowBe4, which mimic actual attacks in a safe sandbox, and creating a culture around zero trust would help tremendously.”

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.