Cyber frauds target GCC corporate sector? | THE DAILY TRIBUNE | KINGDOM OF BAHRAIN

Cyber frauds target GCC corporate sector?

A cyber attack targeting corporate sectors across the GCC has been reported of late. Apart from the widely reported incident involving Saudi-based Aramco, in which the company prevented a fraudulent payment to a Bangkok-based bank account, a few more similar cases have come to light, a cyber security firm in the region revealed yesterday.

The fraudsters, who impersonate C-level executives, send e-mails from addresses that closely resemble the genuine address, often differing by only a single letter.

In the case of Aramco, the e-mail address of a top executive of its client, Indian oil behemoth ONGC, was mimicked to start a correspondence and initiate a financial exchange. Even though unsuccessful, the incident sheds light on the vulnerability of the corporate sector to such acts.

Mirza Asrar Baig, CEO of IT Matrix, an information security provider, said that the region was increasingly being targeted by fraudsters and that the latest incidents are a continuation of such activities.

IT Matrix has been sending out advisories regarding similar attacks. He added, “Many companies have informed us that they were/are also subject to similar attacks.”

At least 10 organisations in the GCC were subjected to this attack in the last two days. The advisory sent on October 19 says, “An Email impersonating the CEO, coming from Gmail accounts (ceoofficecontact@gmail.com, ceoportal2@gmail.com, ceeofficial101@gmail.com, ceoofficial001@gmail.com etc.) is sent to a bank staff asking for confirmation on a same-day-transfer against some professional services. Once the staff sends back the confirmation, he will receive the account details from the same bogus CEO e-mail account.”

Mirza explained: “We are experiencing an exponential growth in cyberattacks in GCC, specifically the financial scams. I believe one of the biggest challenges in addressing cyberthreat is the human element where ‘social engineering’ bypasses all security control. What can technology do if the target individual himself hands over the password or credit card data to a scammer?”

“Information Security should not be treated as the sole responsibility of the IT staff, but it is the responsibility of all individuals. All staff members in an organisation have to know and conduct their information security role,” added Mirza.