Ubiquiti Networks Victim of $39 Million Social Engineering Attack

Ubiquiti Networks Inc., the San Jose-based manufacturer of high-performance networking technology for service providers and enterprises, announced in its fourth-quarter fiscal results that it was the victim of a business email fraud incident resulting in a loss of $39.1 million.

In its Form 8-K filing to the SEC the company stated it became aware on June 5th 2015 that it was the victim of a "criminal fraud". It appears a member of staff in one of its subsidiary companies based in Hong Kong fell victim to what is known as a "CEO scam" or a "Business Email Compromise" (BEC) attack.

As outlined in this Brian Krebs post, a CEO scam is one where criminals either hijack or impersonate the email account of a senior member of staff within the organisation. They then target someone in the finance department, or someone who has authority to initiate wire transfers, and fool them into transferring large amounts of money from the company's bank accounts into bank accounts controlled by the criminals. Very often the emails will state that a vendor, or another entity the target company deals with, has changed their banking details and that future payments should be transferred to the accounts the criminals control.
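The indicators in that description (a senior person's name on an address outside the company domain, a Reply-To that diverts the conversation, and "urgent"/"changed bank details" wire-transfer language) can be screened for mechanically before a message reaches the finance team. The script below is an added example, not code from the original post or from Ubiquiti, the FBI or Krebs; the corporate domain example.com, the executive list, the keyword list and both sample messages are constructed for illustration, and the lookalike-domain check is a deliberately simple one-edit heuristic.

```python
"""Heuristic Business Email Compromise (BEC) screen for inbound mail.

Added example for illustration only. CORP_DOMAIN, EXECUTIVES, the keyword
list and the two sample messages are all constructed, not real data.
"""
import email
import re
from email.utils import parseaddr

# Assumption (constructed): the company's real mail domain and its executives,
# keyed by the display name a forged message would reuse.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}

# Phrases that recur in wire-transfer fraud requests (constructed list).
PAYMENT_TERMS = re.compile(
    r"\b(wire transfer|wire|bank(?:ing)? details|account number|swift|iban|"
    r"urgent(?:ly)?|confidential|new account)\b",
    re.IGNORECASE,
)


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain, target):
    """True if the sender's first label contains or is one edit from ours."""
    d, t = domain.split(".")[0], target.split(".")[0]
    return domain != target and (t in d or _edit_distance(d, t) <= 1)


def score_message(raw):
    """Return a list of human-readable BEC indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []

    # 1. An executive's display name on an address that is not their real one.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"identity: display name '{name}' on non-corporate address {addr}")

    # 2. Sender domain that imitates the corporate domain.
    if from_dom != CORP_DOMAIN and _lookalike(from_dom, CORP_DOMAIN):
        findings.append(f"identity: lookalike sender domain {from_dom}")

    # 3. Reply-To pointing somewhere other than the sending domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"identity: Reply-To {reply_addr} diverts replies away from {from_dom}")

    # 4. Payment / bank-detail language in subject or body (plain-text messages).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    terms = sorted({m.group(0).lower() for m in PAYMENT_TERMS.finditer(text)})
    if terms:
        findings.append("payment: " + ", ".join(terms))
    return findings


def is_bec_suspect(raw):
    """Escalate only when an identity anomaly coincides with payment language."""
    findings = score_message(raw)
    identity = any(f.startswith("identity:") for f in findings)
    payment = any(f.startswith("payment:") for f in findings)
    return identity and payment


# Constructed sample messages: one forged CEO request, one genuine note.
FRAUD_MSG = """From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Reply-To: jane.doe.ceo@mail-example.net
Subject: Urgent wire transfer

Please process an urgent wire transfer to our new vendor account today.
The bank details have changed; keep this confidential until it is done.
"""

LEGIT_MSG = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board deck

Please review the Q4 board deck before Friday.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MSG), ("legit", LEGIT_MSG)):
        print(label, is_bec_suspect(raw), score_message(raw))
```

Run as a script it prints the findings for both messages; the forged one trips all three identity checks plus the payment-language check, the genuine one trips none. A screen like this belongs at the gateway or in the finance mailbox as a flag for out-of-band verification by phone, not as an automatic block, since the decisive control is still a second person confirming any change of payee details.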

In its SEC filing, Ubiquiti Networks outlines how the fraud occurred and says "The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties."

When it became aware of the fraud, Ubiquiti Networks contacted its financial institutions and law enforcement agencies. So far it has recovered $8.1 million of the stolen money, with an additional $6.8 million "currently subject to legal injunction and reasonably expected to be recovered by the Company in due course".

Ubiquiti also conducted its own independent investigation with the assistance of external third parties which concluded on July 17th. That investigation "uncovered no evidence that our systems were penetrated or that any corporate information, including our financial and account information, was accessed. The investigation found no evidence of employee criminal involvement in the fraud" but that "the company's internal control over financial reporting is ineffective due to one or more material weaknesses." The company has subsequently "implemented enhanced internal controls over financial reporting since June 5, 2015 and is in the process of implementing additional procedures and controls pursuant to recommendations from the investigation".

Ubiquiti is not the first company to fall victim to such an attack. These types of attacks have become so common that in January of this year the FBI issued a warning to businesses to be aware of them. In its warning the FBI states that there were 2,126 victims of this type of fraud between October 2013 and December 2014, 1,198 of them in the United States, with losses totalling $214,972,503.

The FBI gives the following advice to avoid falling victim to this scam

Given the impact such an attack can have on a business, it would be prudent for companies to review their internal financial controls, in particular requiring out-of-band verification and dual approval for any change to payee bank details or any unusual wire transfer, and to ensure effective security awareness training is given to staff with key roles in the organisation.


Brian Honan
