Cyber criminals take money directly from a solicitor’s trust account
29 April 2020
The first sign of trouble for a regional Queensland law firm was that they were unable to log into their trust account. The culprit was not a Covid-19 network problem but sophisticated malware (“Gozi Injects”) that had come into the firm’s network attached to an invoice.
Most trust fund diversion relies upon tricking the sender into depositing funds to the wrong destination, but this new form of attack is more insidious. The malware allowed the attackers direct access to the trust account. The first thing they did was lock the firm’s staff out, then they started the process of emptying the account. The trial transfer was modest - $40,000 to avoid alerting the bank’s anti-fraud systems. However, with uninterrupted access and a few hours’ head start there was little to stop the attackers stealing the entire balance, several million dollars in this case.
Luckily the story has a happy ending – this time. Rather than assuming that the inability to access the account was a temporary anomaly, the firm immediately contacted the bank and warned them something was wrong. When the unauthorized withdrawal was identified the bank was able to trace and recover the money while it was still in transit (it had left Australia but was still in the UK). As the ILP director is a full QLS Member, the QLS Cyber Essentials insurance will fund an expert team from one of Australia’s leading IT security firms to undertake what can otherwise be a very expensive removal and repair process.
Every law firm must treat this as a warning. Specialist cybercriminal gangs target particular industries and once they have a formula that works they will run protracted campaigns to exploit the vulnerability. It is possible that this is only the first of many targeted attacks on Queensland law firms using this method.
Such attacks can be much worse. Not only could the thieves have escaped with the money, some variants of this malware change the keystrokes in a legitimate transfer: the practitioner transfers $100 to account no. 123, but the malware in the browser changes this to $100,000 to account no. 456.
The malware then deletes itself, making it very hard to track what has happened and very hard to prove that you were not a party to the theft.
What can you do to make your firm more resistant to banking trojans?
- First and foremost: ensure all software is up to date. Most crucially, this includes operating systems, browsers and all Microsoft products.
- When the software on a computer can no longer be updated, ask your IT provider if a newer device will run the latest and most secure software; consider making the upgrade now. Do not allow banking from insecure home devices, and make sure any document edited or opened on a home network is checked before entering the work environment.
- Check your trust account at least daily, following up quickly on any unexplained transactions or anomalies.
- Install and maintain a good quality anti-malware & virus suite on all work devices, including any phones that might be used to operate bank accounts.
- Train staff to inspect attachments carefully, in particular that the last three letters in the file name are what you would expect: e.g., an invoice is .pdf, not .pdf.exe.
- Talk to your IT support about how feasible it is to limit macros and PowerShell on your network.
- Consider a web filtering technology to prevent malware from accessing malicious sites on the internet.
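As an added illustration of the attachment check in the list above (example code written for this page, not QLS guidance or any firm's tooling), the Python function below applies the rule that the last extension decides what the operating system will do with a file, and it also catches names padded with spaces or dots to push that last extension out of view. The file names it is run on are constructed samples.

```python
import re
from typing import NamedTuple

# Extensions Windows will run directly when the attachment is opened.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
              "vbs", "vbe", "wsf", "hta", "ps1", "msi", "lnk", "jar"}
# Office formats that can carry VBA macros.
MACRO_ENABLED = {"docm", "dotm", "xlsm", "xltm", "pptm", "ppsm"}
# Document types staff would expect for invoices and correspondence.
DOCUMENT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}


class Verdict(NamedTuple):
    block: bool
    reason: str


def check_attachment_name(filename: str) -> Verdict:
    """Classify an attachment by its name alone (no content inspection)."""
    # Collapse runs of spaces/dots placed before an extension, so that
    # "invoice.pdf            .exe" is judged as "invoice.pdf.exe".
    name = re.sub(r"[\s.]+\.", ".", filename.strip().lower())
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return Verdict(True, "no usable extension; hold for review")
    last = parts[-1]                               # what the OS acts on
    inner = parts[-2] if len(parts) > 2 else ""    # what the eye sees
    if last in EXECUTABLE:
        if inner in DOCUMENT:
            return Verdict(True, f"executable disguised as .{inner} (.{inner}.{last})")
        return Verdict(True, f"executable attachment (.{last})")
    if last in MACRO_ENABLED:
        return Verdict(True, f"macro-enabled Office file (.{last})")
    if last in DOCUMENT:
        return Verdict(False, f"document (.{last})")
    return Verdict(True, f"unrecognised extension (.{last}); hold for review")


# Constructed sample names, not taken from the incident described above.
SAMPLE_NAMES = ["Invoice_2020.pdf", "Invoice_2020.pdf.exe",
                "invoice.pdf            .scr", "statement.xlsm",
                "remittance.docx", "archive.zip", "notes"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = check_attachment_name(n)
        print(f"{'BLOCK ' if v.block else 'allow '} {n!r}: {v.reason}")
```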
For more information contact David Bowles, QLS Ethics & Practice Support: (07) 3842 5843
Banking Trojans have been around for a long time, but they are constantly evolving and being re-weaponized. This is the first time a Queensland firm’s trust account has been directly accessed in this way.