Fake Zoom invite warning: The click that cost a hedge fund $8.7 million

Image / 123rf

Sydney hedge fund Levitas Capital has collapsed after one of its founders clicked on a link in a fake Zoom invite - which triggered a malicious software program to be planted on the company's network. This, in turn, allowed cyber-criminals to take control of its email system and fire-off A$8.7 million ($8.73m) in bogus invoices. (See below for a guide to spotting fake invites.)

Government agency Cert NZ and experts warn the same thing is happening on this side of the Tasman, with cyber crims exploiting security gaps that have emerged amid Covid work-from-home surge.

Levitas Capital had A$75m under management before the incident, which took place in September but was only revealed this week.

In the end, a stop was put on the scam after a chance check on accounts discovered the invoices were being paid to an ANZ account, which Levitas had never previously dealt with.

A Pakistani national walked into an ANZ branch and withdrew A$240,000 via a bank cheque on the account, then went on a 60-purchase shopping spree. He also withdrew cash from 64 ATMs around Sydney before fleeing the country.

Despite the offender's energetic efforts, all bar A$800,000 of the stolen funds were recovered. Regardless, Levitas was forced to close after its largest institutional client, Australian Catholic Super, lost confidence and withdrew all its money (some A$16m) in the wake of the attack, according to a News.com.au report.

Malicious links in email are nothing new, but the Zoom angle is - and it's part of a trend toward exploiting workplace trend in the age of Coronavirus. New South Wales police say there has been a spike in attacks on hedge funds and private equity firms this year, as informal checks were weakened due to staff working at home as a result of the pandemic.

CertNZ tracks spike

Here, Crown cybersecurity agency Cert NZ is seeing the same trend.

"We've seen a significant rise in reports of unauthorised access to organisations' networks within the last six months as more and more people work remotely," Cert NZ response manager Nadia Yousef says.

"The incidences of fake Zoom invitations is one example of this."

The agency is due to release its next quarterly report tomorrow, and Yousef says it will reveal a jump in the type of scam that hit Levitas.

"Business email compromise has been on the increase since quarter two, and has led to significant financial loss to businesses and organisations throughout July, August and September," the Cert NZ manager says.

"It appears that while New Zealanders' working dynamic has shifted, their cybersecurity measures haven't followed suit.

"For example, where businesses and organisations had previously treated sensitive information with kid gloves some are now sharing it with colleagues via unsecured messenger services," she says.

"Now is not the time to be complacent. New Zealanders have to look at the new ways they're working, and match their cybersecurity accordingly.

"This means getting into the habit of having long strong, unique passwords, using two-factor authentication as an extra layer of protection when logging into accounts. It's also really important to think about how and where you share business information."

Double whammy

AUT computer science professor Dave Parry said Covid was a double-whammy. It has spurred a working-from-home boom, often involving much lower security, as the same time that lockdowns around the globe had reduced many of organised crimes' usual "real-life" avenues - leading to a spike in cybercrime.

And if you're going to indulge in cyber-crime, it makes sense to target those who have a lot of lettuce.

"We've seen a rise in phishing and spearphishing [scams targetted at an individual organisation or person] during the Covid pandemic," says NortonLifeLock senior director Mark Gorrie.

"Cybercriminals have learned that social engineering - hacking us - is easier than hacking our machines," says NortonLifeLock senior director Mark Gorrie. Photo / Supplied

"And we're not surprised to see high-value banks, hedge funds and private equity firms are in the crosshairs.

"As Willie Sutton once quipped, 'That's where the money is'."

Cybercriminals are sophisticated, financially motivated and are willing to invest significant resources on high-value targets in the financial services space, Gorrie says.

"These firms need to do two things. One, have a reputable cybersecurity partner. And two, educate employees about scams, phishing and other attack vectors. At NortonLifeLock we're seeing the education component become increasingly more important. Cybercriminals have learned that social engineering – hacking us – is easier than hacking our machines."

How to avoid fake Zoom invites

• Most fake Zoom invites purport to be from Zoom itself. A genuine Zoom invite will always come from the person who is hosting the meeting.

• Don't click on Zoom invite links from people you don't know.

• To be ultra-careful, don't click on a link in an invite in any email. Instead, go to Zoom's website or app and paste in the meeting ID number.

• Enable two-factor authentication. Zoom, like nearly all video chat services, supports 2fa - or the option to have a code sent to a smartphone as an extra layer of security