
Cybercriminals target payroll, invoicing, and superannuation systems

Friday 15 April 2016 10:25 CET | News

The Australian Federal Police (AFP) in Melbourne has warned that cybercriminals target payroll systems, invoicing systems, and superannuation brokers.

The AFP has seen multiple victims hit with payroll system attacks, which follow a standard methodology. The criminals log in using stolen credentials, check the date of the next pay run and log out. They log back in just before the pay run, change employees' bank details to those of multiple money mules so there's no single point of failure, and the payroll run proceeds.

The AFP also noticed some subtleties to the methodology. Attackers do not change the accounts of HR department employees, because they are more likely to notice the problem. Often, they will make a small change and wait to see if anyone notices before making the large-scale changes. And they only access the systems during business hours, just like employees would.
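The pattern described above can be checked for in a payroll audit trail. The following is an added example, not code from the article or the AFP; the record layout, the action names `view_pay_schedule` and `change_bank`, and the 24-hour window and threshold of three are assumptions. Time-of-day rules are deliberately left out, since the attackers work during business hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, login, action, employee_id, new_account)
AUDIT = [
    ("2016-04-04 10:12", "jsmith", "view_pay_schedule", None, None),
    ("2016-04-11 11:03", "jsmith", "change_bank", "E104", "ACC-9001"),
    ("2016-04-14 14:40", "jsmith", "change_bank", "E101", "ACC-9002"),
    ("2016-04-14 14:41", "jsmith", "change_bank", "E102", "ACC-9003"),
    ("2016-04-14 14:43", "jsmith", "change_bank", "E103", "ACC-9004"),
    ("2016-04-05 09:00", "hr_anna", "view_pay_schedule", None, None),
    ("2016-04-12 09:30", "hr_anna", "change_bank", "E200", "ACC-5550"),
]
PAY_RUN = datetime(2016, 4, 15, 9, 0)  # constructed pay run time

def flag_logins(audit, pay_run, window=timedelta(hours=24), bulk=3):
    """Return {login: [signals]} for logins matching the reported pattern."""
    per_login = defaultdict(list)
    for ts, login, action, emp, acct in audit:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        per_login[login].append((when, action, emp, acct))
    findings = {}
    for login, rows in per_login.items():
        rows.sort(key=lambda r: r[0])
        changes = [r for r in rows if r[1] == "change_bank"]
        late = [r for r in changes if timedelta(0) <= pay_run - r[0] <= window]
        early = [r for r in changes if pay_run - r[0] > window]
        signals = []
        # Many employees moved to many distinct accounts just before the pay run
        if len({r[2] for r in late}) >= bulk and len({r[3] for r in late}) >= bulk:
            signals.append("bulk_change_before_pay_run")
            # A lone earlier edit looks like the small trial change
            if len(early) == 1:
                signals.append("single_trial_change")
            # A schedule lookup before any edit matches the check-and-log-out step
            first_change = changes[0][0]
            if any(r[1] == "view_pay_schedule" and r[0] < first_change for r in rows):
                signals.append("schedule_lookup_before_changes")
        if signals:
            findings[login] = signals
    return findings

if __name__ == "__main__":
    for login, signals in flag_logins(AUDIT, PAY_RUN).items():
        print(login, signals)
```

The bulk signal gates the other two, so a routine single bank-detail update such as the constructed `hr_anna` record is not flagged on its own.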

Similar attacks are being made against accounting systems, which are often linked to HR payroll systems, or at least use a shared login. Money intended to pay suppliers' invoices is diverted to the mules. Unlike the payroll attacks, invoicing attacks take weeks to detect, because suppliers are generally paid more slowly than employees.

The AFP has also uncovered attacks against superannuation brokers who manage super on behalf of employers. The AFP found two superannuation broking companies with access to this platform whose PCs showed signs of having been infected with malware, and which had been logging into the platform at unusual times, including weekends. Superannuation platforms often lacked user verification for high-risk transactions.

One issue with the financial system attacks investigated by the AFP was that victims' systems had been built over a long time by many people. Combined with staff turnover, that meant no one really knew how the systems were meant to work.



Keywords: cybercrime, cybersecurity, payroll, invoicing, payments, superannuation, Australia
Categories: Fraud & Financial Crime
Countries: World