Expert Analysis: What It Takes To Catch a Thief

By Baselinemag  |  Posted 2006-06-05 Print this article Print
As managing director of the electronic discovery practice at LECG, which provides independent expert testimony and strategic advisory services to clients on legal, business and regulatory matters, Shane Shook is well aware of the potential for an information-technology director, acting alone or in combination with a chief financial officer--to strip assets from a corporation by use of a shadow or alter ego entity.

Here's his take on the topic:

Many schemes are enabled by a fraudulent electronic portal, or "back door," within a company, or one established to penetrate a corporation's technology infrastructure from outside. Fraudulent back doors are, unfortunately, a rather common situation due to system administrators wanting remote access for management and incident response to their systems--including financial and other networked systems.

Once inside the system, a fraudster can create a purchase order as a valid line item in a company's accounting system. With that, a crook can electronically transfer payment to a shell company.

Some of the methods used to create these pathways include port scanning software to detect and hijack user credentials. This usually provides sufficient access to networked systems to set up and facilitate payments. Other rudimentary software back doors can be provided through Trojan horses such as the infamous Back Orifice or Nimda, which automatically propagate throughout a network to ensure multiple hosts are available. In many cases, hackers simply utilize public knowledge of software deficiencies to create their own access to systems--buffer overflows, Sendmail obfuscation, port knocking, etc.

It is nearly impossible, using technology alone, to protect financial systems that must necessarily be networked with other company operating systems from intruders and malicious or fraudulent activity. This is why operating procedures are audited in financial audits in addition to technical capabilities.

Shook says he actually had a case that involved recurring payments to what was determined to be a fraudulent entity. The CFO was recorded in the transactions (on the financial accounting payment system) as the approving authority. The CFO, however, swore that he had no knowledge of the authorizations or the transactions themselves--in fact, he generated the request for investigation of the payments.

Shook was able to determine, through log analysis of the various points in the networked systems that recorded activity logs, that an information-technology administrator had in fact used a sniffer to collect encrypted passwords between the CFO's computer and the networked financial system, and through publicly available freeware was able to crack the password and log in as the CFO to create the bogus invoices. The invoices were being paid to a valid bank account that was in turn routing the payments to an offshore account in the Bahamas that was actually a front company for the I.T. administrator.

The only thing Shook was able to find in this series of events was the logged system and network accesses; he then uncovered the fact that invoices were created using the CFO's account of the invoice and recurring payment schedule. Shook thought this odd since, typically, an accounts payable clerk performs that function. And that's what really tipped him off that someone might have hijacked the credentials.

Shook interviewed the information-technology staff and found that one of the administrators had previously been an I.T. auditor and was familiar with the accounting procedures. He provided this information to the police, who were able to discover the rest of the picture through interrogation and forensic analysis of the person's home PC, where his Bahama bank transactions were available once the password was located on his system.


Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.