Anti-Phishing, DMARC , Business Continuity Management / Disaster Recovery , Email Threat Protection

Silicon Valley Firm Coupa Hit by W-2 Fraudsters

Fraudsters Fake Out HR by Pretending to be the CEO as Related Attacks Continue
Silicon Valley Firm Coupa Hit by W-2 Fraudsters
Coupa employees pictured in Times Square on Oct. 6, 2016.

Silicon valley firm Coupa on March 6 fell victim to a phishing attack that resulted in sensitive details for all of its 2016 employees falling into a fraudster's hands.

See Also: When Malware Attacks Your IBM i, AIX, and Linux Servers; True Stories From the Field

The company is one of many that have been recently compromised by so-called W-2 attacks, which security experts say can only be reliably prevented by continuing to train their employees properly and regularly testing that training.

Coupa, based in San Mateo, California, provides cloud-based, spending-management software for businesses, and counts Caterpillar, NEC, Salesforce and Staples among its customers. The publicly traded company with 625 employees has confirmed the attack, which it says targeted its human resources department seeking W-2 federal income tax-related documents.

"Coupa was one of numerous companies recently targeted by this 'phishing' scam," a spokesman tells Information Security Media Group. "Upon awareness of the scam, we immediately mitigated the isolated incident and implemented measures to protect affected individuals."

Excerpt from a notification letter received by a breach victim.

The breach-notification letter sent to victims, obtained by ISMG, apologizes for the breach and offers all victims two years of prepaid identity theft monitoring services. It also says exposed information includes a victim's name, Coupa employee ID, Social Security number, state of residence and work, 2016 wages earned, as well as additional information relating to benefits and taxes. It says no bank account information was exposed.

Coupa says the breached data involved only 2016 employee information relating to individuals employed by the firm that year, and that no customer data was accessed or otherwise compromised. It also says that it immediately alerted the FBI and the Internal Revenue Service to the breach.

"We have not seen any evidence that any data has actually been misused," the company adds in its statement.

But identity theft experts say that stolen W-2 data - including Social Security numbers, which individuals rarely change - could be used at any point in the future by fraudsters.

Coupa told breach victims in its notification letter that the company is already conducting training against phishing attacks, but that it would be "supplementing ... with additional training."

Training remains the best defense against such attacks, says Chris Pierson, CSO and general counsel for financial tech payment firm Viewpost. "Training your HR and finance teams is absolutely critical and highly effective at stopping these scams since these functions must be targeted," says Pierson, who also advises the Department of Homeland Security on data privacy and cybersecurity matters. "Technical controls are much less effective, especially if these scams are highly targeted."

Breach Notification: Nine Days Later

In terms of the elapsed time following the successful phishing attack, Coupa took nine days to notify victims. In the meantime, it announced earnings results for the previous quarter - covering a period before the phishing attack occurred.

One breach victim, speaking with ISMG, questioned the delay between when the breach was discovered and when the company alerted victims, as well as whether it breached Securities and Exchange Commission rules relating to informing investors about security events.

In terms of notifying victims, Eva Casey Velasquez, president and CEO of Identity Theft Resource Center, a non-profit organization based in San Diego that assists U.S. data breach victims, says there are no hard and fast timing rules.

"Most - if not all - breach notification laws do not have specific time limits," she tells ISMG. "In the case of California, the standard is to disclose in the most expedient time possible and without unreasonable delay. There is also language that speaks to the need for law enforcement to determine that the notification will not compromise an investigation."

Many information security experts warn that there's no "one size fits all" when it comes to notifications.

"You want 'prompt' but not premature disclosure," says cybersecurity attorney Mark Rasch, who in 1991 created the Computer Crime Unit at the U.S. Department of Justice. He warns that notifying too soon carries increased risk of reporting inaccurate information as well as stoking panic.

Viewpost's Pierson says notifying victims within 30 to 45 days is a good benchmark, because it allows time for digital forensic investigators to deliver at least initial findings. He also says Coupa's choice to not report the breach during its earnings call also appears to be acceptable. "Nothing strikes me as unusual about Coupa reporting a breach on this given timeline for two reasons," the attorney says. "First, it is unlikely a forensic report would be done in time for the Q4 date. Second, earnings reports are very well planned, and a late entry would be unlikely to make it."

Coupa Breach Timeline

  • Phishing attack (March 6): A Coupa Software HR employee sends W-2 forms for all 2016 employees to an attacker who poses as the CEO.
  • Earnings call (March 13): Coupa announces its fourth quarter 2016 results in an earnings call after markets close. It makes no mention of the attack. The company announced a 44 percent increase in sales revenue but has yet to make a profit; shares of its stock fell 11 percent in March 14 trading.
  • Breach notification (March 15): Company sends a breach-notification letter to affected current and former employees: "A scammer impersonated our Chief Executive Officer and requested that payroll information (Form W-2) for the 2016 tax year be sent via email," it reads.

Identity Thieves Love W-2 Forms

In its breach notification letter, Coupa says that the attack it suffered "is currently being broadly perpetrated, with numerous companies affected very recently."

Fraudsters continue to double down on W-2 phishing scams, also known as business email compromise - BEC - or CEO fraud attacks. These involve attackers, often pretending to be the CEO, tricking someone in a company into giving them W-2 tax records or other useful information.

Why steal W-2 forms? Because they contain employees' names, addresses, Social Security numbers and wages. Accordingly, they serve as an easy, one-stop shop for fraudsters, who can use the information to file fake tax returns and obtain a refund, among other types of identity theft.

"Dissent," the administrator of the breach-analysis site Databreaches.net, in 2016 counted at least 175 W-2 phishing incidents, and so far in 2017 counts 130, with the 128th being the Coupa phishing attack.

Arrests related to business email compromises may seem rare, but they do occur. Last week, as part of an FBI investigation, authorities in Latvia arrested Vilnius-based Evaldas Rimasauskas, 48, on suspicion of CEO fraud. He's charged with "orchestrating a fraudulent business email compromise scheme that induced two U.S.-based internet companies ... to wire a total of over $100 million to bank accounts" that he allegedly controlled, according to the U.S. Justice Department.

IRS Suspends Tool

Meanwhile, attackers continue to explore new ways of committing fraud. Last week, for example, the IRS and the U.S. Department of Education, citing security concerns, announced that they had suspended the IRS Data Retrieval Tool, which is integral to websites used for applying for federal student aid as well as repayment plans. It says non-online application options remain available.

The IRS expects DRT to be unavailable for several weeks as it works to "further strengthen the security of information provided by the DRT." The agency says the suspension is "a precautionary step following concerns that information from the tool could potentially be misused by identity thieves," although it may be downplaying the severity of related fraud, because there appear to be cases in which individuals whose W-2 forms were stolen have seen Federal Student Aid applications fraudulently registered in their name.

The FSA tool suspension follows the IRS last month issuing a W-2 phishing attack alert, warning that not just businesses but also school districts, not-for-profit organizations, tribal casinos, chain restaurants and temporary staffing agencies were at risk. It said some individual businesses had lost thousands of dollars to related attacks (see IRS: New Email Phishing Combines W-2 Theft, Wire Fraud).

Hackers Traffic in Stolen Medical Information

Stolen W-2 forms, however, are only part of the story. Vitali Kremez, director of research for cybercrime intelligence firm Flashpoint, says attackers have also been targeting U.S. individuals' healthcare data to launch the same types of attacks, and says 2016 was a banner year for related breaches.

"Stolen medical information is a hotly desired commodity in criminal communities and marketplaces, largely due to its ability to support a variety of fraud schemes. Actors procuring so-called 'fullz,' or full listings of personally identifiable information, utilize this data to attempt insurance, medical, tax, among other types of fraud," Kremez writes in a recently released report.

A dark web marketplace listing for stolen 2016 tax records for use in tax fraud schemes. Source: Flashpoint

Kremez, whose job involves infiltrating darknet marketplaces, says there's been a recent increase in chatter from fraudsters discussing ways of cashing out, as well as looking for ways of routing around new anti-fraud measures, such as IRS-driven 16-digit code and new "verification code" that some payroll service providers include on W-2 forms they issue to employees. But he notes that this is a cat-and-mouse game, and that "it is often only a matter of time before clever and dedicated cybercriminals discover workarounds to such mitigations," which will inevitably need to the introduction of new anti-fraud techniques.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.