PORTLAND, Ore. (KOIN) – More than a million dollars in city funds is gone, and a month later, the City of Portland said they are working to find out where it went after an outside entity hacked a city email account and made a fraudulent transaction of $1.4 million.
Portland State University computer science professor Wu-chang Feng says while he doesn’t know the specifics, it appears to be a growing cyber crime known as business email compromise.
“It’s actually quite common,” said Feng. “An adversary manages to get a username and password to an email account and then sits there and monitors messages going by.”
Feng says the hacker will usually target someone who deals with finances and has access to bank accounts, such as accounts payable or the CFO, waiting for that perfect moment to reroute a large payment.
“At the very moment a transfer happens, the adversary will take the message and change maybe an account number or that kind of thing,” said Feng. “When I’m in an email stream, I’m not checking the sender addresses on every single message. If that thing says it’s your name, I’m not checking the email address. But that’s basically how business email compromise works. You’re slipping into the stream and sending a message and it looks really believable in the context of that email thread and so nobody thinks anything.”
The city says that first transaction of $1.4 million was made in late April. However, it wasn’t flagged until the same account tried another fraudulent transaction on May 17.
“In this particular case, they detected it a month after so I’m guessing that money has gone to a gazillion other bank accounts,” said Feng. “Typically, with this amount of time, it would be hard to trace.”
While it’s unclear what this particular money was originally intended for, it is a valuable amount for many city services — most recently funding Portland Parks and Recreation to hire 24 more park rangers in efforts to reduce gun violence. It could also pay a year of starting salary for around 18 new Portland Police Bureau officers — and is the same amount council could soon vote on to head to the general fund and be allocated for a proposed Summer Cease Fire initiative.
“We all rely on email to do a lot of really important things and maybe we shouldn’t,” said Feng. “Because it’s so lucrative and because the gain the adversary gets is so instant, it’s actually one of the most common ways companies will lose money.”
The city says they’re investing in technology and policies to minimize future threats. Feng says “zero trust architecture” is a growing security measure and encourages practices like multi-factor identification and device keys.
The city declined to answer KOIN 6 News’ questions Friday night, including whether any of that money was recovered. However, the city did say they notified the FBI, U.S. Secret Service and PPB and have brought in a cyber incident response team to investigate.