E-mail scam steals €3 million in carbon credits

The phishing scheme resulted in losses of up to €3 million from companies

A clever phishing scheme launched last week may have stolen more than €3 million (US$4.1 million) worth of carbon emission permits from companies.

At least seven companies with carbon emission permits registered with the German Emissions Trading Authority saw some 250,000 certificates moved out of their accounts, according to a spokesman with Germany's Federal Environment Agency.

The certificates allow companies to emit pollution within certain limits and are meant as incentives for companies to invest in cleaner technologies. As of Thursday, certificates traded for around €2.50 each, putting the losses at around €3.2 million.

The attack is believed to be the first ever targeting the emissions-trading program, administered in part by the United Nations.

"We have the impression that they acted very professionally as regards to IT procedures, and of course they had to know how emissions trading works," said Julie Steinen, spokeswoman for German Emissions Trading Authority, the country's registry for carbon emissioin certificates.

Last week, companies whose certificates are tracked by German Emissions Trading Authority receiving e-mails saying they needed to register again due to security problems. The e-mail contained a link to a fraudulent Web site, Steinen said. Other national registries were also targeted.

Once the fraudsters obtained the companies' account details, they quickly moved the certificates to accounts tracked by other national registries and presumably sold them, Steinen said.

Different national registries track the movement of certificates, but the financial transactions are separate from the registry system, she said. Certificates can be sold on the open market.

Once electronic certificates are moved to another registry, it's more difficult to track them, although the certificates do carry a unique code. Germany's Federal Criminal Police Office and prosecutors in Berlin are investigating, Steinen said.

The German Emissions Trading Authority halted certificate trading last Friday to ensure no other companies were victimized, and other national registries also temporarily closed. Germany's registry, which advised its 2,000 companies to change their passwords, is going to resume allowing transactions today, she said.

The agency has also published a screenshot of what the security certificate for its Web site should look like. Web sites can create a security certificate that is then verified by a third party to show the site isn't a fake one. Web browsers should alert users when a certificate is invalid.

Germany's registry has several security measures in place that companies have the option of implementing that would make it more difficult for the phishers.

One of those is a so-called "four-eyes" system, where if one person initiates a certificate transaction, a second person gets a notification of that request and must log in to approve it. Companies can also opt to receive an e-mail every time their account is logged into, a feature that could prompt a fast alert of an unexpected account access.

Those features may have helped prevent greater losses, Steinen said. Many companies called the agency after seeing the fraudulent e-mail, and asked if it was really from the agency. "The e-mails were not that professional -- other users easily smelled the rat," she said.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitycarbon creditsscamsphishingfraud

More about United Nations

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts