Currently at large somewhere in the world are cybercriminals who have drained the bank accounts of several French companies—all without brandishing guns or cracking safes. They’re highly sophisticated, rather audacious, and too mobile to trace.

Symantec, a computer security software firm, investigated the thieves’ methods as practiced over the course of this year and uncovered an innovative “social engineering” operation. Introducing a remote access Trojan (RAT) to a company’s network, the hackers can harvest all the data they need to transfer funds to offshore accounts, from which they siphon their haul.

Deploying the RAT is tricky, and human error often plays a role, as a case from April revealed: An administrative assistant at a multinational corporation received a link to a suspicious-looking invoice, but this was followed up with a phone call from an alleged company vice president, who in fluent French instructed her to open and process the file. Once she had downloaded the Trojan, it was all over, as Security Watch explained.

The RAT harvested company information, including the company’s disaster plan and its telecom provider details. Using the stolen information, the crooks invoked the disaster plan, claiming a physical disaster. This let them redirect all of the organization’s phones to a new set of phones under their control. Next they faxed a request to the company’s bank for multiple large fund transfers to offshore accounts. Naturally the bank representative called to confirm; the crooks intercepted the call and approved the transaction.

Because phone calls and convincing French are such critical pieces of the puzzle, Symantec labeled the criminal enterprise “Operation Francophone.” Other jobs have seen them pose as IT employees who need to “upgrade” computer systems (which inevitably requires the “temporary” disabling of certain security factors). In at least one attack, they didn’t even use malware. Again pretending to be IT staff, they emailed requesting a “test” wire transfer of funds that turned out to be real.

It doesn’t look as though OF’s cybercrime spree will come to an end anytime soon, either. “By examining emails and C&C traffic, we were able to determine that the attacker is located in, or routing their attacks through Israel,” Symantec wrote. “Even more surprising, the traffic analysis indicates that the attacker was on the move when they were conducting the attacks. These operational security techniques make the attacker extremely difficult to trace.”

If the architects of OF are ever caught, it should make for a great movie. Until then, employees at large companies should keep security measures robust, and mistrust anyone who calls, emails, or otherwise tries to contact them.

Photo by Will__Martin/Flickr