Hacked off - your accounting system exposed

Thursday 13th December, 2012

When finance and accounting professionals worry about computer security, they may think about stolen laptops, purloined passwords, or lost backup drives. But few worry about hacker attacks against their accounting system software, the kind of attacks that could be devastating for a business.

A pair of security experts, Tom Eston and Brett Kimmell at SecureState, a US-based computer security company, revealed ‘Project Mayhem’, a proof-of-concept tool that makes accounting fraud easy and potentially undetectable, at the Black Hat event.

Kimmell and Eston showed Project Mayhem attacking the world’s most popular accounting system for small to large businesses, Microsoft Dynamics Great Plains (GP). The company are planning a white paper taking an in-depth look at how Project Mayhem allows attackers to enter information into an accounting system, enabling mass systems fraud that would be very difficult for technical security controls to detect and would have devastating, long-term consequences for the affected company.

Tom Eston said: “If an attacker can control and manipulate the accounting system of the company to commit mass systems fraud, changing or manipulating financial data is just the beginning. As professional penetration testers, we must demonstrate more advanced attacks to show real impact to the business.”

Brett Kimmell said: “Even with proper bank reconciliation, funds can be diverted without immediate detection. Fraud attacks like the ones described in our talk and whitepaper could last for months or years. Uncovering a fraud depends on the skills and resources available and whether an audit is performed or not.”