What are some of the latest cyber-security threats affecting organizations?
Cyber-crime is a constantly evolving enterprise. Cyber-security threats are becoming more sophisticated, as cyber-criminals refine their methods of intrusion and attack. However, the past year has seen a resurgence in certain types of low-tech cyber-attacks that are nonetheless incredibly effective. Let’s discuss some of these resurgent types of attacks.
Business Email Compromise (BEC) is a type of scam that targets businesses working with foreign customers and suppliers, and/or businesses that regularly perform wire transfer payments. This sophisticated scam is carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct the unauthorized transfer of funds.
Corporate Data Breaches refer to the release of business data from a secure location to an untrusted environment. The term may also refer to a data breach within a corporation or business where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
In 2019, Business Email Compromise represented $1.78 billion in losses, with $53.4 billion coming specifically from Corporate Data Breaches.
How do BEC scams work?
BEC attacks take a variety of forms and target companies in many different industries, but the basic aim is the same: to gain access to a company’s network, often through a combination of phishing attacks and malware. This malware is then used to carry out surveillance on the organization and its senior executives. Later, at a time of their choosing, criminals can initiate the scam by sending emails, purportedly from senior executives, to someone in the organization (typically the finance department), and requesting an immediate transfer of funds.
BEC scams, also known as email account compromise (EAC), CEO fraud, or whaling, have been around since at least 2013. Between October 2013 and May 2018, more than $12 billion in domestic and international losses were attributed to BEC scams by the FBI.
When first conceived, BEC scams typically began with the hacking of email accounts belonging to CEOs or CFOs. Fraudulent emails would then be sent to employees in the organization requesting a transfer of funds, typically via wire payments, to fraudulent locations. Over the years, however, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for financial and tax information, and fraudulent requests for large amounts of gift cards. Unfortunately, BEC scams are constantly evolving as fraudsters become more sophisticated and find new ways to carry out these attacks.
The FBI’s Internet Crime Complaint Center, IC3, which is tasked with handling internet and cyber-crime, received 23,775 Business Email Compromise (BEC) complaints in the 2019 calendar year, with adjusted losses of over $1.78 billion. These figures are for the US alone! The IC3 also observed an increase in the number of BEC complaints related to the diversion of payroll funds for that same year. In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.
According to the FBI’s latest Internet Crime Report (ICR), losses from BEC scams amounted to almost $1.3 billion in 2018. This was double the losses in 2017, which stood at $676 million. That number has again risen by over half-a-billion dollars for 2019. Additionally, IC3 recorded 1,795 Corporate Data Breaches in 2019, with the top 3 victim countries being the US, UK, and Canada. Unsurprisingly, the top industry that scammers targeted was the financial sector.
A large insurance firm has also commented on the impact of claims originating from BEC attacks, indicating that they accounted for about 23% of all their cyber-insurance claims for losses in Europe, the Middle East, and Asia in 2018. This figure was more than the total from claims for losses arising from ransomware or data breaches (based on the latest figures available).
When BEC attacks first began showing up as a problem, the FBI warned that the scam relied on the “oldest trick in the con-artist’s handbook: deception”. These types of scams may not be very sophisticated, but they are very effective.
What are some common BEC email themes?
Security firms have noted recent changes in BEC message composition, with scammers using certain themes in order to pass these emails off as legitimate business requests. Let’s take a closer look at some of the recent themes that BEC emails have contained:
- Requests from high-level executives to buy gift cards, both physical and electronic
- Requests from employees to update salary or direct deposit account details
- Requests for personal/work cellular/landline number to provide further instructions
- Requests from Human Resources to update payroll information
These observations align with those of the FBI, as the IC3 report found that there was an increase in the number of BEC complaints that asked victims to purchase pre-paid gift cards in 2018. According to the report, the victims received a spoofed email, call, or text from a person in authority, such as a CEO or business owner, requesting that the victim purchase multiple pre-paid gift cards for either personal or business reasons. The victim would then send the card numbers to the scammer by replying to the spoofed email.
Business email compromise (BEC) scams are not going away anytime soon. For such a relatively low-tech type of financial fraud, they have proven to be a high-yield and lucrative enterprise for scammers.
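As an added example (not code from the original article), the following is a simple triage heuristic a mail team could run over inbound messages for the lures listed above: an executive's display name on an address outside the company domain, a Reply-To that redirects answers elsewhere, and gift-card, payroll or direct-deposit wording. The company domain, the executive list and the two sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: name -> real address
THEME_PATTERNS = [                                  # wording from the BEC themes above
    r"gift\s*cards?", r"direct\s*deposit", r"payroll",
    r"wire\s*transfer", r"cell(ular)?\s*(phone|number)",
]

def score_bec(raw_message):
    """Return (score, reasons) for one RFC 5322 message; higher is more suspicious."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # 1. Executive display name on a non-company or lookalike address
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        reasons.append(f"display name '{from_name}' but address {from_addr}")
    # 2. Reply-To that steers the answer away from the visible sender
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From")
    # 3. Lure wording in the subject or body
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [p for p in THEME_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append("theme wording: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample messages (not real traffic)
SAMPLE_SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e-mail.net>
Reply-To: ceo.urgent@freemail.example
To: accounts@example.com
Subject: Quick favor - gift cards

I'm in a meeting, can you buy 5 gift cards and send me the codes? Jane
"""
SAMPLE_NORMAL = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q2 budget review

Please send the Q2 budget deck before Friday. Thanks, Jane
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_NORMAL):
        print(score_bec(sample))
```

A score of two or more is a reasonable threshold for holding the message for a second look rather than blocking it outright.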
Speaking of scams: Phishing remains one of the most effective entry points for cyber-attacks.
More than a dozen banks in the US and Canada recently found themselves on the receiving end of a mobile phishing scam that claimed approximately 4,000 victims. In this case, scammers duped victims with messages containing links to phishing pages made to appear like legitimate mobile banking pages. Clicking on these links gave the phishers access to users’ banking credentials as well as their personal details, including dates of birth. All of that information can potentially be sold on the Dark Web or used in other fraudulent schemes at any time.
That campaign was based around SMS/Text messages which attempted to lure the victim into visiting a fake website purporting to be that of a major US or Canadian financial institution. The phishing messages claimed that the bank’s security system had detected unusual activity on the user’s account and urged them to follow a URL to check the activity. Of course, this was merely a trick to lure victims into giving up their details.
The criminals behind those attacks didn’t even have to know which financial institutions their potential victims were customers of. All they had to do was spam out multiple messages carrying the names of different financial institutions to enough unsuspecting users; undoubtedly some of the attacks would match the right victims with their financial institutions. Some of those customers would then follow the malicious links to the fake websites that had been created to steal sensitive information.
These fake banking websites were designed to look like the actual mobile versions of the institutional sites. They featured everything from the correct fonts, layouts, and sizing, to authentic links to related pages that users would expect on a banking website, including notices about security and privacy.
Consumers are increasingly using mobile banking applications as their primary means to manage their finances, transfer funds, deposit checks, and pay bills. Unfortunately, this trend has not gone unnoticed by cybercriminals who are starting to exploit it as a new attack vector.
By implementing additional security measures, such as strong passwords and the use of multi-factor authentication, users can prevent credentials from being compromised and avoid falling victim to these types of phishing attacks.
What are some of the trends being observed for Q1, 2020?
The latest phishing scam involves sending fake invoices loaded with ‘Emotet’ malware to an organization. Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive either via a malicious script, macro-enabled document files, or malicious links. Emotet emails may contain familiar branding designed to look like a legitimate email. These emails will try to persuade users to click the malicious files by using familiar language, such as “Your Invoice”, “Payment Details”, or “Parcel Delivery”.
Emotet uses several tricks to try and prevent detection and analysis. Notably, Emotet knows if it’s running inside a virtual machine and will lay dormant if it detects a sandbox environment. Emotet also uses Command & Control servers to receive updates, which occur seamlessly and without any outward signs. These capabilities allow attackers to install updated versions of the software, install additional malware (such as other banking Trojans), or act as a dumping ground for stolen information (such as financial credentials, usernames, passwords, and email addresses).
If a machine falls victim to Emotet, not only does the malware provide a backdoor into the system, allowing attackers to steal sensitive information, it also allows the attackers to use the machine to spread additional malware (or allow other hackers to exploit compromised PCs for their own gain).
Recent attacks have been directed at financial institutions, with 75% of these attacks being directed towards organizations in the US or UK. Like previous Emotet attacks, the malware is delivered via phishing emails that contain a malicious document. This time the email subject lines were based around invoices, bank details, and other financial subjects, all of which are common terms that would attract the normal attention of workers in the finance sector.
The attachments claimed that a user needed to ‘enable content’ to see the document; if this was done it would allow malicious macros and malicious URLs to deliver Emotet to the machine. Because Emotet is such a prolific botnet, the malicious emails didn’t come from any one particular source but rather infected Windows machines around the world.
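As an added example (not code from the original article), this is the kind of attachment check a mail gateway can apply before a user ever sees the ‘enable content’ prompt. OOXML documents (.docx/.docm/.xlsx/.xlsm) are zip archives, and a macro-enabled one carries a vbaProject.bin part; legacy binary .doc/.xls files are only flagged here for deeper inspection. The sample attachments are constructed in memory for illustration.

```python
import io
import zipfile

MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
NO_MACRO_EXT = {"docx", "xlsx", "pptx"}               # extensions that promise no macros
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc/.xls container

def inspect_attachment(filename, data):
    """Return a verdict dict: is it OOXML, does it carry VBA, does the extension
    hide that, and should the gateway hold it."""
    verdict = {"ooxml": False, "has_vba": False, "ext_mismatch": False,
               "legacy_ole": False, "suspicious": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office formats need an OLE parser (e.g. oletools' olevba);
        # this example only routes them for deeper inspection.
        verdict["legacy_ole"] = verdict["suspicious"] = True
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return verdict                                  # not a zip: not OOXML
    if "[Content_Types].xml" not in names:
        return verdict                                  # a zip, but not Office
    verdict["ooxml"] = True
    verdict["has_vba"] = bool(names & MACRO_PARTS)
    ext = filename.lower().rsplit(".", 1)[-1]
    verdict["ext_mismatch"] = verdict["has_vba"] and ext in NO_MACRO_EXT
    # Any macro-enabled document arriving by e-mail is what the lure relies on
    verdict["suspicious"] = verdict["has_vba"]
    return verdict

def _build_ooxml(parts):
    """Construct a minimal OOXML-style zip with the given part names (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in parts:
            zf.writestr(name, b"\x00")
    return buf.getvalue()

# Constructed samples: an invoice-themed macro document and a plain one
SAMPLE_INVOICE_DOCM = _build_ooxml(["word/document.xml", "word/vbaProject.bin"])
SAMPLE_PLAIN_DOCX = _build_ooxml(["word/document.xml"])

if __name__ == "__main__":
    print(inspect_attachment("Invoice_4421.docm", SAMPLE_INVOICE_DOCM))
    print(inspect_attachment("report.docx", SAMPLE_PLAIN_DOCX))
```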
This campaign spiked towards the end of January 2020 and, while activity has dropped for now, financial institutions are still being targeted with Emotet phishing campaigns. This prolific malware turned botnet shows no signs of slowing down, as campaigns in the first quarter of 2020 were launched against financial institutions in the US and UK.
Emotet is so insidious because it includes functionality that helps the malware evade detection by some anti-malware products. It uses worm-like capabilities to spread to other connected computers, which aids the distribution of the malware. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat.
This functionality has led the Department of Homeland Security to conclude that Emotet is one of the most costly and destructive malware types. It has equally affected the government, the private sector, individuals and organizations. According to the DHS, Emotet infections have cost state and local governments up to $1 million per incident to remediate.
Why does any of this matter?
Financial loss, reputational damage, time, resources: these types of attacks can create incalculable harm throughout an organization. Banks and other financial institutions have long been in the cross-hairs of scammers, and these attacks are just the latest incident in a long line of cybercriminals targeting financial institutions. For example, the Carnegie Endowment’s Cyber Policy Initiative (an internationally based foreign-policy think tank) put together a list of all cyber-attacks against financial institutions since 2007. That year it logged 3 cyber-attacks; last year that number was a startling 29 recorded cyber-attacks. Odds are that the number of cyber-attacks will increase again this year.
What can you do to minimize these types of security threats?
These attack campaigns, whether via BEC, Phishing or Emotet, are a low-risk/high-reward type of cyber-crime for hackers. This makes them a persistent threat to all businesses, especially financial institutions. There are many steps which can be taken to ensure that sensitive information is kept safe, including the use of strong passwords, the use of a mobile password manager to help keep passwords strong and unique across all devices and accounts, locking applications when not in use, and signing out of accounts not being used.
Organizations must also employ diverse measures to ensure data security. These include ensuring the latest operating system updates are installed, backing up data, and encrypting data. Of course, anti-malware software and advanced firewalls are necessary security elements, as are vulnerability tests, but without user authentication, the proverbial “front door” is left wide open to intruders. The sobering reality is that, even with strong password requirements, if multi-factor authentication (MFA) is not in place, these other security measures can easily be bypassed.
The ability to verify a user’s claimed identity through various authentication factors has become crucial for NonStop systems, especially for users that will be logging on to business-critical applications. Ineffective authentication comes with significant direct and indirect risks, including compliance penalties, data theft, loss of customer trust, and significant loss of revenue. There is an over-reliance on insecure forms of authentication, such as passwords and security questions, which can lead to security gaps that create opportunities for intruders.
Minimize security gaps with Multi-Factor Authentication
Modern authentication methods represent a more robust security structure, and also provide a better user experience when logging into applications. MFA also makes it easier for auditors to get answers to critical compliance questions; providing information such as which users are granted access to which system, and also how the access policy is being reliably enforced. Additionally, some of the modern MFA applications available today also include reporting capabilities, which ensure that compliance standards, such as PCI DSS, are being met.
CSP Authenticator+™ supports numerous authentication factors for NonStop. It provides a RESTful interface that supports multi-factor authenticated logins on NonStop systems. CSP Authenticator+ resides on the NonStop Platform and uses an OSS “bridge” to connect to the RESTful interface of the CSP Authenticator+ web server.
CSP Authenticator+ can provide authentication services via Safeguard Authentication SEEP, or Pathway and Non-Pathway servers. Almost any application, including TACL, can now easily support multi-factor authentication (MFA).
Authentication methods such as RADIUS, RSA Cloud, Active Directory and Open LDAP are supported. Additional authentication methods include RSA SecurID, Email, Text Message, and Google Authenticator. You can now enable MFA logins for different applications, making them more secure!
CSP Authenticator+ Key Features:
- Support for various authentication methods
- Browser-based user-friendly interface
- Standardized authentication across platforms
- Configurable for all or selected users
- Support for virtual addressing
For complimentary access to CSP-Wiki®, an extensive repository of NonStop security knowledge and best practices, please visit wiki.cspsecurity.com
We Built the Wiki for NonStop Security ®
The CSP Team