Business email compromise (BEC) attacks are continuing to rise in both frequency and severity, with victims now losing millions of dollars in single transactions, according to law enforcement agencies.
A BEC attack, also known as a senior executive impersonation attack, is where an organisation's staff are manipulated into sending money to criminals. Typically, the criminals breach the corporate email system, and spend some time learning the organisation's business, structure, and communication style to improve their chances of success.
"They'll insert themselves by putting a socially engineered piece of communication there," said Special Agent Ryan Brogan of the US Federal Bureau of Investigation (FBI). "Those emails are very, very convincing."
In one recent case, a local car dealership lost $7 million after an employee received an email, purportedly from his CEO, saying he needed to wire then money to a new account to fund a new special project.
"The actor sort of implied that the dealership manager's promotion would be on the line if this didn't happen," Brogan told the Australian Cyber Security Centre (ACSC) Conference in Canberra last week.
"He goes and wires this money. He actually broke all of their internal controls."
It was three days before anyone realised it had all been a fraud, when the employee happened to ask his real boss whether he'd received the money.
$7 million is by no means a record for BEC cases investigated by the FBI. Australia has also seen single-transaction BEC frauds in the millions of dollars.
"The most recent one we had was AU$26 million," said Detective Senior Sergeant Colin Keen, the manager for cybercrime investigations and covert online operations for the Western Australian Police Force.
In that particular case, the money was recovered, but recent BEC cases in Western Australia have included an automotive conglomerate losing AU$3.1 million, and a large mining company losing $2.1 million.
Keen said the cybercriminals are becoming more sophisticated.
"They'll do all this research on the background of the company, and then they'll do the research on the person they want to target. That will include social media. We've had incidents where they've found them on dating sites, and they've groomed them to the point that they've sent them emails at work just to get into the business," he said.
"They best way I've seen to combat this is if you do see something that's out of the normal, pick up the phone and do some sort of out-of-band communications with where you're thinking that money needs to be sent," he said.
Criminals get caught because they make mistakes
Brogan currently works on global cyber investigations, focusing on apprehending individuals responsible for zero day development and botnet deployment. Malicious cyber actors across the spectrum all tend to use the same tools, he said.
He's apprehended and spoken with around 25 malware writers, and the way they talk about how they run their operations "very much mirrors" how a nation-state would run its cyber activities -- including relying on the fact that humans make mistakes.
In one operation, for example, attackers were able to bridge the air gap into an industrial control network, thanks to a poorly configured laptop.
"The adversary knew that there's a laptop a SCADA engineer was using that had two NIC [network] cards. One was Wi-Fi and the other was wired, and the engineer never turned the Wi-Fi off," Brogan said.
"When the laptop gets plugged into the SCADA network, it just beaconed out to the adversary, and you could jump the gap ... So that was pretty wild."
Brogan was also involved with the apprehension and arrest of hackers known as K33lhaul aka Faust, and p4nda, part of an Anonymous splinter group called MalSec. Amongst other things, malware created by that group was used to compromise 450,000 computers.
"Until the robots come and kill us, we're still chasing people, so there's that human element in play, that I very much enjoy using to defeat these actors," Brogan said.
The FBI had "really, really good human intelligence, as well as some of the technical collections that we were able to obtain through legal process". That included some 250,000 lines of intercepted communication.
"Even though they were heavily utilising things like Tor to anonymise themselves, I was able still to find out where [one hacker] came from, because he still needed to leak little personal details about where he was, and some of the activity he was doing," Brogan said.
"[Meanwhile, p4nda] started talking about different legal statutes that he was breaking, which was great, 'cos now he's already saying he's doing illegal activities ... but I didn't know what area of the world that he was quoting legal process from."
But Brogan did know from the intercepts that p4nda hated his child's foster mother.
"He would complain about her obsessively. I was like, oh, I've got a fantastic idea. Why don't we offer to hack his child's foster mother's email account? Oh, it took him a whole like about five seconds to give us that email account. Boom!"
Failures of operation security (OPSEC) aren't always that complex, however. Detective Senior Sergeant Keen described three recent cases where the WA Police could quickly identify the suspect.
In the first, an online drug seller maintained a "high level of technical anonymity", but posted photographs of bags of marijuana held in his hand -- where his fingerprints could be seen and identified.
In the second, a video posted online showed a motor vehicle performing burnouts at traffic lights. The vehicle's license plate had been blurred out -- but not the reflection of the license plate in the following vehicle's hood.
And in the third, a proudly posted photograph of a healthy marijuana crop still included its EXIM metadata, including GPS coordinates.
Brogan said that some cybercriminals don't even realise they're committing crimes.
One malware writer apprehended by the FBI claimed that writing malware wasn't a crime in the US, so what had he done wrong? They told him that he was knowingly providing the malware to individuals committing crimes.
"There's this thing called 'conspiracy' that we have, where you're going to be wrapped up into it," Brogan said. "That was kind of a lightbulb moment for him."
Human nature being what it is, the Internet of Things will need to experience a number of security incidents before people realise that like every other computing platform in history, security is important for it too.