Cyber fraudsters now stealing millions in single transactions

More businesses are being tricked into sending millions of dollars to cybercriminals, but the criminals often betray themselves through lax operational security.
Written by Stilgherrian, Contributor

Business email compromise (BEC) attacks are continuing to rise in both frequency and severity, with victims now losing millions of dollars in single transactions, according to law enforcement agencies.

A BEC attack, also known as a senior executive impersonation attack, is where an organisation's staff are manipulated into sending money to criminals. Typically, the criminals breach the corporate email system, and spend some time learning the organisation's business, structure, and communication style to improve their chances of success.

"They'll insert themselves by putting a socially engineered piece of communication there," said Special Agent Ryan Brogan of the US Federal Bureau of Investigation (FBI). "Those emails are very, very convincing."

In one recent case, a local car dealership lost $7 million after an employee received an email, purportedly from his CEO, saying he needed to wire the money to a new account to fund a new special project.

"The actor sort of implied that the dealership manager's promotion would be on the line if this didn't happen," Brogan told the Australian Cyber Security Centre (ACSC) Conference in Canberra last week.

"He goes and wires this money. He actually broke all of their internal controls."

It was three days before anyone realised it had all been a fraud, when the employee happened to ask his real boss whether he'd received the money.

$7 million is by no means a record for BEC cases investigated by the FBI. Australia has also seen single-transaction BEC frauds in the millions of dollars.

"The most recent one we had was AU$26 million," said Detective Senior Sergeant Colin Keen, the manager for cybercrime investigations and covert online operations for the Western Australian Police Force.

In that particular case, the money was recovered, but recent BEC cases in Western Australia have included an automotive conglomerate losing AU$3.1 million, and a large mining company losing $2.1 million.

These figures are well up from the AU$900,000 stolen from a WA company in 2015.

Charities are also being targeted, with one WA charity recently losing AU$615,000.

Keen said the cybercriminals are becoming more sophisticated.

"They'll do all this research on the background of the company, and then they'll do the research on the person they want to target. That will include social media. We've had incidents where they've found them on dating sites, and they've groomed them to the point that they've sent them emails at work just to get into the business," he said.

As ZDNet has previously reported, the best defence against BEC is a resilient corporate culture where employees feel able to question instructions. Brogan would agree.

"The best way I've seen to combat this is if you do see something that's out of the normal, pick up the phone and do some sort of out-of-band communications with where you're thinking that money needs to be sent," he said.

Criminals get caught because they make mistakes

Brogan currently works on global cyber investigations, focusing on apprehending individuals responsible for zero day development and botnet deployment. Malicious cyber actors across the spectrum all tend to use the same tools, he said.

He's apprehended and spoken with around 25 malware writers, and the way they talk about how they run their operations "very much mirrors" how a nation-state would run its cyber activities -- including relying on the fact that humans make mistakes.

In one operation, for example, attackers were able to bridge the air gap into an industrial control network, thanks to a poorly configured laptop.

"The adversary knew that there's a laptop a SCADA engineer was using that had two NIC [network] cards. One was Wi-Fi and the other was wired, and the engineer never turned the Wi-Fi off," Brogan said.

"When the laptop gets plugged into the SCADA network, it just beaconed out to the adversary, and you could jump the gap ... So that was pretty wild."

Brogan was also involved with the apprehension and arrest of hackers known as K33lhaul aka Faust, and p4nda, part of an Anonymous splinter group called MalSec. Amongst other things, malware created by that group was used to compromise 450,000 computers.

"Until the robots come and kill us, we're still chasing people, so there's that human element in play, that I very much enjoy using to defeat these actors," Brogan said.

The FBI had "really, really good human intelligence, as well as some of the technical collections that we were able to obtain through legal process". That included some 250,000 lines of intercepted communication.

"Even though they were heavily utilising things like Tor to anonymise themselves, I was able still to find out where [one hacker] came from, because he still needed to leak little personal details about where he was, and some of the activity he was doing," Brogan said.

"[Meanwhile, p4nda] started talking about different legal statutes that he was breaking, which was great, 'cos now he's already saying he's doing illegal activities ... but I didn't know what area of the world that he was quoting legal process from."

But Brogan did know from the intercepts that p4nda hated his child's foster mother.

"He would complain about her obsessively. I was like, oh, I've got a fantastic idea. Why don't we offer to hack his child's foster mother's email account? Oh, it took him a whole like about five seconds to give us that email account. Boom!"

Failures of operational security (OPSEC) aren't always that complex, however. Detective Senior Sergeant Keen described three recent cases where the WA Police could quickly identify the suspect.

In the first, an online drug seller maintained a "high level of technical anonymity", but posted photographs of bags of marijuana held in his hand -- where his fingerprints could be seen and identified.

In the second, a video posted online showed a motor vehicle performing burnouts at traffic lights. The vehicle's license plate had been blurred out -- but not the reflection of the license plate in the following vehicle's hood.

And in the third, a proudly posted photograph of a healthy marijuana crop still included its EXIF metadata, including GPS coordinates.

Brogan said that some cybercriminals don't even realise they're committing crimes.

One malware writer apprehended by the FBI claimed that writing malware wasn't a crime in the US, so what had he done wrong? They told him that he was knowingly providing the malware to individuals committing crimes.

"There's this thing called 'conspiracy' that we have, where you're going to be wrapped up into it," Brogan said. "That was kind of a lightbulb moment for him."
