Cybercriminals now target payroll, invoicing, and superannuation systems: AFP

The cybercriminals attacking financial systems are smarter, more subtle, and better organised, and they're stealing unprecedented amounts of money. Businesses need processes that can spot the signs of fraud.
Written by Stilgherrian , Contributor

Cybercriminals targeting Australia are shifting their focus to second-tier targets such as payroll systems, invoicing systems, and superannuation brokers, according to federal agent Scott Mellis, team leader of cybercrime operations with the Australian Federal Police (AFP) in Melbourne.

"I blame the banks for all this. They've done a really good job of securing their retail banking platforms, God bless 'em," Mellis told the Australian Cyber Security Centre (ACSC) Conference in Canberra on Wednesday.

With banks becoming harder targets, attackers have of course moved down the food chain.

"We need to turn our focus to where money is held, and where there is poor security, or weak security and poor design," Mellis said.

Another trend is that the amounts of money cashed out through money mules has been "much higher" in the last year, Mellis said. Some were more than AU$500,000. The biggest amount was AU$900,000 transferred to a mule in Western Australia "in one hit".

"That was unheard of two or three years ago ... Cash-out has moved to extremely damaging levels. We haven't seen a single million-dollar transfer yet, but I think we're really on the cusp of it. Who's liable for the loss is a fair question as well."

At the smaller end, funds were often transferred through secondary money mules to further protect the criminals. Many of these secondary mules were older people, pensioners, and stay-at-home mothers.

"Some of these people who we wouldn't normally be dealing with actually thought they had a serious financial services job," Mellis said.

"There are some people out there who don't think like we do. Obviously."

The AFP has seen "multiple victims" hit with payroll system attacks, which follow a standard methodology.

The criminals log in using stolen credentials, check the date of the next pay run, and log out. They log back in just before the pay run, change employees' bank details to those of multiple money mules so there's no single point of failure, and the payroll run proceeds.

"Employee rebellion is probably the first sign the organisation will have that there's been a problem." Mellis said.

The AFP has noticed some subtleties to the methodology. Attackers don't change the accounts of HR department employees, because they're more likely to notice the problem. Often, they'll make a small change and wait to see if anyone notices before making the large-scale changes. And they only access the systems during business hours, just like employees would.

"We're seeing long periods of reconnaissance, that [once] were probably more related to the work of state-based actors. The smash-and-grab isn't there as much as it used to be," Mellis said.

The attackers also stole employees' tax information, intending to use it to submit false income tax returns and divert the tax refunds to through their money mules.

"There were very few successful instances of this," said Mellis, because the Australian Tax Office's systems detected the fraud, but attempts were made.

Similar attacks are being made against accounting systems, which are often linked to HR payroll systems, or at least use a shared login. Money intended to pay suppliers' invoices is diverted to the mules.

"That was quite rampant at the end of last year," Mellis said.

Unlike the payroll attacks, invoicing attacks take weeks to detect, because suppliers are generally paid more slowly than employees.

The AFP now calls these attacks "driftnetting", because they're set-and-forget.

"The crooks change something, wait for a natural process to run on the platform, and then cash out," Mellis said.

The AFP has also uncovered attacks against superannuation brokers who manage super on behalf of employers. "We noticed suspicious sums of money being transferred from Australian financial institutions into mule accounts, and one of those institutions operated a superannuation fund management platform," Mellis said.

The AFP eventually found two superannuation broking firms with access to this platform whose PCs showed signs of having been infected with malware, and which had been logging into the platform at unusual times, including weekends.

Superannuation platforms often lacked user verification for high-risk transactions.

"For example, if money was transferred out of an investor's account, there was an email sent to the investor, but only after the money had been transferred, so it was all a bit late. The target mail that that email goes to was also unverified, so anyone with the compromised credentials could access the account and change the target email, to email the criminal for example," Mellis said.

One platform did require investors to provide an Australian Business Number (ABN), but the criminals simply searched online for the ABN of a company that sounded like it might be related to the investor somehow.

Another flaw was an online form which allowed logged-in users to transfer unlimited funds without any human verification such as a phone call.

A continuing problem is what the AFP calls "CEO impersonation" or "senior executive impersonation", and the FBI calls "business email compromise", where an organisation's staff are manipulated into sending money to criminals.

The sophistication of these attacks varies, from simply creating a generic ceoname@gmail.com account or ceoname@company1.com, to compromising an executive's real email account to learn their lifestyle and craft a more realistic impersonation.

The AFP has seen impersonation attacks net between AU$20,000 and AU$900,000. The offenders are mostly based in West Africa.

Earlier this month, the FBI's Phoenix Division said that $2.3 billion has been lost to business email compromise scams over the past three years.

Some criminals are still attacking banks, however -- and they too demonstrate plenty of sophistication.

Supervisory special agent Chad Hunt and special agent Mark Ray of the FBI walked the conference through a $6 million bank heist where the criminals conducted reconnaissance on the target's network for more than a month before finally making their move.

Even though the target organisation had encrypted the credit card numbers it stored, chat logs obtained by the FBI showed the criminals discussing their ability to decrypt 550,000 card numbers per hour.

These criminals were clearly part of a wider network. They were aware of the weaknesses of their own operational security (OPSEC). It was they who decided when they'd extracted enough money from the target, and when it was time to pull the plug on their operation, wipe their computers, and change their online identities.

The FBI agents said there's been a shift away from cybercrime being conducted by exclusively cybercrime networks, towards old-school crime networks "using hacker skills to further their white-collar schemes".

"They're all very well connected," said Ray, who works in the FBI's Cyber Division in their Atlanta Field Office.

"They all know each other, and they know the services, whether it's money-moving services, or [knowing] the right people to pay off in different governments. It is an upper echelon that is in some ways untouchable."

So why are so many of these attacks successful?

One issue with the financial system attacks investigated by the AFP was that victims' systems had been built over a long time by many people. Combined with staff turnover, that meant no-one really knew how the systems were meant to work.

Some superannuation brokers were even running BitTorrent and gaming software on the very PCs used to manage clients' accounts, Mellis said.

Mellis also recited the familiar litany of basic technical mistakes: lack of system patching, passwords stored in unprotected documents, single-factor authentication, shared passwords, VPNs not being used, and staff not following established processes. But many attacks were successful because of human failure.

"The human element is the toughest element of all. It's so hard, because there's a lot of really silly people out there."

The FBI agents had a further comment on the human factors.

"Threat intelligence is a big buzzword now, but I think there's a difference between tactical threat intelligence, the right indicators, and all that stuff that we have, and then really strategic [intelligence]," Ray said.

"All the best tools, IDSs [intrusion detection systems] and SIGINT [signals intelligence] out there still doesn't replace old-school human int."

Editorial standards