Cyber Threats – Views from the FBI Special Agent Keith Custer Federal Bureau of Investigation – Baltimore Division
Overview
• Cyber Threat Overview
• Cyber-enabled Fraud
• Types of Cyber-enabled Fraud
• Business Email Compromise (BEC)
• Case Studies
• Best Practices to Protect Against Cyber-enabled Fraud
UNCLASSIFIED
Cyber Threats
• Cyber Division (CyD)
  – Intrusions
  – Major Infrastructure Defense
  – Nation State Attacks
• Criminal Investigative Division (CID)
  – Cyber-enabled Crime
    • Fraud
    • Drugs
    • Money Laundering
    • Identity Theft
The FBI's Cybersecurity Mission
To protect the United States against:
• Terrorist attack
• Foreign intelligence operations and espionage
• Cyber-based attacks and high technology crimes
As the only U.S. agency with the authority to investigate both criminal and national security cybersecurity threats, the FBI is following a number of emerging trends.
Cyber Threats and Motivations
Cyber-Enabled Fraud
• The advent of the Internet has made a lot of things easier for a lot of people
• Unfortunately this includes fraudsters
Common Types of Cyber-enabled Fraud Targeting Businesses
• Counterfeit Check scam (multiple varieties)
  – Attorney/CPA
  – Employment-based
• Account Takeover
• Business Email Compromise (BEC)
Counterfeit Check Scam (Attorney/CPA)
• Target is usually solicited by email
  – Often the fraudster “spoofs” the email of a real executive by registering a look-alike domain (e.g., jbsmith@acmefireworks.com vs. jbsmith@acmeflreworks.com, where an “l” stands in for the “i”)
• The fraudster requests assistance with an international business matter, such as an acquisition or contract dispute
• If the target agrees, the fraudster arranges for a high-quality counterfeit instrument to be delivered to the target as part of the engagement
• The target is directed to deposit the check and immediately wire funds to a “drop account”, usually a shell corporation in a foreign country (China, Taiwan, Malaysia, Dubai, Japan, etc.)
• The funds are immediately withdrawn or transferred out of the destination account
• The check is eventually found to be fake, and the target is sometimes on the hook for the loss
• Transactions are typically $100,000 to $500,000
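The look-alike domain in the example above differs from the real one by a single character that renders almost identically. The following is an added example (editor's code, not part of the FBI deck) of the check a mail gateway or a wire desk's intake script can run on the From: address: the sender's domain is compared against a list of domains the firm legitimately deals with, first after folding look-alike characters (l/i/1, 0/o, rn/m) and then by Levenshtein edit distance. `KNOWN_DOMAINS`, the confusables table and the sample addresses are assumptions constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Domains this organization legitimately receives mail from. Constructed
# sample data for this example; a real deployment would load the vendor and
# partner master list instead.
KNOWN_DOMAINS = {"acmefireworks.com", "firstcountybank.example"}

# Characters that render alike in common fonts, folded to one representative
# so a swapped character compares equal. A small assumed table, not an
# exhaustive confusables list.
_SINGLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s"})
_MULTI = [("rn", "m"), ("vv", "w")]


def normalize(domain: str) -> str:
    """Fold case, strip accents and ligatures (NFKD), and collapse look-alike
    characters, so 'acmeflreworks.com' and 'acrnefireworks.com' both become
    'acmefireworks.com'."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    folded = folded.translate(_SINGLE)
    for bad, good in _MULTI:
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str, known=KNOWN_DOMAINS, max_distance=2):
    """Return the legitimate domain that sender_domain imitates, or None.

    An unknown domain is flagged when it normalizes to the same string as a
    known domain (homoglyph swap) or lies within max_distance edits of one
    (typosquat such as a dropped or added letter or an inserted hyphen).
    """
    sender = sender_domain.lower().strip(".")
    if sender in known:
        return None                     # exact match: the real partner domain
    target = normalize(sender)
    for legit in known:
        if normalize(legit) == target:
            return legit
    for legit in known:
        if edit_distance(sender, legit) <= max_distance:
            return legit
    return None


def check_sender(header_value: str) -> dict:
    """Evaluate an RFC 5322 From: value such as 'J.B. Smith <jbsmith@acmeflreworks.com>'."""
    display_name, address = parseaddr(header_value)
    domain = address.rpartition("@")[2]
    imitates = lookalike_domain(domain)
    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "imitates": imitates,
        "verdict": "LOOKALIKE" if imitates else "ok",
    }


if __name__ == "__main__":
    for sample in ("jbsmith@acmefireworks.com",
                   "J.B. Smith <jbsmith@acmeflreworks.com>",
                   "jbsmith@acrnefireworks.com",
                   "jbsmith@acme-fireworks.com"):
        print(check_sender(sample))
```

Edit distance alone already catches the deck's one-letter example; the normalization step is what catches two-character tricks such as "rn" for "m". Keep `max_distance` small relative to domain length, since very short domains would otherwise collide with each other, and treat a LOOKALIKE verdict as grounds for a call-back rather than as proof of fraud.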
Account Takeover
• Frequently targets individuals or businesses after a compromise of personal information (email hack or PII stolen)
• Fraudster identifies high value accounts
  – Home Equity Line of Credit (HELOC)
  – Brokerage
  – Money Market Savings
• Fraudster contacts the financial institution's call center or email and attempts to initiate a wire transfer to a “drop account”
  – Fraudster will attempt to socially engineer verification
  – Fraudster will attempt to have the target's home phone forwarded to his burner cell phone, so that any call-back verification reaches the fraudster
  – If business has been done by email in the past, sometimes no verification is required
• Usually the financial institution will take the loss in account takeovers after reimbursing the victim for any unauthorized withdrawals
Business Email Compromise (BEC) Definition
BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising or spoofing legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. Most victims report using wire transfers as the common method of transferring funds for business purposes; however, some victims report using checks as the common method of payment. The fraudsters will use the method most commonly associated with their victim's normal business practices. This definition was revised to emphasize the different techniques used to compromise victim e-mail accounts.
Ubiquiti reported in August 2015 it was a BEC victim
BEC Descriptions
Version 1: Fraudster impersonates CEO or CFO to initiate a wire transfer
• The fraudster hacks or spoofs a business executive's e-mail account.
• A request, seemingly on behalf of this business executive, is then sent to a second employee requesting a wire transfer to a fraudster-controlled bank account.
• The second employee complies with the business executive's request and sends the payment.
• Sometimes the fraudster compromises a business executive's e-mail account and contacts the bank directly, asking for an “urgent wire transfer.”
• This process is repeated every few days until discovered. Typical transactions are $100,000 to $200,000.
BEC Case Study: Version 1 • Victim A: A publicly traded, San Diego, CA-based educational resources firm with $638 million in revenues in 2014 • On April 7, 2014, Victim A’s corporate controller (Russell) was contacted by an individual purporting to be the CFO (Daniel) and directed to send an $85,050 wire, supposedly at the direction of the CEO (Andrew)
BEC Case Study: Version 1 • On April 8, 2014, Victim A’s corporate controller (Russell) was again contacted by the same individual purporting to be the CFO (Daniel) and directed to send a $115,000 wire, again at the direction of the CEO (Andrew)
BEC Case Study: Version 1
• On April 9, 2014, the fraud was discovered, but the funds could not be recalled
• Contributing factors
  – Russell was a relatively new employee (4 months)
  – Wires had been done by email in the past, infrequently (lack of controls)
  – Andrew and Daniel were out of the office on April 7th and 8th, so the request could not be checked with them in person
  – No evidence of malware; the attack relied entirely on social engineering
  – Source IP address had browsed the company website on April 7, 2014
BEC Case Study: Version 1
• Funds were transferred to an unwitting non-profit in San Diego that was told it had been wired money accidentally and agreed to redirect the funds when contacted by the fraudsters
• $95,000 of the funds were redirected by bank wire to a shell company in the United States opened by an unemployed 28-year-old Liberian female and withdrawn by cashier's check shortly after
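The contributing factors listed for Victim A (instruction received by email, new employee, executives out of office, a beneficiary never paid before, no malware to detect) are each conditions a release control can test for. As an added example that is not part of the FBI deck, the following encodes them as a dual-control rule for a wire desk: when any flag fires, the wire may only go out after the requester has confirmed the instruction by phone at a number from the company directory (never one taken from the email) and a second, different person has approved. The thresholds, account identifiers and tenure figures are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class WireRequest:
    requester: str       # employee asked to release the wire
    on_behalf_of: str    # executive the instruction claims to come from
    channel: str         # how the instruction arrived: "email", "phone" or "erp"
    beneficiary: str     # beneficiary account identifier
    amount: float


@dataclass
class Controls:
    """Reference data the control consults (constructed sample values)."""
    known_beneficiaries: set
    out_of_office: set
    tenure_months: dict
    callback_threshold: float = 10_000.0
    probation_months: int = 6


def red_flags(req: WireRequest, ctl: Controls) -> list:
    """Conditions under which the wire must not be released on the strength
    of the written request alone. Each mirrors a contributing factor from the
    Victim A case."""
    flags = []
    if req.channel == "email":
        flags.append("instruction received by email; obtain voice confirmation")
    if req.beneficiary not in ctl.known_beneficiaries:
        flags.append("first payment to this beneficiary")
    if req.on_behalf_of in ctl.out_of_office:
        flags.append(f"{req.on_behalf_of} is out of office and cannot confirm in person")
    if ctl.tenure_months.get(req.requester, 0) < ctl.probation_months:
        flags.append(f"{req.requester} has under {ctl.probation_months} months tenure")
    if req.amount >= ctl.callback_threshold:
        flags.append(f"amount {req.amount:,.2f} is at or above the callback threshold")
    return flags


def may_release(req: WireRequest, ctl: Controls, callback_verified: bool,
                second_approver=None) -> bool:
    """Release when nothing flagged, or when the requester has called the
    executive back at a directory number and someone other than the
    requester has approved (dual control)."""
    if not red_flags(req, ctl):
        return True
    return callback_verified and second_approver not in (None, req.requester)


# Constructed sample data modelled on the April 7, 2014 request.
CONTROLS = Controls(
    known_beneficiaries={"ACCT-VENDOR-0017"},
    out_of_office={"Daniel", "Andrew"},       # executives away April 7-8
    tenure_months={"Russell": 4, "Maria": 30},
)
APRIL_7 = WireRequest("Russell", "Daniel", "email", "ACCT-NEW-NONPROFIT", 85_050.00)
ROUTINE = WireRequest("Maria", "Treasury", "erp", "ACCT-VENDOR-0017", 2_500.00)

if __name__ == "__main__":
    for req in (APRIL_7, ROUTINE):
        print(req.requester, red_flags(req, CONTROLS))
    # The April 7 wire would have been held for a call-back and a second approver.
    print(may_release(APRIL_7, CONTROLS, callback_verified=False))
```

The design point is that the second approver and the call-back are independent of the email channel the attacker controls; a rule that merely asks the requester to "double check" by replying to the same thread would have been answered by the fraudster.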
BEC Descriptions
Version 2: A business employee's e-mail is hacked
• An employee, often in Accounts Receivable, has their e-mail hacked, not spoofed.
• Requests for invoice payments are sent from this employee's e-mail to multiple vendors identified from this employee's contact list.
• These requests contain seemingly legitimate invoices with the payment instructions changed to fraudster-controlled accounts.
BEC Case Study: Version #2
• Victim B: A privately held, San Francisco, California-based international shipping and logistics firm
• On May 8, 2014, Victim B's corporate controller (Tim) was contacted by an individual purporting to be the CFO (James) and directed to send a $176,081.46 wire, supposedly at the direction of the CEO (George)
BEC Case Study: Version #2
• Both wires were sent before the fraud was detected, resulting in a loss of $343,613.38
• Wire 1 was sent to: XXXXXXXXX Entertainment Inc., Taichung Commercial Bank, Taipei, Taiwan
• Wire 2 was sent to: XXX LTD., Malayan Bank, Kuala Lumpur, Malaysia
BEC Case Study: Version #2
• Victim B continued to be targeted.
• In December 2014, a Victim B employee in Accounts Receivable (Catherine) was found to have opened an infected email attachment that compromised her email
• Victim B customers then began to receive correspondence from a spoofed email using Catherine's name and an outlook.com email address.
• The customers were asked to redirect payments to an account in Victim B's name (but not controlled by Victim B) at NATIONAL WESTMINSTER BANK in the United Kingdom
• These attempts were unsuccessful with the exception of a single payment of $36,779.85 on 2/11/2015
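Both patterns in this case study (the Version 1 request that impersonated the CFO to the controller, and the December 2014 messages carrying Catherine's name on an outlook.com address) leave traces in the message headers and body that a mail gateway or the customer's accounts-payable inbox rule can test. The following is an added example (editor's code, not the FBI's or Victim B's) that runs four such checks over a raw message: an employee's display name on an address the directory does not know, a Reply-To that diverts replies to another domain, a From that claims the corporate domain without a DMARC pass in the gateway's Authentication-Results header, and payment-instruction language. The corporate domain `victim-b.example`, the `DIRECTORY` entries, the keyword list and the three sample messages are assumptions constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumed placeholders: the firm's own mail domain and a directory mapping
# employee first names to the one corporate address they send from.
CORP_DOMAIN = "victim-b.example"
DIRECTORY = {
    "catherine": "catherine@victim-b.example",
    "james": "james@victim-b.example",
    "george": "george@victim-b.example",
    "tim": "tim@victim-b.example",
}
FREE_WEBMAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com", "aol.com"}
PAYMENT_LANGUAGE = re.compile(
    r"\b(wire|remit(?:tance)?|bank details|account number|new account|"
    r"redirect (?:the |your )?payment|urgent)\b", re.I)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def bec_flags(raw_message: str) -> list:
    """Return the BEC indicators present in one RFC 5322 message (single-part
    plain text assumed). An empty list means none of the checks fired."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    flags = []

    # 1. A known employee's name on an address that is not that employee's
    #    corporate address (the hacked-mailbox-plus-webmail pattern).
    first_name = display_name.split()[0].lower() if display_name else ""
    expected = DIRECTORY.get(first_name)
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{display_name}' but sender is {from_addr}, "
                     f"directory says {expected}")
        if from_domain in FREE_WEBMAIL:
            flags.append(f"employee name on free webmail domain {from_domain}")

    # 2. Reply-To steers the conversation to a different domain than From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")

    # 3. From claims the corporate domain but the gateway recorded no DMARC pass
    #    (the spoofed-executive pattern).
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == CORP_DOMAIN and "dmarc=pass" not in auth:
        flags.append("From uses corporate domain without dmarc=pass")

    # 4. The message asks for money movement or changed payment instructions.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hit = PAYMENT_LANGUAGE.search(f"{msg.get('Subject', '')}\n{body}")
    if hit:
        flags.append(f"payment-instruction language: '{hit.group(0)}'")
    return flags


# Constructed samples modelled on the two patterns in the case study.
SPOOFED_CFO = """\
From: James <james@victim-b.example>
Reply-To: James <james.cfo@mail-relay.example.net>
To: Tim <tim@victim-b.example>
Subject: Urgent wire
Authentication-Results: mx.victim-b.example; spf=fail; dmarc=fail
Content-Type: text/plain

Tim, George needs this out today. Please wire 176,081.46 to the account below.
"""

HACKED_AR = """\
From: Catherine <catherine.ar@outlook.com>
To: ap@customer.example
Subject: Updated remittance details
Authentication-Results: mx.customer.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Please redirect payment for invoice 4471 to our new account, details attached.
"""

LEGITIMATE = """\
From: James <james@victim-b.example>
To: Tim <tim@victim-b.example>
Subject: Board deck
Authentication-Results: mx.victim-b.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Tim, the Q2 board deck is attached for your comments.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed CFO", SPOOFED_CFO), ("hacked AR", HACKED_AR),
                          ("legitimate", LEGITIMATE)):
        print(label, bec_flags(sample))
```

Note what each check can and cannot see. The outlook.com message passes SPF, DKIM and DMARC legitimately, because the fraudster really does control that mailbox; only the directory and webmail checks catch it. Conversely the spoofed CFO message is caught by its authentication failure and its Reply-To, which is why publishing a DMARC policy for the corporate domain and keeping an authoritative sender directory are complementary controls.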
BEC Case Study: Version #2
Malwarebytes Detection
• 1/16/15 – Malware was detected: pidloc.txt (Malware.Trace.E)
• Detecting Trace. The following symptoms signal that your computer is very likely to be infected with Trace:
  – PC is working very slowly: Trace can seriously slow down your computer. If your PC takes a lot longer than normal to restart or your Internet connection is extremely slow, your computer may well be infected with Trace.
  – New desktop shortcuts have appeared or the home page has changed: Trace can tamper with your Internet settings or redirect your default home page to unwanted web sites. Trace may even add new shortcuts to your PC desktop.
  – Annoying popups keep appearing on your PC: Trace may swamp your computer with pestering popup ads, even when you're not connected to the Internet, while secretly tracking your browsing habits and gathering your personal information.
  – E-mails that you didn't write are being sent from your mailbox: Trace may gain complete control of your mailbox to generate and send e-mail with virus attachments, e-mail hoaxes, spam and other types of unsolicited e-mail to other people.