How Hackers Use Business Email Compromise to Harm You


November 15, 2017

PRESENTED BY: LANNY MORROW, MANAGING CONSULTANT OF BKD’S FORENSICS & VALUATIONS SERVICES

To Receive CPE Credit

• Participate in entire webinar

• Answer polls when they are provided

• If you are viewing this webinar in a group
  - Complete group attendance form with
  - All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar
  - Answer polls when they are provided

• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar


Lanny Morrow, EnCE®

Managing Consultant

[email protected]

Agenda

• Current Cyberthreat Landscape

• Hacker Motivations & Tactics

• Overview of Business Email Compromise (BEC)

• BEC Case Studies

• How to Mitigate BEC & Other Compromises


Top Cybercrimes

• BEC
  - Email account compromise (EAC)

• Ransomware

• Corporate account takeover

• Identity theft

• Theft of sensitive data

• Theft of intellectual property

• Denial of service

Pervasiveness of Cyberthreats

“There are only two types of companies: those that have been hacked & those that will be. Even that is merging into one category: those that have been hacked & will be again”

– Robert Mueller, Former FBI Director


Data Breaches in the News

Characteristics of Cyberthreat Actors

• Skilled

• Persistent

• Sophisticated

• Tactical

• Well funded

• Difficult to detect

• Evolving
  - Technical attacks not needed
  - Can use deceivingly simple, nontechnological methods
  - Exploits the “weakest link”
  - Heavy use of social engineering, e.g., BEC


The Weakest Link Is … You … & Me

• Distracted

• Overworked

• Disengaged

• Trusting

• Hurried

• Compartmentalized

• Naive

Motivations for Attacks

• Disruption of business

• Bragging rights

• Reputational damage, loss of trust (social “hacktivism”)

• Corporate espionage

• Money is the primary motivator in recent years


What We Stand to Lose

• Credit/debit card information via POS systems

• Protected health information (PHI)

• Personally identifiable information (PII), e.g., employee, customer, student data

• User names & passwords

• Intellectual property, e.g., blueprints, strategic plans, trade secrets

• Dirty laundry, e.g., reputational damage

Value of Your Information

• Hackers sell information packages containing
  - “Verified” health insurance credentials
  - Bank account numbers/logins
  - SSNs
  - Other PII on victims

• Sold as “kitz” with counterfeit physical documents such as
  - Credit cards, social security cards, driver’s licenses, insurance cards


Value of Your Information

• “Kitz” can sell for between $1,200 & $1,300 each

• Additional fees for adding items, such as
  - US credit card with CVV code
  - Online bank account
  - Game accounts
  - PayPal, verified balance

Just How Good Are They?

• Hackers at DEFCON convention were given access to 13 different “highly secure” voting machines used in federal elections
  - No documentation or other info was provided to the hackers
  - The first machine was compromised within 30 minutes of starting
  - All 13 machines were hacked within 90 minutes


Interesting Statistics About Hacking

• In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products easiest to hack; Mozilla most difficult)

• In 83% of cases, it took weeks or more to discover an incident occurred

• Attackers take easiest route (63% leveraged weak, default or stolen passwords)

• 95% of breaches were made possible by nine patterns including poor IT support processes, employee error & insider/privilege misuse of access

• Analysis of successful breach cases involving software vulnerabilities in 2016 revealed that, in 86% of those cases, the patch for the vulnerability had been out for over one year

BUSINESS EMAIL COMPROMISE


Nature of the Threat

• Business email compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers &/or businesses that regularly perform wire transfer payments

• The email account compromise (EAC) component of BEC targets individuals that perform wire transfer payments

BEC Statistics

• 2,370%: Increase in exposed losses from BEC from January 2015 to December 2016

• $5,302,890,448: Dollar amount of exposed losses from 2013 to 2016

• BEC has affected people in all 50 states & in 131 countries


Current Trends

• 2016 marked beginning of a heavy period of W-2 scams

• Resurgence in the original “foreign supplier” BEC tactic

• Real estate transaction schemes increased 480% in 2016

Signatures of Current Schemes

• Scenario 1: business working with a foreign supplier
  - A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account
  - The request may be made via telephone, facsimile or email. If an email is received, the subject will spoof the email request so it appears similar to a legitimate request
  - Requests made via facsimile or telephone call will closely mimic a legitimate request

Source: FBI Alert # I-050417-PSA


Signatures of Current Schemes

• Scenario 2: business executive receiving or initiating a request for a wire transfer
  - The email accounts of high-level business executives, e.g., chief financial officers, chief technology officers, are compromised. The account may be spoofed or hacked
  - A request for a wire transfer from the compromised account is made to a second employee within the company who is typically responsible for processing these requests
  - Or, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y”

Source: FBI Alert # I-050417-PSA

Signatures of Current Schemes

• Scenario 3: business contacts receiving fraudulent correspondence through compromised email
  - An employee of a business has his or her personal email hacked
  - This personal email may be used for both personal & business communications
  - Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal email to multiple vendors identified from this employee’s contact list
  - The business may not become aware of the fraudulent requests until that business is contacted by a vendor to follow up on the status of an invoice payment

Source: FBI Alert # I-050417-PSA


Signatures of Current Schemes

• Scenario 4: business executive & attorney impersonation
  - Victims contacted by fraudsters who typically identify themselves as lawyers or representatives of law firms & claim to be handling confidential or time-sensitive matters
  - This contact may be made via either phone or email. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds
  - This type of BEC scam may occur at the end of the business day or work week & be timed to coincide with the close of business of international financial institutions

Source: FBI Alert # I-050417-PSA

Signatures of Current Schemes

• Scenario 5: data theft
  - Fraudulent requests for sensitive or protected data are sent using a business executive’s compromised email
  - The entities in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping or auditing section, have frequently been identified as the targeted recipients of the fraudulent request for W-2 &/or PII
  - Some of these incidents are isolated & some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario even if they were able to successfully identify & avoid the traditional BEC scam
  - This data theft scenario of the BEC scam first appeared just prior to the 2016 tax season

Source: FBI Alert # I-050417-PSA


Signatures of Current Schemes

• Real estate scams
  - All participants targeted, e.g., buyer, seller, agent, attorneys
  - Perpetrators able to monitor proceedings via compromised accounts & public records
  - Timed their attacks to request sudden change in payment type or destination
  - Scheme beginning to be seen in automobile purchases

BEC & EAC CASE STUDIES


W-2 Scheme Case Study

• University admin receives email from “CFO” requesting all employee W-2s pursuant to an IRS inquiry

• Needs it today (received in the afternoon)

• Admin puts it all together into one PDF, alphabetized

• Hacker responds, telling her “this is more than I had hoped for”

• Compromised W-2 information sold on the underground market

• Numerous employees contacted by real IRS about issues with their returns or why they submitted two returns


Wire Transfer Fraud Case Study 1

[Diagram. Labels: Your Bank, Vendor Company, Vendor Bank, Product, Off-Shore Bank, Impostor. Callouts: “Where Is My Money?!?”, “Sent It, I Thought?!?”, “What Money??”, “Got It”]


Anatomy of the Incident

• Total loss almost $400,000

• One email from the impostor came 15 minutes after legitimate retailer sent purchase order, with same purchase order information (in different format)

• Numerous grammatical & spelling errors in email communications from impostor, including first name of retailer representative

• Impostor email was through a Yahoo account, yet initial communication between vendor & retailer representative was via company-specific email address

Wire Transfer Fraud Case Study 2

• Ubiquiti Networks (2015)

• Accounting department receives emails requesting wire transfers
  - Emails came from an impersonator, acting as an executive
  - Requested transfer of funds held by a company subsidiary in Hong Kong to accounts held by impersonator(s)

• Potentially more than $40 million loss
  - Around $14 million currently expected to be recovered through legal proceedings in foreign jurisdictions

• No insurance recovery available!


Unique Spin on the Same Theme

• University employee routinely sends wire transfer request to another employee, with routing & account number info

• One day, recipient notices the routing number “looks funny” & questions it

• Sender becomes a suspect, agrees to turn over her personal computer & phone for investigation

• Investigation reveals a keylogging tool was installed on her home computer

• Boyfriend had installed it, used info to log in to her account & fake a wire transfer request to his account

Why BEC & EAC Succeeds

The state is screaming at me & I need to send them all employee W-2s. I need this ASAP! – the Boss

You don’t want to be the one to hold up shipment of those parts – I need that wire sent immediately!

Sense of urgency, bad timing

Takes advantage of the “weakest link”

Similarity in tone & wording, but with noticeable differences

Takes advantage of natural trust


“Executive Footprinting”

• Hackers monitor high-level employees via corporate website, media & their personal social media

• Fake emails sent for purposes of reading “out-of-office” replies

• Learn their lingo, travel patterns, associations, when they take vacations

• Follow executives, steal mobile devices, set up fake hotspots near them

• Will strike when executives are out of pocket

MITIGATING RISK


Defending Against BEC & EAC

• Increase training & awareness

• Have some form of verification process
  - For example, call the customer/vendor to verify change in account info or wire transfer instructions

• Double check email addresses
  - In previous examples, email instructions involved or came from a different email provider or domain than legitimate emails

• Do not open email messages or attachments from unknown individuals
  - Especially zip files
  - Or links embedded in suspicious looking emails

Defending Against BEC & EAC

• Know the habits of your customers, including the details of, reasons behind & amount of payments

• Maintain a file, preferably in nonelectronic form, of vendor contact information for those who are authorized to approve changes in payment instructions

• Limit the number of employees within a business who have the authority to approve &/or conduct wire transfers

• Slow it down – does it really have to go out now?


Defending Against BEC & EAC

• Avoid free email accounts for business; get an established domain

• Be careful what you post to social media & company websites, especially job duties & descriptions, hierarchal information & out-of-office details

• Be suspicious of requests for secrecy or pressure to take action quickly

Defending Against BEC & EAC

• Do not use the “reply” option to respond to any business emails. Instead, use the “forward” option & either type in the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used

• Consider implementing two-factor authentication for corporate email accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s email account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) & (2) something you have (such as a dynamic PIN or code)
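The warning signs listed on the defense slides above (sender on a different provider or domain than the legitimate contact, free email accounts, replies routed elsewhere, pressure or secrecy around a payment or W-2 request) can be checked mechanically. This Python sketch is an added example, not part of the original presentation; the domain names, keyword lists, 0.85 similarity threshold and both sample messages are constructed assumptions, and the near-miss "lookalike" domain check goes one step beyond what the slides describe.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: your own domain plus vendor domains from the contact
# file kept out of band (placeholder names, not from the presentation).
KNOWN_DOMAINS = {"vendor-example.com", "retailer-example.com"}
FREE_MAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}  # sample list
PAYMENT = re.compile(r"\b(wire|routing number|account number|invoice|W-?2s?)\b", re.I)
PRESSURE = re.compile(
    r"\b(asap|immediately|urgent(ly)?|today|confidential|secret(ly)?)\b", re.I)

def domain_of(header_value):
    """Lower-cased domain of a From/Reply-To address ('' if the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_lookalike(domain, known):
    """Unknown domain that nearly matches a known one (e.g. 'rn' in place of 'm')."""
    return bool(domain) and domain not in known and any(
        SequenceMatcher(None, domain, k).ratio() >= 0.85 for k in known)

def body_text(msg):
    """Concatenate the text/plain parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def bec_flags(raw_message, known=KNOWN_DOMAINS):
    """Return the BEC warning signs present in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    text = f"{msg['Subject'] or ''}\n{body_text(msg)}"
    checks = [
        ("unknown-sender-domain", sender not in known),
        ("free-mail-sender", sender in FREE_MAIL),
        ("reply-to-mismatch", bool(reply) and reply != sender),
        ("lookalike-domain", is_lookalike(sender, known) or is_lookalike(reply, known)),
        ("payment-or-w2-request", bool(PAYMENT.search(text))),
        ("pressure-or-secrecy", bool(PRESSURE.search(text))),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample messages (not taken from any real case).
IMPOSTOR = """\
From: "Jon Smiht" <jon.smith.vendor@yahoo.com>
Reply-To: payments@vendor-exarnple.com
To: ap@retailer-example.com
Subject: Updated wire instructions

Please send the wire to our new account immediately.
Keep this confidential until the transfer is complete.
"""
LEGIT = """\
From: Jon Smith <jon.smith@vendor-example.com>
To: ap@retailer-example.com
Subject: Purchase order 1001 confirmation

Thanks for the order. Shipment is scheduled for next week.
"""

if __name__ == "__main__":
    for label, raw in (("impostor", IMPOSTOR), ("legitimate", LEGIT)):
        print(label, bec_flags(raw))
```

A message that raises any of these flags is a candidate for the out-of-band verification call the slides recommend, not proof of fraud on its own.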


ADDITIONAL PERSONAL CYBERSECURITY TIPS

Personal Cybersecurity Habits

• Personal VPNs

• Don’t commingle personal assets with work

• Set passcodes on mobile devices

• Don’t browse the web while logged in to accounts

• Links in emails – hover over them, don’t click

• Hotel & public Wi-Fi – don’t use it!

• Employers should provide VPN &/or mobile broadband cards to traveling employees


Personal Cybersecurity Habits

• Shred your personal trash

• Don’t be so open on social media

• Don’t throw away hard drives or USB devices

• Passwords – don’t be predictable

• Join a monitoring & protection service

• Search for yourself (www.haveibeenpwned.com)

• If it feels weird, don’t do it

More on Social Media


Questions?

BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org

The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered


CPE Credit

• CPE credit may be awarded upon verification of participant attendance

• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

Thank You!

Lanny Morrow | 816.221.6300 | [email protected]


BKD Thoughtware®

Sign up for articles & event announcements based on your specific industry or service needs

Sign up at bkd.com/subscribe