CEO wire transfer scams (also sometimes known as whaling attacks, BEC, or Business Email Compromise) are becoming a big problem.
Scammers, impersonating a CEO or other high-up executive inside a company, send an urgent request to a more junior member of staff, urging them to forward sensitive information or transfer a large amount of money.
The problem is that no-one likes to say “no” to the big boss.
As a result, some companies have had many millions of dollars stolen from them – recently, for instance, I wrote about a European firm which lost 40 million Euros after it was targeted by an email scammer.
Security consultant Florian Lukavsky decided that it was time to fight back against attacks like this, and told the HITB conference how he created a booby-trapped PDF file, capable of grabbing information from any computer on which it was opened.
The Register takes up the story:
“Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters,” Lukavsky says.
“We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information.”
“We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook.”
The information gathered was shared with police, who later arrested the perpetrators.
Lukavsky recommends that companies put in place a variety of organisational and technical defences to prevent themselves from becoming the victims of BEC.
These include:
- Raising staff awareness of the threat, and common techniques used by scammers.
- Defining processes for making legitimate payments.
- Enforcing strict use of business email addresses for business purposes.
- Not accepting emails with your domain from foreign mail servers.
- Fully implementing email authentication, making it harder for criminals to spoof your company’s domain name in the “From” field.
- Using email signatures / encryption (S/MIME / PGP).
- Marking external emails in the subject line.
- Strong authentication for web mail users.
For more information, check out the slides from Lukavsky’s presentation.
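To make the email-authentication recommendations above concrete, here is an added example (not Lukavsky's code, nor anything from his slides) that implements the DMARC-style alignment check a receiving mail server performs before accepting a message that claims to come from your own domain, and tags genuinely external mail in the subject line. It assumes the organisation's domain is the constructed `example.com`, relaxed alignment, and that the SPF and DKIM results have already been computed by the receiving MTA (as they would appear in an Authentication-Results header); the `AuthResults` type and the `handle_inbound` function are hypothetical names chosen for the example.

```python
"""Constructed example of DMARC alignment and external-mail tagging.

Assumptions (not from the article): the organisational domain is
example.com, alignment mode is relaxed unless stated, and SPF/DKIM
verdicts have already been computed by the receiving MTA.
"""
from dataclasses import dataclass
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # constructed; replace with your own domain


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM / HELO)
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the signature that verified ("" if none)


def org_domain(domain: str) -> str:
    """Simplified organisational-domain derivation: the last two labels.

    Real receivers consult the Public Suffix List; this shortcut is
    constructed for illustration and is wrong for domains like co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def from_domain_of(from_header: str) -> str:
    """Extract the domain of the RFC5322.From address ("" if malformed)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def dmarc_evaluate(from_header: str, auth: AuthResults, mode: str = "relaxed") -> str:
    """DMARC passes when either authenticated identifier aligns with From.

    SPF alone is not enough: a scammer can pass SPF for a domain they
    control while putting your CEO's address in the visible From header.
    Alignment is what ties the authenticated domain to the displayed one.
    """
    from_domain = from_domain_of(from_header)
    if not from_domain:
        return "fail"  # malformed From header; never treat as authenticated
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, mode)
    dkim_ok = auth.dkim_result == "pass" and aligned(auth.dkim_domain, from_domain, mode)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def handle_inbound(from_header: str, subject: str, auth: AuthResults,
                   policy: str = "reject") -> tuple:
    """Decide what to do with an inbound message.

    Mail claiming our own domain must pass DMARC or it gets the policy
    action ("reject" or "quarantine"). Mail from anyone else is delivered
    but marked as external in the subject line, as the article recommends.
    """
    from_domain = from_domain_of(from_header)
    claims_our_domain = bool(from_domain) and org_domain(from_domain) == ORG_DOMAIN
    if claims_our_domain:
        if dmarc_evaluate(from_header, auth) == "pass":
            return ("deliver", subject)
        return (policy, subject)
    tag = "[EXTERNAL] "
    return ("deliver", subject if subject.startswith(tag) else tag + subject)


if __name__ == "__main__":
    # Constructed sample: spoofed CEO mail relayed through a sender the
    # scammer controls. SPF passes for their domain, but nothing aligns.
    spoof = AuthResults("pass", "bulk-sender.test", "none", "")
    print(handle_inbound("CEO <ceo@example.com>", "Urgent wire transfer", spoof))
```

Note the relayed case: a message from `ceo@example.com` that passes through a partner's mailing list fails SPF alignment (the envelope sender is now the list's domain) but still passes DMARC if the DKIM signature with `d=example.com` survived the relay intact, which is why signing outbound mail with DKIM matters before you block "your domain from foreign mail servers".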
I've used the process of scamming the scammer. I did this when I was contacted by a scammer who was acting as a real estate agency for a property in Mexico. I reverse engineered the process and discovered that the scammer, who called himself Reverend John Tony, was actually Lillian Hernandez who lived in Yonkers, New York. I was able to get her bank account information and once I did, I called her bank and forwarded them the entire email thread. I also did the same with Yahoo. Rev Tony, a.k.a. Lillian Hernandez vanished like a puff of smoke and I never heard from him/her again. Score one for a potential victim.
Hmmm. PDF files to booby trap the scammers. How do we *really* know those PDF files at the end of the article are slides from Lukavsky's presentation?
;)
All kidding aside, it's wonderful to hear when the scammer gets what he/she deserves.
The problem with this "Not accepting emails with your domain from foreign mail servers." is that this is precisely how email reflectors work. You work on a collaborative email server with other external companies and your own emails come back to you and your colleagues, sourced from your domain but redistributed. Blocking these causes a problem…
If you use DKIM, DMARC and SPF in conjunction with each other then you won't find your emails blocked.
It's best practice to configure these but seeing all three configured correctly is rare. It's not difficult and is mainly down to the incompetence of system administrators / lack of knowledge / use of legacy systems.
"Scammers should be just as cautious of PDFs as the rest of us"
Quite so. Oh look, here's another Graham Cluley article with the title
"Dell has acquired RSA – download a PDF to read all about it".
A good thing I trust Graham not to mess with his loyal fans :)
:)
Did you read what I said in that other article? :)
No, but I have now. Lol, you are exonerated and RSA is in the doghouse :)
FYI – The live presentation by Florian Lukavsky, titled 'Fake President Fraud Defrauded', dated September 13, is available on YouTube. It is just over 28 minutes in duration:
https://youtu.be/HQwh5whOAr4