CEO wire transfer scams (also sometimes known as whaling attacks, BEC, or Business Email Compromise) are becoming a big problem.
Scammers, impersonating a CEO or other high-up executive inside a company, send an urgent request to a more junior member of staff, urging them to forward sensitive information or transfer a large amount of money.
The problem is that no-one likes to say “no” to the big boss.
As a result, some companies have had many millions of dollars stolen from them – recently, for instance, I wrote about a European firm which lost 40 million Euros after it was targeted by an email scammer.
Security consultant Florian Lukavsky decided that it was time to fight back against attacks like this, and told the HITB conference how he created a boobytrapped PDF file, capable of grabbing information from any computer on which it was opened.
The Register takes up the story:
“Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters,” Lukavsky says.
“We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information.”
“We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook.”
The information gathered was shared with police, who later arrested the perpetrators.
Lukavsky recommends that companies put in place a variety of organisational and technical defences to prevent themselves from becoming the victims of BEC.
- Raising staff awareness of the threat, and common techniques used by scammers.
- Defining processes for making legitimate payments.
- Enforcing strict use of business email addresses for business purposes.
- Not accepting emails with your domain from foreign mail servers.
- Fully implementing email authentication, making it harder for criminals to spoof your company’s domain name in the “From” field.
- Using email signatures / encryption (S/MIME / PGP).
- Marking external emails in the subject line.
- Strong authentication for web mail users.
For more information, check out the slides from Lukavsky’s presentation.