Financial fraud committed with the use of mail, email, or phone, otherwise known as wire fraud, isn’t exactly a new concept. Recently, criminals have refined the spear-phish to the point where they have succeeded in scamming hundreds of thousands of dollars from a company as a result of only a single email. The companies victimized by the latest wire fraud scheme are losing on average up to $55,000 and sometimes as much as $800,000, all with very little to no hope of recovery once the money is transferred (Clark, 2014). As of just last November, EIIA Risk Management reported that at least four of its members were approached by criminals posing as a college president who attempted to initiate a fraudulent financial transfer (Funk-Baxtor, 2014).
No, we haven’t seen many press reports about these success stories, nor are we likely to see them in the near future. Companies are obligated by law to report certain data breaches because of the potential harm they could cause the individuals whose personal information has been exposed; this risk is not present in the case of wire fraud, and therefore companies are not required to publicly report it. What we are seeing instead is that financial institutions and publications are speaking up to warn businesses about this threat, from the point of view of the banks who are dealing with businesses trying to recoup their losses (McCann, 2014).
The highest form of flattery
There are a number of implications for both pentesters and those involved in security awareness but allow me to start by outlining the problem in a bit more detail. Criminals, posing as a C-level executive within the company, send a very authentic-looking urgent request via email (though vishing has been reported also) to another employee who has the ability to complete financial transactions on the executive’s behalf (McCann, 2014).
David Pollino, of Bank of the West, is being credited with naming this particular method of wire fraud “Masquerading” (Kitten, 2014). The key to masquerading is the level of believability criminals are achieving when impersonating C-level executives of a company. I’m sure you’ve heard the term “sophisticated” used a lot lately when it comes to digital attacks, particularly when they involve social engineering. The believability of the impersonation involved here is a prime example of this increase in sophistication. Making a fraudulent email succeed against an employee who has probably had multiple dealings with the real executive requires a high degree of complexity and awareness of subtle details.
First, the criminal has to identify an executive who would typically order a financial transaction and also a lower-level employee with access to carry out such a transaction and for whom such a request from that executive would be believable. Second, the criminal must create a believable pretext for ordering the transaction, such as a late payment to a particular vendor. Next, the criminal would set about writing an email using the appropriate corporate logos, closing signatures, name-dropping, and jargon necessary to convince the employee that it is a legitimate request from inside the company. Then the criminal has to find a way to make the source of the email credible. This has been done by registering fake domains which are similar enough to the company’s to be overlooked, because the employee is in a hurry to comply with the sense of urgency created by the email. Another method is actually taking over the executive’s email account through spear-phishing or other network attacks (Brooks, 2014). After the criminal has set up the account to receive the money, the scam is good to go.
How are criminals able to put together such a convincing scam when, as we’ve pointed out, the employee receiving the email very likely knows the executive that is being impersonated? Open source information (OSI) can be more than enough to put together an authentic looking request. For example, perhaps the executive has posted on social media that they will be going on vacation and even where they are going. This means that the criminal knows the perfect time to send an email saying “Darn it! I forgot to send this transaction through before I left…and I need you to get it done because it’s already late.” The criminal is helped by the fact that the employee can’t walk to the executive’s office to confirm the request face-to-face or even possibly reach them by phone (who wants to call and bug the boss when they are on vacation?). Another example would be internal corporate documents that end up online with vendor information, chain-of-command, or that expose corporate jargon. In addition, a spear-phish sent to the executive which gets the criminal any kind of reply gives the criminal the format and closing signature of the executive.
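The lookalike-domain trick described above is the part of the scheme a mail gateway or a finance team’s inbox rule can actually test for. The following is an added example, not code from the original post or from any of the sources it cites: it scores the domain in a From: header against a corporate domain (confusable characters such as “rn” for “m” or “1” for “l”, small edit distance, a different top-level domain, or the company name padded with extra words) and separately flags a display name that matches an executive while the address is external. The corporate domain, the executive names and the threshold of two edits are constructed assumptions for the example; a real deployment would tune them to the organisation.

```python
from email.utils import parseaddr

# Constructed values for this example; the post names no specific company or domain.
CORPORATE_DOMAIN = "examplecorp.com"
EXECUTIVES = {"pat example", "chris finance"}   # lower-cased display names to watch for

# Character sequences that read like another character at a glance.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Lower-case a domain label and collapse confusable sequences, longest first."""
    out = label.lower()
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(seq, repl)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means the labels differ by a typo or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """'mail.examplecorp.com' -> 'examplecorp'. Naive about multi-part TLDs such as co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender_domain(domain: str, corporate_domain: str = CORPORATE_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower().strip(".")
    corporate_domain = corporate_domain.lower()
    if domain == corporate_domain or domain.endswith("." + corporate_domain):
        return "internal"
    corp = normalize(second_level_label(corporate_domain))
    sender = normalize(second_level_label(domain))
    if sender == corp:                  # same name on another TLD, or a confusable swap
        return "lookalike"
    if levenshtein(sender, corp) <= 2:  # dropped, doubled or transposed letters
        return "lookalike"
    if corp in sender:                  # company name padded with extra words (-payments, -invoices)
        return "lookalike"
    return "external"


def review_from_header(from_header: str, corporate_domain: str = CORPORATE_DOMAIN,
                       executives=EXECUTIVES) -> list:
    """Return the reasons a From: header deserves a second look; an empty list means none found."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address: %r" % from_header]
    domain = addr.rpartition("@")[2]
    verdict = classify_sender_domain(domain, corporate_domain)
    reasons = []
    if verdict == "lookalike":
        reasons.append("sender domain %s resembles %s" % (domain, corporate_domain))
    if verdict != "internal" and display.strip().lower() in executives:
        reasons.append("display name %r matches an executive but the address is external" % display)
    return reasons


if __name__ == "__main__":
    # Constructed sample headers of the kind a payments clerk might receive.
    for header in ("Pat Example <pat.example@examplecorp.com>",
                   "Pat Example <pat.example@examp1ecorp.com>",
                   "Pat Example <pat.example@gmail.com>",
                   "Accounts <ap@acme-supplies.net>"):
        print(header, "->", review_from_header(header) or "no indicators")
```

The edit-distance and substring rules are deliberately loose, so a short corporate name will produce false positives on unrelated domains; the point is to route the message to a “verify by phone before paying” queue, not to block it outright.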
Implications for pentesters
The implication for pentesters is simple. Masquerading is currently in use and is working well in defrauding companies of large sums of money. Therefore, it is a realistic attack vector to consider proposing to a client when discussing the scope for a penetration test or security audit. Of course it is best if the company allows pentesting that is as realistic as possible, but in some cases the attack does not have to be fully carried out. Not all companies have policies in place to deal with this vector, and educating the company might be enough to persuade them to build a strategy for mitigating this scam. If a company is informed of the high risks associated with this vulnerability, they may choose to allow the pentester to actually perform the attack.
Implications for security awareness programs
For those in security awareness, the implications of this attack are A) to create or modify security policy to reduce the risk of this vector, B) to identify any potential target employees within the company when mapping accessibility within the infrastructure, and C) to make sure these employees receive the training needed to diminish the success of this vector.
An example of a security policy might be to require more than one employee’s authorization in order to process a financial request at or above a certain amount (Nicastro, 2014). Another example is to limit the amount of personal information about employees, particularly executives, that is publicly exposed on social media if that information can be tied to the employee’s corporate identity. Business-related social media accounts should never be used for personal purposes. It is also important at the executive and board level to have education regarding such attacks and regarding the damage your company’s online leakage could cause. If you don’t know the value of the information you possess and where that information is, you can’t protect it.
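The dual-authorization policy above is easy to state and easy to get subtly wrong in a payments system, so here is an added example (not code from the original post or from the source it cites) of the rules it implies: above a threshold a transfer needs two distinct approvers, the person who keyed in the request can never be one of them, and the same person cannot approve twice. The threshold, the request fields and the names are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed policy parameter; the post gives no specific amount.
DUAL_CONTROL_THRESHOLD = 10_000.0


class PolicyViolation(Exception):
    """Raised when an approval would break separation of duties."""


@dataclass
class TransferRequest:
    request_id: str
    amount: float
    entered_by: str                      # employee who keyed the request in (e.g. after the e-mail)
    approvals: list = field(default_factory=list)


def approvals_required(amount: float, threshold: float = DUAL_CONTROL_THRESHOLD) -> int:
    """One approver below the threshold, two at or above it."""
    return 2 if amount >= threshold else 1


def approve(req: TransferRequest, approver: str) -> TransferRequest:
    """Record an approval, refusing self-approval and repeat approval by the same person."""
    if approver == req.entered_by:
        raise PolicyViolation("%s entered %s and cannot approve it" % (approver, req.request_id))
    if approver in req.approvals:
        raise PolicyViolation("%s has already approved %s" % (approver, req.request_id))
    req.approvals.append(approver)
    return req


def release_check(req: TransferRequest, threshold: float = DUAL_CONTROL_THRESHOLD):
    """Return (may_release, reason). Counts only distinct approvers other than the requester."""
    need = approvals_required(req.amount, threshold)
    have = len(set(req.approvals) - {req.entered_by})
    if have < need:
        return False, "%s needs %d distinct approver(s), has %d" % (req.request_id, need, have)
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a $55,000 transfer keyed in by alice after an urgent e-mail.
    req = TransferRequest("WT-1", 55000.0, "alice")
    print(release_check(req))          # (False, ...) nobody has approved yet
    approve(req, "bob")
    print(release_check(req))          # (False, ...) one approver is not enough above the threshold
    approve(req, "carol")
    print(release_check(req))          # (True, 'ok')
```

Because the check lives in `release_check` rather than in the UI, the rule still holds when a request arrives through an import or an API, which is where hurried “just push it through” shortcuts tend to creep in.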
As said in the beginning, we aren’t going to see news articles every time a company loses a couple hundred thousand dollars to this type of fraud. It’s an embarrassment to the company and doesn’t directly affect the average American. Instead we have to wait for reports from groups like the FTC and IC3 to post how rampant masquerading has become (IC3, 2014; Flemming, 2014). Unfortunately, the lack of media attention does not indicate a low risk level, since not only is this attack becoming more prevalent but it also carries a HIGH risk due to the sheer amount of money lost with just one click of a button. I don’t know about you, but I prefer to rip the mask off this scam and educate the necessary individuals to make this vector look less appealing to criminals.