- Email: [email protected]
Scamming the scammers with their own tricks
FEATURE gives a bad impression of the organisation’s general security capability.
Preventing crypto-jacking Like most opportunistic cyber-attacks that are easy to carry out, crypto-jacking is also quite easy to defend against if the organisation is prepared. The basic security hygiene that companies should be following in preparation for serious attacks will generally cut off attempts to embed crypto-jacking scripts as well. Carrying out a thorough risk assessment is one of the most important steps, as this will help the organisation to understand how appealing it might be to crypto-jackers (and criminals in general) and how they might strike. Any company that hosts a popular consumer-facing website or operates an internal employee portal should be aware that they make particularly attractive targets. A thorough server audit should be carried out to locate any existing mining scripts in case you’ve already been compromised, and further attempts to insert malicious code can be detected by monitoring access and changes to the web code. Following best practice such as regular security patching will also go
a long way in preventing crypto-jacking, as the vulnerabilities commonly exploited by attackers to compromise a website are generally discovered and patched by software vendors quite quickly. Crypto-mining can be more difficult to identify than most other malevolent activity because its only notable impact is draining computational resources. However, enterprises that are concerned that their workforces are being targeted can use behavioural analytics to detect signs of mining such as large patterns of users calling on computer ‘slowness’ or ‘overheating’. Web browser plugins such as ad blockers or even specific plugins to block crypto-jacking can help prevent those scripts from landing on your users’ screens from the start. While the crypto market continues to be something of a rollercoaster, cryptomining has established a place as an easy and reliable source of income for cybercriminals. As a result, organisations must ensure that they are able to spot the signs and shut illegal miners down if they don’t want to suffer overtaxed networks and angry customers.
About the author Karl Sigler is the threat intelligence research manager for SpiderLabs at Trustwave, where
he is responsible for research and analysis of current vulnerabilities, malware and threat trends. Sigler and his team run the SpiderLabs at Trustwave Threat Intelligence database, maintaining security feeds from internal research departments and thirdparty threat exchange programmes. His team also serves as liaison for the Microsoft MAPP programme, co-ordinates SpiderLabs at Trustwave’s responsible vulnerability disclosure process and maintains the IDS/IPS signature set for MSS customers. With more than 20 years experience working in information security, Sigler has presented on topics such as intrusion analysis and computer forensics to audiences in over 30 countries.
References 1. ‘Pixalate unveils the list of sites secretly mining for cryptocurrency’. Pixalate, 26 Oct 2017. Accessed Aug 2018. http://blog.pixalate.com/ coinhive-cryptocurrency-mining-cpusite-list. 2. Cimpanu, Catalin. ‘Smominru Botnet Infected Over 500,000 Windows Machines’. Bleeping Computer, 1 Feb 2018. Accessed Aug 2018. www.bleepingcomputer. com/news/security/smominru-botnet-infected-over-500-000-windowsmachines/.
Scamming the scammers with their own tricks John Wilson, Agari
John Wilson
Despite constant warnings from the security community and authorities, cases of business email compromise (BEC) continue to roll in. In its most recent report, the FBI estimated that financial losses from these attacks has amounted to more than $5.3bn since October 2013. Unlike the low-effort, high-volume spam campaigns that are commonplace in every inbox today, BEC is a fairly sophisticated and targeted attack that impersonates a trusted contact to trick the victim into transferring funds or pri14
Computer Fraud & Security
vate information. The tactic is popularly known as ‘CEO fraud’, as the authority of the chief executive is perfect for the scam – but other senior staff, as well as suppliers and partners, are also frequently impersonated.
What makes this steadily mounting figure even more noteworthy is the fact that the vast majority of email scammers rely on the same handful of tricks to disguise their identities and can be easily spotted and blocked if the target organisation is equipped to see though the deception. The phrase “know your enemy” from September 2018
FEATURE Sun Tzu’s The Art of War may be something of a cliché, but absolutely holds true when it comes to cyber-attackers – and particularly malicious emails. As part of an ongoing effort to better understand our enemy, I decided to try baiting some scammers into revealing more about their tactics. This is not a new idea and the approach has formed the basis for several successful books. However, unlike previous cases it wasn’t just a case of wasting the time of the scam artists for entertainment – it was an attempt to fight back and help to take them down.
Finding a scammer After deciding to embark on this project, the first challenge quickly appeared – where to find a scammer to bait and interact with? This resolved itself when we got lucky and a fraudster impersonated Agari’s own founder, Patrick Peterson. It was immediately obvious that we had an imposter on our hands, as the email said it was sent from a smartphone that I know Peterson doesn’t use. More tellingly though, the email claimed to be from [email protected], rather than Peterson’s real email. ‘Evil Pat’ had written to our financial controller, asking if she was in the office. I took over and asked what they needed. They quickly responded to say they needed an urgent wire transfer of $44,960, and provided the payment details. I realised I knew the fraud officer at the particular bank, and decided to contact him to help look into it and at the same time turned the Gmail address over to Google. In the meantime, I stalled our fraudster by asking for the cost centre I should charge the payment to and if it counted as a marketing expense. However, by this point, greed had obviously gotten the better of them and they ignored my questions and simply chased after the payment. Instead of a $44,960 payday, however, they found their email and bank accounts shut down. Not only that, but investigations by the bank and Google found multiple other accounts associated with the September 2018
identified email and bank accounts and shut all of those down as well. We later learned that criminals tend to reuse their bank accounts and email addresses, so our first takedown effort probably spoiled a number of ongoing scams.
A lesson in scamming After this initial success, it was time to expand the project, baiting more scammers to get a better feel for their tactics and scope, as well as other factors like location and targets. Again, the first step was to find some would-be scammers on which to turn the tables. Although we’d been lucky that a fraudster had been unwise enough to try to perform an email-based scam on an email security company, this doesn’t happen every day. Our email monitoring solution tracks 10 billion emails every day and identifies millions of malicious fakes, so there were plenty of resources to draw on. It didn’t take long to spot a great example of an email purporting to be from a CEO of a Fortune 500 and so we decided to hit this scammer next. However, we only see this as metadata, rather than the actual content – and unlike the incident with our Evil Pat, I couldn’t just grab the keyboard of the target and reply back to the criminal.
“While the scammers were clever enough to mask their location early on, as the conversation stretched out they eventually forgot and revealed they were emailing from Lagos, Nigeria” Instead, I did some impersonation of my own and became the target, using the very same tactics used by the criminals. A quick look on LinkedIn told me everything I needed to know about the would-be victim of this particular scam and a few minutes later I was armed with a free Gmail account with the same name. I replied to the scammers and told them I was working from home today, and asked how I could help.
I wasn’t too hopeful about my chances here and assumed the attackers would not fall for their own tricks. However, once again the thought of a big payday over-rode good sense and they got back to me within minutes with details for a wire transfer. These particular scammers were using an AOL email address, which was a bonus as AOL also lists the computer connecting to the mail server in one of the email headers. After looking up the IP, I found the email had apparently been sent from Jackson, Mississippi – but through an anonymous proxy. While the scammers were clever enough to mask their location early on, as the conversation stretched out they eventually forgot and revealed they were emailing from Lagos, Nigeria. As with the first example, I decided to delay our would-be scammers by asking for a cost centre. Eventually they got too impatient and asked me to cut a cheque instead. In their haste they revealed another clue, as the mailing address for the cheque was different from the one revealed by their previous wire transfer. I was able to look up the supposed beneficiary of the cheque and discovered a real person – likely themselves the victim of identity fraud.
Who are the scammers? I went through a total of 20 of these interactions, each one following the same basic recipe. Each case ended with me submitting the email and bank accounts to the authorities. In some cases, I was even able to trick the scammers into giving up multiple accounts by sending a fake confirmation and pretending there had been a problem. With several criminals now having a very bad day, it was time to turn to the next part of the project and find out what we could learn from the cases. Plotting the locations on a map, it became apparent that all the email servers were located in the US in an attempt to make the email more trustworthy. Emails from Nigeria and other locations known to be hotspots for cybercrime tend to be Computer Fraud & Security
15
FEATURE more likely to trigger spam filters. Likewise, almost all the banks used for the wire transfers were in the US as well. The non-US examples were both European banks used in scams targeting companies based in Europe, as again a request from the same location is immediately less suspicious. These bank accounts are generally run by money mules – accomplices that have bank accounts being used by the criminal. Many of these accounts are likely to belong to unsuspecting innocents who have themselves fallen victim to fraud. Online romance scams are a particularly common tactic used to harvest these details. The scammers themselves are located all over the world, but we identified particular hotspots in Nigeria, Romania and South Africa.
The weak link Despite the level of forward planning and sophistication frequently used to craft a deceptive identity, this project made it apparent that the scammers will very readily fall for their own tricks. Reverse engineering the criminal’s tactics delivered a 100% success rate, with all 20 scammers falling for my counter-impersonation and handing over their bank details. Many of the more impatient ones also gave up their real locations after eventually forgetting to use their proxies. Of course, the average employee doesn’t have the time or resources to counter-attack a fraudster like this. Indeed, as shown by the steadily mounting costs, in most cases the victim will probably fall for the deception and comply without realising anything is amiss – until it becomes apparent that $40,000 is missing from the corporate accounts. Although many of the common tactics used in BEC campaigns are obvious when you know what to look for, there are so many possible variations that it is not reasonable to expect employees to identify them. However, staff should be well-trained in best practice around 16
Computer Fraud & Security
operations such as transferring funds and sensitive data. Payments should never be authorised solely via email, and other sensitive data should be encrypted, with the password sent over another channel such as SMS or over the phone.
“Any company that does not equip itself with the ability to identify and block sophisticated emails using deceptive tactics is likely to find itself added to the tally the next time the FBI counts the costs” However, humans will always be the weakest link in any security strategy and the best line of defence is to prevent these malicious emails from reaching employees in the first place. Most companies still rely on traditional spam filters and anti-virus solutions to protect themselves from harmful emails. However, while these defences are still effective at stopping untargeted ‘spray and pray’ email campaigns, they are useless when it comes to targeted attacks. Spam filters work by looking for suspicious attachments or links used to deliver a malware payload, as well as other keywords in the email copy. BEC attacks don’t use links or attachments, and a well-crafted message is identical to a legitimate one – leaving the filter with nothing to work with and allowing the malicious email to fly under the radar.
Keeping BEC attacks out One of the biggest issues with most traditional security measures is that they work by looking for known signs of bad behaviour – leaving them forever a step behind as the criminals continually update their strategies. Instead, defences should be built around identifying good behaviour. With the aid of machine learning, it is possible to analyse millions of legitimate emails to build a model of what real, genuine user behaviour should look like. Once a model has been established, potentially malicious
activity that deviates from the pattern can be identified – even if the criminals are using new tactics. Each inbound email can then be analysed for warning signs such as a mismatch between the sender name and the actual sender identity. Emails that fit the model and pass the test can be considered trusted and sent through to the recipient’s inbox, but anything else should undergo additional scrutiny to detect further signs of digital impersonation. Depending on what else is discovered, the email can then be quarantined or reported to the authorities, or the organisation could even implement more tailormade rules. An email that has the same display name as the company’s CEO may not necessarily be malicious, but also may not be the real CEO. The system could be set to automatically change a display name that does not match the real identity to display ‘Stranger’, making sure the recipient does not get fooled by the apparent sender identity. Buoyed by the ease with which most targets are tricked, criminal gangs and other threat actors will continue to use BEC attacks as their preferred way to steal large amounts of cash and confidential information. While we can learn a lot from examining their tactics and reverse engineering them, it will achieve little to reduce the number of victims while most organisations are still relying on traditional signature-based email security and anti-virus. Any company that does not equip itself with the ability to identify and block sophisticated emails using these deceptive tactics is likely to find itself added to the tally the next time the FBI counts the costs.
About the author John Wilson is field CTO at Agari. He has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions. He continues his mission to rid the world of email fraud at Agari, a venture backed startup that helped to develop the DMARC standard. September 2018
Preventing crypto-jacking Like most opportunistic cyber-attacks that are easy to carry out, crypto-jacking is also quite easy to defend against if the organisation is prepared. The basic security hygiene that companies should be following in preparation for serious attacks will generally cut off attempts to embed crypto-jacking scripts as well. Carrying out a thorough risk assessment is one of the most important steps, as this will help the organisation to understand how appealing it might be to crypto-jackers (and criminals in general) and how they might strike. Any company that hosts a popular consumer-facing website or operates an internal employee portal should be aware that they make particularly attractive targets. A thorough server audit should be carried out to locate any existing mining scripts in case you’ve already been compromised, and further attempts to insert malicious code can be detected by monitoring access and changes to the web code. Following best practice such as regular security patching will also go
a long way in preventing crypto-jacking, as the vulnerabilities commonly exploited by attackers to compromise a website are generally discovered and patched by software vendors quite quickly. Crypto-mining can be more difficult to identify than most other malevolent activity because its only notable impact is draining computational resources. However, enterprises that are concerned that their workforces are being targeted can use behavioural analytics to detect signs of mining such as large patterns of users calling on computer ‘slowness’ or ‘overheating’. Web browser plugins such as ad blockers or even specific plugins to block crypto-jacking can help prevent those scripts from landing on your users’ screens from the start. While the crypto market continues to be something of a rollercoaster, cryptomining has established a place as an easy and reliable source of income for cybercriminals. As a result, organisations must ensure that they are able to spot the signs and shut illegal miners down if they don’t want to suffer overtaxed networks and angry customers.
About the author Karl Sigler is the threat intelligence research manager for SpiderLabs at Trustwave, where
he is responsible for research and analysis of current vulnerabilities, malware and threat trends. Sigler and his team run the SpiderLabs at Trustwave Threat Intelligence database, maintaining security feeds from internal research departments and thirdparty threat exchange programmes. His team also serves as liaison for the Microsoft MAPP programme, co-ordinates SpiderLabs at Trustwave’s responsible vulnerability disclosure process and maintains the IDS/IPS signature set for MSS customers. With more than 20 years experience working in information security, Sigler has presented on topics such as intrusion analysis and computer forensics to audiences in over 30 countries.
References 1. ‘Pixalate unveils the list of sites secretly mining for cryptocurrency’. Pixalate, 26 Oct 2017. Accessed Aug 2018. http://blog.pixalate.com/ coinhive-cryptocurrency-mining-cpusite-list. 2. Cimpanu, Catalin. ‘Smominru Botnet Infected Over 500,000 Windows Machines’. Bleeping Computer, 1 Feb 2018. Accessed Aug 2018. www.bleepingcomputer. com/news/security/smominru-botnet-infected-over-500-000-windowsmachines/.
Scamming the scammers with their own tricks John Wilson, Agari
John Wilson
Despite constant warnings from the security community and authorities, cases of business email compromise (BEC) continue to roll in. In its most recent report, the FBI estimated that financial losses from these attacks has amounted to more than $5.3bn since October 2013. Unlike the low-effort, high-volume spam campaigns that are commonplace in every inbox today, BEC is a fairly sophisticated and targeted attack that impersonates a trusted contact to trick the victim into transferring funds or pri14
Computer Fraud & Security
vate information. The tactic is popularly known as ‘CEO fraud’, as the authority of the chief executive is perfect for the scam – but other senior staff, as well as suppliers and partners, are also frequently impersonated.
What makes this steadily mounting figure even more noteworthy is the fact that the vast majority of email scammers rely on the same handful of tricks to disguise their identities and can be easily spotted and blocked if the target organisation is equipped to see though the deception. The phrase “know your enemy” from September 2018
FEATURE Sun Tzu’s The Art of War may be something of a cliché, but absolutely holds true when it comes to cyber-attackers – and particularly malicious emails. As part of an ongoing effort to better understand our enemy, I decided to try baiting some scammers into revealing more about their tactics. This is not a new idea and the approach has formed the basis for several successful books. However, unlike previous cases it wasn’t just a case of wasting the time of the scam artists for entertainment – it was an attempt to fight back and help to take them down.
Finding a scammer After deciding to embark on this project, the first challenge quickly appeared – where to find a scammer to bait and interact with? This resolved itself when we got lucky and a fraudster impersonated Agari’s own founder, Patrick Peterson. It was immediately obvious that we had an imposter on our hands, as the email said it was sent from a smartphone that I know Peterson doesn’t use. More tellingly though, the email claimed to be from [email protected], rather than Peterson’s real email. ‘Evil Pat’ had written to our financial controller, asking if she was in the office. I took over and asked what they needed. They quickly responded to say they needed an urgent wire transfer of $44,960, and provided the payment details. I realised I knew the fraud officer at the particular bank, and decided to contact him to help look into it and at the same time turned the Gmail address over to Google. In the meantime, I stalled our fraudster by asking for the cost centre I should charge the payment to and if it counted as a marketing expense. However, by this point, greed had obviously gotten the better of them and they ignored my questions and simply chased after the payment. Instead of a $44,960 payday, however, they found their email and bank accounts shut down. Not only that, but investigations by the bank and Google found multiple other accounts associated with the September 2018
identified email and bank accounts and shut all of those down as well. We later learned that criminals tend to reuse their bank accounts and email addresses, so our first takedown effort probably spoiled a number of ongoing scams.
A lesson in scamming After this initial success, it was time to expand the project, baiting more scammers to get a better feel for their tactics and scope, as well as other factors like location and targets. Again, the first step was to find some would-be scammers on which to turn the tables. Although we’d been lucky that a fraudster had been unwise enough to try to perform an email-based scam on an email security company, this doesn’t happen every day. Our email monitoring solution tracks 10 billion emails every day and identifies millions of malicious fakes, so there were plenty of resources to draw on. It didn’t take long to spot a great example of an email purporting to be from a CEO of a Fortune 500 and so we decided to hit this scammer next. However, we only see this as metadata, rather than the actual content – and unlike the incident with our Evil Pat, I couldn’t just grab the keyboard of the target and reply back to the criminal.
“While the scammers were clever enough to mask their location early on, as the conversation stretched out they eventually forgot and revealed they were emailing from Lagos, Nigeria” Instead, I did some impersonation of my own and became the target, using the very same tactics used by the criminals. A quick look on LinkedIn told me everything I needed to know about the would-be victim of this particular scam and a few minutes later I was armed with a free Gmail account with the same name. I replied to the scammers and told them I was working from home today, and asked how I could help.
I wasn’t too hopeful about my chances here and assumed the attackers would not fall for their own tricks. However, once again the thought of a big payday over-rode good sense and they got back to me within minutes with details for a wire transfer. These particular scammers were using an AOL email address, which was a bonus as AOL also lists the computer connecting to the mail server in one of the email headers. After looking up the IP, I found the email had apparently been sent from Jackson, Mississippi – but through an anonymous proxy. While the scammers were clever enough to mask their location early on, as the conversation stretched out they eventually forgot and revealed they were emailing from Lagos, Nigeria. As with the first example, I decided to delay our would-be scammers by asking for a cost centre. Eventually they got too impatient and asked me to cut a cheque instead. In their haste they revealed another clue, as the mailing address for the cheque was different from the one revealed by their previous wire transfer. I was able to look up the supposed beneficiary of the cheque and discovered a real person – likely themselves the victim of identity fraud.
Who are the scammers? I went through a total of 20 of these interactions, each one following the same basic recipe. Each case ended with me submitting the email and bank accounts to the authorities. In some cases, I was even able to trick the scammers into giving up multiple accounts by sending a fake confirmation and pretending there had been a problem. With several criminals now having a very bad day, it was time to turn to the next part of the project and find out what we could learn from the cases. Plotting the locations on a map, it became apparent that all the email servers were located in the US in an attempt to make the email more trustworthy. Emails from Nigeria and other locations known to be hotspots for cybercrime tend to be Computer Fraud & Security
15
FEATURE more likely to trigger spam filters. Likewise, almost all the banks used for the wire transfers were in the US as well. The non-US examples were both European banks used in scams targeting companies based in Europe, as again a request from the same location is immediately less suspicious. These bank accounts are generally run by money mules – accomplices that have bank accounts being used by the criminal. Many of these accounts are likely to belong to unsuspecting innocents who have themselves fallen victim to fraud. Online romance scams are a particularly common tactic used to harvest these details. The scammers themselves are located all over the world, but we identified particular hotspots in Nigeria, Romania and South Africa.
The weak link Despite the level of forward planning and sophistication frequently used to craft a deceptive identity, this project made it apparent that the scammers will very readily fall for their own tricks. Reverse engineering the criminal’s tactics delivered a 100% success rate, with all 20 scammers falling for my counter-impersonation and handing over their bank details. Many of the more impatient ones also gave up their real locations after eventually forgetting to use their proxies. Of course, the average employee doesn’t have the time or resources to counter-attack a fraudster like this. Indeed, as shown by the steadily mounting costs, in most cases the victim will probably fall for the deception and comply without realising anything is amiss – until it becomes apparent that $40,000 is missing from the corporate accounts. Although many of the common tactics used in BEC campaigns are obvious when you know what to look for, there are so many possible variations that it is not reasonable to expect employees to identify them. However, staff should be well-trained in best practice around 16
Computer Fraud & Security
operations such as transferring funds and sensitive data. Payments should never be authorised solely via email, and other sensitive data should be encrypted, with the password sent over another channel such as SMS or over the phone.
“Any company that does not equip itself with the ability to identify and block sophisticated emails using deceptive tactics is likely to find itself added to the tally the next time the FBI counts the costs” However, humans will always be the weakest link in any security strategy and the best line of defence is to prevent these malicious emails from reaching employees in the first place. Most companies still rely on traditional spam filters and anti-virus solutions to protect themselves from harmful emails. However, while these defences are still effective at stopping untargeted ‘spray and pray’ email campaigns, they are useless when it comes to targeted attacks. Spam filters work by looking for suspicious attachments or links used to deliver a malware payload, as well as other keywords in the email copy. BEC attacks don’t use links or attachments, and a well-crafted message is identical to a legitimate one – leaving the filter with nothing to work with and allowing the malicious email to fly under the radar.
Keeping BEC attacks out One of the biggest issues with most traditional security measures is that they work by looking for known signs of bad behaviour – leaving them forever a step behind as the criminals continually update their strategies. Instead, defences should be built around identifying good behaviour. With the aid of machine learning, it is possible to analyse millions of legitimate emails to build a model of what real, genuine user behaviour should look like. Once a model has been established, potentially malicious
activity that deviates from the pattern can be identified – even if the criminals are using new tactics. Each inbound email can then be analysed for warning signs such as a mismatch between the sender name and the actual sender identity. Emails that fit the model and pass the test can be considered trusted and sent through to the recipient’s inbox, but anything else should undergo additional scrutiny to detect further signs of digital impersonation. Depending on what else is discovered, the email can then be quarantined or reported to the authorities, or the organisation could even implement more tailormade rules. An email that has the same display name as the company’s CEO may not necessarily be malicious, but also may not be the real CEO. The system could be set to automatically change a display name that does not match the real identity to display ‘Stranger’, making sure the recipient does not get fooled by the apparent sender identity. Buoyed by the ease with which most targets are tricked, criminal gangs and other threat actors will continue to use BEC attacks as their preferred way to steal large amounts of cash and confidential information. While we can learn a lot from examining their tactics and reverse engineering them, it will achieve little to reduce the number of victims while most organisations are still relying on traditional signature-based email security and anti-virus. Any company that does not equip itself with the ability to identify and block sophisticated emails using these deceptive tactics is likely to find itself added to the tally the next time the FBI counts the costs.
About the author John Wilson is field CTO at Agari. He has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions. He continues his mission to rid the world of email fraud at Agari, a venture backed startup that helped to develop the DMARC standard. September 2018