Spear phishing campaign targeting staff to perform wire transfers

Transcription

1 Spear phishing campaign targeting staff to perform wire transfers Updated 3 February This is an update to the advisory originally released on 9 October The update includes additional recommendations and details. The list of indicators has not changed. CERT Australia has received reports from multiple Australian businesses of fraudulent s purporting to be from a senior executive of their company such as the CEO, requesting financial staff to perform wire transfers to an external bank account. The s use similar initial wording and are directed by name to the chief financial officer (CFO) or other staff. Reports suggest that some incidents may have involved the compromise of staff accounts corporate or personal, or may include spoofing a known trusted supplier, to add legitimacy to the scam. The highly targeted s suggest that prior research and planning has been conducted to ascertain accurate details of senior executives and staff with financial responsibility. Recommendations CERT Australia suggests partners consider the following: Alert employees to be vigilant with regard to these incidents, especially those conducting or authorising wire transfers or similar financial instruments. Establish other communication channels, such as telephone calls, to verify significant transactions. Avoid organising such arrangements via . Use two-factor authentication with web-based and remote access VPN gateways. Be aware that information posted to social media and company websites can be abused, especially job duties/descriptions, hierarchal information, and out of office details. Do not reply to unsolicited or suspicious s. Sender policy framework (SPF) checking should be implemented to detect and prevent sender address forgery.

2 Review network logs for evidence of the indicators provided. Specifically, s relating to this advisory have been observed since 2 October Configure mail servers and mail scanners to block and remove s with the indicators below. Report identified activity to CERT Australia. If a company has been defrauded as a consequence of these s, report the matter to the Australian Cybercrime Online Reporting Network. Details CERT Australia has received reports from multiple Australian businesses of s sent to CFOs, or other staff with financial responsibilities in their organisations, signed in the name of a senior company official. The s generally follow the same structure, with a salutation by name and the use of internal nicknames or colloquialisms in some cases. The sender address is often extremely similar to the actual address of a senior executive at the target organisation. Often domains with very similar spelling to the actual target domain have been acquired and used to make the s look more authentic. Reports suggest that some fraudulent s have coincided with business travel dates, for executives whose s were spoofed. Compromised corporate or personal accounts may be used to add legitimacy. In some cases ransomware infections were reported preceding the fraud attempts. Instances where employees have responded to the s have resulted in a reply asking for a wire transfer. The wire transfer bank account details are typically contained in a PDF attachment. The amount requested has varied from tens of thousands of dollars to over one million dollars, based on the size of the targeted organisation. This campaign has used a mixture of both Australian and overseas based bank accounts. Partner research suggests that this scam is linked to other forms of fraud, including but not limited to: romance, lottery, employment, and home/vacation rental scams. The victims of these scams may be recruited as unwitting money mules. They receive fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds using wire transfer services or another bank account. Mules

3 may sometimes be directed to open business accounts for fake corporations, which may be registered in the mule s real name. Indicators From: Senior Executive s Name <senior.executive@victim-company.com.au> A senior executive s official address, spoofed. Reply-To: Senior Executive s Name <[variable]@some-domain.com> The senior executive s name at a valid domain. Domains may have been obtained that look similar to the victim company domain, such as a fraudulently misspelt official looking company domain name. Alternatively, a free address such as aol, hotmail or gmail may be used. To: Financial Officer <financial.officer@victim-company.com.au> CFO or other financial officer's official company address. Sample subjects: Important Important request Wire transfer Wire request Request PDF file attachments: Wire transfer banking instructions are contained in a PDF attachment usually with a file name starting with a company or individual name, followed by the text 'WIRING INSTRUCTION' with a '.pdf' extension. The '.pdf' extension is sometimes preceded by a space or an additional dot, as follows: <COMPANY OR INDIVIDUAL NAME> WIRING INSTRUCTION.pdf <COMPANY OR INDIVIDUAL NAME> WIRING INSTRUCTION..pdf <COMPANY OR INDIVIDUAL NAME> WIRING INSTRUCTION.pdf

4 Sample body #1: Hi <CFO s first name>, I need to know if you can still process out an international wire transfer today. <CEO s first name> Sample follow-up body #1: <CFO s first name>, Per our conversation, I have attached the instruction for the wire. Let me know when sent. Thanks <CEO s first name, or abbreviated first name> Attached file: (A PDF file containing fraudulent bank account details) Sample body #2: Hello <CFO s first name>, Can you please me the details you will need to help me process an outgoing wire transfer to another bank. Please kindly note that I can't take calls right now due to meetings, therefore, I will appreciate swift correspondence. Hope I am not bothering you too much with this? Thanks Sample body #3: <CFO s first name>, Process a wire of $45, to the account attached. Code to Admin Expenses and let me know when completed. <CEO s first name> Attached file: (A PDF file containing fraudulent bank account details)

5 Feedback CERT Australia welcomes any feedback you may have with regard to this publication and/or the services we provide or This document remains the property of the Australian Government. The information contained in this document is for the use of the intended recipient only and may contain confidential or privileged information. If this document has been received in error, that error does not constitute a waiver of any confidentiality, privilege or copyright in respect of this document or the information it contains. This document and the information contained herein cannot be disclosed, disseminated or reproduced in any manner whatsoever without prior written permission from the Executive Manager, CERT Australia, Attorney-General's Department, 3-5 National Circuit, Barton ACT The material and information in this document is general information only and is not intended to be advice. The material and information is not adapted to any particular person s circumstances and therefore cannot be relied upon to be of assistance in any particular case. You should base any action you take exclusively on your own methodologies, assessments and judgement, after seeking specific advice from such relevant experts and advisers as you consider necessary or desirable. To the extent permitted by law, the Australian Government has no liability to you in respect of damage that you might suffer that is directly or indirectly related to this document, no matter how arising (including as a result of negligence).

6 Traffic light protocol The following table lists the classification levels used in the traffic light protocol (TLP) and describes the restrictions on access and use for each classification level. TLP classification Restrictions on access and use Access to and use by your CERT Australia security contact officer only. RED You must ensure that your CERT Australia security contact officer does not disseminate or discuss the information with any other person, and you shall ensure that you have appropriate systems in place to ensure that the information cannot be accessed or used by any person other than your CERT Australia security contact officer. Restricted internal access and use only. AMBER Subject to the below, you shall only make AMBER publications available to your employees on a need to know basis strictly for your internal processes only to assist in the protection of your ICT systems. In some instances you may be provided with AMBER publications which are marked to allow you to also disclose them to your contractors or agents on a need to know basis strictly for your internal purposes only to assist in the protection of your ICT systems. Restricted to closed groups and subject to confidentiality. GREEN You may share GREEN publications with external organisations, information exchanges, or individuals in the network security, information assurance or critical network infrastructure community that agree to maintain the confidentiality of the information in the publication. You may not publish or post on the web or otherwise release it in circumstances where confidentiality may not be maintained. Not restricted. WHITE NOT CLASSIFIED WHITE publications are not confidential. They contain information that is for public, unrestricted dissemination, publication, web-posting or broadcast. You may publish the information, subject to copyright and any restrictions or rights noted in the information. Any information received from CERT Australia that is not classified in accordance with the TLP must be treated as AMBER classified information, unless otherwise agreed in writing by the Attorney-General s Department.