Cyber Threats Views from the FBI. Special Agent Keith Custer Federal Bureau of Investigation Baltimore Division

Transcription

1 Cyber Threats Views from the FBI Special Agent Keith Custer Federal Bureau of Investigation Baltimore Division

2 Overview Cyber Threat Overview Cyber-enabled Fraud Types of Cyber-enabled Fraud Business Compromise (BEC) Case Studies Best Practices to Protect Against Cyber-enabled Fraud UNCLASSFIED 2

3 Cyber Threats Cyber Division (CyD) Intrusions Major Infrastructure Defense Nation State Attacks Criminal Investigative Division (CID) Cyber-enabled Crime Fraud Drugs Money Laundering Identity Theft UNCLASSFIED 3

4 UNCLASSIFIED The FBI s Cybersecurity Mission To protect the United States against: Terrorist attack Foreign intelligence operations and espionage Cyber-based attacks and high technology crimes As the only U.S. agency with the authority to investigate both criminal and national security cybersecurity threats, the FBI is following a number of emerging trends. UNCLASSFIED 4

5 Cyber Threats and Motivations 5

6 Cyber-Enabled Fraud The advent of the Internet has made a lot of things easier for a lot of people Unfortunately this includes fraudsters UNCLASSIFIED 6

7 Common Types of Cyber-enabled Fraud Targeting Businesses Counterfeit Check scam (multiple varieties) Attorney/CPA Employment-based Account Takeover Business Compromise (BEC) UNCLASSFIED 7

8 Counterfeit Check Scam (Attorney/CPA) Target is usually solicited by Often the fraudster spoofs the of a real executive (e.g., jbsmith@acmefireworks.com vs. jbsmith@acmeflreworks.com ) The fraudster requests assistance with an international business matter, such as an acquisition or contract dispute If the target agrees the fraudster arranges for a high-quality counterfeit instrument to be delivered to the target as part of the engagement The target is directed to deposit the check and immediately wire funds to a drop account, usually a shell corporation in a foreign country (China, Taiwan, Malaysia, Dubai, Japan, etc.) The funds are immediately withdrawn or transferred out of the destination account The check is eventually found to be fake and the target is sometimes on the hook for the loss. Transactions are typically $100,000 to $500,000 UNCLASSFIED 8

9 Account Takeover Frequently targets individuals or businesses after a compromise of personal information ( hack or PII stolen) Fraudster identifies high value accounts Home Equity Line of Credit (HELOC) Brokerage Money Market Savings Fraudster contacts financial institution call center or and attempts to initiate a wire transfer to a drop account Fraudster will attempt to socially engineer verification Fraudster will attempt to have the targets home phone forwarded to his burner cell phone If business has been done by in past, sometimes no verification is required Usually the financial institution will take the loss in account takeovers after reimbursing the victim for any unauthorized withdrawals UNCLASSIFIED 9

10 Business Compromise (BEC) Definition BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising or spoofing legitimate business accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. Most victims report using wire transfers as the common method of transferring funds for business purposes; however, some victims report using checks as the common method of payment. The fraudsters will use the method most commonly associated with their victim s normal business practices. This definition was revised to emphasize the different techniques used to compromise victim accounts. 10

11 Ubiquiti reported in August 2015 it was a BEC victim UNCLASSIFIED 11

12 BEC Descriptions Version 1: Fraudster impersonates CEO or CFO to initiate a wire transfer The fraudster hacks or spoofs a business executive s account. A request, seemingly on behalf of this business executive, is then forwarded to a second employee requesting a wire transfer to a fraudster controlled bank account. The second employee complies with the business executive s request and sends the payment. Sometimes the fraudster compromises a business executive s account and contacts the bank directly, asking for an urgent wire transfer. This process is repeated every few days until discovered. Typical transactions are $100,000 to $200,

13 BEC Case Study: Version 1 Victim A: A publicly traded, San Diego, CA-based educational resources firm with $638 million in revenues in 2014 On April 7, 2014, Victim A s corporate controller (Russell) was contacted by an individual purporting to be the CFO (Daniel) and directed to send an $85,050 wire, supposedly at the direction of the CEO (Andrew)

14 BEC Case Study: Version 1

15 BEC Case Study: Version 1 On April 8, 2014, Victim A s corporate controller (Russell) was again contacted by the same individual purporting to be the CFO (Daniel) and directed to send a $115,000 wire, again at the direction of the CEO (Andrew)

16 BEC Case Study: Version 1

17 BEC Case Study: Version 1 On April 9, 2014, the fraud was discovered, but the funds could not be recalled Contributing factors Russell was a relatively new employee (4 months) Wires had been done by in the past infrequently (lack of controls) Andrew and Dan were out of the office on April 7 th and 8 th No evidence of malware Source IP address had browsed company website on April 7, 2014

18 BEC Case Study: Version 1 Funds were transferred to an unwitting non-profit in San Diego, that was told they had been wired money accidentally and agreed to redirect the funds when contacted by the fraudsters $95,000 of the funds were redirected by bank wire to a shell company in the United States opened by an unemployed 28 year old Liberian female and withdrawn in cashier s check shortly after

19 BEC Descriptions Version 2: A business employee s is hacked An employee often in Accounts Receivable has their hacked, not spoofed. Requests for invoice payments are sent from this employee s to multiple vendors identified from this employee s contact list. These requests contain seemingly legitimate invoices with the payment instructions changed to fraudster controlled accounts. 19

20 BEC Case Study: Version #2 Victim B: A privately held, San Francisco, Californiabased international shipping and logistics firm On May 8, 2014, Victim B s corporate controller (Tim) was contacted by an individual purporting to be the CFO (James) and directed to send a $176, wire, supposedly at the direction of the CEO (George)

21 BEC Case Study: Version #2 Both wires were sent before the fraud was detected resulting in a loss of $343, Wire 1 was sent to: XXXXXXXXX Entertainment Inc. Taichung Commercial Bank Taipei, Taiwan Wire 2 was sent to: XXX LTD. Malayan Bank Kuala Lumpur, Malaysia

22 BEC Case Study: Version #2 Victim B continued to be targeted. In December 2014, a Victim B employee in Accounts Receivable (Catherine) was found to have opened an infected attachment that compromised her Victim B customers then began to receive correspondence from a spoofed using Catherine s name and an outlook.com address. The customers were asked to redirect payments to an account in Victim B s name (but not controlled by Victim B) at NATIONAL WESTMINSTER BANK in the United Kingdom These attempts were unsuccessful with the exception of a single payment of $36, on 2/11/2015

23 BEC Case Study: Version #2 Malware Bytes Detection 1/16/15 Malware was detected pidloc.txt (Malware.Trace.E) Detecting Trace^ The following symptoms signal that your computer is very likely to be infected with Trace: PC is working very slowly Trace can seriously slow down your computer. If your PC takes a lot longer than normal to restart or your Internet connection is extremely slow, your computer may well be infected with Trace. New desktop shortcuts have appeared or the home page has changed Trace can tamper with your Internet settings or redirect your default home page to unwanted web sites. Trace may even add new shortcuts to your PC desktop. Annoying popups keep appearing on your PC Trace may swamp your computer with pestering popup ads, even when you're not connected to the Internet, while secretly tracking your browsing habits and gathering your personal information. E mails that you didn't write are being sent from your mailbox Trace may gain complete control of your mailbox to generate and send e mail with virus attachments, e mail hoaxes, spam and other types of unsolicited e mail to other people.

24 BEC Case Study: Version #2

25 BEC Descriptions Version 3: Business Executive and Attorney Impersonation Fraudsters first contact an employee pretending to be a business executive, saying that an attorney will be calling or sending an about an urgent matter. The fraudsters contact the same employee pretending to be an attorney. The employee is requested to assist in handling confidential or timesensitive matters that involve the transfer of funds. The employee is pressured to act quickly or secretly in handling the transfer of funds. Requests may occur at the end of the business day or work week or are timed to coincide with the close of business of international financial 25 institutions.

26 BEC Example Attorney Impersonation UNCLASSIFIED 26

27 BEC Variants Version 4: A business working with a foreign supplier A business orders goods from a trusted supplier, usually in China or Hong Kong. The customer/victim is contacted by a fraudster via phone, fax, or e- mail to change the payment location of the invoice, usually to a bank in China or Hong Kong. The customer sends payment to the new bank account. 27

28 BEC Hallmarks Businesses and associated personnel using open source accounts are predominantly targeted. Individuals responsible for handling wire transfers within a specific business are targeted. Spoofed s very closely mimic a legitimate request. Fraudulent requests for a wire transfer are usually wellworded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request. Fraudsters use company logos, letterhead, invoice formats, and signatures of employees of the targeted supplier to increase believability. 28

29 BEC Hallmarks The amount of the fraudulent wire transfer request is business specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt. Additional spoofed addresses that appear to belong to the targeted business are sometimes copied to fraudulent s. Fraudulent s received have coincided with business travel dates for executives whose s were spoofed. Victims report that IP addresses frequently trace back to free domain registrars. The phrases code to admin expenses or urgent wire transfer were reported by victims in some of the fraudulent requests. 29

30 BEC Hallmarks Employees may be phished prior to the BEC incident Employees may be pressured to act quickly or secretly in making a transfer of funds BEC incidents may be timed for the close of either a domestic or international business day or week 30

31 BEC Impact 7,066 Victims $747,659, Dollar Loss US Outside the US 1,113 Victims $51,238, Dollar Loss 8,179 Victims $798,897, Dollar Loss BEC Global Total Amounts are only for those cases reported to the FBI from October 2013 to August

32 BEC Victims by Country *74 Countries with Victims October 2013 through June

33 Who Are the Victims of BEC Victims of the BEC scam range from small to large businesses. These businesses may purchase or supply a variety of goods, such as textiles, furniture, food, and pharmaceuticals. BOTH suppliers and their customers are victims of this scam. The scam impacts both ends of the supply chain, as both supplies and money can be lost and business relations may be damaged. Since the criminal activity is being facilitated through financial institutions, the financial institutions themselves can be considered victims. 33

34 Destinations of Fraudulent Transfers *72 Countries with Subjects October 2013 through June

35 Common Types of Cyber-enabled Fraud Targeting Individuals Romance Scams Every dating web site on the Internet is affected Advanced Fee Scheme International Lottery Overseas Inheritance IRS/DEA/FBI intimidation Sometimes with inside knowledge Account Takeovers Account Compromise Income Tax Refund Fraud UNCLASSIFIED 35

36 Romance Scams Vulnerable individuals, often elderly females, are targeted by fraudsters purporting to be U.S. businessmen or service members located overseas Victims are moved off website messaging as soon as possible Most victim contact continues via SMS text message, Yahoo! Chat, or After cultivating a strong romantic connection, the fraudster begins a never-ending string of scams Many victims believe they are engaged to the fraudster and carry on the relationship for years and continue even after confronted by family or the FBI UNCLASSIFIED 36

37 Typical Romance Scam Profiles Phillip Low Low purported to own a construction company working on a project in the Philippines Low provided collateral checks and requested loans to help complete the project The victim lost almost $70,000

38 Typical Romance Scam Profiles According to his profile, Lantz in interested in: Lantz Thompson open, honest, long lasting committed relationship, Someone i will grow old with. I believe a successful relationship requires both individuals to put 100% f ortrt (sic) into it. Both must also be able and willing to engage in meaningful conversation, and be able to express their deepest feelings. Surface talk I can do with anyone, and I want more. I enjoy family and friends, but the one who I enjoy the most is my mate! Nobody comes before her. I also believe we should always strive to be a good example before our children, even if they are grown. Trust and honesty is extremely important to me. If I can't trust my mate, who can I trust? I like people to be their selflf (sic), not pretend to be someone they are not

39 Typical Scams Oil Business in Nigeria Taxes/Fees Equipment lost or broken Bribe corrupt official Employee died or injured Rare Gem Dealer (SE Asia) Customs fees Bribe corrupt official Imprisoned overseas Fiancé Car accident, hospitalized Travel expenses to come home to marry victim Family member hospitalized Robbed overseas Construction Project in Philippines/Malaysia Taxes/Fees Equipment lost or broken Natural disaster Bribe corrupt official Employee died or injured

40 Common Types of Cyber-enabled Fraud Targeting Individuals Advanced Fee Schemes International Lottery Overseas Inheritance IRS/DEA/FBI intimidation Sometimes with inside knowledge Account Takeovers Account Compromise Income Tax Refund Fraud UNCLASSIFIED 40

41 Suggestions to Protect Yourself Create intrusion detection system rules that flag s with extensions that are similar to company . For example, legitimate of abc_company.com would flag fraudulent of abc-company.com. Register all company domains that are slightly different than the actual company domain. Verify changes in vendor payment location by adding additional two factor authentication such as having a secondary sign off by company personnel even if there is a delay in authorizing the payment. 41

42 Suggestions to Protect Yourself Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the request. Know the habits of your customers, including the details of, reasons behind, and amount of payments. Carefully scrutinize all requests for transfer of funds to determine if the requests are out of the ordinary. 42

43 Suggestions to Protect Yourself Avoid free web-based accounts: Establish a company domain name and use it to establish company e- mail accounts in lieu of free, web-based accounts. Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out of office details. Be suspicious of requests for secrecy or pressure to take action quickly. 43

44 Suggestions to Protect Yourself Talk to your insurance carrier to see if you are covered in the event of a victimization Additional information is publically available on the United States Department of Justice website publication entitled Best Practices for Victim Response and Reporting of Cyber Incidents. 44

45 File a Complaint If you believe your businesses is the victim of cyberenabled fraud (regardless of dollar amount) report it to the Internet Crime Complaint Center (IC3) at 45

46 Cyber Threat Takeaways It s not just the hackers and data thieves you need to worry about Fraudsters will eventually find a company s vulnerabilities wherever they exist and exploit them Most of the time the vulnerability will be human in nature You are only as strong as your weakest link, educate your personnel, especially those in key positions UNCLASSIFIED 46

47 Questions? UNCLASSIFIED 47