CHAPTER 2: CASE STUDY SPEAR-PHISHING CAMPAIGN GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Transcription

1 : CASE STUDY SPEAR-PHISHING CAMPAIGN 1

2 SPEAR-PHISHING CAMPAIGN CASE STUDY MORAL Attacks do not have to be technically advanced to succeed. OVERVIEW In August of 2014, Aerobanet (named changed to protect client identity) contacted NTT Group for assistance with a potential spear-phishing attack. NTT Group determined that Aerobanet had been targeted by a skillfully crafted social-engineering/spear-phishing campaign. The campaign used detailed knowledge of Aerobanet s internal wire transfer request and approval processes to deceive staff into completing bogus wire transfers. NTT Group security consultants assisted with rapid investigation and response to the attack. 2

3 TIMELINE OF EVENTS The table below shows the chronology of events. TIMELINE OF EVENTS - SPEAR PHISHING DATE DAY 1 EVENT Initial phishing s received which contained instructions on wire transfers DAY 2 Aerobanet transferred funds per the first set of instructions DAY 5 Second request for wire transfers was received DAY 6 Third request for wire transfers received DAY 9 DAY 9-11 DAY 15 While processing wire transfers Aerobanet became suspicious and contacted NTT Group to initiate an investigation into the fraudulent phishing s NTT Group reviewed fraudulent s, investigated the fake server and initiated additional internal review NTT Group determined the absense of malware, and isolated the attack as social engineering/spear-phishing attack Timeline of events: Spear phishing. DESCRIPTION OF EVENT In August 2014, after successfully processing several wire transfers, Aerobanet identified potentially suspicious s requesting wire transfers of funds. Their suspicions were aroused when staff detected an unusually high number of wire transfers in a short period of time. Aerobanet contacted NTT Group to verify their suspicions and to assist in investigation of the attack. Initial investigations confirmed the attack was executed via phishing s. The s were well crafted, and included several indications that the attacker had detailed knowledge of Aerobanet internal processes and employee roles: 3

4 The attacker knew which users to target internally in order to initiate wire transfers. The attacker had inside knowledge of users who could authorize wire transfers. The s included fake thread histories to make the wire transfers appear sanctioned. The s included PDF attachments designed to help make the s appear official. The s used a properly registered and fully active domain to help make the s appear official. This domain was registered via a third-party cloud-based provisioning site. The s were constructed to include information and instructions which were key to the wire-transfer process. The fake thread histories appeared to run for several days, and included s in which authorized employees allegedly requested and approved the transfers. The level of detail used to construct the s suggested the attackers had internal knowledge of Aerobanet processes and procedures. NTT Group security analysts were unable to determine whether the attacker s knowledge of Aerobanet resulted from social engineering attacks or from other sources. NTT Group had been following an increase in similar spear-phishing attacks. This helped the onsite analysts to determine the nature of the attack against Aerobanet and verify this was a phishing attack. The security consultants observed that the domain on the phishing s was slightly different from Aerobanet s legitimate domain. This attacker used a free trial domain service to create and register valid domains used in the attack. NTT Group has seen an increase in attacker use of cloud-provisioned domains, because these sites are cheap (or free), easy to set up, and can be rapidly provisioned. In this case, the cloud-provisioned domain served as a fraudulent domain. 4

5 For Aerobanet, the attacker provisioned the domain Aerobannet which was very similar to the actual target of the attack. The phishing recipients did not identify the extra n in the fake domain name. This allowed the attacker to be included in an dialog discussing each wire transfer. The attackers created an account on their fake Aerobannet site, using the name of the real Aerobanet official responsible for approving wire transfers (johndoe@ aerobanet.com vs. johndoe@aerobannet.com). While employees believed they were responding to from an internal user, they were actually responding to the attacker s fake external account. The s also included PDF attachments which identified mailing addresses and account numbers for the wire transfers. These attachments added credibility to the wire transfer requests. Analysis of the PDFs uncovered no malware. The addresses in the PDFs were residential street addresses. Based on analysis by NTT Group, there was no evidence to suggest the attackers had breached the Aerobanet infrastructure. Analysts identified no malware and no internal access to the environment. Attacks which are constrained to social-engineering and spear-phishing techniques are relatively rare, but can be extremely successful, especially when they are as expertly crafted as this attack. NTT Group has seen several attack scenarios like this in the past year, and these types of attackers appear to be increasing their level of precision. 5

6 NTT Group security consultants demonstrated how the free trial domain had facilitated the attack, and provided documentation which helped show the wire transfers were fraudulent. Aerobanet provided this documentation to its bank and obtained refunds of nearly all the funds which had been fraudulently transferred. Aerobanet subsequently changed its approval process to require all wire transfers to be manually verified in person or by phone prior to completion. ROOT CAUSE This attack was successful because the highly accurate and targeted content of the chain helped convince Aerobanet staff that the wire transfer requests were genuine. The fraudulent domain used in the attack added credibility to the chain, resulting in the success of the spear-phishing attacks. COST OF INCIDENT Aerobanet provided the actual cost of this event. COST OF EVENTS - SPEAR PHISHING ITEM The actual cost of investigation, remediation and professional incident support as described COST $15,400 Actual cost of legal and public relations support $8,775 Potential loss due to wire transfers $127,530 Wire transfers recovered -$126,630 Total actual cost directly related to the event $25,075 Cost of event: Spear phishing. 6

7 CASE STUDY SUMMARY Spear-phishing attacks are usually the first phase of a more sophisticated attack, and rarely function as an attack on their own. In this case, the highly targeted spear-phishing thread was crafted to convince staff to initiate fraudulent wire transfers. Since the s included appropriate requesters and reasonable responses, and appeared to be sent from an internal domain, the internal staff was not immediately suspicious of the requests. As a result, the staff initiated several wire transfers before suspicion was raised. THREAT MITIGATION, SPEAR PHISHING Organizations should consider a variety of security controls to help protect against spear-phishing attacks. Perform targeted security awareness and training: The attacker conducted a successful spear-phishing attack. If Aerobanet had previously provided security awareness training, including guidance on actively looking for social engineering and phishing attacks, the attack may have been recognized earlier. Such awareness training must consider the context of the organization receiving the training. It should be customized to the processes and procedures of the company, and should use examples of attacks to which employees can relate. Perform social-engineering testing: Personnel who administer critical tasks should be tested beyond formal training. They should be tested with professional social-engineering engagements to challenge their skills at identifying an attack in progress. Many major breaches begin with a social engineering attack. Ensuring that critical personnel are adequately prepared to detect an attack is just as important as hardening technical systems to withstand attacks. 7

8 Implement dual controls for critical transactions: The attacker included enough information in the thread that it appeared the wire transfer had been authorized. Using an active confirmation of a second approval, outside of the same communication path, could have helped raise a red flag over attempts to initiate the transfers. Active confirmation (via phone, fax, or paper copy) would have initiated an additional dialog to help verify the transfer was truly authorized. Configure DNS verification: In order for a spear-phishing attack to be successful it must fool multiple layers of infrastructure, which is why it is important to configure Sender ID Framework in the server to help ensure the sender is using an appropriate IP address. Using this technology, when a sender transmits an to the receiver, the receiver s server makes a call to the Sender ID Framework. The Sender ID Framework asks the DNS server to verify that the source IP address matches the domain from which the was sent. If the IP address is NOT a match, the will be blocked/dropped. If the does match, it is forwarded to the receiver. This is effective in a case where addresses are being spoofed in the mail headers, as is done in many such phishing attacks. However, if an attacker establishes a domain similar to that of the target and manages DNS records for the similar fake domain (as the attacker did with Aerobanet/Aerobannet) then DNS verification will not be effective. Configure Phishing Confidence Level: Phishing Confidence Level (PCL) is a tool which is available via the Microsoft Exchange environment. This tool creates a value scale of 1 through 8, which reflects the likelihood an is part of a potential phishing attack. When PCL is configured, the site s administrator can choose how to treat each according to its rating on the PCL value scale. Configuring PCL could assist in identifying further threats or stopping an attack altogether. 8

9 Implement anomaly/fraud detection: This particular attack was identified when a single staff member recognized that the wire-transfer pattern was anomalous. He observed a significant increase in the number of wire transfer requests, and verified the latest request because it fell outside of expected boundaries. The ability to identify such anomalous behavior is invaluable, especially in a large organization which may process a high volume of transactions. For an incident such as this, organizations should implement manual and, to the extent possible, automated checks to help identify when the frequency or size of sensitive transactions exceeds an expected range. Some financial institutions will also help organizations set and conform to transaction boundaries. 9