CHAPTER 2: CASE STUDY SPEAR-PHISHING CAMPAIGN GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC



SPEAR-PHISHING CAMPAIGN CASE STUDY

MORAL

Attacks do not have to be technically advanced to succeed.

OVERVIEW

In August of 2014, Aerobanet (name changed to protect client identity) contacted NTT Group for assistance with a potential spear-phishing attack. NTT Group determined that Aerobanet had been targeted by a skillfully crafted social-engineering/spear-phishing campaign. The campaign used detailed knowledge of Aerobanet's internal wire transfer request and approval processes to deceive staff into completing bogus wire transfers. NTT Group security consultants assisted with rapid investigation and response to the attack.

TIMELINE OF EVENTS

The table below shows the chronology of events.

TIMELINE OF EVENTS - SPEAR PHISHING

DATE       EVENT
DAY 1      Initial phishing emails received which contained instructions on wire transfers
DAY 2      Aerobanet transferred funds per the first set of instructions
DAY 5      Second email request for wire transfers was received
DAY 6      Third email request for wire transfers received
DAY 9      While processing wire transfers, Aerobanet became suspicious and contacted NTT Group to initiate an investigation into the fraudulent phishing emails
DAY 9-11   NTT Group reviewed the fraudulent emails, investigated the fake server and initiated additional internal review
DAY 15     NTT Group determined the absence of malware and isolated the attack as a social-engineering/spear-phishing attack

Timeline of events: Spear phishing.

DESCRIPTION OF EVENT

In August 2014, after successfully processing several wire transfers, Aerobanet identified potentially suspicious emails requesting wire transfers of funds. Their suspicions were aroused when staff detected an unusually high number of wire transfers in a short period of time. Aerobanet contacted NTT Group to verify their suspicions and to assist in the investigation of the attack. Initial investigations confirmed the attack was executed via phishing emails. The emails were well crafted, and included several indications that the attacker had detailed knowledge of Aerobanet's internal processes and employee roles:

- The attacker knew which users to target internally in order to initiate wire transfers.
- The attacker had inside knowledge of the users who could authorize wire transfers.
- The emails included fake email thread histories to make the wire transfers appear sanctioned.
- The emails included PDF attachments designed to help make the emails appear official.
- The emails used a properly registered and fully active domain to help make the emails appear official. This domain was registered via a third-party cloud-based provisioning site.
- The emails were constructed to include information and instructions which were key to the wire-transfer process.
- The fake email thread histories appeared to run for several days, and included emails in which authorized employees allegedly requested and approved the transfers.

The level of detail used to construct the emails suggested the attackers had internal knowledge of Aerobanet processes and procedures. NTT Group security analysts were unable to determine whether the attacker's knowledge of Aerobanet resulted from social engineering attacks or from other sources.

NTT Group had been following an increase in similar spear-phishing attacks. This helped the onsite analysts determine the nature of the attack against Aerobanet and verify that this was a phishing attack. The security consultants observed that the domain on the phishing emails was slightly different from Aerobanet's legitimate domain. The attacker used a free trial domain service to create and register the valid domains used in the attack. NTT Group has seen an increase in attacker use of cloud-provisioned domains, because these sites are cheap (or free), easy to set up, and can be rapidly provisioned. In this case, the cloud-provisioned domain served as a fraudulent email domain.

For Aerobanet, the attacker provisioned the domain Aerobannet, which was very similar to the domain of the actual target of the attack. The phishing email recipients did not notice the extra "n" in the fake domain name. This allowed the attacker to be included in an email dialog discussing each wire transfer. The attackers created an email account on their fake Aerobannet site using the name of the real Aerobanet official responsible for approving wire transfers (johndoe@aerobanet.com vs. johndoe@aerobannet.com). While employees believed they were responding to email from an internal user, they were actually responding to the attacker's fake external email account.

The emails also included PDF attachments which identified mailing addresses and account numbers for the wire transfers. These attachments added credibility to the wire transfer requests. Analysis of the PDFs uncovered no malware. The addresses in the PDFs were residential street addresses.

Based on analysis by NTT Group, there was no evidence to suggest the attackers had breached the Aerobanet infrastructure. Analysts identified no malware and no internal access to the environment. Attacks which are constrained to social-engineering and spear-phishing techniques are relatively rare, but can be extremely successful, especially when they are as expertly crafted as this attack. NTT Group has seen several attack scenarios like this in the past year, and these types of attackers appear to be increasing their level of precision.

NTT Group security consultants demonstrated how the free trial domain had facilitated the attack, and provided documentation which helped show the wire transfers were fraudulent. Aerobanet provided this documentation to its bank and obtained refunds of nearly all the funds which had been fraudulently transferred. Aerobanet subsequently changed its approval process to require all wire transfers to be manually verified in person or by phone prior to completion.

ROOT CAUSE

This attack was successful because the highly accurate and targeted content of the email chain convinced Aerobanet staff that the wire transfer requests were genuine. The fraudulent domain used in the attack added credibility to the email chain, resulting in the success of the spear-phishing attacks.

COST OF INCIDENT

Aerobanet provided the actual cost of this event.

COST OF EVENTS - SPEAR PHISHING

ITEM                                                                                         COST
The actual cost of investigation, remediation and professional incident support as described $15,400
Actual cost of legal and public relations support                                            $8,775
Potential loss due to wire transfers                                                         $127,530
Wire transfers recovered                                                                     -$126,630
Total actual cost directly related to the event                                              $25,075

Cost of event: Spear phishing.

CASE STUDY SUMMARY

Spear-phishing attacks are usually the first phase of a more sophisticated attack, and rarely function as an attack on their own. In this case, the highly targeted spear-phishing email thread was crafted to convince staff to initiate fraudulent wire transfers. Since the emails included appropriate requesters and reasonable responses, and appeared to be sent from an internal domain, the internal staff was not immediately suspicious of the requests. As a result, the staff initiated several wire transfers before suspicion was raised.

THREAT MITIGATION, SPEAR PHISHING

Organizations should consider a variety of security controls to help protect against spear-phishing attacks.

Perform targeted security awareness and training: The attacker conducted a successful spear-phishing attack. If Aerobanet had previously provided security awareness training, including guidance on actively looking for social engineering and phishing attacks, the attack may have been recognized earlier. Such awareness training must consider the context of the organization receiving the training. It should be customized to the processes and procedures of the company, and should use examples of attacks to which employees can relate.

Perform social-engineering testing: Personnel who administer critical tasks should be tested beyond formal training. They should be tested with professional social-engineering engagements to challenge their skills at identifying an attack in progress. Many major breaches begin with a social engineering attack. Ensuring that critical personnel are adequately prepared to detect an attack is just as important as hardening technical systems to withstand attacks.

Implement dual controls for critical transactions: The attacker included enough information in the email thread that it appeared the wire transfer had been authorized. Using an active confirmation of a second approval, outside of the same email communication path, could have helped raise a red flag over attempts to initiate the transfers. Active confirmation (via phone, fax, or paper copy) would have initiated an additional dialog to help verify the transfer was truly authorized.

Configure email DNS verification: In order for a spear-phishing attack to be successful it must fool multiple layers of infrastructure, which is why it is important to configure the Sender ID Framework in the email server to help ensure the sender is using an appropriate IP address. Using this technology, when a sender transmits an email to the receiver, the receiver's email server makes a call to the Sender ID Framework. The Sender ID Framework asks the DNS server to verify that the source IP address matches the domain from which the email was sent. If the IP address is NOT a match, the email is blocked or dropped. If the email does match, it is forwarded to the receiver. This is effective where email addresses are being spoofed in the mail headers, as is done in many such phishing attacks. However, if an attacker establishes a domain similar to that of the target and manages the DNS records for the similar fake domain (as the attacker did with Aerobanet/Aerobannet), then DNS verification will not be effective.

Configure email Phishing Confidence Level: Phishing Confidence Level (PCL) is a tool which is available in the Microsoft Exchange environment. This tool creates a value scale of 1 through 8 which reflects the likelihood that an email is part of a potential phishing attack. When PCL is configured, the site's email administrator can choose how to treat each email according to its rating on the PCL value scale. Configuring PCL could assist in identifying further threats or stopping an attack altogether.
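The following added example (not NTT Group's code or tooling) illustrates both the lookalike-domain point from the Aerobanet/Aerobannet discussion above and the DNS-verification caveat in this section. It evaluates a minimal SPF-style sender check against constructed, in-memory DNS records, then applies an edit-distance check against the organization's own domain; the domains, IP ranges and SPF records are sample values, not the case's real data.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (sample data, not real).
# Note that the attacker's lookalike domain publishes a perfectly valid record.
SPF_RECORDS = {
    "aerobanet.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "aerobannet.com": "v=spf1 ip4:198.51.100.7 -all",
}
OUR_DOMAIN = "aerobanet.com"


def spf_check(sender_domain: str, source_ip: str) -> str:
    """Minimal SPF evaluation: only ip4 mechanisms and a final -all/~all are
    handled, which is enough to show the page's point. Returns pass/fail/none."""
    record = SPF_RECORDS.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all"):
            return "fail"
    return "neutral"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains one typo away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(sender_domain: str, max_distance: int = 2) -> bool:
    """True when an external sender domain is within a couple of edits of ours,
    e.g. the extra 'n' in aerobannet.com. Our own domain is never a lookalike."""
    if sender_domain == OUR_DOMAIN:
        return False
    return edit_distance(sender_domain, OUR_DOMAIN) <= max_distance


def assess(sender: str, source_ip: str) -> dict:
    """Combine both checks for one inbound message's envelope sender and source IP."""
    domain = sender.rsplit("@", 1)[1].lower()
    return {"spf": spf_check(domain, source_ip), "lookalike": lookalike(domain)}
```

A header-spoofed mail claiming aerobanet.com from a foreign IP fails SPF, but the attacker's aerobannet.com mail passes SPF and is caught only by the lookalike check.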

Implement anomaly/fraud detection: This particular attack was identified when a single staff member recognized that the wire-transfer pattern was anomalous. He observed a significant increase in the number of wire transfer requests, and verified the latest request because it fell outside of expected boundaries. The ability to identify such anomalous behavior is invaluable, especially in a large organization which may process a high volume of transactions. For an incident such as this, organizations should implement manual and, to the extent possible, automated checks to help identify when the frequency or size of sensitive transactions exceeds an expected range. Some financial institutions will also help organizations set and conform to transaction boundaries.
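As an added example of the automated frequency and size check described above (not NTT Group's or Aerobanet's tooling), the function below walks a constructed wire-transfer log in date order and flags any transfer that pushes the count in a trailing window above the expected baseline, or whose amount exceeds a ceiling. The day numbers of the later entries follow the case timeline; the earlier entries, the amounts and the thresholds are sample values.

```python
from collections import deque

# Constructed wire-transfer log (sample data). Days 2, 5, 6 and 9 mirror the case
# timeline; the negative days are ordinary earlier wires used to show a baseline.
TRANSFERS = [
    {"id": "W-001", "day": -40, "amount": 12_000.00},
    {"id": "W-002", "day": -26, "amount": 9_500.00},
    {"id": "W-003", "day": -12, "amount": 14_200.00},
    {"id": "W-004", "day": 2, "amount": 31_000.00},
    {"id": "W-005", "day": 5, "amount": 42_500.00},
    {"id": "W-006", "day": 6, "amount": 27_000.00},
    {"id": "W-007", "day": 9, "amount": 27_030.00},
]


def flag_anomalies(transfers, window_days=7, max_per_window=2, amount_ceiling=40_000.00):
    """Return (transfer id, reason) for every transfer outside the expected range.

    Frequency rule: more than max_per_window wires in any trailing window_days
    span (the current transfer counts). Size rule: amount above amount_ceiling.
    One transfer can trigger both rules and then appears twice.
    """
    flagged = []
    recent = deque()  # transfers within the trailing window, oldest first
    for t in sorted(transfers, key=lambda x: x["day"]):
        # Drop entries that have aged out of the window.
        while recent and t["day"] - recent[0]["day"] >= window_days:
            recent.popleft()
        recent.append(t)
        if len(recent) > max_per_window:
            flagged.append((t["id"], f"{len(recent)} wires within {window_days} days"))
        if t["amount"] > amount_ceiling:
            flagged.append((t["id"], f"amount {t['amount']:.2f} above ceiling"))
    return flagged


def flagged_ids(transfers, **thresholds):
    """Convenience view: just the ids that need a manual, out-of-band check."""
    return sorted({tid for tid, _ in flag_anomalies(transfers, **thresholds)})
```

With these thresholds the day-5 wire is caught on size and the day-6 and day-9 wires on frequency, i.e. before the fourth transfer rather than after it.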