Spear phishing campaign targeting staff to perform wire transfers



Updated 3 February 2015. This is an update to the advisory originally released on 9 October 2014. The update includes additional recommendations and details. The list of indicators has not changed.

CERT Australia has received reports from multiple Australian businesses of fraudulent emails purporting to be from a senior executive of their company, such as the CEO, requesting financial staff to perform wire transfers to an external bank account. The emails use similar initial wording and are directed by name to the chief financial officer (CFO) or other staff. Reports suggest that some incidents may have involved the compromise of staff email accounts (corporate or personal), or may include spoofing a known trusted supplier, to add legitimacy to the scam. The highly targeted emails suggest that prior research and planning has been conducted to ascertain accurate details of senior executives and staff with financial responsibility.

Recommendations

CERT Australia suggests partners consider the following:

- Alert employees to be vigilant with regard to these incidents, especially those conducting or authorising wire transfers or similar financial instruments.
- Establish other communication channels, such as telephone calls, to verify significant transactions. Avoid organising such arrangements via email.
- Use two-factor authentication with web-based email and remote access VPN gateways.
- Be aware that information posted to social media and company websites can be abused, especially job duties/descriptions, hierarchical information, and out-of-office details.
- Do not reply to unsolicited or suspicious emails.
- Sender Policy Framework (SPF) checking should be implemented to detect and prevent sender address forgery.

- Review network logs for evidence of the indicators provided. Specifically, emails relating to this advisory have been observed since 2 October 2014.
- Configure mail servers and mail scanners to block and remove emails with the indicators below.
- Report identified activity to CERT Australia.
- If a company has been defrauded as a consequence of these emails, report the matter to the Australian Cybercrime Online Reporting Network.

Details

CERT Australia has received reports from multiple Australian businesses of emails sent to CFOs, or other staff with financial responsibilities in their organisations, signed in the name of a senior company official. The emails generally follow the same structure, with a salutation by name and, in some cases, the use of internal nicknames or colloquialisms. The sender address is often extremely similar to the actual email address of a senior executive at the target organisation. Often domains with very similar spelling to the actual target domain have been acquired and used to make the emails look more authentic. Reports suggest that some fraudulent emails have coincided with business travel dates for the executives whose emails were spoofed. Compromised corporate or personal email accounts may be used to add legitimacy. In some cases ransomware infections were reported preceding the fraud attempts.

Instances where employees have responded to the emails have resulted in a reply asking for a wire transfer. The wire transfer bank account details are typically contained in a PDF attachment. The amount requested has varied from tens of thousands of dollars to over one million dollars, based on the size of the targeted organisation. This campaign has used a mixture of both Australian and overseas-based bank accounts.

Partner research suggests that this scam is linked to other forms of fraud, including but not limited to romance, lottery, employment, and home/vacation rental scams. The victims of these scams may be recruited as unwitting money mules. They receive fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds using wire transfer services or another bank account. Mules may sometimes be directed to open business accounts for fake corporations, which may be registered in the mule's real name.

Indicators

From: Senior Executive's Name <senior.executive@victim-company.com.au>
    A senior executive's official email address, spoofed.

Reply-To: Senior Executive's Name <[variable]@some-domain.com>
    The senior executive's name at a valid email domain. Domains may have been obtained that look similar to the victim company domain, such as a fraudulently misspelt, official-looking company domain name. Alternatively, a free email address such as aol, hotmail or gmail may be used.

To: Financial Officer <financial.officer@victim-company.com.au>
    CFO or other financial officer's official company email address.

Sample subjects:
- Important
- Important request
- Wire transfer
- Wire request
- Request

PDF file attachments: Wire transfer banking instructions are contained in a PDF attachment, usually with a file name starting with a company or individual name, followed by the text 'WIRING INSTRUCTION' with a '.pdf' extension. The '.pdf' extension is sometimes preceded by a space or an additional dot, as follows:
- <COMPANY OR INDIVIDUAL NAME> WIRING INSTRUCTION.pdf
- <COMPANY OR INDIVIDUAL NAME> WIRING INSTRUCTION..pdf
- <COMPANY OR INDIVIDUAL NAME> WIRING INSTRUCTION .pdf

Sample email body #1:

    Hi <CFO's first name>,
    I need to know if you can still process out an international wire transfer today.
    <CEO's first name>

Sample follow-up email body #1:

    <CFO's first name>,
    Per our conversation, I have attached the instruction for the wire. Let me know when sent.
    Thanks
    <CEO's first name, or abbreviated first name>

    Attached file: (A PDF file containing fraudulent bank account details)

Sample email body #2:

    Hello <CFO's first name>,
    Can you please email me the details you will need to help me process an outgoing wire transfer to another bank. Please kindly note that I can't take calls right now due to meetings, therefore, I will appreciate swift email correspondence. Hope I am not bothering you too much with this?
    Thanks

Sample email body #3:

    <CFO's first name>,
    Process a wire of $45,371.00 to the account attached. Code to Admin Expenses and let me know when completed.
    <CEO's first name>

    Attached file: (A PDF file containing fraudulent bank account details)
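As an added example (not part of the CERT Australia advisory), the following Python check applies the header and attachment indicators above to a raw message, the kind of rule a mail scanner or log review would run. The company domain, the edit-distance threshold for "lookalike" domains and the sample headers are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

COMPANY_DOMAIN = "victim-company.com.au"   # assumption: the protected organisation's own domain
FREE_MAIL = {"aol.com", "hotmail.com", "gmail.com"}  # free webmail providers named in the advisory
SUBJECTS = {"important", "important request", "wire transfer", "wire request", "request"}
# 'WIRING INSTRUCTION' followed by '.pdf', ' .pdf' or '..pdf', as described in the indicators
ATTACHMENT_RE = re.compile(r"WIRING INSTRUCTION\s*\.{1,2}pdf$", re.IGNORECASE)

# Constructed sample headers in the shape of the advisory's indicators (not a real message)
SAMPLE = """From: Jane Smith <jane.smith@victim-company.com.au>
Reply-To: Jane Smith <jane.smith@victim-cornpany.com.au>
To: Financial Officer <financial.officer@victim-company.com.au>
Subject: Wire transfer
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot misspelt lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):  # lower-cased domain part of an address header, '' if none
    return parseaddr(header)[1].rpartition("@")[2].lower()

def suspicious_attachment_name(name):
    return bool(ATTACHMENT_RE.search(name))

def score_message(raw, company_domain=COMPANY_DOMAIN):
    """Return the list of advisory indicators the message matches (empty means none)."""
    msg, hits = message_from_string(raw, policy=default), []
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to domain differs from sender domain")
        if reply_dom in FREE_MAIL:
            hits.append("reply-to uses free webmail")
        elif 0 < edit_distance(reply_dom, company_domain) <= 2:  # threshold is an assumption
            hits.append("reply-to domain is a lookalike of the company domain")
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject matches advisory list")
    hits += ["attachment name matches WIRING INSTRUCTION pattern" for part in msg.iter_attachments()
             if suspicious_attachment_name(part.get_filename() or "")]
    return hits
```

A non-empty result from score_message is a reason to hold the message for review, not proof of fraud; the advisory's out-of-band verification step still applies.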

Feedback

CERT Australia welcomes any feedback you may have with regard to this publication and/or the services we provide: info@cert.gov.au or 1300 172 499.

This document remains the property of the Australian Government. The information contained in this document is for the use of the intended recipient only and may contain confidential or privileged information. If this document has been received in error, that error does not constitute a waiver of any confidentiality, privilege or copyright in respect of this document or the information it contains. This document and the information contained herein cannot be disclosed, disseminated or reproduced in any manner whatsoever without prior written permission from the Executive Manager, CERT Australia, Attorney-General's Department, 3-5 National Circuit, Barton ACT 2600.

The material and information in this document is general information only and is not intended to be advice. The material and information is not adapted to any particular person's circumstances and therefore cannot be relied upon to be of assistance in any particular case. You should base any action you take exclusively on your own methodologies, assessments and judgement, after seeking specific advice from such relevant experts and advisers as you consider necessary or desirable. To the extent permitted by law, the Australian Government has no liability to you in respect of damage that you might suffer that is directly or indirectly related to this document, no matter how arising (including as a result of negligence).

Traffic light protocol

The following table lists the classification levels used in the traffic light protocol (TLP) and describes the restrictions on access and use for each classification level.

RED: Access to and use by your CERT Australia security contact officer only.
    You must ensure that your CERT Australia security contact officer does not disseminate or discuss the information with any other person, and you shall ensure that you have appropriate systems in place to ensure that the information cannot be accessed or used by any person other than your CERT Australia security contact officer.

AMBER: Restricted internal access and use only.
    Subject to the below, you shall only make AMBER publications available to your employees on a need-to-know basis, strictly for your internal processes only, to assist in the protection of your ICT systems. In some instances you may be provided with AMBER publications which are marked to allow you to also disclose them to your contractors or agents on a need-to-know basis, strictly for your internal purposes only, to assist in the protection of your ICT systems.

GREEN: Restricted to closed groups and subject to confidentiality.
    You may share GREEN publications with external organisations, information exchanges, or individuals in the network security, information assurance or critical network infrastructure community that agree to maintain the confidentiality of the information in the publication. You may not publish or post it on the web or otherwise release it in circumstances where confidentiality may not be maintained.

WHITE (NOT CLASSIFIED): Not restricted.
    WHITE publications are not confidential. They contain information that is for public, unrestricted dissemination, publication, web-posting or broadcast. You may publish the information, subject to copyright and any restrictions or rights noted in the information.

Any information received from CERT Australia that is not classified in accordance with the TLP must be treated as AMBER classified information, unless otherwise agreed in writing by the Attorney-General's Department.