The news over the last 24 months has been flooded with stories of technically advanced, sexy, almost Hollywood-blockbuster-style hacks. Terms such as “APT”, “detection-evading custom malware”, and “zero day” litter the media when discussing corporate cyber-attacks. That’s because the reality of many actual attacks is, to put it bluntly, boring. In many ways this should be an absolutely expected turn of events. Attackers spent years building and utilizing highly advanced hacking kits, malware, and command and control systems. Security companies naturally responded by designing defensive measures meant to detect and prevent such exploits. This resulted in a change in the hackers’ ever-evolving behavior and tactics. If security controls and technologies were being focused on “high-tech” methods of hacking, why not throw a wrench into the works by suddenly shifting back to “low-tech” methods that were popular years ago?
Over the last year McGladrey’s DFIR (Digital Forensics and Incident Response) team has responded to a rapidly escalating number of events stemming from “low-tech” hacking episodes. These are often treated by clients as full network compromises at first because they simply will not acknowledge that they could have fallen for such simple attacks. Below are the two most common examples at the moment:
Vendor Fraud, a.k.a. Invoice Fraud, a.k.a. Supply Chain Fraud
In these events the attackers identify an existing, or likely, vendor for the target organization. This is relatively simple, as many vendors will advertise on their web pages that they are “proud service providers” to your organization. In other cases the attackers will pretend to be a vendor that is commonly used within your industry and hope that they’ve guessed correctly. Once they assume that role, they begin to target various members of your organization in an effort to convince them to make some type of payment. Prevalent tactics include:
- Asking that the next normal payment be carried out on the standard date, but informing the organization that the vendor has switched banks and the payment should be made to a new account number
- Stating that the organization missed a prior payment and attempting to convince them to make an immediate “catch-up” payment to a new account
- Alleging that additional payments must be made to cover some unplanned expense such as maintenance, upgrades, software licenses, etc., and that the payment should go to a different account than normal
In all of these cases it is very likely that the organization will be unaware of the fraud until days, weeks, or months later. Typically the true vendor will contact the organization asking about missed payments, or the organization will contact the vendor for follow-ups to the new payments.
Fake Executive Fraud
These attacks rely on organizational pressure in order to work. The attackers will take on the persona of some person in a position of power within the organization and attempt to convince or bully an employee into carrying out some transaction. While these may tie back to fake vendor claims, we also see common requests for fake tax payments, fake legal fines, the issuing of corporate credit cards, purchases of equipment and services, and other such activities. It is very common for the attackers to hand-construct entire, elaborate email chains containing apparent conversations with other key executives in order to make the scenarios more convincing. The goal of the attacker is to reduce the odds that the target of the attack will reach out to other employees for validation of the request, because the required approvals already appear to have been granted.
So how does this happen?
In many cases our teams are called in to investigate these events with the victim organizations convinced that the attackers have breached the environment. The typical comment is “there is no way they could know that much detailed information about our people and processes without being in our environment or working with an insider.” In reality this is very rarely the case. When reviewing the event we will often examine the various email threads and realize that the victims were, in many cases, spoon-feeding the attacker all of the required information. A common example is the attacker starting off the conversation with “I was just talking with Bob down in Accounts Payable…”, and the target responding with the equivalent of “Do you mean Jim?”, at which point the attacker simply recycles that bit of information with “oh, yes, I meant Jim”, and continues with the same tactic over and over again until they’ve gathered the required names and procedures. This process sounds extremely obvious, but in many cases the target is completely unaware of the situation until the damage is done.
In other cases the target might start to become suspicious of the exchange, causing the attacker to assume a variety of personas. They may start by pretending to be one vendor, gather parts of the information, abandon that identity, contact the same target or a new one pretending to be a new vendor that is now operating with a bit more information, and lather-rinse-repeat until they’ve gathered all the required data. They then take on a final persona that starts off its communications with the target with absolutely spot-on names and procedural information. From the point of view of the victim it appears as if they are being contacted by a long-time vendor that knows every inch of the payments process. It isn’t until the investigation occurs that the organization realizes that they’ve been talking to the attacker in various roles for weeks or months.
In rare cases we will also find instances where the attackers have compromised part of the corporate environment, typically a single user’s email account. This often happens when a user has malware installed onto their system via social engineering, allowing an attacker access to that specific system but not the environment at large. In this situation the attackers can examine the emails contained within the account, map all of the required personnel and processes, and even send “official” emails from the compromised account.
So what do we do about it?
These types of attacks are both very difficult and very easy to defend against. The “easy” defense comes from the concept that the attacker really has not compromised the environment. All they are doing is simply asking someone to send them money. If that person says “no”, then the attack fails. The “difficult” part of the defense comes from the fact that human beings are, regrettably, horrible at identifying these attempts as attacks rather than valid requests. While education and awareness training can be effective at reducing the likelihood of these attacks succeeding, in reality the best defensive measures revolve around taking away the ability of a single user to carry out these types of transactions whether they are real or fake.
- Vendor Contact Lists: Have pre-vetted vendor contact lists that employees are required to contact for any payment issues that are out of the norm. These lists have “known good” names, email addresses, and phone numbers, and changes are not allowed to occur to vendor payment accounts without active, documented approval from one of these sources.
- Multiple Approvals: Do not allow any single individual to make payments without additional approvals. Most banking systems will allow organizations to set up dual approvals for any transaction, or for transactions exceeding specific limits.
- AUP for One-Off: It has to be accepted that, on occasion, there will be a real need for an out-of-the-norm payment. However, these should be done within a set of Agreed Upon Procedures (AUP) that are required to be completed. As an example, an organization may require that for any emergency payment at least two executives must provide verbal approval via phone from known-good phone numbers. When such procedures are agreed upon in advance, it reduces the risk that an attacker can successfully “bully” a victim into paying without checking with other key stakeholders.
- Two-Factor Authentication: In certain situations, such as the attacker social engineering a victim, gaining access to their email account, or placing malware on their laptop, the attacker can acquire the username and password for someone with access to corporate bank accounts. Two-factor authentication, where a PIN is displayed on a device or sent via text message, will prevent the attacker from accessing the bank account with only the captured credentials.
- Payment Limits: In many cases procedures can be arranged with banking institutions so that ACH or wire transfers above a certain limit cannot occur without designated executives providing verbal approval to the bank. This creates a situation where, usually, another person has to become aware of the pending transaction and that the bank is aware of the attempt. This might allow the second person or the banking representative to notice that the request is out of the norm and potentially prevent the loss.