
Endpoint

2/10/2016
05:25 PM
Sara Peters

The Phishie Awards: (Dis)Honoring The Best Of The Worst Phishing Attacks

From the costly to the clever to the just plain creepy, here are the recent phishing campaigns that have earned our reluctant recognition.
9 of 11

Most Expensive
Business Email Compromise

In 2015, some phishermen struck gold. And platinum, rubies, and diamonds. 

The FBI dubbed the category of attacks 'business email compromise' in an August advisory. At that time, the Bureau estimated that, since 2013, the total dollar losses to American companies exceeded $740 million, while only hitting around 7,000 targets. When international victims are added in, the losses total $1.2 billion.

For those of you doing the math at home, that means that each individual target was getting hit hard. Ubiquiti Networks was taken for $46.7 million, Crelan Bank in Belgium was slammed for $75.8 million, and a Boeing supplier, aircraft component manufacturer FACC A.G., was hit for $54.5 million. 

So how is it done?

As Don Jackson, threat researcher and malware analyst for PhishLabs explains, BEC attackers conduct reconnaissance on social networks looking for the people on staff who are responsible for issuing payments -- not just those measly payroll checks, but the big sums paid when acquiring new businesses, for example. 

The attackers then spoof executives, sometimes obtaining their email credentials first, and send messages to the individuals who handle large payments and get them to initiate enormous wire transfers to an attacker-controlled account. 

Jackson says the BEC campaigns went in two waves. The first generation of BEC targeted large organizations that take lots of payments every day and went after major payoffs in one big hit. 

From the FBI advisory:

The accountant for a U.S. company recently received an e-mail from her chief executive, who was on vacation out of the country, requesting a transfer of funds on a time-sensitive acquisition that required completion by the end of the day. The CEO said a lawyer would contact the accountant to provide further details.

'It was not unusual for me to receive e-mails requesting a transfer of funds,' the accountant later wrote, and when she was contacted by the lawyer via e-mail, she noted the appropriate letter of authorization -- including her CEO's signature over the company's seal -- and followed the instructions to wire more than $737,000 to a bank in China.
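A defender-side mail-gateway check for the pattern Jackson and the FBI example describe (an executive's name on an outside address, replies routed elsewhere, wire-transfer language), as an added example that is not from the article or from PhishLabs; the company domain, executive list and both sample messages are constructed:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed tenant data (constructed): the company's own domain and its executives.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}
# Lure phrases drawn from the wire-transfer pattern described in the article.
PAYMENT_RE = re.compile(r"\b(wire transfer|transfer of funds|acquisition|end of (the )?day)\b", re.I)
SPOOF = {"exec-display-name-mismatch", "external-domain", "reply-to-mismatch"}

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    found = []
    exec_addr = EXECUTIVES.get(name.strip().lower())
    # An executive's display name on an address that is not that executive's.
    if exec_addr and addr.lower() != exec_addr:
        found.append("exec-display-name-mismatch")
    if exec_addr and domain != COMPANY_DOMAIN:
        found.append("external-domain")
    # Replies silently routed to a mailbox outside the sending domain.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        found.append("reply-to-mismatch")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    if PAYMENT_RE.search(msg.get("Subject", "") + " " + body):
        found.append("payment-language")
    return found

def is_bec_suspect(raw_message: str) -> bool:
    """Spoofing evidence together with payment language is the BEC signature."""
    found = set(bec_indicators(raw_message))
    return "payment-language" in found and bool(found & SPOOF)

# Constructed sample messages, not real mail.
SPOOFED = """\
From: Jane Doe <jane.doe@example-corp-mail.test>
Reply-To: ceo.office@webmail.test
Subject: Urgent transfer of funds

I am out of the country. A lawyer will send details on the acquisition; the wire must go out by end of day.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example-corp.test>
Subject: Lunch on Friday

Team lunch at noon, see you there.
"""
```

A rule like this only flags mail for review; the control that actually stops the loss is out-of-band confirmation of any payment-instruction change with the requester.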

According to Jackson, the bank accounts to which money is transferred have generally been in the Far East. Sometimes the attackers compromise other people's accounts, other times they open their own. The scammers use money mules to remove the cash -- which is itself an expense and a risk, which is why attackers investing in that kind of criminal infrastructure are willing to go for the bigger payoff. 

Sometimes law enforcement can recover the victim's money, but other times, the accounts have been cleaned out and it's irretrievable, he says.  

Although these mega-sized payout BEC attacks are still happening in Australia and New Zealand, Jackson says BEC attackers have shifted to a subtler version of their attacks...

Comments
sixscrews, User Rank: Apprentice, 2/17/2016 | 6:58:17 PM
Re: Greatest source of risk
Unfortunately, that has been true for more years than I can count (40+).

From fake 'demo' disks for 5 1/4" drives to downloads off websites, it's the employee that is the primary entry point for attacks.

How do you educate your employees?  How do you justify this kind of training to management?  Well, good luck.

Most managers are unaware of the vulnerability of their groups/division/organization's staff to these attacks.  And you will be marked down as a Chicken Little if you push the problem in an open forum.

The best way is to include training and warnings for new hires - it's an 'inoculation' process.  

This leaves the 'old guard' to educate - and they are often the most vulnerable.  The person who deals with appointments for salespeople, the person who answers the phone (and, by the way, gets all the undeliverable emails....).

Filtering/deleting all the undeliverable emails is a good first line of defense - or you can divert these messages to someone who has more familiarity with attacks.  But this drains your resources - better to just trash the undeliverables.

But many institutions have staff who have been there since before cell phones were invented - how do you deal with them?  I have tried many times and found the 'gaming' strategy works best - build up a collection of attacks and make it into a game - tell them it's something to play with.  When they fall for an attack don't scold, explain.  Remember the old country doctor whose 'bedside manner' could settle most problems?  Take that approach - you are often the new person on the staff teaching the person with the longest tenure - be humble and explain, explain, explain.  If they don't understand it's not their fault - it's yours.  Try another approach - you CAN make it work.

And - best of luck.

wb
sixscrews, User Rank: Apprentice, 2/17/2016 | 6:40:45 PM
Re: Difficult to Differentiate
Only if they are seafood (you).

wb
AlanL907, User Rank: Apprentice, 2/16/2016 | 1:55:54 PM
Re: Difficult to Differentiate
I thought all offers of free dinners from vendors were phishing.

It's 99.99% assured.
rjones2818, User Rank: Strategist, 2/11/2016 | 1:43:51 PM
Speaking of particularly
- "Unfortunately, a particularly message doesn't need to be the worst, sneakiest, or most clever in order to be successful," says Angela Knox, senior director of engineering and threat research at Cloudmark.-

A jarringly unfortunate use of the term particularly.

Sorry...it was jarring.
RyanSepe, User Rank: Ninja, 2/11/2016 | 11:24:55 AM
Difficult to Differentiate
For me, phishing has made it nearly impossible to discern which offers are legitimate and which ones are not. My only saving grace is that I verify the sender beforehand, but even that has the potential to be spoofed.

I've probably turned down a bunch of genuine free dinners just because I thought they were phishing. :)
RyanSepe, User Rank: Ninja, 2/11/2016 | 11:20:58 AM
Greatest source of risk
It all comes down to employees and end users being the greatest source of risk. No matter what walls you've set up, if someone opens the gate then it was all for naught.