Defending against CEO Fraud
It would seem CEO fraud has accelerated, emerging as a key revenue generation technique for attackers, and could be more profitable than ransomware. An attacker going after 40K up to 500K beats the $300 and the administrative headache per person of a typical PII theft attack. As we tell our clients, the Internet Crime Complaint Center (IC3) estimates that well over 2,000 companies have been victimized by this type of attack and that these attackers have absconded with more than $200 million. Brian Krebs has been tracking the attack in greater detail: http://krebsonsecurity.com/tag/ceo-fraud/
In about an hour you can inoculate your organization against this growing threat. Defending against CEO fraud means understanding what makes the attack successful. It exploits human weakness: those with the authority to wire money are instructed by what they believe to be a legitimate authorization from leadership. In a policy-driven, non-technical way the fix is validation: call the CEO, or whoever is demanding the money, directly. Do not use the phone number in the email signature; use the phone number on record. More importantly, recognize the attempt and have a course of action to defend against it, because the attacker will come back a few months later hoping that the next time it works and the validation process has become relaxed.
A simple defense is straightforward: do what the attacker does, research. Say your company is ACME MONEY and you have the domain ACMEMONEY.COM. We need to know that anyone can buy a domain near the target domain, something that may fool someone on your finance team into making a wire transfer. Playing the attacker, I only need to know a look-alike domain, who the CEO is, and who in finance will do my bidding: three pieces of information. Start shopping for domains that would look like ACMEMONEY.COM.
The attackers run a script, much the same way I would, to check and mutate the domain name by removing and adding characters and then quickly checking the domain registrars to see if they can buy it. This is hard to do by hand and the permutations are extensive, so we focus on domains that easily fool the human brain, such as extra letters, missing letters and transposed letters, just like the attackers, who probably score the results or visually inspect them.
- Acmemmoney.com
- Acmemonney.com
- Amcemoney.com
- acmemoneey.com
- acmemoneyacmemone.com
- acmemonney.com
- acmemooney.com
- acmmemoney.com
- nacmemoney.com
- acmmoney.com
- acmemony.com
The extension might be important as well, so acmemoney.com could have more than 30 other listings that might fool a human based on the zone and not the TLD:
- Acmemoney.band
- Acmemoney.associates
Without going too deep into the analysis and making you think it is a futile effort, some action must be taken against those domains. Big corporations might go out and buy them, but certainly everyone should go out and block them at the email gateway.
- Write down a list of all the domains you own that support email services.
- For each one, create a realistic permutation list:
  - Add letters (cheaper for the attacker, and the most common).
  - Remove letters.
  - Switch two letters that trick the eye, M and N for example.
- At your email gateway, add those domains as drop or block.
  - Clever administrators direct that mail to an unattended inbox instead.
  - Review the inbox and see what attackers are attempting.
- If you are so inclined, schedule a script to check for registration of the domains in question or changes in ownership (if any).
In an effort to look at the possible permutations of domains, a simple python script generated 27K possibilities for acmemoney. Again, our goal is to defend against the ones that fool humans, and the actual useful count is probably around 30 domains or so. It is worthwhile to query every one of those domains and see if they are parked or purchased. Tracking the generated domains is also useful for an improved defense. Consider law enforcement when detecting the attempted fraud, as a formal investigation is useful when combined with other investigations, especially in monitoring where the wire transfers end up.
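As an added example (not the author's 27K-permutation script, and not dnstwist), here is a small Python generator for the eye-fooling subset of permutations described in the steps above: inserted letters, dropped letters, swapped neighbours and a few look-alike substitutions, ready to paste into a gateway block list. The confusable pairs are my own assumption, and only the last label is treated as the TLD.

```python
import string

# Visually confusable substitutions (an assumed, deliberately short list
# for this illustration; extend it for your own brand names).
CONFUSABLES = {"m": ["n", "rn"], "n": ["m"], "rn": ["m"], "vv": ["w"],
               "o": ["0"], "l": ["1", "i"], "i": ["l", "1"]}


def permutations(domain):
    """Return sorted look-alike domains one human-sized mistake away.

    Only the final label is treated as the TLD (assumption), so for
    multi-level suffixes such as example.co.uk pass the registrable part.
    """
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    # Insertion of a letter at any position; doubling a letter
    # (acmemmoney) is a special case of this. The post notes insertion
    # is the cheapest for the attacker and the most common.
    for i in range(len(label) + 1):
        for ch in string.ascii_lowercase:
            out.add(label[:i] + ch + label[i:])
    # Omission of a single letter (acmmoney, acmemony).
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])
    # Transposition of two adjacent letters (amcemoney).
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Confusable substitutions, single characters and digraphs (acrnemoney).
    for src, repls in CONFUSABLES.items():
        pos = label.find(src)
        while pos != -1:
            for rep in repls:
                out.add(label[:pos] + rep + label[pos + len(src):])
            pos = label.find(src, pos + 1)
    out.discard(label)  # never block your own domain
    return sorted(c + "." + tld for c in out)


def is_lookalike(candidate, domain):
    """True when candidate appears in the generated block list for domain."""
    return candidate.lower() in set(permutations(domain))


if __name__ == "__main__":
    # Constructed sample input: the post's example domain.
    cands = permutations("acmemoney.com")
    print(len(cands), "candidates, for example", cands[:5])
    # One domain per line is what most gateway block lists expect.
    for c in cands:
        print(c)
```

The output deliberately stays at one edit from the real name; the longer concatenations in the author's list (acmemoneyacmemone.com) are outside its scope and need a separate rule.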
All domain registrars will take action and seize the fraudulent domains, but only a few prevent the registration of domains that might be used for fraud. In most cases the domain registrars don't care, and in a couple of cases they enable it by advertising tools that enable the attack. Expert services aid the attacker by providing a listing of domains that are available, with an associated score. An advertisement shows a link to harvested emails and signatures. Usually this means calling the company and asking how to wire transfer, or pretending to offer services, anything that will generally get you an email address.
Threat modeling techniques would suggest another possibility: the person in accounting who authorized the wire transfer could be colluding with the outside party for part of the money. I cannot say I have seen this, but people are devious.
EDIT: You will find this code very useful in the discovery of the domains mentioned above. Run it against all your domains and ideally block them at the perimeter or create a set of signatures (snort rules) for each. https://github.com/elceef/dnstwist