Tuesday, October 13, 2015

Defending against CEO Fraud


CEO fraud appears to have accelerated, emerging as a key revenue-generation technique for attackers, and it may be more profitable than ransomware. Attackers going after 40K up to 500K beats the $300, plus the administrative headache, per person in a typical PII theft attack. As we tell our clients, the Internet Crime Complaint Center (IC3) estimates that well over 2,000 companies have been victimized by this type of attack and that the attackers have absconded with more than $200 million. Brian Krebs has been tracking the attack in greater detail: http://krebsonsecurity.com/tag/ceo-fraud/

In about an hour you can inoculate your organization against this growing threat. Defending against CEO fraud means understanding what makes the attack successful: it exploits human weakness. Those with the authority to wire money are instructed by what they believe to be a legitimate authorization from leadership. In a policy-driven, non-technical way the fix is validation: call the CEO, or whoever is demanding the money, directly. Do not use the phone number in the email signature; use the phone number on record. More importantly, recognize the attempt and have a course of action to defend against it, because the attacker will come back a few months later hoping that next time it works and the validation process has become relaxed.

A simple defense is straightforward: do what the attacker does, research. Say your company is ACME MONEY and you have the domain ACMEMONEY.COM. We need to know that anyone can buy a domain near the target domain, something that may fool someone on your finance team into making a wire transfer. Ideally the attacker only needs to know who the CEO is and who in finance will do the bidding, three pieces of information in all. Start shopping for domains that would look like ACMEMONEY.COM.

The attackers run a script, much as I would, that mutates the domain name by removing and adding characters and then quickly checks the domain registrars to see if the result can be bought. This is hard to do by hand and the permutations are extensive, so we focus on domains that easily fool the human brain, such as extra letters, missing letters, and transposed letters, just as the attackers do, who probably score the results or visually inspect them.

  • acmemmoney.com
  • acmemonney.com
  • amcemoney.com
  • acmemoneey.com
  • acmemoneyacmemone.com
  • acmemooney.com
  • acmmemoney.com
  • nacmemoney.com
  • acmmoney.com
  • acmemony.com

The extension matters as well: acmemoney.com could have more than 30 other listings under other extensions that might fool a human who reads the name and not the TLD.


Without going too deep into the analysis, and without making you think it is a futile effort, some action must be taken against those domains. Big corporations might go out and buy them, but certainly everyone should block them at the email gateway.

  1. Write down a list of all the domains you own that support email services.
  2. For each one, create a realistic permutation list:
    1. Add letters (cheaper for the attacker, and most common).
    2. Remove letters.
    3. Transpose two letters that trick the eye, M and N for example.
  3. At your email gateway, add those domains as drop or block.
    1. Clever administrators direct that mail to an unattended inbox instead.
    2. Review the inbox and see what attackers are attempting.
  4. If you are so inclined, schedule a script to check for registration of the domains in question or changes in ownership (if any).

To look at the possible permutations of domains, a simple Python script generated 27K possibilities for acmemoney. Again, our goal is to defend against the ones that fool humans, and the actually useful count is probably around 30 domains or so. It is worthwhile to query every one of those domains and see whether they are parked or purchased. Tracking the generated domains is also useful for an improved defense. Consider involving law enforcement when you detect attempted fraud, as a formal investigation is useful when combined with other investigations, especially in monitoring where the wire transfers end up.
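The permutation steps above (add, remove, transpose) and the blocklist for the gateway, as an added example that is not the post's own script: it expands a domain you own into look-alike labels, adds a small confusable-letter table (an assumption of this example), and checks a sender address against the resulting blocklist. The sample From: addresses are constructed.

```python
import re
import string
from typing import Iterable, Set

# Letter pairs the eye confuses easily. Hand-picked table, an assumption of this
# example rather than something the post specifies.
CONFUSABLE = [("m", "n"), ("m", "rn"), ("l", "i"), ("l", "1"), ("o", "0"), ("w", "vv")]


def lookalike_labels(label: str) -> Set[str]:
    """Variants of a bare label such as 'acmemoney' of the kinds the post lists:
    added letters (doubled letters included), dropped letters, transposed
    neighbours, plus one confusable substitution at a time."""
    label = label.lower()
    out: Set[str] = set()
    for i in range(len(label) + 1):                      # add one letter anywhere
        for c in string.ascii_lowercase:
            out.add(label[:i] + c + label[i:])
    for i in range(len(label)):                          # drop one letter
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                      # transpose two neighbours
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for a, b in CONFUSABLE:                              # confusables, both directions
        for x, y in ((a, b), (b, a)):
            for m in re.finditer(re.escape(x), label):
                out.add(label[:m.start()] + y + label[m.end():])
    out.discard(label)                                   # never block the real domain
    return out


def gateway_blocklist(owned: Iterable[str]) -> Set[str]:
    """Expand each owned mail domain into the look-alike domains to drop at the gateway."""
    block: Set[str] = set()
    for domain in owned:
        label, _, suffix = domain.lower().partition(".")  # 'co.uk' style suffixes survive
        block.update(f"{v}.{suffix}" for v in lookalike_labels(label))
    return block


def is_lookalike_sender(address: str, block: Set[str]) -> bool:
    """True when the sender's domain is on the blocklist; accepts 'Name <user@dom>' too."""
    domain = address.lower().rsplit("@", 1)[-1].strip("> ")
    return domain in block


if __name__ == "__main__":
    block = gateway_blocklist(["acmemoney.com"])
    # Constructed From: addresses, as they might reach the gateway.
    for sender in ["ceo@acmemoney.com", "CEO <ceo@acmemonney.com>",
                   "ceo@acrnemoney.com", "partner@example.net"]:
        print("DROP" if is_lookalike_sender(sender, block) else "pass", sender)
```

The add-one-letter step alone yields 26 variants per position, which is why the raw count runs into the thousands; the gateway can carry the whole set, while a human review of the unattended inbox only needs the handful that actually arrive.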

All domain registrars will take action and seize fraudulent domains, but only a few prevent the registration of domains that might be used for fraud. In most cases the domain registrars don't care, and in a couple of cases they enable it by advertising tools that enable the attack. Expert services aid the attacker by providing a listing of available domains with an associated score. One advertisement shows a link to harvested emails and signatures. These are usually obtained by calling the company and asking how to wire transfer, or by pretending to offer services, anything that will generally get an email address.

Threat modeling techniques would suggest another possibility: the person in accounting who authorized the wire transfer could be colluding with the outside party for part of the money. I cannot say I have seen this, but people are devious.

EDIT: You will find this code very useful in the discovery of the domains mentioned above. Run it against all your domains and, ideally, block them at the perimeter or create a set of signatures (Snort rules) for each: https://github.com/elceef/dnstwist