Email is a common attack vector used by fraudsters and computer criminals. But if you thought that it was only used to spread malware, phishing, and Nigerian advance fee scams, think again. There’s a new email-driven scam where an attacker will pretend to be your boss, and get you to transfer thousands of dollars of company funds into a bank account they control.
It’s called CEO Fraud, or “Insider Spoofing”.
Understanding The Attack
So, how does the attack work? Well, for an attacker to successfully pull it off, they need to know a lot of information about the company they’re targeting.
Much of this information is about the hierarchical structure of the company or institution they’re targeting. They’ll need to know who they’ll be impersonating. Although this type of scam is known as “CEO fraud”, in reality it targets anyone with a senior role – anyone who would be able to initiate payments. They’ll need to know their name, and their email address. It’d also help to know their schedule, and when they’d be travelling, or on vacation.
Finally, they need to know who in the organization is able to issue money transfers, such as an accountant, or someone in the employ of the finance department.
Much of this information can be freely found on the websites of the company in question. Many medium-and-small size companies have “About Us” pages, where they list their employees, their roles and responsibilities, and their contact information.
Finding someone’s schedules can be a little bit harder. The vast majority of people don’t publicize their calendar online. However, many people do publicize their movements on social media sites, like Twitter, Facebook, and Swarm (formerly Foursquare). An attacker would only need to wait until they’ve left the office, and they can strike.
— Andrew Bolster (@Bolster) January 17, 2016
Once the attacker has every piece of the puzzle he needs to conduct the attack, they will then email the finance employee, purporting to be the CEO, and requesting that they initiate a money transfer to a bank account they control.
For it to work, the email has to look genuine. They’ll either use an email account that looks ‘legitimate’ or plausible (For example firstname.lastname@example.org), or though ‘spoofing’ the CEO’s genuine email. This will be where an email is sent with modified headers, so the “From:” field contains the CEO’s genuine email. Some motivated attackers will attempt to get the CEO to email them, so they can duplicate the stylings and aesthetics of their email.
The attacker will hope that the finance employee will be pressured to initiate the transfer without checking first with the targeted executive. This bet often pays off, with some companies having unwittily paid out hundreds of thousands of dollars. One company in France which was profiled by the BBC lost 100,000 Euros. The attackers tried to get 500,000, but all but one of the payments were blocked by the bank, who suspected fraud.
How Social Engineering Attacks Work
Traditional computer security threats tend to be technological in nature. As a result, you can employ technological measures to defeat these attacks. If you get infected with malware, you can install an anti-virus program. If someone’s been trying to hack your web server, you can hire someone to perform a penetration test and advise you on how you can ‘harden’ the machine against other attacks.
Social engineering attacks – of which CEO fraud is an example of – are a lot harder to mitigate against, because they’re not attacking systems or hardware. They’re attacking people. Rather than exploiting vulnerabilities in code, they take advantage of human nature, and our instinctive biological imperative to trust other people. One of the most interesting explanations of this attack was made at the DEFCON conference in 2013.
Some of the most jaw-droppingly audacious hacks were a product of social engineering.
In 2012, former-Wired journalist Mat Honan found himself under attack by a determined cadre of cyber-criminals, who were determined to dismantle his online life. By using social engineering tactics, they were able to convince Amazon and Apple to provide them the information they needed to remotely-wipe his MacBook Air and iPhone, delete his email account, and seize his influential Twitter account in order to post racial and homophobic epithets. You can read the chilling tale here.
Social engineering attacks are hardly a new innovation. Hackers have been using them for decades in order to gain access to systems, buildings and information for decades. One of the most notorious social engineers is Kevin Mitnick, who in the mid-90’s spent years hiding from the police, after committing a string of computer crimes. He was jailed for five years, and was prohibited from using a computer until 2003. As hackers go, Mitnick was as close as you could get to having rockstar status. When he was finally allowed to use the Internet, it was televised on Leo Laporte’s The Screen Savers.
He eventually went legit. He now runs his own computer-security consultancy firm, and has written a number of books about social engineering and hacking. Perhaps the most well-regarded is “The Art of Deception”. This is essentially an anthology of short stories that look at how social engineering attacks can be pulled off, and how to protect yourself against them, and is available for purchase at Amazon.
What Can Be Done About CEO Fraud?
So, let’s recap. We know that CEO Fraud is awful. We know it’s cost a lot of companies a lot of money. We know it’s incredibly hard to mitigate against, because it’s an attack against humans, not against computers. The last thing left to cover is how we fight against it.
This is easier said than done. If you’re an employee and you’ve received a suspicious payment request from your employer or boss, you might want to check in with them (using a method other than email) to see whether it was genuine. They might be a bit annoyed with you for bothering them, but they’ll probably be more annoyed if you ended up sending $100,000 of company funds to a foreign bank account.
There are technological solutions that can be used, too. Microsoft’s upcoming update to Office 365 will contain some protections against this type of attack, by checking the source of each email to see whether it came from a trusted contact. Microsoft reckons that they’ve achieved a 500% improvement in how Office 365 identifies counterfeit or spoofed emails.
Don’t Be Stung
The most reliable way to protect against these attacks is to be skeptical. Whenever you get an email that asks you to make a large money transfer, call up your boss to see if it’s legit. If you have any sway with the IT department, consider asking them to move to Office 365, which is leading the pack when it comes to fighting CEO Fraud.
I certainly hope not, but have you ever been victim to a money-motivated email scam? If so, I want to hear about it. Drop be a comment below, and tell me what went down.