Cyber Threats Views from the FBI Special Agent Keith Custer Federal - - PowerPoint PPT Presentation

SLIDE 1

Cyber Threats – Views from the FBI

Special Agent Keith Custer

Federal Bureau of Investigation – Baltimore Division

SLIDE 2

Overview

  • Cyber Threat Overview
  • Cyber-enabled Fraud
  • Types of Cyber-enabled Fraud
  • Business Email Compromise (BEC)
  • Case Studies
  • Best Practices to Protect Against Cyber-enabled Fraud

UNCLASSIFIED

SLIDE 3

Cyber Threats

  • Cyber Division (CyD)
    – Intrusions
    – Major Infrastructure Defense
    – Nation State Attacks
  • Criminal Investigative Division (CID)
    – Cyber-enabled Crime
      • Fraud
      • Drugs
      • Money Laundering
      • Identity Theft

SLIDE 4

The FBI’s Cybersecurity Mission

To protect the United States against:

  • Terrorist attack
  • Foreign intelligence operations and espionage
  • Cyber-based attacks and high technology crimes

As the only U.S. agency with the authority to investigate both criminal and national security cybersecurity threats, the FBI is following a number of emerging trends.

SLIDE 5

Cyber Threats and Motivations

SLIDE 6

Cyber-Enabled Fraud

  • The advent of the Internet has made a lot of things easier for a lot of people
  • Unfortunately this includes fraudsters

SLIDE 7

Common Types of Cyber-enabled Fraud Targeting Businesses

  • Counterfeit Check scam (multiple varieties)
    – Attorney/CPA
    – Employment-based
  • Account Takeover
  • Business Email Compromise (BEC)

SLIDE 8

Counterfeit Check Scam (Attorney/CPA)

  • Target is usually solicited by email
    – Often the fraudster “spoofs” the email of a real executive (e.g., jbsmith@acmefireworks.com vs. jbsmith@acmeflreworks.com)
  • The fraudster requests assistance with an international business matter, such as an acquisition or contract dispute
  • If the target agrees the fraudster arranges for a high-quality counterfeit instrument to be delivered to the target as part of the engagement
  • The target is directed to deposit the check and immediately wire funds to a “drop account”, usually a shell corporation in a foreign country (China, Taiwan, Malaysia, Dubai, Japan, etc.)
  • The funds are immediately withdrawn or transferred out of the destination account
  • The check is eventually found to be fake and the target is sometimes on the hook for the loss.
  • Transactions are typically $100,000 to $500,000

SLIDE 9

Account Takeover

  • Frequently targets individuals or businesses after a compromise of personal information (email hack or PII stolen)
  • Fraudster identifies high value accounts
    – Home Equity Line of Credit (HELOC)
    – Brokerage
    – Money Market Savings
  • Fraudster contacts financial institution call center or email and attempts to initiate a wire transfer to a “drop account”
    – Fraudster will attempt to socially engineer verification
    – Fraudster will attempt to have the target’s home phone forwarded to his burner cell phone
    – If business has been done by email in past, sometimes no verification is required
  • Usually the financial institution will take the loss in account takeovers after reimbursing the victim for any unauthorized withdrawals

SLIDE 10

Business Email Compromise (BEC) Definition

BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising or spoofing legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. Most victims report using wire transfers as the common method of transferring funds for business purposes; however, some victims report using checks as the common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices. This definition was revised to emphasize the different techniques used to compromise victim e-mail accounts.

SLIDE 11

Ubiquiti reported in August 2015 it was a BEC victim

SLIDE 12

BEC Descriptions

Version 1 : Fraudster impersonates CEO or CFO to initiate a wire transfer

  • The fraudster hacks or spoofs a business executive’s e-mail account.
  • A request, seemingly on behalf of this business executive, is then forwarded to a second employee requesting a wire transfer to a fraudster controlled bank account.
  • The second employee complies with the business executive’s request and sends the payment.
  • Sometimes the fraudster compromises a business executive’s e-mail account and contacts the bank directly, asking for an “urgent wire transfer.”
  • This process is repeated every few days until discovered. Typical transactions are $100,000 to $200,000.

SLIDE 13

BEC Case Study: Version 1

  • Victim A: A publicly traded, San Diego, CA-based educational resources firm with $638 million in revenues in 2014
  • On April 7, 2014, Victim A’s corporate controller (Russell) was contacted by an individual purporting to be the CFO (Daniel) and directed to send an $85,050 wire, supposedly at the direction of the CEO (Andrew)

SLIDE 14

BEC Case Study: Version 1

SLIDE 15

BEC Case Study: Version 1

  • On April 8, 2014, Victim A’s corporate controller (Russell) was again contacted by the same individual purporting to be the CFO (Daniel) and directed to send a $115,000 wire, again at the direction of the CEO (Andrew)

SLIDE 16

BEC Case Study: Version 1

SLIDE 17

BEC Case Study: Version 1

  • On April 9, 2014, the fraud was discovered, but the funds could not be recalled
  • Contributing factors
  • Russell was a relatively new employee (4 months)
  • Wires had been done by email in the past infrequently (lack of controls)
  • Andrew and Dan were out of the office on April 7th and 8th
  • No evidence of malware
  • Source IP address had browsed company website on April 7, 2014

SLIDE 18

BEC Case Study: Version 1

  • Funds were transferred to an unwitting non-profit in San Diego, that was told they had been wired money accidentally and agreed to redirect the funds when contacted by the fraudsters
  • $95,000 of the funds were redirected by bank wire to a shell company in the United States opened by an unemployed 28 year old Liberian female and withdrawn in cashier’s check shortly after

SLIDE 19

BEC Descriptions

Version 2 : A business employee’s e-mail is hacked

  • An employee often in Accounts Receivable has their e-mail hacked, not spoofed.
  • Requests for invoice payments are sent from this employee’s e-mail to multiple vendors identified from this employee’s contact list.
  • These requests contain seemingly legitimate invoices with the payment instructions changed to fraudster controlled accounts.

SLIDE 20

BEC Case Study: Version #2

  • Victim B: A privately held, San Francisco, California-based international shipping and logistics firm
  • On May 8, 2014, Victim B’s corporate controller (Tim) was contacted by an individual purporting to be the CFO (James) and directed to send a $176,081.46 wire, supposedly at the direction of the CEO (George)

SLIDE 21

BEC Case Study: Version #2

  • Both wires were sent before the fraud was detected resulting in a loss of $343,613.38
  • Wire 1 was sent to:
    XXXXXXXXX Entertainment Inc. Taichung Commercial Bank Taipei, Taiwan
  • Wire 2 was sent to:
    XXX LTD. Malayan Bank Kuala Lumpur, Malaysia

SLIDE 22

BEC Case Study: Version #2

  • Victim B continued to be targeted.
  • In December 2014, a Victim B employee in Accounts Receivable (Catherine) was found to have opened an infected email attachment that compromised her email
  • Victim B customers then began to receive correspondence from a spoofed email using Catherine’s name and an outlook.com email address.
  • The customers were asked to redirect payments to an account in Victim B’s name (but not controlled by Victim B) at NATIONAL WESTMINSTER BANK in the United Kingdom
  • These attempts were unsuccessful with the exception of a single payment of $36,779.85 on 2/11/2015

SLIDE 23

BEC Case Study: Version #2

Malware Bytes Detection

1/16/15 - Malware was detected - pidloc.txt (Malware.Trace.E)

Detecting Trace

The following symptoms signal that your computer is very likely to be infected with Trace:

PC is working very slowly
Trace can seriously slow down your computer. If your PC takes a lot longer than normal to restart or your Internet connection is extremely slow, your computer may well be infected with Trace.

New desktop shortcuts have appeared or the home page has changed
Trace can tamper with your Internet settings or redirect your default home page to unwanted web sites. Trace may even add new shortcuts to your PC desktop.

Annoying popups keep appearing on your PC
Trace may swamp your computer with pestering popup ads, even when you're not connected to the Internet, while secretly tracking your browsing habits and gathering your personal information.

E-mails that you didn't write are being sent from your mailbox
Trace may gain complete control of your mailbox to generate and send e-mail with virus attachments, e-mail hoaxes, spam and other types of unsolicited e-mail to other people.

SLIDE 24

BEC Case Study: Version #2

SLIDE 25

BEC Descriptions

Version 3 : Business Executive and Attorney Impersonation

  • Fraudsters first contact an employee pretending to be a business executive, saying that an attorney will be calling or sending an e-mail about an urgent matter.
  • The fraudsters contact the same employee pretending to be an attorney.
  • The employee is requested to assist in handling confidential or time-sensitive matters that involve the transfer of funds.
  • The employee is pressured to act quickly or secretly in handling the transfer of funds.
  • Requests may occur at the end of the business day or work week or are timed to coincide with the close of business of international financial institutions.

SLIDE 26

BEC Example – Attorney Impersonation

SLIDE 27

BEC Variants

Version 4 : A business working with a foreign supplier

  • A business orders goods from a trusted supplier, usually in China or Hong Kong.
  • The customer/victim is contacted by a fraudster via phone, fax, or e-mail to change the payment location of the invoice, usually to a bank in China or Hong Kong.
  • The customer sends payment to the new bank account.

SLIDE 28

BEC Hallmarks

  • Businesses and associated personnel using open source e-mail accounts are predominantly targeted.
  • Individuals responsible for handling wire transfers within a specific business are targeted.
  • Spoofed e-mails very closely mimic a legitimate e-mail request.
  • Fraudulent e-mail requests for a wire transfer are usually well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
  • Fraudsters use company logos, letterhead, invoice formats, and signatures of employees of the targeted supplier to increase believability.

SLIDE 29

BEC Hallmarks

  • The amount of the fraudulent wire transfer request is business specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
  • Additional spoofed e-mail addresses that appear to belong to the targeted business are sometimes copied to fraudulent e-mails.
  • Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
  • Victims report that IP addresses frequently trace back to free domain registrars.
  • The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.

SLIDE 30

BEC Hallmarks

  • Employees may be “phished” prior to the BEC incident
  • Employees may be pressured to act quickly or secretly in making a transfer of funds
  • BEC incidents may be timed for the close of either a domestic or international business day or week
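
An added example, not part of the original presentation: a triage function that checks a message for hallmarks named in the slides (the reported phrases, pressure to act quickly or secretly, end-of-day or end-of-week timing) plus the employee-name-on-a-free-webmail-address pattern from the Victim B case study. The company domain, staff names, pressure-word list, 16:00 cutoff and both sample messages are assumptions constructed for illustration.

```python
"""Match an inbound message against BEC hallmarks listed in the slides."""
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions for this sketch: company domain, staff list and word lists.
COMPANY_DOMAIN = "victimb.example"
STAFF_NAMES = {"catherine doe", "james doe"}
FREE_WEBMAIL = {"outlook.com", "gmail.com", "yahoo.com"}
REPORTED_PHRASES = ("code to admin expenses", "urgent wire transfer")  # from the slides
PRESSURE_WORDS = ("confidential", "immediately", "do not discuss")  # assumed


def bec_hallmarks(raw_message):
    """Return the sorted names of the hallmarks the message matches."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = " ".join((msg.get("Subject", "") + " " + msg.get_payload()).lower().split())
    hits = set()
    if domain in FREE_WEBMAIL:
        hits.add("free-webmail-sender")
    # An employee's display name on an address outside the company domain.
    if name.lower() in STAFF_NAMES and domain != COMPANY_DOMAIN:
        hits.add("staff-name-external-address")
    if any(phrase in text for phrase in REPORTED_PHRASES):
        hits.add("reported-phrase")
    if any(word in text for word in PRESSURE_WORDS):
        hits.add("urgency-or-secrecy")
    # Close of the business day (16:00 or later, sender's clock) or Friday.
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    if sent and (sent.hour >= 16 or sent.weekday() == 4):
        hits.add("end-of-day-or-week")
    return sorted(hits)


# Constructed messages for illustration; names, addresses and text are invented.
SUSPICIOUS = """\
From: Catherine Doe <catherine.doe@outlook.com>
To: ap@customer.example
Date: Fri, 06 Feb 2015 16:45:00 -0800
Subject: Updated remittance details

Our bank details have changed. Please treat this as an urgent wire transfer
and keep it confidential until it is complete.
"""

ROUTINE = """\
From: Catherine Doe <catherine.doe@victimb.example>
To: ap@customer.example
Date: Tue, 03 Feb 2015 10:15:00 -0800
Subject: February statement

Your statement is attached. Payment terms and bank details are unchanged.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        print(label, bec_hallmarks(raw))
```

A match is a reason to verify the request through a known channel, not proof of fraud; routine mail sent on a Friday will trip the timing check on its own.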

SLIDE 31

BEC Impact

US
  • 7,066 Victims
  • $747,659,840.63 Dollar Loss

Outside the US
  • 1,113 Victims
  • $51,238,118.62 Dollar Loss

BEC Global Total
  • 8,179 Victims
  • $798,897,959.25 Dollar Loss

Amounts are only for those cases reported to the FBI from October 2013 to August 2015

SLIDE 32

BEC Victims by Country

*74 Countries with Victims

October 2013 through June 2015

SLIDE 33

Who Are the Victims of BEC

  • Victims of the BEC scam range from small to large businesses. These businesses may purchase or supply a variety of goods, such as textiles, furniture, food, and pharmaceuticals.
  • BOTH suppliers and their customers are victims of this scam. The scam impacts both ends of the supply chain, as both supplies and money can be lost and business relations may be damaged.
  • Since the criminal activity is being facilitated through financial institutions, the financial institutions themselves can be considered victims.

SLIDE 34

Destinations of Fraudulent Transfers

*72 Countries with Subjects

October 2013 through June 2015

SLIDE 35

Common Types of Cyber-enabled Fraud Targeting Individuals

  • Romance Scams
    – Every dating web site on the Internet is affected
  • Advanced Fee Scheme
    – International Lottery
    – Overseas Inheritance
  • IRS/DEA/FBI intimidation
    – Sometimes with inside knowledge
  • Account Takeovers
  • Email Account Compromise
  • Income Tax Refund Fraud

SLIDE 36

Romance Scams

  • Vulnerable individuals, often elderly females, are targeted by fraudsters purporting to be U.S. businessmen or service members located overseas
  • Victims are moved off website messaging as soon as possible
  • Most victim contact continues via SMS text message, Yahoo! Chat, or email
  • After cultivating a strong romantic connection, the fraudster begins a never-ending string of scams
  • Many victims believe they are engaged to the fraudster and carry on the relationship for years and continue even after confronted by family or the FBI

SLIDE 37

Typical Romance Scam Profiles

“Phillip Low”

  • Low purported to own a construction company working on a project in the Philippines
  • Low provided collateral checks and requested loans to help complete the project
  • The victim lost almost $70,000

SLIDE 38

Typical Romance Scam Profiles

“Lantz Thompson”

According to his profile, Lantz is interested in: “open, honest, long lasting committed relationship, Someone i will grow old with. I believe a successful relationship requires both individuals to put 100% f ortrt (sic) into it. Both must also be able and willing to engage in meaningful conversation, and be able to express their deepest feelings. Surface talk I can do with anyone, and I want more. I enjoy family and friends, but the one who I … enjoy the most is my mate! Nobody comes before her. I also believe we should always strive to be a good example before our children, even if they are grown. Trust and honesty is extremely important to me. If I can't trust my mate, who can I trust? I like people to be their selflf (sic), not pretend to be someone they are not”

SLIDE 39

Typical Scams

  • Oil Business in Nigeria
    – Taxes/Fees
    – Equipment lost or broken
    – Bribe corrupt official
    – Employee died or injured
  • Fiancé
    – Car accident, hospitalized
    – Travel expenses to come “home” to marry victim
    – Family member hospitalized
    – Robbed overseas
  • Rare Gem Dealer (SE Asia)
    – Customs fees
    – Bribe corrupt official
    – Imprisoned overseas
  • Construction Project in Philippines/Malaysia
    – Taxes/Fees
    – Equipment lost or broken
    – Natural disaster
    – Bribe corrupt official
    – Employee died or injured

SLIDE 40

Common Types of Cyber-enabled Fraud Targeting Individuals

  • Advanced Fee Schemes
    – International Lottery
    – Overseas Inheritance
  • IRS/DEA/FBI intimidation
    – Sometimes with inside knowledge
  • Account Takeovers
  • Email Account Compromise
  • Income Tax Refund Fraud

SLIDE 41

Suggestions to Protect Yourself

  • Create intrusion detection system rules that flag emails with extensions that are similar to company email. For example, legitimate email of abc_company.com would flag fraudulent email of abc-company.com.
  • Register all company domains that are slightly different than the actual company domain.
  • Verify changes in vendor payment location by adding additional two factor authentication such as having a secondary sign off by company personnel even if there is a delay in authorizing the payment.
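
An added example, not part of the original presentation: one way to implement the first suggestion above, flagging sender domains that resemble a company domain without matching it. The protected domains are the slides' own examples; the confusable-character map, the distance threshold and the sample senders are assumptions constructed for illustration.

```python
"""Flag sender domains that resemble, but do not equal, a protected domain."""

# The two legitimate domains used as examples in the slides.
PROTECTED = ("acmefireworks.com", "abc_company.com")

# Assumed confusable map: characters often swapped in lookalike domains.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "-": "", "_": ""})


def skeleton(domain):
    """Collapse visually similar characters so lookalikes compare equal."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLE)


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(sender, protected=PROTECTED, max_distance=2):
    """Return (verdict, protected domain it matches or imitates)."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in protected:
        return "legitimate", domain
    for real in protected:
        if skeleton(domain) == skeleton(real):
            return "lookalike", real
        if edit_distance(domain, real) <= max_distance:
            return "lookalike", real
    return "unrelated", None


def flag_lookalikes(senders):
    """Return only the senders an IDS or mail rule should flag for review."""
    return [(s, real) for s in senders
            for verdict, real in [classify(s)] if verdict == "lookalike"]


# Constructed sample senders; the first three domains come from the slides.
SAMPLE = [
    "jbsmith@acmefireworks.com",
    "jbsmith@acmeflreworks.com",
    "billing@abc-company.com",
    "ap@acmefierworks.com",
    "news@example.org",
]

if __name__ == "__main__":
    for sender, real in flag_lookalikes(SAMPLE):
        print(f"FLAG {sender} imitates {real}")
```

The same candidate list (skeleton matches and near-distance variants) is a starting point for the defensive domain registrations in the second suggestion.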

SLIDE 42

Suggestions to Protect Yourself

  • Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
  • Know the habits of your customers, including the details of, reasons behind, and amount of payments.
  • Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.

SLIDE 43

Suggestions to Protect Yourself

  • Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out of office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.

SLIDE 44

Suggestions to Protect Yourself

  • Talk to your insurance carrier to see if you are covered in the event of a victimization
  • Additional information is publicly available on the United States Department of Justice website www.justice.gov; publication entitled “Best Practices for Victim Response and Reporting of Cyber Incidents”.

SLIDE 45

File a Complaint

If you believe your business is the victim of cyber-enabled fraud (regardless of dollar amount) report it to the Internet Crime Complaint Center (IC3) at www.ic3.gov

SLIDE 46

Cyber Threat Takeaways

  • It’s not just the hackers and data thieves you need to worry about
  • Fraudsters will eventually find a company’s vulnerabilities wherever they exist and exploit them
  • Most of the time the vulnerability will be human in nature
  • You are only as strong as your weakest link; educate your personnel, especially those in key positions

SLIDE 47

Questions?