Are Hackers getting smart to who holds the company credit card numbers and deliberately targeting CFOs?
Phishing is a technique used by hackers to gain entry into computer systems. Rather than relying on sophisticated technology, hacking techniques, and coding to penetrate systems, phishing fools employees into willingly giving up their password (or other valuable personal data). This is why it is commonly referred to as “social engineering”.
Traditionally, phishing attacks on big firms have targeted the little guy at corporations; low-level employees that accidentally allow hackers to gain entry into systems. Once inside the network, hackers can infiltrate deeper into a firm’s system - embedding themselves to inject sophisticated malware and trojans. In the past, malicious exploits have been used to turn on computer microphones or cameras to perform corporate espionage, for example.
Now, researchers are discovering more and more evidence of hackers going after more senior members of staff. According to Agari Cyber Intelligence Division (ACID), a hacking collective known as “London Blue” has been focussing its attacks on Chief Financial Officers (CFO) at mortgage companies, accountancy firms, and some of the biggest banks in the world.
According to the evidence the cybersecurity firm has now passed to US and UK authorities, London Blue hackers have compiled a list of 35,000 company CFOs and 50,000 senior level targets in accountancy departments. Those targets’ email accounts are being used by hackers to fool other senior members of staff into transferring money to accounts belonging to the cybercrime ring.
Phishing for CFOs
The attack in question is referred to as a Business Email Compromise (BEC). BEC is, for all intents of purposes, exactly the same as a regular phishing attack. However, by gaining access to a corporate email account belonging to a CFO - the hacker is able to more easily defraud the company by sending internal emails to other members of staff.
The frightening thing about the attack is the efficiency with which it is being executed, with Agari describing London Blue as the hacking equivalent of a modern corporation. In the paper, Agari explains that London Blue splits tasks across multiple hacker-employees who perform lead generation, financial operations, and human resources roles.
According to the research, the hackers have been selecting targets using contact lists stolen from two large-scale data brokers. Those lists are normally used by marketing and sales teams to generate potential leads. Agari says that by spamming hundreds and thousands of potential targets with phishing campaigns, it is able to profit from even a small percentage of successes.
Crane Hassold, senior director of threat research at Agari commented that the attack is “pure social engineering” that is “on the rise is because it has been proven to work."
According to reports from the FBI in July, this kind of scam has cost businesses in excess of $12bn since 2013. Agari discovered victims in countries stretching across the US, the UK, Spain, Finland, the Netherlands, and Mexico.
The problem for the victims of BEC attacks is that the emails in question seem legit, and when a senior member of staff asks you to do something - it is normal to comply - and quickly.
Agari explains that on one occasion, cybercriminals were able to convince a bank’s loss prevention unit to agree to a transaction that was in excess of $20,000. Normally this kind of transaction would have been subject to secondary checks.
Sadly social engineering techniques prey on people’s trust for each other in order to coerce them into making costly human errors. Although security measures already exist, without sufficient knowledge of this kind of attack, hackers can successfully play the numbers game to find CFOs to accidentally fall for the scam. Education is key, as so far senior level management at big firms simply haven't gotten the information they need.
The wrong target
Unbelievably, Agari is said to have discovered the hacking group, when London Blue hackers attempted to fool their own CFO into transferring a large amount of money. On that occasion, the hackers impersonated the cybersecurity firm’s chief executive. Luckily for Agari, that particular attempt at social engineering failed.
However, what is interesting is that the attackers had already managed to gain entry to the Chief Executive’s email account, proof that even the most senior level employees at a cybersecurity firm can fall victim to phishing.
Agari believes that the hackers are originally based in Nigeria. However, the firm says that the hacking collective is extremely sophisticated, and has members working in various territories in the EU and the US. Agari alleges that at least two senior-level hackers live in the UK. Authorities will be hoping to catch those hackers first, as they will be much easier to prosecute.
What should firms do?
Over the last few years, there has been a massive rise in senior level phishing. In the past, firms would focus on educating lower level employees. This made sense because there are hundreds, if not thousands of those employees - all of which could potentially fall for a phishing attack.
In fact, in recent years, firms have actually decided to start training employees by subjecting them to internal phishing attacks. If a member of staff falls for a phishing scam, they are singled out and given more training. Over time, firms will increase the difficulty of the phishing campaigns, so that employees become better and better at spotting attacks. Now, it would appear that more senior members of staff need to start thinking about training too.
Too often, those in managerial positions fail to learn basic security essentials that members of staff lower down receive extensive training on. Managerial employees must now work to ensure they do not fall victim themselves. When it comes to social engineering anybody can potentially be a victim if they are not well enough prepared.
Finally, although it can be embarrassing for a firm when high-level employees are targeted, it is important that they act quickly to report fraud to the authorities. The FBI’s IC3 department has previously commented:
"If you discover a fraudulent transfer, time is of the essence. First, contact your financial institution and request a recall of the funds. Different financial institutions have varying policies; it is important to know what assistance your financial institution will provide when attempting to recover funds."
"Law enforcement may be able to assist the financial institution in recovering funds. IC3 will be able to assist both the financial institutions and law enforcement in the recovery efforts."