25th November, 2019 – Purple Post

This week’s insight from Purple Team

How Business Email Compromise works

Last week we talked at length about how to identify a phishing attempt. This week, let us look at how a specific variety of phishing, Business Email Compromise (BEC), targets you. It is also called Whaling, CEO Fraud or Wire-Transfer Fraud.
Lest you underestimate it, please understand that we are talking about an attack that caused $26 billion in losses last year! This type of attack is particularly difficult to detect because, like Jeeves, the perpetrators work on ‘the psychology of the individual’. This linked article gives a sample of such a scam.
Let us see how the scam works:


BEC Tactics

Barracuda has published a detailed report on the various means perpetrators employ to get you to act on their mail. Key tactics:

  • Timing of the Attack
    91% of BEC attacks originate during a work day to convince you that the email is indeed from the presumptive originator. They are smart enough to avoid popular holidays; this trips them up sometimes in cultures with which they are not conversant. Conversely, they also increase the frequency during busy holidays like Thanksgiving or Deepavali betting that you would not pay as close attention.
  • Convincing Impersonation
    Most BEC attacks are very convincing. They target, on average, only 6 people in an organization, which also lets the attacker monitor the targets’ activities more closely. While the ‘From’ address looks convincing enough, the ‘Reply-To’ address is a giveaway. And the mail provider of choice is Gmail.
  • Urgency
    The messages are imperative in tone and convey urgency very well. About half of BEC mails contain “Request” or “Urgent”. A significant portion contain “Follow-up” to imply that it is an ongoing conversation. Most first messages ask for help or check your availability. Once that is established, the rest follows. Again, remember, BEC mails typically do not contain links; they get you to do the work for them! For example, you could get a message from your CEO saying:
    “Have you got a minute? I need you to complete a task for me discreetly.
    p.s. I am in a meeting now and can’t talk so just reply.
    CEO, Acme Corp, <acme url>
    Sent from wireless”

There are variations in the ultimate aim of the BEC – it could target HR to change payroll account or dues, or it could impersonate a vendor or supplier with an appropriate story. The thing to remember is that it is extremely believable.


What should you do?

At a transaction level, you need to validate the transaction out-of-band, for example via a direct phone call to a number you already know. As a process, you should ensure that anyone who does validate is never penalized or chastised for it, ever.
At a technical level, you can implement DMARC to authenticate your emails.
Whatever you choose, please be wary – ’tis the season for scams too!
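To make the ‘Reply-To’ giveaway and the urgency words above concrete, here is a small triage heuristic written for this post (not Barracuda’s or any vendor’s code). It assumes the mail is available as raw RFC 822 text; the two sample messages and the domain acme.example are constructed for illustration.

```python
"""Heuristic BEC triage for inbound mail, following the tactics listed above:
a Reply-To domain that differs from From, a free-mail Reply-To (Gmail is the
provider named in the report) and urgency words in the subject."""
import email
from email import policy
from email.utils import parseaddr

FREEMAIL = {"gmail.com"}
URGENCY_WORDS = ("urgent", "request", "follow-up")


def _domain(header_value):
    # Bare domain from "Display Name <user@domain>", or '' if the header is absent.
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message):
    """Return the list of indicator names found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-mismatch")
    if reply_dom in FREEMAIL:
        hits.append("freemail-reply-to")
    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        hits.append("urgency-subject")
    return hits


# Constructed sample (acme.example is a placeholder): looks like the CEO,
# but any reply goes to a Gmail mailbox the sender controls.
SUSPICIOUS = """From: Jane Doe <jane.doe@acme.example>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Urgent request
To: staff@acme.example

Have you got a minute? I need you to complete a task for me discreetly.
"""

# Constructed sample: ordinary internal mail with consistent headers.
BENIGN = """From: Jane Doe <jane.doe@acme.example>
Subject: Board deck for Friday

Draft attached for review.
"""
```

A hit list is a prompt for the out-of-band phone call, not a verdict; a clean list does not prove the mail is genuine.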

– Sridhar Parthasarathy, CEO, Purple Team (www.purpleteam.in)


Learning News this Week

The Language of Cybercrime

Since phishing in general, and BEC in particular, are so rooted in the psychology of the individual, it is very illuminating to look into how a scammer works. The link above has some snippets of an actual romance scam. Please read it; it is worth your time.

Learning

Two aspects stood out for me: (1) how easy it is to script an interaction to scam someone and (2) the extent to which a scammer can push a victim.
We each have this image of a scammer as a computer nerd (maybe disheveled, but a nerd!). Clearly that is not the case. Set scripts are available, and all they need is a bit of seed capital.
What we need to understand is that it is not about how smart we are; a successful scam depends on how human you are.

How the hell did that happen?

The article linked above explains how ransomware bypasses security checks, even in organizations that seem to have implemented good security practices.  We saw how psychology is at the core of BEC.  

Learning

The article talks about a few techniques like “Code Signing” or “Privilege Escalation”. These are merely the methods by which ransomware hijacks your systems and data. The core problem in ransomware attacks is also rooted in psychology.
The key attack vectors for ransomware are email links and malicious sites. All the techniques listed in the article are useless if nobody clicks those links, and getting you to click them is an exercise in applied psychology.
In my opinion, investment in employee education pays extremely high dividends in the security arena.


Interesting News

1.2 Billion People Exposed

Data sleuth Bob Diachenko located an unsecured Elasticsearch server with 1.2 billion records left over from two data aggregation companies, People Data Labs and OxyData.io.

Top 5 CyberSecurity Projects that can save you

Small and medium enterprises can leverage these open-source projects to get a head start on their security initiatives for safeguarding their businesses. Another advantage of open-source projects is that companies can customise them to their own requirements.

Are you 1-10-60 Compliant?

How long do you need to contain a breach in your organization? The recommendation is: 1 minute to detect, 10 minutes to triage, and 60 minutes to contain. The average company takes 162 hours to detect, triage, and contain a breach.

Ginp Android Banking Trojan

An Android malware, called Ginp, masquerades as legitimate Android apps such as Adobe Flash Player. Once installed, it requests and obtains permissions, which provide the springboard for further compromise. The current version targets your banking information.

How to avoid shopping scams this season

There’s nothing quite like a major online sale to have us reaching for the credit cards in the hopes of nabbing a bargain (or ten), but with Black Friday and Cyber Monday fast approaching, the need for increased diligence around our online safety is at an all-time high. 

Phoenix Key Logger Avoids detection

The Phoenix Key Logger (it has now morphed into an info-stealer) has gained anti-AV and anti-VM capabilities. It now actively evades 80 different security products.