Data Theft & Financial Fraud

Data Theft & Financial Fraud

Related Phishing Attack Vector Articles:


Some 15 years back, security researchers considered phishing as just one of several threats found in e-mail spam. From a technical point of view, phishing was considered relatively primitive. Phishing originally had few technical tools, techniques, and tricks that posed trivial threats only to the new and inexperienced computer users. But currently, phishing has become a predominant threat due to advanced technologies and new tactics employed by attackers. At present, phishing is not limited to just collecting user information without any intent to cause serious damage, which was the trend earlier.

Currently, phishing attacks pose serious threats in the Internet space. Attackers employ ingenious phishing attacks to carry out data thefts and financial frauds. Attackers are increasingly using different phishing techniques to steal user credentials, steal personal and financial information, perform Automated Clearing House (ACH) frauds, and carry out different variants of wire transfer scams.

Stealing Credentials

The term “credentials” in Information Technology stands for the information used to identify and authenticate a user. As an example, the e-mail address and password combination that you use to log in to your Facebook account is your Facebook credentials. Other credentials can be a combination of user name and password, phone number and password, and so on.

There are several ways to steal credentials, but phishing is the most rampant one. The reason – it’s easy to launch a phishing attack and lure victims to fall for it.

To steal credentials, an attacker launches a spear-phishing attack by sending a customized e-mail to a user. Such an e-mail is designed to be coming from a trusted source and attempts to lure the user to click on a link or button on the e-mail. An example of one such phishing e-mail is this.

1

Phishing E-mail Example

Clicking on any link or button on the phishing e-mail leads the victim to a phishing site that is designed to look like a legitimate log in page of the original site. When the victim attempt to log in to the phishing site, the credentials are sent directly to the attacker.

Once the attacker gets the user’s credentials, the consequences can be devastating. The attacker can use the credentials for different fraudulent activities. Starting with resetting the victim’s password, the attacker can keep the victim permanently locked out of his account, unless the application provides some other authentication means to enable reclaiming the account. Even if the victim succeeds to reclaim the account, it might be too late before the attacker misuses the account to steal personal and financial information or even perform financial transactions on behalf of the victim.

The primarily challenge in such type of attack is that it’s nearly impossible to detect the attacker’s activities to be suspicious. Once a user is authenticated and logs in, security monitoring systems and staff are not tuned to notice and suspect user activities, even though it’s being done illegally.

Stealing Personal and Financial Information

Stealing credentials is only the first step of an attacker to launch a full blown attack. Once an attacker gains a user’s credentials, the attacker will look to steal any personal and financial information associated with the compromised account. However, a compromised account is not the only door through which an attacker can gain access to sensitive information. With each passing day, attackers devise new phishing tricks and circulate new types of phishing attacks to steal personal and financial information.

To steal personal and financial information, a new variant of phishing attack has surfaced that combines spear phishing with different types of malwares, such as Trojan Horses or Key logging software. Such Malware-based phishing is started with a spear phishing e-mail containing a weaponized attachment. Such an attachment is designed to perform a drive-by download of malware when opened. Once the victim falls for such an attack, the malware is automatically downloaded and activated on the victim’s computer. From then onwards, the malware keeps sending information of the compromised computer to the attacker’s server. Information can be personal and financial that the malware is designed to capture. Some malware can even record every key stroke that a user types along with desktop screenshots and periodically keeps sending them back to the attacker. Advance variants of such malware can replicate and spread across the computer networks infecting other computers attached to the network.

ACH Fraud

ACH fraud is the theft of funds through the ACH network. In the United States, ACH acts as the central clearing facility for all Electronic Fund Transfer (EFT) process between bank accounts. Common uses of ACH include:

  • Employer pays salary to employees.
  • Business-to-business (B2B) payments. For example, an organization pays a supplier for products.
  • Customer- to-Business (C2B) payments. For example, a customer pays for some service to a service provider.
  • User transfers money between different bank accounts.

To know more how ACH transactions happen technically, you can check the How the ACH Network and ACH Payments Work topic.

ACH transaction volume is growing at a fast pace. According to National Automated Clearing House Association (NACHA), in 2015, 24 billion electronic payments of $41.6 trillion were transferred over the ACH Network. Such high volume of financial transactions has apparently gained attentions of attackers to commit ACH frauds and, as a result the number of ACH frauds – both attempted and successful is increasing at an alarming rate.

Another reason for increase in ACH fraud is the transition from the traditional manual ACS process to electronic ACH process. An example of the traditional process is an organization that does its payroll through ACH – say on the last day of each month. The organization physically hands over the payroll tape to the bank, and the bank verifies that the nature and amount of the check is correct. The bank would then call back and verify the amounts with the company before it releases the payroll. However, currently organizations, due to convenience, are increasingly performing ACS processes electronically by logging into the bank’s account – a primary reason for the increase in ACH fraud because it’s comparatively easy to break through the electronic ACS process than the traditional manual process. All an attacker needs to commit an ACH fraud is the login details of the victim’s bank account. One way to acquire the login details is through phishing – particularly spear phishing and malware-based spear phishing that we discussed earlier.

Recently, an attacker was able was able to install a key logger in a Midwestern company’s computer system through a phishing e-mail. The attacker then acquired the login details of the company’s bank. The attacker then used the login details to log on to the bank, and transferred $160,000 in ACH credits to several bank accounts that the attacker controls.

Wire Transfer Scams

Wire transfer scams refer to the illegal practices carried out by attackers to lure users to wire transfer money to the attacker’s bank account. There are a large number of wire transfer scams, each carried out by attackers using different approaches, but primarily using phishing e-mails. Some of the widely carried out and most damaging wire transfer scams are:

  • Business Email Compromise (BEC) attacks
  • Nigerian 419 money laundering scam
  • Lottery scam

Business Email Compromise (BEC) Attacks

One wire transfer scam carried out through phishing that has seen significant increase from 2015 is BEC attacks that are carried out in organizations. It’s the FBI that spotted BEC attacks and released an advisory on it in 2015

An attacker begins a BEC attack with extensive scrutiny about the employees of an organization. The attacker then poses as someone in the senior management, such as the company’s CEO to send out a phishing e-mail. The purpose is to convince personals with spending authority, such as the CFO to wire transfer money to the attacker-controlled bank account. It’s observed that BEC attackers commonly send out information and instructions in the phishing e-mail about mergers and acquisitions, expenses, and purchases. In the phishing e-mail, the attacker reinforces the need of urgency while maintaining secrecy. Following is an example of such one phishing e-mail used to carry out a BEC attack.

2

Phishing E-mail of BMC Attack

The FBI estimates that since 2013, BEC attacks were successfully carried out on 7,000 targets resulting in a loss of $1.2 billion globally.

Nigerian 419 Money Laundering Scam

This scam is one of the oldest wire transfers scams carried out through phishing, and most probably you have already encountered it, in one form or another. In the scam name, the “419” part stands for the Nigeria’s Criminal Code section that forbids the practice.

This scam is carried out through a mass phishing attack where the attacker sends out a large number of phishing e-mails to target as many people as possible.

The scam starts with the attacker sending out phishing e-mails with an emotional or an economically enticing fake story. The stories differ but the intention is the same – lure victims into the scam. Some gists of common stories that have been reported by victims are:

  • Large amount of money present in banks that the mail sender can’t withdraw due to civil wars or coups
  • Large amount of inherited money that the sender can’t access due to prevalent government regulations
  • Large sums of money that the sender posing as a member of a royal family wants to transfer out of the country
  • Hidden cache of gold or money that the sender posing as a soldier discovered and wants to transfer it out of the country

Along with the story in the e-mail, the attacker offers the victim to transfer the money to the victims account. The attacker initially asks the victim to respond with his e-mail ID, address, or phone number. You can look at several e-mail variants of the Nigerian 419 scam here.

When someone falls into the trap and responds, the attacker starts the second phase of the attack. The attacker contacts the victim and introduces some hurdles, such as papers and legal matters or transactions and transfer costs that are delaying or preventing the planned deal. The attacker then asks the victim to wire transfer a small amount of money to resolve the hurdles and initiate the transfer. Once the victim transfers the initial amount, the attacker asks the victim to transfer more money citing some other additional reasons. It’s common for the attacker to convince the victim by sending false documents bearing forged official stamps and seals. The attacker similarly continues extracting money from the victim till the victim realizes about the scam.

Lottery scam

This is another classic wire transfer scam carried out primarily through phishing e-mails. In the lottery scam, the attacker carries out mass phishing e-mail campaigns informing users that they won a huge amount of money by winning a lottery. Through the e-mail, the attacker informs the users to wire transfer a small amount of processing fee to collect the lottery fortune, or else the user will forfeit the right to the prize money. Even though a users don’t recall ever purchasing any lottery tickets, some still become victims and wire transfers the processing fee amount. Apparently being a scam, they never receive any lottery fortune.

You can look at several e-mail variants of the lottery scam here.

References:

http://resources.infosecinstitute.com/phishing-is-the-name-of-the-game/

http://resources.infosecinstitute.com/a-brief-history-of-spear-phishing/

http://www.legalmatch.com/law-library/article/malware-based-phishing-lawyers.html

https://www.microsoft.com/security/sir/glossary/drive-by-download-sites.aspx

https://www.nacha.org/ach-network

https://www.nacha.org/news/ach-volume-grows-56-percent-adding-13-billion-payments-2015-0

https://heimdalsecurity.com/blog/top-online-scams/

https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise

https://www.scamwatch.gov.au/types-of-scams/unexpected-money/nigerian-scams

https://en.wikipedia.org/wiki/Advance-fee_scam

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Ryan
Fahey

View more articles from Ryan