Cyber Threats – Views from the FBI

Special Agent Keith Custer
Federal Bureau of Investigation – Baltimore Division
Overview
• Cyber Threat Overview
• Cyber-enabled Fraud
• Types of Cyber-enabled Fraud
• Business Email Compromise (BEC)
• Case Studies
• Best Practices to Protect Against Cyber-enabled Fraud
UNCLASSIFIED
Cyber Threats
• Cyber Division (CyD)
– Intrusions
– Major Infrastructure Defense
– Nation State Attacks
• Criminal Investigative Division (CID)
– Cyber-enabled Crime
• Fraud
• Drugs
• Money Laundering
• Identity Theft
The FBI’s Cybersecurity Mission
To protect the United States against:
• Terrorist attack
• Foreign intelligence operations and espionage
• Cyber-based attacks and high technology crimes
As the only U.S. agency with the authority to investigate
both criminal and national security cybersecurity threats, the
FBI is following a number of emerging trends.
Cyber Threats and Motivations
Cyber-Enabled Fraud
• The advent of the Internet has made a lot of things
easier for a lot of people
• Unfortunately this includes fraudsters
Common Types of Cyber-enabled Fraud
Targeting Businesses
• Counterfeit Check scam (multiple varieties)
– Attorney/CPA
– Employment-based
• Account Takeover
• Business Email Compromise (BEC)
Counterfeit Check Scam (Attorney/CPA)
• Target is usually solicited by email
– Often the fraudster “spoofs” the email of a real executive (e.g., [email protected] vs. [email protected])
• The fraudster requests assistance with an international
business matter, such as an acquisition or contract dispute
• If the target agrees the fraudster arranges for a high-quality
counterfeit instrument to be delivered to the target as part of the
engagement
• The target is directed to deposit the check and immediately wire
funds to a “drop account”, usually a shell corporation in a
foreign country (China, Taiwan, Malaysia, Dubai, Japan, etc.)
• The funds are immediately withdrawn or transferred out of the
destination account
• The check is eventually found to be fake and the target is
sometimes on the hook for the loss.
• Transactions are typically $100,000 to $500,000
Account Takeover
• Frequently targets individuals or businesses after a
compromise of personal information (email hack or PII stolen)
• Fraudster identifies high value accounts
– Home Equity Line of Credit (HELOC)
– Brokerage
– Money Market Savings
• Fraudster contacts financial institution call center or email and
attempts to initiate a wire transfer to a “drop account”
– Fraudster will attempt to socially engineer verification
– Fraudster will attempt to have the target’s home phone
forwarded to his burner cell phone
– If business has been done by email in past, sometimes no
verification is required
• Usually the financial institution will take the loss in account
takeovers after reimbursing the victim for any unauthorized
withdrawals
Business Email Compromise (BEC)
Definition
BEC is defined as a sophisticated scam targeting businesses working with foreign
suppliers and/or businesses that regularly perform wire transfer payments. The scam
is carried out by compromising or spoofing legitimate business e-mail accounts
through social engineering or computer intrusion techniques to conduct unauthorized
transfers of funds.
Most victims report using wire transfers as the common method of transferring funds
for business purposes; however, some victims report using checks as the common
method of payment. The fraudsters will use the method most commonly associated
with their victim’s normal business practices. This definition was revised to
emphasize the different techniques used to compromise victim e-mail accounts.
Ubiquiti reported in August 2015 it was a BEC victim
BEC Descriptions
Version 1:
Fraudster impersonates CEO or CFO to initiate a wire
transfer
• The fraudster hacks or spoofs a business executive’s e-mail account.
• A request, seemingly on behalf of this business executive, is then
forwarded to a second employee requesting a wire transfer to a
fraudster controlled bank account.
• The second employee complies with the business executive’s request
and sends the payment.
• Sometimes the fraudster compromises a business executive’s e-mail
account and contacts the bank directly, asking for an “urgent wire
transfer.”
• This process is repeated every few days until discovered. Typical
transactions are $100,000 to $200,000.
BEC Case Study: Version 1
• Victim A: A publicly traded, San Diego, CA-based
educational resources firm with $638 million in revenues in
2014
• On April 7, 2014, Victim A’s corporate controller (Russell)
was contacted by an individual purporting to be the CFO
(Daniel) and directed to send an $85,050 wire, supposedly
at the direction of the CEO (Andrew)
• On April 8, 2014, Victim A’s corporate controller
(Russell) was again contacted by the same
individual purporting to be the CFO (Daniel) and
directed to send a $115,000 wire, again at the
direction of the CEO (Andrew)
• On April 9, 2014, the fraud was discovered, but the funds
could not be recalled
• Contributing factors
– Russell was a relatively new employee (4 months)
– Wires had been done by email in the past infrequently (lack of controls)
– Andrew and Dan were out of the office on April 7th and 8th
– No evidence of malware
– Source IP address had browsed company website on April 7, 2014
• Funds were transferred to an unwitting non-profit in San
Diego, that was told they had been wired money
accidentally and agreed to redirect the funds when
contacted by the fraudsters
• $95,000 of the funds were redirected by bank wire to a
shell company in the United States opened by an
unemployed 28 year old Liberian female and withdrawn in
cashier’s check shortly after
BEC Descriptions
Version 2:
A business employee’s e-mail is hacked
• An employee, often in Accounts Receivable, has their e-mail hacked, not spoofed.
• Requests for invoice payments are sent from this employee’s e-mail to multiple vendors identified from this employee’s contact list.
• These requests contain seemingly legitimate invoices with the payment instructions changed to fraudster controlled accounts.
BEC Case Study: Version #2
• Victim B: A privately held, San Francisco, California-based international shipping and logistics firm
• On May 8, 2014, Victim B’s corporate controller (Tim) was
contacted by an individual purporting to be the CFO
(James) and directed to send a $176,081.46 wire,
supposedly at the direction of the CEO (George)
• Both wires were sent before the fraud was detected
resulting in a loss of $343,613.38
• Wire 1 was sent to:
XXXXXXXXX Entertainment Inc.
Taichung Commercial Bank
Taipei, Taiwan
• Wire 2 was sent to:
XXX LTD.
Malayan Bank
Kuala Lumpur, Malaysia
• Victim B continued to be targeted.
• In December 2014, a Victim B employee in Accounts Receivable (Catherine) was found to have opened an infected email attachment that compromised her email
• Victim B customers then began to receive correspondence from a spoofed email using Catherine’s name and an outlook.com email address.
• The customers were asked to redirect payments to an account in Victim B’s name (but not controlled by Victim B) at NATIONAL WESTMINSTER BANK in the United Kingdom
• These attempts were unsuccessful with the exception of a single payment of $36,779.85 on 2/11/2015
Malwarebytes detection, 1/16/15: malware was detected, pidloc.txt (Malware.Trace.E)
[Slide showed the vendor’s generic symptom description for this detection: slow PC, changed home page or new desktop shortcuts, pop-up ads, and e-mails the user did not write being sent from their mailbox]
BEC Descriptions
Version 3:
Business Executive and Attorney Impersonation
• Fraudsters first contact an employee pretending to be a business executive,
saying that an attorney will be calling or sending an e-mail about an urgent
matter.
• The fraudsters contact the same employee pretending to be an attorney.
• The employee is requested to assist in handling confidential or time-sensitive matters that involve the transfer of funds.
• The employee is pressured to act quickly or secretly in handling the transfer
of funds.
• Requests may occur at the end of the business day or work week or are timed to coincide with the close of business of international financial institutions.
BEC Example – Attorney Impersonation
BEC Variants
Version 4:
A business working with a foreign supplier
• A business orders goods from a trusted supplier, usually in China or
Hong Kong.
• The customer/victim is contacted by a fraudster via phone, fax, or email to change the payment location of the invoice, usually to a bank in China or Hong Kong.
• The customer sends payment to the new bank account.
BEC Hallmarks
• Businesses and associated personnel using open source e-mail accounts are predominantly targeted.
• Individuals responsible for handling wire transfers within a specific business are targeted.
• Spoofed e-mails very closely mimic a legitimate e-mail request.
• Fraudulent e-mail requests for a wire transfer are usually well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
• Fraudsters use company logos, letterhead, invoice formats, and signatures of employees of the targeted supplier to increase believability.
BEC Hallmarks
• The amount of the fraudulent wire transfer request is business specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
• Additional spoofed e-mail addresses that appear to belong to the targeted business are sometimes copied to fraudulent e-mails.
• Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
• Victims report that IP addresses frequently trace back to free domain registrars.
• The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
BEC Hallmarks
• Employees may be “phished” prior to the BEC incident
• Employees may be pressured to act quickly or secretly in making a transfer of funds
• BEC incidents may be timed for the close of either a domestic or international business day or week
BEC Impact
• US: 7,066 victims; $747,659,840.63 dollar loss
• Outside the US: 1,113 victims; $51,238,118.62 dollar loss
• BEC global total: 8,179 victims; $798,897,959.25 dollar loss
Amounts are only for those cases reported to the FBI from October 2013 to August 2015
BEC Victims by Country
*74 Countries with Victims
October 2013 through June 2015
Who Are the Victims of BEC
• Victims of the BEC scam range from small to large businesses. These
businesses may purchase or supply a variety of goods, such as textiles,
furniture, food, and pharmaceuticals.
• BOTH suppliers and their customers are victims of this scam. The scam
impacts both ends of the supply chain, as both supplies and money can
be lost and business relations may be damaged.
• Since the criminal activity is being facilitated through financial
institutions, the financial institutions themselves can be considered
victims.
Destinations of Fraudulent Transfers
*72 Countries with Subjects
October 2013 through June 2015
Common Types of Cyber-enabled Fraud
Targeting Individuals
• Romance Scams
– Every dating web site on the Internet is affected
• Advanced Fee Scheme
– International Lottery
– Overseas Inheritance
• IRS/DEA/FBI intimidation
– Sometimes with inside knowledge
• Account Takeovers
• Email Account Compromise
• Income Tax Refund Fraud
Romance Scams
• Vulnerable individuals, often elderly females, are
targeted by fraudsters purporting to be U.S.
businessmen or service members located overseas
• Victims are moved off website messaging as soon
as possible
• Most victim contact continues via SMS text
message, Yahoo! Chat, or email
• After cultivating a strong romantic connection, the
fraudster begins a never-ending string of scams
• Many victims believe they are engaged to the
fraudster and carry on the relationship for years and
continue even after confronted by family or the FBI
Typical Romance Scam Profiles
“Phillip Low”
• Low purported to own a
construction company
working on a project in the
Philippines
• Low provided collateral
checks and requested
loans to help complete the
project
• The victim lost almost
$70,000
Typical Romance Scam Profiles
“Lantz Thompson”
According to his profile, Lantz is interested in:
“open, honest, long lasting committed relationship, Someone i will grow old with. I believe a successful relationship requires both individuals to put 100% f ortrt (sic) into it. Both must also be able and willing to engage in meaningful conversation, and be able to express their deepest feelings. Surface talk I can do with anyone, and I want more. I enjoy family and friends, but the one who I … enjoy the most is my mate! Nobody comes before her. I also believe we should always strive to be a good example before our children, even if they are grown. Trust and honesty is extremely important to me. If I can't trust my mate, who can I trust? I like people to be their selflf (sic), not pretend to be someone they are not”
Typical Scams
• Oil Business in Nigeria
– Taxes/Fees
– Equipment lost or broken
– Natural disaster
– Bribe corrupt official
– Employee died or injured
• Rare Gem Dealer (SE Asia)
– Customs fees
– Bribe corrupt official
– Imprisoned overseas
• Construction Project in Philippines/Malaysia
– Taxes/Fees
– Equipment lost or broken
– Bribe corrupt official
– Employee died or injured
• Fiancé
– Car accident, hospitalized
– Travel expenses to come “home” to marry victim
– Family member hospitalized
– Robbed overseas
Common Types of Cyber-enabled Fraud
Targeting Individuals
• Advanced Fee Schemes
– International Lottery
– Overseas Inheritance
• IRS/DEA/FBI intimidation
– Sometimes with inside knowledge
• Account Takeovers
• Email Account Compromise
• Income Tax Refund Fraud
Suggestions to Protect Yourself
• Create intrusion detection system rules that flag emails
with extensions that are similar to company email. For
example, legitimate email of abc_company.com would flag
fraudulent email of abc-company.com.
• Register all company domains that are slightly different
than the actual company domain.
• Verify changes in vendor payment location by adding
additional two factor authentication such as having a
secondary sign off by company personnel even if there is a
delay in authorizing the payment.
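The lookalike-domain rule above, together with the hallmarks listed earlier (an employee’s display name on an outside address, Reply-To pointing elsewhere, the phrases “urgent wire transfer” and “code to admin expenses”), can be expressed as a single mail-filter check. This is an added example, not part of the FBI presentation: the company domain follows the deck’s abc_company.com illustration, the staff names and sample messages are constructed, and the edit-distance threshold of 2 is an assumption to tune against real mail flow.

```python
import re
from email.utils import parseaddr

# Constructed values for this example (not from the FBI deck).
COMPANY_DOMAIN = "abc_company.com"
KNOWN_STAFF = {"daniel", "andrew", "catherine"}
# Phrases the deck reports victims seeing in fraudulent requests.
BEC_PHRASES = ("urgent wire transfer", "code to admin expenses")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain, company=COMPANY_DOMAIN):
    """True when domain is not the company domain but closely resembles it
    (e.g. abc-company.com vs abc_company.com). Threshold 2 is an assumption."""
    domain, company = domain.lower(), company.lower()
    if domain == company:
        return False
    strip = lambda d: re.sub(r"[-_.]", "", d)  # ignore separator swaps
    return strip(domain) == strip(company) or edit_distance(domain, company) <= 2


def check_message(headers, body, company=COMPANY_DOMAIN, staff=KNOWN_STAFF):
    """Return the BEC hallmarks a message matches; an empty list means no flag."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if is_lookalike_domain(domain, company):
        reasons.append(f"sender domain {domain} resembles {company}")
    # A known employee's display name arriving from an outside (e.g. webmail) address.
    if name.strip().lower() in staff and domain != company.lower():
        reasons.append(f"display name '{name}' used from outside domain {domain}")
    # Replies silently routed somewhere other than the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain")
    low = body.lower()
    reasons += [f"contains phrase '{p}'" for p in BEC_PHRASES if p in low]
    return reasons


if __name__ == "__main__":
    # Constructed sample messages: one legitimate, one lookalike domain, one webmail spoof.
    for hdrs, text in [
        ({"From": "Daniel <daniel@abc_company.com>"}, "Attached is the signed contract."),
        ({"From": "Daniel <daniel@abc-company.com>"}, "Need an urgent wire transfer today; code to admin expenses."),
        ({"From": "Catherine <catherine@outlook.com>"}, "Please remit future payments to the new account below."),
    ]:
        print(hdrs["From"], "->", check_message(hdrs, text) or "ok")
```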
Suggestions to Protect Yourself
• Confirm requests for transfers of funds. When using phone
verification as part of the two-factor authentication, use
previously known numbers, not the numbers provided in the
e-mail request.
• Know the habits of your customers, including the details of,
reasons behind, and amount of payments.
• Carefully scrutinize all e-mail requests for transfer of funds
to determine if the requests are out of the ordinary.
Suggestions to Protect Yourself
• Avoid free web-based e-mail accounts: Establish a
company domain name and use it to establish company email accounts in lieu of free, web-based accounts.
• Be careful what is posted to social media and company
websites, especially job duties/descriptions, hierarchical
information, and out of office details.
• Be suspicious of requests for secrecy or pressure to take
action quickly.
Suggestions to Protect Yourself
• Talk to your insurance carrier to see if you are covered
in the event of a victimization
• Additional information is publicly available on the
United States Department of Justice website
www.justice.gov; publication entitled “Best Practices for
Victim Response and Reporting of Cyber Incidents”.
File a Complaint
If you believe your business is the victim of cyber-enabled fraud (regardless of dollar amount), report it to
the Internet Crime Complaint Center (IC3) at
www.ic3.gov
Cyber Threat Takeaways
• It’s not just the hackers and data thieves you need
to worry about
• Fraudsters will eventually find a company’s
vulnerabilities wherever they exist and exploit them
• Most of the time the vulnerability will be human in
nature
• You are only as strong as your weakest link,
educate your personnel, especially those in key
positions
Questions?