Search Results

Share Article:

Facebook Twitter Linkedin Mail

A silent cyber crime blitzkrieg as Aussie businesses robbed of millions

Cyber Security Business tips

Posted on May 22, 2018

5 min read

Business email compromise devastates Australia, but a few simple steps can foil attacks.

It was a mundane email sent to a delinquent client: “Payment of your invoice is overdue”. Nothing about it alluded to the deep financial and personal pain the owners of the small Melbourne construction business were set to endure at the hands of online criminals who had just fleeced them of more than $100,000.

But perpetrators of business email compromise (BEC), a form of cyber-crime described by seasoned security experts as “out of control” and operating on a “phenomenal” scale costing businesses billions of dollars a year, rarely offer victims clues of their crimes until it is too late.

The scams, experts agree, are on an epidemic scale with businesses in each Australian state and territory losing thousands of dollars every day. Criminal investigators say Australian businesses regularly lose “often more than $100,000 per incident”.

Yet public reports of these attacks have been minimal.

These attacks are a world apart in their technical complexity from the type of advanced state-sponsored hacking that captures headlines; BEC is mostly textbook swindling with an occasional click of automated hacking platforms.

It take different forms, all of which criminals deploy to devastating effect. Criminals, in an example known as whaling, will impersonate a company director in an email to a subordinate financial controller ordering them to pay money to their bank account.

In another, known as doctored invoicing, scammers will use automated tools to break into a business’ email inbox and alter the payable bank accounts on client invoices.

A brazen online criminal apparatus means criminals need not even hack email accounts and can simply buy that access from other criminals.

Chain of events

This is what happened to the Melbourne-based Buildr (we are concealing the victim’s true identity).

Buildr staff discovered they had been robbed only after their client informed them the invoice was paid two months earlier.

This chain of events made little sense to Buildr. Emails showed their project manager had sent the invoice to the client, along with a thank you note and glib wishes for the weekend.

There was no reply and the exchange fell silent for the next three months.

Follow up phone calls revealed the invoice the client received contained a bank account number that did not match that sent by Buildr.

A Buildr IT technician suspected foul play and appealed to trusted information security contacts, finding Kayne Naughton – a Melbourne-based threat intelligence expert at Cosive, with a much-exercised history in computer forensics and combatting financially-driven cyber-crime.

“This isn’t even my day job, it’s barely my side job, and I’ve handled about $2 million in losses across Australian businesses in the last few years,” Naughton says.

“It’s out of control”.

The same attacker who targeted Buildr is thought to have stolen hundreds of thousands of dollars from more than a dozen Australian businesses using the same BEC techniques.

Rising tides

Business email compromise is exploding in growth and financial impact across the world. The FBI in October last year estimated BEC had cost businesses in all countries some US$5.3 billion.

The Australian Federal Government says businesses here have lost more than $20 million to BEC between 2016 and 2017, up from $8.6 million the previous year. It had in the three years to December received more than 2000 reports of BEC.

Government numbers on BEC attacks have steadily increased but remain it says “only a small percentage of total activity” thanks to “misreporting and underreporting”.

Source: Telstra’s Security Report 2018.

Losses from BEC are high. Multiple Australian organisations in the last three years have each lost millions of dollars in single unreported BEC attacks, security responders with first-hand knowledge of the incidents tell us.

Typical losses incurred by businesses vary between experts. Some find BEC victims lose about $10,000 an incident, while others handle cases between $25,000 and $50,000 each. Well-placed crime investigators say losses of $100,000 per incident in Australia are common.

Many of these losses are likely absent from government registers. Security experts working in private and public sectors agree that total of all cyber-crime losses reported to government is significantly less than the true costs because many victims, especially businesses, are reluctant to report incidents for fear of public exposure.

Security incident responders contracted to assist hacking and BEC victims are often made to sign non-disclosure agreements that can prevent them from supplying even anonymised crime data to the Federal Government. Many well-intentioned contractors try and fail to convince their clients to lift the reporting ban.

Ghost in the wires

The average BEC scam leans on employing social engineering skills more than hacking prowess. The same was true for the criminal who defrauded Buildr. A combination of automated password guessing, simple email forwarding rules, and a pair of custom email addresses was sufficient to pull off the six-figure crime.

Not all business email compromise attacks run the same way, but most see criminals targeting weak webmail passwords to gain their initial foothold.

Passwords are guessed with the use of online rapid-fire automated tools that test millions of simple words, clichés, and known hacked passwords, against an email login. Buildr’s password, however, was strong and it remains unknown how the credentials were compromised.

The West Africa -based attacker who compromised Buildr’s inbox remained inside for months, searching email exchanges for signs of a business deal, and intercepting and manipulating messages between the company and its client.

Buildr’s attacker registered two domains and email addresses to resemble the real addresses of Buildr and its client (for example creating darren@telstra.io to mimic darren@telstra.com).

The criminal emailed Buildr’s project manager posing as the client and emailed the client posing as the project manager. This allowed them to sit in the middle of the conversation copying and pasting and, at times, editing exchanges between Buildr and its client.

The invoice Buildr intended to send to its client was instead sent to the attacker who modified it such that the bank account for payment matched their own. The client’s email of confirmation of payment never made it to Buildr, buying time for the attacker to secure the stolen funds.

But Buildr’s criminal could have used other means. Many BEC attackers will set up mail forwarding rules within the compromised inbox to divert inbound and outbound emails. These rules may redirect emails between a business and its client to a folder within the compromised inbox that the attacker creates, or could be redirected to the attacker’s external email account.

In the latter case, mail spoofing is often successful at masking the attacker’s interception such that the email exchange between business and client appears normal.

The typical BEC process. (Source: Secureworks)

Other BEC criminals, in a subset of attacks called whaling, will use compromised corporate inboxes or mail spoofing techniques to send emails to finance staff requesting payments be made to their accounts.

Other attackers will target human resources in often successful bids to have employee payslip bank accounts altered.

Crime as a service

Business email compromise like many forms of online crime is offered as turnkey services that reduce the technical skills barriers to entry.

Here, criminals will break into large numbers of email accounts and sell in darkweb and public sites access to the usernames and passwords of the respective compromised inboxes.

It is then up to criminal buyers to pull off the BEC attack, swindling businesses and their clients. “Dollar for effort, BEC offers a better return on investment than any other cyber-crime,” says Alex Tilley, a former cyber-crime veteran of the Australian Federal Police and now an ecrime intelligence expert with Secureworks Counter Threat Unit.

“The amount of cash here is phenomenally large; it represents a very big bucket in cyber-crime.”

Other criminals sell diversion attacks as a managed offering. Denial of Service attacks, where large quantities of junk traffic overwhelm a target, are used against victims by some online criminals in a bid to divert the attention of security teams.

It appears to work. We have heard of instances of BEC victims in Australia who were distracted by Denial of Service attacks while BEC criminals were breaking into corporate inboxes.

Rattled

Any sector where workers wire without secondary validation, like a phone call, significant sums of money to bank accounts etched into emailed invoices are at risk of BEC.

Attacks have hit businesses from manufacturers of children’s toys to global technology behemoths, and scores of industries in between.

But the entry of business email compromise criminals into the Australian real estate sector is setting Tilley on edge.

And it takes a significant crime to rattle Tilley, an operator battle hardened to the worst forms of cyber-crime. This is because he sees the vast amounts of cash moving daily from buyers, agents, and lawyers within Australia’s booming real estate industry at speed as a recipe ripe for BEC attacks.

His experience late last year in buying a house in Queensland spiked his concern when his agent declined his offer to confirm over the phone bank account details they had sent him over email to which large payments were to be made.

Any losses may not be protected. Unlike victims of traditional credit card fraud, real estate buyers who lose money to BEC attacks are not guaranteed to be reimbursed by banks or agents.

This could mean a loss of life savings for some victims; High-value transactions including deposits are vulnerable to BEC targeting as money is transferred without any verification into bank account numbers that are provided over email.

Australia’s old manual settlement and chequebook processes serve to protect the largest residential real estate money transfers, Tilley says. But these manual processes may be open to BEC criminals as they are streamlined in the future.

Meanwhile, the smaller rental market notably around bond payments remains open to BEC targeting. The latest 2016 Census reveals 30.9 percent of Australians rent homes, a year-on-year increase.

Regional specialities

Heritage of the crime can be traced back 60 years to scammers who sent fake lottery winnings through the post.

Perpetrators of BEC are, like those postage fraudsters, based often out of African nations including Ghana, Nigeria, Mali, and Somalia, especially around university towns, or are commonly expatriates from those areas. Experts in law enforcement and private security companies know this because the perpetrators make little effort to conceal their real identities from them. Exchange has seen photos of some individuals experts say are behind serious BEC attacks.

“These are the same guys doing 419 scams and Spanish lotteries,” Tilley says. “When I started this 20 years ago they were pulling smaller cons; These are dudes who have been doing con tricks their whole lives, and now they are digitally enabled.”

The vast sums of money from BEC is laundered through a network of offshore bank accounts and flows in many directions. The laundering networks in Australia are extensive and fast-paced, experts say, with bank accounts “on tap”.

Some networks are known to break the digital money trail and skirt money-laundering checks, by turning stolen funds into Rolex watches that are then carried out of Australia on the wrists of money mules. Many mules, however, are also victims who are unaware that their activities are part of cyber crime operations.

Within West Africa the profits are thought to have bankrolled everything from traditional organised crime to armed conflicts, along with boosting the bank balances of BEC criminals.

One family based Johannesburg linked to BEC was using the proceeds of that crime to buy and sell BMWs on major online trading sites, and were broadcasting their lavish life and huge property investments on social media, posing in photos with popular local rappers and celebrities.

Others operate out of internet cafes where the main users are online scammers. “We’re not talking any of this darkweb marketplace stuff – we’re talking bank notes exchanged for email lists scrawled on grubby bits of paper,” Naughton says. “These cafes are a safe environment for the criminals to learn.”

But experts agree most attackers face little risk of repercussion.

Defence

Better passwords and enabling of two-factor authentication are immediate security controls that businesses should employ to defend against BEC and other cyber threats.

But at least one seasoned security expert within an Australian global enterprise has cooked up some proactive alternative defences.

Speaking on the condition of anonymity, the expert revealed he registered false corporate email addresses such as CEO@hiscompany.com and CFO@hiscompany.com in order to divert and bait attackers targeting is organisation.

An email bot operating within those false email accounts would engage the attackers with one of six written responses styled in the voice of a personal assistant. The responses were designed to trick attackers into thinking they were succeeding with the would-be director, prompting them to email their illicit Australian bank accounts for payment.

The security expert would then report the bank accounts to his anti-fraud contacts within Australia’s Big Four banks. The accounts would be scuppered in what he described as a significant disruption to crucial BEC money laundering operations.

But the dozen security experts interviewed for this story are unanimous: the best defence against BEC is a simple phone call. Most businesses should be able to introduce a phone call as “another step in the playbook”, Tilley says, to confirm a bank account number ahead of a significant money transfer.

This advice is more complex for organisations which regularly fire off large amounts of money across international borders, Naughton says, but should still be implemented. “No one is going to hold up a transfer of a few million for fun, but it is worth making that one phone call,” he says.

Technical controls do play a key role. Unique passwords, such as a personal and perhaps nonsensical non-cliché phrase, are critical to protect important accounts. Password managers are a worthy consideration for all users.

Corporate inboxes protected by reused or common passwords without two factor authentication are at significant risk of attack.

Google and University of California, Berkeley, academics found in November research that users who had an account login compromised in a phishing attack were 400 times more likely to have their Google account subsequently hijacked, compared to those who had never been phished.

Naughton undertook a series of defensive recommendations for Buildr. Validation of bank accounts over phone prior to payment was top of the list, along with better monitoring of out of country logins – a difficult task for a multinational business. “You should have a phone number to call for big transfers of money,” he says. “It’s a cheap and easy fix.”