Baiting the Phisherman: When Companies Strike Back at Scammers (Do Not Try This at Home)

Posted by Admin on May 16, 2016

Dangerous computer hacks and internet scams do not always have to be complicated. With a simple ‘typo’ in a domain name, attackers can impersonate senior executives and trick employees into transferring money. This scam is a type of phishing known as whaling or business e-mail compromise (BEC). The scammer researches the employees who manage money, then uses the company’s own language to target organizations that commonly work with foreign suppliers or that regularly make wire transfer payments. While the process is not complex, it has been effective for cybercriminals.

The Federal Bureau of Investigation stated that whaling has cost companies more than $2.3 billion in losses over the past three years. Since January 2015, the FBI has seen a 270% increase in identified victims and exposed loss. The problem has gone global: law enforcement has received complaints from victims in every U.S. state and in at least 79 countries.

Employees need to be reminded to pay attention to the details in emails, especially those asking for money. Attackers use tricks in the details of email addresses and URLs, for example turning an ‘i’ into a ‘1’ or an ‘l’. If your employees receive an email like this, they should immediately get in touch with your organization’s security team to ensure the proper steps are put in motion. It is very likely that the scammer will try to extort money from more than one employee; acting fast will give your company a chance to turn the predator into the prey.
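The character swaps described above can be caught mechanically before a message ever reaches a salesperson. The following is an added example, not code from Centripetal Networks or from this post: it takes a list of constructed `From:` headers, extracts the sender domain, and flags any domain that is not the company's real domain but either collapses to it once visually confusable characters (`1` for `l`, `0` for `o`, `rn` for `m`, `vv` for `w`) are normalized, or sits within a small edit distance of it (a dropped hyphen or two transposed letters). The company domain `example-corp.com`, the confusable table and the sample headers are all assumptions made for the example; substitute your own domain and tune the distance threshold to its length.

```python
"""Flag e-mail sender domains that look like, but are not, the company's real domain."""
import re

# Constructed example domain; replace with your organisation's real domain.
LEGIT_DOMAIN = "example-corp.com"

# Visually confusable substitutions commonly seen in lookalike registrations
# (assumed table for this example; extend it for your own fonts and alphabet).
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}


def normalize(domain):
    """Lower-case the domain and fold confusable characters to their lookalike."""
    d = domain.lower().strip().rstrip(".")
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Return the domain part of the first address in a From: header, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None


def classify(from_header, legit=LEGIT_DOMAIN):
    """Classify a From: header relative to the legitimate company domain."""
    dom = sender_domain(from_header)
    if dom is None:
        return "no-domain"
    if dom == legit:
        return "legit"
    # Same string once confusable glyphs are folded: "examp1e" -> "example".
    if normalize(dom) == normalize(legit):
        return "lookalike-confusable"
    # A single dropped/added character or one transposition (two substitutions).
    # Threshold 2 suits a 16-character domain; lower it for short domains.
    if edit_distance(dom, legit) <= 2:
        return "lookalike-typo"
    return "other"


def flag_suspicious(headers, legit=LEGIT_DOMAIN):
    """Return (header, verdict) pairs for every header judged to be a lookalike."""
    results = []
    for h in headers:
        verdict = classify(h, legit)
        if verdict.startswith("lookalike"):
            results.append((h, verdict))
    return results


# Constructed sample headers: one genuine sender, four lookalikes, one unrelated.
SAMPLE_HEADERS = [
    "Chief Executive <ceo@example-corp.com>",
    "Chief Executive <ceo@examp1e-corp.com>",     # digit one for letter l
    "Chief Executive <ceo@exarnple-corp.com>",    # r+n for m
    "Chief Executive <ceo@exmaple-corp.com>",     # transposed letters
    "Chief Executive <ceo@examplecorp.com>",      # hyphen dropped
    "Vendor Billing <billing@totally-different.net>",
]

if __name__ == "__main__":
    for header, verdict in flag_suspicious(SAMPLE_HEADERS):
        print(f"{verdict:22} {header}")
```

Run as a script it prints the four lookalike headers with their verdicts; dropped into a mail gateway rule it would quarantine them for the security team. The edit-distance check is deliberately crude: it catches the single-character registrations this post describes, but a long distance threshold on a short domain will produce false positives, so keep the threshold proportional to the domain length and keep the legitimate domain itself whitelisted.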

Security companies are not immune to such attacks, and our most recent one serves as an example of what to do. The hackers did their research: they had my name and used it in an attempt to steal money from our company, Centripetal Networks. Luckily, as a threat intelligence company, our employees can quickly spot a phishing campaign. We not only took the steps necessary to protect ourselves, we took the opportunity to turn the tables on the scammer and see where it led.

On Monday, April 11th, a Centripetal Networks salesperson received an email claiming to be from CEO Steven Rogers and requesting an immediate wire transfer in the amount of $32,780. The email originated from a similar domain with one spelling change. At a quick glance it is hardly noticeable, and the email looks as if I sent it. Thanks to our salesperson’s keen eye, he knew it was not me and instead forwarded it to our security team for analysis.

After ensuring the company network was safe and employees were aware of the attack, the security team set out to get to the root of the problem. They alerted the Secret Service and then engaged the attackers in several email exchanges, gathering key information about the plan: bank routing and account numbers, several user locations including Malaysia and Nigeria, and the name of an individual in Texas who was to receive the funds.

Of course, once engaged, our security team also set out to take down the operation that owned the misspelled domain name. What we found in doing this was a list of 77 other misspelled domains that the attackers had also commandeered.

It is never too late to remind employees about phishing emails and where to route suspicious finds.

Steven Rogers, CEO of Centripetal Networks
