CEO Fraud Scams are a Growing Concern and IT Pros are Worried

Cybercriminals are conducting CEO fraud scams with increasing frequency and many organizations have already fallen victim to these attacks. Many companies have lost tens of thousands of dollars as a result of these criminal attacks. In some cases, companies have lost hundreds of thousands or millions of dollars.

What are CEO Fraud Scams?

CEO fraud scams involve an attacker impersonating the CEO of an organization and sending an email to the CFO requesting a bank transfer to be made. The account details of the attacker are supplied, together with a legitimate reason for making the transfer.  Oftentimes, these scams involve more than one email. The first requests the transfer, followed by a second email with details of the amount and the bank details for the transaction. By the time the fraudulent transfer is discovered, the funds have been withdrawn from the account and cannot be recovered.

The FBI has issued warnings in the past about these CEO fraud scams. A spate of attacks occurred in Arizona recently. The average transfer request was between $19,000 and $75,000. An April 2016 FBI warning indicated $2.3 billion in losses had been reported between October 2013 and February 2016, with CEO fraud scams increasing by 270% since January 2015.

By training all employees on the common identifiers of phishing emails and also to be more security aware, organizations can reduce the risk of attacks being successful. However, while training is often provided to employees, it is not always given to executives and the CEO. According to a recent survey conducted by Alien Vault, only 44% of IT security professionals said every person – including the CEO – received training on how to identify a phishing email.

Protecting Against CEO Fraud Scams

It is possible to take steps to prevent CEO fraud scams. Email security solutions – SpamTitan for example – can be configured to prevent emails from spoofed domains from being delivered; however, if the email comes from the account of a CEO, there is little that can be done to prevent that email from being delivered. It is therefore essential that training is provided to all members of staff – including executives – on phishing email identification techniques.

Alien Vault polled 300 IT security professionals at Info Security Europe 2016 to determine how prepared organisations were for phishing attacks and what steps had been taken to reduce risk. The results of the survey show that the majority of organisations now provide training to reduce risk, although almost one in five are not taking proactive steps to reduce the risk of phishing and CEO fraud scams.

Almost 45% of companies said they train every single person in the organization on phishing email identification techniques, while 35.4% said that most employees are trained how to identify malicious emails. 19.7% said they do not take proactive steps and deal with phishing problems as and when they occur.

37% of Executives Have Fallen for a Phishing Scam

Out of the 300 respondents, 37% reported that at least one executive had fallen for a phishing scam in the past, while 23.9% of respondents were unaware if they had. However, even though many had experienced phishing attacks, IT security professionals were not confident that such attacks would not happen again in the future.

More than half of respondents believed that company executives could fall for a scam, while nearly 30% said that if the scam was convincing, their executives may be fooled. Only 18.5% said that their executives had been thoroughly briefed and were well aware of the dangers and would not fall for such a scam.

CEO fraud scams can be extremely lucrative for attackers, and oftentimes a considerable amount of time is spent researching companies and crafting clever emails. A variety of social engineering techniques are used and the emails can be very convincing.

Training is important, but it is also vital that efforts are made to ensure the training has been effective. The best way to ensure that all individuals have understood the training is to conduct phishing exercises – Sending dummy phishing emails in an attempt to get a response. This allows IT departments to direct further training programs and ensure that weak links are addressed.

Office 365 Zero Day Exploited to Deliver Cerber Ransomware

A new Microsoft Office 365 zero day vulnerability is being exploited by hackers to deliver Cerber ransomware. The latest attack is being conducted on a large scale and it has been estimated that millions of business users have already been impacted by the latest Cerber ransomware campaign.

It can be difficult to keep up to date with all of the ransomware variants currently being used by cybercriminals. The malicious file-encrypting software is constantly being tweaked and reinvented by cybercriminals. Cerber ransomware especially. The criminals behind Cerber frequently change its attack mode.

Cerber was first seen in February this year and has already been delivered using a variety of methods, most recently via the Dridex botnet. Spam emails containing malicious Word macros has been favored in the past. If allowed to run, the macros would download Cerber onto victims’ devices. Cerber would then proceed to encrypt documents, images, and a host of other file types.

Victims would be presented with a warning message on screen alerting them to the infection, and an audio file would be played to chilling effect. Cerber was unique in this respect, essentially speaking to its victims.  Cerber has also been delivered using malvertising – advertisements placed in third party ad networks that direct web visitors to malicious webpages hosting exploit kits. Those exploit kits probe for browser and plugin vulnerabilities which are exploited to deliver the ransomware. That campaign mainly infected users that had failed to keep their Flash plugins up to date.

It is the rapid changes being made by the attackers that has made it so difficult to detect Cerber and prevent infections. Earlier this month, Invincea discovered that Cerber was able to manufacture new payload variants “on the fly”, allowing the attackers to bypass traditional signature-based anti-virus products. Unique hashes and payloads were being generated every 15 seconds! In tests, 40 unique hashes were discovered.

Cerber Ransomware is Now Infecting Users via Microsoft Office 365 Zero Day Vulnerability

The latest attack has bypassed many users’ anti-virus products according to security firm Avanan. It is unclear at this stage exactly how many organizations have been affected, although Avanan reports that 57% of its clients that use Office 365 have been hit.

Users who have not implemented additional email security controls have been infected via their cloud email accounts. The latest attack is bypassing the controls put in place by Microsoft and the spam emails are being delivered to end user accounts. Unfortunately, should Cerber ransomware be installed, the victims will have to recover the encrypted files from backups or pay the ransom.

The criminals behind the latest campaign may currently be exploiting the Microsoft Office 365 zero day vulnerability, but we can be sure that Cerber will continue to evolve.

To protect against Cerber ransomware attacks, business users must ensure that all patches and software updates are applied promptly.

Since ransomware is capable of infecting or deleting back up files, it is essential that backup devices are air gapped. When backups have been performed, the drives need to be disconnected.

Implementing an anti-spam solution – and not relying on Microsoft or Gmail anti-spam filters – can also help to keep businesses protected by reducing the risk of ransomware and other phishing emails from being delivered to end users.

Necurs Botnet Reactivated: Locky Ransomware Emails Surge

After a period of quiet, the Necurs botnet is back in action. A number of security companies have reported a massive surge in botnet activity which started on June 21, 2016.

The Necurs botnet has previously been used to send out huge volumes of Dridex malware and Locky; a sophisticated ransomware variant that was first discovered in February 2016. It is too early to tell whether this is just a temporary spike in activity or whether the botnet will be sending emails at the levels seen before the recent lull.

Necurs botnet activity dropped off on May 31. The volume of malicious emails being sent using the botnet fell to as few as 3 million emails per day. However, the number of emails being sent surged on June 21, shooting up to around 80 million emails. 24 hours later the volume of malicious emails had doubled to 160 million. The surge in activity comes is linked to a massive spam email campaign that is delivering emails containing malicious attachments which install Locky ransomware.

It is unclear why there was a period of quiet. Security experts having been pondering this since the dramtic fall in activity on May 31.

The Necurs botnet is massive and is believed to contain approximately 1.7 million computers, spread over 7 separate botnets. It is clear that the botnet had not been taken down, although activity across all seven of the botnets stopped. In April and May of this year, spam email volume was regularly exceeding 150 million emails a day. Now the Necurs botnet appears to be back up to speed.

Around the same time as the pause in activity, Russia’s FSB security service conducted raids resulting in the arrests of approximately 50 hackers. The gang was using the Lurk Trojan to defraud banks and other targets in Russia. It is unclear whether some of those arrests resulted in a disruption to the botnet, or whether the pause was for some other reason. Numerous theories have been suggested for the three-week pause, including the sale or the botnet and issues the operators may have had with the C&C infrastructure. If the botnet has changed hands, a single organization would likely be in control as activity across all seven botnets resumed at the same time.

The resurrection of the Necurs botnet is bad news. According to Proofpoint, the resurrection of the botnet has been accompanied by a new Locky variant which has new capabilities. The latest form of Locky is better at evading detection and determining whether it is running in a sandbox. The new capabilities were detected by Proofpoint shortly before the Necurs botnet went dark.

Eir Phishing Scam Prompts Customer Warning

A new Eir phishing scam has been uncovered which has prompted the Irish communications company to issue a warning to customers. Hundreds of customers received emails offering them a refund yesterday. To claim the refund, the email recipients have been instructed to login to their My Eir account. A fake link is supplied in the email which must be clicked to claim the refund.

Eir Phishing Scam Captures Credit Card Details of Customers

That link directs the email recipient to a fake webpage. The malicious website has been designed to look identical to the Eir website. Users are required to confirm their credit card details in order to obtain the refund. Those credentials are logged by the website and are sent to the criminals running the Eir phishing scam.

Eir has warned customers to be on the lookout for the fraudulent email messages and to delete them if they are received. Any individual who has fallen for the Eir phishing scam and has provided credit card details via the malicious website faces a high risk of credit/debit card fraud.

Phishing email campaigns such as this are commonplace. Attackers use a variety of social engineering techniques to get users to reveal sensitive information such as credit and debit card numbers, which are used by the attackers to make online purchases and rack up huge debts in the victims’ names.

The malicious emails can be extremely convincing. Criminals use legitimate imagery in the phishing emails to fool email recipients into believing the emails are genuine. The malicious spam messages usually contain a link that directs to victims to malicious websites where personal information must be disclosed in order to receive a refund, free gift, or to view important documents. The websites can look identical to the legitimate sites.

Spam Email Poses a Considerable Risk to Businesses

Email scams often direct victims to malicious websites containing exploit kits which probe for weaknesses in browsers and plugins and leverage those vulnerabilities to download malware.

The malware poses a considerable risk for businesses. Malware is used to gain a foothold in a computer network, which can be used to launch cyberattacks to steal valuable data or to gain access to corporate email and bank accounts.

To protect against such attacks, employees should be instructed never to use links sent in emails and to login to websites directly via their browsers. Employees should be provided with training to help them identify phishing emails and email and web spam.

Businesses should also use an anti-spam service such as SpamTitan to capture spam and phishing emails. Preventing the messages from being delivered to end users is the best form of defense against such attacks, and reduces reliance of employees to identify phishing scams.

FBI Releases New Business Email Compromise Scam Data

The FBI issued a new public service announcement which includes new business email compromise scam data. The new data indicates U.S. businesses have lost almost $960 million to business email compromise scams in the past three years, and the total losses from these scams is now almost $3.1 billion.

What is a Business Email Compromise Scam?

A business email compromise scam is a sophisticated attack on a company by scammers that attempt to trick individuals into wiring funds from corporate accounts to the bank accounts of the attackers. Businesses most commonly targeted are those that frequently make foreign transfers to international companies. The attackers must first gain access the email account of the CEO or another high level executive. Then an email is sent from that account to an individual in the accounts department requesting a bank transfer be made. Occasionally the scammer asks for checks to be sent, depending on which method the targeted organization most commonly uses to make payments.

A business email compromise scam does not necessarily require access to a corporate email account to be gained. Attackers can purchase an almost identical domain to that used by the targeted company. They then set up an email account in the name of the CEO using the same format as that used by the company. This can be enough to fool accounts department workers into making the transfer. Business email compromise scams use a variety of social engineering techniques to convince the targeted accounts department employee to make the transfer.

Business Email Compromise Scams are a Growing Problem

The FBI has previously warned businesses of the growing risk of business email compromise scams. In April this year, the FBI Phoenix Office issued a warning about a dramatic rise in BEC attacks. The data showed that between October 2013 and February 2016 there had been at least 17,642 victims of BEC attacks in the United States, and the losses had reached $2.3 billion.

New data from the FBI suggest that the problem is far worse. The FBI has now incorporated business email compromise scam data from the Internet Crime Complaint Center (IC3). 22,143 reports have now been received from business email compromise scam victims, which correspond to losses of $3,086,250,090.

Between October 2013 and May 2016, there have been 15,668 domestic and international victims, and losses of $1,053,849,635 have been reported. In the U.S. alone, there have been 14,032 victims. Since January 2015, there has been a 1,300% increase in losses as a result of BEC attacks. The majority of the funds have been wired to Asian bank accounts in China and Hong Kong.

The FBI warns of five scenarios that are used by criminals to commit fraud using BEC scams:

  1. Requests for W-2s or PII from the HR department – The data are used to file fraudulent tax returns in the names of employees
  2. Requests from foreign suppliers to wire money to new accounts – Attackers discover the name of a regular foreign supplier and send an email request for payment, including new bank details (their own).
  3. Request from the CEO for a new transfer – The CEO’s (or other executive) email account is compromised and a request for a new bank transfer is sent to an individual in the accounts department who is responsible for making bank transfers
  4. A personal email account of an employee of a business is compromised – That account is used to send payment requests to multiple vendors who have been identified from the employee’s contact list
  5. Impersonation of an attorney – Emails are sent from attackers claiming to be attorneys, or representatives of law firms, requesting urgent transfers of funds to pay for time-sensitive matters

To protect against BEC attacks, businesses are advised to use 2-factor authentication on all business bank transfers, in particular those that require payments to be sent overseas.  Organizations should treat all bank transfer requests with suspicion if a request is sent via email and pressure is placed on an individual to act quickly and make the transfer.

The FBI recommends that businesses never use free web-based email accounts for business purposes. Organizations should also be careful about the information posted to social media accounts, in particular company information, job descriptions and duties, out of office details, and hierarchical information about the company.