
Endpoint
4/8/2020 02:00 PM
Shane Shook
Commentary

BEC, Domain Jacking Help Criminals Disrupt Cash Transfers

The two hacking methods occur independently but are being used in concert to steal funds that are part of online payments and transactions.

Spoofed emails and bogus domains allowed bad actors to intercept a $1 million cash transfer between a Chinese venture capitalist and an Israeli startup, Vice recently reported. Rather than a one-off, the scenario can easily recur any time two parties exchange money, even among experienced users who think they're protected.

These attacks work by tricking the paying party into sending the money to an account that appears to belong to the payee but does not. This should grab the attention of investors, who should always take precautions, particularly during significant transactions. A few things to ask before completing a money transfer:

  • Do I really know who I'm sending money to?
  • How do I know?
  • What should I do to protect myself?

Know Your Customer
Business email compromise (BEC) and "domain jacking" are popular methods used by hackers to hijack unwary users. The two methods occur independently, but in recent years have been used in concert to achieve financial fraud in supply chain and vendor payments, customer refunds, foreign exchange currency accounts management, and investment transactions. When money changes hands between counterparties, it is important to know who they (all) are.

In recent years, BEC gangs have taken advantage of the social trust engendered by frequent electronic interactions, focusing on related third parties and using compromised services to interleave or wholly redirect communications between the counterparties of financial transactions. This has led to more than $26 billion in estimated losses from BEC fraud since 2016, according to FBI statistics.

When people think of BEC, they commonly assume the cybercriminal's only interest is stealing information from the targeted mailbox. However, learning who the target communicates with, and how often (the "social graph"), is more valuable to cybercriminals. The social graph is determined by analyzing the frequency of correspondence between victim companies and their customers, investors, service providers, suppliers, and even family and friends. The endgame: Compromise a victim's entire network.

BEC may include compromise of the victim's email services. More sophisticated cybercriminals avoid this tack, since it gives them only limited control over the configuration of a system owned by the victim and risks leaving evidence from which investigators can discover who the criminals are. For the same reason they have also shifted away from malware that alters how a computer (or mobile phone) resolves domain names to Internet addresses, and instead prefer attacks on the routing architecture that businesses and even home or mobile users rely upon.

More often, though, sophisticated cybercriminals use social graph analysis and domain information to perform "brandjacking" or "typosquatting": simple modifications to the domain names used by common correspondents in business emails. Some are obvious, such as an extra letter or a different top-level domain (.co rather than .com, for example). Some are less obvious, such as a substituted character that looks identical to a human but is processed differently by a computer.

Can you spot the differences in these addresses? Would you spot them every time?

Cybercriminals Are Anti-Social
The reason domain jacking is used in concert with social graph analysis from BEC is that today's cybercriminals have realized the power of identity. By following the interactions of correspondents, they can choose when and how to use man-in-the-middle (MITM) attacks with maximum effect, impersonating rather than merely intercepting messages. Cybercriminals can interdict routine messaging between participants using social references familiar from past communications or from public information sources. By drawing the recipient's focus to the message itself, they obscure indicators that might otherwise tip off the recipient to an impersonated email address.

Financial transactions are particularly vulnerable to social engineering through this concerted BEC and MITM activity because they share traits such as an established relationship of trust between two parties; regular or typical correspondence between the parties; and defined expectations (and intent) of time and actions by each.

Trust between parties in financial transactions is developed principally on the basis of identity and repeated correspondence. However, our social nature creates the anti-social opportunities that cybercriminals, after all, characteristically exploit.

When a supplier who corresponds frequently with the payor by email requests a change of payee account number, the payor is more likely to verify it (if at all) by email rather than by another channel. Significant transactions such as investments are negotiated over time, and the social cues the counterparties develop along the way can be mimicked by cybercriminals to take advantage of the transaction and redirect the funds.

Trust, But Verify
There are several precautions you can take to protect your information:

  • Keep your computer and phone software updated and run antivirus scans regularly.
  • Use email, domain, and CASB filtering and monitoring services.
  • Use multi-factor authentication with email, social, and financial services accounts.
  • Use encrypted messaging services such as Slack or Signal rather than email for social or developmental correspondence.
  • Don't use the same Internet browser for financial transactions that you do for other purposes. Use a single-session virtual instance or application isolation.
  • Monitor or periodically audit your social profile on the Internet to see who might be lurking in your "friends" at one degree of separation from your actual friends.
  • Conduct physical audits during transactions and related negotiations.
  • Always verify all participants in conference calls or Web meeting rooms.
  • During transactions, audit the payee's KYC details with their financial institution.
  • Remember that the details of your identity, particularly your history and your social graph, are what's most valuable to a hacker.

Hacking for BEC and MITM, as well as other purposes, will continue. These activities are too easy to perform because too many (technical and social) vulnerabilities exist. Combating them begins with accepting this truth.

Given our reliance on technology, we need to manage technology as we would our other social situations and verify who we are talking with, when, where, and why. Email filters such as "Impersonation Protection," SPF, and DKIM are useful and even essential technologies, but they are subject to these evolving BEC techniques. So just as we'd do when passing a secret (or cash) to a friend, verify that it's really the person they claim to be.
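The two technical points above, lookalike domains (an extra letter, a different top-level domain, or a substituted character from another script) and the limits of SPF/DKIM against them, can be demonstrated in one defensive check. The following is an added example, not code from the article or its author: it reduces a sender domain to a visual "skeleton" (decoding punycode and mapping a small, hand-picked set of confusable characters), compares it against an assumed allow-list of known correspondent domains, and then combines that verdict with the results parsed from an Authentication-Results header. The domain names, the `KNOWN_DOMAINS` list, the `CONFUSABLES` table and all function names are constructed for illustration.

```python
from __future__ import annotations

import re
import unicodedata

# Domains we actually correspond with (constructed sample allow-list).
KNOWN_DOMAINS = {"acme-capital.com", "examplestartup.io"}

# Characters that render like a Latin letter but are different code points.
# A small hand-picked map for this example, not an exhaustive confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u03bf": "o",  # Cyrillic c x i, Greek o
    "0": "o", "1": "l", "3": "e", "5": "s",                      # digit-for-letter swaps
}
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))                   # letter pairs that read as one


def skeleton(domain: str) -> str:
    """Reduce a domain to its visual 'skeleton': decode punycode (xn--) labels,
    strip accents, and map confusable characters onto the Latin letter they imitate."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        label = unicodedata.normalize("NFKD", label)
        label = "".join(ch for ch in label if not unicodedata.combining(ch))
        label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
        for pair, single in MULTI_CONFUSABLES:
            label = label.replace(pair, single)
        labels.append(label)
    return ".".join(labels)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1 (so 'capitla' is one edit from 'capital')."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_domain(sender: str) -> tuple[str, str | None]:
    """Return ('known' | 'lookalike' | 'unrelated', matched known domain or None).
    Assumes name.tld domains; a subdomain like mail.acme-capital.com would first
    need registrable-domain extraction, which this example leaves out."""
    sender = sender.lower()
    if sender in KNOWN_DOMAINS:
        return "known", sender
    s_name, _, _ = skeleton(sender).rpartition(".")
    for known in sorted(KNOWN_DOMAINS):
        k_name, _, _ = skeleton(known).rpartition(".")
        if s_name == k_name:                      # homoglyph/punycode twin or a different TLD
            return "lookalike", known
        if edit_distance(s_name, k_name) <= 1:    # one extra/missing letter or a swapped pair
            return "lookalike", known
    return "unrelated", None


AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)


def parse_auth_results(value: str) -> dict[str, str]:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header value (RFC 8601)."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(value)}


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Name <user@domain>'."""
    m = re.search(r"@([^>\s]+)", from_header)
    return m.group(1).lower() if m else ""


def triage(msg: dict[str, str]) -> dict:
    """Combine authentication results with the correspondent check. SPF/DKIM only prove
    the mail came from the domain it names; when that domain is the criminal's own
    lookalike, both pass, and only the lookalike check catches it. (Real deployments
    should check DMARC alignment rather than a bare spf-or-dkim pass.)"""
    domain = sender_domain(msg.get("From", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    verdict, matched = classify_domain(domain)
    authenticated = auth.get("spf") == "pass" or auth.get("dkim") == "pass"
    if verdict == "lookalike":
        action = "quarantine"                    # impersonates a counterparty, authenticated or not
    elif verdict == "known":
        action = "deliver" if authenticated else "quarantine"   # real domain, spoofed if auth failed
    else:
        action = "review"                        # stranger: route to the usual phishing controls
    return {"domain": domain, "verdict": verdict, "impersonates": matched,
            "authenticated": authenticated, "action": action}


# Constructed sample messages. The fourth uses a punycode label whose first letter is
# Cyrillic 'а' (U+0430); it is encoded here rather than typed in so the value is exact.
PUNYCODE_LOOKALIKE = "\u0430cme-capital".encode("idna").decode("ascii") + ".com"
SAMPLE_MESSAGES = [
    {"From": "CFO <cfo@acme-capital.com>",
     "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=acme-capital.com; dkim=pass header.d=acme-capital.com"},
    {"From": "CFO <cfo@acme-capitall.com>",    # one extra letter
     "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=acme-capitall.com; dkim=pass header.d=acme-capitall.com"},
    {"From": "CFO <cfo@acme-capital.co>",      # .co instead of .com
     "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=acme-capital.co"},
    {"From": f"CFO <cfo@{PUNYCODE_LOOKALIKE}>",  # homoglyph domain, valid DKIM for itself
     "Authentication-Results": f"mx.example.net; dkim=pass header.d={PUNYCODE_LOOKALIKE}"},
    {"From": "CFO <cfo@acme-capital.com>",     # real domain, but the sender could not authenticate
     "Authentication-Results": "mx.example.net; spf=fail smtp.mailfrom=acme-capital.com; dkim=none"},
]

if __name__ == "__main__":
    for r in map(triage, SAMPLE_MESSAGES):
        print(f"{r['action']:10} {r['domain']:30} {r['verdict']:10} impersonates={r['impersonates']}")
```

Messages two through four all pass SPF or DKIM because the criminal controls the lookalike domain and can publish valid records for it; only the comparison against the known-correspondent list flags them. The edit-distance threshold of one will produce false positives for very short domain names, so in practice the allow-list comparison belongs alongside, not instead of, the out-of-band verification the article recommends.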


Shane Shook, PhD, is a recognized veteran of information technology and security consulting. An author, trainer and expert witness in cybercrime investigations, Dr. Shook works with the team at Forgepoint Capital while also serving as an advisor to several companies in the ...