Record-Breaking BEC Recovery: A Case Study and Future Implications

Executive Summary

INTERPOL’s recent recovery of over $40 million in a Business Email Compromise (BEC) scam marks a significant milestone in cybercrime prevention. This case study examines the incident, its resolution, and the broader implications for business cybersecurity.

Incident Overview

A Singapore-based commodity firm fell victim to a sophisticated BEC scam, resulting in an unauthorized transfer of $42.3 million to an account in Timor Leste. The scam exploited a common vulnerability in business processes: the manipulation of vendor email communications to redirect legitimate payments.

Resolution

  1. Rapid Reporting: Upon discovery, the victim company promptly alerted local authorities.
  2. International Cooperation: INTERPOL’s Global Rapid Intervention of Payments (I-GRIP) team was activated.
  3. Fund Recovery: $39 million was initially recovered, with an additional $2 million seized during follow-up investigations.
  4. Arrests: Seven suspects were apprehended, demonstrating the effectiveness of international law enforcement collaboration.

Key Takeaways

  • Evolving Threat Landscape: BEC scams continue to pose a significant and growing threat to businesses globally.
  • Importance of Swift Action: Rapid reporting and response were crucial in recovering a substantial portion of the stolen funds.
  • International Cooperation: The success of this operation highlights the effectiveness of coordinated global efforts in combating cybercrime.

Future Implications for BEC Compromises

  1. Adaptive Cybercriminal Tactics:
    • Expect more sophisticated, multi-layered scams designed to evade detection.
    • Potential shift towards higher-volume, lower-value attacks to avoid triggering large-scale investigations.
  2. Enhanced Prevention Strategies:
    • Implementation of AI-driven email authentication systems.
    • Adoption of blockchain technology for transaction verification.
    • Development of more robust and frequent employee training programs.
  3. Advanced Response Mechanisms:
    • Potential development of global, real-time financial transaction monitoring systems.
    • Increased integration of cybersecurity measures within standard business processes.

Recommendations for Businesses

  1. Implement rigorous email authentication protocols.
  2. Establish and regularly update vendor verification procedures.
  3. Conduct frequent, comprehensive cybersecurity training for all employees.
  4. Develop and maintain relationships with local law enforcement and cybersecurity agencies.

Contacting I-GRIP

In the event of a suspected BEC attack:

  1. Immediately contact your local law enforcement agency.
  2. Provide all relevant details of the suspected fraud.
  3. Request that your case be escalated to INTERPOL if it involves international transactions.
  4. For general information on international cybercrime reporting, visit www.interpol.int.

By staying informed and proactive, businesses can significantly mitigate the risks associated with BEC scams and contribute to a more secure global business environment.

Ensuring Cybersecurity: Blocking Discord Access with Firewall Rules

 

I. Introduction

Purpose of Blocking Discord Access

Social media and communication platforms like Discord are everywhere in today’s digital landscape. However, their widespread use also introduces significant cybersecurity risks. Discord, known for its extensive user base and real-time communication features, can be a vector for malicious actors’ malware distribution and command and control (C2) operations. Blocking access to Discord within a corporate environment is a proactive measure to mitigate these risks.

Importance of Controlled Access to Prevent Malware Command and Control

Controlling access to external platforms is crucial in preventing unauthorized use of corporate resources for malicious purposes. By restricting access to platforms like Discord, organizations can reduce the risk of malware infections, data breaches, and unauthorized communications. This measure helps keep network integrity and security intact, safeguarding sensitive business information from cyber threats.

II. Assessing Business Needs

Identifying Users with Legitimate Business Needs

Before implementing a blanket ban on Discord, it’s essential to identify any legitimate business needs for accessing the platform. This could include marketing teams monitoring brand presence, developers collaborating with external partners, or customer support teams engaging with clients through Discord channels.

Documenting and Justifying Business Needs

Once legitimate needs are identified, they should be documented comprehensively. This documentation should include the specific reasons for access, the potential benefits to the business, and any risks associated with allowing such access. This step ensures that decisions are transparent and justifiable.

Approval Process for Access

Establish a formal approval process for users requesting access to Discord. This process should involve a thorough IT and security team review, considering the documented business needs and potential security risks. Approved users should be granted access through secure, monitored channels to ensure compliance with corporate policies.

III. Technical Controls

A. Network Segmentation

Isolating Critical Systems

One of the fundamental strategies in cybersecurity is network segmentation. Organizations can limit the potential impact of a security breach by isolating critical systems from the rest of the network. Critical systems should be placed in separate VLANs (Virtual Local Area Networks) with strict access controls.

Implementing VLANs

Creating VLANs for different departments or user groups can help manage and monitor network traffic more effectively. For instance, placing high-risk users (those needing access to external platforms like Discord) in a separate VLAN allows for focused monitoring and control without impacting the broader network.

B. Firewall Rules

Blocking Discord-Related IPs and Domains

To block Discord access, configure firewall rules to block known Discord IP addresses and domain names. For example:

! Block Discord IP addresses
access-list 101 deny ip any host 162.159.129.233
access-list 101 deny ip any host 162.159.128.233

! Block Discord domain names
ip domain list discord.com
ip domain list discord.gg
access-list 101 deny ip any host discord.com
access-list 101 deny ip any host discord.gg

! Apply the access list to the appropriate interface
interface GigabitEthernet0/1
 ip access-group 101 in
    

For comprehensive lists of Discord servers and IPs to block, refer to resources such as:

Creating Whitelists for Approved Users

For users with approved access, create specific firewall rules to allow traffic. This can be done by setting up a whitelist:

! Allow approved users to access Discord
access-list 102 permit ip host approved_user_ip any

! Apply the whitelist access list to the appropriate interface
interface GigabitEthernet0/1
 ip access-group 102 in
    

C. Proxy Servers

Filtering Traffic

Utilize proxy servers to filter and control web traffic. Proxy servers can block access to Discord by filtering requests to known Discord domains. This ensures that only approved traffic passes through the network.

Monitoring and Logging Access

Proxy servers should also be configured to monitor and log all access attempts. These logs should be reviewed regularly to detect unauthorized access attempts and potential security threats.

D. Application Control

Blocking Discord Application

Application control can prevent the installation and execution of the Discord application on corporate devices. Use endpoint security solutions to enforce policies that block unauthorized software.

Allowing Access Only to Approved Instances

For users who need Discord for legitimate reasons, ensure they use only approved instances. This can be managed by allowing access only through specific devices or within certain network segments, with continuous monitoring for compliance.

Conclusion

Blocking Discord access in a corporate environment involves a multi-layered approach combining policy enforcement, network segmentation, firewall rules, proxy filtering, and application control. Organizations can mitigate the risks associated with Discord by thoroughly assessing business needs, documenting justifications, and implementing robust technical controls while allowing necessary business functions to continue securely.

For assistance or additional insights on implementing these controls, contact MicroSolved. Our team of experts is here to help you navigate the complexities of cybersecurity and ensure your organization remains protected against emerging threats.

 

 

* AI tools were used as a research assistant for this content.

 

All About Credit Union Credential Stuffing Attacks

Credential stuffing attacks continue to be a grave concern for all organizations worldwide. However, for many Credit Unions and other financial institutions, they represent one of the most significant threats. They are a common cause of data breaches and are involved in some 76% of all security incidents. On average, our honey nets pretending to be Credit Union and other financial services experience targeted credential stuffing attacks several times per week. 

What Is Credential Stuffing?

“Credential stuffing occurs when hackers use stolen information, such as usernames and passwords from database breaches or phishing software from one account, and attempt to gain access to another. The hackers prey on people’s habit of using the same usernames and passwords for multiple sites. Using automated tools, they run large amounts of stolen information across multiple sites looking to find the same usernames and passwords being used elsewhere. Once they find a match, they can monetize the personal and financial information they gather.” (ardentcu.org)

How Common is Credential Stuffing?

Beyond our honey nets, which are completely fake environments used to study attackers, credential stuffing and the damage it causes is quite starteling. Here are some quick facts:

  • It is estimated that automated credential-stuffing attempts makes up 90% of enterprise login traffic in the US. (securityboulevard.com)
  • It’s estimated that credential stuffing costs companies more than $5 billion a year and creates havoc with consumers. (ardentcu.org)

  • According to Akamai’s latest State of the Internet report on credential stuffing, its customers alone were deluged by 30 billion malicious login attempts between November 2017 and June this year, an average of 3.75 billion per month. (theregister.com)

  • Significant credential stuffing attacks are a favorite of professional hacking groups from Russia, India, Asia and Africa. They often gather extensive lists of stolen and leaked credentials through advanced Google hacking techniques, by combing social media for password dumps (so called “credential spills”) and by purchasing lists of exposed credentials from other criminals on the dark web. Lists of member information from compromised online banking, online retailers and business association sites are common. This information often includes names, addresses, bank account numbers/credit card numbers, social security numbers, phone numbers and other sensitive data – enabling credential stuffing and social engineering attacks against victims around the world.

What Can Credit Unions Do About Credential Stuffing?

The key to handling this threat is to be able to prevent, or at the very least, identify illicit login attempts and automate actions in response to failed logins. Cybercriminals use a variety of tools, rented botnets (including specifically built credential stuffing bots) and brute force attacks to pick off less than strong passwords all around the Internet. Then, as we discussed above, they use that stolen information to probe your credit union for the same login credentials. 

The first, and easiest step, in reducing these cybercriminals’ success rate is to teach all of your legitimate users not to use the same password across multiple systems, and NEVER use passwords from public sites like Facebook, LinkedIn, Instagram, Pinterest or Twitter for example, as account credentials at work or on other important sites. Instead, suggest that they use a password manager application to make it simple to have different passwords for every site. Not only does this help make their passwords stronger, but it can even reduce support costs by reducing password reset requests. Ongoing security awareness is the key to helping them understand this issue and the significance their password choices have on the security of their own personal information and that of the company.

Next, the Credit Union should have a complete inventory of every remote login service, across their Internet presence. Every web application, email service, VPN or remote access portal and every single place that a cybercriminal could try or use their stolen credentials to gain an account takeover. Once, the Credit Union knows where login credentials can be used, they should go about preventing abuse and cyberattacks against those attack surfaces. 

The key to prevention should start with eliminating any Internet login capability that is not required. It should then progress to reducing the scope of each login surface by restricting the source IP addresses that can access that service, if possible. Often Credit Unions are able to restrict this access down to specific countries or geographic areas. While this is not an absolute defense, it does help to reduce the impacts of brute force attacks and botnet scans on the login surfaces. 

The single best control for any authentication mechanism, however, is multi factor authentication (MFA) (basically a form of secure access code provided to the user). Wheverever possible, this control should be used. While multi factor authentication can be difficult to implement on some services, it is widely available and a variety of products exist to support nearly every application and platform. Financial services should already be aware of MFA, since it has been widely regulated by FFIEC, NCUA and FDIC guidance for some time.

More and more, however, credential stuffing is being used against web mail, Office 365 and other email systems. This has become so common, that a subset of data breaches called Business Email Compromise now exists and is tracked separately by law enforcement. This form of unauthorized access has been wildly popular across the world and especially against the financial services of the United States. Compromised email addresses and the resulting wire transfer fraud and ACH fraud that stems from this form of credential theft/identity theft are among some of the highest financial impacts today. Additionally, they commonly lead to malware spread and ransomware infections, if the attacker can’t find a way to steal money or has already managed to do so.

No matter what login mechanism is being abused, even when MFA is in place, logging of both legitimate access and unauthorized access attempts is needed. In the event that a security breach does occur, this data is nearly invaluable to the forensics and investigation processes. Do keep in mind, that many default configurations of web services and cloud-based environments (like Office 365) have much of this logging disabled by default. 

While Credit Unions remain prime targets, having good prevention and detection are a key part of strong risk management against credential stuffing. Practicing incident response skills and business recovery via tabletop exercises and the like also go a long way to stengthening your security team’s capabilities.

How Can MicroSolved Help?

Our team (the oldest security firm in the midwest) has extensive experience with a variety of risk management and security controls, including helping Credit Unions inventory their attack surfaces, identify the best multi factor authentication system for their environment, create policies and processes for ensuring safe operations and performing assessments, configuration audits of devices/applications/cloud environments. 

We also scope and run custom tabletop exercises and help Credit Unions build better information security programs. Our team has extensive experience with business email compromise, wire/ACH/credit card fraud prevention, cybercriminal tactics and incident response, in the event that you discover that credential theft has occurred. 

Lastly, our ClawBack data leak detection platform, can help you watch for leaked credentials, find source code and scripts that might contain reuseable account credentials and even hunt down device configurations that can expose the entire network to easy compromise. 

You can learn more about all of our services, and our 28 years of information security thought leadership here.

Lastly, just reach out to us and get in touch here. We’d love to talk with your Credit Union and help you with any and all of these controls for protecting against credential stuffing attacks or any other cybersecurity issue.

Car Dealership Threat Scenario – Wireless Printer Hacking AP Fraud

Today, I wanted to talk about a threat scenario that we have modeled recently. In the scenario, the victim was a car dealership, and the target was to commit accounts payable fraud. The testing scenario is a penetration test against a large group of car dealerships, but our research shows the threat to be valid against any number of organizations. 

Here’s the basics of the scenario:

  • The team found a car dealership with an extensive wireless network. Though the network was encrypted and not available to the public, the team was able to compromise the wireless credentials using a wifi pineapple in a backpack, while pretending to shop for a new car.
  • The team used the credentials to return later, appearing to wait for a service visit and working from the customer lounge. (The coffee and snacks were great! )
  • The team logged into the wireless network and quickly identified many devices, workstations and such available. Rather than focus on the workstations or attempt an attack on the users – the team instead focused on the shared printers.
  • One printer was identified with the name “BackOffice”, and access to the print spool was easily obtained through known default passwords which hadn’t been changed on the device.
  • Our team made notes of attack their recon attack path, and left the dealership.
  • Once away from the dealership a couple of simple social engineering calls were made to the accounts payable folks, pretending to be a vendor that we had observed at work at the facility. Without any real information, the accounts payable team member explained when we could expect payment, because accounts payable checks were processed every Thursday morning. The social engineer thanked them and completed the call.
  • On Thursday morning, the team showed up at the dealership again, pretending to wait for a service appointment. While in the lounge, they accessed the compromised network and printer. This time, taking deeper control of the printer’s file buffer.
  • The team waited for the accounts payable staff to submit their weekly check printing to the printer. Indeed, around 10:45, the printer file showed up in the printer spool, where our penetration testing team intercepted it. 
  • The team quickly edited the file, changing one of the checks in amount (increasing the amount by several thousand dollars) and the payee (making the check payable to a fictional company of our choosing). They also edited the mailing address to come to our office instead of the original vendor. (PS – we alerted the manager to this issue, so that the bill could be paid later — never harm a client while doing testing!!!)
  • The file was then re-sent to the printer and released. The whole process occurred in under 3 minutes, so the AP person never even noticed the issue.
  • One expected control was that perhaps the AP staff would manually reconcile the checks against their expected checks, but this control was not in place and the fake check was mailed to us (we returned it, of course!).

This is a pretty simple attack, against a very commonly exploitable platform. Poor wireless network security and default installs of printer systems are common issues, and often not given much thought in most dealerships. Even when organizations have firewalls and ongoing vulnerability scanning, desktop controls, Anti-Virus, etc. – this type of attack is likely to work. Most organizations ignore their printers – and this is an example of how that can bite you.

These types of threat scenarios are great examples of our services and the threat modeling, fraud testing and penetration testing available. If you’d like to learn more about these kinds of activities, or discuss how to have them performed for your organization – get in touch. You can contact us via web form or give us a call at (614) 351-1237. You can also learn more about our role and services specific to car dealerships here.

Thanks for reading and let me know if you have any questions – @lbhuston on Twitter.

3 Threats We Are Modeling for Clients These Days

Just a quick post today to discuss three threat scenarios we are modeling frequently with clients these days. #ThreatModeling

1) Ransomeware or other malware infection sourced from managed service providers – this scenario is become a very common issue, so common that DHS and several other organizations have released advisories. Attacker campaigns against managed services providers have been identified and many have yielded some high value breaches. The most common threat is spear phishing into a MSP, with the attackers eventually gaining access to the capability to push software to the clients. They then push a command and control malware or a ransomware infection down the pipe. Often, it is quite some time before the source of the event is traced back to the MSP. The defenses here are somewhat limited, but the scenario definitely should be practiced at the tabletop level. Often, these MSPs have successfully passed a SOC audit, but have very little security maturity beyond the baselines.

2) Successful credential stuffing attacks against Office 365 implementations leading to wire/ACH/AP fraud – This is another very common scenario, not just for banks and credit unions, but a lot of small and mid-size organizations have fallen victim to it as well via account payable attacks. In the scenario, either a user is phished into giving up credentials, or a leaked set of credentials is leveraged to gain access to the Office 365 mail and chat system. The attackers then leverage this capability to perform their fraud, appearing to come from internal email accounts and chats. They often make use of stored forms and phish their way to other internal users in the approval chain to get the money to actually move. Once they have their cash, they often use these email accounts to spread malware and ransomware to other victims inside the organization or in business partners – continuing the chain over and over again. The defenses here are to MFA, limited access to the O365 environment to require VPN or other IP-specifc filtering, hardening the O365 environment and enabling many of the detection and prevention controls that are off by default. 

3) Voicemail hacking and dial-system fraud – I know, I know, it’s 2020… But, this remains an incredibly impactful attack, especially against key management employees or employees who traffic in highly confidential data. Often this is accessed and then either used for profit via trading (think M&A info) or as ransom/blackmail types of social engineering. Just like above, the attackers often hack one account and then use social engineering to get other users to follow instructions around fraud or change their voicemail password to a given number, etc. Larger corporations where social familiarity of employees and management is low are a common attack target. Dial system fraud for outbound long distance remains pretty common, especially over long weekends and holidays. Basically, the attackers hack an account and use call forwarding to send calls to a foreign number – then sell access to the hacked voicemail line, changing the destination number for each caller. Outbound dial tone is also highly regarded here and quite valuable on the underground markets. Often the fraud goes undetected for 60-90 days until the audit process kicks in, leaving the victim several thousand dollars in debt from the illicit activity. The defenses here are voicemail and phone system auditing, configuration reviews, hardening and lowering lockout thresholds on password attempts. 

We can help with all of these issues and defenses, but we love to help organizations with threat scenario generation, threat modeling and attack surface mapping. If you need some insights into outside the box attacks and fraud potential, give us a call. Our engagements in this space are informative, useful and affordable.

Thanks for reading, and until next time, stay safe out there! 

Introducing ClawBack :: Data Leak Detection Powered By MicroSolved

Cb 10We’ve worked with our clients and partners to put together a world-class data leak detection platform that is so easy to use that most security teams have it up and running in less than five minutes. No hardware appliance or software agent to deploy, no console to manage and, best of all, affordable for organizations of any size.

In short, ClawBack is data leak detection done right.

There’s a lot more to the story, and that’s why we put together this short (3 minute) video to describe ClawBack, its capabilities and why we created it. Once you check it out, we think you’ll see just how ClawBack fits the mission of MSI to make the online world safer for all of us.

View the video here.

You can also learn a lot more about ClawBack, its use cases and some of the ways we hope it can help you here. On that page, you can also find pricing for three different levels of service, more videos walking you through how to sign up and a video demo of the platform.

Lastly, if you’d like to just get started, you can visit the ClawBack Portal, and select Register to sign up and put ClawBack to work immediately on providing detection for your leaked data.

In the coming weeks, we’ll be talking more about what drove us to develop ClawBack, the success stories we’ve had just while building and testing the platform, and provide some more specifics about how to make the most of ClawBack’s capabilities. In the meantime, thanks for reading, check it out and if you have any questions, drop us a line.

Time to protect – BEC Series #3

A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?

Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.

Part 1 and Part 2 covered the first checkpoint in the list – Identify.

Continue reading

Pay Attention to Egress Anomalies on Weekends

Just a quick note to pay careful attention to egress anomalies when the majority of your employees are not likely to be using the network. Most organizations, even those that are 24/7, experience reduced network egress to the Internet during nights and weekends. This is the perfect time to look for anomalies and to take advantage of the reduced traffic levels to perform deeper analysis such as a traffic level monitoring, average session/connection sizes, anomalies in levels of blocked egress ports, new and never before seen DNS resolutions, etc. 

If you can baseline traffic, even using something abstract like net flow, you may find some amazing stuff. Check it out! 

From Dark Net Research to Real World Safety Issue

On a recent engagement by the MSI Intelligence team, our client had us researching the dark net to discover threats against their global brands. This is a normal and methodology-driven process for the team and the TigerTrax™ platform has been optimized for this work for several years.

We’ve seen plenty of physical threats against clients before. In particular, our threat intelligence and brand monitoring services for professional sports teams have identified several significant threats of violence in the last few years. Unfortunately, this is much more common for high visibility brands and organizations than you might otherwise assume.

In this particular instance, conversations were flagged by TigerTrax from underground forums that were discussing physical attacks against the particular brand. The descriptions were detailed, politically motivated and threatened harm to employees and potentially the public. We immediately reported the issue and provided the captured data to the client. The client reviewed the conversations and correlated them with other physical security occurrences that had been reported by their employees. In today’s world, such threats require vigilant attention and a rapid response.

In this case, the client was able to turn our identified data into insights by using it to gain context from their internal security issue reporting system. From those insights, they were able to quickly launch an awareness campaign for their employees in the areas identified, report the issue to localized law enforcement and invest in additional fire and safety controls for their locations. We may never know if these efforts were truly effective, but if they prevented even a single occurrence of violence or saved a single human life, then that is a strong victory.

Security is often about working against things so that they don’t happen – making it abstract, sometimes frustrating and difficult to explain to some audiences. But, when you can act on binary data as intelligence and use it to prevent violence in the kinetic world, that is the highest of security goals! That is the reason we built TigerTrax and offer the types of intelligence services we do to mature organizations. We believe that insights like these can make a difference and we are proud to help our clients achieve them.

3 Reasons You Need Customized Threat Intelligence

Many clients have been asking us about our customized threat intelligence services and how to best use the data that we can provide.

1. Using HoneyPoint™, we can deploy fake systems and applications, both internally and in key external situations that allow you to generate real-time, specific to your organization, indicators of compromise (IoC) data – including a wide variety of threat source information for blacklisting, baseline metrics to make it easy to measure changes in the levels of threat actions against your organization up to the moment, and a wide variety of scenarios for application and attack surface hardening.

2. Our SilentTiger™ passive assessments, can help you provide a wider lens for vulnerability assessment visibility than your perimeter, specifically. It can be used to assess, either single instance or ongoing, the security posture of locations where your brand is extended to business partners, cloud providers, supply chain vendors, critical dependency API and data flows and other systems well beyond your perimeter. Since the testing is passive, you don’t need permission, contract language or control of the systems being assessed. You can get the data in a stable, familiar format – very similar to vulnerability scanning reports or via customized data feeds into your SEIM/GRC/Ticketing tools or the like. This means you can be more vigilant against more attack surfaces without more effort and more resources.

3. Our customized TigerTrax™ Targeted Threat Intelligence (TTI) offerings can be used for brand specific monitoring around the world, answering specific research questions based on industry / geographic / demographic / psychographic profiles or even products / patents or economic threat research. If you want to know how your brand is being perceived, discussed or threatened around the world, this service can provide that either as a one-time deliverable, or as an ongoing periodic service. If you want our intelligence analysts to look at industry trends, fraud, underground economics, changing activist or attacker tactics and the way they collide with your industry or organization – this is the service that can provide that data to you in a clear and concise manner that lets you take real-world actions.

We have been offering many of these services to select clients for the last several years. Only recently have we decided to offer them to our wider client and reader base. If you’d like to learn how others are using the data or how they are actively hardening their environments and operations based on real-world data and trends, let us know. We’d love to discuss it with you!