At the end of 2017, SWIFT, which moves trillions of dollars around the globe each day, warned the world’s banks that international cyber-crime is on the rise with gangs using increasingly sophisticated tools and techniques to launch new attacks.
These attacks are now being designed to circumvent the kind of security gateways and email filters on which companies now increasingly depend for their cyber security. They often involve several levels of preparation including patient social engineering where organized criminal gangs (OCGs) spend weeks or even months following a targeted executive’s online presence and monitoring his/her activities on social media sites. The OCGs also closely examine activity on the target company’s website as well as those of its partners, subsidiaries and clients.
Once a sufficiently accurate profile of the target has been constructed, the OCG can select any one of a number of new and potentially devastating attack vectors.
These include, for example, new whaling techniques such as the weaponization of Google Drive applications such as word-processing ‘Docs’, presentation ‘Slides’ and spreadsheet ‘Sheets’. These are used in conjunction with social engineering techniques such as trawling social media to build enough of a personal profile of the whaling target to make the Google “lure” appear to come from a legitimate source such as a trusted colleague, client or potential business partner.
The targeted executive or key member is sent a legitimate invitation to the weaponized document via Google’s sharing features. Using a weaponized Google spreadsheet hosted on the legitimate Google platform, a remote HTML platform will open, mimicking the Google sign-in process, inviting the victim to re-authenticate.
Because the “lure” contains a legitimate URL and appears to have come from a legitimate sender, the targeted company’s email based security gateway is unlikely to filter or quarantine the content.
Once the unsuspecting executive or key staff member opens the weaponized document, spreadsheet or presentation, he or she will have no reason to suspect anything while the organization’s entire system is silently being infiltrated and compromised. The duped executive or member of staff and the firm’s IT security department may only become aware of the breach once the company receives a ransomware demand or is compromised in some other fashion.
Sometimes, the threat actor can remain unnoticed for some time, as was the case with the massive hack detected last year into the accountancy giant Deloitte, which was reported to have compromised a server that contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world’s biggest multinationals.
The initial breach, believed to involve a compromised administrator account or accounts within Deloitte’s global email platform hosted on Microsoft’s Azure cloud, is reported as occurring during October or November of 2016 although it remained undiscovered until March 2017. Given this, the threat actor had effectively four to five months of potentially unrestricted access to the mailboxes of Deloitte’s 244,000 employees and any customer data contained therein.
One reason why cyber-attacks are becoming more sophisticated, better orchestrated and increasingly ambitious is because many of the international criminal gangs behind them are now thought to be basing their operations in ‘safe’ and long-term locations outside the jurisdiction of security services in Western regions such as the UK, the US and Europe.
Secure from investigation or prosecution in geographies such as Russia, the OCGs can take their time in carefully orchestrating long term ongoing scams taking place across a number of countries. For example, in the case of refund fraud, the act of defrauding a retailer via the return process, 32% of the threat actors originate from Europe, mainly Russia.
It is believed that may have been the case in the recent Infraud case, where an internationally coordinated police operation uncovered an international criminal organization trafficking in stolen financial data, identities and contraband worth over $530 million in losses.
Infraud's alleged creator, the Ukrainian Svyatoslav Bondarenko, is reported to have ruled that all buying and selling of stolen data from Russian victims would be banned from Infraud’s forum. As the Russian authorities are notoriously reluctant to prosecute cyber-crimes perpetrated on those outside their jurisdiction, this could have enabled Infraud to operate from servers inside Russia.
There are also growing fears among western security services that the increasingly sophisticated social engineering and phishing and whaling techniques now being deployed from countries such as Russia may also be being used by nation states intent on conducting cyber-attacks against other countries.
The danger was highlighted at the end of January 2018 by Britain’s defense secretary, Gavin Williamson, when he warned of potential Russian cyber attacks targeting the UK’s infrastructure and energy supplies.
This means that UK-based organizations of all kinds must now be prepared for increasingly sophisticated attacks from OCGs based overseas. Senior executives, in particular, should be taught to exercise caution online, especially when using social media.