Anti-phishing most critical defence against rife CEO email fraud

'Please', 'thanks', and GUMMY BEARS will win over anyone, scam menacer says

AusCERT Internal anti-phishing programs are essential to prevent chief executive officers wiring money to fraudsters, threat man Donald McCarthy says.

The programs are an underrated yet proven method for clamping down on what is perhaps the world's most successful and widely-used avenue to attack businesses and individuals.

Business email compromise, a subset of phishing that tricks executives into wiring money to attackers, is estimated by the FBI to have cost US$740 million in the US alone since 2013.

Anti-phishing schemes involve internal security teams sending realistic but benign phishing emails to staff, and tracking who clicks what. The emails become more tricky as employee competence grows.

Twitter is one of the largest companies to go public with its internal phishing campaign, which thanks to company-wide acceptance and mature feedback loops has dramatically reduced its exposure to social engineering cons.

Donald McCarthy, myNetWatchman. Image: Darren Pauli, The Register

McCarthy, of Atlanta, Georgia-based investigations firm myNetWatchman, knows a lot about business email compromise; the digital detective recapped for the AusCERT conference last week how, earlier this year, he doxed US W2 tax scammers in Africa.

This resulted in personal threats against the investigator's life, and in a series of photographs depicting African email scammers hanging out together, laptops in hand.

McCarthy doxes West African business email compromise scammers.

"There have been some emails, but as a rule I feel relatively secure … you do what you can, and you pay your life insurance every month," McCarthy told El Reg.

About 17,000 business email compromise actors are thought to operate out of West Africa, or about 40 percent of the global pool, McCarthy estimates. Together they inflict billions of dollars in damages on businesses and represent one of the most compelling reasons for implementing anti-phishing schemes.

"I think all organisations greater than one person should use anti-phishing," McCarthy says.

"Even that one person should use it".

No refunds here

Banks are largely not required to reimburse victims of business email compromise, unlike regular instances of carding. The firms have done so ostensibly in the name of customer confidence, but that free ride is likely to end, according to the investigator.

McCarthy says small pleasantries can make otherwise tough financial managers malleable: "Just by saying 'please' and 'thank you' frequently in an email you can get people to do things they would normally not do".

He covered multiple cases where conned managers had wired tens of millions of dollars from their firms en route to business email compromise scammers.

In April such scammers nearly scored US$3 million from toy maker Mattel; the transfer was halted in transit thanks only to a Chinese bank holiday.

The receiving bank is located in China's Wenzhou region, which is infamous for tunnelling cash stolen through such phishing scams. It is thought that 90 percent of funds stolen from European firms through business email compromise are wired into the gritty east coast enclave and then transited out.

There are many platforms for anti-phishing schemes. Paid hosted services like PhishMe are well established, while businesses in Australia are understood to be finding success by piping their phishing through the same outsourced mail services they pay to send their newsletters.

"If you take one thing from this, it is that [anti-phishing] is not something you need to go and buy," McCarthy says.

Slick open source alternatives also exist. Jordan Wright (@jw_sec) published the GoPhish modular framework which he is still actively maintaining.

Whatever the preference, staff incentives and engagement are king. Gift cards and gummy bears are effective rewards for those who report and avoid internal phishing emails.

McCarthy says it will make staff reporting of real phishing attacks "skyrocket".
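As an added illustration of how such a programme tracks who clicks what, and who reports (this is not code from the article, from myNetWatchman, or from any product named here), the Python below assumes a per-recipient HMAC token embedded in each simulation link, a landing page whose access log is in Common Log Format, and a security mailbox to which staff forward suspicious emails. The campaign name, secret, domain names, staff list and log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed campaign settings for this example (not from any real programme).
CAMPAIGN_ID = "q2-invoice-lure"
SECRET = b"per-campaign-signing-key-replace-me"  # kept out of the email template; rotate per campaign
BASE_URL = "https://training.example.internal/t"  # landing page that records the click and shows a lesson

STAFF = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]


def token_for(email: str) -> str:
    """Opaque per-recipient token: an HMAC keyed with the campaign secret, so a token
    attributes a click to exactly one person but cannot be forged or guessed from another's."""
    msg = f"{CAMPAIGN_ID}|{email.strip().lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def tracking_url(email: str) -> str:
    """Link embedded in that recipient's copy of the simulation email."""
    return f"{BASE_URL}?c={CAMPAIGN_ID}&t={token_for(email)}"


def build_lookup(staff):
    """Reverse map token -> email, built once from the recipient list."""
    return {token_for(e): e for e in staff}


# Common Log Format: client ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')


def clicks_from_log(log_lines, lookup):
    """Return {email: timestamp of first click} for requests carrying a valid token.
    Unknown or forged tokens and unrelated requests are ignored."""
    clicks = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group("path")).query)
        if qs.get("c") != [CAMPAIGN_ID]:
            continue
        email = lookup.get(qs.get("t", [""])[0])
        if email and email not in clicks:
            clicks[email] = m.group("ts")
    return clicks


def outcome(email, clicks, reports):
    """Per-person result; a click followed by a report is kept distinct from a silent click."""
    clicked, reported = email in clicks, email in reports
    if clicked and reported:
        return "clicked_then_reported"
    if clicked:
        return "clicked"
    if reported:
        return "reported"
    return "ignored"


def summarise(staff, clicks, reports):
    """Campaign scorecard: per-person outcome plus overall click and report rates."""
    outcomes = {e: outcome(e, clicks, reports) for e in staff}
    counts = Counter(outcomes.values())
    n = len(staff)
    return {
        "outcomes": outcomes,
        "click_rate": round((counts["clicked"] + counts["clicked_then_reported"]) / n, 2),
        "report_rate": round((counts["reported"] + counts["clicked_then_reported"]) / n, 2),
    }


# Constructed sample data: lines from the landing page's access log, plus the staff
# who forwarded the simulation email to the security mailbox.
ACCESS_LOG = [
    f'10.0.0.5 - - [12/Jun/2016:09:14:02 +1000] "GET /t?c={CAMPAIGN_ID}&t={token_for("bob@example.com")} HTTP/1.1" 302',
    '10.0.0.9 - - [12/Jun/2016:09:15:40 +1000] "GET /t?c=q2-invoice-lure&t=deadbeefdeadbeef HTTP/1.1" 302',  # forged token
    f'10.0.0.7 - - [12/Jun/2016:09:20:11 +1000] "GET /t?c={CAMPAIGN_ID}&t={token_for("carol@example.com")} HTTP/1.1" 302',
    '10.0.0.7 - - [12/Jun/2016:09:20:12 +1000] "GET /favicon.ico HTTP/1.1" 404',
]
REPORTS = {"alice@example.com", "carol@example.com"}

if __name__ == "__main__":
    lookup = build_lookup(STAFF)
    print(summarise(STAFF, clicks_from_log(ACCESS_LOG, lookup), REPORTS))
```

The report rate is the number to watch: the gummy-bear economics described above are aimed at moving it, and because reports are keyed to the same recipient list, a person who both clicked and then reported is scored separately from one who clicked and said nothing.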

Companies can also defend against the attacks by keeping tabs on URL squatters who will replicate targeted business sites on domains that appear to be the legitimate firm's address.
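An added example, not from the article or from WhiteHat Security, of the kind of check a mail gateway or a domain-watch job can run against sender domains: it folds each domain (punycode, accents, a few common confusable characters) and flags look-alikes of the organisation's own domain. The organisation domain `example.com`, the confusable table and the sample sender domains are constructed; the code also assumes the last two labels form the registrable name, which does not hold for suffixes such as co.uk.

```python
import unicodedata

LEGIT = "example.com"  # constructed: the organisation's real domain

# Small confusable table (constructed). Multi-character entries come first so that
# "rn" -> "m" runs before any single-character rule could interfere.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic a e o p c
}


def fold(domain: str) -> str:
    """Canonical form for comparison: decode punycode, strip accents, map confusables, lower-case."""
    domain = domain.strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")  # xn-- labels -> Unicode; plain ASCII unchanged
    except UnicodeError:
        pass  # already contains non-ASCII, so it was not punycoded
    domain = unicodedata.normalize("NFKD", domain)
    domain = "".join(ch for ch in domain if not unicodedata.combining(ch))
    for look, real in CONFUSABLES.items():
        domain = domain.replace(look, real)
    return domain.lower()


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): edits including adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check(candidate: str, legit: str = LEGIT) -> dict:
    """Classify one sender domain as legitimate, lookalike (with reasons) or unrelated."""
    original = candidate.strip().lower().rstrip(".")
    legit_l = legit.strip().lower()
    # The domain itself, or a genuine subdomain of it, is fine.
    if original == legit_l or original.endswith("." + legit_l):
        return {"domain": candidate, "verdict": "legitimate", "reasons": []}
    legit_sld, legit_tld = fold(legit_l).split(".")[-2:]
    labels = fold(original).split(".")
    reasons = []
    if len(labels) >= 2:
        sld, tld = labels[-2], labels[-1]
        if sld == legit_sld:
            reasons.append("wrong-tld" if tld != legit_tld else "homoglyph")
        elif osa_distance(sld, legit_sld) <= 1:
            reasons.append("typo")
        elif legit_sld in sld:
            reasons.append("combosquat")  # e.g. secure-example.com
        if legit_sld in labels[:-2]:
            reasons.append("subdomain")  # legit name used as a subdomain of another registrable domain
    if reasons and any(lab.startswith("xn--") for lab in original.split(".")):
        reasons.append("idn")
    return {"domain": candidate, "verdict": "lookalike" if reasons else "unrelated", "reasons": reasons}


def scan(senders):
    """Return the sender domains that look like impersonations of LEGIT."""
    return [r for r in (check(s) for s in senders) if r["verdict"] == "lookalike"]


# Constructed sender domains as they might appear in a mail gateway's envelope log.
SAMPLES = [
    "example.com",                                  # legitimate
    "exarnple.com",                                 # rn -> m
    "examp1e.com",                                  # 1 -> l
    "exmaple.com",                                  # transposition
    "example.co",                                   # wrong TLD
    "secure-example.com",                           # combosquat
    "example.com.mail-relay.net",                   # legit name as a subdomain
    "exämple.com".encode("idna").decode("ascii"),   # punycode homoglyph (xn--...)
    "acme-widgets.com",                             # unrelated
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit["domain"], hit["reasons"])
```

A domain-watch job would feed newly registered or newly observed domains through the same `check` and raise a ticket for anything that comes back as a lookalike; a gateway rule can quarantine mail from such senders, which is cheaper than unwinding a wire transfer afterwards.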

WhiteHat Security founder Jeremiah Grossman discussed last month how organisations can help defend against that threat. ®

Biting the hand that feeds IT © 1998–2022