
Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops

'Whaling' attackers fall for poison PDF 'invoices'

HITB Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams ... and they hate him for it.

The director of SEC Consult's Singapore office has made a name for himself striking back at so-called "whaling" scammers by sending them booby-trapped documents which, when opened on the scammers' Windows 10 machines, leak account details and identity information that he passes on to police.

Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers' main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.
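The tell-tale signs of the method described above (an executive's display name on a message that did not come from the executive's mailbox, a Reply-To steering the conversation elsewhere, urgency plus a payment instruction) can be screened for mechanically. The following is an added example written for this page, not code from the article, from Florian Lukavsky or from SEC Consult; the company domain `example-corp.com`, the executive roster and both sample messages are constructed for illustration.

```python
"""Heuristic screen for CEO-impersonation ("whaling") wire-transfer requests.

Added example, not code from the article or from SEC Consult. The executive
roster, the company domain and the sample messages are all constructed.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed: the organisation's own mail domain and the executives whose
# names a whaler would most plausibly borrow (display name -> real address).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential|discreet)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank account|iban|swift|beneficiary)\b", re.I)

# Impersonation plus a payment ask is what makes whaling work, so those
# indicators dominate the score; urgency on its own is merely suspicious.
WEIGHTS = {
    "exec_display_name_external_address": 4,
    "reply_to_mismatch": 3,
    "payment_instruction": 2,
    "external_sender": 1,
    "urgency_language": 1,
}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return the indicators found plus a score."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")

    indicators = []
    exec_addr = EXECUTIVES.get(from_name.strip().lower())
    # A known executive's display name on an address that is not theirs:
    # the classic whaling From: line.
    if exec_addr and from_addr.lower() != exec_addr:
        indicators.append("exec_display_name_external_address")
    if from_addr and _domain(from_addr) != COMPANY_DOMAIN:
        indicators.append("external_sender")
    # Reply-To pointing at a different domain redirects the conversation
    # away from the apparent sender.
    if any(_domain(r) != _domain(from_addr) for r in reply_addrs):
        indicators.append("reply_to_mismatch")
    if URGENCY.search(text):
        indicators.append("urgency_language")
    if PAYMENT.search(text):
        indicators.append("payment_instruction")

    return {"indicators": indicators, "score": sum(WEIGHTS[i] for i in indicators)}


def is_whaling(raw: str, threshold: int = 6) -> bool:
    """True when the combined indicator weight reaches the (tunable) threshold."""
    return score_message(raw)["score"] >= threshold


# Constructed sample: a whaling attempt (borrowed display name, freemail
# address, Reply-To on a lookalike domain, urgent wire request).
WHALING_SAMPLE = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: j.doe@example-corp-pay.com
To: controller@example-corp.com
Subject: Urgent wire transfer

I am in meetings all day. Please process a confidential wire transfer of
EUR 48,000 today to the beneficiary account in the attached invoice.
"""

# Constructed sample: a legitimate internal message from the real mailbox.
BENIGN_SAMPLE = """From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Q3 budget review

Can we move the budget review to Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("whaling", WHALING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

This is a triage heuristic, not a verdict: a scammer who has compromised the executive's real mailbox (the intelligence-gathering step the article goes on to describe) will pass every header check here, which is why finance teams still need an out-of-band callback to the requester before any wire goes out.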

It works. The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year. Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.

Harpooned companies include Mattel, which by dumb luck recouped the $3m an executive wired to a scammer's Chinese bank account; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January.

They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

Lukavsky told The Reg of his work on the back of his presentation at August's Hack in the Box in Singapore, where he explained that he turns the attackers' own tactics against them to compromise scammers' Microsoft accounts.

"Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters," Lukavsky says.

"We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information."

"We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook."

Such Windows password hashes do not hold out long offline: run through a cracker like John the Ripper, the scammers' passwords fell within a few hours, the usual outcome when the underlying password is weak.

The information Lukavsky passed on to police from that attack late last year led to the arrest of the scammers, who were located in Africa.

He says he got a kick out of the tale of one security researcher who avenged his parents by convincing a net scammer to run the dangerous Locky ransomware.

Lukavsky says one of his friends recently compromised a whaling scammer and has reported seven of the criminal's bank accounts to financial institutions, which shut them down. "And those bank accounts are probably one of the most valuable goods to the fraudsters as they are difficult to set up in times of more stringent regulatory controls, know your customer rules, anti money laundering, etcetera," he says.

It is generally difficult for organisations to recoup their losses. Ubiquiti clawed back $9m of the $46.7m it lost, a rare win.

The document harvesting system Lukavsky uses is being woven into a data leak prevention system SEC Consult hopes to launch by year's end.

MyNetWatchman's Donald McCarthy has had equal fun messing with whaling scammers. He told Vulture South earlier this year how he doxed tax scammers in Africa, where about 17,000 business email compromise actors, or about 40 per cent of the global pool, are thought to operate.

Some of the best scams are compartmentalised, with different teams responsible for various intelligence and social engineering tasks. Teams will often compromise a business's email accounts to gather intelligence on the types of services and partners it uses.

Criminal call centre services offer scammers the ability to pay for English-speakers to make follow-up phone calls to further convince targeted businesses.

Scammed funds are often wired between banks on their way to the Chinese port city of Wenzhou, a hub of cybercrime on the East China Sea, where money trails run cold. ®
