Fri, Feb 26, 2016

Burgle Your House? I’d Rather Take Your Password…

I remember clearly the first time I came across this particular type of scam. A wealthy Saudi businessman had had over $1 million transferred from his bank account to pay for bills he had never authorized. He suspected one of his aides or IT staff had committed the fraud, while they were convinced he had authorized the transactions but had forgotten or had now changed his mind.

The transactions had been authorized by email from the principal’s personal AOL email account. The instructions used the same terse language that his CFO had come to expect. They instructed the CFO to spend money from the exact same bank account the principal always used for his personal affairs, in amounts that rose from around $30,000 to around $300,000 but were nothing out of the ordinary as far as the CFO was concerned.

We checked the emails, and they were genuinely from his AOL account; they had not been spoofed. Then we checked the geographic locations from which the email account had been accessed, and there we found the key clue. Yes, we could see the account had been accessed from Jeddah, from Riyadh, from Germany, from the UK, and from the U.S. as the principal had made his way around the world on his private jet, but interspersed among these genuine logons were regular logons from Cairo, sometimes only half an hour before or after the principal had himself logged on thousands of miles away. And he hadn’t gone to Cairo, nor had he any business there.

The penny dropped. The attacker had managed to obtain the principal’s email password. Armed with these genuine credentials, he had logged in to the email account and slowly read his way through the principal’s inbox and sent items. He had seen how the principal paid to refuel his jet, how he had arranged for his hotel bills to be paid, how he had made a deposit on a holiday villa. Using the same language the principal used, it was easy for the attacker to trick the CFO into thinking he was receiving instructions from the principal.
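The clue in the case above was two logons too close in time for one person to have travelled between the places they came from. As an added example (not Kroll's tooling or the investigation's actual data), the script below runs that "impossible travel" check over a constructed login history; the cities, coordinates and timestamps are invented to mirror the pattern described, and it assumes coordinates have already been obtained from a geo-IP lookup of the provider's login history.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login history: (UTC timestamp, city, latitude, longitude).
# Values are illustrative only; they are not from the case described above.
LOGINS = [
    ("2016-02-01 08:00", "Jeddah", 21.54, 39.17),
    ("2016-02-01 08:25", "Cairo", 30.04, 31.24),   # 25 minutes after Jeddah
    ("2016-02-02 09:10", "Riyadh", 24.71, 46.68),
    ("2016-02-03 07:30", "Cairo", 30.04, 31.24),
    ("2016-02-03 19:00", "London", 51.51, -0.13),
]

# Upper bound on plausible ground speed (km/h); roughly airliner cruise speed.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logons whose implied travel speed exceeds max_kmh.

    Returns a list of (earlier_city, later_city, implied_speed_kmh).
    """
    events = sorted(
        ((datetime.strptime(ts, "%Y-%m-%d %H:%M"), city, lat, lon)
         for ts, city, lat, lon in logins),
        key=lambda e: e[0],
    )
    flagged = []
    for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
        distance = haversine_km(la1, lo1, la2, lo2)
        if distance == 0:
            continue  # same place; no travel to explain
        hours = (t2 - t1).total_seconds() / 3600
        speed = distance / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            flagged.append((c1, c2, round(speed)))
    return flagged


if __name__ == "__main__":
    for earlier, later, speed in impossible_travel(LOGINS):
        print(f"{earlier} -> {later}: implied {speed} km/h")
```

Only the Jeddah-to-Cairo pair is flagged here; the Riyadh and London logons are a day or half a day apart and are consistent with genuine travel, which is why a speed threshold rather than a simple "new country" rule is the useful test.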

Over the years since then, I have seen dozens and dozens of variations on this theme. So have others at Kroll, before and since. They are known as account takeover frauds. We have seen clever attackers set up rules in people’s email accounts so that all emails from the person being tricked are sent to the drafts folder or the trash folder, where only the attacker will look. We have seen the accounts of wealth advisors taken over, as well as those of solicitors involved in conveyancing transactions. We have seen not only children of the ultra high net worth community impersonated, but also girlfriends, clients and customers; the numbers rise exponentially.

Why such a rise? Well, it doesn’t require a lot of skill. The hardest part is laundering and withdrawing the cash, and you can rent that as a service on the dark web. There are several easy ways to get people’s passwords that require almost zero technical knowledge, using tools that are available for free on the Internet, complete with video tutorials on how to use them. You can attack insecure Wi-Fi spots with a man-in-the-middle attack, or load a malicious attachment or link into an email. With a bit more skill, you can infect ads that appear in browsers with malicious code, as has indeed started to happen. But I suspect many fall victim to the easiest trick of all: simple guesswork. How many of us use passwords based on the names of children, pets, favorite sports teams or singers, or dates of birth? Did you know that the most popular password globally for the last several years has remained 123456? The second most popular is “password”! Or is the password that you use for several accounts one of the many hundreds of thousands listed in hackers’ dumps on Pastebin, waiting for someone to recognize your username and use it elsewhere?

Luckily, there are equally simple techniques which can help prevent you from becoming a victim of this type of crime. Use a unique, long password for your most important accounts; over 12 characters is good. Don’t use insecure or public Wi-Fi. Understand your digital profile so you can anticipate the most likely vectors a cyber criminal would use against you. If you are tricked, we can get your money back, but that also costs money. Most importantly, don’t use anything as a password that someone would see on your Facebook account. Don’t be hacker bait!
