“It’s beautiful, it’s elegant, it’s convincing,” Markus Jakobsson gushes, describing the fake email used to hack into the personal Gmail account of Hillary Clinton’s presidential campaign chairman.
Sent on March 19, 2016, to the chairman, John Podesta, the email landed in the spam folder of his account. That should have signaled “heightened danger” to the recipient, says Jakobsson, chief scientist at Agari, a Silicon Valley computer security firm that works with Google on email authentication. Spam implies a clear message, he adds: “Don’t touch!”
But members of the Clinton campaign succumbed to what was probably a powerful temptation to open an email that was both addressed to Podesta and that carried a warning about his password. Once the email was opened, the message, still visible in January as a screenshot on WikiLeaks, so much resembled a normal Gmail warning notice that it almost begged to be clicked.
The expertly crafted message was clearly not the shoddy work of “Nigerian” email scammers, according to Jakobsson. Aimed at a specific target rather than a vast population of email users, it lacked the inept spelling, factual errors, and incoherence of those messages that ask individuals to send money to bogus business officials in Nigeria. Other signs that it was the work of highly focused hackers: the domain name was subtly altered, and the email was customized to make it seem as if it were meant precisely for Podesta (see “Anatomy of a Spoof” at the end of this article).
No, “you don’t have to be insane to fall for [scams like the Podesta spoof],” says Jakobsson.
And fall for it the Clinton campaign did, resulting in “a decade of emails that Podesta maintained in his Gmail account—a total of about 60,000”—being unlocked by Russian hackers, according to a December 14, 2016 New York Times investigation. A December 29 report by the Department of Homeland Security and the FBI all but confirmed that the email to Podesta was part of a spear phishing campaign by Russian civilian and military intelligence services. The report provides technical details about the tools and infrastructure used to trick email recipients into changing their passwords, leading to “the exfiltration of information” from multiple senior members of an unnamed political party tied to the U.S. election.
While the cyber attack on the Clinton campaign might seem worlds apart from the private sector, the expertise, focus, and sophistication it represents are closing in fast on corporate America, cybersecurity experts and former FBI officials say.
Very soon the tactics mentioned above could be used to ensnarl a large number of finance chiefs and other senior executives in scams against their companies. And evidence is mounting to support the theory that behind these increasingly targeted attacks on both companies and governments is a formidable underground economy with its own corporate structures, white-collar employees, regular hours, and even its own version of the Internet: a reverse image of the world these criminals aim to exploit.
The Surge Begins
Email attacks against businesses of all sizes, with many of them exhibiting characteristics similar to the Podesta attack, have surged over the last two years, according to the FBI. Since January 2015, there has been a 1,300% increase in losses incurred by companies in so-called business email compromise (BEC) scams, according to a June 2016 statistical update issued by the bureau. Overall, 22,000 domestic and international companies have been exposed to $3.1 billion in losses from actual and attempted BEC attacks. Businesses in all 50 states and in 100 countries have reported email-related attacks.
BEC is “a sophisticated scam targeting businesses working with foreign suppliers or businesses that regularly perform wire transfer payments,” the FBI notes. Such crimes are “carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
Like the Clinton campaign hackers, BEC attackers know their victims and often engage in “spoofing,” a means of making it seem as if phony emails are sent from a legitimate sender. By studying company posts on social media before launching a scam, the fraudsters “are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment,” according to the FBI.
Targeted executives may first get phishing emails, in which the scammers, posing as legitimate businesspeople, ask for details like the names of other company executives and the dates they will be out of the office on business travel.
In one common scenario, the email accounts of CFOs, chief technology officers, or other high-level executives are spoofed or hacked. The scammers then send an email from the compromised account requesting a wire transfer from a company employee who normally processes such requests.
“In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank ‘X’ for reason ‘Y,’” according to the FBI.
Jakobsson predicts that an added surge of BEC and similar scams will be fueled by a “trickle down effect” caused by the prominent success of targeted attacks like the ones on the Clinton campaign and the Democratic National Committee.
“Similar attacks will be a big thing in a year or so, as more and more criminals latch onto this and say, ‘this worked really well’ and do it to their intended victims,” he says.
Notes from the Underworld
Indeed, there are signs that the pace of innovation, if you can call it that, has been quickening in the cyber underworld. Buttressed by increasingly hierarchical and stable crime organizations, highly efficient and secretive means of communication, and digital currency, a variety of online criminals are able to move quickly when new opportunities arise.
Because of its secretive nature, a comprehensive view of the economy and structure of cyber crime against corporations has been hard to come by. But researchers like Steve Meckl, director of Americas Incident Response for cybersecurity firm Symantec, have traced the outlines of this shadow world by studying data on criminal patterns and making inferences based on the information.
“We see that a lot of these groups are coming from areas of the world that have a high degree of technical education and poor job markets. [People there] find that working for organizations that conduct cyber crime pays more,” says Meckl, a former technical operations unit chief in the cyber division of the FBI. The groups hail largely from Eastern Europe and increasingly from Internet-supported areas of Africa and Asia.
Jakobsson, for example, says he found IP addresses and other technical information confirming that the spoofed email sent to Podesta’s Gmail account last year was part of a batch sent from servers in Russia.
Some of those criminal groups look like regular companies, with their own organizational charts, call centers, and white-collar employees working the equivalent of 9 to 5 jobs, with holidays included, Meckl deduces from data patterns unearthed by Symantec in its research on the “Dridex Gang.” The gang is run by criminals from Moldova and elsewhere and operates a “sophisticated malware package designed to steal banking and other credentials from infected computers,” according to a U.S. Department of Justice press release.
Says Symantec’s report on the gang: “Dridex’s operators are quite professional in their approach, usually following a Monday-to-Friday work week and even taking time off for Christmas. The malware is continually refined and some degree of effort is applied to its spam campaigns to make them appear as authentic as possible.”
Such regular hours and time off are “not normal for your lone-wolf attackers. This looks more like a business,” observes Meckl. “In tracking other groups in the past, we’ve seen similar patterns.” For example, you can sometimes tell which time zone a group is located in because the attack activity is occurring during the business hours of that part of the world.
Another indication of the professionalization of these groups is an accelerating pace of innovation that suggests they are supported by significant effort and financing. Meckl sees proof of this activity in the rapid increase in hackers’ exploitation of “zero-day” vulnerabilities.
Competing against other criminal “software developers,” highly skilled cyber criminals race to find software vulnerabilities that are unknown to vendors, who thus have zero days to patch holes in their software. Then, the criminals develop customized malware to mount “zero-day attacks” themselves, or they sell the malware on the black market. Such activities are comparable to legitimate corporate research and development operations.
“In the hacker community, [zero-day exploits] are prized possessions,” Meckl adds. “Attackers will only use these when they’re going after a target [they deem] worth it. It takes a lot of effort to find and hold onto a zero day, so they don’t get used very much.”
From about 2006 to 2012, cyber professionals noted that attackers were exploiting only a handful of zero-day defects a year, according to Meckl. “Yet in 2015 alone, we saw 54 zero days in the market, which is over four times more than we saw a couple of years prior,” he says.
Yet another sign of the professionalism of these groups is attention to detail. For example, Dridex uses real company names in the body text, subject lines, and sender addresses of most of their spamming campaigns, according to the Symantec report on the gang. “The attackers behind Dridex have gone to some lengths to make their spam emails appear more authentic,” it says.
An Internet of their Own
Two other signs of the emerging sophistication of the cyber crime economy: it has its own communication system and its own currency. When a hacker group wants to transact business—sell a zero-day application, say, or hire an illicit web designer—it’s likely to do so on what’s known as the “dark web.” And if the group wants to collect a ransom from a company that it has hobbled via malware, it’s likely to demand payment in the digital currency bitcoin to avoid detection.
Purposefully hidden outside the realm of conventional browsers like Google, Safari, and Internet Explorer, the dark web resides on the Tor Network. On its aboveground website, Tor describes itself as “free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.”
As Austin Berglas, a former assistant special agent in charge of the FBI’s cyber branch in New York, sees it, the dark web descends into deeper and deeper areas of anonymity. At its least private level, “it is various marketplaces, forums, and chat rooms where people can gather and talk about the selling of guns or drugs or stolen credit cards or child pornography, as well as various other illegal activities like hacking services and murder for hire,” he says.
The next layer down consists of password-protected forums. “You need to have some sort of street cred to get into these forums. Often, you are vetted by an admin,” says Berglas, who is now head of cyber defense at K2 Intelligence, an investigative firm.
Finally, there are the user-created sites “where the real deep-down dirty work takes place,” says the investigator, who during his tenure at the FBI managed the seizures of a number
of illegal Tor-based sites, including Silk Road. On the dark web’s user-protected sites, he says, small groups can gather to trade zero-day exploits and plan attacks, protected from law enforcement officers and cybersecurity vendors looking to do research in the underworld.
If payment is to be arranged within the confines of the dark web, it most likely will be made in bitcoin, the virtual, encrypted currency that passes from user to user without the intrusion of an intermediary. The development of bitcoin has helped modernize the underground cyber economy by enabling hackers to seize company networks and demand ransoms in ways “that were very difficult to do before,” says Symantec’s Steve Meckl.
Before bitcoin, scammers could demand payment only via cash, credit cards, or wire transfer, ways that made it “much easier for law enforcement to follow the money,” he notes. Picking up the trail is much tougher with the virtual currency, “which drastically reduces risk for the criminals who are conducting this activity,” says Meckl.
Seeing the advantages of bitcoin, some of the more established cybercrime groups have begun providing technical support to their victims to make it easier for them to pay up. In one instance, scammers set up a ransomware pop-up page for companies under attack that provides step-by-step instructions on how to obtain bitcoin and make payments, says Meckl.
But if users still can’t figure out how to pay, “they can click on a link to get tech support, which takes them to a message center, where they can ask questions and get help,” he adds.
The development of such efficient service is a hallmark of what has become an increasingly corporate cybercrime economy. Ever more prepared to probe the online vulnerabilities of legitimate businesses, emerging hacking organizations warrant significant attention from senior corporate management. If CFOs and their peers fail to appreciate the centralized power of their enemies, they could find themselves on the wrong side of an ever more asymmetrical struggle in the years to come.
David M. Katz is a Deputy Editor at CFO.
Anatomy of a Spoof
Featuring the familiar colors of the Google logo, the phony email that appeared in John Podesta’s spam folder announced in white letters on a bright red banner that “Someone has your password.”
After greeting the recipient with “Hi John,” the message’s sender went on to warn that “Someone just used your password to try to sign in to your Google Account,” which it identified correctly as “email@example.com.” At the bottom, on a blue banner, it provided a link with the words “CHANGE PASSWORD.”
Sara Latham, Podesta’s chief of staff, had access to her boss’s Gmail account and forwarded the email to Charles Delavan, a Clinton IT aide who was manning the campaign’s help desk. According to press reports, Delavan said he recognized the email as phony. But he reportedly added that he erred in his reply to Latham, typing out “This is a legitimate email” when he really meant to write that it wasn’t legitimate.
To be fair, after advising Latham that Podesta “needs to change his password immediately,” Delavan directed the chairman to do that through Google’s legitimate page for changing one’s password and included a link to that page. Unfortunately, someone—Podesta himself, according to a Motherboard.vice.com report—clicked on the phony change-password link, rather than the legitimate one, and apparently followed the instructions.
Markus Jakobsson, chief scientist at computer-security firm Agari, found other “digital fingerprints” testifying to the sophistication of the scam. For example, the hackers used a fake webmail domain that was very similar to the one used by Google. The researcher also notes that the hackers customized the email so that it was addressed only to Podesta, “not sent to a million other recipients with exactly the same name.” — D.M.K.
The Great Compromise
Business email compromise (BEC) scams attack legitimate business email accounts through social engineering or computer intrusion techniques with the aim of getting victims to transfer funds to the attackers. The following statistics reflect victim complaints to the FBI’s Internet Crime Complaint Center between October 2013 and May 2016.
Domestic and international victims of business email compromise
Total U.S. victims
Total U.S. exposed dollar loss*
Total non-U.S. exposed dollar loss*
*Includes actual losses and those targeted in failed hacks.
Note: Loss numbers are rounded.
An Ounce of Prevention
- Patch applications and operating systems. Vulnerable applications and operating systems are the targets of most attacks. Ensuring they are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Only updates from authenticated vendor sites should be used.
- “Whitelist” applications. Whitelisting allows only specified programs to run while blocking all others, including malicious software.
- Restrict administrative privileges. Hackers increasingly focus on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Reduce privileges to only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to other tiers.
- Segment and segregate networks. Segment networks into logical enclaves and restrict host-to-host communications paths. That helps protect sensitive information and critical services and limits damage from network perimeter breaches.
- Validate inputs. Input validation is a method of sanitizing untrusted user input provided by users of a web application and may prevent many types of web application security flaws.
- Tune file reputation systems. Keep antivirus file reputation systems at the most aggressive setting possible. Some products can limit execution to only the highest reputation files, stopping a wide range of untrustworthy code from gaining control.
- Maintain firewalls. Firewalls can be configured to block data from certain locations (IP whitelisting) or applications while allowing relevant and necessary data through.
Source: Joint Analysis Report 16-20296, Dept. of Homeland Security and the FBI