‘Please’, ‘thanks’, and GUMMY BEARS will win over anyone, scam menacer says
AusCERT Internal anti-phishing programs are essential to prevent chief executive officers wiring money to fraudsters, threat man Donald McCarthy says.
The programs are an underrated yet proven method for clamping down on what is perhaps the world’s most successful and widely-used avenue to attack businesses and individuals.
Business email compromise, a subset of phishing that tricks executives into wiring money to attackers, is estimated by the FBI to have cost US$740 million in the US alone since 2013.
Anti-phishing schemes involve internal security teams sending realistic but benign phishing emails to staff, and tracking who clicks what.
The emails become more tricky as employee competence grows.
Twitter is one of the largest companies to go public with its internal phishing campaign, which thanks to company-wide acceptance and mature feedback loops has dramatically reduced its exposure to social engineering cons.
Donald McCarthy, myNetWatchman.
Image: Darren Pauli, The Register.
McCarthy of Atlanta, Georgia -based investigations firm myNetWatchman, knows a lot about business email compromise; the digital detective recapped for the AusCERT conference last week how he earlier this year doxed US W2 tax scammers in Africa.
This resulted in personal threats against the hacker’s life and a series of photographs depicting African email scammers hanging out together with laptops in hand.
McCarthy doxes West African business email compromise scammers.
“There have been some emails, but as a rule I feel relatively secure … you do what you can, and you pay your life insurance every month,” McCarthy told El Reg.
About 17,000 business email compromise actors are thought to operate out of West Africa, or about 40 percent of the global pool, McCarthy estimates.
Together they inflict billions of dollars in damages to businesses and represent one of the most poignant reasons for implementing anti-phishing schemes.
“I think all organisations greater than one person should use anti-phishing,” McCarthy says.
“Even that one person should use it”.
No refunds here
Banks are largely not required to reimburse victims of business email compromise, unlike regular instances of carding.
The firms have done so ostensibly in the name of customer confidence, but that free ride is likely to end, according to the investigator.
McCarthy says small pleasantries can make otherwise tough financial managers malleable: “Just by saying ‘please’ and ‘thank you’ frequently in an email you can get people to do things they would normally not do”.
He covered multiple cases where conned managers had wired tens of millions of dollars from their firms en route to business email compromise scammers.
In April such scammers nearly scored US$3 million from toy maker Mattel, stopping in transit thanks only to a Chinese bank holiday.
The bank is located in the China Wenzhou region infamous for tunnelling cash stolen from such phishing scams.
It is thought 90 percent of funds stolen from European firms through business email compromise are wired into the gritty east coast enclave, and transited out.
There are many platforms for anti-phishing schemes. Paid hosted services like PhishMe are well established, while businesses in Australia are understood to be finding success by piping their phishing through the same outsource mail services they pay to send their newsletters.
“If you take one thing from this, it is that [anti-phishing] is not something you need to go and buy,” McCarthy says.
Slick open source alternatives also exist. Jordan Wright (@jw_sec) published the GoPhish modular framework which he is still actively maintaining.
Whatever the preference, staff incentives and engagement is king.
Gift cards and gummy bears are effective rewards for those who report and avoid internal phishing emails.
McCarthy says it will make staff reporting of real phishing attacks “skyrocket”.
Companies can also defend against the attacks by keeping tabs on URL squatters who will replicate targeted business sites on domains that appear to be the legitimate firm’s address.
WhiteHat Security founder Jeremiah Grossman discussed last month how organisations can help defend against that threat. ®
Sponsored: Rise of the machines