‘Whaling’ attackers fall for poison PDF ‘invoices’
HITB Florian Lukavsky hacks criminals profiting from out-of-control multi-billion dollar CEO wire transfer scams… and they hate him for it.
The director of SEC Consult’s Singapore office has made a name striking back at so-called “whaling” scammers by sending malicious Word documents that breach their Windows 10 boxes and pass on identity information to police.
Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers’ main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.
The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year.
Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.
Harpooned companies include Mattel, which shipped and by dumb luck recuperated $3m its executive sent to a hacker’s Chinese bank account; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January.
They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.
Lukavsky told The Reg of his work on the back of his presentation at August’s Hack in the Box in Singapore, where he explained that he uses the attacker’s tactics to compromise scammers’ Microsoft accounts.
“Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters,” Lukavsky says.
“We sent them a prepared PDF document pretending to be a transaction confirmation and they opened it, which led to Twitter handles, usernames, and identity information.”
“We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook.”
Those Windows 10 password hashes can be cracked in a few hours when subjected to tools like John the Ripper.
The information Lukavsky passed on to police from that attack late last year led to the arrest of the scammers, who were located in Africa.
He says he got a kick out of the tale of one security researcher who avenged his parents by convincing a net scammer to run the dangerous Locky ransomware.
Lukavsky says one of his friends recently compromised a whaling scammer and has reported seven of the criminal’s bank accounts to financial institutions, which shut them down. “And those bank accounts are probably one of the most valuable goods to the fraudsters as they are difficult to set up in times of more stringent regulatory controls, know your customer rules, anti money laundering, etcetera,” he says.
It is generally difficult for organisations to recuperate their losses. Ubiquiti clawed back $9m of the $46.7m it lost, a rare win.
The document harvesting system Lukavsky uses is being woven into a data leak prevention system SEC Consult hopes to launch by year’s end.
MyNetWatchman’s Donald McCarthy has had equal fun messing with whaling scammers. He told Vulture South earlier this year how he doxed tax scammers in Africa, where about 17,000 business email compromise actors, or about 40 per cent of the global pool, are thought to operate.
Some of the best scams are compartmentalised, with different teams responsible for various intelligence and social engineering tasks.
Teams will often compromise a business’s email accounts to gather intelligence on the types of services and partners it uses.
Criminal call centre services offer scammers the ability to pay for English-speakers to make follow-up phone calls to further convince targeted businesses.
Scammed funds are often wired between banks on their way to the Chinese port city of Wenzhou, a hub of cybercrime on the East China Sea, where money trails run cold. ®