Securing Identities from Phishing – A Financial Sector Perspective

Discussing phishing and communications fraud is often a confusing experience, a territory filled with buzzwords and distorted news of incidents at major corporations.  Getting to the facts underneath the clutter requires understanding that elements of both the “how” and the “why” of cybercriminal methods, have value.

 

Setting the Stage

Let’s define some terminology first: phishing refers to fraudulent attempts to obtain sensitive information by impersonating a trustworthy entity in electronic communication.  The entity being impersonated can be a private organization, a government division, or a specific person.  Phishing can happen via any form of electronic communication including phone calls, SMS text messages, email, instant messaging, social networks, or customer-interactive websites.  Email is the most common phishing vector, and according to research groups like IBM’s X-Threat division, the volume of phishing email has been steadily growing for each of the last five years.  An average corporate user account will receive between 15 and 20 malicious emails per month.

The goal of a phishing campaign is to gain sensitive information which is not otherwise publicly accessible, leading to direct or indirect monetary gain for cybercriminals.  Phishing’s fundamental technique is social engineering: psychological manipulation of people into performing actions that divulge information, thus bypassing physical and digital security mechanisms.  Therefore, user awareness is the best defense against phishing: human beings are the targets, and human preparation can halt even the most advanced phishing campaign.

Phishing is becoming more sophisticated and multi-dimensional with time.  While some phishing attempts seek to complete only one action such as getting a user to click on a malicious link, the real money lies in performing layered attacks that have a sequence of objectives.  Additionally, the subset of attacks known as spear phishing are increasingly effective at triggering a response from targeted users.  Instead of a generic phish communication sent to thousands of recipients, spear phishing crafts content to be contextually relevant to a single organization or even a single person.

Financial professionals are particularly lucrative targets for advanced phishing campaigns.  There is a wide variety of content available about phishing in general, but little guidance specifically tailored to the threat landscape of finance.  By analyzing in detail, both the methods and goals of finance-specific spear phishing campaigns, CPAs and other finance professionals can enhance their ability to resist these attacks.  In this arena knowledge operates like a vaccine, inoculating against the risk and severity of future bad events.

 

Phishing Methods and Goals

 

Method 1: fake login portals

This phishing method has an attacker create a web site which seeks to very closely mimic the “look and feel” of a login page for a corporate software asset.  The page layout, fonts, branding, and color scheme will all be identical to the legitimate login page, but the URL of the website will not be correct, instead belonging to a domain the attacker controls.  The rapid adoption of software-as-a-service application delivery in corporate environments is the primary contributing factor to the growth of this phishing method; users are conditioned to think of credentials entry on websites as a normal daily activity.  Hoping the user does not notice the change in URL, an attacker steals the username and password entered on the page for their own use.  Examples of frequently-mimicked login portals include Microsoft Office 365, SalesForce, and Dropbox.

Credential theft is already a serious security issue in and of itself because it allows an attacker to move laterally within an organization across systems where those credentials are valid.  Once an attacker has access to working login credentials of a corporate user, they can begin sending electronic communications directly as that user, increasing the degree of trust that further victims will afford to the phishing attempts.  One particularly dangerous variant is conversation hijacking: an attacker replies to an existing email thread instead of delivering a new email.  The degree of skepticism a user applies toward a reply to a preexisting conversation is lower by default, and attackers seek to exploit that implicit trust to deliver further malicious content.

Method 2: VIP impersonation

Commonly known as “business email compromise” or “CEO fraud”, this attack method works by having the attacker impersonate someone of hierarchical importance and authority: a CEO, CFO, controller, or in-house legal counsel.  When crafted correctly, the electronic communication will appear to be from the legitimate account for that person of authority.  It may include timely details like their location out of office or reference discussions with clients, details that attackers can gather from social media networks, press releases, or corporate data exploration using compromised credentials.  Common examples of requested actions are to complete wire transfers of large sums of money to a bank account or to send copies of tax documents.  The power of this attack method lies in the ability to create artificial urgency for the target to take the action desired by the attacker.  This can happen either by negative reinforcement, placing an immediate deadline on the action, or by positive reinforcement, invoking a friendly and disarming sense of trust and dependency.

Method 3: malicious attachments

Some classics never go out of style: malicious file attachments are defacto of phishing methods.  Attachments sent to phish finance professionals often take the shape of invoices, forms to electronically sign via software like DocuSign, or Microsoft Office documents with embedded macros and instructions on the first page of the document to override macro security warnings.  All these attachments make good choices because they mimic the normal daily workflow of finance professionals; the attacker is hoping to trick the target into acting on autopilot and not performing a critical examination of the attachment before opening the file.

The attachment, once opened, can deliver any number of malicious software payloads to the target’s computer.  One dangerous example is a class of malware called banking trojans which seek out stored login information to financial institutions and send them to the attacker to use for fraudulent wire transfers or credit card purchases.  Ransomware is another famous malware class, locking a company out of their own files until a ransom payment is delivered in exchange for the decryption key held by the attacker.  However, the largest recent source of growth in illicit profits for cybercriminals is corporate espionage.   Once they use malware to exfiltrate data from corporate networks the attackers can sell that data to competitor companies or use that data to make predictive stock trades based on insider secrets.  Never underestimate the power contained in a general ledger, let alone a recently approved merger proposal or confidential intellectual property.

Method 4: impersonation of regulatory agencies

A phishing attempt using this method would proport to be from the IRS, the SEC, an auditor like Deloitte or KPMG, or from a law firm.  The phishing communication will make a call to action toward the targeted finance professional, requiring them to review a document or send a data set in a reply.  The goal of regulatory impersonation is to steal information, either by intimidating a targeted user into replying or by making the user believe the impersonated actor already has the information and just needs a confirmation copy.  This technique becomes particularly dangerous when the attack is targeting a CPA preparing tax returns and asking for either information on specific individuals or access to practitioner databases.  The attacker often intends to use the stolen information to file fraudulent tax returns and collect tax refunds, an outcome which requires considerable time commitment to remediate.  The IRS requests that financial professionals who receive phishing emails related to taxes forward those emails to phishing@irs.gov for analysis.

Mitigation

Despite the growing sophistication of phishing methods, the situation is far from hopeless.  There are effective mitigation tools available to finance professionals that require nothing more than the use of critical thinking and changes in personal behavior.  One of the best tools to detect phishing is to look for a tone mismatch between the email content and its alleged sender.  This is a bidirectional consideration: an email with a highly informal greeting and an overabundance of slang is suspicious if sent on behalf of a professional organization, as is an email filled with unnaturally formal language when sent by an individual considered a close compatriot.  Attachments should always be treated with suspicion because almost any type of file can be used to deliver malware.  The use of security software to scan electronic communications and block the delivery of malware in attachments acts in compliment with user preparedness, creating better defense in depth against phishing.

Another powerful phishing detection tool is domain auditing: by comparing the text of a web address or portion of an email address after the @ symbol to the known correct text for the person or institution the attacker is attempting to impersonate, an alert user can find the text does not match and reject the phishing attempt.  This auditing needs to be highly precise because attackers often use the smallest possible change to a domain, different by just a one letter or a single added punctuation mark.  The best tool of all to halt phishing is to verify the requested action with the alleged sender prior to acting via a different interactive, real time communication method.  The result of a phone call, a video conference, or an in-person visit with the alleged sender will reveal the truth: they did not send the request, and the phishing attempt ends unsuccessfully.

Stay safe out there.

 

JR Maycock is a 12-year IT veteran with a background spanning corporate, freelance,
And K-12 education environments.  His areas of expertise include identity management, behavioral security, systems architecture, and exploring the alignment of technology with business strategy.  JR currently holds the position of Business Technology Architect at NetWize in Salt Lake City, UT.  He is reachable at jrmaycock@netwize.com.