
Common Cyber Threats and How To Fight Back

Farmington Economic Development Commission Breakfast Series

Bryan Cassidy, VP / Information Security Officer (CISA, CISSP, CFE)

Disclaimer

This information is provided for informational purposes only.

The controls mentioned in this presentation are common industry best practices to help protect your organization from wire/ACH fraud or . There is no guarantee by Farmington Bank that your organization will avoid being a victim even by implementing these controls.

For further information on security & privacy, please visit www.farmingtonbankct.com/Resource-Center

5/4/2017 | page 2

“…once a single cyber weapon is loose, it can spread around the world in seconds, to be used by peer states, cyber mafia, and teenager alike.”
-WikiLeaks Press Release: CIA Hacking Tools Revealed (3/7/2017)

Bad Actor Profiles

Organized Crime
Motivation: Financial Gain
• Debit/Credit Card Data
• Medical Records
• Extortion

Nation States
Motivation: Intelligence
• Military Information
• Trade Secrets
• “Market Moving” Financial Information

Hacktivists
Motivation: Social & Political Impact
• Free Speech
• Social Injustice
• Human Rights

Skill (shown as a graphic on the original slide)

A Global Problem w/ No Surefire Solution

(Map: Company ABC in Hartford, CT (USA) alongside Moscow (RUS), Calgary (CAN), Paris (FRA), Kiev (UKR), Sofia (BUL) and Shanghai (CHN))

Why can’t we arrest these bad actors!?
• Masking Techniques
• Geopolitical Challenges
• Differing Global Laws/Regulations
• Protection by Governments
• Attribution is Very Challenging

Blurring of Crime and War

• Equation Group
• Deep Panda
• Longhorn
• Black Vine
• Sofacy
• DragonOK
• Fancy Bear
• Hidden Lynx
• Shadow Brokers
• Mofang
• Syrian Electronic Army
• OilRig

Surface Web
Only 4% of Web content (~8 billion pages) is available via search engines.

Deep Web
Approximately 96% of the digital universe (7.9 Zettabytes) is unsearchable or password protected.
(Scale: 1 zettabyte ≈ 250 billion DVDs, or 36 million years of HD video.)

Dark Web
A portion of the “deep web” used by criminals to perform illegal activities.

Source: The Deep Web: Semantic Search Takes Innovation to New Depths

Products & Services On the Dark Web

Products
• Account Credentials
• Drugs & Prescriptions
• Debit/Credit Cards
• Crimeware Kits
• Human Trafficking
• DIY Guides
• Identification Docs
• Exploits
• Bank Statements

Services
• Spam Rental Services
• Translation Services
• Money Mules
• Re-shippers
• Crimeware-as-a-Service

“…daily sales were found to fluctuate between $300,000 and $500,000 per day.”
Carnegie Mellon University: “Measuring the Longitudinal Evolution of the Online Marketplace Ecosystem” (August 2015)

Spoofing, Compromise, and Account Takeover

FBI - Public Service Announcement
June 14, 2016 (I-061416-PSA)

The business email compromise (BEC) scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified exposed losses. The scam has been reported in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.

From January 2015 to June 2016, there have been 22,143 victims with an exposed loss amount of $3.1 billion.

Variations of Email Wire Fraud

Email Spoofing (Least Complex)
A criminal either “spoofs” the email message header or buys a domain that looks similar to your company’s and pretends to be an executive, vendor, and/or business partner.

Account Compromise (Moderately Complex)
A criminal steals user credentials and accesses email – they search for keywords (e.g., “bank”, “attorney”, etc.) and attempt to masquerade themselves as the hacked individual to trick other companies to perform wire/ACH transfers.

Account Takeover (Most Complex)
A criminal steals online banking credentials to perform unauthorized wire/ACH transfers.

6 Common Email Spoofing Fraud Red Flags

• Poor spelling and/or grammar.
• Requests for instructions to process wires.
• Last minute changes in wire/ACH instructions.
• Elements of urgency - “This needs to be completed by today!”
• Elements of secrecy - “Don’t tell anyone!” - “This needs to remain confidential!”
• Avoiding communication - “I can’t talk right now.” - “I’m in a meeting!”
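The lookalike-domain trick from the "Email Spoofing" variation and the red flags above can be turned into a triage check that a mail gateway or help desk runs before anyone acts on a wire request. The script below is an added example, not part of the presentation or any Farmington Bank tooling; the company domain, the homoglyph substitution list, the red-flag phrase patterns and both sample messages are constructed for illustration.

```python
"""Heuristic BEC triage: score an inbound email against the red flags on the
slides (lookalike sender domain, urgency, secrecy, avoiding communication,
requests around wire/ACH instructions). Added example with constructed data."""
import re
from email.utils import parseaddr

# Character substitutions seen in lookalike domain registrations; the list is
# illustrative, not exhaustive.
_LOOKALIKE_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s"), ("7", "t")]

# Phrases that map to the slide's red flags (matched on lowercased body text).
RED_FLAG_PATTERNS = {
    "urgency": r"\b(urgent|asap|immediately|right away|by (the )?end of (the )?day|by today)\b",
    "secrecy": r"\b(confidential|don.?t tell|keep this between|discreet)\b",
    "avoiding_communication": r"\b(can.?t talk|in a meeting|unable to take calls|don.?t call)\b",
    "wire_instructions": r"\b(wire|ach|routing number|account number)\b",
    "instruction_change": r"\b(new|changed|updated) (wire|ach|bank|payment|account)\b",
}


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph tricks so 'acrne-c0rp.com' compares as 'acmecorp.com'."""
    d = domain.lower().replace("-", "")
    for fake, real in _LOOKALIKE_SUBS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two different domains is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str, company_domain: str, max_distance: int = 2) -> bool:
    """True when the sender domain differs from the company domain but is confusable with it."""
    if sender_domain.lower() == company_domain.lower():
        return False  # genuinely the company's own domain
    s, c = normalize_domain(sender_domain), normalize_domain(company_domain)
    return s == c or levenshtein(s, c) <= max_distance


def triage_email(headers: dict, body: str, company_domain: str) -> list:
    """Return the list of red flags found; an empty list means no heuristic fired."""
    reasons = []
    _, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if from_domain and is_lookalike(from_domain, company_domain):
        reasons.append(f"lookalike sender domain: {from_domain} vs {company_domain}")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2]
    if reply_domain and reply_domain.lower() != from_domain.lower():
        reasons.append(f"reply-to domain differs from sender: {reply_domain}")
    text = body.lower()
    for flag, pattern in RED_FLAG_PATTERNS.items():
        if re.search(pattern, text):
            reasons.append(flag)
    return reasons


# Constructed sample messages (not real traffic). The company domain is assumed.
COMPANY_DOMAIN = "acme-corp.com"
SUSPICIOUS = {
    "headers": {"From": "Jane Doe <jane.doe@acrne-corp.com>"},
    "body": ("Hi Bob, I'm in a meeting and can't talk right now. Please process the wire "
             "to the new account details below by today. Keep this confidential."),
}
BENIGN = {
    "headers": {"From": "Bob Smith <bob.smith@acme-corp.com>"},
    "body": "Hi Jane, attached is the Q2 report for review at Thursday's meeting.",
}

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_email(msg["headers"], msg["body"], COMPANY_DOMAIN))
```

The result is a list of reasons for a person to review, not a verdict: the word "wire" alone fires on plenty of legitimate mail, and an edit distance of 2 is loose for very short domains, so the check belongs in front of the call-back verification step rather than in place of it.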

Ransomware

What is “Ransomware”?

A variant that encrypts important file types (.docx, .xlsx, etc.) and demands a “ransom” via digital currency to obtain the private key that unlocks your data.

58% of respondents say negligent employees put their company at risk for a ransomware attack.
Source: Ponemon Institute: Rise of Ransomware 2017
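Because an encrypting ransomware run rewrites many files in a short time, the file-activity trail it leaves is something a defender can watch for even when the particular family is unknown. The detector below is an added example, not code from the presentation; the log line format, the threshold and window values, and the sample activity log are all constructed.

```python
"""Flag a user who modifies an unusually large number of distinct files within a
short window, the file-system footprint of an encrypting ransomware run.
Added example; the log format and sample lines are constructed."""
import os
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 UTC> user=<name> op=<write|rename|read> path=<file>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)$")


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bursts(lines, window_seconds: int = 60, threshold: int = 20) -> list:
    """Sliding window per user; alert once when the distinct files written or renamed
    inside the window reach the threshold. Returns one dict per alerted user."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> (ts, path) events still inside the window
    alerts, alerted = [], set()
    for ev in events:
        if ev["op"] not in ("write", "rename"):
            continue              # reads do not change data on disk
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        paths = {p for _, p in q}
        if len(paths) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            # The dominant new extension is the usual tell (every file now ends the same way)
            ext = Counter(os.path.splitext(p)[1].lower() for p in paths).most_common(1)[0][0]
            alerts.append({"user": ev["user"], "start": q[0][0], "end": ev["ts"],
                           "files": len(paths), "dominant_ext": ext})
    return alerts


# Constructed sample: one user renaming 25 spreadsheets in 25 seconds, and a second
# user saving a deck every ten minutes (normal behaviour that must not alert).
BASE = datetime(2017, 5, 4, 9, 12, 0)
SAMPLE_LOG = [
    f"{(BASE + timedelta(seconds=i)).isoformat()}Z user=jdoe op=rename "
    f"path=C:/Finance/report_{i:02d}.xlsx.locked"
    for i in range(25)
] + [
    f"{(BASE + timedelta(minutes=10 * i)).isoformat()}Z user=asmith op=write "
    f"path=C:/Sales/deck_v{i}.pptx"
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

The threshold and window need tuning per environment (a nightly build or a bulk document conversion also touches many files quickly), which is why the alert carries the dominant extension and the user: an analyst can tell a ".locked" burst on a finance workstation from a build server writing ".o" files, and the per-user alert ties straight into the "call back" and "who do you contact" steps of the incident response plan later in the deck.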

Common Digital Currencies

Recent High Profile Victims

Target | Industry | Demand | Negotiated Payment
San Francisco Light Rail Transit | Transportation | $73,000 | Did Not Pay
Hollywood Presbyterian Medical Center | Healthcare | $3,600,000 | $17,000
University of Calgary | Education | $16,000 | $16,000
City of Detroit | Government | $800,000 | Did Not Pay
Moses Afonso Ryan Ltd. | Legal | $25,000 | Paid (Undisclosed)
Carroll County Sheriff's Office (Arkansas) | Law Enforcement | $2,400 | $2,400

FBI - Public Service Announcement
September 15, 2016 (I-091516-PSA)

“…the FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”

Ransomware Timeline (2005 to 1Q2016)

Year columns: 2005-2013 | 2014 | 2014 | 2015 | 2016 (Q1)

Families shown: Gpcoder, Urausy, Linkup, TeslaCrypt, Locky, Reveton, Kovter, Slocker, Cryptolocker2015, Nanolocker, Nymaim, Onion, BandarChor, Paycrypt, Cryptowall, CTB-Locker/Citron, Cryptvault, Hi Buddy, Browlock, TorrentLocker, Simplocker, Job Cryptor, Zerolocker, Pacman, HydraCrypt, Synolocker, Pclock, Umbrecrypt, Coinvault, Threat Finder, Ransom32, Virlock, CryptoJocker, ORX-Locker, Magic, Tox, LeChiffre, Troldesh, Ginx, Encryptor RaaS, CryptoApp, Lockdroid, XRTN, VaultCrypt, Radamant, LowLevel404, Dumb, Power Worm, DMA-Locker, Chimera-Locker, Satan

“...emails containing ransomware increased 6,000% from FY15.”
IBM, “Ransomware: How Consumers and Business Value Their Data”

Source: Symantec

/Social Engineering (Example)

TeslaCrypt (Crypto-Locker)

Jigsaw (Crypto-Locker)

Internet of Things (IoT)

Convenience of Connected Devices

IoT Research & Studies

44% of consumers surveyed don’t believe there are enough connected device users for them to be a worthwhile target for hackers.

“…over six in 10 consumers believed connected home devices were designed with online security in mind.” Source: 2016 Norton Cybersecurity Insights Report

Malware

A malware variant that took control of specific Internet-connected devices so they could be directed & used in large scale attacks. The open source code was then released on hacker forums.

October 21, 2016

and many more…

9 Helpful Tips to Protect Your Organization

• Employees need to be continuously educated on “red flags” for phishing/fraud schemes.
• Be careful when posting financial/personal information.
• Perform call back verification on suspicious requests.
• Consider implementing dual verification on wires/ACH.
• Use strong passwords on critical systems.
• Consider implementing multi-factor authentication for remote access to network.
• Maintain and patch software and operating systems.
• Perform regular system backups of critical data.
• Restrict websites that can be accessed by employees on the company’s network.
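Two of the tips above, call back verification and dual verification on wires/ACH, are payment-release controls, and the value is in how they combine: the person who keyed the wire cannot approve it, a second approver must be a different person, and an emailed instruction is only released after someone calls the beneficiary on the number already on file (never the number printed in the email). The code below is an added example of such a release workflow, not the bank's system; the vendor master file, the $10,000 dual-control threshold, the user names and the sample request are constructed.

```python
"""Dual verification on wires/ACH with call-back verification as a release control.
Added example with constructed data; the threshold is an assumed policy value."""
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when a release rule is not satisfied."""


@dataclass
class WireRequest:
    requester: str            # person who keyed the request
    beneficiary: str
    amount: float
    received_by_email: bool   # instructions arrived by email (spoofable channel)
    approvals: list = field(default_factory=list)
    callback_verified: bool = False
    released: bool = False


# Constructed vendor master file: the system of record for beneficiary phone numbers.
VENDOR_MASTER = {"Acme Supply Co.": "+1-860-555-0100"}

DUAL_CONTROL_THRESHOLD = 10_000.0   # assumed policy value, not from the slides


def approve(req: WireRequest, approver: str) -> WireRequest:
    """Segregation of duties: not the requester, and not the same approver twice."""
    if approver == req.requester:
        raise ControlViolation("requester may not approve their own wire")
    if approver in req.approvals:
        raise ControlViolation("second approval must come from a different person")
    req.approvals.append(approver)
    return req


def verify_callback(req: WireRequest, number_dialed: str, beneficiary_confirmed: bool) -> WireRequest:
    """Only a call to the number on file counts; a number quoted in the request does not."""
    on_file = VENDOR_MASTER.get(req.beneficiary)
    if on_file is None or number_dialed != on_file:
        raise ControlViolation("call back must use the number on file, not one supplied in the request")
    req.callback_verified = beneficiary_confirmed
    return req


def release(req: WireRequest) -> WireRequest:
    """Release only when the approval count and the call-back requirement are both met."""
    needed = 2 if req.amount >= DUAL_CONTROL_THRESHOLD else 1
    if len(req.approvals) < needed:
        raise ControlViolation(f"{needed} approval(s) required, have {len(req.approvals)}")
    if req.received_by_email and not req.callback_verified:
        raise ControlViolation("emailed instructions require a verified call back before release")
    req.released = True
    return req


def violates(action, *args, **kwargs) -> bool:
    """True when the action raises ControlViolation; used to exercise the rules."""
    try:
        action(*args, **kwargs)
    except ControlViolation:
        return True
    return False


def process_sample() -> WireRequest:
    """Walk a constructed $45,000 emailed request through every control."""
    req = WireRequest("jdoe", "Acme Supply Co.", 45_000.0, received_by_email=True)
    approve(req, "asmith")
    approve(req, "rlee")
    verify_callback(req, "+1-860-555-0100", beneficiary_confirmed=True)
    return release(req)


if __name__ == "__main__":
    print(process_sample())
```

The point of keeping the phone number lookup inside `verify_callback` is that a fraudulent "updated banking details" email usually includes a helpful contact number; a call-back procedure that lets staff dial whatever the request says verifies nothing.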

How You Can Help With the “Global Solution”

It is no longer a question of “if” but “when” you will be a victim of wire fraud or malware – as a business it is critical that you have an incident response plan. For example:

° How would you detect unauthorized activity?
° What actions would you take to stop further unauthorized activity?
° What security vendor will you bring in to clean your systems?
° Who at your financial institution would you contact?
° What federal agencies would you contact for assistance?
° What information should be collected about the criminal activity?

They are your friends!
