SEI Podcast Series, a Production of Carnegie Mellon University’S Software Engineering Institute
Total Page:16
File Type:pdf, Size:1020Kb
Defending Your Organization Against Business Email Compromise featuring Anne Connell as Interviewed by Suzanne Miller ---------------------------------------------------------------------------------------------- Welcome to the SEI podcast series, a production of Carnegie Mellon University’s Software Engineering Institute. The SEI is a federally funded research and development center, sponsored by the Department of Defense and operated by Carnegie Mellon University. Today’s podcast is going to be available at the SEI website at sei.cmu.edu/podcasts. Suzanne Miller: Hello. My name is Suzanne Miller. I am a principal researcher here at the SEI on the Agile-in-Government team. I am here today to interview Anne Connell, who is a cybersecurity engineer over in our CERT Division. Today, we’re going to talk about business email compromise in all its many forms. I’m excited about that because I get crazy business emails, and I know we do a lot at the SEI to try to defend that. But we want to find out more. Before we get into that topic, just tell us a little bit about how did you get into this kind of work? What is it that you do here, and how did you get to the SEI? Anne Connell: I started off working in the CMU School of Design. Really, I worked there for about 10 years as the network manager. A lot of the faculty, especially because they tended to be older, and phishing isn’t something that just came about. It’s been around for quite a while. That was the first taste of seeing people get taken, responding...Malware on their computers and/or for them, it was everything related back to the virus that you know, CERT famously discovered... Suzanne: The Morris Worm. Anne: The Morris Worm. I’m not saying it was the Morris worm, but it was, indeed, a lot of them getting phished. It’s interesting. I’ll never forget the one faculty member. I won’t use his name, but he said, I got an email, and they told me that I had money in this Swedish bank account. I had to ask, Do you have a Swedish bank account? Did you ever open one? No, no. I said, Well, then it’s probably a scam. And to them, it really was, Why, why would people even do this? I was pursuing my degree while working there, my master’s degree in human-computer interaction. While there, I just wanted to actually use it more so than just managing computers and setting up machines. Defending Your Organization Against Business Email Compromise page 1 www.sei.cmu.edu/podcasts SEI Podcast Series I took a job here at the SEI working for what was the team before STEPfwd on creating training for the SEI and for all its customers. Shortly after that, there was something. It was the group headed by Rich Nolan. It was the Digital Intelligence and Investigations Directorate. Working with them, they had a lot of law enforcement, Federal law enforcement liaisons. Initially, I was working on the projects, kind of creating web apps for them to access tools and training. Then it became much more interesting to work with them on requirements gathering for these tools. In doing the requirements gathering, you really got to see the problems that they were dealing with. That’s sort of my path into this work now. Suzanne: OK. So, let’s talk about business email compromise. We have had everything from the historical Nigerian prince that I think everybody in the world has seen, at this point. Up to more recently, something like Operation Wire Wire, which was a scam that involved like $14 million in fraud, so really big numbers. This is something that has been around a while, hasn’t gone away, so we need to deal with it. Your work is doing that. Tell us a little bit about what are the types of business email compromise that we can be looking for and especially, what are the ones that are more insidious? Anne: I am really glad you said the Nigerian prince because we have come a long way from the Nigerian prince to, in fact, the Operation Wire Wire and that Nigerian criminal ring. Again, Nigerian. Suzanne: Hi, Nigeria. Anne: We’ve come a long way, but there is a lot of things that are the same. The attack vectors that I want to talk about are there is the CEO scam. They are all scams, by the way. Business email compromise is really just a fancy way of saying sophisticated scam. So, it’s CEO, CIO, good old social engineering, and/or brute force, lawyer impersonation. We also have the romance kind of scam developing a relationship over time. The CEO scam, that’s when a relationship is built a little over time where they get in on the network. In this case, the company, they infiltrated the network buying credentials on the dark web. Then basically just kept trying, because they could have 100 attacks that they are launching. Only one needs to succeed. They jump around the network. They obtain domain admin access. Then they can find out how the email servers work, whether it’s digital signatures or the signature just on an email. Indeed, they can see who works for who and find the best way to target someone who might work for that CEO and be able to impersonate them. The instance here—the one that I talked about first before Operation Wire Wire—was the Texas Energy Company scam. That was a young man who went by Colvis. Defending Your Organization Against Business Email Compromise page 2 www.sei.cmu.edu/podcasts SEI Podcast Series That Texas energy company, he selected it simply because there was a direct flight from Lagos, Nigeria, to Houston, Texas. We’ll come back to that eventually, because I think it’s really interesting that his criteria for conducting this was based on a direct flight. It was easier to go to Houston and more cost effective for him than to fly all the way to San Francisco. Essentially, he was already working with pre-established money mule groups, so that had a lot to do with the areas in which he was interested. He selected this energy company and pretended to be the CEO, sending an email about three o’clock on a Friday pretending to be the CEO, sending it to the person who would process the wire transfers. Sending an email directing them to do it today before close, and that he would be unavailable this weekend. In fact, they social engineered his Facebook page to find out that he was the coach of his daughter’s soccer team, even that she was going to have a game on Sunday, So don’t contact me, really extensive work into finding out the best way to make this convincing. Even in the signature, he included the same terminology that typically their vendors would use in their invoices. It really was a convincing story and communication that turned out to be then a wire transfer of $3.2 million dollars outside of the company to a fraudulent account. That particular case, we are talking 2013-2014. Colvis wasn’t his first name. It was his middle name. They were able to find him because it happened to be his Instagram handle. The same way in which he was using social engineering to find more information about his target to make his scam more convincing, they used social engineering to find him. This is just a really interesting fact. He had already applied to go to the University of Maryland, Baltimore County to study architecture. He actually had come in, I am guessing for the interview. They tried to intercept him that time, but the supervisor, special agent in charge of the investigation, just happened to be out on maternity leave. So, she missed him that first time, but he had applied for a visa. On his second time, and that’s when they were able to intercept him. He stood quiet for quite a while, but they eventually got information from him about the criminal ring he was working with. That is a very thorough example of the CEO impersonation. There is also lawyer impersonation. That is to intercept, say, huge payoffs for a home, especially when you’re buying a home. You are sending that initial down payment, whether it’s 20 percent that’s required. They will pretend to be the lawyer that is taking care of that transaction. There is also just regular social engineering, finding out somebody who might be an attractive target. You can even really assess their level of sophistication, their tech savvy, by how they interact with their social media. There is that, establishing communication with them, pretending to be one of the vendors, and reaching out to them. That is how a gentleman, in the scam that was Qantas, he was able to get $100 million out of Google, Facebook by pretending to be that vendor and sending fake invoices to these companies Defending Your Organization Against Business Email Compromise page 3 www.sei.cmu.edu/podcasts SEI Podcast Series including a wire transfer [asking] for specific information, so that it would go to these fraudulent accounts. So, really, tech-savvy companies. We’re not just talking about energy companies. We’re talking about Google, Facebook. They’re falling for it. It all depends on who you get to, what level of employee, which is why organizational training and awareness is so important.