Con artists go corporate with sophisticated email breaches
By Michael Bradley
Chase Cotton has an exercise he used to perform with his University of Delaware students when he taught them about cyber security. He would ask for a show of hands of people who don’t have a lock of sorts on their cellphones. Usually, about “15 to 20 percent” of the students would raise their hands, rather sheepishly.
“I stopped doing it after a while because I didn’t want to embarrass them,” Cotton said.
A professor of practice in electrical and computer engineering at UD and the director of the school’s cyber security programs, Cotton has a broad understanding of the dangers facing everyone from unsuspecting college students to major corporations when it comes to cyber safety. He has advised companies on how to protect themselves, seen what happens when officers of firms aren’t vigilant, and knows quite well that there are people out there capable of costing companies huge sums of money because of their criminal acumen – and their targets’ vulnerabilities.
It’s a condition that has become national in scope, as those who develop schemes designed to bilk companies out of money are more sophisticated than ever, and their targets are less likely to devote the kind of resources necessary to protect themselves. The old joke about a Nigerian prince’s having $10 million for someone dim enough to provide his or her contact information has grown into a larger issue that can cost companies millions.
According to the FBI, in the first eight months of 2015 alone, there was a 270 percent increase in “business e-mail compromise” (BEC) victims, with all 50 U.S. states and more than 80 countries affected. According to the FBI, more than 7,00 U.S. companies were affected from 2013 until late ’15. As the perpetrators get more sophisticated, those numbers will grow. Individuals who fall prey to scams lose on average $6,000, according to the FBI. Affected companies forfeit $130,000.
Three years ago, the University of Delaware launched a Cybersecurity Initiative, with a focus on issues facing corporate America, and hired Starnes Walker, a physicist and a veteran of crafting plans to enhance network security for the corporate, government and military sectors in the U.S. and around the world. His vast experience has led him to survey the current landscape and conclude that trouble is mounting.
“It’s exponential in occurrence and in terms of sophistication,” Walker said. “Adversaries are becoming more and more nefarious and are getting more and more people to click on to things they shouldn’t and getting people to buy into products that don’t exist. These things are going on every day.”
Perhaps the most interesting – and frightening – parts of this phenomenon are the methods criminals are using to gain access and get money. Once thought to be just the purview of geeks and other computer nerds, this field has grown to include a variety of criminal elements, who are capable of magic on the keyboard but also can build relationships that create confidence among their prey, leading to trouble later on.
For some cyber crooks, the preferred method of catching some prey is a shotgun approach. Fire the pellets and see what you hit. More sophisticated predators prefer more of a rifle shot or “spear phishing,” which targets a specific organization and often one person within the firm. The goal is to create a relationship with that person, based on perceived commonality. But instead of running an old-time con, designed to take advantage of the individual’s vulnerability, these criminals have larger plans.
“I had been completely unaware about this,” Cotton admits. “I’m an engineer and a computer guy. I have worked on national security issues since 2008.”
Cotton sure knows about it now. He understands that the criminals will find someone on an organizational chart who works in a corporation’s IT department and befriend him or her. It’s generally someone in a larger firm, the better to assure that there is a chance that a big wire transfer won’t be double and triple-checked by top management. In the biggest deals, there is no automatic payment, like there is with many accounts payable transactions.
In those instances, the execs approve the transactions, generally through e-mail confirmation. If the cyber criminal has made friends with the IT person and has exchanged e-mails with him, usually about a “shared” interest, the crook has the opportunity to spread malware to infect the employee’s home computer, giving the crook access to the employee’s information. Then, all the crook has to do is wait for the IT person to log into work from home, and he has an entrée to the company’s network.
“No finance person will do a big deal if it isn’t approved by the Chief Information Officer, CFO or CEO,” Cotton said. “If the criminal has access to the network, he can break into the e-mail accounts of top executives, and they are vulnerable to losing the money in the transaction.”
Often, the affected transactions are international, between U.S. firms and those in other countries, according to Cotton. That’s because in the U.S. and Western Europe, if a company notices that it has been scammed, government officials can recover the money. On international transactions, it’s harder to recoup the losses.
“You wouldn’t believe how clever and disguised these schemes are to get people to open up their information,” Walker said.
As the methods become more sophisticated, and the threat grows, there is a constant need for firms of all sizes to protect themselves. There is no foolproof method to avoid this risk, since like performance-enhancing drug use in athletics, the cheaters are always ahead of the testers. But there are steps that can be taken to ensure good cyber “hygiene.” Walker said that one of the cheapest ways to provide some defense is to make sure all systems have the most up-to-date antivirus software, the better to alert people to possible breaches and thwart the malware that does get through.
It’s also vital for companies to provide continuous training for employees. Sending people to a class and doing nothing in the ensuing months and years assures that a company’s defense systems will be antiquated and susceptible. Cotton said that “no silver bullets” exist and that there will never be one, so companies must decide what is most important to them and prioritize their protection strategies, especially if financial resources are limited. It’s also vital to establish protocols that prevent breaches, like the spear phishing example he provided earlier.
“No company should be doing wire transfers ‘manually,’” Cotton said. “They should have to go through 14 steps.”
And watch out for Nigerian princes.