Landing the big catch: sophisticated phishing and international wire transfers

Earlier this month, networking technology and service provider Ubiquiti (NASDAQ:UBNT) filed a report with the U.S. Securities and Exchange Commission (SEC) disclosing a significant attack worth US $46.7 million. The haul was acquired through a new and increasingly popular attack technique targeting top-level corporate execs.

These kinds of attacks may seem like a new trend, however they’ve actually been around for some time. This particular case is significant due to the magnitude of the attack. According to Ubiquiti’s website, the company reported fourth-quarter earnings of $44.1 million (on June 30, 2015). This attack effectively wiped out those earnings.

At eSentire, our incident response team has investigated many variants of these types of phishing attacks. In most cases the victim organizations didn’t know anything had happened until they detected irregularities in their balances. Without continuous detection and intervention, it’s practically impossible to avoid these types of targeted attacks as they’ve fast become the attack of choice.

While phishing scams require more time and effort to execute, cybercriminals have found incredible success, regardless of an enterprise’s size, scope or industry. The most common kind of attacks that eSentire sees are of the “six figure” variety which provide a hefty reward for a reasonable output of effort. These kind of attacks are not only a nuisance to the victim but they’re also quite embarrassing. The attackers are highly effective and know the meaning of the term “pigs get fat, hogs get slaughtered”.

Targeted attacks take advantage of the single greatest weakness within the enterprise - the employee. You absolutely can’t “patch” every employee with cybersecurity training. Regardless of how cyber-savvy your employees become, cybercriminals prey on the fact that inevitably, an employee will click a malicious link or unintentionally engage in a phishing attack – executive level included. Hackers take advantage of basic human nature and the fact that today, employees are busy, distracted and easily duped through feigned familiarity, flattery or appeals to their vanity.

In the case of Ubiquiti, scammers were able to successfully spoof corporate emails, leading to a multi-phase fund transfers spanning international jurisdictions. In the last year alone, the volume of cases related to this attack style have been on the rise and highlight an emerging trend targeting businesses regularly working with international suppliers or foreign trade partners.

Ubiquiti - through the assistance of banking partners and law enforcement - has so far recovered $8.1 million since the initial breach was discovered in early June. Company officials are hopeful that through continued legal proceedings they will recover another $6.8 million.

The resulting investigation concluded that internal controls over financial reporting were ineffective due to one or more material weaknesses. The report filed with the SEC highlights that the company continues to implement additional procedures and controls as a result of the investigation. While there has been no discussion of regulatory action specific to this case, the online brokerage industry has seen recent enforcement actions for failure to effectively protect infrastructure under what the SEC refers to as “The Red Flag Rule”.

At the end of the day, this style of attack can drain your bank account, wipe out earnings and cause reputational damage. Not to mention the disruption to regular business operations that could be ignited by regulatory practices and procedures investigations.

Is it all doom and gloom? Maybe not. It depends on what actions you take to defend against these kinds of attacks. Noted cybersecurity author Brian Krebs highlighted the architecture of a Business Email Compromise (BEC) in a recent article detailing the Ubiquiti attack. BEC attacks vary from traditional phishing attacks in that cybercriminals target decision-making executives through careful and thoughtful research netting access to corporate email accounts.

Once they gain access, they troll communications looking for keywords and triggers that help them to craft the accurate messaging that will ultimately launch the transfer attempt. These sorts of attacks are highly complex and require special attention from attackers. This high-touch mode of attack also means that the attacker can pivot the techniques they use to evade detection from traditional spam filters. In spite of the effort required to launch this kind of attack, the rewards are quite lucrative.

Preventing every possible scenario is virtually impossible and any cybersecurity expert claiming otherwise is either exaggerating or lying. While unpreventable, you can dramatically reduce risk by ensuring someone is designated to watch for the signs of suspicious activity inside your corporate network.

This type of continuous monitoring requires the deployment of a rich platform of network forensic tools, with capabilities like sophisticated packet-level detection. eSentire provides Active Threat Protection, which is delivered as a continuous 24x7x365 service. The Intelligence and Defence contractor communities developed these very sophisticated capabilities a number of years ago to deal with nation state adversaries. Several of these capabilities have made their way into commercial offerings from firms including RSA and Palantir. They’re costly but certainly within reach of Fortune 50-sized budgets. They also require a sophisticated, operational skillset, which is scarce in most markets.

The reality is that you don’t know what you don’t know. Therefore it’s essential that all traffic is reviewed at a granular level. Security information event management technology – the popular go-to in compliance-driven environments – attempts to derive threat indicators from security event logs (Syslog and Windows Event Logs) which deliver a very terse set of facts. While still useful they have limited efficacy in the current threat landscape in terms of detecting whether something bad is happening in time for you to react to it. The same devices that are collecting log information are missing these new attacks. If the attack is missed, it won’t be logged.

eSentire employs methodologies utilized by the Intel and Defence. At the core of these methodologies is the recognition for a rich data set. The only way to collect entire data sets is with full-packet capture. Once full-packet capture is underway, the data must be rapidly and efficiently interrogated in order to investigate atypical events or anomalous behaviors. This involves complex pattern matching, IP reputation testing, correlating to known indicators of compromise and performing elapsed time behavior analysis. Due to the ever increasing use of TLS/SSL, having the ability to monitor the contents of encrypted traffic is incredibly important.

The downside of this approach is the expense; it requires a lot of CPU, ample storage and complex software. Now, the your threat needle lives in a much larger haystack than when compared to the old SIEM-based approach. While these technologies can be highly effective at identifying candidate threats, you need a skilled human analyst to perform the last mile of investigation and correlation.

At eSentire our sensors and SOC analytics automatically detect and respond to all but the last 0.0015% of security events. For these complex anomalies eSentire “grey matter” intervenes to perform the last leg of correlation. This proven technique is highly effective when confronted with advanced targeted attacks like the Ubiquiti case.

This formula can be replicated in-house by combining advanced cybersecurity expertise, tools, an A-team of threat analysts and a multi-million dollar budget. However countless organizations lack the budget and resources to assemble an internal SOC. eSentire provides this and more to mid-sized organizations as a service.

eSentire is a trusted security provider, protecting over $2.5 trillion of assets protected globally 24x7x365. Contact eSentire to learn how Active Threat Protection can help you avoid the headlines.