Hackers Taken Down by FBI

Operation ReWired Arrests 281 and Recovers $118M

International Cooperation of Law Enforcement

Score one for the good guys. The FBI's Operation ReWired took down a network of hackers using Business Email Compromise attacks to commit fraud. This resulted in the arrests of 281 alleged hackers on charges of wire fraud ($3.7 million recovered). Additionally, these hackers allegedly committed 250,000 cases of identity theft and 10,000 cases of tax fraud. The operation seized more than $118 million in fraudulent wire transfers that may now be returned! September 2019 was a great month for cybersecurity!

What is Business Email Compromise?

Business Email Compromise (BEC) is when an email account, usually belonging to someone in finance, is broken into. This is often accomplished through a phishing attack that leads to credential theft, as outlined in CyberHoot's recent article titled the Domino Attack. Credentials are stolen when a victim clicks on a fraudulent phishing email link or opens a bogus invoice. Doing this brings the victim to a malicious website that prompts the user to enter their email and password. These emails are often sent by someone your CFO already knows, meaning the sending email address is actually correct and expected. The other finance person's email has likely been compromised by hackers who are now targeting your CFO.

This compromise results in a hacker entering the CFO's email account, reading through their financial transaction emails, and redirecting normal wire transfers by inserting fraudulent wiring instructions into the email-based conversations. The success of this scam rests exclusively upon both parties never authenticating these wiring instruction changes outside of email. This results in money being wired into hacker accounts that are mostly untraceable. These fraudulently wired funds are rarely recovered.

International Cooperation Leads to Take Down

Operation ReWired was possible through the combined efforts of law enforcement agencies across 10 countries. Together they unraveled a complex network of hackers, phishing attacks, money mules, and money laundering activities. This operation proves international law enforcement cooperation is possible. It also sends a message to hackers that they will be caught. Cyber Al has witnessed smaller-scale BEC from social engineering and phishing attacks whose losses will never be recovered (or reported). That's because the dollar amounts were too small to involve the FBI or local law enforcement. The world's Small and Medium-sized Businesses (SMBs) are on the front lines of BEC fraud! It's getting worse year after year, with a doubling of financial losses in 2018 alone.

An Important Message sent to Hackers

These enormous losses have led the FBI to make BEC fraud a priority for its agency. In June of 2018, the FBI made 74 arrests and seized 2.4 million in a similar BEC take-down. These take-down events and arrests are putting hackers on notice that they can and will be caught.

Who's at risk to the threat of BEC?

Verizon's security services division puts out an annual Data Breach Incident Report (DBIR) summarizing cybersecurity attack trends, including who is being hacked and how they're being hacked. BEC is near the top of their list of attacks. More importantly, they note that SMBs are successfully attacked 15x more often than smaller and larger firms with fewer than 10 or greater than 100 employees. This puts SMBs at the greatest risk of targeted BEC attacks. If you're a small business owner, do not despair! There are simple measures you can institute at your company to protect yourself.

What should SMBs do?

Even with the FBI take-down of this criminal network, it is a small drop in the bucket of an FBI-estimated $26 billion in losses over three years. The FBI still recommends that you "Implement an awareness and training program" to safeguard your business. Therefore, you need to prepare yourself for these attacks. Fortunately, with Business Email Compromise, preparations are relatively straightforward. The single best measure you can take is to review and document your Wire Transfer Process. Cyber Al recommends that ALL changes to wiring instructions be confirmed outside of email, preferably via a phone call. Establish accurate wiring instructions with all parties. Do not dial a phone number supplied in a suspect email to validate new wiring instructions; that phone number is likely also bogus. Look up a known-good phone number and contact to verify and validate.

Positive Conclusions

This take-down arrested 281 potentially bad actors and recovered over $118 million in fraudulent wires. More importantly, Operation ReWired proves that international law enforcement agencies can work together. It proves that hackers cannot hide behind computer screens in the dark corners of the Internet. This is an important win. Let's enjoy this win but also validate our business processes to protect ourselves from BEC and wire fraud.

Teach employees about Business Email Compromise and gain access to Wire Transfer Process documents with a free 30-day CyberHoot trial.

Become more Aware to become more secure.

Hacked Charging Cables Send Data Wirelessly

Most of us have tethered our mobile phones to our laptops dozens to hundreds of times. Have you ever worried about a hacked charging cable? Security researchers have discovered hacked iPhone Lightning cables with embedded Wi-Fi chips that were capable of stealing our data.

[Image: Hacked charging cables can steal data over Wi-Fi]

Hack a Charging Cable via Wi-Fi?

Cyber Al would bet that most people don't think about getting hacked through their iPhone's charging cable. People worry about hack attacks from phishing emails, as outlined here: Avoiding Phishing Attacks. Others correctly worry about password security, as discussed here: Passwords, Passphrases, and Password Managers. But charging cables? No way. Hackers have modified the iPhone Lightning cable to insert a tiny Wi-Fi transceiver into the cable itself. When an iPhone, iPod, or iPad is plugged into a computer and syncs your data (pictures, music, apps, etc.), the embedded Wi-Fi device allows a nearby hacker to take full control of your computer. Once connected, the hacker can wirelessly transmit malware onto your device all while siphoning off your data.

A Proof of Concept Wi-Fi Charging Cable

A hacker by the name of "MG" studied and experimented on these Lightning cables. With some excellent soldering skills and a weekend's effort, MG created a malicious proof-of-concept charging cable. MG targeted his own Mac computer. MG found that when an iPhone was directly connected with the hacked charging cord, he could be up to 300 feet away and still control the Mac computer. Cyber Al theorizes that a directional antenna could enable the hacker to be even farther away! Even more disconcerting, MG stated "the cable can be configured to act as a client to any nearby wireless network. And if that wireless network has an Internet connection, the distance basically becomes unlimited."

Summary Advice

This tactic is bound to be deployed in many locations by hackers targeting the general public. From charging kiosks at airports to coffee shops, charging cables may be compromised. The risk in these locations is mitigated partially by the fact that your charging cable isn't connecting your smartphone to your laptop. This prevents the Lightning cable from transferring data unless you allow the iPhone to trust the charging station (something you should never, ever do). Most people are aware of the dangers of inserting an unknown USB flash drive into their computer. Cyber Al wants you to always think about the risks of a compromised charging cable provided free of charge by a business for its customers' use, and to remember these tips:

  • Be on the lookout for unusually shaped charging cables.
  • Better yet, always carry your own charging cable.
  • Never use an unknown origin cable from anyone.

By becoming more aware you become more secure. If you like learning about emerging threats or want to address gaps in your employees' cybersecurity knowledge, venture over to CyberHoot and sign your company up for a free 30-day trial.

#cyberhoots #smb #cybersecurity #awarenesstraining #LMS #chargingcablehack

Author, Ty Mezquita, Blogger/Social Media – CyberHoot

Editor, Craig Taylor, Co-Founder – CyberHoot

Watershed Moment: Smartphones Targeted by Drive-by Malware


Cyber “Events” that Shape History

Only a few events in the history of "Cyber" and "Security" cause security professionals to sit back, meditate, and try to understand the implications of that event. The earliest such event CyberHoot recalls reading about was the "Morris Worm," which spread across the early Internet way back in 1988. Its author was subsequently convicted under the newly passed Computer Fraud and Abuse Act of 1986. We can thank the Morris Worm for spurring the Defense Advanced Research Projects Agency (DARPA) to create the Computer Emergency Response Team, tasked with coordinating emergency response activities for critical computing events.

Since then, multiple "events" have occurred which directly influenced cybersecurity programs, protection technologies, and procedures. The ILOVEYOU virus (2000) and the SQL Slammer worm (2003) both taught us about network segmentation and the importance of limiting the ports and protocols passing across our internal networks. Fast forward to 2017, and WannaCry ransomware reminded us of the need for strong backup and restore capabilities.

When Malware targets Mobile…

A recent revelation has CyberHoot wondering if 2019 will be the year we look back and say: "That was the year smartphones became vectors for widespread worms, viruses, and data theft." Until this moment, smartphone hacking cost millions of dollars and was limited to nation-state-sponsored attacks. That is no longer true, and the extent of how "untrue" this is seems like a watershed moment in cybersecurity.

Security researcher Ian Beer, from Google's Project Zero white-hat hacking team, published evidence of widespread smartphone hacking that successfully installed malicious software on Android and iOS smartphones. Google's researchers showed that by exploiting a series of vulnerabilities together (something they call chaining), hackers could install anything they wanted on your devices, just by getting you to visit their malicious websites. Worse yet, this appears to have gone on for two years without being discovered. Sobering, isn't it?

What does Cyber Al from CyberHoot suggest you do about this development? Let's dive into some suggestions we've collected from various articles covering this noteworthy development.

10 Protection Tips for Smartphone Users:

  1. A mobile device is a computer. Do not install any app or game onto the device unless you absolutely need it. Even then, limit the permissions you give each app. Does Facebook really need access to your microphone?
  2. Always consider how you connect to the Internet on mobile devices. Be highly suspicious of free or public Wi-Fi, which is very insecure. Companies should enforce Acceptable Use Policies requiring the use of Virtual Private Network (VPN) technology on all mobile devices and combine it with two-factor authentication.
  3. Establish and enforce Bring-Your-Own-Device (BYOD) policies at work. Personal devices are everywhere, but they should never be allowed on your trusted business networks; that is what guest Wi-Fi was created for.
  4. Block jailbroken iPhones and rooted Android phones from accessing trusted networks and corporate data, including online email services.
  5. Keep mobile device operating systems up to date. The latest iPhone software, 12.1.4, is not at risk to the chained vulnerabilities identified by Ian Beer of Google. However, given the two years of dwell time, you can be certain other vulnerabilities have been discovered and are being used to exploit our phones.
  6. Encrypt your mobile devices and data stores (USB sticks). All iOS and Android operating systems have automatically encrypted their file systems for at least the last 7 years.
  7. Enforce Mobile Device Management policies with solid management tools available from Microsoft, AirWatch, Good Mobile, and many other vendors. You must be able to selectively wipe corporate data off lost or stolen devices.
  8. Install applications only from trusted vendors. Consider building an enterprise store of vetted and approved smartphone applications (this tip is for large enterprises with highly mature cyber programs).
  9. Provide cloud-storage alternatives for your employees, who will otherwise use any service that is convenient and free without a second thought.
  10. Install anti-malware on your Android device (Sophos has a product). iOS and BlackBerry do not allow any such products to be used today.
  11. BONUS: reboot your iOS device periodically. These chained vulnerabilities did not survive a reboot of the smartphone device. iPhone, please meet Windows 95, where a reboot was the solution to so many problems. iPhone reboots, really???

How should we think about and use our Smartphones?

Google's security researcher Ian Beer writes: "All that users can do is be conscious of the fact that mass exploitation exists and behave accordingly; treat their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."

We've entered a new era, where our beloved smartphones can be infected just by visiting malicious websites. Think before you surf the Internet willy-nilly on a trusted corporate device containing intellectual property or regulated data. Maybe don't visit that website!

Call to Action

If you're worried about the cybersecurity of your company and want to do something concrete and meaningful to protect it, then visit CyberHoot.com today and sign up for a free 30-day trial. Email Sales@CyberHoot.com for information and assistance with any questions.