Hackers Attack Invoicing, Payroll and Superannuation Systems: AFP

The hackers attacking financial systems are now much smarter and better organized than before, and they are stealing huge amounts of money as a result. That is why businesses need a way to spot the signs of fraud at the very beginning.

According to federal agent Scott Mellis, team leader of cybercrime operations with the Australian Federal Police in Melbourne, the hackers targeting Australia are currently focusing on second-tier targets like payroll systems, invoicing systems, and superannuation brokers.

“I blame the banks for all this. They’ve done a really good job of securing their retail banking platforms, God bless ’em,” Mellis told the Australian Cyber Security Centre Conference this week.

With banks becoming harder targets, hackers moved down the food chain.

“We need to turn our focus to where money is held, and where there is poor security, or weak security and poor design,” Scott Mellis stated.

According to Mellis, another trend is that the amounts of money cashed out through money mules have been “much higher” in the last year. Some were more than AU$500,000. The biggest amount was AU$900,000 transferred to a mule in Western Australia “in one hit”.

“That was unheard of two or three years ago… Cash-out has moved to extremely damaging levels. We haven’t seen a single million-dollar transfer yet, but I think we’re really on the cusp of it. Who’s liable for the loss is a fair question as well.”

At the smaller end, funds were often transferred through secondary money mules to further protect the criminals. Many of these secondary mules were older people, pensioners, and stay-at-home mothers.

“Some of these people who we wouldn’t normally be dealing with actually thought they had a serious financial services job,” Scott Mellis said.

“There are some people out there who don’t think like we do. Obviously.”

The AFP has seen “multiple victims” hit with payroll system attacks, following a standard methodology.

The hackers log in using stolen credentials, check the date of the next pay run, and then log out. They log back in just before the pay run and change the employees’ bank details to those of multiple money mules, so there’s no single point of failure. After that, the payroll run proceeds.

“Employee rebellion is probably the first sign the organization will have that there’s been a problem,” Mellis stated.

The AFP has noticed some subtleties to the methodology. Cyber criminals don’t change the accounts of HR department employees, because those employees would notice the problem. Usually, they’ll make a small change and wait to see if anyone notices before making the large-scale changes. Also, they only access the systems during business hours, like the employees would.
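A defender can look for this pattern in the payroll system’s audit trail. The following is an added example, not code from the article or the AFP: the log schema, account names, dates and thresholds are all constructed assumptions. It flags any account that changes several employees’ bank details in the window before a pay run, and links earlier single changes and pay-schedule lookups by the same account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample (hypothetical schema): time, actor, action, employee
SAMPLE_EVENTS = [
    ("2016-04-04 10:12", "jsmith", "view_pay_schedule", None),  # checks pay-run date
    ("2016-04-06 11:40", "jsmith", "bank_change", "emp-104"),   # single small change
    ("2016-04-08 09:15", "hr-anne", "bank_change", "emp-233"),  # routine HR update
    ("2016-04-14 10:02", "jsmith", "bank_change", "emp-017"),
    ("2016-04-14 10:03", "jsmith", "bank_change", "emp-021"),
    ("2016-04-14 10:05", "jsmith", "bank_change", "emp-048"),
    ("2016-04-14 10:06", "jsmith", "bank_change", "emp-090"),
]
PAY_RUN = datetime(2016, 4, 14, 16, 0)  # constructed pay-run time


def review_bank_changes(events, pay_run, window_hours=48, burst_threshold=3):
    """Alert on bank-detail changes that cluster just before a pay run."""
    # Time of day is deliberately not a signal: the activity described above
    # takes place during business hours.
    window_start = pay_run - timedelta(hours=window_hours)
    viewed_schedule = set()
    in_window = defaultdict(set)  # actor -> employees changed inside the window
    earlier = defaultdict(set)    # actor -> employees changed before the window

    for ts, actor, action, employee in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if action == "view_pay_schedule":
            viewed_schedule.add(actor)
        elif action == "bank_change" and when <= pay_run:
            bucket = in_window if when >= window_start else earlier
            bucket[actor].add(employee)

    alerts = []
    for actor, employees in sorted(in_window.items()):
        if len(employees) >= burst_threshold:
            alerts.append({
                "actor": actor,
                "hold_for_verification": sorted(employees),
                "possible_test_changes": sorted(earlier[actor]),
                "checked_pay_date_first": actor in viewed_schedule,
            })
    return alerts


if __name__ == "__main__":
    for alert in review_bank_changes(SAMPLE_EVENTS, PAY_RUN):
        print(alert)
```

Employees listed under `hold_for_verification` would be confirmed out of band before the pay run pays into the new account.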

“We’re seeing long periods of reconnaissance, that [once] were probably more related to the work of state-based actors. The smash-and-grab isn’t there as much as it used to be,” Scott Mellis said.

The hackers stole employees’ tax information in order to submit false income tax returns and divert the tax refunds through their money mules.

“There were very few successful instances of this,” said Mellis, because the Australian Tax Office’s systems detected the fraud, but attempts were made.

Similar attacks are being made against accounting systems, which are usually linked to HR payroll systems, or at least use a shared login. Money intended to pay suppliers’ invoices is diverted to the mules.

“That was quite rampant at the end of last year,” Mellis stated.

Unlike the payroll attacks, invoicing attacks take weeks to be detected, because suppliers are generally paid more slowly than employees. The AFP calls these attacks “driftnetting”, because they’re set-and-forget.

“The crooks change something, wait for a natural process to run on the platform, and then cash out,” Mellis explained.

The AFP has also revealed attacks against superannuation brokers who manage super on behalf of employers.

“We noticed suspicious sums of money being transferred from Australian financial institutions into mule accounts, and one of those institutions operated a superannuation fund management platform,” Scott Mellis said.

The AFP found two superannuation broking firms with access to this platform whose computers showed signs of having been infected with malware, and which had been logging into the platform at unusual times, including weekends.

Superannuation platforms often lacked user verification for high-risk transactions.

“For example, if money was transferred out of an investor’s account, there was an email sent to the investor, but only after the money had been transferred, so it was all a bit late. The target mail that that email goes to was also unverified, so anyone with the compromised credentials could access the account and change the target email, to email the criminal for example,” Mellis explained.

One platform required investors to provide an Australian Business Number; however, hackers simply searched online for the ABN of a company which sounded like it might be related to the investor somehow.

Another flaw was an online form which allowed logged-in users to transfer unlimited funds without any human verification such as a phone call.
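The controls missing from these platforms can be sketched as a decision made before money moves. This is an added example, not any platform’s real code: the class, function names, cool-off period and call-back limit are assumptions chosen for illustration. A contact-email change is announced to the old address, the old address keeps receiving notices during a cool-off, and large or post-change transfers are held instead of released.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for illustration; the article gives none.
COOL_OFF = timedelta(days=3)   # period after a contact-email change
CALLBACK_LIMIT = 5_000         # AU$ above which a phone call-back is required


@dataclass
class Account:
    email: str
    previous_email: Optional[str] = None
    email_changed_at: Optional[datetime] = None
    outbox: list = field(default_factory=list)  # (recipient, message) pairs

    def recipients(self, now):
        """During the cool-off, the old address keeps receiving notices."""
        if self.email_changed_at and now - self.email_changed_at < COOL_OFF:
            return [self.previous_email, self.email]
        return [self.email]

    def notify(self, message, now):
        self.outbox.extend((to, message) for to in self.recipients(now))

    def change_email(self, new_email, now):
        self.previous_email, self.email = self.email, new_email
        self.email_changed_at = now
        self.notify(f"contact email changed to {new_email}", now)


def request_transfer(account, amount, now, callback_confirmed=False):
    """Decide BEFORE money moves; returns ('release' or 'hold', reasons)."""
    reasons = []
    if account.email_changed_at and now - account.email_changed_at < COOL_OFF:
        reasons.append("contact email changed recently")
    if amount > CALLBACK_LIMIT and not callback_confirmed:
        reasons.append("phone call-back required")
    decision = "hold" if reasons else "release"
    account.notify(f"transfer of AU${amount} requested: {decision}", now)
    return decision, reasons
```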

One of the continuing problems is what the AFP calls “CEO impersonation” or “senior executive impersonation”, and the FBI calls “business email compromise”, where an organization’s staff are manipulated into sending money to criminals.

The sophistication of these attacks varies, from simply creating a generic ceoname@gmail.com account or ceoname@company1.com, to compromising an executive’s real email account to learn their lifestyle and craft a more realistic impersonation.

The AFP has noted impersonation attacks net between AU$20,000 and AU$900,000. The hackers are usually based in West Africa.

This month, the FBI’s Phoenix Division reported that $2.3 billion has been lost to business email compromise scams over the past three years. Some hackers continue to attack banks; however, the criminals are much smarter now.

Special agent Chad Hunt and special agent Mark Ray of the FBI walked the conference through a $6 million bank heist where the criminals conducted reconnaissance on the target’s network for more than a month before finally making their move.

Despite the fact that the target organization had encrypted the credit card numbers it stored, chat logs obtained by the FBI showed the hackers discussing their ability to decrypt 550,000 card numbers per hour.

Apparently, these criminals were part of a wider network and they were aware of the weaknesses of their own operational security. It was they who decided when they’d extracted enough money from the target, and when it was time to pull the plug on their operation, wipe their computers, and change their online identities.

According to the FBI agents, there’s been a shift away from cybercrime being conducted by exclusively cybercrime networks, towards old-school crime networks “using hacker skills to further their white-collar schemes”.

One of the main problems with the financial system attacks investigated by the AFP was that the victims’ systems had been built over a long time by many people. Combined with staff turnover, that meant no-one really knew how the systems were supposed to work.
Some superannuation brokers were even running BitTorrent and gaming software on the very PCs used to manage clients’ accounts, Scott Mellis said.

Mellis also recited the familiar litany of basic technical mistakes: lack of system patching, passwords stored in unprotected documents, single-factor authentication, shared passwords, VPNs not being used, and staff not following established processes. Nevertheless, many attacks were successful because of human failure.

“The human element is the toughest element of all. It’s so hard, because there’s a lot of really silly people out there.”

The FBI agents had further comments on the human factors.

“Threat intelligence is a big buzzword now, but I think there’s a difference between tactical threat intelligence, the right indicators, and all that stuff that we have, and then really strategic [intelligence],” Ray said.

“All the best tools, IDSs [intrusion detection systems] and SIGINT [signals intelligence] out there still doesn’t replace old-school human int.”
