Typo-squatting: Fast Turnaround for Fast Money
<p>
In the spring, Websense® Security Labs identified a rising trend in <a href="http://blogs.websense.com/security-labs/assertiveness-valuable-quality-c..." target="_blank">bold, well-researched, targeted fraud attacks using typosquatting</a> and false headers as their primary gambit. Since then, these fraudulent attacks have continued, logging immense gains in both volume and success: the FBI’s Internet Crime Complaint Center (IC3) reports a <a href="http://www.ic3.gov/media/2015/150827-1.aspx" target="_blank">270% increase</a> in identified victims and dollar losses since January. Since 2013, reported American losses to the scam identified as the Business Email Compromise (BEC) have totaled in excess of $740 million; non-U.S. victims have lost more than $51 million.</p>
<h3>
Typo-squatting: Key tactic</h3>
<p>
Websense Security Labs has identified some key features of these aggressive fraud campaigns, one of which is the use of domains that a known bad actor has recently registered with the Internet Corporation for Assigned Names and Numbers (ICANN). Research indicates that these domains, which often differ from the target domain by only a single character or by a pair of transposed characters, are put to use within hours of registration.</p>
<h3>
Rapidity: Delude, Conclude, and Elude</h3>
<p>
From start to finish, these money scams are completed in less than a week. Throughout the attack, especially if the bait gets a nibble in the form of a first response, the recipient may receive several urgent requests for an update and promises of details and instructions to come. If the bait is taken, the entire money transfer can be completed in 1-2 days. By the time the victim has second thoughts about the validity of the request, the bad actor has disappeared, leaving very little in terms of a traceable footprint.</p>
<h3>
Where Does the Money Go?</h3>
<p>
According to the IC3, the money trail takes several hops around the world, but <a href="https://www.ic3.gov/media/2015/150122.aspx" target="_blank">primarily ends up in Asian banks</a> (specifically mainland China and Hong Kong).</p>
<h3>
Who Is the Target?</h3>
<p>
In the early days of this highly successful scam, businesses in the financial and gaming sectors were the most frequent marks. Businesses in these industries regularly transfer money, often by wire and typically in large sums, and an irregular request, even one for a substantial amount, would not raise concern. More recently, the scam has broadened its reach, attacking other verticals and businesses of all sizes. In a sign of the growing audacity of fraud attacks, even security firms such as Websense and Raytheon have been targeted. Websense analytics recognized and thwarted the attempts.</p>
<p>
<img alt="" src="/sites/default/files/blog/legacy/6457.graphic_001.png-550x0.png" style="height:86px; width:550px" /></p>
<h3>
Familiarity Breeds… Huge Windfalls</h3>
<p>
These attacks are well-researched. Factual information and email addresses, easily gleaned from ‘about’ pages on websites, SEC-related documents, or other sources, are incorporated to bolster credibility.</p>
<p>
The fraudulent emails typically appear to be from the CEO and are usually sent to the email account of the CFO or another person with the authority to initiate and authorize a wire transfer. The emails address the recipient by name and may include a footer featuring the impersonated executive’s (accurate) information. Informality and familiarity are used to allay suspicions and induce cooperation, and the FBI’s data indicates that the strategy is working.</p>
<h3>
Deceptive Ploy</h3>
<p>
There have recently been three types of scams, structurally speaking. </p>
<ul>
<li>
The first is a typo-squatted domain, which relies on simple misidentification – the domain is so similar, the difference isn’t noticed. In this case, the envelope sender and reply-to address (if there is one) will be the typo-squatted domain.</li>
<li>
The second uses the recipient’s domain as a forged From address in the display headers, but the envelope sender is a completely different address, probably a compromised account, and the reply-to address is a freemail address.</li>
<li>
The third involves a spoofed envelope sender, making it much more difficult to spot the email as a fraud. However, as with the others, the reply-to address is completely different.</li>
</ul>
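<p>
The three header patterns above, together with the one-character and transposed-character look-alike domains described under Key tactic, are the kind of thing a mail gateway can check mechanically. The Python below is an added example and is not Websense’s code or configuration: it assumes a protected domain of example-corp.com, takes the SMTP envelope sender (MAIL FROM) as a separate argument because it is not a header field, and classifies a handful of constructed sample messages. Every address, domain and message in it is constructed for illustration.</p>

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumption: the organisation owns example-corp.com. Everything
# below is an added illustration, not Websense's detection logic.
PROTECTED_DOMAINS = {"example-corp.com"}


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion, substitution
    or adjacent transposition: the single-character and transposed-character
    look-alikes the post describes."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True                        # one substituted character
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i = diffs[0]                       # adjacent transposition?
            return a[i] == b[i + 1] and a[i + 1] == b[i]
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    for i, ch in enumerate(short):
        if ch != long_[i]:
            return short[i:] == long_[i + 1:]  # one inserted character
    return True                                # extra character at the end


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header such as 'CEO <ceo@host>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def impersonated_domain(domain: str):
    """Protected domain that `domain` is a look-alike of, or None."""
    if not domain or domain in PROTECTED_DOMAINS:
        return None
    return next((p for p in PROTECTED_DOMAINS if within_one_edit(domain, p)), None)


def classify(raw: bytes, envelope_sender: str) -> dict:
    """Map a message onto the three structural types the post describes.
    `envelope_sender` is the SMTP MAIL FROM address, which the gateway sees
    during delivery but which does not appear among the header fields."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    env = domain_of(envelope_sender)
    frm = domain_of(msg["From"])
    reply = domain_of(msg["Reply-To"])  # "" when there is no Reply-To header
    squat = (impersonated_domain(env) or impersonated_domain(frm)
             or impersonated_domain(reply))

    if squat:
        verdict = "type1_typosquat"
    elif frm in PROTECTED_DOMAINS and env not in PROTECTED_DOMAINS:
        verdict = "type2_forged_display_from"
    elif (frm in PROTECTED_DOMAINS and env in PROTECTED_DOMAINS
          and reply and reply not in PROTECTED_DOMAINS):
        # Envelope and From both claim our domain, yet replies are steered
        # elsewhere; at a real gateway an SPF/DMARC failure would corroborate.
        verdict = "type3_spoofed_envelope"
    else:
        verdict = "clean"
    return {"verdict": verdict, "envelope": env, "from": frm,
            "reply_to": reply, "impersonates": squat}


# Constructed sample messages; the envelope sender is supplied alongside each.
SAMPLES = {
    "typo_squat": (
        b"From: CEO <ceo@exmaple-corp.com>\r\nReply-To: ceo@exmaple-corp.com\r\n"
        b"Subject: Wire Request\r\n\r\nAre you in the office?\r\n",
        "ceo@exmaple-corp.com"),
    "forged_from": (
        b"From: CEO <ceo@example-corp.com>\r\nReply-To: ceo.office@freemail.example\r\n"
        b"Subject: Request\r\n\r\nHope your day is going well.\r\n",
        "user@compromised-host.example"),
    "spoofed_envelope": (
        b"From: CEO <ceo@example-corp.com>\r\nReply-To: ceo.private@freemail.example\r\n"
        b"Subject: Wire Transfer\r\n\r\nNeed a transfer started today.\r\n",
        "ceo@example-corp.com"),
    "legitimate": (
        b"From: CEO <ceo@example-corp.com>\r\nSubject: Board deck\r\n\r\nSlides attached.\r\n",
        "ceo@example-corp.com"),
}


def triage_samples() -> dict:
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: classify(raw, env)["verdict"] for name, (raw, env) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:18s} -> {verdict}")
```

<p>
The edit-distance check is deliberately limited to one operation, matching the one-character and transposed-character registrations the post describes; a looser threshold catches more look-alikes but starts flagging unrelated short domains. The third type can only be confirmed by the gateway’s own SPF/DKIM/DMARC evaluation, which an offline example cannot reproduce; here the mismatched reply-to is the signal.</p>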
<h3>
Format and Style</h3>
<p>
The emails are short on content, only a couple of sentences long. They are direct, succinct, and authoritative in tone. They command while simultaneously asserting familiarity. The emails do not include links or images. Subject lines are nondescript and to the point; frequently used subjects include Request, Wire Request, Wire Transfer, Chaps payment, or similar.</p>
<p>
Typically, the messages will begin with, “[Name], are you in the office?” or with a common expression of goodwill (“Hope your day is going well”). This is followed by a stated, urgent need to start a wire transfer or Chaps payment (UK). The sender may also assert that: </p>
<ul>
<li>
they are unable to provide more information at the moment, but will provide it soon</li>
<li>
a deal may fall through if the transfer is not started immediately</li>
<li>
they are indisposed and can’t do it themselves and need the recipient to begin the process</li>
<li>
procedural steps should be bypassed or postponed</li>
</ul>
<p>
<img alt="" src="/sites/default/files/blog/legacy/0675.graphic_002.png-550x0.png" style="height:104px; width:403px" /></p>
<h3>
How to Prevent this Fraud from Happening to Your Company</h3>
<p>
There are a number of ways to ensure your company does not fall victim to this costly scam.</p>
<h3>
Awareness/Education</h3>
<p>
Diligence and caution remain among the most powerful tools in any company’s arsenal.</p>
<ul>
<li>
Make sure employees are aware of this and other common scams and their hallmarks.</li>
<li>
Ensure that those with the authority to fast-track transfers and payments and/or bypass protocol are aware that they are likely to be approached.</li>
<li>
Establish a protocol for confirmation/verification before transferring money that includes out-of-band methods.</li>
<li>
All non-commercial email from a source outside the company will include a link to report the email to Websense as spam.</li>
</ul>
<p>
Websense email security customers are protected against attacks using such tactics.</p>
<p>
Websense is committed to email security and constantly monitors traffic and trends to identify threats and improve detection and protection for our customers.</p>
<p>
Primary contributor: Cristina Houle</p>
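<p>
The traits described under Format and Style (short body, no links, nondescript subject, familiar opener, urgency, withheld details, indisposition, a request to bypass procedure) can be turned into a scoring rule whose only action is to hold a payment request for the out-of-band confirmation step recommended above. The Python below is an added example, not Websense’s detection logic: the phrase lists are constructed from the post’s description, the weights and threshold are assumptions, and both sample messages are constructed.</p>

```python
import re
from dataclasses import dataclass, field

# Phrase lists are constructed from the traits the post describes; the exact
# strings, weights and threshold are assumptions for this example.
INDICATORS = {
    "subject": ("request", "wire request", "wire transfer", "chaps payment"),
    "opener": ("are you in the office", "hope your day is going well"),
    "urgency": ("immediately", "urgent", "today", "right away", "fall through"),
    "withheld_details": ("details to follow", "more details soon",
                         "can't talk", "cannot talk"),
    "indisposed": ("in a meeting", "tied up", "can't do it myself",
                   "cannot do it myself"),
    "bypass_procedure": ("skip the", "bypass", "paperwork later",
                         "sort out the process later"),
}
WEIGHTS = {"subject": 1, "opener": 1, "urgency": 2, "withheld_details": 2,
           "indisposed": 1, "bypass_procedure": 3}
PAYMENT_TERMS = ("wire", "transfer", "payment", "chaps", "invoice")
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
MAX_SHORT_WORDS = 60   # the post says these messages are only a few sentences
HOLD_THRESHOLD = 4     # assumed; tune against your own mail


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    hold_for_verification: bool = False


def score_message(subject: str, body: str) -> Verdict:
    """Score one message against the post's BEC traits. A payment request that
    accumulates enough traits is held until it is confirmed over an
    out-of-band channel (a number from the company directory, never a contact
    detail taken from the email itself)."""
    text = body.replace("\u2019", "'").lower()   # normalise curly apostrophes
    v = Verdict()
    if subject.strip().lower() in INDICATORS["subject"]:
        v.score += WEIGHTS["subject"]
        v.reasons.append("subject")
    for category, phrases in INDICATORS.items():
        if category != "subject" and any(p in text for p in phrases):
            v.score += WEIGHTS[category]
            v.reasons.append(category)
    if len(text.split()) <= MAX_SHORT_WORDS:
        v.score += 1
        v.reasons.append("short")
    if not LINK_RE.search(text):
        v.score += 1
        v.reasons.append("no_links")
    asks_for_payment = any(t in text for t in PAYMENT_TERMS)
    v.hold_for_verification = asks_for_payment and v.score >= HOLD_THRESHOLD
    return v


# Constructed sample messages for the two outcomes.
FRAUD_SUBJECT = "Wire Request"
FRAUD_BODY = ("Jane, are you in the office? I need you to start a wire transfer "
              "today. Can't talk right now, details to follow. We can sort the "
              "paperwork later. Bob")
LEGIT_SUBJECT = "Q3 vendor invoice batch for approval"
LEGIT_BODY = ("Jane, the Q3 vendor invoice batch is ready for the standard "
              "two-signature review at https://erp.example-corp.internal/batches/q3 "
              "(constructed URL). Due date is the 30th, so please schedule it with "
              "finance next week. Bob")


def triage() -> dict:
    """Verdicts for the two constructed samples."""
    return {"fraud": score_message(FRAUD_SUBJECT, FRAUD_BODY),
            "legit": score_message(LEGIT_SUBJECT, LEGIT_BODY)}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(name, verdict.score, verdict.hold_for_verification, verdict.reasons)
```

<p>
The rule is intentionally content-only so it complements, rather than repeats, header checks; the bypass-procedure phrases carry the highest weight because pressure to skip the approval process is the trait that most directly defeats the verification protocol. A hold does not reject the message: it routes the request into the out-of-band confirmation step, where the legitimate requester can clear it quickly.</p>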