We all receive the emails and request notifications informing us of new suggested connections, but is the connection or request from a real person? The profile says Jim Reuter, but is it really him? Or maybe the profile is for someone who appears to work for FirstBank, but you do not know who they are? Or maybe the request is from your grandma, but you are certain you are already “friends” with grandma. In the last two years, the internet has seen a significant rise in spoofed or fake social profiles. These profiles are used in social engineering schemes to commit identity theft and, ultimately, fraud. According to Norton Internet Security, the top five social media scams are Chain Letters, Cash Grabs, Hidden Charges, Phishing Requests and Hidden URLs (https://us.norton.com/internetsecurity-online-scams-top-5-social-media-scams.html).
You may ask, “What do these fraudsters need my information for?” The most likely scenario is a phishing campaign; phishing campaigns are among the most popular scams used to obtain a target’s credentials and personal data. Follow me down this rabbit hole for a moment. Once the trap is set with a social media connection, targets are lured into giving up information such as business email addresses, which can then be used in directed phishing campaigns (spear phishes). It escalates from there as the hackers continue to collect data from their targets. Over time, they learn the business’s reporting structure and job titles, giving them the information they need to assume the identity of senior management. If the hackers are able to communicate through company email, they can pretend to be a member of the board, the CEO, or another senior executive. Does this sound like the foundation for Business Email Compromise? There are numerous instances in which an employee, at the request of the faux executive, has been asked to transfer money directly to the impersonator’s account.
As another means of phishing, a hacker could also assume the identity of a vendor or supplier, sending an email that could be mistaken for legitimate communication. Vendor email addresses can be spoofed or compromised with subtle changes such as an extra, replaced or removed character. At a quick glance, would you notice the difference between [email protected] and [email protected]? Hint: The lowercase L’s were replaced with uppercase i’s.
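The lowercase-L / uppercase-i swap above is one of a family of look-alike substitutions (0 for o, rn for m, and so on). The script below is an added example, not part of the original article, of how a mail gateway or a simple triage script can catch such addresses on the defender’s side: it collapses each sender domain to a “skeleton” in which visually confusable characters map to one canonical form, then compares that skeleton against a list of trusted vendor domains. The confusable table, the trusted domains (all under the reserved `.example` TLD) and the sample sender addresses are constructed for this illustration.

```python
# Look-alike sender-domain detection (added example, not from the original article).
# Assumption: CONFUSABLES and MULTI_CONFUSABLES are a small constructed table of
# characters that are easily mistaken for one another in common fonts.
CONFUSABLES = {
    "I": "l",   # uppercase i looks like lowercase L (the swap the article describes)
    "1": "l",
    "|": "l",
    "0": "o",
    "O": "o",
    "5": "s",
    "$": "s",
}
MULTI_CONFUSABLES = {
    "rn": "m",  # 'r' followed by 'n' reads as 'm'
    "vv": "w",
}


def skeleton(text: str) -> str:
    """Collapse visually confusable characters so that two strings a human
    would read as the same name produce the same skeleton."""
    s = text.strip()
    # Multi-character sequences first, so 'rn' becomes 'm' before single mapping.
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    # Map single confusables, then lower-case (uppercase I must be mapped before
    # lower-casing, otherwise it would become a plain 'i').
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.lower()


def domain_of(address: str) -> str:
    """Return the domain part of an e-mail address (the whole string if no '@')."""
    return address.rsplit("@", 1)[-1]


def classify_sender(address: str, trusted_domains) -> str:
    """Return 'trusted' for an exact match against a trusted domain,
    'lookalike' when the domain only matches after confusable-folding,
    and 'unknown' otherwise."""
    dom = domain_of(address)
    if dom.lower() in {d.lower() for d in trusted_domains}:
        return "trusted"
    sk = skeleton(dom)
    if any(skeleton(t) == sk for t in trusted_domains):
        return "lookalike"
    return "unknown"


def scan_senders(addresses, trusted_domains):
    """Classify a batch of sender addresses; returns a list of (address, verdict)."""
    return [(a, classify_sender(a, trusted_domains)) for a in addresses]


# Constructed trusted vendor list (reserved .example TLD, not real organisations).
TRUSTED_DOMAINS = ["globalsupply.example", "acme-payments.example"]

# Constructed sample senders: one genuine, two look-alikes, one unrelated.
SAMPLE_SENDERS = [
    "invoices@globalsupply.example",
    "invoices@gIobaIsuppIy.example",     # lowercase L replaced by uppercase i
    "billing@acrne-payrnents.example",   # 'rn' standing in for 'm'
    "newsletter@unrelated.example",
]

if __name__ == "__main__":
    for addr, verdict in scan_senders(SAMPLE_SENDERS, TRUSTED_DOMAINS):
        print(f"{verdict:9s} {addr}")
```

Only senders whose domain matches a trusted vendor after folding, but not before, are flagged as look-alikes, so the check stays quiet for genuinely unrelated domains; in practice the trusted list would come from the organisation’s vendor master data and a “lookalike” verdict would route the message for manual review rather than block it outright.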
Another way email is exploited is through malware-laced attachments that fully infect the targeted computers. The most prominent example of financial malware is that used by FIN7, also known as the Carbanak cyber gang. Altogether, the FIN7 cybercriminal outfit is believed to have stolen over $1 billion from more than 100 financial institutions around the world.
When banking employees click on a link in a phishing email, or open an unknown attachment, malware can be downloaded onto their machines without any visible indication. In one case, a FIN7 campaign targeted employees responsible for handling a financial institution’s software and ATM protocols. The malware ensnared the compromised machines in a botnet, exfiltrated files through command and control servers, compromised other computers on the network, and captured screenshots and video of the workstations. In the end, the credentials displayed on screen were used to move money from bank accounts to the hackers’ accounts.