We all receive the emails and request notifications informing us of new suggested connections, but is the connection or request from a real person? The profile says Jim Reuter, but is it really him? Or maybe the profile is for someone who appears to work for FirstBank, but you do not know who they are. Or maybe the request is from your grandma, but you are certain you are already “friends” with grandma. In the last two years, the internet has seen a significant rise in spoofed or fake social profiles. These profiles are used in social engineering schemes to commit identity theft and, ultimately, fraud. According to Norton Internet Security, the top five social media scams are Chain Letters, Cash Grabs, Hidden Charges, Phishing Requests and Hidden URLs (https://us.norton.com/internetsecurity-online-scams-top-5-social-media-scams.html).
You may ask, “What do these fraudsters need my information for?” The most likely scenario is a phishing campaign; phishing is among the most popular scams used to obtain a target’s credentials and personal data. Follow me down this rabbit hole for a moment. Once the trap is set with a social media connection, targets are lured into giving up information such as business email addresses, which can then be used in targeted phishing campaigns (spear phishing). It escalates from there as the attackers continue to collect data from their targets. Over time, they learn the business’s reporting structure and job titles, giving them the information needed to assume the identity of senior management. If the attackers are able to communicate through company email, they can pretend to be a member of the board, the CEO, or another senior executive. Does this sound like the foundation for Business Email Compromise? There are numerous instances in which an employee is asked to transfer money, at the request of the faux executive, directly to the impersonator’s account.
As another means of phishing, an attacker could also assume the identity of a vendor or supplier, sending an email that could be mistaken for routine communication. Vendor email accounts can be compromised, or vendor addresses spoofed with subtle changes, an extra character here, a removed one there, so that the email appears legitimate. The scale of such an operation is only revealed when targeted employees seek to verify the transaction.
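The "extra character here, a removed one there" trick is one that a mail gateway or accounts-payable workflow can check for mechanically. The script below is an added example, not code from the original post or from FirstBank: it compares the domain of an incoming sender against a hypothetical allow-list of known vendor domains, first normalizing common look-alike substitutions (rn for m, 1 for l, 0 for o) and then measuring edit distance, and flags anything that is close to, but not exactly, a trusted domain. The vendor names and mail headers are constructed for illustration.

```python
"""Flag sender domains that closely imitate a trusted vendor domain.

Added example (not part of the original post). The vendor allow-list and the
sample From: headers below are constructed for illustration only.
"""
from typing import List, Optional, Tuple

# Hypothetical allow-list maintained by the accounts-payable team.
TRUSTED_VENDOR_DOMAINS = {
    "acme-supplies.example",
    "northwind-logistics.example",
}

# Digraphs and digits commonly swapped in to imitate a legitimate domain.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Domains within this many edits of a trusted domain are treated as look-alikes.
MAX_EDITS = 2


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse visually confusable sequences."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions needed to turn a into b (classic dynamic programming)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    addr = from_header
    if "<" in from_header and ">" in from_header:
        addr = from_header[from_header.rfind("<") + 1:from_header.rfind(">")]
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(from_header: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted', domain), ('lookalike', imitated_vendor) or ('unknown', None)."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_VENDOR_DOMAINS:
        return "trusted", domain
    candidate = normalize(domain)
    best: Optional[Tuple[str, int]] = None
    for vendor in TRUSTED_VENDOR_DOMAINS:
        dist = levenshtein(candidate, normalize(vendor))
        if dist <= MAX_EDITS and (best is None or dist < best[1]):
            best = (vendor, dist)
    if best is not None:
        return "lookalike", best[0]
    return "unknown", None


def triage(headers: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify a batch of From: headers; look-alikes are what a reviewer should hold."""
    return [(h,) + classify_sender(h) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers: one genuine vendor, three imitations, one unrelated.
    SAMPLE_HEADERS = [
        "Acme Billing <invoices@acme-supplies.example>",
        "Acme Billing <invoices@acrne-supplies.example>",   # rn imitates m
        "invoices@acmesupplies.example",                    # hyphen removed
        "AP Team <ap@north-wind-logistics.example>",        # hyphen added
        "Jane <jane@firstbank.example>",                    # not a vendor at all
    ]
    for header, verdict, vendor in triage(SAMPLE_HEADERS):
        print(f"{verdict:9s} {header}" + (f"  (imitates {vendor})" if verdict == "lookalike" else ""))
```

A check like this is a supplement to, not a replacement for, calling the vendor back on a known number before changing payment details. Keep the edit-distance threshold small: on short domains, two edits is enough to match unrelated names, so a larger allow-list should lower the threshold or compare only the registrable label.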
Another way email is exploited is through malware-laced attachments that infect the targeted computers. The most prominent example of financial malware is that used by FIN7, also known as the Carbanak cyber gang. Altogether, the cybercriminal outfit is believed to have stolen over $1 billion from more than 100 financial institutions around the world.
When banking employees click a link in a phishing email or open an unknown attachment, malware can be downloaded onto their machines. One FIN7 campaign targeted employees responsible for handling a financial institution’s software and ATM protocols. The malware enrolled the compromised machines in a botnet and, through its command-and-control servers, exfiltrated files, compromised other computers on the network, and captured screenshots and video of the workstations. The credentials displayed on screen were then used to siphon money from bank accounts into the hackers’ accounts.