Targeting CEOs: A growing trend in incident response
CASE STUDY
Recently, an organization approached RSM after an attacker defrauded it of nearly $100,000. Posing as the CEO of the organization, the attacker convinced the organization’s accountant to transfer money to the attacker’s account. Due to insufficient security measures, the attacker could simply ask for the money, and before anyone noticed, the money was gone. This incident is sadly an example of a growing trend in cyberattacks, where criminals target high-level executives to elicit fraudulent wire transfers.
This particular client, a technology company, was unable to retrieve the lost money, but they brought in RSM to investigate how the attack occurred and to recommend security measures that could prevent a similar attack from happening again. We sent an incident response (IR) team right away to contain and investigate the event. An IR team uses interviews, log reviews and other technical analytics to verify, manage and contain a suspected security issue.
When the RSM IR team arrived on-site, it began analyzing the incident by interviewing affected personnel and the organization’s IT employees. RSM reviewed logs for the organization’s firewall and Office365 email service. RSM also imaged the CEO’s computer, which was suspected to be the origin of the attack. Through the investigation, RSM determined the sequence of events for the attack was as follows:
- An attacker gained access to the CEO’s Outlook email account, but the exact method the attacker used to compromise the account is unknown.
- The attacker registered a domain whose name resembled the official one, differing only by an extra “i”.
- The attacker created an Outlook inbox rule to hide correspondence from this domain. The fake emails from the CEO were sent from the real account, while the other participants were addressed through look-alike addresses on the fake domain. Because those addresses were cc’d on the thread, the resulting correspondence matched the rule and was filed into an Outlook folder on the CEO’s system instead of being displayed in the inbox.
- Once inside the account, the attacker, posing as the CEO, sent an email to the accounting administrator and another managing partner, requesting almost $100,000 be wired to a specified account.
- The accounting administrator wired the money to the attacker, and it disappeared for good into the attacker’s account.
- The next day, the organization was made aware of the error and attempted to alert all involved of the attack.
- For the next several days, the attacker continued sending requests for more money from the initial victim’s email account, while the other victims were attempting to discern legitimate emails from the attacker’s emails.
- The organization contacted RSM to investigate the issue before more emails were compromised and more money was lost.
Because the attacker had modified the CEO’s email settings to divert these conversations to the “RSS Feeds” folder instead of the main inbox, the CEO was unaware of what was happening until it was too late. Furthermore, even once those involved were aware of the incident and tried to warn one another, some of these warnings went to the fake domain, because Outlook automatically saves and suggests previously used recipient addresses; those warnings were therefore delivered to the attacker instead.
In addition to interviewing those involved, reviewing relevant emails and establishing a timeline, we attempted to examine firewall and email logs to further analyze how the attacker was able to enter and manipulate the managing partner’s system. Unfortunately, the organization had not enabled these logs, which limited our ability to determine what had happened. Office365, the organization’s email service, has a logging option, but it is turned off by default and the organization had never enabled it, so RSM could not review activity logs for the period of the attack. Likewise, the organization had not enabled firewall logging for its environment, so there was no way to track network activity during the attack.
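The two mailbox-side tricks described above, a look-alike domain that differs from the real one by a single inserted letter and an inbox rule that files the resulting correspondence into a folder the owner never reads, are both checkable from a rule export. The following is an added example (not RSM’s tooling or anything from the case); the official domain, the folder list and the rule export are constructed, and the rule fields merely mirror the names Exchange’s Get-InboxRule reports.

```python
"""Audit inbox rules and sender domains for a look-alike domain and for rules
that hide, delete or divert mail.  Added example; everything below is constructed."""
from dataclasses import dataclass
from typing import List, Optional

OFFICIAL_DOMAIN = "example-corp.com"  # assumed legitimate domain (constructed)

# Folders attackers commonly divert mail into; this case used "RSS Feeds".
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}


def normalize(domain: str) -> str:
    """Lower-case and map digit look-alikes (0->o, 1->l, ...) onto letters."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
    return domain.strip().lower().translate(table)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one inserted letter (the extra 'i') scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, official: str = OFFICIAL_DOMAIN,
                 max_distance: int = 2) -> bool:
    """True for a domain that is close to, but not the same as, the official one."""
    if domain.strip().lower() == official.lower():
        return False
    return edit_distance(normalize(domain), normalize(official)) <= max_distance


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1]


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: List[str]


def audit_rule(mailbox: str, rule: dict) -> Optional[Finding]:
    """Flag a rule that hides, deletes, diverts mail or keys on a look-alike sender."""
    reasons = []
    if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        reasons.append("deletes messages")
    for addr in (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or []):
        if domain_of(addr).lower() != OFFICIAL_DOMAIN:
            reasons.append(f"forwards or redirects to external {addr}")
    for addr in rule.get("From") or []:
        if is_lookalike(domain_of(addr)):
            reasons.append(f"matches look-alike sender domain {domain_of(addr)}")
    # Mark-as-read on its own is benign; combined with hiding it completes the blind spot.
    if reasons and rule.get("MarkAsRead"):
        reasons.append("also marks messages as read")
    return Finding(mailbox, rule.get("Name", "<unnamed>"), reasons) if reasons else None


# Constructed rule export, shaped like Get-InboxRule output (not real data).
SAMPLE_RULES = {
    "ceo@example-corp.com": [
        {"Name": "Newsletter cleanup", "From": ["news@vendor.example"],
         "MoveToFolder": "Newsletters"},
        {"Name": ".", "From": ["accounts@examplie-corp.com", "partner@examplie-corp.com"],
         "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    ],
    "cfo@example-corp.com": [
        {"Name": "Out of office copy", "ForwardTo": ["ceo.private@webmail.example"]},
    ],
}


def audit_all(rules_by_mailbox=SAMPLE_RULES) -> List[Finding]:
    """Audit every rule of every mailbox; returns only the suspicious ones."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            finding = audit_rule(mailbox, rule)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f.mailbox}: rule '{f.rule}' -> {'; '.join(f.reasons)}")
```

Running it reports the single-character rule on the CEO mailbox (moves to “RSS Feeds”, matches two look-alike addresses, marks read) and the external forward on the CFO mailbox, while the newsletter rule passes. Rule names consisting of a single dot or space are themselves a common sign of an attacker-created rule, so an operator would reasonably add that to the checks.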
Despite these limitations, RSM checked to ensure the incident was contained and no more money would be lost. We also analyzed the systems and found no evidence of the attacker still being in the organization’s systems. Additionally, RSM suggested the organization adopt the following recommendations to prevent any further attacks, which are good practice for all organizations looking to avoid these kinds of incidents:
- Harden the perimeter firewall to ensure an appropriate external security posture. The organization needed to focus on proper configuration, egress filtering to limit outbound traffic, and enabling proper logging. It also needed to isolate critical systems and technologies via access control lists (ACLs).
- Construct a baseline of normal traffic so that future logs can be compared against it, making aberrant behavior easier to spot should any suspicious activity occur.
- Enable logging on Office365 email. Enabling logs on email and the firewall is a relatively easy fix that would have made tracking this event much easier, or could even have prevented it from happening.
- Ensure strong passwords are in use. Though we could not confirm how the attacker entered the CEO’s email account, it was likely through a weak or compromised password. All of the employees changed their passwords as a result of the incident. Using complex passwords and changing them often would help prevent credentials from being compromised again.
- Strengthen wire transfer policy. It is good practice to require verbal confirmation of wire transfers.
- Improve organizational security awareness to assist all personnel in recognizing fake emails or other suspicious activity.
- Use a different means of communication than the one suspected to be compromised (in this case, email) when warning others about an incident, because continuing to use the compromised channel keeps feeding information to the attacker.
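The firewall recommendations above (egress filtering, logging, and a baseline of normal traffic to compare later logs against) only pay off if someone actually runs the comparison. The following is an added example, not something from the case or from RSM: it parses a constructed outbound-connection log, builds a per-host baseline of known destinations and daily byte volume from the earlier days, and then flags hosts in the later days that contact a destination never seen before or push far more data than their baseline. The log line format, hosts, addresses and the 10% floor on the volume threshold are all assumptions.

```python
"""Baseline-and-compare for outbound firewall logs.  Added example with a
constructed log format; not the organization's or RSM's data."""
import re
import statistics
from collections import defaultdict
from typing import Iterable, List, Tuple

# Assumed line format: "<date> <time> allow <src> -> <dst>:<port> bytes=<n>"
LOG_RE = re.compile(r"(?P<day>\d{4}-\d{2}-\d{2}) \S+ allow (?P<src>\S+) -> "
                    r"(?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)")

Record = Tuple[str, str, str, int, int]  # day, src, dst, port, bytes


def parse(lines: Iterable[str]) -> List[Record]:
    """Parse log lines, silently skipping anything that does not match."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append((m["day"], m["src"], m["dst"], int(m["port"]), int(m["bytes"])))
    return out


def build_baseline(records: List[Record]):
    """Per source host: the set of (dst, port) seen and mean/stdev of daily bytes."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, port, nbytes in records:
        dests[src].add((dst, port))
        daily[src][day] += nbytes
    stats = {}
    for src, per_day in daily.items():
        vals = list(per_day.values())
        mean = statistics.mean(vals)
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        stats[src] = (mean, sd)
    return dests, stats


def detect(baseline, records: List[Record], sigma: float = 3.0):
    """Alert on unknown hosts, new destinations and daily volume above mean + sigma*sd."""
    dests, stats = baseline
    daily = defaultdict(lambda: defaultdict(int))
    alerts = []
    for day, src, dst, port, nbytes in records:
        daily[src][day] += nbytes
        if src not in dests:
            alerts.append((day, src, f"host absent from baseline; contacted {dst}:{port}"))
        elif (dst, port) not in dests[src]:
            alerts.append((day, src, f"new destination {dst}:{port}"))
    for src, per_day in daily.items():
        if src not in stats:
            continue
        mean, sd = stats[src]
        # Floor the spread at 10% of the mean (assumption) so a flat baseline
        # does not alert on trivial day-to-day variation.
        threshold = mean + sigma * max(sd, 0.1 * mean)
        for day, total in per_day.items():
            if total > threshold:
                alerts.append((day, src, f"egress {total} bytes exceeds baseline {threshold:.0f}"))
    return alerts


# Constructed sample: five quiet baseline days, then one day with a large
# transfer from 10.0.0.15 to an address it has never contacted.
SAMPLE_LOG = """\
2019-03-01 09:12:04 allow 10.0.0.15 -> 203.0.113.7:443 bytes=4820
2019-03-02 09:15:41 allow 10.0.0.15 -> 203.0.113.7:443 bytes=5100
2019-03-03 08:58:19 allow 10.0.0.15 -> 203.0.113.7:443 bytes=4975
2019-03-04 09:03:50 allow 10.0.0.15 -> 203.0.113.7:443 bytes=5230
2019-03-05 09:10:02 allow 10.0.0.15 -> 203.0.113.7:443 bytes=4900
2019-03-01 10:00:11 allow 10.0.0.22 -> 203.0.113.7:443 bytes=3000
2019-03-02 10:02:37 allow 10.0.0.22 -> 198.51.100.20:25 bytes=3200
2019-03-03 10:01:05 allow 10.0.0.22 -> 203.0.113.7:443 bytes=2900
2019-03-04 10:04:48 allow 10.0.0.22 -> 198.51.100.20:25 bytes=3100
2019-03-05 10:00:59 allow 10.0.0.22 -> 203.0.113.7:443 bytes=3000
2019-03-08 09:11:27 allow 10.0.0.15 -> 203.0.113.7:443 bytes=5010
2019-03-08 02:41:09 allow 10.0.0.15 -> 198.51.100.9:443 bytes=250000
2019-03-08 10:03:14 allow 10.0.0.22 -> 203.0.113.7:443 bytes=3100
""".splitlines()


def run(lines=SAMPLE_LOG, baseline_end: str = "2019-03-05"):
    """Split the log at baseline_end (ISO dates compare as strings) and detect."""
    records = parse(lines)
    base = [r for r in records if r[0] <= baseline_end]
    current = [r for r in records if r[0] > baseline_end]
    return detect(build_baseline(base), current)


if __name__ == "__main__":
    for day, src, why in run():
        print(f"{day} {src}: {why}")
```

On the sample, only 10.0.0.15 alerts, once for the new destination and once for the daily volume; 10.0.0.22 stays within its own baseline and is silent. None of this is possible when logging is disabled, which is the situation the investigators found.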
Unfortunately, this is not an isolated incident. Cybercriminals are growing increasingly aggressive and shrewd in their tactics, and CEOs are a prime target. The FBI has released Public Service Announcements regarding attacks that it calls Business Email Compromises (BECs). Instead of directly stealing money from organizations, BECs get organizations to hand over the money themselves by deceiving them about where the money is really going. BECs often begin as phishing scams directed at high-level executives. These phishing emails often slip past spam filters because they are targeted at specific users rather than emailed to numerous recipients. They ask the executive to click on a link; if the user does, he or she may be prompted to enter credentials, or malware may be downloaded to the user’s computer. This gives the attacker access to the user’s actual email account for further exploitation, unbeknownst to the user. From there, the attacker uses that account to convince others to transfer money to the attacker’s account.
These tactics reveal that criminals are targeting executives because the payoff is high. The FBI reported that from October 2013 to August 2015 there were 7,066 U.S. victims, who lost a total of almost $750,000,000. These efforts are even more successful because the attackers often research the company ahead of time, so that they can effectively impersonate executives or clients during the attack. Cybercriminals specifically target companies that have overseas operations and regularly perform wire transfers, but they attack organizations of all sizes, not just the very large ones.
RSM had in fact worked with this client before this incident occurred, and we recommended certain security measures and assessments that could have identified and remediated these potential vulnerabilities. Unfortunately, these security recommendations were postponed until it was too late. Other organizations can learn from this incident. Security measures should be a top priority for all organizations because attackers are using increasingly sophisticated methods to deceive various levels of personnel in organizations of all sizes.