Breaking Down a Breach – What Happened and How to React

Hello and welcome to the Breaking Down a Breach series! 

It's time to select a breach or cyberattack that has been in the news, analyze the information that is publicly available, and offer some recommendations for protecting your network against similar attacks. We will be looking at these attacks based on the five “P’s” of cyberattacks[i]:

  • Probe 
  • Penetrate 
  • Persist 
  • Pivot
  • Pilfer 

Our goal in this series is to uncover what happened, how it was accomplished, and what you can do with your environment to help protect yourself. Remember that there is no one ‘silver bullet’ for security! Rather, you have to build your technical measures in depth[ii] and, most importantly, develop a culture of security. There is no such thing as ‘My company is too small/large/unusual/whatever to be a target’. The cybercriminals know that you have something of value and will do whatever they can to get their hands on it.

Today, we will take a foray into the most troublesome and unfortunately effective tactics used by cybercriminals - phishing. Essentially, this type of cyberattack uses email and social engineering to ‘hack the human’, a much easier task than penetrating a network by technical means. There are a number of variations on this technique – business email compromise (“BEC”), spear phishing, and even whaling (yeah, I don’t know who thinks up these names…)

In October of this year, the city of Ocala, Florida suffered a loss of $500,000 due to a successful spear phishing scam[iii]. Let’s take a closer look…

What happened: An employee in a city department received an email that appeared to be from a construction company which was currently doing work for the city of Ocala. The email contained an invoice, coupled with a request to remit payment via electronic funds transfer to a specific bank account. The invoice was real – the city did, in fact, owe $640,000 to the contractor for work performed – but the bank account to which the funds were transferred was fraudulent. When the city discovered the fraud, there was still about $110,000 left in the fraudulent account which the city then recovered. Investigations are ongoing and few other details are known at this time.

How it happened: This story may lead you to believe that the fault lay with an inattentive staff member but reading between the lines reveals a tale that is more disturbing and, unfortunately, all too common. 

The first thing that struck me was this question – “How did the attacker spoof the email and produce a ‘legitimate’ invoice?” As stated earlier, investigation is ongoing, so the real answers regarding the Probe and Penetrate phases of this attack aren’t available; however, I will speculate on the methods used, based on knowledge of previous cybercriminal tactics.

First, since the contractor was working for a municipality, this relationship is a matter of public record. Likely, this was published in a local paper more than once – i.e. city council meetings, legal notices, or perhaps even articles. The attacker didn’t expend much effort to get the basic information. 

Secondly, getting an email, including addresses, signatures, and perhaps even an invoice from the contractor might have required little more than a phone call, posing as a city employee and directing that the email be sent to an alternate address – e.g. ‘My computer is down but you can send it to this gmail/Hotmail/ISP address…’ With a very small investment of time and work, the cybercriminal has completed the first phase of his reconnaissance. 

The next phase is to penetrate and pilfer by spoofing the email, sending it to the correct city department, set up a fraudulent bank account, and wait for the money to come in. Finding the correct department or even individual is once again pretty simple; the information may have been available from multiple sources, including legal notices in the paper, the city’s website, or even another phone call (FYI – I found email addresses, phone numbers, names and bios on the city website in about a second and a half. Not too hard to imagine how the cybercriminal got the necessary information.)

Obviously, the cybercriminal(s) found some pretty low hanging fruit here. The next question I ask myself is – “Why did this actually work?” This is where things get really frightening.  

  • The invoice and account were not confirmed. Once again, with sketchy details available (I am speculating), but it is pretty unusual for an electronic funds transfer to be requested to pay an invoice, especially for a municipality. Even had this been the agreed method of payment, a change in the receiving bank account should have been noticed and confirmed prior to payment. Simply picking up the phone and having a short conversation between the authorized contacts would have avoided this loss.
  • The ‘two-man’ rule was apparently not in effect or broke down. Standard accounting and security practices dictate that amounts exceeding the purchase or payment authority of any person be reviewed and authorized by at least two people in ascending order of authority. Simply put, payment should not have been issued without secondary review and approval. Even though the invoice appeared to be legitimate, the receiving bank account was clearly not.
  • Weak email security. There are DNS records which should be in place to improve mail server reputation to help prevent spoofing. In addition, a modern email security service using a sophisticated threat intelligence and behavior analysis filter would likely have caught and quarantined this attempt.
  • End user security education would have greatly improved the chances of avoiding this attack. Clearly, the end user in this case did not recognize this as a phishing attempt. 

There was no persistence or pivot steps to this attack. This was an obvious ‘snatch-and-grab’, but it could have just as easily contained a malware component to allow the cybercriminal access to internal systems.

What you can do to protect your company: Although this attack was fairly straightforward fraud for a payday, the reason it was successful can be attributed to a weak security culture and some missing or misconfigured technical controls. Here are a few lessons you can apply to your business which can help you protect your business:

  1. Be cautious of the information you post publicly – The Ocala city website[iv] contains an incredible wealth of information for a cybercriminal. While this is a website for a municipality and thus requires more openness than a typical business, it is best to eliminate direct contact links from your website, using contact forms and phone numbers where possible and requiring authentication for more privileged information. Networks Plus recommends that you should limit information you post to your website or social media accounts, including email addresses and process documentation. 
  2. Improved security processes and procedures – As mentioned above, the ‘two-man’ rule eliminates quite a bit of potential trouble sources, but it is not the only security practice that should be used. Make certain that you implement the principle of least privilege and separation of duties. When you develop security processes and procedures, make sure they are followed implicitly. Remember Horton’s Rules for Basic Security:
    1. STOP, LOOK, AND THINK before you react to anything.

    2. DON’T TRUST ANYTHING. VERIFY EVERYTHING.

  3. Advanced email security – Implementing strong email security is an absolute must to prevent phishing attacks. Networks Plus offers a very strong email security package and can help you get your DNS records configured properly.
  4. Supply Chain management – While you cannot control what your vendors do with their networks, you can and should exert your influence. Develop a minimum security standard which you require of your vendors, including procedures for invoicing. This is not fool proof, by any means, but does help both your company as well as the vendors to build a strong, secure relationship.
  5. Education – Once again, this breach all started with a phishing attack; not entirely surprising since 95% of attacks begin with a phishing email.[v] Make sure that you are training your entire company, including yourself, on security threats. Couple your training program with periodic tests to make sure that the lessons are being learned. Networks Plus partners with KnowBe4 to provide your organization top-notch security education and testing.

At Networks Plus, cybersecurity is our focus. We want to ensure that your company can prevent and recover from cyberattacks. Contact one of our Business Consulting team to discuss how our products and services can help you build a strong and resilient network for your business.

1 For more detail on the Five “P’s”, read the first Breach blog here: https://networksplus.com/breaking-down-a-breach
2 For more information, here is my blog: https://networksplus.com/defense-in-depth-a-primer
https://www.ocala.com/news/20191024/ocala-gets-scammed-in-spear-phishing...
https://www.ocalafl.org/home
https://blog.dashlane.com/phishing-statistics/