1
A Year in the life of Direct Deposit Fraud
2
Outline
- Introduction
- An overview of the case
- Lessons Learned
- Questions
3
Case Overview
4
Preparation
- Very good log collection on central IT systems
- Nitro SIEM, but on its way out
- Cisco AnyConnect VPN
- Suricata listening on the border
- Netflow and DNS logging
- No full packet capture system
5
How I found out
From: Jimmy Lummis
To: Christopher Craig
Date: Monday, December 1, :52AM
Subject: Fwd: The VPN issue I called about
Over the Thanksgiving weekend, three users had contacted payroll to complain that their checks never cleared. On investigation payroll found that they were re-routed to another bank and contacted CyberSecurity for information on the VPN connections that made the changes.
6
What I found
From: Christopher Craig
To: Jimmy Lummis
Date: Monday, December 1, :23PM
Subject: Re: The VPN issue I called about
I think this is going to end up being a much bigger issue than we realize so far…
- 1 account on the VPN, from a Malaysian ISP, accessing 20 accounts in the accounting system
- The source IP had tried to access systems before but been caught by other controls
- At least 16 accesses to payroll suspect
7
How it started
From: Georgia Institute of Technology
Sent: Monday, November 10, :16 AM
To:
Subject: Message From Georgia Institute of Technology
One(1) new update
Click here, to view message.
Georgia Institute of Technology
8
It gets worse
- We knew about the phishing message, and that the sender’s account was compromised
- The sender had her direct deposit changed November 7 and had contacted payroll on to have it changed back.
- They asked her to change her password, but never contacted CyberSecurity.
9
Our reaction
- Contacted internal Executive Incident Response
- Contacted FBI and opened a case
- Notified users
- Reset passwords on all affected accounts
- Began watching for new VPN connections from the same ASNs.
The next day we find him using a new VPN connection from a new user.
10
The next day
Someone from Malaysia tries the account we knew about in the VPN. It fails. Then they use a new account we didn’t know about.
11
What Next?
Important to note that the goal was not prosecution (though I’m still hopeful we can achieve that). The goal was to keep him off our network.
- This isn’t most phishers
- What do I know about his behavior so far?
- What if all the Higher Ed Direct Deposit Incidents are the same actor?
Image: "Red and blue pill" by W.carter, CC BY-SA 4.0 via Wikimedia Commons
12
What do we know?
- The actor is staying on the same VPN account
- Other schools have had them in the system for months
- They seemed to learn about their targets
- Generally VPN users didn’t have payroll compromised
- VPN users were also the lowest paid users
- The source IPs I was seeing had been seen by others over the past year
- At other schools they had in the past:
  - waited until payroll cutoff to make changes
  - done searches of directory information to target higher paid employees
  - sourced emails in other universities
13
Tracking the actor
- Contacted the compromised VPN user and moved him to a different account.
- Contacted the networking group and assigned the user to their own VLAN in VLAN steering
- Started capturing all Suricata alert and metadata logs on that range
- Ran full packet capture of that VPN, which we also shared with law enforcement
- Pushed logs into a “community” Splunk> instance. (Because our real Splunk was still in the Purgatory of State Purchasing)
Image released by US Navy with ID N-1205W-002
14
Splunk!
- Pushed in VPN logs and Suricata metadata for the affected connections.
- Started identifying new compromised logins as fast as he made them.
- Found that the VPN was logging the client MAC address, and that it was consistent across all of the suspect connections:
  T03:21: :00 ipsec5.vpn.gatech.edu %ASA : DAP: User ppaul31, Addr : Session Attribute endpoint.anyconnect.macaddress["0"] = "f4-b7-e2-7b-32-9b"
- After this the bad guy stops using ppaul31 and moves to a new account that never accessed payroll.
- The account in question was a student with an unlisted number. It pays to have contacts in the registrar’s office before something like this happens.
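The MAC-address pivot described on this slide, as an added example that is not part of the original presentation: it parses constructed ASA DAP session-attribute lines in the shape shown above, normalizes the MAC, and lists every username seen from one endpoint, which is how a fresh login from the same device shows up even when that account has never touched payroll. The hostname, usernames, addresses and MACs are made up, and the %ASA-7-734003 message ID is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real data) in the shape of the ASA DAP
# session-attribute message from the slide; message ID 734003 is assumed.
SAMPLE_LOGS = """\
2014-12-02T03:21:05+00:00 ipsec5.vpn.example.edu %ASA-7-734003: DAP: User aa1, Addr 203.0.113.10: Session Attribute endpoint.anyconnect.macaddress["0"] = "f4-b7-e2-7b-32-9b"
2014-12-02T03:40:11+00:00 ipsec5.vpn.example.edu %ASA-7-734003: DAP: User jdoe4, Addr 198.51.100.7: Session Attribute endpoint.anyconnect.macaddress["0"] = "00-11-22-33-44-55"
2014-12-03T01:02:33+00:00 ipsec5.vpn.example.edu %ASA-7-734003: DAP: User bb2, Addr 203.0.113.44: Session Attribute endpoint.anyconnect.macaddress["0"] = "F4:B7:E2:7B:32:9B"
2014-12-03T01:05:00+00:00 ipsec5.vpn.example.edu %ASA-7-734003: DAP: User jdoe4, Addr 198.51.100.7: Session Attribute endpoint.anyconnect.tunnelgroup = "students"
"""

# Only the macaddress attribute line carries the endpoint identity.
DAP_MAC_RE = re.compile(
    r'DAP: User (?P<user>\S+), Addr (?P<addr>[\d.]+): Session Attribute '
    r'endpoint\.anyconnect\.macaddress\["0"\] = "(?P<mac>[0-9A-Fa-f:.-]+)"'
)

def normalize_mac(mac):
    """Canonical form: lowercase hex pairs joined by '-' (the ASA format),
    so colon, dot or upper-case variants still pivot to the same key."""
    hexdigits = re.sub(r'[^0-9a-f]', '', mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return '-'.join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def index_by_mac(log_text):
    """Map normalized MAC -> {username -> set of source addresses}."""
    index = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = DAP_MAC_RE.search(line)
        if not m:          # other DAP attributes or other messages: skip
            continue
        index[normalize_mac(m['mac'])][m['user']].add(m['addr'])
    return index

def accounts_for_mac(index, mac):
    """Every username seen from one endpoint, whatever the source IP."""
    return sorted(index.get(normalize_mac(mac), {}))

def shared_endpoints(index, min_users=2):
    """Endpoints that logged in under several usernames: the hunt query."""
    return {mac: sorted(users) for mac, users in index.items()
            if len(users) >= min_users}

if __name__ == "__main__":
    idx = index_by_mac(SAMPLE_LOGS)
    print(shared_endpoints(idx))   # {'f4-b7-e2-7b-32-9b': ['aa1', 'bb2']}
```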
15
OODA loop number 3
- Bad guy realized I was tracking his connections, but thought it was based on payroll
- Moved to a new VPN account that had never been used to attack Georgia Tech.
- The second VPN account was a student and was never used for any login other than the VPN.
16
Splunk analysis of outbound connections
17
Issues
- Outside of REN-ISAC members, getting reliable contact info for the Info Sec group at most universities is hard.
- It was great if there was contact information for somebody on whatever came up for a Google search for “information security” or “cybersecurity”. But that was rare.
18
What does a crime ring do on a VPN?
19
The gold mine
From: a_wire
To: info_s
Chat:
i go like work with you boss
you into wire right??
yes you??
i dey do wire, transfer and dating but need sure contact for wire work
i spam Mexico most time but not getting good resulf
i get singapore drops well
20
More Interesting Chats
okay bro bro i use use the husband and wife ? their w2?
21
Phishing University
From: j_1
To: z65
Chat:
OK but you have to buy the tools from me
And then I show you how to do it
What tools do i need ?
Rdp smtp ist scampage Shell
Lol...How much is everything ?
Total 100$ with tools and teaching
So what would you teach me how to spam ?
If i have to pay you for teaching i dont have buy all the toolz from you
You should buy the tools because I am the master
I spam for people bank logins for 500$
22
A bit of a scare
From: kathy
To: info_s
Chat:
Why is the FBI calling me?
What??!?
DELAY
Nevermind, it was about my husband’s pension.
23
Web searches
- paymentsandrefunds
- service-site
24
How many actors?
- 81 distinct MAC addresses (endpoints)
- 16 countries
25
Impact
We identified connections to 400 hosts at 120 institutions
26
Filing International Charges
I was hoping to talk about this at SPC last year, but then our subject moved out of the country, so we waited. When he moved back we flew to DC to give a statement at the embassy, which started the ball rolling on arrests.
Image: Some Rights Reserved (CC BY-NC-ND)
27
Two arrests were made by the Malaysian Royal Police in November of 2015
28
Financial Impact
- Over 700 credentials
- Access to over $1 million in paychecks per pay cycle
- Folders on over 120 schools
- Over 2000 W2s
- Countless other scams including credit card fraud, romance scams, retirement accounts, tax fraud, business …
29
What’s the point?
Won’t the next group just use some other VPN service?
Maybe, but if enough people shut them down on compromised VPN services they’ll have to start doing something like using stolen credit cards to buy them, which is more complicated for them.
30
Another Vector
From: President
To: Accountant
Reply-To:
Subject: Need Wire transfer
We're frequently seeing these with legitimate From addresses and faked Reply-To. When we started seeing these our team met with the people who are authorized to make wire transfers on behalf of the Institute. We were told they only authorize wire transfers with an in-person wet signature. What we weren't told is that they'll take a request from Person A on behalf of Person B, and Person A _will_ accept an email.
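A header check for the pattern on this slide (legitimate From, faked Reply-To), as an added example that is not from the presentation: it parses a constructed message with Python's standard email module and flags a Reply-To whose domain differs from the From domain. The people, addresses and domains are made up.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (made-up addresses) mirroring the slide: the From
# header looks internal, the Reply-To steers replies to an outside mailbox.
SAMPLE_BEC = """\
From: President <president@example.edu>
To: Accountant <accountant@example.edu>
Reply-To: President <president.example.edu@webmail-example.com>
Subject: Need Wire transfer

Are you at your desk? I need a wire sent out today.
"""

SAMPLE_NORMAL = """\
From: President <president@example.edu>
To: Accountant <accountant@example.edu>
Reply-To: President <president@example.edu>
Subject: Budget meeting

Same time next week?
"""

def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased; None if
    the header is absent or carries no @ (parseaddr reads only the first
    address, so a multi-address Reply-To is judged by its first entry)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def reply_to_mismatch(raw_message):
    """Return (from_domain, reply_to_domain) when Reply-To is present and
    points at a different domain than From; None when there is nothing to
    flag (no Reply-To, or a Reply-To at the same domain)."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain is None or reply_domain == from_domain:
        return None
    return (from_domain, reply_domain)
```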
31
Lessons Learned
32
Establish Contacts
- REN-ISAC was invaluable for security contacts.
- Establish a relationship with the FBI before you need it.
- Have a good relationship with your bank.
- Make sure your team has personal contacts in important campus units (HR, Registrar, Police, Payroll, Controller’s office…)
33
How to talk to the FBI
- Have certified incident handlers and forensic analysts
- Be able to create and retain forensic images
- Take advantage of briefings on ongoing threats and find out what sorts of attacks they’re interested in.
- If you’re a Cleared Defense Contractor, have cleared information security staff.
34
Know how badly you’re hacked.
- Know within Information Security how risk averse your institution is.
- Have contacts within Risk Management to be able to get quick approval within reasonable risk tolerances to investigate before starting mitigation.
- Don’t be too quick to give up intelligence to block the threat unless you know you’re actually blocking the threat. Other institutions blocked GT to clean up the mess, and continued to get compromised through other networks. Several institutions identified the source but continued to be hit for months as they cycled through accounts.
35
Don’t cycle passwords
Our logs show them retrying the same passwords about every six months.