The Centripetal Blog

Baiting the Phisherman

Posted by Steven Rogers on May 20, 2016

A Centripetal Network sales person recently received an email that appeared to be from me, CEO Steven Rogers, requesting an immediate wire transfer in the amount of $32,780. Upon closer examination, the email originated from a similar domain, with one spelling change, Looking quickly, it is hardly noticeable and the email looks legitimate.

Thankfully, our salesperson had a keen eye, and he forwarded it to our security team for analysis. After ensuring the company network was safe and employees were aware of the attack, the security team planned to get to the root of the problem.

While this kind of attack does not seem complex, dangerous computer hackers and internet scams do not always have to be complicated. Simple ‘typos’ in an email domain name may be all a hacker needs to impersonate executives while attempting to trick employees into transferring money.

This type of phishing has become known as business email compromise (B.E.C) or whaling. The scammer researches employees who manage money, then uses language from the company to target organizations that commonly work with foreign suppliers, or companies that regularly perform wire transfer payments.

The Federal Bureau of Investigation stated this scam has cost companies more than $2.3 billion in losses over the past three years. Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss. This has gone global, law enforcement has received complaints from victims in every U.S. state and in at least 79 countries.

Our security team alerted the Secret Service and then proceeded to engage the attackers in several email exchanges, gathering key information about the plan, such as bank routing and account numbers, several user locations including Malaysia and Nigeria, and the name of an individual who was to receive the funds in Texas.

Of course, once engaged, our security team also set out to take down the operation that owned the misspelled domain name. What we found in doing this was a list of 77 other misspelled domains that the attackers had also commandeered.


Tags: Best Practice, Phishing, Security