How to turn the tables on fake CEO scammers

Scammers should be just as cautious of PDFs as the rest of us.

How to turn the tables on CEO wire transfer scammers

CEO wire transfer scams (also sometimes known as whaling attacks, BEC, or Business Email Compromise) are becoming a big problem.

Scammers, impersonating a CEO or other high-up executive inside a company, send an urgent request to a more junior member of staff, urging them to forward sensitive information or transfer a large amount of money.

The problem is that no-one likes to say "no" to the big boss.

As a result, some companies have had many millions of dollars stolen from them - recently, for instance, I wrote about a European firm which lost 40 million Euros after it was targeted by an email scammer.

Security consultant Florian Lukavsky decided that it was time to fight back against attacks like this, and told the HITB conference how he created a booby-trapped PDF file, capable of grabbing information from any computer on which it was opened.

The Register takes up the story:

"Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters," Lukavsky says.

"We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information."

"We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook."

The information gathered was shared with police, who later arrested the perpetrators.

Lukavsky recommends that companies put in place a variety of organisational and technical defences to prevent themselves from becoming the victims of BEC.

These include:

  • Raising staff awareness of the threat, and of the common techniques used by scammers.
  • Defining processes for making legitimate payments.
  • Enforcing strict use of business email addresses for business purposes.
  • Not accepting emails that claim to come from your own domain when they arrive from mail servers outside your organisation.
  • Fully implementing email authentication (SPF, DKIM and DMARC), making it harder for criminals to spoof your company's domain name in the "From" field.
  • Using email signatures / encryption (S/MIME / PGP).
  • Marking external emails in the subject line.
  • Requiring strong authentication for webmail users.
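The three mail-gateway measures above (rejecting unauthenticated mail that claims your domain, relying on SPF/DKIM alignment rather than on the visible "From" address alone, and tagging external mail in the subject line) can be expressed as one small policy. The following is an added illustration, not code from the article or from Lukavsky's talk; it parses a simplified Authentication-Results header as an inbound gateway would stamp it, and `OUR_DOMAIN`, the sample messages and the `[EXTERNAL]` prefix are constructed assumptions.

```python
import email
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # constructed: the domain this gateway protects

def org_domain(name):
    # Relaxed alignment: mail.example.com and example.com count as one organisation.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    # Turn a (simplified) Authentication-Results header into {method: (result, domain)}.
    results = {}
    for clause in value.split(";")[1:]:  # the first clause is the authserv-id; skip it
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        domain = None
        for tok in tokens[1:]:
            if tok.startswith(("smtp.mailfrom=", "header.d=", "header.from=")):
                domain = tok.split("=", 1)[1].split("@")[-1]
        results[method] = (result, domain)
    return results

def aligned_pass(auth, method, from_domain):
    # A pass only counts if the authenticated domain aligns with the visible From domain.
    result, domain = auth.get(method, ("none", None))
    return result == "pass" and domain is not None and org_domain(domain) == org_domain(from_domain)

def classify(raw_message):
    # The three gateway outcomes: accept, reject, or keep but tag as external.
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if org_domain(from_domain) != OUR_DOMAIN:
        return "tag-external"  # genuine outsider: deliver it, but make that visible
    ok = aligned_pass(auth, "spf", from_domain) or aligned_pass(auth, "dkim", from_domain)
    return "accept" if ok else "reject"  # our own domain from an unauthenticated source

def displayed_subject(raw_message):
    # Subject as the recipient will see it: external mail gets a visible prefix.
    subject = email.message_from_string(raw_message).get("Subject", "")
    return "[EXTERNAL] " + subject if classify(raw_message) == "tag-external" else subject

# Constructed sample messages (not real traffic), as the gateway would see them.
SAMPLES = {
    "spoofed": "From: CEO <ceo@example.com>\nSubject: Urgent wire transfer\nAuthentication-Results: mx.example.com; spf=fail smtp.mailfrom=ceo@example.com; dkim=none\n\nPay now.\n",
    "genuine": "From: CEO <ceo@example.com>\nSubject: Q3 figures\nAuthentication-Results: mx.example.com; spf=pass smtp.mailfrom=ceo@mail.example.com; dkim=pass header.d=example.com\n\nHi.\n",
    "partner": "From: Bob <bob@partner.org>\nSubject: Invoice\nAuthentication-Results: mx.example.com; spf=pass smtp.mailfrom=bob@partner.org\n\nAttached.\n",
}
```

A real gateway would take these verdicts from its DMARC evaluator rather than re-parsing the header, but the decision table is the same: a "From" address in your own domain earns nothing on its own.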

For more information, check out the slides from Lukavsky's presentation.


8 Responses

  1. Nathan

    September 7, 2016 at 11:11 pm

    I've used the process of scamming the scammer. I did this when I was contacted by a scammer who was acting as a real estate agency for a property in Mexico. I reverse engineered the process and discovered that the scammer, who called himself Reverend John Tony, was actually Lillian Hernandez who lived in Yonkers, New York. I was able to get her bank account information and once I did, I called her bank and forwarded them the entire email thread. I also did the same with Yahoo. Rev Tony, a.k.a. Lillian Hernandez, vanished like a puff of smoke and I never heard from him/her again. Score one for a potential victim.

  2. Lisa B.

    September 8, 2016 at 2:40 pm

    Hmmm. PDF files to booby trap the scammers. How do we *really* know those PDF files at the end of the article are slides from Lukavsky's presentation?

    ;)

    All kidding aside, it's wonderful to hear when the scammer gets what he/she deserves.

  3. Gadget37

    September 8, 2016 at 3:00 pm

    The problem with this "Not accepting emails with your domain from foreign mail servers." is that this is precisely how email reflectors work. You work on a collaborative email server with other external companies and your own emails come back to you and your colleagues, sourced from your domain but redistributed. Blocking these causes a problem…

    • Bob in reply to Gadget37.

      September 9, 2016 at 6:23 pm

      If you use DKIM, DMARC and SPF in conjunction with each other then you won't find your emails blocked.

      It's best practice to configure these but seeing all three configured correctly is rare. It's not difficult and is mainly down to the incompetence of system administrators / lack of knowledge / use of legacy systems.

  4. Peter Freeman

    September 10, 2016 at 11:06 pm

    "Scammers should be just as cautious of PDFs as the rest of us"

    Quite so. Oh look, here's another Graham Cluley article with the title
    "Dell has acquired RSA – download a PDF to read all about it".

    A good thing I trust Graham not to mess with his loyal fans :)

    • Graham Cluley in reply to Peter Freeman.

      September 11, 2016 at 5:53 pm

      :)

      Did you read what I said in that other article? :)

      • Peter Freeman in reply to Graham Cluley.

        September 12, 2016 at 1:56 pm

        No, but I have now. Lol, you are exonerated and RSA is in the doghouse :)

  5. Michael G. Crooks

    September 13, 2016 at 11:08 am

    FYI – The live presentation by Florian Lukavsky, titled 'Fake President Fraud Defrauded', dated September 13, is available on YouTube. It is just over 28 minutes duration:
    https://youtu.be/HQwh5whOAr4
