Thursday, March 28, 2019

Dissect Cyber wins major DHS S&T Award for their BEC Work

Congratulations to our great friends at Dissect Cyber for receiving the DHS S&T Global Award for their work on BEC scams!

The FBI has been warning companies for several years now that Business Email Compromise (BEC) scams are one of the top forms of cyber crime when measured by the volume of dollars stolen.  A single BEC scam can often lead to six-figure and even seven-figure losses!  According to a June 2018 BEC report from the Internet Crime Complaint Center, so far the FBI has documented $12,536,948,299 in losses stolen from 78,617 businesses.

Dissect Cyber decided that the best way to attack these scams and help protect those at-risk companies was to create an early warning system called Cyber Notify, based on their analysis of the vulnerable (and detectable) points of a BEC scam that is ABOUT TO HAPPEN!  To understand why their solution is so powerful, let's look at how a BEC fraud group is structured.

BEC Org Charts

Some of the leading experts in Business Email Compromise have documented the significant role in these scams played by West African cyber criminals.  Experts such as John Wilson, Crane Hassold, and Ronnie Tokazowski at Agari are doing some great work investigating BEC scam actors to learn more about how they commit their crimes.  The SecureWorks experts are documenting the role of malware in BEC crimes, and produced a great chart explaining the roles of the various actors, reproduced here from their report "Golden Galleon: How A Nigerian Cybercrime Crew Plunders the Shipping Industry."

SecureWorks BEC Org Chart
In that document, American researchers assigned names to each of the roles that make up a BEC scam.  One of those roles in the SecureWorks report is "Cloner" which is described as the person who "Registers domain names for impersonating email addresses."

The West African fraud experts at AA419 (Artists Against 419) provide a similar chart, but label their content based on the names the fraudsters use themselves.  In their diagram, the role SecureWorks calls the "Cloner" carries the name used within the West African fraudster community: a "Faker Maker."  While they do create domain names that closely imitate real organization names to be used in email, they often are also responsible for creating entire fraudulent organizations, complete with corresponding web sites, in order to facilitate their fraud, including fake travel agencies, fake government organizations, fake shipping companies, fake job websites, and fake lotteries.

AA419 BEC Org Chart
The AA419 staff did an excellent blog post explaining the critical role of The Faker Maker in December 2017.

Enter Dissect Cyber and Cyber Notify

I've known and worked with April Lorenzen, the founder of Dissect Cyber and Zetalytics, and her staff and products for many years.  She has been passionate about building tools for law enforcement and investigators to quickly understand the relationships between domain names, their name servers, and the IP addresses which host them.  She's also been generous enough to share her tools with researchers in my lab, including sharing them with our UAB Cyber Detective Camp last summer!  Whether we are doing phishing investigations, malware investigations, or illicit pharmaceutical investigations, Dissect Cyber has been a great partner!

Based on the organizational charts above, what Dissect Cyber realized was that the PRECURSOR events to a new BEC attack often involve the creation of a "look-alike domain" that imitates the company being targeted.  We've blogged many times about how BEC attacks work, such as our article "Business Email Compromise: Putting a Wisconsin Case Under the Microscope."  Often, as in two of the victim cases described in the Wisconsin case, the criminals are monitoring the emails of key executives, having already planted email-stealing malware on their computers, watching for an opportunity when they are traveling or otherwise unavailable.  During that scheduled outage, an employee will receive an "urgent command" that they must quickly pay an invoice, wire some funds for a merger, or complete some other large financial transaction.  Because the email comes from a domain that is VERY SIMILAR to the true email domain, the employee often does not realize that this is not really The Big Boss, and they will comply with the financial transfer order they receive.

This is where Dissect Cyber comes in.  Because they have full visibility of EVERY NEWLY CREATED DOMAIN ON THE INTERNET, they created the Cyber Notify system to check each new domain to see if it might be a counterfeit look-alike domain.  If so, their team of highly trained and vetted professionals (at the moment, all members of the alert team are military veterans) reach out to the imitated organization to help them understand that they may be about to be targeted with a BEC attack.
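To make the "check each new domain" step concrete, here is an added example (my own illustration, not Dissect Cyber's code and not a description of how Cyber Notify works internally) that screens a constructed feed of newly created domains against a constructed list of protected organizations and reports which registrations deserve a warning call:

```python
"""Look-alike domain screening over a newly registered domain feed.

Added example, not Dissect Cyber's code.  The protected list, the
homoglyph table and the feed below are constructed sample data.
Assumes two-level domains, so the registrable label is the first part.
"""
from typing import List, Optional, Tuple

# Constructed list of organizations we want to protect (assumption).
PROTECTED = ["examplecorp.com", "acme-shipping.com"]

# Character swaps that make a counterfeit label read like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def label(domain: str) -> str:
    """Registrable label without TLD, lowercased, hyphens dropped."""
    return domain.lower().split(".")[0].replace("-", "")


def fold(text: str) -> str:
    """Collapse look-alike characters so 'exarnplec0rp' compares as 'examplecorp'."""
    for src, dst in HOMOGLYPHS.items():
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(new_domain: str, protected: List[str] = PROTECTED) -> Optional[Tuple[str, str]]:
    """Return (imitated_domain, reason) if new_domain looks counterfeit, else None."""
    if new_domain.lower() in {p.lower() for p in protected}:
        return None  # the organization's own registration
    cand = fold(label(new_domain))
    for real in protected:
        target = fold(label(real))
        if cand == target:
            return (real, "homoglyph or hyphen variant")
        if levenshtein(cand, target) <= 1:
            return (real, "one-character typo")
        if target in cand:
            return (real, "brand name with added words")
    return None


def screen_feed(feed: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify over newly created domains; return (domain, imitated, reason) alerts."""
    alerts = []
    for domain in feed:
        hit = classify(domain)
        if hit:
            alerts.append((domain, hit[0], hit[1]))
    return alerts
```

Each alert is a candidate for a human analyst to confirm before contacting the imitated organization; a one-character distance or a brand-in-label match is a strong signal, not proof of intent.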

According to the press release from Dissect Cyber, this work has helped 1,500 companies avoid losing $407 million that the scammers who created these fake domains had requested be wire transferred!  Priority notifications are given to those companies that are part of the nation's Critical Infrastructure as defined by DHS.  Why?  While the techniques broadly used by West African scammers to steal money account for the majority of the financial losses reported by the team, the scarier fake domain attacks may come from foreign nation state actors who are using the techniques refined by the West Africans to send dangerous emails that could have an impact on anything from our power grids to our water supply to employees of those critical infrastructure companies!

Congratulations, Dissect Cyber!  I hope that Cyber Notify will grow, expand, and continue to innovate in ways to help us all protect our vulnerable small and medium-sized businesses from fraud, while also protecting our Critical Infrastructure businesses from nation state espionage hackers!
