Cybersecurity Awareness Month, Week 2: Gone Phishing

Blog by Chris Gausden, Arcanum Principal Consultant.

In the old days making money was quite easy for a criminal; you either mugged people, burgled their houses or bought yourself a sawn-off shotgun and robbed the nearest building society or post office. Times have changed, and with the development of modern digital technology and forensic science your chances of getting caught after committing one of these crimes have increased dramatically. Even the recent spate of cash machine thieves are probably working on borrowed time.

So, has cash theft stopped? Well, not really. In the same way that transfers of cash are now digital and almost instantaneous, so is its theft. Cyber theft takes place almost anonymously and evidence of the event is easy to conceal, as most organisations lack the ability to recognise and apply the required protections. Once the crime is perpetrated the “virtual” evidence can be removed or hidden and a series of confusing trails can be left behind for anyone trying to track the thieves, with little prospect of the funds being recovered. Well-organised groups of thieves, operating remotely from countries outside of the reach of international law, are actively carrying out criminal activities from any one of several countries[1] globally that do not naturally co-operate with foreign criminal investigations. Electronic theft of money on an industrial scale is routine, and significant sums are usually made up of a number of smaller e-crimes perpetrated globally on unwary victims.

A recent investigation into cyber theft was carried out by Arcanum, and the tortuous path to the truth of events was partly obscured by the cunning of the thieves and partly by the lack of preparation for such an event by the victim. Most of these incidents start in the recent past with a successful phishing attack that encourages an employee to give away their credentials (most often via cloud services and/or MS365 access). This leads to unexplained logins at odd hours from unusual IP addresses, which are noticed if event logging and alerting are enabled. The next phase is subtle reconnaissance by the intruder, using their new access credentials to look for anything that may be of value in the environment, such as credit card data, payment invoices, and correspondence about imminent business transactions that could be subverted. This is often supported by creating some mail rules on the account they have compromised to divert copies of “interesting” mail to a hidden folder that can then be discreetly unpicked and, if necessary, modified or exported. All of this is invisible[2] to the legitimate owner of the mail account unless they have set up logging and alerts and are monitoring user activity.

At a carefully planned juncture in a legitimate exchange of business emails, a believable invoice emailed from a recognised mail domain (recently created with a similar domain name give or take the odd extra letter) is received and paid. The slight variation in payee details is explained in the apparently legitimate e-mail. Once the deed is done and all housekeeping in the account completed, the intruders move on leaving few clues behind, with the possibility of returning briefly to see if the credentials they have still work or have been changed.
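The final step described above, an invoice from a domain that differs from a known one by the odd letter and carries changed payee details, can be checked before payment. The following is an added example, not code from the original post or from Arcanum; the supplier domain, account values and function names are all constructed for illustration.

```python
# Added example: pre-payment check for look-alike sender domains and changed
# payee details. All names and data here are constructed, not from the post.
KNOWN_SUPPLIERS = {  # hypothetical supplier record: mail domain -> account on file
    "northwind-supplies.example": "TEST-ACCOUNT-0001",
}

def edit_distance(a, b):
    """Levenshtein distance using a rolling one-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Domain part of an e-mail address, lower-cased, trailing dot removed."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def check_invoice(sender, payee_account, max_distance=2):
    """Return reasons to hold the payment; an empty list means no finding."""
    domain = sender_domain(sender)
    account = payee_account.replace(" ", "").upper()
    if domain in KNOWN_SUPPLIERS:
        # Genuine domain: only the payee details can have been altered.
        if account != KNOWN_SUPPLIERS[domain]:
            return ["payee account differs from the record for " + domain]
        return []
    findings = []
    for known, on_file in KNOWN_SUPPLIERS.items():
        d = edit_distance(domain, known)
        if 0 < d <= max_distance:
            # Near miss of a trusted domain: "give or take the odd extra letter".
            findings.append(f"sender domain {domain} is {d} edit(s) from {known}")
            if account != on_file:
                findings.append("payee account differs from the record for " + known)
    return findings or ["sender domain not in supplier records"]
```

Any non-empty result is a reason to confirm the payment details through a contact route already on file rather than by replying to the e-mail.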

In most circumstances the only purpose of a post-event investigation can be to establish what happened and to identify control measures to implement so that the same incident cannot easily happen again. Alternatively, you could employ a cyber security company to review your business processes and IT security configuration and settings to reduce the risk of it happening to you in the first place.