View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 10, 2017updated 13 Feb 2017 10:45am

Verizon Data Breach Digest: How to protect your business from Fraud, Doxxing & Insider Threats

Learn from the real-life examples of others that have faced these issues.

By James Nunns

Rarely does a dull moment pass when you’re dealing with cyber security, mainly because it feels as though a new threat or data breach is just around the corner.

The messaging regarding cyber security and the threat of cyber-attacks has recently come in for some criticism, and while there certainly appears to be a growing fervour regarding the coverage of cyber security, the potential threat should not be dismissed as scaremongering.

The reality is, is that cyber-attacks happen constantly and the vast majority are either never reported, not big enough to make the news, or the victim simply doesn’t know that they are a victim.

The very real threat posed by cyber-attacks is highlighted in the latest Data Breach Digest (DBD) report from Verizon. The companion to the company’s annual Data Breach Investigations Report, the DBD contains different prevalent scenarios that occur at any given time.

The report looks at real world scenarios that have happened and looks at them from the investigative response point of view.

The DBD says: “Carrying forward from last year, we have come to realise that these data breach scenarios aren’t so much about threat actors, or even about the vulnerabilities they exploited, but are more about the situations in which the victim organisations and their IR stakeholders find themselves.”

CBR takes a look at the different scenarios so that you can learn from the experiences of others.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Down to the Wire

This situation is about fraudulent wire transfers – yes these still happen and it’s more common than you think.

Typically threat actors use social engineering tactics in order to fool someone into processing a fraudulent wire transfer.

This particular victim, a CIO, was informed that the finance department was missing an international tax form for a wire transfer that had happened three weeks prior. That missing form prompted the finance director to request it from the accountant who had originally submitted the request.

Unfortunately the accountant could not recall the details of the transaction.

The company’s wire transfer process requires its accounting team to first email an invoice that contains various details about the bank account information, invoice amount, type of services and so on. That is then reviewed and, if approved, it is sent on to the wire transfers department that then reviews and processes it.

The RISK Team was deployed and they found that the email domain was different from the corporate email by one character.

What transpired was that a domain, which was very similar to the company’s, had been registered a few days before the wire transfer emails were sent.

Further investigations revealed that numerous external IP addresses had been successfully logging into the accountant’s email using email web access.

What can be learned from this?
  • Require two-factor authentication for access to email from internet.
  • Prepend a marker (e.g., “subject: [External]…” to the subject line denoting externally originated emails.
  • Require secondary authorisation for wire transactions over a certain dollar amount.
  • Require Virtual Private Network access for telecommuters accessing the corporate environment.
  • Provide, at least annually, user security training.
The response should following these points:
  • Maintain sufficient logging of access to email accounts from external source.
  • Collect volatile data, memory dumps, and forensic disk images prior to system shutdown.
  • Encourage and recognise employees who report potential security issues.
  • Engage bank fraud investigators for assistance, when applicable.
  • Engage law enforcement for assistance, when applicable.
 Do you know how to respond to a Doxxing attack or Insider Threat?
An Executive Doxxing Match
The situation:

A multinational organisation had attracted negative attention following an unpopular company restructuring This resulted in a significant number of disgruntled employees and ex-employees and drew the attention of more than one hacktivist group.

The company was a soft target for hacktivism due to its sheer size and was exacerbated by the further risk of insider threat.

The Verizon RISK team was brought in to proactively gather threat intelligence, perform penetration testing, and be prepared should any online threat materialise.

It was found that the home address and personal details of executives were being actively sought by suspicious parties. Evidence appeared later that personal details for two executive had been found and were being shared online.

The company implemented its Incident Response Plan and the breach was reported to law enforcement before malicious parties could act on it.

Distributed Denial of Service (DDoS) attacks were attempted and the majority were thwarted. The Pen Testing Team worked with the RISK team to assess key assets and this identified vulnerabilities in web-facing servers, which could have proven catastrophic if noticed by hacktivists.

After two weeks of unsuccessful attacks, an attack was finally successful. One of the company’s websites was defaced and threats were made regarding the leaking of customer data. It was found that visitors were being redirected to another server hosting the message, rather than the URL being compromised.

Investigators went to the data centre containing the affected web server and no evidence of a breach existed.

It was later found that the domain registrar for the effected domain had been targeted in a social engineering attack. Basically the threat actor had impersonated a member of staff and gained access to the account and then modified the relevant DNS records.

What can be learned from this?
  • Stay off the radar of any potential hacker.
  • Base your defences, detection mechanisms and response capabilities on sound threat intelligence.
  • Implement a timely and effective path management program; conduct regular penetration-testing activities.
  • Use two-factor authentication, strong and varied password, as well as proper security awareness training for staff who manage the social media presence.
  • Protect account credentials by using a reputable domain name registrar that offers two-factor authentication or approved address whitelisting.
The response should follow these points:
  • Establish an Incident Response Plan early and then regularly review, test and update it.
  • Effectively scope and task prioritise; be prepared to manage simultaneous, yet distinct, incidents.
  • Confirm facts quickly and develop a remediation strategy and communicate this to your customers.
  • Consider legal and regulatory responsibilities in conjunction with advice from legal counsel.
Data Breach
The Broken Circle of Trust
The situation:

A law firm’s client, a regional water supplier, contacted the firm to discuss online account details that had been changed for several of their SME sized enterprise clients. Customer data was potentially compromised and advise was sought regarding their obligations regarding data protection.

The issue turned out to be more than a simple data breach as it was revealed that when customers had reset their passwords and regained access to their accounts, many noticed that the registered bank account details has been changed.

This meant that refunds due to customers were being fraudulently transferred to new bank accounts. It was later found that sums totaling over £500,000 had been redirected to two bank accounts in England.

Law enforcement was notified and so was the National Action Fraud Hotline in order to track down the bank account holder.

It was revealed that the banks had also been socially engineered and believed that the refunds were foreign deposits, which led to them to allowing the account holder to transfer 90% of the money to accounts in Dubai and the Bahamas as soon as payments arrived in the UK accounts.

Read more: Ransomware: #1 business cyber security threat or media hype?

The funds had been withdrawn and then used to purchase Bitcoin, which was then transferred to addresses associated with a Bitcoin laundering service. After this the trail went cold and law enforcement couldn’t identify a subject.

No malicious software was found and so it was decided that interviews with some of the people involved be carried out.

A third-party call centre in Mumbai was visited and a review of the CRM log files found that one user had accessed all the accounts that had been fraudulently refunded.

An investigation of the user’s CMS records confirmed this but there was no suggestion that data had been copied or that the refunds had been requested using this computer. The user was adamant that he was not involved and in order to prove it he signed an affidavit to permit the Verizon RISK team to examine his home computer.

The home computer revealed very little data, so little that it looked to have been systematically cleaned using data wiping software. However, the software did not fully clean the volume and shadow copies of data were recovered that revealed numerous emails between the employee and another individual – a cousin in the UK.

The emails revealed pictures of the fraudulent activity and the metadata in the photos revealed that they had been taken with a camera phone.

When presented with the evidence the user confessed to the crime and assisted in identifying accounts with over £1,000 in refunds stolen.

What can be learned from this?
  • Monitor corporate and guest network activity.
  • Take steps to reduce external device threats.
  • Keep tabs on sensitive data.
  • Be aware of changes in employee attitude/behaviour.
  • Establish a data classification policy and limit printing copies.
The response should follow these points:
  • Prepare and initiate your IR Plan in a timely manner.
  • Quickly scope and triage the incident.
  • Proactively communicate with affected entities.
  • Seek advice from legal counsel and contact law enforcement when the time is right.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.