Sophisticated corporate email attacks are gaining popularity, as evidenced by this FBI warning of April 13, 2021. In this article I will walk through that warning, including the material submitted by IC3, and describe realistic fraud schemes in detail so that anyone can fully understand this issue: how it works and, above all, why it works.
The Internet Crime Complaint Center (IC3) is receiving a growing number of complaints from fraud victims whose funds are diverted, converted into cryptocurrency and then passed on to the fraudsters. Consider the following figures: in 2020, IC3 processed over 791,790 complaints, 69% more than in 2019 and a record high. 19,369 of those complaints concerned compromised corporate mailboxes. People lost more than 1.8 million dollars, which is far higher than with other forms of fraud. The saddest part of the story is that this trend is expected to keep growing in 2021.
Why Crypto Wallets?
The defining feature of the cryptocurrency system is anonymity, which serves both to protect personal data and to enable fraud. Firstly, an attacker may hold many wallets, creating a separate address for each transaction and using it only once. The attacker may also use a hidden address: cryptocurrencies such as Monero, DASH or Zcash do not expose the sender, the receiver or the transaction details on their blockchain. Secondly, information on completed transactions is publicly available, but it never contains personal data (PII). Finally, the only thing displayed on such a network when a transaction is performed is the wallet address. Thus, the use of cryptography to protect communications and financial transactions provides a very high degree of anonymity.
‘I Was Not Going to Transfer Cryptocurrency, So How Did It Happen?’
There are two main attack schemes that use corporate email addresses to target organizations that deal with foreign partners and make regular electronic transfers in large amounts. Both schemes are described only in general terms in the FBI warning; here I will describe them in as much detail as possible, drawing on the material presented by IC3.
The usual targets are businesses with established, long-term supplier relationships. The cybercriminal either forges the email address of a company representative or hacks into their actual account, then sends the victim a fake email with detailed instructions for transferring funds. It sounds just like ordinary phishing, doesn’t it? Nevertheless, these attacks are considerably more complex: they sit at the intersection of technical and social-engineering methods of fraud and have several distinguishing features. Let’s take a closer look.
Now back to the theft of the funds. The transfer requested by the fraudster goes to a traditional financial institution where a cryptocurrency exchange holds a custodial account. Custodial accounts (also called depot accounts) exist to facilitate trading and exchange. The cybercriminal creates and configures, in advance, the crypto wallet into which funds arriving in the exchange’s custodial account will be automatically converted from fiat into cryptocurrency.
The main steps in this scheme are as follows:
The attacker, using a fake email address, sends the victim an email with detailed instructions for a transfer to the financial institution (bank) the payer normally uses.
That bank holds a depot (custodial) account belonging to the exchange, which is used to convert fiat cash into cryptocurrency and to facilitate exchanges between users.
When the victim transfers funds to that account, the money (in fiat) is automatically converted into cryptocurrency.
The cryptocurrency goes to the exchange and into the account of the attacker.
No cybercriminal (unless very inexperienced) will send the crypto address of the wallet involved in the transfer – that would be far too suspicious, wouldn’t it? In a ‘direct transfer’ it is hard for the victim to recognize the deception, since the scheme is virtually identical to a legitimate transaction, making it almost impossible to detect.
Transfer of the ‘Second Transition’
Here, social engineering plays a special role. Extortion, blackmail, romance scams and fake technical support form the basis of the transfer of the second transition. In essence it is an extension of the first scheme, but it allows the perpetrator to commit far larger thefts.
Let’s take a closer look at the main steps:
The cybercriminal interacts with Victim #1, coercing the individual into providing personal data such as an ID (passport or driver’s license). With this, the attacker can gain access to Victim #1’s account.
Using a forged email or Victim #1’s hacked email account, the fraudster writes to Victim #2 and sends details for a transfer to a bank account that currently belongs to Victim #1.
When Victim #2 transfers funds to this account, the money (in fiat) is automatically converted into a cryptocurrency.
Using the personal data obtained through coercion, the fraudster opens a crypto wallet in Victim #1’s name, into which the funds previously transferred to the bank’s custodial account have been converted into cryptocurrency.
Having access to Victim #1’s crypto wallet, the cybercriminal transfers the funds from that wallet to their own.
How Not to Become a Victim
In its recommendations, IC3 provides several remedies against the schemes described above. In my opinion, the following actions should guarantee your safety:
Most important of all: use two-factor authentication wherever possible, create a unique password for each of your accounts and regularly check your corporate email account for unauthorized changes.
Refrain from submitting your personal data via email. Use only protected communication channels!
Use a VPN or the Tor browser. This reduces the risk of your personal data leaking.
Pay special attention to orders from ‘the boss’ and to any letters from ‘the lawyers’. In legal practice there are often situations where a response to such a letter is 100 percent urgent and concerns a trade secret. The message is always the same – transfer funds secretly / provide confidential information.
Employee devices, including your own, must have settings enabled that display full email extensions (the sender’s complete address, not just the display name).
Always look closely at the domain name in hyperlinks – a look-alike domain may differ from the real one by a single, easily overlooked character, and that is what gives away the fake counterparty. So always check the URL.
And, of course, remember about the long-standing rules of protection against phishing.
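The two checks just described (is the full sender address visible, and does its domain differ from a known partner’s by one small detail) can be automated. The following is an added example, not code from the article or from IC3; the partner domains and the sample From: headers are constructed.

```python
from email.utils import parseaddr

# Constructed list of partner domains the company already pays (hypothetical).
TRUSTED_DOMAINS = {"acme-supplier.example", "globalparts.example"}

# Digits that are commonly swapped for look-alike letters in fake domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain):
    """Lower-case and undo the usual character swaps ('rn' for 'm', '1' for 'l')."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def osa_distance(a, b):
    """Edit distance counting substitutions, insertions, deletions and
    adjacent transpositions (optimal string alignment)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Classify a raw From: header value as trusted, lookalike, unknown or reject."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "reject", "no parseable address"
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted", domain
    for t in trusted:
        # One edit or one confusable swap away from a partner domain.
        if osa_distance(normalize(domain), normalize(t)) <= 1:
            return "lookalike", f"{domain} imitates {t}"
        # Display name shows the partner's address, but the real sender differs.
        if t in name.lower():
            return "lookalike", f"display name claims {t}, real domain is {domain}"
    return "unknown", domain
```

Anything classified as lookalike or unknown that carries new payment instructions should be verified with the partner through a channel other than email.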