Tag: Cybercrime

Not that they knew him personally, but Taylor Huddleston, a 27-year-old from Hot Springs, Arkansas, was for a time very popular among the world’s cyber criminals, thanks to a malicious piece of software he created called NanoCore RAT.

That malware allowed hackers to steal sensitive information from victims’ computers, including account numbers and passwords, and even allowed them to secretly activate the webcams of infected computers to spy on unsuspecting victims.

“Basically, the malicious software compromises victim computers and steals information,” said a special agent from the FBI’s Washington Field Office who investigated the case. “The NanoCore RAT has the ability to control a victim’s computer.”

This type of malware—a Remote Access Trojan (RAT)—is all the more insidious because in most cases victims have no idea their computers have been compromised. According to court documents, NanoCore RAT was used to infect and attempt to infect more than 100,000 computers.

RATs are not only a threat to individual users but to commercial enterprises as well. And if hackers decide to target U.S. infrastructure using this malware, the agent said, “there is a potential for national security implications.”

Huddleston had the skills to develop malicious software. “There are many cyber criminals out in the world,” the agent said. “Many are not sophisticated in terms of developing a new malware. Instead, they would rather purchase malware to carry out their crimes.”

Read More

Today, federal authorities—including the Department of Justice and the FBI—announced a major coordinated law enforcement effort to disrupt international business e-mail compromise (BEC) schemes that are designed to intercept and hijack wire transfers from businesses and individuals.

Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.

A number of cases charged in this operation involved international criminal organizations that defrauded small- to large-sized businesses, while others involved individual victims who transferred high-dollar amounts or sensitive records in the course of business. The devastating impacts these cases have on victims and victim companies affect not only the individual business but also the global economy. Since the Internet Crime Complaint Center (IC3) began formally keeping track of BEC and its variant, e-mail account compromise (EAC), there has been a loss of over $3.7 billion reported to the IC3.

BEC, also known as cyber-enabled financial fraud, is a sophisticated scam that often targets employees with access to company finances and tricks them—using a variety of methods like social engineering and computer intrusions—into making wire transfers to bank accounts thought to belong to trusted partners but that are in fact controlled by the criminals themselves. And these same criminal organizations that perpetrate BEC schemes also exploit individual victims—often real estate purchasers, the elderly, and others—by convincing them to make wire transfers to bank accounts controlled by the criminals.

Foreign citizens perpetrate many of these schemes, which originated in Nigeria but have spread throughout the world.

During Operation WireWire, U.S. law enforcement agents executed more than 51 domestic actions, including search warrants, asset seizure warrants, and money mule warning letters. And local and state law enforcement partners on FBI task forces across the country, with the assistance of multiple district attorney’s offices, charged 15 alleged money mules for their roles in defrauding victims.

Read More

“Get down, this is a robbery!” That’s something no bank employee or patron wants to hear. In the past, bank robberies have resulted in thousands, even millions of dollars stolen in cash and gold (although the average yield for a bank robbery in the United States is only about $3,500, according to the FBI).

However, as money has become less physical and more digital, with credit cards and cryptocurrency rapidly replacing cash and coins, bank heists too have evolved from criminals physically breaching the walls of a bank with weapons and physical force, to hackers silently infiltrating the cyber infrastructure and funneling millions into their own accounts.

In one recent heist in Mexico, suspected to be a cyberattack, thieves stole as many as 300 million pesos ($15.4 million) through “phantom orders” to fake accounts, according to Reuters. This week, cybersecurity company Positive Technologies released a report describing how gangs execute sophisticated hacking campaigns against banks by taking advantage of social engineering and flawed security systems. The report also reveals the results of the company’s own penetration tests to show where these institutions may be falling short on protecting their networks and ultimately their funds.

This week I spoke with practice lead for governance, risk and compliance at TrustedSec, Alex Hamerstone, who works closely with large financial institutions doing cyber assessments and developing defense methods based on penetration test results, to gain more insight into bank vulnerabilities and security measures.

Read More

Latest Internet Crime Report Released

Beginning in 2015, the Internet Crime Complaint Center (IC3) forwarded multiple complaints to the FBI’s Houston Field Office regarding fraudulent offers of investment opportunities by perpetrators who impersonated U.S. bank officials and financial consultants over the Internet and telephone. Victims in various countries, including the U.S., were deceived into believing they would receive millions of dollars from joint ventures with certain U.S. banks if they paid up-front fees—ranging from tens of thousands to hundreds of thousands of dollars—to participate. According to court documents, victims lost more than $7 million collectively in this scam.

The complaints submitted by victims to the IC3 helped investigators uncover this elaborate international advance fee and money laundering scheme, and in February of this year, six individuals were federally charged in Houston in connection with the scam.

The IC3, which has received more than 4 million victim complaints from 2000 through 2017, routinely analyzes complaints like these and disseminates data to the appropriate law enforcement agencies at all levels for possible investigation. The IC3 also works to identify general trends related to current and emerging Internet-facilitated crimes, and it publicizes those findings through periodic alerts and an annual report.

And today, the IC3 is releasing its latest annual publication—the 2017 Internet Crime Report—which reveals that the center received more than 300,000 complaints last year with reported losses of more than $1.4 billion.

Read More

Nine Iranians were accused Friday of orchestrating years of cyberattacks on U.S. government agencies, the state of Indiana and hundreds of universities and businesses here and abroad in one of the largest state-sponsored hacking cases ever charged by the Justice Department.

A series of federal indictments and financial sanctions against Iranian individuals, charging them with cyber activity against the United States, were announced by Deputy U.S. Attorney General Rod Rosenstein. Federal prosecutors say the Iranians and an Iranian hacker network called the Mabna Institute illegally accessed Indiana state government computers and the computer systems of 144 U.S. universities.

Rosenstein and Justice Dept. officials would not name the 144 universities targeted by hackers in Iran, but numerous Midwestern universities are popular U.S. college destinations for Iranian students, including the University of Illinois. At U of I, Iranian enrollment has jumped in recent years.

Federal agents said the hackers gained access to university databases and college library systems by using stolen login credentials belonging to university professors.

A spokesperson for U of I told the I-Team that as far as she knows, Illinois’ flagship university was not among those hacked.

American government officials said they’ve determined that the nine Iranians, in cooperation with the Islamic Revolutionary Guard Corps, were behind the hacking effort.

Investigators found 320 universities around the world were attacked along with several U.S. government entities, including the Department of Labor, United Nations, and the Federal Energy Regulatory Commission, they said. The Iranians allegedly targeted more than 100,000 email accounts of professors around the world. About half of the 8,000 compromised accounts belonged to professors at U.S. universities.

Read More

The cyberwar between the west and Russia has escalated after the UK and the US issued a joint alert accusing Moscow of mounting a “malicious” internet offensive that appeared to be aimed at espionage, stealing intellectual property and laying the foundation for an attack on infrastructure.

Senior security officials in the US and UK held a rare joint conference call to directly blame the Kremlin for targeting government institutions, private sector organisations and infrastructure, and internet providers supporting these sectors.

Rob Joyce, the White House cybersecurity coordinator, set out a range of actions the US could take such as fresh sanctions and indictments as well as retaliating with its own cyber-offensive capabilities. “We are pushing back and we are pushing back hard,” he said.

Joyce stressed the offensive could not be linked to Friday’s raid on Syria. It was not retaliation for the US, UK and French attack as the US and UK had been investigating the cyber-offensive for months. Nor, he said, should the decision to make public the cyber-attack be seen as a response to events in Syria.

Joyce was joined in the call by representatives from the FBI, the US Department of Homeland Security and the UK’s National Cyber Security Centre (NCSC), which is part of the surveillance agency GCHQ.

The US and UK, in a joint statement, said the cyber-attack was aimed not just at the UK and US but globally. “Specifically, these cyber-exploits were directed at network infrastructure devices worldwide such as routers, switches, firewalls, network intrusion detection systems,” it said.

“Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations.

Read More

A nationwide law enforcement action aimed at shining a light on those who use the dark web to buy and sell illegal opiates has resulted in hundreds of interactions and arrests of individuals who may have considered their seemingly anonymous online transactions beyond the reach of authorities.

The FBI-led enforcement action last week, named Operation Disarray, is part of a recently launched Department of Justice initiative to disrupt the sale of opioids online and was the first operation of its kind to occur simultaneously in all 50 states.

“The point of Operation Disarray,” said Special Agent Chris Brest, who helped organize the effort from FBI Headquarters, “is to put drug traffickers on notice: Law enforcement is watching when people buy and sell drugs online. For those who think the Darknet provides anonymity,” he explained, “you are mistaken.”

Darknet marketplaces resemble legitimate e-commerce sites, complete with shopping carts, thousands of products, sales promotions, and customer reviews. But the Darknet sites’ drop-down menus direct customers to cocaine, heroin, fentanyl, and other illegal drugs.

The marketplaces are accessed through a type of software that claims to make the buyer and seller anonymous. Drug users anywhere in the world can sit in front of a computer screen and, with a click of the mouse, buy narcotics without having to risk a face-to-face interaction. “Drug trafficking is changing,” Brest said. “The environment is moving from real-world to the virtual realm, and it’s on the rise.”

Such unfettered access to illegal drugs, said Special Agent Eric Yingling, who specializes in Darknet investigations from the FBI’s Pittsburgh Division, “can accelerate someone’s addiction because the drugs are so easy to obtain. It also facilitates a low barrier of entry to becoming a trafficker,” he explained. “We see a number of individuals go from consuming to becoming distributors because they’ve become comfortable using the marketplaces. Anyone who owns a computer could potentially be involved in this type of activity.”

Read More

State-Sponsored Cyber Theft

Nine Iranian citizens—working at the behest of the government of Iran—have been charged in a massive computer hacking campaign that compromised U.S. and foreign universities, private companies, and U.S. government entities, including the Department of Labor and the Federal Energy Regulatory Commission.

The hackers were affiliated with the Mabna Institute, an Iran-based company created in 2013 for the express purpose of illegally gaining access to non-Iranian scientific resources through computer intrusions. Members of the institute were contracted by the Islamic Revolutionary Guard Corps—one of several entities within the Iranian government responsible for gathering intelligence—as well as other Iranian government clients.

During a more than four-year campaign, these state-sponsored hackers “compromised approximately 144 U.S.-based universities and 176 foreign universities in 21 countries,” said FBI Deputy Director David Bowdich during a press conference today at the Department of Justice in Washington to announce the indictments. When the FBI learned of the attacks, he said, “we notified the victims so they could take action to minimize the impact. And then we took action to find and stop these hackers.”

Initially, the cyber criminals used an elaborate spearphishing campaign to target the e-mail accounts and computer systems of their victims, which in addition to the universities included nearly 50 domestic and foreign private-sector companies, the states of Hawaii and Indiana, and the United Nations.

According to the indictments unsealed today in a Manhattan federal court, the hackers stole more than 30 terabytes of academic data and intellectual property—roughly three times the amount of data contained in the print collection of the Library of Congress.

“Their primary goal was to obtain user names and passwords for the accounts of professors so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on,” said a special agent who investigated the case from the FBI’s New York Division. “That information included access to library databases, white papers, journals, research, and electronic books. All that information and intellectual property was provided to the Iranian government,” he added.

Read More

International organized crime and drug trafficking groups were dealt a blow by the takedown of an encrypted communication service they used to plan and commit their crimes, the FBI and its international partners announced yesterday.

Canada-based Phantom Secure was a criminal enterprise that provided secure communications to high-level drug traffickers and other criminal organization leaders. The group purchased smartphones, removed all of the typical functionality—calling, texting, Internet, and GPS—and installed an encrypted e-mail system, so the phones could only communicate with each other. If a customer was arrested, Phantom Secure destroyed the data on that phone, which is obstruction of justice under U.S. law. In an attempt to thwart law enforcement efforts, the company required new customers to have a reference from an existing user.

Given the limited functionality of the phones and the fact that they only operate within a closed network of criminals, all of Phantom Secure’s customers are believed to be involved in serious criminal activity. Most of Phantom Secure’s 10,000 to 20,000 users are the top-level leaders of nefarious transnational criminal organizations in the U.S. and several other countries, and the products were marketed as impervious to decryption or wiretapping.

“Working with our international partners in Australia and Canada, we learned that these phones have been used to coordinate drug trafficking, murders, assaults, money laundering, and all sorts of other crimes,” said Special Agent Nicholas Cheviron of the FBI’s San Diego Division, who investigated the case along with U.S. and international counterparts. “By shutting down Phantom Secure, criminals worldwide no longer have that platform to conduct their dangerous criminal activities.”

In collaboration with the Australian Federal Police, Royal Canadian Mounted Police, and law enforcement agencies in Panama, Hong Kong, and Thailand, Phantom Secure’s founder and chief executive Vincent Ramos was arrested in Bellingham, Washington, on March 7. Four of Ramos’ associates are fugitives. They are charged with conspiracy to distribute narcotics and Racketeer Influenced and Corrupt Organizations (RICO) Act violations.

Read More

“ESG recently published a new research report titled, The Life and Times of Cybersecurity Professionals, with its research partner, the Information Systems Security Association (ISSA).

The research looks closely at the ramifications of the cybersecurity skills shortage — beyond the obvious conclusion that there are more cybersecurity jobs than people with the right skills and background to fill these jobs.

As part of this research project, ESG and ISSA wanted to understand whether the cybersecurity skills shortage is a contributing factor to the constant wave of security events experienced by large and small organizations.

To that end, 343 cybersecurity professionals (and mostly ISSA members) were asked if their organizations had experienced a security incident over the past two years (i.e. system compromise, malware incident, DDoS attack, targeted attack, data breach, etc.). More than half (53 percent) admitted that their organization had experienced at least one security incident since 2015. It is also noteworthy that 34 percent responded with “don’t know/prefer not to say,” so the percentage of organizations experiencing a security incident is likely much higher.

4 factors contributing to cybersecurity incidents

Those survey respondents confessing to a security incident were then asked to identify the factors that contributed to these events. The data reveals that:

- 31 percent say a lack of training for non-technical employees. This indicates that employees are probably opening rogue attachments, clicking on malicious links, and falling for social engineering scams, leading to system compromises and data breaches. Clearly, firms are not dedicating the people or financial resources necessary to provide ample cybersecurity training and are suffering the consequences.

- 22 percent say the cybersecurity team is not large enough for the size of their organization. Boom, direct hit. In an earlier blog post, I revealed some data about the implications of the cybersecurity skills shortage, including an increasing workload on staffers and a myopic focus on emergency response at the expense of planning and strategy. The data also exposes that the skills shortage leads directly to more security incidents, which lead to business disruption, negative publicity and data breaches.

- 20 percent say business and executive management tend to treat cybersecurity as a low priority. The lack of suitable business oversight on cybersecurity was a consistent theme throughout the ESG/ISSA research. It remains true that business executives are overlooking their fiduciary (and moral) cybersecurity responsibilities. Based upon this data, we can anticipate some massive GDPR fines in the second half of 2018.

- 18 percent say the existing cybersecurity team can’t keep up with the workload. Another direct hit — the workload is too big, and the staff is too small.

Breach detection, proactive threat hunting, and incident response tend to be people-intensive processes dependent upon advanced skills, so it’s logical to assume the cybersecurity skills shortage would have a profound impact here. The ESG/ISSA research proves there is a strong correlation here, so it’s safe to say that organizations with lots of open cybersecurity requisitions can expect a lot of malicious activity on the network.”

Read More