Phishing: A Direct Deposit to the Criminal World (236905935)

Direct Deposit Phishing Attack
Brian Allen, [email protected]
Network Security Analyst, Washington University in Saint Louis
May 2014

Description

In the fall of 2013, Washington University in St. Louis was hit with a phishing attack targeted primarily at medical faculty. The criminals used the compromised credentials to change direct deposit bank account information to steal money. The university quickly made changes to defend against this threat and rethought the current incident response capabilities to better handle widespread attacks. In this presentation, we will walk through the incident to see how and why it was so successful and will discuss steps to detect and prevent these types of incidents.

OUTCOMES:
• Understand how this criminal campaign worked from beginning to end
• Learn what defenses can be put into place to disrupt the various phases of this type of attack
• Be able to better defend against phishing attacks

http://new.educause.edu/events/security-professionals-conference/2014/phishing-direct-deposit-criminal-world


Page 1: Phishing: A Direct Deposit to the Criminal World (236905935)

Direct Deposit Phishing Attack

Brian Allen, [email protected]

Network Security Analyst
Washington University in Saint Louis

May 2014

Page 2

Topics for Today

• Brief overview of the Washington University network
• Brief look at first incident in Sept/Oct 2013
• Brief look at second incident in Jan/Feb 2014
• Potential phishing defenses
• Some examples of real phishing emails
• Who attacked us?
• Final thoughts

Page 3

Washington University in St. Louis

[Network diagram: Decentralized Campus Network. NSS = Network Services and Support; NSO = Network Security Office. Nodes shown: Internet, NSS, NSO, Business School, Law School, Arts & Sciences, Medical School, Engineering School, Library, Social Work, Art & Architecture]

Page 4

Numbers from Sept/Oct 2013 Attack:

• 13 total victims
• 11 Medical School faculty
• 2 Business School faculty
• 11 had direct deposit info changed
• 1 account caught by the new HRMS blacklist and immediately blocked

Page 5

Round 1a Phishing Attack

Page 6

Round 1b Phishing Email

Page 7

Page 8

Numbers From Jan/Feb 2014 Attack

• 17 Users were victims
  – 15 Medical Faculty or Staff
  – 1 Engineering School Faculty
  – 1 Law Student
• 4 Victims had their Direct Deposit info changed
• 7 Users were protected by the Blacklist
• 10 Victims were logged into from new IP addresses, which were quickly added to the Blacklist

Page 9

Round 2 Phish Three Months Later

Page 10

Page 11

Page 12

Criminals seemingly have a huge advantage

They send hundreds of phishing emails and only need ONE user to fall for it to succeed

Page 13

We can turn the tables on them

Force the criminal to run through a gauntlet of defenses to succeed

Page 14

Reconnaissance Phase

Page 15

Phishing Email Phase

Page 16

Criminal Login Phase

Page 17

HR/SSO Application Suggestions

Page 18

Payroll Alerting Suggestions

Page 19

Communication Suggestions

Page 20

Phishing Examples

Page 21

WUSTL Site or Phish Site?

Page 22

Page 23

WUSTL Site or Phish Site?

Page 24

Page 25

WUSTL Site or Phish Site?

Page 26

Real Email or Phish Email?

Page 27

Page 28

Spammers log in and use account to send spam

Page 29

Sept/Oct Attack 1

Page 30

Jan/Feb Attack

Page 31

Numbers from September/October:

• 13 total victims
• 11 Medical School faculty
• 2 Business School faculty
• 11 had direct deposit info changed
• 1 account caught by the new HRMS blacklist and immediately blocked

Page 32

How Much $ Did the Criminals Get in October?

• $97,210.28 Total was Transferred Out
• $91,470.53 Was Recovered by Payroll
• $5,739.75 Was Lost

[Bar chart, y-axis $0.00 to $120,000.00: Total $97,210.28; Recovered $91,470.53; Lost $5,739.75]

Page 33

Numbers From Jan/Feb Attack

• 17 Users were victims
  – 15 Medical Faculty or Staff
  – 1 Engineering School Faculty
  – 1 Law Student
• 4 Victims had their Direct Deposit info changed
• 7 Users were protected by the Blacklist
• 10 Victims were logged into from new IP addresses, which were quickly added to the Blacklist
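The two defenses these numbers credit for the January outcome, an HRMS login blocklist of addresses seen in the earlier campaign and quick alerting when a direct-deposit change comes from an IP the user has never logged in from, can be modelled over a handful of log lines. The script below is an added example written for this transcript; it is not the university's code and nothing in it comes from the slides. The log format, field names, user names, IP addresses, login history and blocklist are all constructed for illustration. It serves both this slide and the earlier Payroll Alerting Suggestions slide.

```python
"""Constructed example: login blocklist plus new-IP alerting on direct-deposit changes.

Models two defenses described in the deck (not the university's implementation):
  1. reject HRMS logins from IP ranges seen in the earlier attack, and
  2. alert on a direct-deposit change made from an IP the user has never
     logged in from, then queue that IP for the blocklist.
Every value below is made up for the example.
"""
import ipaddress

# Constructed log lines: "<timestamp> <user> <event> <ip> [detail]"
SAMPLE_LOG = """\
2014-01-20T08:01:00 alice login 10.10.1.5
2014-01-20T08:03:00 alice dd_change 10.10.1.5 acct=****1234
2014-01-21T02:14:00 bob login 203.0.113.7
2014-01-21T02:15:00 bob dd_change 203.0.113.7 acct=****9876
2014-01-21T02:20:00 carol login 198.51.100.9
2014-01-22T09:00:00 dave login 10.10.2.8
2014-01-22T09:05:00 dave dd_change 10.10.2.8 acct=****5555
"""

# Constructed blocklist: a range the earlier (Sept/Oct) campaign logged in from.
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed per-user history of IPs seen before this log window.
KNOWN_IPS = {
    "alice": {"10.10.1.5"},
    "bob": {"10.10.3.3"},
    "carol": set(),
    "dave": {"10.10.2.8"},
}


def parse_line(line):
    """Split one constructed log line into a dict."""
    ts, user, event, ip, *rest = line.split()
    return {"ts": ts, "user": user, "event": event, "ip": ip, "detail": " ".join(rest)}


def is_blocked(ip, blocklist=BLOCKLIST):
    """True if the address falls inside any blocklisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def extend_blocklist(blocklist, ips):
    """Return a new blocklist with each flagged IP added as a single-host network."""
    return list(blocklist) + [ipaddress.ip_network(ip) for ip in ips]


def analyze(log_text, blocklist=BLOCKLIST, known_ips=KNOWN_IPS):
    """Return (blocked_logins, alerts, new_ips).

    blocked_logins: login events the blocklist would have rejected
    alerts: direct-deposit changes made from an IP absent from the user's history
    new_ips: sorted IPs behind those alerts, ready to be added to the blocklist
    """
    blocked, alerts, new_ips = [], [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["event"] == "login":
            if is_blocked(ev["ip"], blocklist):
                blocked.append(ev)
        elif ev["event"] == "dd_change":
            # The attack pattern: a bank-account change from an address
            # the legitimate user has never used. History is deliberately
            # not updated by the login itself, or the check would be moot.
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                alerts.append(ev)
                new_ips.add(ev["ip"])
    return blocked, alerts, sorted(new_ips)


if __name__ == "__main__":
    blocked, alerts, new_ips = analyze(SAMPLE_LOG)
    for ev in blocked:
        print(f"BLOCKED login {ev['user']} from {ev['ip']} at {ev['ts']}")
    for ev in alerts:
        print(f"ALERT direct deposit change {ev['user']} from new IP {ev['ip']} ({ev['detail']})")
    print("add to blocklist:", new_ips)
```

In the sample, carol's login is rejected by the existing blocklist, bob's change from an unfamiliar address raises the payroll alert and queues that address, and alice's and dave's changes from their usual addresses pass quietly. In a real deployment the alert would go to payroll for out-of-band confirmation before the change takes effect, and the history set would be fed from genuine SSO logs rather than the constructed table above.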

Page 34

How Much $ Did the Criminals Get in January?

• $0 Total was Transferred Out
• $0 Was Recovered by Payroll
• $0 Was Lost

• Thanks!
• Questions?
• [email protected]