Download - Phishing: A Direct Deposit to the Criminal World (236905935)

Direct Deposit Phishing Attack

Brian [email protected]

Network Security AnalystWashington University in Saint Louis

May 2014

Topics for Today

• Brief overview of the Washington University network

• Brief look at first incident in Sept/Oct 2013• Brief look at second incident in Jan/Feb 2014• Potential phishing defenses• Some examples of real phishing emails• Who attacked us?• Final thoughts

Washington University in St. Louis

NSS

NSO

Business School

Law School

Arts & Sciences

Medical School

Engineering School

Internet

Decentralized Campus NetworkNSS = Network Services and SupportNSO = Network Security Office

Library

Social Work

Art & Architecture

Numbers from Sept/Oct 2013 Attack:

• 13 total victims• 11 Medical School faculty• 2 Business School faculty• 11 had direct deposit info changed• 1 account caught by the new HRMS blacklist

and immediately blocked

Round 1a Phishing Attack

Round 1b Phishing Email

Numbers From Jan/Feb 2014 Attack

• 17 Users were victims– 15 Medical Faculty or Staff– 1 Engineering School Faculty– 1 Law Student

• 4 Victims had their Direct Deposit info changed• 7 Users were protected by the Blacklist• 10 Victims were logged into from new IP

addresses which were quickly added to the Blacklist

Round 2 Phish Three Months Later

Criminals seemingly have a huge advantage

They send hundreds of phishing emails and only need ONE user to fall

for it to succeed

We can turn the tables on them

Force the criminal to run througha gauntlet of defenses to succeed

Reconnaissance Phase

Phishing Email Phase

Criminal Login Phase

HR/SSO Application Suggestions

Payroll Alerting Suggestions

Communication Suggestions

Phishing Examples

WUSTL Site or Phish Site?

Real Email or Phish Email?

Spammers log in and useaccount to send spam

Sept/Oct Attack 1

Jan/Feb Attack

Numbers from September/October:

• 13 total victims• 11 Medical School faculty• 2 Business School faculty• 11 had direct deposit info changed• 1 account caught by the new HRMS blacklist

and immediately blocked

How Much $ Did the Criminals Get in October?

• $97,210.28 Total was Transferred Out• $91,470.53 Was Recovered by Payroll• $5,739.75 Was Lost

.

$0.00

$20,000.00

$40,000.00

$60,000.00

$80,000.00

$100,000.00

$120,000.00

$97,210.28

$91,470.53

$5,739.75

LostRecoveredTotal

Numbers From Jan/Feb Attack

• 17 Users were victims– 15 Medical Faculty or Staff– 1 Engineering School Faculty– 1 Law Student

• 4 Victims had their Direct Deposit info changed• 7 Users were protected by the Blacklist• 10 Victims were logged into from new IP

addresses which were quickly added to the Blacklist

How Much $ Did the Criminals Get in January?

• $0 Total was Transferred Out• $0 Was Recovered by Payroll• $0 Was Lost

• Thanks!• Questions?• [email protected]