1
00:00:00,000 --> 00:00:08,080
Today on our Tech for Business podcast, we're joined by Nate, our Director of Cyber Security,

2
00:00:08,080 --> 00:00:12,320
and Andrew, our Security Incident Response Team Lead.

3
00:00:12,320 --> 00:00:17,600
This week, we're continuing incident scenarios and proactive measures you could take to prevent

4
00:00:17,600 --> 00:00:18,600
them.

5
00:00:18,600 --> 00:00:23,400
All personal information has been changed to protect confidentiality.

6
00:00:23,400 --> 00:00:32,680
So, before we dive in, just first up top, is there any terminology we need so that we

7
00:00:32,680 --> 00:00:34,960
can fully understand today's podcast?

8
00:00:34,960 --> 00:00:40,480
And then, if there was kind of a number one thing someone can do to prevent what we're

9
00:00:40,480 --> 00:00:42,640
talking about today, what that might be.

10
00:00:42,640 --> 00:00:45,680
I can talk.

11
00:00:45,680 --> 00:00:51,800
One of the acronyms that comes to mind is going to be BEC, Business Email Compromise.

12
00:00:51,800 --> 00:00:55,800
Someone logs in, gets into your email.

13
00:00:55,800 --> 00:01:00,600
Another one is IC3, and now I don't know that off the top of my head, so Nate, back me up.

14
00:01:00,600 --> 00:01:02,520
Internet Crime and Complaint Center.

15
00:01:02,520 --> 00:01:03,520
That one, okay.

16
00:01:03,520 --> 00:01:04,520
It's in the FBI.

17
00:01:04,520 --> 00:01:07,720
Yeah, yeah, I just didn't, yeah.

18
00:01:07,720 --> 00:01:09,320
Anyway, prevention.

19
00:01:09,320 --> 00:01:17,000
Specifically about email compromises, two huge things you can do are MFA and use security

20
00:01:17,000 --> 00:01:19,160
awareness training.

21
00:01:19,160 --> 00:01:24,800
Like teaching users how to react when they maybe get a phishing email, get a document

22
00:01:24,800 --> 00:01:27,560
they're not expecting.

23
00:01:27,560 --> 00:01:35,160
As well as not reusing passwords, don't accept random MFA prompts, things like that.

24
00:01:35,160 --> 00:01:40,720
Those are two huge things I think are very easy to implement that can give you a very

25
00:01:40,720 --> 00:01:45,320
good layer of protection.

26
00:01:45,320 --> 00:01:54,760
Obviously, we are changing the names and information just to protect the innocent in this, but

27
00:01:54,760 --> 00:02:02,680
I think Andrew wanted to jump in maybe and share our first scenario.

28
00:02:02,680 --> 00:02:12,720
Similar to our third organization from last week's podcast, this one is an actual compromise.

29
00:02:12,720 --> 00:02:17,920
From the user's mailbox, a wire transfer had gone out.

30
00:02:17,920 --> 00:02:24,280
The attacker had gotten into a mailbox and saw that the CEO was traveling.

31
00:02:24,280 --> 00:02:28,760
During that time, the CEO was in the air flying to China.

32
00:02:28,760 --> 00:02:38,200
They requested a wire transfer for $283,000.

33
00:02:38,200 --> 00:02:44,200
What ended up tipping it off was they came back for seconds for a second wire transfer.

34
00:02:44,200 --> 00:02:53,080
The user who sent the first wire transfer asked about the original wire transfer when the

35
00:02:53,080 --> 00:02:54,880
second one was going through.

36
00:02:54,880 --> 00:02:56,480
The CEO was like, no, that wasn't me.

37
00:02:56,480 --> 00:02:58,520
I didn't ask for any of that.

38
00:02:58,520 --> 00:03:04,920
Unfortunately, they did lose $283,000.

39
00:03:04,920 --> 00:03:11,040
It was a very painful learning experience.

40
00:03:11,040 --> 00:03:18,280
The core outcome of that one was that when that CEO was traveling and the threat actor

41
00:03:18,280 --> 00:03:23,480
knew that they were on the plane and said, I have a business deal that I need to close

42
00:03:23,480 --> 00:03:26,720
up before I get home.

43
00:03:26,720 --> 00:03:32,080
One of the big tip-offs here, if you ever see something like that, is to be cautious

44
00:03:32,080 --> 00:03:39,240
of anything that instills some type of urgency or action on your behalf or makes you emotional

45
00:03:39,240 --> 00:03:41,080
or something along those lines.

46
00:03:41,080 --> 00:03:45,240
It's one of the best indicators of some type of malicious email because they're trying

47
00:03:45,240 --> 00:03:50,240
to play to the emotions, which I'm not going to get into psychology or anything like that

48
00:03:50,240 --> 00:03:52,920
or neuroscience.

49
00:03:52,920 --> 00:03:58,360
When you start getting emotional, you tend to start cutting off that frontal lobe and

50
00:03:58,360 --> 00:04:04,320
the logical nature of it, and you start acting a lot more quickly.

51
00:04:04,320 --> 00:04:07,480
Threat actors intentionally play into that.

52
00:04:07,480 --> 00:04:12,280
Biggest thing, just be aware if you got emotional reading an email.

53
00:04:12,280 --> 00:04:17,240
Maybe not that someone's just mean, but if it instills some type of action.

54
00:04:17,240 --> 00:04:22,200
Another thing that I didn't talk about as far as the protection goes, when it comes to

55
00:04:22,200 --> 00:04:27,480
wire transfers, when it comes to bank account information changes, verify in two different

56
00:04:27,480 --> 00:04:28,480
ways.

57
00:04:28,480 --> 00:04:33,480
Yeah, you receive an email, talk to the person in person, call them from a known phone number,

58
00:04:33,480 --> 00:04:37,800
not in the email, but somewhere like you had them on speed dial, you had them in your

59
00:04:37,800 --> 00:04:40,920
Rolodex, whatever.

60
00:04:40,920 --> 00:04:43,600
Contact them in a separate way outside of that email.

61
00:04:43,600 --> 00:04:50,800
CIT, what we do is if a person has to change their bank account information, say they change

62
00:04:50,800 --> 00:04:51,800
banks.

63
00:04:51,800 --> 00:04:58,320
We send their paycheck through the snail mail.

64
00:04:58,320 --> 00:05:02,280
So then the user has a paper check in their mailbox.

65
00:05:02,280 --> 00:05:06,960
It's kind of an immediate tip off that maybe I didn't request this, and then things can

66
00:05:06,960 --> 00:05:07,960
be changed.

67
00:05:07,960 --> 00:05:14,440
When you said Rolodex, I was thinking of the old Palm Pilots, with the little stylus.

68
00:05:14,440 --> 00:05:18,480
Even older, the ones that you turned.

69
00:05:18,480 --> 00:05:19,480
Yeah.

70
00:05:19,480 --> 00:05:28,640
Kind of org five, just a second incident where we had an email compromise, someone sat in

71
00:05:28,640 --> 00:05:31,160
the mailbox for quite some time.

72
00:05:31,160 --> 00:05:36,440
Similar to last week when we talked about they can sometimes sit there for weeks or months,

73
00:05:36,440 --> 00:05:46,640
just waiting for the perfect opportunity to capture some type of desirable wire transfer.

74
00:05:46,640 --> 00:05:53,800
We had another organization that called us saying, I'm really concerned.

75
00:05:53,800 --> 00:05:57,640
Actually last week I talked about we've had people crying on the phone.

76
00:05:57,640 --> 00:06:00,000
This was one of the business owners.

77
00:06:00,000 --> 00:06:09,720
He called and was legit crying because he just lost $528,000 due to a fraudulent wire transfer.

78
00:06:09,720 --> 00:06:15,640
It's devastating to hear someone going through that stress, but being able to say, well,

79
00:06:15,640 --> 00:06:18,760
at least start taking the proper actions to help you out.

80
00:06:18,760 --> 00:06:22,520
Now, CIT, we can't guarantee you'll get those funds.

81
00:06:22,520 --> 00:06:24,160
They've already been sent off.

82
00:06:24,160 --> 00:06:29,120
Now that's up to the banks and the government and everything like that to help you out.

83
00:06:29,120 --> 00:06:32,720
But we helped them navigate the federal reporting.

84
00:06:32,720 --> 00:06:38,920
When Andrew had mentioned the IC3 or Internet Crime and Complaint Center, that is the FBI's

85
00:06:38,920 --> 00:06:42,680
division to report some type of cyber crime.

86
00:06:42,680 --> 00:06:47,440
They don't always get back to you, right, sometimes if it's a very, very minimal thing,

87
00:06:47,440 --> 00:06:51,800
like I got compromised on my email, you probably never will hear from it.

88
00:06:51,800 --> 00:07:01,640
In this case, because it was over $500,000 and it was to a different nation, the FBI

89
00:07:01,640 --> 00:07:06,440
was really engaged in that one and reached out and started working with them.

90
00:07:06,440 --> 00:07:07,960
Where was the wire transfer sent?

91
00:07:07,960 --> 00:07:09,280
What's your bank account info?

92
00:07:09,280 --> 00:07:10,800
Everything like that.

93
00:07:10,800 --> 00:07:14,880
They were actually able to stop that fund while it was traveling through some Canadian

94
00:07:14,880 --> 00:07:19,760
banks over to China and they actually received all that money back.

95
00:07:19,760 --> 00:07:25,920
My biggest takeaway there is even though it was processed, there is a chance you may still

96
00:07:25,920 --> 00:07:26,920
get it back.

97
00:07:26,920 --> 00:07:28,720
Now, there's no guarantees, right?

98
00:07:28,720 --> 00:07:31,800
We heard in the last example from Andrew that they didn't get that back.

99
00:07:31,800 --> 00:07:34,000
They lost a quarter of a million dollars.

100
00:07:34,000 --> 00:07:40,040
In this case, they got the half a million dollars back, but it required federal intervention

101
00:07:40,040 --> 00:07:45,360
and at that point, I'm assuming multiple nations to be able to coordinate that between all

102
00:07:45,360 --> 00:07:47,640
the different banks.

103
00:07:47,640 --> 00:07:50,480
As you're talking about that, I do want to add a little bonus one.

104
00:07:50,480 --> 00:07:54,280
Maybe this is more of a close call, but it would have been a successful wire transfer.

105
00:07:54,280 --> 00:07:59,760
I don't remember all the details of it, but let me step back a little bit.

106
00:07:59,760 --> 00:08:04,600
When a wire transfer goes through, the attackers will normally, it's to an account that

107
00:08:04,600 --> 00:08:08,040
they have control of, then they're going to hop it multiple times to multiple different

108
00:08:08,040 --> 00:08:12,520
banks all around the world, so it makes it impossible to pull it back.

109
00:08:12,520 --> 00:08:16,400
Then the last hop transfers to Bitcoin and it's gone.

110
00:08:16,400 --> 00:08:22,840
The attacker in this bonus close call, I guess, they had mistyped the bank account information

111
00:08:22,840 --> 00:08:24,840
by one digit.

112
00:08:24,840 --> 00:08:29,560
I think it's like $40,000 or something like that, but that one single mistype froze the

113
00:08:29,560 --> 00:08:33,280
funds because it was an incorrect bank account.

114
00:08:33,280 --> 00:08:41,360
People did get the money back, but it was the attacker mistyping which saved them.

115
00:08:41,360 --> 00:08:44,240
Human error, man.

116
00:08:44,240 --> 00:08:46,160
Human error never happens, right?

117
00:08:46,160 --> 00:08:47,160
Yeah.

118
00:08:47,160 --> 00:08:48,160
Wow.

119
00:08:48,160 --> 00:08:52,480
I feel like this month is all about, you know, September.

120
00:08:52,480 --> 00:09:00,040
We got some scary stories going on, but most important, so what do we do as a business?

121
00:09:00,040 --> 00:09:03,640
What are the key takeaways from this week's information?

122
00:09:03,640 --> 00:09:06,840
What do we set up so that we're not in this situation?

123
00:09:06,840 --> 00:09:17,160
Then a second part is, if this happens, why it might be important to slow down?

124
00:09:17,160 --> 00:09:24,360
I think people speed through a situation like this if it's happening to them.

125
00:09:24,360 --> 00:09:29,720
I think the first thing that comes to mind, so one of the best words of advice I've ever

126
00:09:29,720 --> 00:09:32,040
had for how do you best protect a network?

127
00:09:32,040 --> 00:09:37,360
It's focusing on where the prevention failures have happened in the past.

128
00:09:37,360 --> 00:09:45,880
When you take a look at both of these successful wire transfer attempts, they both failed because

129
00:09:45,880 --> 00:09:51,240
there was an account compromise in their email first.

130
00:09:51,240 --> 00:09:56,640
The first prevention failure is that the employee fell for a phishing email and gave up their

131
00:09:56,640 --> 00:09:57,640
credentials.

132
00:09:57,640 --> 00:10:02,400
That means that there's additional employee training that has to happen in that environment.

133
00:10:02,400 --> 00:10:08,400
The second prevention failure was that I believe in both of these cases, they didn't have a

134
00:10:08,400 --> 00:10:09,400
multi-factor enabled.

135
00:10:09,400 --> 00:10:16,160
I don't remember about the other one with the mistype on the wire transfer, but I believe

136
00:10:16,160 --> 00:10:20,000
in two of the cases, they didn't have a multi-factor.

137
00:10:20,000 --> 00:10:26,120
Even if they did, they still maybe accepted that multi-factor push to still allow someone

138
00:10:26,120 --> 00:10:27,120
in.

139
00:10:27,120 --> 00:10:32,480
Regardless, someone had to make their way into that mailbox to start monitoring those

140
00:10:32,480 --> 00:10:37,920
activities and wire transfer requests.

141
00:10:37,920 --> 00:10:41,080
That's the biggest thing: multi-factor, multi-factor, multi-factor.

142
00:10:41,080 --> 00:10:43,920
I literally have glasses that say multi-factor everything.

143
00:10:43,920 --> 00:10:46,960
It's that important.

144
00:10:46,960 --> 00:10:51,440
And then, Andrew, you kind of mentioned it before about the verifying wire transfers,

145
00:10:51,440 --> 00:10:56,640
but I don't know if you want to reiterate anything else there.

146
00:10:56,640 --> 00:11:01,480
If something doesn't sit right, question it.

147
00:11:01,480 --> 00:11:06,320
CEO says, hey, I can't talk right now.

148
00:11:06,320 --> 00:11:08,400
Can you please do this?

149
00:11:08,400 --> 00:11:09,400
Verify it.

150
00:11:09,400 --> 00:11:15,640
Nothing is going to be needed in the next two minutes that you can't maybe ask a question

151
00:11:15,640 --> 00:11:20,520
of one of your coworkers or ask maybe the CEO's secretary.

152
00:11:20,520 --> 00:11:27,440
Just ask questions if something doesn't feel right because it's worth the extra time to

153
00:11:27,440 --> 00:11:32,760
verify who you're talking to or verify the legitimacy before you complete a request.

154
00:11:32,760 --> 00:11:38,440
That's, as Nate had mentioned before, the attackers bring in the emotional urgency.

155
00:11:38,440 --> 00:11:39,680
I need this now.

156
00:11:39,680 --> 00:11:42,000
My cat died, whatever.

157
00:11:42,000 --> 00:11:45,200
Make you feel good, feel bad, whatever.

158
00:11:45,200 --> 00:11:50,400
So if something doesn't sit right, verify it.

159
00:11:50,400 --> 00:11:52,280
I just thought of one thing.

160
00:11:52,280 --> 00:11:54,400
This also comes in multiple flavors.

161
00:11:54,400 --> 00:12:00,800
So we keep talking about just business to business, wire transfer attempts.

162
00:12:00,800 --> 00:12:04,720
If you're an HR individual, one of the most common things that we see here is someone's

163
00:12:04,720 --> 00:12:11,400
spoofing one of your employees, emailing HR and saying, I want to change my payroll

164
00:12:11,400 --> 00:12:16,840
to a new bank account, and HR not validating that that employee actually wants to change

165
00:12:16,840 --> 00:12:18,960
their bank account.

166
00:12:18,960 --> 00:12:22,560
Sometimes they just go, yep, it looks like it came from their email, but it was spoofed

167
00:12:22,560 --> 00:12:25,400
from some other email address.

168
00:12:25,400 --> 00:12:28,680
And then they just go in and process it and all of a sudden the employee says, well, where's

169
00:12:28,680 --> 00:12:29,680
my paycheck?

170
00:12:29,680 --> 00:12:30,840
And then they start finding out.

171
00:12:30,840 --> 00:12:35,000
So it doesn't just have to be bank-to-bank or business-to-business transfers.

172
00:12:35,000 --> 00:12:36,000
It can be internal.

173
00:12:36,000 --> 00:12:40,520
So if you are in HR payroll, be very careful with those ones as well.

174
00:12:40,520 --> 00:12:44,120
Thanks to Nate and Andrew for joining us this week.

175
00:12:44,120 --> 00:12:47,520
If you enjoyed this podcast, please like and subscribe.

176
00:12:47,520 --> 00:12:52,400
If you have a question or topic you'd like us to discuss, reach out to us at info at

177
00:12:52,400 --> 00:12:58,520
cIT-net.com or head out to our website cIT-net.com slash podcast.

178
00:12:58,520 --> 00:13:20,800
And we'll be back next week with more incident scenarios.

