Virtual Kidnapping Scam
This frightening extortion scheme is one in which victims truly believe their loved ones are at risk of violence and even death. Because of this belief, the victim pays a ransom to free their loved one. In reality, the loved one is simply out of contact for some reason and is often unaware of the scheme. If the victim did not make payment, the relative would eventually return or become reachable regardless. Unlike traditional abductions, virtual kidnappers have not actually kidnapped anyone. Instead, through deception and threats, they coerce victims into paying a quick ransom before the scheme is discovered and the loved one reappears. This is another form of social engineering attack, though not one we usually discuss, and it plays on the same emotions you might find in a phishing email: fear, uncertainty, and that ever-present clock counting down until bad things happen. A successful virtual kidnapping can stem from gaps in operational security (OpSec), such as actively sharing location data; pieced together, this information provides a public picture of a target’s life. Often all the attacker needs is passive monitoring of a target’s social media accounts. A malicious actor can review shared information to determine affluence, associations, friends and social activities, in order to time an attack and increase the likelihood of payment. If you are interested in learning more about this, read the FBI’s article on Virtual Kidnapping.
A CTI programme lives in a worst-case-scenario view, which includes relevant threat models and an understanding of the attack surface, along with the constraints. Implementing a CTI programme within an educational institution, especially one with a wealthy student body, would need to anticipate this virtual kidnapping scam along with traditional abductions. It would need to drive proactive actions such as recommendations and/or restrictions on public information and practices, and limiting who can view it. Whilst parents are naturally protective of their children, they are also proud and wish to share achievements, such as pictures of the first day of school in the new uniform, and these seemingly small mistakes can bring harmful consequences. Applying the threat model:
- Unfortunately, not all audience members viewing a photo of a uniformed child have the best intentions; it’s important to recognise what information a photograph can reveal.
- When sharing on social media platforms, be aware there’s a chance a profile is viewable to more than the intended audience; often there is no way to know everyone who viewed an image.
- Sites hosting images might not have a great track record, especially given what the general public now knows about the value of their data.
- Not all websites remove the metadata, i.e. hidden data on where/when a photo was taken.
- Not all photo editors change the underlying file when cropping; at times it is possible to restore the original version.
- Even when you limit your connections to known contacts, their profiles might not be as restricted, and/or can be used to reach information you didn’t realise was exposed.
- Limit locational information shared, such as through Instagram photos, until after you have left the location.
- Do not ‘check in’ to loved one’s homes or share details of your usual routine.
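Two of the points above, that hidden metadata records where and when a photo was taken and that editors do not always remove it, can be checked directly. The following is an added example, not code from the original article: a small, dependency-free Python script that walks a JPEG’s marker segments, reads the GPS position out of the Exif APP1 segment, and strips every APPn and COM segment before a photo is shared. The sample JPEG it parses is constructed in the script (a stub with no real pixel data) so the example runs offline; the tag numbers are from the Exif specification.

```python
import struct

# Exif/TIFF tag numbers used below (from the Exif specification)
GPS_IFD_POINTER = 0x8825
GPS_LATITUDE_REF = 0x0001
GPS_LATITUDE = 0x0002
GPS_LONGITUDE_REF = 0x0003
GPS_LONGITUDE = 0x0004


def _iter_segments(jpeg):
    """Yield (marker, start, end) per marker segment; SOS is yielded with
    end = len(jpeg) because entropy-coded image data follows it."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: everything up to EOI is image data
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def strip_metadata(jpeg):
    """Return a copy with APP1..APP15 (Exif, XMP, ...) and COM segments removed;
    pixel data and decoding tables are left untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _iter_segments(jpeg):
        if 0xE1 <= marker <= 0xEF or marker == 0xFE:
            continue
        out += jpeg[start:end]
    return bytes(out)


def _read_ifd(tiff, order, offset):
    """Parse one TIFF IFD into {tag: (type, count, 4 raw value bytes)}."""
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, order, entry):
    """Read the RATIONAL values an entry points to (degrees, minutes, seconds)."""
    _typ, n, value = entry
    (off,) = struct.unpack(order + "I", value)
    out = []
    for i in range(n):
        num, den = struct.unpack(order + "II", tiff[off + 8 * i:off + 8 * i + 8])
        out.append(num / den)
    return out


def gps_coordinates(jpeg):
    """Return (latitude, longitude) in decimal degrees from the Exif GPS IFD,
    or None if the file carries no GPS position."""
    for marker, start, end in _iter_segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = jpeg[start + 10:end]                 # TIFF header starts here
        order = "<" if tiff[:2] == b"II" else ">"   # byte order of the block
        (ifd0_off,) = struct.unpack(order + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, order, ifd0_off)
        if GPS_IFD_POINTER not in ifd0:
            return None
        (gps_off,) = struct.unpack(order + "I", ifd0[GPS_IFD_POINTER][2])
        gps = _read_ifd(tiff, order, gps_off)
        if GPS_LATITUDE not in gps or GPS_LONGITUDE not in gps:
            return None
        d, m, s = _rationals(tiff, order, gps[GPS_LATITUDE])
        lat = d + m / 60 + s / 3600
        d, m, s = _rationals(tiff, order, gps[GPS_LONGITUDE])
        lon = d + m / 60 + s / 3600
        if gps.get(GPS_LATITUDE_REF, (0, 0, b"N"))[2][:1] == b"S":
            lat = -lat
        if gps.get(GPS_LONGITUDE_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: a stub JPEG (no real pixels) whose Exif APP1 segment
    carries a little-endian ("II") GPS sub-IFD. Offsets are relative to the TIFF header."""
    o = "<"
    ifd0_off = 8                        # IFD0 directly after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4     # one IFD0 entry plus next-IFD pointer
    lat_off = gps_off + 2 + 12 * 4 + 4  # four GPS entries plus next-IFD pointer
    lon_off = lat_off + 8 * 3           # three 8-byte RATIONALs for latitude
    ifd0 = struct.pack(o + "H", 1)
    ifd0 += struct.pack(o + "HHII", GPS_IFD_POINTER, 4, 1, gps_off) + b"\0\0\0\0"
    gps = struct.pack(o + "H", 4)
    gps += struct.pack(o + "HHI", GPS_LATITUDE_REF, 2, 2) + lat_ref + b"\0\0\0"
    gps += struct.pack(o + "HHII", GPS_LATITUDE, 5, 3, lat_off)
    gps += struct.pack(o + "HHI", GPS_LONGITUDE_REF, 2, 2) + lon_ref + b"\0\0\0"
    gps += struct.pack(o + "HHII", GPS_LONGITUDE, 5, 3, lon_off) + b"\0\0\0\0"
    rationals = b"".join(struct.pack(o + "II", int(v * 1000), 1000)
                         for v in list(lat_dms) + list(lon_dms))
    tiff = b"II" + struct.pack(o + "HI", 42, ifd0_off) + ifd0 + gps + rationals
    app1 = b"Exif\0\0" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    sos = b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9"  # empty scan, then EOI
    return b"\xff\xd8" + app1 + sos


if __name__ == "__main__":
    photo = build_sample_jpeg((51, 30, 26.0), b"N", (0, 7, 39.0), b"W")
    print("before:", gps_coordinates(photo))
    print("after: ", gps_coordinates(strip_metadata(photo)))
```

Run on a real photo with `strip_metadata(open(path, "rb").read())` and write the result out under a new name; the stripped copy is what gets shared. Note that this removes the embedded Exif thumbnail as well (it lives in the same APP1 segment), which matters because some editors crop the main image but leave the thumbnail at full size.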
Providing Proactive Recommendations
Limit your audience, make sure you know who you’re sharing a photo and/or information with, and remove anything that you do not wish the world to know. When posting photos of children, make the conscious decision whether or not faces should be included – this is a decision both you and your child should be a part of. Remove or blur labelled items, and consider whether a blank wall is a better backdrop than the back garden.
Countering Business Email Compromise (BEC) attacks
Cyber criminals compromise email systems, often via poorly secured Office 365 or Outlook Web Access accounts. Sometimes these criminals use social engineering tactics to gain information about corporate payment or payroll systems. They can deceive company employees into transferring money into a new bank account, using an updated version of an invoice that was legitimate; this is also commonly referred to as an invoice redirection scam. The FBI reports that $3.5 billion was lost to cyber-crime in 2019, with Business Email Compromise noted as the leading category. CTI programmes would identify BEC attacks as a key risk to organisations, especially ones invoicing/paying many large accounts, and therefore analyse the processes and procedures for accounts payable/receivable. Requests to change the banking information on legitimate invoices, or even completely fictitious invoices in the first place, are all aspects of this sort of financial attack. For individuals, it could be as simple as discounted gift cards, where £10 buys £100 of card credit. Organisations large and small fall for this attack; a few examples you might have heard of are when Google paid $23 million and Facebook $100 million to criminals who simply sent them invoices. Another example, which involved misuse of position as well as fraud, was an insider threat who registered a company and invoiced his employer for hardware that didn’t exist, earning a total of £4.6 million over four years.
Providing the Proactive Recommendations
- Verify all requests to update or change banking, payroll or any financial information.
- Make this verification over known, previously confirmed secure communication channels – such as making a telephone call.
- Confirm the identity of the requesting individual using an out-of-band means, i.e. a telephone call to a known number.
- Never respond to any urgent request via email or chat without verifying and confirming the identity of the requestor. If they call you, ask to call them back on a known number; remember that even caller ID can be faked.
- If there are any suspicions, ask someone else to verify the transaction.
- Set up executives with code words or authorisation codes prior to an incident, and request them for further verification.
- Implement separation of duties, so no one person can sign off invoices.
- Have a job/role rotation schedule that limits a person’s capability to abuse their position. This rotation can include mandatory holiday leave.
Spotting an Attack Before it Occurs
There are a number of sources of information on the internet which can be leveraged as early warning of an impending attack. Being on the lookout for those signs is the primary job of a CTI programme. In order to conduct a typical cyber-attack, the malicious actor(s) must complete several steps, some of which can be noticeable: active information gathering, or even passive gathering if you are monitoring specific sources. A typical cyber-attack delivered by a phishing campaign against an organisation requires infrastructure. Sending the email, launching an exploit, deploying and controlling a Trojan and ordering it to download a ransomware payload, for example, all require infrastructure, either owned or obtained as software-as-a-service. Before the attacker interacts with the organisation’s environment, what can organisations look for? Consider an attack commonly seen in phishing emails: similar-looking domains. Known as typosquatting or URL hijacking, these attacks simply rely on typographical errors, small differences that go unnoticed and confuse users into thinking an email came from a legitimate sender or that a URL links to a legitimate site. RoseSec[.]com is legitimate whereas RoséSec[.]com is not: you can notice the accent over the e in this article, but could you see it on your phone with its smaller typeface? All of these fake domains, certificate registrations and hosted infrastructure are indicators of a malicious actor potentially getting ready to attack. Even if you remain unaware of this first layer, the early stages of a cyber-attack can also be detected. Malicious actor(s) have to gain system access, which involves interacting with your environment, making changes to systems and possibly even disrupting services. By identifying these signs, a good CTI programme can make recommendations like:
- Provide additional but tailored awareness training to employees with specific roles that may be impacted.
- Run an awareness campaign, such as advising users never to enter their credentials via a link launched from an email, but simply to navigate to known sites manually.
- Make use of password managers rather than saving credentials in-browser, and allow the password manager to identify whether a URL is known or unknown for an account.
- Alert the network team/email filter to block inbound and outbound communications from specific locations such as an IP address or domain name.
- Report the domain as malicious to the registrar, and investigate any host resolving to that domain and ask for that infrastructure to be taken down.
- Monitor data breach sources. Just like the previously mentioned intelligence feeds, these sources provide insight into data that could be used to compromise the organisation, i.e. credential stuffing and/or reuse. Signing up for alerting on resources such as HaveIBeenPwned.com allows organisations to become aware when one of their user accounts has appeared in a data breach, and therefore may require additional monitoring, password changes, and/or further restrictions depending on the account’s access.
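The RoseSec[.]com versus RoséSec[.]com comparison above is something a CTI programme can automate rather than leave to eyesight. The following Python script is an added example, not code from the original article: it takes a domain seen in a sender address, a URL or a newly-registered-domain feed, decodes punycode so the Unicode form is what gets compared, folds accents and common character look-alikes, and then measures edit distance (including adjacent transpositions) against the organisation’s own domains. It goes beyond the single accent case in the text by also catching TLD swaps and brand-embedding names. The legitimate-domain set and all sample domains are constructed for the example; the substitution table and distance threshold are assumptions to tune for your own brand names.

```python
import unicodedata

# Constructed sample: the domains the organisation owns.
LEGITIMATE = {"rosesec.com"}

# Look-alike pairs a small typeface hides (assumed list; extend for your brands).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold(label):
    """Strip accents (rosésec -> rosesec), lower-case, and collapse look-alikes."""
    label = unicodedata.normalize("NFKD", label)
    label = "".join(ch for ch in label if not unicodedata.combining(ch)).lower()
    for lookalike, plain in SUBSTITUTIONS:
        label = label.replace(lookalike, plain)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, so 'rosesce' is as close to 'rosesec' as 'rosesc' is."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _split(domain):
    # Assumes a two-label domain (brand.tld); production code would consult the
    # Public Suffix List to find the registrable part of longer names.
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify(candidate, legitimate=LEGITIMATE):
    """Return (verdict, reason); verdict is 'legitimate', 'suspicious' or 'unrelated'."""
    candidate = candidate.strip().rstrip(".")
    if "xn--" in candidate.lower():  # punycode: recover the Unicode form first
        try:
            candidate = candidate.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    candidate = candidate.lower()
    if candidate in legitimate:
        return "legitimate", "exact match"
    cand_label, cand_tld = _split(candidate)
    folded = fold(cand_label)
    for domain in legitimate:
        leg_label, leg_tld = _split(domain)
        if folded == leg_label and cand_label != leg_label:
            return "suspicious", "homoglyph/confusable of %s" % domain
        if folded == leg_label and cand_tld != leg_tld:
            return "suspicious", "TLD swap of %s" % domain
        dist = osa_distance(folded, leg_label)
        if dist <= max(1, len(leg_label) // 6):  # allow one more edit per ~6 chars
            return "suspicious", "edit distance %d from %s" % (dist, domain)
        if leg_label in folded:
            return "suspicious", "embeds brand %s" % leg_label
    return "unrelated", "no similarity to a legitimate domain"


if __name__ == "__main__":
    samples = ["rosesec.com", "rosésec.com", "rosésec.com".encode("idna").decode("ascii"),
               "r0sesec.com", "rosesce.com", "rosesec.co", "rosesec-billing.net", "example.org"]
    for s in samples:
        print("%-28s %s" % (s, classify(s)))
```

Feed `classify` the sender domain of inbound mail and the domains in any newly-registered-domain or certificate-transparency feed the programme subscribes to; a "suspicious" verdict is the trigger for the block, takedown and targeted-awareness recommendations listed above, not a verdict on its own.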
About the Co-Author: