Direct Deposit Phishing Attack
Brian Allen, brianallen@wustl.edu
Network Security Analyst, Washington University in Saint Louis
May 2014
Topics for Today
Brief overview of the Washington University network
Brief look at the first incident in Sept/Oct 2013
Brief look at the second incident in Jan/Feb 2014
Potential phishing defenses
Some examples of real phishing emails
Who attacked us?
Final thoughts
Washington University in St. Louis: Decentralized Campus Network
Diagram labels: Internet; NSS; NSO; Business School; Law School; Arts & Sciences; Medical School; Library; Social Work; Art & Architecture; Engineering School
NSS = Network Services and Support
NSO = Network Security Office
We have a decentralized campus network. The Internet comes into the department called NSS, which acts as the ISP for the University. NSS handles, among other things, the core routers, many of the switches, the main DNS servers, the main mail gateway, and all of the campus wireless. The Network Security Office sits inside NSS, and my team of one, namely me, works closely with NSS. Every department on campus runs their own IT show. Each one has their own staff, and each runs their own mail servers, web servers, computer labs, etc. This means I don’t have access to any of their devices.
Numbers from the Sept/Oct 2013 Attack
13 total victims
11 Medical School faculty
2 Business School faculty
11 had direct deposit info changed
1 account caught by the new HRMS blacklist and immediately blocked
Round 1a Phishing Attack
Round 1b Phishing Email
Numbers from the Jan/Feb 2014 Attack
17 users were victims
15 Medical School faculty or staff
1 Engineering School faculty
1 Law student
4 victims had their direct deposit info changed
7 users were protected by the blacklist
10 victims were logged into from new IP addresses, which were quickly added to the blacklist
Round 2 Phish Three Months Later
Criminals seemingly have a huge advantage: they send hundreds of phishing emails and only need ONE user to fall for it to succeed.
We can turn the tables on them: force the criminal to run through a gauntlet of defenses to succeed.
Reconnaissance Phase
Phishing Email Phase
Criminal Login Phase
HR/SSO Application Suggestions
Payroll Alerting Suggestions
Communication Suggestions
Phishing Examples
WUSTL Site or Phish Site?
WUSTL Site or Phish Site?
WUSTL Site or Phish Site?
Real Email or Phish Email?
Spammers log in and use account to send spam
Sept/Oct Attack 1
Jan/Feb Attack
Numbers from September/October:
13 total victims
11 Medical School faculty
2 Business School faculty
11 had direct deposit info changed
1 account caught by the new HRMS blacklist and immediately blocked
How Much $ Did the Criminals Get in October?
$97,210.28 total was transferred out
$91,470.53 was recovered by Payroll
$5,739.75 was lost
Numbers from the Jan/Feb Attack
17 users were victims
15 Medical School faculty or staff
1 Engineering School faculty
1 Law student
4 victims had their direct deposit info changed
7 users were protected by the blacklist
10 victims were logged into from new IP addresses, which were quickly added to the blacklist
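The two blacklist behaviours these numbers describe, denying logins from already-blacklisted IPs and learning the source IPs of new-IP logins that are followed by a direct deposit change, sketched as a review routine over constructed login and HR-change records. This is an added example, not the deck's or WUSTL's HRMS code; the record layout, the 24-hour window and the IP values (RFC 5737 test ranges) are assumptions.

```python
"""Review SSO logins against HR direct-deposit changes (added example, not WUSTL code)."""
from datetime import datetime, timedelta

# Constructed sample data; none of it is real WUSTL data.
BLACKLIST = {"203.0.113.7"}                       # IPs already denied at login
KNOWN_IPS = {"alice": {"198.51.100.5"},           # per-user baseline of familiar sources
             "bob": {"198.51.100.9"}}
LOGINS = [  # (user, ISO timestamp, source IP)
    ("alice", "2014-01-21T08:02:00", "198.51.100.5"),   # familiar source
    ("alice", "2014-01-21T11:40:00", "203.0.113.7"),    # blacklisted source
    ("bob",   "2014-01-22T09:15:00", "192.0.2.44"),     # never seen for bob
    ("carol", "2014-01-22T09:30:00", "198.51.100.5"),   # no baseline for carol
]
DD_CHANGES = [  # (user, ISO timestamp) of direct-deposit edits in the HR system
    ("bob",   "2014-01-22T09:20:00"),   # 5 minutes after bob's new-IP login
    ("carol", "2014-01-23T14:00:00"),   # 28.5 hours after carol's login: outside window
]

_t = datetime.fromisoformat


def review(logins, changes, blacklist, known_ips, window=timedelta(hours=24)):
    """Return (blocked logins, alerts, updated blacklist).

    blocked: logins whose source IP is already blacklisted (denied outright).
    alerts:  (user, login ts, ip, change ts) where a login from an IP never seen
             for that user is followed by a direct-deposit change within `window`.
    The IPs behind alerts are added to the returned blacklist.
    """
    blocked, alerts, learned = [], [], set()
    changes_by_user = {}
    for user, ts in changes:
        changes_by_user.setdefault(user, []).append(_t(ts))
    for user, ts, ip in logins:
        when = _t(ts)
        if ip in blacklist:
            blocked.append((user, ts, ip))   # denied at SSO; nothing to correlate
            continue
        if ip in known_ips.get(user, set()):
            continue                         # familiar source for this user
        for change in changes_by_user.get(user, []):
            if when <= change <= when + window:
                alerts.append((user, ts, ip, change.isoformat()))
                learned.add(ip)
    return blocked, alerts, blacklist | learned


if __name__ == "__main__":
    for item in review(LOGINS, DD_CHANGES, BLACKLIST, KNOWN_IPS):
        print(item)
```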
How Much $ Did the Criminals Get in January?
$0 total was transferred out
$0 was recovered by Payroll
$0 was lost
Thanks! Questions?
brianallen@wustl.edu