Workshop on online fraud and electronic payment frauds
Bucharest, 12-14 November 2018
Social engineering, BEC/CEO fraud: a challenge for investigators and prosecutors
www.coe.int/cybercrime
Agenda
• Overview
• Evolution of BEC
• Versions of BEC & Money Laundering Trends
• Investigative Avenues
• Private Sector Vulnerabilities
• Partnerships and prevention
BEC Statistics
• Oct 2013 – May 2016: Global Victims Reach 22,143 and $3,086,250,090 Loss Exposure!
• Oct 2013 – Dec 2016: Global Victims Increase to 40,203!
• Loss Exposure Bounds to $5,302,890,448!
• 72% Increase in 6 Months!
• More than 131 countries have recently been impacted by BEC!
CEO Impersonation
Security Breach Scams
Supplier Fraud
Other types of BEC
VERSION 1: REAL ESTATE TRANSACTIONS
• Email Intrusion
• Actor monitors progress of real estate transactions and changes the payment type (check to wire) or bank account details
VERSION 2: UNIVERSITIES WITH CONSTRUCTION CONTRACTS
• Spoofed Domains
• Actor impersonates construction firm and requests payment be routed to a new account
VERSION 3: AIRLINES
• Actor requests funds be sent to U.S. bank accounts
• Actor using address of a legitimate U.S. company in wire transfers
• Recently occurred in Canada and China!
Versions of BEC
VERSION 4: MICROSOFT OFFICE 365 CUSTOMERS
• Accounts Payable Manager of the company targeted with spear phishing email
• Redirected to harvesting site to reset Office 365 password
• Actor sent emails from Accounts Payable Manager (victim) to partner bank which manages bill payment
• Instructed funds to be sent to “actor-owned” account
BEC Evolution
• VICTIM: Companies with Chinese Business Relationships
• VECTOR: Intrusion (Man-in-the-Middle)
• FUNDS: Hong Kong & Mainland China Bank Accounts

• VICTIM: Companies from US (All Sectors)
• VECTOR: Spoofed Domain, Less Intrusion
• FUNDS: Global Bank Accounts

• VICTIM: Foreign Companies (All Sectors)
• VECTOR: Spoofed Domain
• FUNDS: Global Bank Accounts
Fraud Hints
• Direct contact by a senior official you are normally not in contact with
• Unusual request in contradiction with internal procedures
• Request for absolute confidentiality
• Use of particularly alarming tone by an IT/security officer
• Sudden change in contact/payment details of an international supplier
• Change occurring shortly after a significant order was placed or shortly before a deadline for payment
Prevention and Detection
How do fraudsters conceal their identity?
• Use forged documents with legitimate company logo/signatures obtained online
• Use copycat e-mail addresses
• Disguise the origin of the call through applications faking the caller’s identity (display the number of the service/individual they impersonate)
• Use VOIP and proxy servers to lower the risks of detection
• Use the services of illicit call centres based outside the EU
BEC Trends – Money Laundering
“Human Infrastructure” is key
• Domestic U.S. Accounts: Multiple “hops” before leaving US
• Romance Scam Mules: Increased use with domestic “hops”
• Prepaid Cards: Some can accept prepaid cards and wire transfers
• Cashier’s Check: Actor contacted bank client team and requested funds in the form of a cashier’s check
Digital Money
Future of BEC Money Laundering
• Global Partners Reporting Bitcoin!
• 3,989 Bitcoin ATMs
• 72 Countries
[Figure: Bitcoin ATM by continent]
Investigative Avenues
• Global & Domestic Money Recovery Processes
• X-Sender / Reply-To Email Accounts
• Summer Surge
• Malware & Keyloggers
• Spoofed Domains
• Phishing Emails/Domains
• Forums/Social Media Research – BEC Manuals
• Email Lists for Purchase
• Private Sector Insight
Malware & Keyloggers
• Predator Pain
• Redpill
• Hawkeye
• Limitless
• Olympic Vision
Spoofed Domains
Domain Categories
• Self-Named Fake Organizations
• Impersonating Legitimate Organizations
Targeting of Domains
• Legal Process to Tucows
• Replicate with BlueHost and 1&1
Data Usage
• Registrant information for fraudulent accounts
• Domains and IPs for DMARC and other email authentication tools
Compromised accounts
Case study – BEC Case and money laundering for 2 mil. Euro
• Funds redirected in China and Japan
• IP Addresses USA
• Source of the funds
• Destination of the funds
Thank you!
Ionut STOICA
Senior Project Officer
Cybercrime Programme Office (C-PROC)
Council of Europe
ionut.stoica@coe.int
www.coe.int/cybercrime