15 January 2016 Intelligence Briefing NOT PROTECTIVELY MARKED

Contents
Current Threats
Investigation Update
New Phishing Campaigns: Payment Advice (macro malware); 'Scanned Document' from MRH Solicitors
Avoid Being a Victim of Phishing
CEO Fraud and 'Whaling'
Legacy Systems, Old Hardware and Security
Action Fraud Reports from the South West Region
PBX Dial Through
Miscellaneous
CiSP
New non-protectively marked briefing
Investigation Updates: The South West Regional Cyber Crime Unit has recently completed an investigation into a series of cyber crime and fraud offences targeting a family-run farming business based in Gloucestershire and a transportation company based in London. The offenders set up websites in the names of the legitimate companies and then used those names, details and associated addresses to try to obtain credit with a variety of suppliers for a range of high-value goods. These attempts succeeded where suppliers did not complete full credit reference checks. The offenders also used a complex network of telephone numbers and addresses to further mask their identities.

Investigation Updates Continued… To reduce the chances of becoming a victim of this type of offence, please consider the following:
I. Be aware of your online digital footprint, especially when you do not have a company website. Are others setting up websites purporting to be you? Try searching for yourself or your company on Google.
II. If you are responsible for conducting credit checks on prospective customers, consider what measures you take to verify the legitimacy of the applicant. Do you use the details provided by the applicant to check on them? Do you use the telephone numbers they provide to make contact? Consider using independently verified details (e.g. from Companies House) to contact the prospective customer and confirm their identity.
If you suspect that you have been a victim of similar offences, please report it to Action Fraud.
Payment Advice – Macro Malware: We have received a recent report from an organisation in Bristol regarding a fake email containing a malicious Word document. The email appears to have been sent from a compromised account. If you receive it, do not open the attachment.
Description: Bhavani Gullolla Payment Advice – macro malware.
Headers:
From: Bhavani Gullolla
Subject: Payment Advice –
Attachment filename: doc
Message body (quoted as received, including the sender's spelling errors; addresses and reference values were not included in the report):
Dear Sir/Madam, This is to inform you that we have initiated the electronic payment through our Bank. Please find attached payment advice which includes invoice reference and TDS deductions if any. Transaction Reference : Vendor Code : Company Code :WT01 Payer/Remitters Reference No : Beneficiary Details : / Paymet [sic] Method : Electronic Fund Transfer Payment Amount : Currency :GBP Processing Date :11/01/2016 For any clarifications on the payment advice please mail us at OR call Toll Free in India between 9:00 am to 5:00 pm IST (Mon-Fri) OR contact person indicated in the purchase order. Regards, VHD Signature

Payment Advice – Macro Malware: The Word attachment contains a malicious macro aimed at Windows and Microsoft Office users. Once the document is opened and the macro runs, it has been seen to download either the Dridex or the Shifu banking trojan, both of which search for and collect online banking credentials. The macro cannot run until the recipient allows it: recent versions of Office open documents from email in Protected View with macros disabled, so a document that asks you to click 'Enable Editing' or 'Enable Content' before it will display correctly should be treated as malicious.
Advice: If you receive a suspected phishing email, do not open the attachment, as there is a high risk of infecting your system and network infrastructure. Do not reply to the email; report it to the appropriate people within your organisation, including network administrators and cyber security staff, and to Action Fraud. If you believe financial accounts may have been compromised, contact your financial institution immediately for advice. Make sure your anti-virus and anti-malware scanners are up to date.

'Scanned Document' – Macro Malware: We have received a second report of a fake email containing a malicious Excel spreadsheet. If you receive it, do not open the attachment. The email appears to have been sent from a compromised account.
Description: MRH Solicitors Scanned Document macro malware.
Headers:
From: MRH Solicitors
Subject: Scanned Document
Attachment filename: ScannedDocs.xls
Message body: Find the attachment for the scanned Document
Once opened, the Excel document has been seen to download either the Dridex or the Shifu banking trojan, both of which search for and collect online banking credentials. Please follow the advice in the previous section.
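Both campaigns above deliver their payload through a VBA macro inside a legacy binary Office file (.doc, .xls). A mail gateway or help desk can triage such attachments before anyone opens them by checking whether the container holds a VBA project at all. The following script is an added example and not code from the briefing or from the Cyber Crime Unit; it implements a lightweight heuristic (looking for the VBA storage names that a Compound File Binary Format document only contains when macros are present, and for vbaProject.bin inside the zip of a .docm/.xlsm), and the sample attachments it runs on are constructed stand-ins, not the real malicious files. For real triage, a full parser such as olevba from the oletools project is the right tool; this heuristic only answers "does this file carry a macro?" and does not handle RTF or other wrappers.

```python
import io
import zipfile

# Magic bytes of a Compound File Binary Format (legacy .doc/.xls) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# CFBF stores directory-entry names as null-terminated UTF-16LE. These storage and
# stream names only exist when a VBA project is embedded in the document.
VBA_STREAM_NAMES = [(n + "\x00").encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros", "VBA")]


def _check_ole(data):
    """Heuristic: return the VBA-related directory names present in a CFBF file."""
    return [n.decode("utf-16-le").rstrip("\x00") for n in VBA_STREAM_NAMES if n in data]


def _check_ooxml(data):
    """Return zip entries that hold a VBA project in an OOXML (.docm/.xlsm) file, or None if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return [n for n in names if n.lower().endswith("vbaproject.bin")]


def triage_attachment(filename, data):
    """Classify an attachment by container type and report macro indicators."""
    result = {"filename": filename, "container": "other", "macro_indicators": [], "flag": False}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["macro_indicators"] = _check_ole(data)
    elif data.startswith(b"PK\x03\x04"):
        names = _check_ooxml(data)
        if names is not None:
            result["container"] = "ooxml"
            result["macro_indicators"] = names
    result["flag"] = bool(result["macro_indicators"])
    return result


def _ole_sample(stream_names):
    # Constructed stand-in: a real CFBF file has sectors, a FAT and a directory; only the
    # magic and the UTF-16LE directory names that the heuristic keys on are reproduced here.
    body = b"".join((n + "\x00").encode("utf-16-le").ljust(64, b"\x00") for n in stream_names)
    return OLE_MAGIC + b"\x00" * 504 + body


def _ooxml_sample(entry_names):
    # Constructed stand-in for an OOXML package: a zip with the given (empty) entries.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in entry_names:
            zf.writestr(n, b"")
    return buf.getvalue()


# Constructed sample attachments (names chosen to echo the two campaigns; the bytes are synthetic).
SAMPLES = {
    "payment_advice.doc": _ole_sample(["Root Entry", "WordDocument", "Macros", "VBA", "_VBA_PROJECT"]),
    "ScannedDocs.xls": _ole_sample(["Root Entry", "Workbook", "_VBA_PROJECT"]),
    "quarterly.xlsx": _ooxml_sample(["[Content_Types].xml", "xl/workbook.xml"]),
    "invoice.docm": _ooxml_sample(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
    "notes.txt": b"plain text, not an Office container",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = triage_attachment(name, data)
        status = "QUARANTINE" if verdict["flag"] else "pass"
        print(f"{status:10} {name:20} {verdict['container']:6} {verdict['macro_indicators']}")
```

A file that is flagged here is not necessarily malicious (plenty of finance spreadsheets carry macros), but an unsolicited .doc or .xls from an unknown sender that contains a VBA project matches exactly the two reports above and should be held for analysis rather than delivered.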
Avoid Being a Victim of Phishing:
Do not reveal personal or financial information in emails, and do not respond to emails asking for this information. This includes any demand to follow a web link within a fake email.
Before sending sensitive information over the Internet, check the security and legitimacy of the website first. Many fake websites can be spotted by paying attention to the URL. A malicious site will look almost identical to the genuine one but fools people by changing one letter in the domain (for example swapping a lowercase 'l' for the digit '1') or by using a .net address in place of the genuine .com site.
If you are unsure whether an email request is legitimate, try searching for keywords such as the subject line or source address in a web search engine. Contacting the company directly, using contact details you already hold rather than those in the email, may also provide some answers.
If ever in doubt, never open attachments, even Office documents, as they can contain malicious code that runs once the document is opened.
Keep anti-virus and anti-malware packages running and up to date, so that if anything slips through the net you have extra layers of security.
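The URL advice above (one changed letter, or a .net in place of the genuine .com) can be turned into a check that runs over every link or sender address in an email. The script below is an added example written for this briefing, not code from the Cyber Crime Unit; the trusted domains it compares against are a constructed allow-list standing in for an organisation's own and its suppliers' domains, and its handling of public suffixes covers only a handful of UK and Australian two-part suffixes (a production version would use the public suffix list). It goes slightly beyond the paragraph by also folding common confusable pairs such as "rn" for "m" and "1" for "l", and by catching the case where the genuine domain is embedded as a subdomain of an attacker's domain.

```python
import re

# Constructed allow-list: the organisation's own domains and those of known suppliers.
TRUSTED_DOMAINS = {"example.com", "example-bank.co.uk"}

# Two-part public suffixes handled here; a production check would use the public suffix list.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}

# Character pairs commonly swapped to build lookalike domains (fold to the canonical form).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def host_from(value):
    """Pull the host out of a URL or an e-mail address and lower-case it."""
    value = value.strip().lower()
    value = value.split("@")[-1]                         # user@host, or userinfo@host in a URL
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)  # drop scheme://
    value = value.split("/")[0].split("?")[0].split(":")[0]
    return value.rstrip(".")


def split_domain(host):
    """Return (subdomain labels, registrable name, public suffix)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[:-3], labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[:-2], labels[-2], labels[-1]
    return [], host, ""


def fold(label):
    for pattern, replacement in CONFUSABLES:
        label = label.replace(pattern, replacement)
    return label


def edit_distance(a, b):
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(value, trusted=TRUSTED_DOMAINS):
    """Classify a URL or address against the trusted domains."""
    host = host_from(value)
    subs, name, suffix = split_domain(host)
    registrable = f"{name}.{suffix}" if suffix else name
    if registrable in trusted:
        return {"host": host, "verdict": "trusted", "matches": registrable}
    padded = "." + host + "."
    for t in sorted(trusted):
        _, t_name, t_suffix = split_domain(t)
        # genuine name used as a sub-domain of someone else's domain, e.g. example.com.secure-login.net
        if "." + t + "." in padded:
            return {"host": host, "verdict": "embedded_trusted_name", "matches": t}
        # same name, different suffix: the ".net instead of .com" trick
        if fold(name) == fold(t_name) and suffix != t_suffix:
            return {"host": host, "verdict": "tld_swap", "matches": t}
        # one character changed, or a confusable substitution
        if edit_distance(fold(name), fold(t_name)) <= 1:
            return {"host": host, "verdict": "lookalike", "matches": t}
    return {"host": host, "verdict": "unknown", "matches": None}


if __name__ == "__main__":
    # Constructed test links and addresses.
    for sample in ("https://www.example.com/login", "accounts@example.net", "examp1e.com",
                   "http://exarnple.com/invoice", "example.com.secure-login.net", "unrelated.org"):
        print(f"{sample:38} -> {assess(sample)['verdict']}")
```

An "unknown" verdict is not a pass: it only means the domain is neither trusted nor a near-copy of something trusted, and the sender should still be verified through a known-good channel as the text advises.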
CEO Fraud and 'Whaling': We have seen an increase in 'whaling' attacks in the South West region; nothing to do with big fish, but criminals posing as CEOs and targeting finance departments. Whaling is a specific form of spear-phishing in which senior management and CEOs are targeted, or impersonated, to acquire usernames, passwords, bank details and money. The attack works in the same way as spear-phishing, but the emails have an increased chance of being acted on because they purport to come from a named senior executive. Their content is carefully crafted and addresses the target by first or full name; they are often disguised as a legal requirement, a customer complaint or an internal executive directive. In our most recent report, a company based in Devon received an email posing as the CEO. The email requested a money transfer to a recipient whose details were provided. The finance department contacted the CEO to question it, and the attempt was reported to Action Fraud.

CEO Fraud and 'Whaling': What to do if you suspect a targeted attack? If you receive an unexpected email asking for money, question it. If it appears to come from another member of staff, pick up the phone and check with them, using a number you already hold rather than one given in the email. Once you have confirmed it to be a spear-phishing attack, keep all emails and any correspondence with the attacker and report it to Action Fraud. Equally, be cautious of any web links in the emails, as well as of attachments: even a Word document that appears to be an invoice can carry an embedded macro. Frequent testing of your organisation's staff awareness, by simulating spear-phishing attacks to gauge the effectiveness of your cyber security training, is recommended.
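The Devon case above has the classic shape: a senior name in the display part of the From header, an address that is not the company's, and a request for a transfer. Those signals can be checked mechanically before the email reaches the finance inbox. The script below is an added example for this briefing, not code from the Cyber Crime Unit; the executive directory, company domain, payment vocabulary and the two sample messages it inspects are all constructed. It uses only the standard-library email parser.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data standing in for a real staff directory and mail domain.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane smith": "jane.smith@example.com"}
PAYMENT_TERMS = ("transfer", "payment", "wire", "bank details", "urgent", "invoice")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return a list of whaling indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = _domain(from_addr)
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode("utf-8", "replace").lower()

    findings = []
    # 1. A known executive's name on an address that is not theirs (display-name spoofing).
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and known.lower() != from_addr.lower():
        findings.append(f"display name '{from_name}' is a known executive but the address is "
                        f"{from_addr}, not {known}")
    # 2. Replies steered to a different domain than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} is on a different domain from From {from_addr}")
    # 3. Envelope sender on a different domain than the From header.
    if return_path and _domain(return_path) != from_domain:
        findings.append(f"Return-Path {return_path} is on a different domain from From {from_addr}")
    # 4. Payment language arriving from outside the organisation.
    terms = [t for t in PAYMENT_TERMS if t in body]
    if terms and from_domain not in COMPANY_DOMAINS:
        findings.append(f"payment language {terms} from external domain {from_domain}")
    return findings


# Constructed sample messages (not the actual email from the report).
WHALING_SAMPLE = """\
From: "Jane Smith" <jane.smith@example-ceo.net>
Reply-To: <ceo.jane@freemail.example>
To: accounts@example.com
Subject: Urgent payment - confidential

Hi, I'm in a meeting and can't talk. Please arrange an urgent transfer of the
attached invoice today; I'll send the bank details in my next message. Jane
"""

INTERNAL_SAMPLE = """\
From: "Jane Smith" <jane.smith@example.com>
To: accounts@example.com
Subject: Board minutes

Could you send me the minutes from last week's meeting? Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING_SAMPLE), ("internal", INTERNAL_SAMPLE)):
        hits = check_message(raw)
        print(f"{label}: {'HOLD for phone verification' if hits else 'no indicators'}")
        for h in hits:
            print("  -", h)
```

None of these checks replaces the phone call the text recommends; they decide which messages must not be actioned until that call has been made. A message whose From address really is the executive's can still be fraudulent if their account has been compromised, which is why a transfer request should be confirmed out of band regardless.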
Legacy Systems, Applications & Security Risks: We have investigated multiple incidents at organisations in the South West region where old legacy systems and hardware caused security issues within the IT infrastructure. Running out-dated hardware and applications in your business creates new attack vectors for criminals to exploit. Unpatched software and firmware, default and hard-coded passwords, and failure to invest in IT infrastructure all contribute to an unsafe network. Some network engineers have been found to have customised legacy software to such a degree that upgrading a switch, for instance, requires upgrading many other systems and applications at the same time.
What can we do? Small and medium enterprises should consider completing an assessment of their hardware installations and security set-up to prevent intrusions. Identify vulnerable network devices such as printers and scanners, which are common among legacy systems and are rarely patched. If you run a large network infrastructure, think about where budget is spent: investing in new technologies makes business sense, but spending money on replacing legacy systems can resolve underlying technical and security risks.
Hacking PBX / Dial Through: We have received a report of a PBX dial-through attack on a business based in Bristol. The telephone system was compromised outside office hours and calls were placed to premium-rate numbers in Belarus and Jamaica, resulting in a financial loss of £
To prevent yourselves becoming the next victim:
Use strong PINs/passwords for your voicemail system and ensure they are changed regularly. If your voicemail is still on a default PIN/password, change it immediately.
Disable access to your voicemail system from outside lines. If outside access is business critical, restrict it to essential users and ensure they regularly update their PINs/passwords.
If you do not need to call international or premium-rate numbers, ask your network provider to place a restriction on your line.
Consider asking your network provider to block outbound calls at certain times, e.g. when your business is closed.
Regularly review the call logging and call reporting options available to you, and monitor for increased or suspect call traffic.
Secure your exchange and communications system, use a strong PBX firewall, and if you do not need a function, close it down.
Speak to your maintenance provider to understand the threats and ask them to correct any identified security defects.
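The last two recommendations (review call logging, monitor for suspect traffic) are the ones that would have caught the Bristol incident while it was happening: a burst of out-of-hours calls to two international destinations from one extension. The script below is an added example written for this briefing, not code from the Cyber Crime Unit or from any PBX vendor. It reads call detail records in a simple constructed comma-separated form (real PBX exports differ) and flags calls that are international or premium-rate outside the assumed office hours, calls to the dialling codes named in the report (Belarus +375, Jamaica +1 876) plus UK 09 premium-rate numbers, and any extension making a burst of such calls within one hour.

```python
from collections import Counter
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed office hours
BUSINESS_DAYS = {0, 1, 2, 3, 4}              # Monday..Friday
INTL_PREFIX = "00"                           # UK international dialling prefix
# Dialled-number prefixes treated as high risk (longest prefix wins).
HIGH_RISK_PREFIXES = {"00375": "Belarus", "001876": "Jamaica", "09": "UK premium rate"}
BURST_THRESHOLD = 5                          # out-of-hours calls per extension per hour

# Constructed CDR lines: "timestamp,extension,dialled number,duration in seconds".
SAMPLE_CDR = """\
2016-01-11 09:12:03,214,01179460000,184
2016-01-11 14:40:51,221,00353189000000,302
2016-01-12 01:03:19,214,00375291000001,611
2016-01-12 01:05:44,214,00375291000002,598
2016-01-12 01:07:02,214,00375291000003,603
2016-01-12 01:09:55,214,001876555000001,620
2016-01-12 01:12:31,214,001876555000002,615
2016-01-12 01:15:10,214,001876555000003,640
2016-01-13 10:02:00,219,09061234567,45
"""


def parse_cdr(text):
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ext, dialled, secs = line.split(",")
        calls.append({"when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                      "ext": ext, "dialled": dialled, "secs": int(secs)})
    return calls


def out_of_hours(when):
    return when.weekday() not in BUSINESS_DAYS or not (BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1])


def destination_risk(dialled):
    for prefix in sorted(HIGH_RISK_PREFIXES, key=len, reverse=True):
        if dialled.startswith(prefix):
            return HIGH_RISK_PREFIXES[prefix]
    return None


def analyse(text):
    """Return flagged calls with reasons and per-extension out-of-hours bursts."""
    calls = parse_cdr(text)
    flagged = []
    bursts = Counter()
    for call in calls:
        reasons = []
        risk = destination_risk(call["dialled"])
        if risk:
            reasons.append(f"high-risk destination: {risk}")
        if out_of_hours(call["when"]):
            if call["dialled"].startswith(INTL_PREFIX) or risk:
                reasons.append("international/premium call outside office hours")
            bursts[(call["ext"], call["when"].strftime("%Y-%m-%d"), call["when"].hour)] += 1
        if reasons:
            flagged.append({**call, "reasons": reasons})
    bursts = {key: n for key, n in bursts.items() if n >= BURST_THRESHOLD}
    return {"flagged": flagged, "bursts": bursts}


if __name__ == "__main__":
    report = analyse(SAMPLE_CDR)
    for call in report["flagged"]:
        print(call["when"], "ext", call["ext"], call["dialled"], "; ".join(call["reasons"]))
    for (ext, day, hour), n in report["bursts"].items():
        print(f"BURST: extension {ext} made {n} out-of-hours calls on {day} between {hour:02d}:00 and {hour + 1:02d}:00")
```

Run nightly over the previous day's export (or, better, on the provider's near-real-time reporting feed), a burst line like the one this produces for extension 214 is the trigger to have the provider bar the line before the bill runs into thousands; the flagged-call list is the evidence to give Action Fraud and the maintenance provider afterwards.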
CiSP – Cyber Crime Threats Shared: The Cyber Security Information Sharing Partnership (CiSP), which is run by CERT-UK, is an information sharing platform used to share and publish cyber crime threat information. The aim of the platform is to allow members to take remedial action and adapt their organisations to prevent cyber attacks. If you would like to join the CiSP, please sign up at and contact us, as we can sponsor you. A regional South West CiSP is in place and will be formally launched in April 2016; more details will be shared in due course. Open the 'Adobe Acrobat Document' attached (below) to find out more about the CiSP.

Additional Briefing Dissemination: This document has been given the protective marking of NOT PROTECTIVELY MARKED and may be disseminated outside law enforcement without restriction. If you know anyone else who would like to receive this briefing, please send us their email address and we will add them to the distribution list. For any comments or queries, please contact the South West Regional Cyber Crime Unit at: