January 15th 2016 Intelligence Briefing NOT PROTECTIVELY MARKED


1 January 15th 2016 Intelligence Briefing

2 Contents

Current Threats
• Investigation Update
• New Phishing Campaigns
• Payment Advice – 0002014343 Macro Malware
• ‘Scanned Document’ from MRH Solicitors
• Avoid Being a Victim of Phishing
• CEO Fraud and ‘Whaling’
• Legacy Systems, Old Hardware and Security

Action Fraud Reports from the South West Region
• PBX Dial Through

Miscellaneous
• CiSP
• New non-protectively marked briefing

3 Investigation Updates:

• The South West Regional Cyber Crime Unit has recently completed an investigation into a series of cyber crime and fraud offences targeting a family-run farming business based in Gloucestershire and a transportation company based in London.
• The offenders set up websites in the name of the legitimate companies and then used those names, details and associated e-mail addresses to try to obtain credit with a variety of suppliers for a range of high value goods.
• These attempts were successful when suppliers did not complete full credit reference checks. They also used a complex network of telephone numbers and e-mail addresses to further mask their identities.

4 Investigation Updates Continued…

• To reduce the chances of becoming a victim of this type of offence, please consider the following:
  I. Be aware of your online digital footprint, especially when you don’t have a company website. Are others setting up websites purporting to be you? Try searching Google for yourself or your company.
  II. If you are responsible for conducting credit checks on prospective customers, consider what measures you take to verify the legitimacy of the applicant. Do you use the details provided by them to check on them? Do you use the telephone numbers they provide to make contact? Consider using independently verified details (e.g. from Companies House) to contact the prospective customer to confirm their identity.
• If you suspect that you have been a victim of similar offences, please report it to Action Fraud.

5 Payment Advice – 0002014343 Macro Malware:

• We have received a recent report from an organisation in Bristol regarding a fake email containing a malicious Word document. This appears to be from a compromised email address. If you receive this, do not open the attachment.
• Description: Bhavani Gullolla Payment Advice – 0002014343 macro malware.
• Headers:
  From: Bhavani Gullolla {bhavani.gullolla1@wipro.com}
  Subject: Payment Advice – 0002014343
• Attachment filename: 0724376838.doc
• Message Body:

  Dear Sir/Madam,
  This is to inform you that we have initiated the electronic payment through our Bank. Please find attached payment advice which includes invoice reference and TDS deductions if any.
  Transaction Reference :
  Vendor Code :0724376838
  Company Code :WT01
  Payer/Remitters Reference No :81797771
  Beneficiary Details :43668548/090666
  Paymet Method : Electronic Fund Transfer
  Payment Amount :1032.00
  Currency :GBP
  Processing Date :11/01/2016
  For any clarifications on the payment advice please mail us at wipro.vendorhelpdesk@wipro.com OR call Toll Free in India 1800-200-3199 between 9:00 am to 5:00 pm IST (Mon-Fri) OR contact person indicated in the purchase order.
  Regards,
  VHD Signature

6 Payment Advice – 0002014343 Macro Malware:

• This Word attachment contains a malicious macro which is aimed at Windows and Microsoft Office users.
• The Word document, once opened, is seen to download either the Dridex or Shifu banking trojans, both of which are designed to search for and collect banking details.

Advice:
• If you receive a suspected phishing email, do not open the attachment as there is a high risk of infecting your system and network infrastructure.
• Do not reply to the email, and report it to the appropriate people within the organisation. This includes network administrators, cyber security and Action Fraud.
• If you believe financial accounts may have been compromised, contact your financial institution immediately for advice.
• Make sure your anti-virus and malware scanners are up-to-date.

7 ‘Scanned Document’ - Macro Malware:

• We have received a second report of a fake email containing a malicious Excel spreadsheet. If you receive this, do not open the attachment. This appears to be from a compromised email address.
• Description: Color @ MRH Solicitors Scanned Document macro malware.
• Headers:
  From: "Color @ MRH Solicitors" {color236@yahoo.co.uk}
  Subject: Scanned Document
• Attachment filename: ScannedDocs122151.xls
• Message Body:

  Find the attachment for the scanned Document

• The Excel document, once opened, is seen to download either the Dridex or Shifu banking trojans, both of which are designed to search for and collect banking details.
• Please follow the advice in the previous slide.
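Both campaigns above rely on legacy Word and Excel attachments carrying macros, so a mail filter can judge attachments by content rather than by file name. The following sketch is an added example, not part of the original briefing; the marker search is a heuristic, and the addresses, file names and payloads are constructed placeholders.

```python
from email import message_from_bytes
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # signature of the legacy Office container
# Heuristic: name of a stream inside a VBA project, as stored in the file's directory.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def scan_attachments(raw_message):
    """Return [(filename, verdict)] for each attachment, judged by content, not name."""
    results = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers
        data = part.get_payload(decode=True) or b""
        if not data.startswith(OLE2_MAGIC):
            verdict = "not a legacy Office file"
        elif VBA_MARKER in data:
            verdict = "quarantine: legacy Office file with VBA macros"
        else:
            verdict = "legacy Office file, no VBA marker"
        results.append((name, verdict))
    return results

def build_sample(filename, payload):
    """Build a constructed test message; payloads are inert filler, not real documents."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "accounts@example.co.uk"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed payloads: container signature plus padding, with or without the marker.
WITH_MACRO = OLE2_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
NO_MACRO = OLE2_MAGIC + b"\x00" * 128

if __name__ == "__main__":
    for fname, body in [("sample.doc", WITH_MACRO), ("sample.xls", NO_MACRO),
                        ("renamed.txt", WITH_MACRO), ("notes.txt", b"plain text")]:
        print(scan_attachments(build_sample(fname, body)))
```

Newer macro-enabled formats such as .docm and .xlsm are ZIP archives and need a separate check.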

8 Avoid being a Victim of Phishing:

• Do not reveal personal and financial information in emails and do not respond to emails asking for this information. This includes any demands to follow a web link within the fake email.
• Before sending your sensitive information over the Internet, be sure to check the security and legitimacy of the website first.
• Many fake websites can be spotted by paying attention to the website’s URL. Malicious websites will look almost identical to the genuine site, but succeed in fooling people by changing one letter in the domain or by using a .net address as opposed to the genuine .com site.
• If you are unsure whether an email request is legitimate, try searching keywords in a web search engine, such as the subject line or source email address. Contacting the company directly may also provide some answers.
• If ever in doubt, never open attachments, even Office documents, as they can still contain malicious code that can automatically run once opened.
• Keep anti-virus and anti-malware packages running and up-to-date. Should anything slip through the net, you then have extra layers of security.
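The URL check described above (one letter changed, or .net in place of .com) can be automated against a list of domains you actually deal with. This is an added example, not part of the original briefing; the trusted domains and the short suffix list are placeholders and assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the organisation keeps its own list of genuine domains (placeholders here).
TRUSTED = ["example-bank.com", "example-supplier.co.uk"]
# Short constructed list; a production check would use the full Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "gov.uk"}

def split_domain(host):
    """Return (registrable name, suffix), e.g. ('example-bank', 'com')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'trusted', 'lookalike: <reason>' or 'unknown' for a URL or host name."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    name, suffix = split_domain(host)
    known = [(good, *split_domain(good)) for good in TRUSTED]
    if any((name, suffix) == (g, s) for _, g, s in known):
        return "trusted"
    for good, gname, gsuffix in known:
        if name == gname:   # same name under a different suffix
            return f"lookalike: .{suffix} instead of .{gsuffix} ({good})"
        if suffix == gsuffix and edit_distance(name, gname) == 1:
            return f"lookalike: one character away from {good}"
    return "unknown"

if __name__ == "__main__":
    for u in ["https://www.example-bank.com/login", "http://examp1e-bank.com/login",
              "https://example-bank.net/", "https://unrelated.org/"]:
        print(u, "->", classify(u))
```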

9 CEO Fraud and ‘Whaling’:

• We have seen an increase in ‘whaling’ attacks in the South West region; nothing to do with big fish, but primarily criminals posing as CEOs targeting financial departments.
• Whaling is a specific form of ‘spear-phishing’ in which higher management and CEOs are targeted to acquire usernames, passwords, bank details and money.
• This form of attack acts in the same way as spear-phishing, but the phishing emails have an increased chance of being responded to because they purport to be from a named senior executive.
• Content within these emails will be carefully crafted to target higher management by first or full name. They will often be disguised as a legal requirement, customer complaint or internet executive directive.
• In our most recent report, a company based in Devon received an email posing as the CEO. The email requested a money transfer to a recipient with details provided. The financial department contacted the CEO to question it. The attempt was reported to Action Fraud.

10 CEO Fraud and ‘Whaling’: What to do if you suspect a targeted attack?

• If you receive an unexpected email asking for money, question it. If it appears to be from another member of staff, pick up the phone and check with them.
• Once you have confirmed it to be a form of spear-phishing attack, keep all emails and any correspondence with the attacker and report it to Action Fraud.
• Equally, be cautious of any web links that are in the emails as well as malicious attachments. Even Word documents appearing to be a form of invoice, for instance, can have an embedded virus.
• Frequent testing of your organisation’s staff awareness by simulating spear-phishing attacks to gauge the effectiveness of cyber security is recommended.

11 Legacy Systems, Applications & Security Risks:

• We have investigated multiple incidents at organisations in the South West region where old legacy systems and hardware have caused security issues within the IT infrastructure.
• By using out-dated hardware and applications within your business you run the risk of creating new attack vectors for hackers to exploit.
• Unpatched software and firmware, default and hardcoded passwords and failure to invest in IT infrastructure all contribute to an unsafe network.
• Some network engineers have been found to have customised legacy software to such a large degree that upgrading a switch, for instance, may require the upgrading of many other systems and software.

What can we do?
• Small to medium enterprises should consider completing an assessment of their hardware installations and security setup to prevent intrusions.
• Identify vulnerable network devices such as printers and scanners, which are common among legacy systems.
• If you run a large network infrastructure, think about where budget is spent. Investing in new technologies makes business sense, but spending money on replacing legacy systems can potentially resolve underlying technical and security risks.

12 Hacking PBX/Dial Through

We have received a report of a PBX/Dial through attack on a business based in Bristol. The telephone system was compromised during closed office hours and calls were placed to premium rate numbers in Belarus and Jamaica, resulting in a financial loss of £1177.22.

In order to prevent yourselves becoming the next victim:
• Use strong PINs/passwords for your voicemail system, ensuring they are changed regularly.
• If you still have your voicemail on a default PIN/password, change it immediately.
• Disable access to your voicemail system from outside lines. If this is business critical, ensure the access is restricted to essential users and they regularly update their PINs/passwords.
• If you do not need to call international/premium rate numbers, ask your network provider to place a restriction on your line.
• Consider asking your network provider to block outbound calls at certain times, e.g. when your business is closed.
• Ensure you regularly review available call logging and call reporting options.
• Regularly monitor for increased or suspect call traffic.
• Secure your exchange and communications system, use a strong PBX firewall and, if you don’t need the function, close it down!
• Speak to your maintenance provider to understand the threats and ask them to correct any identified security defects.
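The call-log review recommended above can be scripted: the sketch below flags international and premium rate calls placed while the office is closed, the pattern seen in the Bristol incident. It is an added example, not part of the original briefing; the record layout, opening hours and all numbers are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample records (start, extension, dialled number, seconds).
# 00375 is the Belarus country code and 001876 reaches Jamaica from a UK line.
SAMPLE_CDR = """\
2016-01-11 10:15:00,201,01179000000,180
2016-01-12 02:41:10,voicemail,00375290000000,600
2016-01-12 02:52:30,voicemail,0018760000000,540
2016-01-12 14:05:00,204,0033100000000,120
2016-01-16 23:10:00,203,09000000000,900
"""

OPEN_HOUR, CLOSE_HOUR = 8, 18   # assumption: office open 08:00-18:00
OPEN_DAYS = range(0, 5)         # assumption: Monday to Friday

def destination_type(number):
    """Classify a number as dialled from a UK line."""
    n = number.replace(" ", "")
    if n.startswith("+") or n.startswith("00"):
        return "international"
    if n.startswith("09"):
        return "premium"
    return "national"

def in_business_hours(ts):
    return ts.weekday() in OPEN_DAYS and OPEN_HOUR <= ts.hour < CLOSE_HOUR

def review(cdr_text):
    """Return (flagged calls, out-of-hours seconds per destination type)."""
    flagged, totals = [], {}
    for start, ext, dialled, secs in csv.reader(io.StringIO(cdr_text)):
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        kind = destination_type(dialled)
        if kind != "national" and not in_business_hours(ts):
            flagged.append((start, ext, dialled, kind))
            totals[kind] = totals.get(kind, 0) + int(secs)
    return flagged, totals

if __name__ == "__main__":
    calls, totals = review(SAMPLE_CDR)
    for call in calls:
        print("REVIEW", *call)
    print("out-of-hours seconds by type:", totals)
```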

13 CiSP - Cyber Crime Threats Shared

The Cyber Security Information Sharing Partnership (CiSP), which is run by CERT-UK, is an information sharing platform used to share and publish cyber crime threat information. The aim of the platform is to allow members to take remedial action and modify their organisations to prevent cyber attacks.

If you would like to join the CiSP then please sign up at www.cert.gov.uk/cisp and contact us as we can sponsor you.

A regional South West CiSP is in place and will be formally launched in April 2016; more details will be shared in due course.

Open the ‘Adobe Acrobat Document’ attached (below) to find out more about the CiSP.

14 Additional Briefing Dissemination

This document has been given the protective marking of NOT PROTECTIVELY MARKED and may be disseminated outside law enforcement with no restriction. If you know anyone else who would like to receive this, please send us their e-mail address and we will add them to the distribution list.

Any comments or queries, please email the South West Regional Cyber Crime Unit at: swrccu@avonandsomerset.pnn.police.uk
0117 372 2446

