Google and Facebook were victims of Business Email Compromise (BEC) or ‘CEO Fraud’
Google and Facebook have been identified as the victims of an email phishing attack for which a Lithuanian man was charged in March 2017.
The attack relied upon social engineering methods rather than technical intrusion techniques. However, the individual was still able to trick the organisations into transferring over $100 million between 2013-2015, highlighting how cyber-enabled social engineering can be effectively used to commit fraud.
The individual posed as a manufacturer which both firms had existing business relationships with, and sent emails which were designed to look like they came from the manufacturer. The emails contained forged invoices and contracts which appeared to have been signed by executives. This is less technically sophisticated than some other cases of BEC whereby the third-party supplier’s legitimate email is compromised and used to request transfers. The phishing emails were highly targeted, sent to Facebook and Google employees who regularly conducted multi-million dollar transactions with the manufacturer the scammer was impersonating.
Large organisations are especially vulnerable to attacks such as this: often suppliers and individuals have less face to face interaction, and therefore may have reduced opportunities to identify bogus or suspicious transfer requests through conversation.
Fraudulent communication to convince organisations to transfer funds is not new, however it is increasingly common as a low cost, high return crime. Other variations on this attack include
- Spear-phishing emails co-ordinated with phone calls confirming the email request
- Impersonation of trusted partners beyond suppliers, including charities, law firms, think tanks or academic institutions
- Impersonation of fellow employee emails, either through compromising an account, or creating a similar looking fake address
- Use of social media to research or make contact with potential victims
The NCSC has previously issued guidance on phishing attacks aimed at senior executives or payment departments.
Facebook outlines plan to combat information operations
Facebook has outlined measures to combat “information operations”, which it defines as efforts conducted by organisations, including governments, to spread misleading information and falsehoods to “distort domestic or foreign political sentiment". Whilst reporting has focused on the potential impact on democratic processes, manipulation of social media could similarly be used to inflict reputational or even financial damage on organisations. An example of this would be the 2013 fake “alert” from one of America’s most trusted news sources, briefly fooling some news outlets into reporting that an explosion had occurred at the White House and causing the Dow Jones to drop 145 points in two minutes.
Facebook has highlighted that information operations extend beyond the creation of “fake” news stories: other activities such as the dissemination and promotion of stolen information, and targeted data collection on individuals have all been noted. Furthermore, the increased circulation of “fake” news stories to a larger audience is regularly achieved through artificial amplification of posts, whereby paid individuals, often using fake accounts, use techniques such as co-ordinating “likes” to boost the prominence of key postings or creating groups that camouflage propaganda by including legitimate items.
Facebook has stated that it will mitigate the artificial amplification of fake stories using machine learning and analysis to identify bogus accounts, which will then be suspended or deleted. For example, Facebook suspended 30,000 accounts in France prior to the first round of the French presidential election.
Mainly platform agnostic/cross platform updates this week, leaning towards Linux and Unix based systems.
Intel released a fix to their Active Management Technology to address a flaw which could allow remote and local users to gain elevated privileges. A mitigation guide has been published here.
IBM released two updates for WebSphere to fix a browser redirect and cross-site request forgery vulnerability, and an update to DB2 to address a bug that could allow a local user to obtain root privileges.
Xen saw a number of updates to fix elevation of privilege bugs.
HPE updated NonStop Server to address a flaw that could allow a remote user to obtain sensitive information, and updated Intelligent Management Center to fix a flaw that could allow for remote code execution.
Elsewhere this week there were updates from Trend Micro to fix cross-site scripting bugs and an elevation of privilege bug. Drupal updated a flaw that could allow access to the target system and FreeBSD fixed a bug which could cause the target to reload.
Debian updates this week include LibreOffice, Ghostscript, Freetype, weechat, Libxstream-Java, MySQL-Connector-Java, Tomcat7 and Tomcat8.
ICS updates this week came from Advantech, CyberVision and Schneider Electric.
No individual sector is anticipated to be impacted more than any other this week.