Page 22 - Cyber Defense eMagazine - September 2017

Southern Oregon University Breach: An Expensive Lesson

               by Charles Parker, II; Cybersecurity Lab Engineer


               Attackers are motivated by money; the cash flow of the nefarious operation is the focus. One
               attack method that receives significant attention is social engineering, or phishing. Whether the
               attack is active or passive, the effects can be substantially expensive, both in direct cost and in
               the hours spent fixing the issue. A sub-type of this attack is spear phishing, a targeted phishing
               attack. A very profitable version of this targets the finance or accounting office staff, as this
               area controls the cash and vendor payments.

               In order to initiate the fraud, the attackers have to make contact with the staff members. This
               contact is generally an email from someone who appears to be in a senior position (e.g. the CEO
               or CFO) directing the accounting or finance staff member to wire a specific amount of funds to a
               bank, which happens to be in a different country, and to a different bank and account number
               than usual. As an alternative, the attackers could fraudulently claim to be a vendor. These attacks
               have been named the executive wire scam (EWS) and business email compromise (BEC).

               Recent Successful Attack


               Recent attacks have grossed the attackers anywhere from a few hundred dollars to tens of
               thousands of dollars. An illustrative incident occurred in April 2017, with a significant payday
               for the attackers. Southern Oregon University announced that it had been a victim of this attack;
               the attackers perpetrated a massive fraud against the educational entity. Pretending to be
               Andersen Construction, they sent an invoice from an email account that appeared correct, and
               the University wired the payment to an account.

               This account was not Andersen Construction's account. The attackers had completed their
               reconnaissance of the University's current situation, noting that Andersen Construction had
               been contracted to construct the University's McNeal Pavilion and Student Resource Center.
               Fortunately for the University, a portion of the funds may be recovered.

               Training, Training, Training

               Although this is not the optimal situation for the University, it does provide a great opportunity
               for training, and this teachable moment applies to any business. When staff receive one of these
               requests, the staff member should verify the request directly with the C-level executive or
               manager. This only requires a simple call or email. The email, however, would need to be a
               newly created email, and not a reply to the initial email. Also, if there were to be significant or
               odd changes, such as a new bank, a new bank account number, or a bank in a different
               country, the transaction should be verified with the appropriate parties.
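               The verification steps above can be turned into an automated hold check that accounts-payable staff run before any wire. The following is an added example, not code from the magazine or from the University: it compares a payment request against a hypothetical vendor master record and flags every condition the article names (new bank, new account number, different country), plus a sender address that does not match the vendor domain on file or carries a mismatched Reply-To, since the real incident involved an email account that merely "appeared correct". All vendor names, domains and account values are constructed for the example.

```python
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

# Hypothetical vendor master record and payment request structures (constructed for this example).
@dataclass
class VendorRecord:
    domain: str    # email domain on file for the vendor
    bank: str
    account: str
    country: str

@dataclass
class PaymentRequest:
    raw_email: str  # the request email as received (RFC 822 text)
    bank: str
    account: str
    country: str

def verification_flags(vendor, req):
    """Reasons this request must be confirmed by a call or a NEW email (never a reply) before any wire."""
    msg = message_from_string(req.raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", sender))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    flags = []
    if sender_domain != vendor.domain.lower():
        flags.append(f"sender domain {sender_domain!r} is not the vendor domain on file {vendor.domain!r}")
    if reply_to.lower() != sender.lower():
        flags.append(f"Reply-To {reply_to!r} differs from From {sender!r}")
    if req.bank != vendor.bank:
        flags.append("new bank")
    if req.account != vendor.account:
        flags.append("new bank account number")
    if req.country != vendor.country:
        flags.append(f"bank is in a different country ({req.country} vs {vendor.country})")
    return flags

# Constructed sample: a lookalike sender domain, a mismatched Reply-To and changed banking details.
VENDOR = VendorRecord("example-builders.com", "First Bank", "111222333", "US")
SAMPLE_EMAIL = ("From: Accounts Payable <ap@examp1e-builders.com>\r\n"
                "Reply-To: ap-billing@mail-relay.example\r\n\r\n"
                "Please wire the current invoice to our new account.\r\n")
REQUEST = PaymentRequest(SAMPLE_EMAIL, bank="Overseas Bank", account="999888777", country="XX")

if __name__ == "__main__":
    for reason in verification_flags(VENDOR, REQUEST):
        print("HOLD:", reason)
```

               An empty list means the request matches the vendor record and the sender on file; any non-empty list is a hold until the request is confirmed out of band.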

               The email itself should also be reviewed. When there are grammar and/or spelling errors, there
               generally is a problem.



                         Copyright © Cyber Defense Magazine,  All rights reserved worldwide.