Bex Nitert, managing consultant, digital forensics and incident response at ParaFlare, explains how cyber threat actors structure the day-to-day operations of their criminal enterprises.
Sitting at a beachside restaurant, an entrepreneur in his thirties watches his wife and children play on the boardwalk from a distance. There’s an infrastructure outage affecting his online services and customers are angry. Like many business leaders, Julian [not his real name] sacrifices family time to deal with the crisis, reassuring customers the services will be restored soon.
To everyone else at that restaurant, Julian looks like your average, hardworking family man. But he is not. The business he runs enables hundreds of prolific cyber criminals to compromise online accounts belonging to governments, businesses and individuals every day. He has been operating in plain sight for several years without consequence.
If the economic and social impact of Julian’s “Phishing-as-a-Service” business wasn’t so harmful, one might be amused by the curious toddler watching people catch fish on the jetty while his father helps criminals cast digital phishing lures from his smartphone 50 metres away.
As an outside observer who has been tracking Julian since September 2020, I often wonder if his family knows him as well as I do. Sure, we probably share knowledge about the medication he takes and what he eats for dinner, but do they know he’s been engaging in cyber crime activities for at least 10 years? Do they know where the money is really coming from, and from whom? Do his sisters know that he uses their names when signing up to services with stolen credit cards? I do wonder.
Julian has developed a public facade, boasting of the success of his cryptocurrency investments, and has a website for a web hosting company that all search engines are blocked from indexing (who wants legitimate customers anyway?). Yet the online store where he sells phishing services is easy to find, and he’s advertised roles for developers, tech support and an accountant through platforms that normal businesses use every day.
It all provides a means of legitimising his wealth, at least to those who don’t look deeper. His invoices to customers even look legitimate, with a stock logo and an innocent description of the illicit services rendered, “web design and hosting”.
Unfortunately for Julian and his customers, he made the mistake many companies have made by publishing sensitive, unencrypted data to publicly accessible locations online. Not once, but multiple times. This includes online aliases of customers and bitcoin transaction records, among other useful information that has enabled me to expand the scope of my research into his operations and customers significantly.
My research began while my ParaFlare colleagues and I were assisting a government entity with an investigation into the compromise of multiple email account credentials. Like many phishing incidents associated with Julian and his customers, these compromised accounts were used to further proliferate phishing emails to every contact in the victim’s address book. Being a government entity, it’s not surprising that current and former politicians, government departments and high-profile offices were on the list of phishing email recipients.
The monthly revenue of Julian’s illicit business is more than the annual salary of a full-time worker on minimum wage in Australia. If you can’t afford the median rental price of a house in Sydney, you can’t afford his top-tier, fully outsourced phishing service.
For a monthly fee, Julian and his employees will set up phishing sites and handle the full phishing process for his VIP customers. If the precompiled target lists of company CEOs and CFOs aren’t satisfactory, the customer can also specify their desired email recipients through negotiation with Julian.
The VIP service is potentially unaffordable for entry-level cyber criminals. But the return on investment can be very high, with one happy bandit boasting about defrauding a victim company of more than US$200,000 in a single transaction earlier this year. Most, but not all, of Julian’s customers seek to steal money from businesses and government through various types of fraud. Some possible links with foreign espionage groups have also been uncovered, but not yet confirmed.
Budget-conscious cyber criminals can purchase monthly hosting of authentic-looking phishing pages for a fraction of the price of the full VIP service. Online training is also available for a modest fee. By reducing the barrier to entry, Julian’s business is arguably fostering the next generation of cyber criminals while also catering to veterans of the illicit economy.
Monetising the stolen credentials obtained via phishing requires some effort. Though, if you know where to look, you can find outsourcing opportunities for various fraud types too. Payment diversion fraud is a common objective of phishing actors, who may intercept email communications and modify the banking details on invoices to deceive victims into transferring funds to an account under the offender’s control. Financial losses attributed to this technique, referred to as business email compromise (BEC), are the highest of all cyber crime types. By outsourcing the email composition to native speakers of the victim’s language and using professional forgers to edit documents, criminals can increase their chances of success.
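The payment diversion described above works because the invoice, and the email carrying it, is trusted on its face. The control that defeats it is an accounts-payable check that compares the bank details on each incoming invoice with the details already verified for that vendor, and holds anything that differs for out-of-band confirmation. The following is an added example of that check (not ParaFlare's tooling, and not something the author describes); the vendor master, the BSB/account fields and the invoice records are constructed for illustration.

```python
"""Added example: hold invoices whose bank details differ from the vendor's
verified details, the basic control against payment diversion (BEC) fraud.
All vendors, account numbers and invoices below are constructed."""
from dataclasses import dataclass


def normalise_account(value: str) -> str:
    """Drop spaces, dashes and case so cosmetic reformatting is not treated
    as a change of account; only a real digit/letter difference is."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


@dataclass(frozen=True)
class BankDetails:
    bsb: str       # branch code (BSB in Australia; sort code / routing number elsewhere)
    account: str   # account number

    def key(self) -> tuple:
        return (normalise_account(self.bsb), normalise_account(self.account))


# Vendor master: bank details previously verified through a known-good
# phone number, never through details supplied in an email (constructed).
VENDOR_MASTER = {
    "acme-supplies": BankDetails("062-000", "1234 5678"),
    "northwind":     BankDetails("033-123", "98765432"),
}


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str
    bank: BankDetails


def review_invoice(invoice: Invoice, vendor_master=VENDOR_MASTER) -> tuple:
    """Return ("OK", reason) when the invoice can be paid against the
    verified details, or ("HOLD", reason) when a human must confirm the
    bank details out of band before any payment is released."""
    known = vendor_master.get(invoice.vendor_id)
    if known is None:
        return ("HOLD", f"{invoice.invoice_no}: unknown vendor {invoice.vendor_id!r}; "
                        "verify bank details via an independently sourced contact")
    if known.key() == invoice.bank.key():
        return ("OK", f"{invoice.invoice_no}: bank details match vendor master")
    return ("HOLD", f"{invoice.invoice_no}: bank details changed from "
                    f"{known.bsb}/{known.account} to {invoice.bank.bsb}/{invoice.bank.account}; "
                    "treat as suspected payment diversion and confirm out of band")


if __name__ == "__main__":
    for inv in (
        Invoice("acme-supplies", "INV-1001", BankDetails("062000", "12345678")),   # same account, reformatted
        Invoice("acme-supplies", "INV-1002", BankDetails("062-000", "8765 4321")), # account changed in transit
        Invoice("new-vendor",    "INV-1003", BankDetails("012-345", "11112222")),  # never seen before
    ):
        print(*review_invoice(inv))
```

The check deliberately ignores whatever the covering email says about "new banking details"; a change request that arrives by email is exactly what an intercepted thread produces, so the only acceptable confirmation is a call to a number already on file.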
The theft of credentials through phishing is a reality for organisations and user education is not going to eliminate this problem. More effort needs to be directed towards minimising the impact of a phishing incident (not just the likelihood), which consequently reduces the value of stolen credentials to criminals.
It requires a defence-in-depth approach, where additional barriers (such as multi-factor authentication) are placed between the criminals and an organisation’s assets, making it harder for the criminals to achieve their objectives once credentials are stolen. It also requires a swift and thorough response, using both people and technology to detect and eradicate the threat before harm occurs.
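One of the first signs of the incident described earlier, where compromised accounts were used to send phishing emails to every contact in the victim's address book, is a single mailbox suddenly reaching an unusual number of distinct recipients in a short window. As an added example of the "technology to detect" part of the response above (not ParaFlare's detection content and not described by the author), the following scans constructed mail-delivery log lines for that burst. The log format, the addresses, the 30-minute window and the threshold of 20 distinct recipients are all assumptions for illustration; in practice the threshold would come from each sender's own history.

```python
"""Added example: flag mailboxes that reach an unusual number of distinct
recipients inside a short window, the pattern left by a compromised account
phishing the victim's whole address book. Log lines are constructed."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed delivery-record format: "<ISO timestamp> sender=<addr> rcpt=<addr>"
LINE_RE = re.compile(r"^(\S+) sender=(\S+) rcpt=(\S+)$")


def parse_log(text: str) -> list:
    """Parse the constructed log into a time-ordered list of (ts, sender, rcpt)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-delivery lines rather than fail
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2).lower(), m.group(3).lower()))
    return sorted(events)


def find_bursts(events: list, window=timedelta(minutes=30), min_recipients=20) -> dict:
    """Sliding window per sender: return {sender: (window_start, distinct_recipients)}
    for every sender that reaches >= min_recipients distinct addresses within `window`.
    The peak count seen for a sender is kept."""
    by_sender = {}
    for ts, sender, rcpt in events:
        by_sender.setdefault(sender, []).append((ts, rcpt))

    alerts = {}
    for sender, msgs in by_sender.items():
        in_window = deque()   # (ts, rcpt) pairs currently inside the window
        counts = {}           # rcpt -> number of messages to it inside the window
        for ts, rcpt in msgs:
            in_window.append((ts, rcpt))
            counts[rcpt] = counts.get(rcpt, 0) + 1
            while in_window and ts - in_window[0][0] > window:   # expire old messages
                old_ts, old_rcpt = in_window.popleft()
                counts[old_rcpt] -= 1
                if counts[old_rcpt] == 0:
                    del counts[old_rcpt]
            distinct = len(counts)
            if distinct >= min_recipients and (sender not in alerts or distinct > alerts[sender][1]):
                alerts[sender] = (in_window[0][0], distinct)
    return alerts


def build_sample_log() -> str:
    """Constructed traffic: bob mails a few colleagues over the day, while
    alice's mailbox, taken over at 09:30, mails 25 external contacts in ten minutes."""
    lines = [
        "2021-03-02T08:01:10Z sender=bob@agency.example rcpt=carol@agency.example",
        "2021-03-02T11:15:42Z sender=bob@agency.example rcpt=dave@agency.example",
        "2021-03-02T16:40:05Z sender=bob@agency.example rcpt=carol@agency.example",
    ]
    for i in range(25):
        ts = datetime(2021, 3, 2, 9, 30) + timedelta(seconds=20 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} sender=alice@agency.example "
                     f"rcpt=contact{i:02d}@partner.example")
    return "\n".join(lines)


if __name__ == "__main__":
    for sender, (start, n) in find_bursts(parse_log(build_sample_log())).items():
        print(f"ALERT {sender}: {n} distinct recipients in one window starting {start:%H:%M}")
```

An alert like this is the trigger for the people side of the response: reset the credential, revoke the account's sessions, and review what else the account sent, before the next wave of recipients act on the lure.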
Due to the inherently secretive nature of criminal activity, but mostly the lack of attributable victim-related data, it is difficult to quantify the harm caused by Julian and his customers. However, the direct and indirect costs would be significant. I encourage all organisations to share information about cyber threats impacting them, as it helps to connect the dots and generate investigative leads.
The depth of my research would not have been possible without the information and observations shared by both individuals and organisations around the world. In addition to sharing information with law enforcement related to the identity of Julian and his customers, my research seeks to understand the enablers and constraints of the phishing economy to help inform our future responses to combatting cyber crime.