Federal authorities and researchers in recent weeks have issued warnings about this new form of attack, which involves hackers infiltrating e-mail networks to perpetrate fraud and cyber-espionage, says Pollino, Bank of the West's enterprise fraud prevention officer.
In a new interview with Information Security Media Group, Pollino explains why Bank of the West has labeled the new attack scheme as "masquerading."
Masquerading, as Bank of the West defines it, involves the takeover of a C-level executive's e-mail account, usually through a network attack. These attacks are waged against the bank's commercial customers, not the bank itself. But the attacks may include spear-phishing, to take over a legitimate e-mail account, or the creation of a similar domain, so that fraudulent e-mails sent from that domain appear at a glance to be legitimate, Pollino says.
Once the cybercriminals have control of the executive's e-mail account, they use it to send out e-mails to lower-level employees and/or even banking institution staff instructing them to perform some task with a sense of urgency, Pollino says. Because of that urgency, typical security practices are often bypassed or overlooked, he adds.
The hackers literally "masquerade" as the executive, convincing lower-level employees to share confidential information and/or schedule fraudulent wire and ACH transfers, Pollino says.
"Once inside and posing as company executives, the criminals could send e-mails to the bank to request wire transfers from the business's account to a bogus account (usually outside U.S. borders) controlled by the criminals," writes Pollino in a blog. "Banks put the kibosh on these scams through stepped-up security around wire transfers."
The Internet Crime Complaint Center in late June issued a warning about how attackers were increasingly targeting corporate and cloud-based e-mail accounts and networks to schedule fraudulent wire transfers. And then just last week, security firm Palo Alto Networks issued an alert on remote-administration tools being used to infiltrate systems and take over corporate credentials.
Pollino first talked about the emerging scheme in May during his presentation at Information Security Media Group's Fraud Summit Chicago.
Education Is Key
While security controls and enhanced authentication can help to thwart these attacks, commercial customers must focus more attention on educating their employees about how to prevent socially engineered schemes from being effective, Pollino says.
"It's basically a social-engineering mechanism that has a high-tech slant to it," he says. "It's similar to what we saw many years ago as criminals were attacking banking systems. ... But now, rather than attacking the banking systems directly or trying to fool the banks, they use, in some cases, very low-tech methods to fool the customers," such as simply sending masquerading e-mails that fool the business's employees into scheduling fraudulent wire transfers.
During this interview, Pollino discusses how:
- Masquerading attacks are getting around DMARC - Domain-based Message Authentication, Reporting & Conformance, which aims to standardize how e-mail receivers perform e-mail authentication by providing a uniform reporting mechanism;
- Information sharing among banking institutions and law enforcement is helping to uncover these types of schemes sooner; and
- Bank of the West is spearheading education campaigns to address masquerading attacks.
Pollino is a senior vice president at Bank of the West, where he has worked since 2011. Previously, he served as manager of online fraud-prevention strategy and analytics for Wells Fargo and was the online risk officer for Washington Mutual. He has a background in information security and combating online fraud. Pollino also is an information security author and conducts ongoing research on cybercrime techniques.