Phishing the DoD for Millions

Ok, let's start with the obvious - these attacks never feel real when it's government funny money being lost.

But the simple complexity of this one should hit home for every organization. There is little technical know-how in this attack. Instead, they exploited human behaviors.

Let's see what that means.

Attackers Sercan Oyuntur and Hurriyet Arslan designed a multi-layered, but straightforward, attack. And they came away with a massive pay day of $23 million.

The attack started with a phony lookalike domain. They then used this domain to send Phishing emails to government contractors.

The attackers sent Phishing emails from "dia-mil.com", which looks a lot like the real "dla.mil" domain.

Specifically, they sent Phishing emails to organizations on the the government's System for Award Management (SAM). This is where government contractors register and update their payment information.

Remember, Phishing is a numbers game. Once hackers find a list of potential victims, they just start firing away. Sending an email costs just about zero dollars.

These attackers only need one key person to stumble for a Phishing email. That can happen at any time.

At least one organization did fall for the attack. This is where the attackers snagged login credentials.

Once they clicked on the link in the Phishing email, the user landed on a lookalike "login.gov" website.

With the login info in hand, Oyuntur and his co-conspirator logged back into the SAM database and changed the victim's banking information for US government payments.

This is where the government would end up sending the $23 million payment.

But the good news was that this bank account was flagged by the DoD for additional investigation. This stopped the payment from proceeding - at least for a moment.

The social engineering continued.

At this point, the attackers called the Defense Logistics Agency (DLA) - their final obstacle in receiving these looted funds.

In speaking with the DLA, the hackers reportedly offered up some phony (but realistic) explanations on why the bank account was updated. They successfully got the updated bank account approved.

That's a lot of money. And a not-so-technical attack.

So what does an organization do to avoid this?

Not shockingly, we've got answers. This comes down to instilling safe cyber behaviors in your employees.

Misstep 1: In the first step of the attack, a user stumbled for a Phishing email that contained a real-enough lookalike domain.
Solution 1: Train your team to never click on the link in a notification email when you can go directly to your browser and login. This eliminates the risk and work of studying a url for any tricks.

Misstep 2: The victim landed on a lookalike login.gov page and entered his or her login credentials. This handed over the keys to the attackers.
Solution 2: Train your team to avoid clicking a link to a sensitive login page - whether it's facebook, dropbox or your bank account. Save those pages and login directly.

Misstep 3: This is where the government employee was fooled by the attacker's phone call.
Solution 3: This comes down to process. It's difficult to overcome when the fraudster has all the right information, though. The most critical defense at this stage is creating strong processes and training employees to follow those steps.

How does automated Security Awareness Training play a role?

Many organizations have implemented a Security Awareness Training program. The issue is that too many organizations don't keep their program active.

There's a right way and a wrong way to do it. At INFIMA, we believe we've found and built the right way.

And we make it easy for you to determine if INFIMA's automated Security Awareness Training program is right for your team.

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Photo by Jp Valery on Unsplash