Welcome to our “Threat Analysis” series of blogs! Each post covers a specific industry and the threats targeting it. The goal of this series is to raise awareness about cybercriminal threats, one post at a time. We will explain the threat and provide a pathway to remediating the vulnerabilities it exploits. Generally, these articles are geared towards organizational leadership, and we try to provide a non-technical overview of the dangers lurking in the world of cybercrime.
Wire Fraud Attacks in Real Estate and Title Companies
Remember the good ol’ days of the internet? It was a place of knowledge sharing and community. You could find yourself lost on a single site for hours – browsing community posts, talking to friends with AOL Instant Messenger, and endlessly viewing GIFs of dancing babies. Unfortunately, all good things must come to an end. Cybercriminals learned to exploit the implicit trust of the internet to engage in the act of social engineering. By utilizing well-known communication methods, bad guys manipulate human psychology and get people to perform nefarious deeds on their behalf.
Real estate and title companies have found themselves in a precarious situation as social engineering attacks keep increasing. Malicious attackers have discovered that real estate and title companies move large sums of money at an incredible pace, often only confirming the wire transfers via a routing number and bank account. More and more, attacks have been affecting these industries with the express goal of manipulating an agent into sending the money directly to the attacker’s account. This is a serious threat with the capability to completely ruin an organization within a single afternoon. The harsh reality is that the real estate and title industry is vastly unprepared for these attacks, and the sky-high success rate incentivizes attackers to continue their activities.
The Anatomy of a Wire Fraud Attack
To understand why these types of attacks might be a threat, we must first understand what the “normal” avenue looks like for one of these attacks. While there is no template for a cyberattack, we can cover the major avenues that enable an attacker to perform the steps necessary to get the funds transferred to their account.
Step 1 – Infiltrate the Network
The most important step for the attacker is the account takeover and reconnaissance phase. During this phase of the attack, the bad guy will try to get into a system or account associated with the victim. Generally, the attackers prioritize taking over an account at the real estate/title company and maintaining a low profile within the environment. There are far too many methods of obtaining access to list, but we can cover a few here. The easiest method is via previously stolen and reused credentials. This is the scenario in which a company user has had their credentials stolen in some manner and has reused these credentials. Check this site to see if you are a victim of one of these breaches: haveibeenpwned.com. Another common method is to place remote access malware (often called a remote access trojan, or RAT) on a device. Once these backdoors are installed, attackers can use the system at will and cause havoc from behind the scenes. At the end of the day, it must be assumed that an attacker will exhaust their extensive toolset in order to breach a network and obtain an account. Security controls help counter this activity.
Step 2 – Wait and Exfiltrate
This might sound simple, but once the attacker is in the environment, their main goal is to gather information. They will steal email signatures, contact lists, current deals, and all sorts of valuable data for use in their attack and distribution on the dark web. Once the information is exfiltrated, there is very little a company can do to remove the sensitive data from the internet.
Step 3 – Send the Phish
The attackers will eventually exploit their foothold in order to launch an attack. In our experience, the attackers will set up an email account with similar naming conventions or spoofed information in order to trick their victims. The phishing email will likely be timed to coincide with a deal closing, masquerading as the final payment information needed to finalize the deal. In almost all cases, the email will be very similar to others sent in previous communications. Attackers will even use the same email signature to add extra authority.
Step 4 – Profit
The customer will receive the phishing email and view the wiring information. No matter how many warnings are given to customers and staff, people will eventually fall for the phish if given the opportunity. Once the money is transferred to the fraudulent account, it is very difficult to recover. Worse yet, it can take months to discover the fraudulent transaction, and attackers can hit multiple customers before being discovered.
The internet and the attack landscape have changed rapidly since those days of cat GIFs and Alta Vista. The threat presented by a modern wire fraud attack cannot be overstated. Once this money is transferred, authorities will need to get involved. Even organizations with cyber insurance can find themselves woefully unprepared for the costs associated with incident response and asset recovery. If the money cannot be recovered and the victim lacks the appropriate insurance, these attacks can be ruinous. Real estate and title companies are not the only victims of these attacks. Customers that transfer money to the attackers may have no easy route to recovery. In the coming posts, we will cover the defensive measures that can help detect, prevent, and respond to attacks like this.