Cybercrime-fighters reveal business weaknesses, suggest defenses


In the murky realm of cybercrime against businesses, bad guys have the upper hand, according to Francis Tam, who heads a west coast nine-person cybersecurity unit of Moss Adams from his Los Angeles office. “They have unlimited budgets,” especially with time, Tam said of hackers, who may attack a business over months or years, patiently seeking vulnerabilities and then exploiting them.

“I only work when someone pays me,” Tam said, noting that hackers can work any time and be based anywhere in the world. Tam appeared as one of the speakers at a recent cybercrime symposium hosted by Exchange Bank in Santa Rosa.

In 27 years helping business clients with information technology, Tam’s worst case hit a company that sold DVDs online. “The company got hijacked,” he said. Hackers contacted the company’s CFO just as the peak holiday sales season opened and demanded that the company pay $15,000 a month or they would damage the business in unspecified ways.

“It was just before Thanksgiving. They did their homework,” Tam said of the hackers. Because nearly 40 percent of the company’s revenue came during the holidays, the company met the extortion demand. “They paid up until Christmas,” he said.

When the holidays ended, the victim company revamped its entire IT platform. The attack cost a total of nearly $100,000 to replace all hardware and software. “They had to nuke the entire environment just to make sure,” Tam said.

Companies make themselves most vulnerable when they don’t keep up with software security patches sent by companies such as Microsoft, Tam said. Even if a firewall, virus-checker, Internet operating system, web server or other outward-facing device is “the best today, it could be the worst in a week,” he said. “If you fall behind and don’t do it, it could be pretty bad.”

Such patches should be installed only when an IT expert takes the initiative to go to the software provider’s site to download the fix. “You don’t want to open anything” that comes as an unsolicited email attachment, he said, even if it is a known name. “They can be spoofed,” or deliver a “gift-wrapped executable,” sometimes by impersonating someone you know. “You have to verify the sender” with authenticated and secure connections. “I wouldn’t trust anybody who sends me a link,” he said. “That way you minimize the risk of going to a rogue website.”

FBI beefs up cyber-squads

“The odds are in the criminal’s favor,” said Enrique Alvarez, a supervisory special agent for the FBI’s 200-agent cyber-intrusion unit in Oakland. Before joining the FBI, he worked at several Internet companies in San Francisco and served as a Navy intelligence officer in Iraq. Cybercrime has drawn greater FBI attention especially since 2012, particularly on intrusions, Alvarez said.

The FBI has 40,000 employees in 56 field offices. The San Francisco office, the fifth-largest in the country, has five “cyber squads,” with the fifth added on Oct. 1. Three of these focus entirely on national security threats: foreign-state-sponsored intrusions.

Social networking accounts provide cyber criminals with rich troves of information that can be used to invade and attack through business and personal routes. “We track a lot of crime data,” Alvarez said. “That’s one of the strengths of the FBI.”

Cyber criminals, particularly in Eastern Europe, are “using a lot of infrastructure to conduct nefarious activities targeting” the financial services sector of the economy, Alvarez said. “Those actors are hiding behind foreign infrastructure.”

In massive intrusions such as attacks on JP Morgan Chase, Target and Home Depot, “we mobilize cyber action teams,” Alvarez said. They can work remotely because of the nature of the intrusion. “We can get access virtually to where the victim is,” he said.

“You are dealing with lots of potential violations when you’re dealing with a bank,” Alvarez said. “Things happen to banks. We look at practically every bank robbery in the country.” He did not find any evidence of cybercrimes against Exchange Bank, he said. All bank robberies automatically become FBI cases because banks are federally insured.

Most physical bank robberies today are not takeovers, but “note jobs,” Alvarez said, where the robber hands a teller a note demanding money. Even more are electronic, as nearly 40 percent of people worldwide are online.

“We have sources in every industry,” Alvarez said, “that give us the pulse of what’s going on.” The aim is to identify signs of cyber-attacks before they happen.

“Criminal activity is ruthlessly efficient,” Alvarez said. “They do a lot of experimentation. They understand what doesn’t work. Dumb operators in the criminal element usually end up dying: very Darwinistic. In cybercrime, it’s the same thing. They keep trying. What works becomes tactics and procedures” that are continually refined.

Every five seconds, about 112 terabytes (112,000 gigabytes) of data flow through the Internet, Alvarez said, a vast torrent of information in which criminals can find ample opportunities. “Retail and commercial” bank customers are “big, fat targets for the criminal element,” Alvarez said. “Large companies are continually victimized. They are not looking at how their data is stored and accessed, how they authenticate users. Where are the holes, and how can you plug them?”

Dedicated hackers in other countries consistently seek opportunities online to steal money from businesses and their customers. “They want to transfer money to a foreign bank, socially engineer your employees to convince them to move money from one account to another,” he said. When a bank’s online service system goes down, “how much does that cost the bank per minute?” Alvarez said. “Loss of trust with your customers is a big deal.”

Rebuilding a network after a breach is like “trying to rebuild a plane while it’s flying,” he said, “very difficult.” Malicious cyber activity is not always motivated by money, but sometimes for political ends.

Businesses need to conduct insider-threat training, Alvarez said. “What’s an insider threat? A disgruntled employee, the person you just fired,” he said. “A person who was passed over for a promotion. Someone who has a lot of access to your internal network who is not happy, who has virtual keys to the kingdom. Make sure you are taking care of your employees. If they are frustrated, give them the opportunity to vent.”

Poorly trained employees can unwittingly jeopardize a business network, he said, such as bringing thumb drives from home in order to play music on a work computer. “Hiding in that thumb drive could be all sorts of horrific things that are not visible to the user, but visible to the operating system,” he said.

“Don’t open enclosures” to emails, Alvarez said. Use a service that scans enclosures for threats. Gmail is good at this, for example, scanning enclosures. “Sending a malicious enclosure is 90 percent of how people get into your network.”

Disgruntled or activist hackers might aim to attack critical infrastructure: turn off electric power, shut down water supply, gas and oil delivery, banking and finance, transportation and air traffic control, communication systems. “All these sectors of the economy use computer networks,” he said. Attacks originate as cyber actions on industrial control systems or supervisory control and data acquisition (SCADA) that can have very physical results, “the way PG&E transmits power to your house, how sewers are controlled. The cyber-caliphate wants to launch SCADA missiles. We try to harden those targets,” including wireless access points.

Spear phishing targets contacts

Spear phishing is a targeted malicious email that appears to be from someone you know, such as someone on your contact list in Outlook. “For banks, the people who get spear-phished are the senior executives,” Alvarez said. “Senior executives tend to open enclosures. It’s like shiny little objects. Senior executives are the worst offenders. Spear phishing can look like an email coming from within the bank.”

The FBI uses LinkedIn frequently to find out about people. “People overshare,” he said. “It’s kind of embarrassing. People are proud of their achievements. It’s a center of intelligence research for good and for bad. I can craft some fantastic spear phishing emails based on what you put in LinkedIn. Be careful about what you share online. Lock your privacy settings down.”

Big companies often don’t report when they are hacked, Alvarez said. “It’s embarrassing, it affects stock prices, consumer confidence,” he said. “It’s tough stuff from a PR standpoint. Do you want to admit that?”

The FBI collects and analyzes malware samples, and may try to assess a malicious enclosure that somebody clicked. “Who had access, motive and opportunity,” he said. “We’re not going to take over your system or repair your system. That’s not our job.”

Multiple passwords essential

Having one password that is used on multiple applications is a huge blunder that allows hackers easy access, Alvarez said. “It’s hard for the human brain to remember strong passwords that are unique for 20 different sites. It’s the single biggest problem with technology right now,” he said.

“Make your clients use strong passwords,” he said. “Make them change those passwords every 90 days. It limits your liability and their liability. You don’t want to be the low-hanging fruit on the criminal target list. Make it hard for criminals to target and access your company. I can break a 10-digit password in about three minutes with completely available software.” A message on a hackers' news bulletin in 2013 showed a free public program that would launch a “brute force” attack on a password, trying 8 million times per second to guess it.

A strong password should be long, and have uppercase and lowercase letters and numbers. Special characters (shift on number keys) make them much harder to crack.

Alvarez has 80-year-old parents who send him nearly every piece of spam they receive, asking, “Should I click on this?” Alvarez shakes his head. “No, and don’t send it to me,” he said. “People in their eighties have computers and, sadly, those are the people who are getting taken. Don’t open any enclosures. The criminal element is ruthlessly efficient, and they are continuously innovating.”

Accountant error loses business $300,000

Sean Kerr, a criminal investigator for the Central Marin Police Authority, is a detective on the Northern California Computer Crimes Task Force. The nine-person task force works on cybercrime in Sonoma, Marin, Solano, Napa, Mendocino, Lake, Humboldt, Del Norte and Contra Costa counties. Much of the work involves forensic examination of digital devices obtained as evidence.

Some digital trails are tricky, such as Snapchat, a popular application that allows users to send photographs, videos, text and drawings that exist on servers only up to 10 seconds before being deleted. “It was a game-changer,” Kerr said, “as far as how you do search warrants for that.”

In a network intrusion case in the past year that affected a local business, “one of the accountants decided to check her personal email,” Kerr said, and clicked on a link that said, “AT&T bill update.” “She clicked on it. It looked legitimate. It had an enclosure with her billing statement. That’s when the network intrusion just happened, defeated the firewalls and everything else the company’s IT structure set up.”

For two and a half months, the perpetrators stayed in the company’s network, monitoring activity. “They got account numbers, passwords, employee information, addresses, names, dates of birth, Social Security numbers.” The company had implemented two-factor authentication using a separate device resembling a small pager that a user has to click to obtain a series of numbers to enter within 30 seconds after log-in. “That was the one thing the suspects couldn’t defeat,” Kerr said.

One day when the CPA tried to log in to an account at a local bank, a different screen appeared saying the site was under construction. Immediately she received a phone call from a person who claimed to represent the bank. The person acknowledged her difficulty logging on then offered to log on from his terminal and conduct whatever transactions were needed. “The token got clicked, the numbers given,” Kerr said. Within four hours, the business lost about $300,000.

“Everything in cyber world can be spoofed, hidden, but money, we’re going to know where it ends up,” he said. The money “went through a bunch of banks in the Midwest then through Spain and ended up in the Czech Republic.” Police could not retrieve the funds.

The first email to the CPA originated in South Africa and came through the server of a toy company in San Diego, Kerr said. The phone call she received was a Skype number.

Once an intruder gains access to the company network, vulnerabilities balloon, Kerr said. “Cyber-criminals get top talent based on the money they can make,” he said. “They were able to circumvent antivirus safeguards.”

Fake business names

In another case, criminals near Sacramento created fake businesses by changing one letter of the name of a known business, such as Walt-Mart instead of Wal-Mart. “When they were making online transactions on people’s accounts, it looked legitimate,” he said. “When people look at their bills, they don’t pay attention exactly to what they’re reading. These perpetrators were able to get credit card numbers, make charges to fictitious businesses and get the money laundered.”

If employees check personal email on the business network, “whatever is on that email is now on your network,” Kerr said.

An upset student in a local high school found a web service, paid it the equivalent of 300 bitcoin and was able to launch a distributed denial-of-service (DDoS) attack against the district’s network, bombarding the server with so much traffic that it crashed. The damage over six months: $500,000. Police caught the student in the act, and arrested him. “We trace bitcoin and do warrants,” Kerr said. “A disgruntled employee could do this type of activity.”

Criminals discovered that they could access e-receipts from any customer who made purchases at a big-box store chain. “It was all about marketing,” Kerr said. “Security wasn’t at the forefront. None of the information was verified. All you needed was a working email address.”

Using the app to find cash sales and the day’s receipt code, the criminals would print duplicate receipts, walk into the store and grab the item sold to a previous customer, demand a refund and collect the money. “In 14 months, they did about $50,000 in damages,” Kerr said. “They accessed over 9,000 e-receipts and used 794 of those.”
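An added example of the access-control gap Kerr describes, written for this page and not the retailer's software (the service layout, field names and sample customer are constructed). It puts a weak lookup beside a hardened one: the hardened service binds each receipt to an authenticated customer, answers missing and foreign receipts identically, and records a refund so that a reprinted copy of the same receipt cannot be refunded a second time.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Receipt:
    receipt_id: str       # random, unguessable identifier (constructed field names)
    owner_email: str
    item: str
    amount_cents: int
    refunded: bool = False


class WeakReceiptService:
    """Mirrors the failure mode in the story: whoever knows a customer's e-mail
    address gets that customer's receipts, and nothing records a refund."""

    def __init__(self):
        self._by_email = {}

    def issue(self, email, item, amount_cents):
        r = Receipt(secrets.token_urlsafe(16), email, item, amount_cents)
        self._by_email.setdefault(email, []).append(r)
        return r

    def lookup(self, email):
        # No proof that the caller controls `email`.
        return list(self._by_email.get(email, []))

    def refund(self, receipt):
        # A printed copy of the same receipt can be refunded again and again.
        return receipt.amount_cents


class HardenedReceiptService:
    """Receipts are bound to an authenticated customer and refunded at most once."""

    def __init__(self):
        self._receipts = {}   # receipt_id -> Receipt
        self._sessions = {}   # session token -> e-mail of the logged-in customer

    def login(self, email):
        # Assumes the caller has already proven control of `email` (password,
        # mailed code, ...); only the resulting session is modelled here.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = email
        return token

    def issue(self, email, item, amount_cents):
        r = Receipt(secrets.token_urlsafe(16), email, item, amount_cents)
        self._receipts[r.receipt_id] = r
        return r

    def lookup(self, session, receipt_id):
        email = self._sessions.get(session)
        r = self._receipts.get(receipt_id)
        # Same error whether the receipt is missing or belongs to someone else,
        # so a caller cannot probe which receipt ids exist.
        if email is None or r is None or r.owner_email != email:
            raise PermissionError("no such receipt for this customer")
        return r

    def refund(self, session, receipt_id):
        r = self.lookup(session, receipt_id)
        if r.refunded:
            raise ValueError("receipt already refunded")
        r.refunded = True   # a real store would do this inside a DB transaction
        return r.amount_cents


def refund_rejected(service, session, receipt_id):
    """True if the hardened service refuses the refund (wrong owner or already paid)."""
    try:
        service.refund(session, receipt_id)
    except (PermissionError, ValueError):
        return True
    return False


def demo():
    """Constructed walk-through; returns what each service pays out for one sale."""
    weak = WeakReceiptService()
    weak.issue("customer@example.com", "cordless drill", 19_900)
    stolen = weak.lookup("customer@example.com")[0]          # only the e-mail was needed
    weak_paid = sum(weak.refund(stolen) for _ in range(3))   # three "returns" of one sale

    hard = HardenedReceiptService()
    sale = hard.issue("customer@example.com", "cordless drill", 19_900)
    owner, stranger = hard.login("customer@example.com"), hard.login("other@example.com")
    hard_paid = hard.refund(owner, sale.receipt_id)          # first refund succeeds
    assert refund_rejected(hard, owner, sale.receipt_id)     # reprint of the same receipt
    assert refund_rejected(hard, stranger, sale.receipt_id)  # someone else's receipt
    return weak_paid, hard_paid


if __name__ == "__main__":
    print(demo())   # (59700, 19900)
```

The two design points that close the gap are the ownership check on every lookup and the server-side `refunded` flag: a receipt is a claim against the store, so its state has to live with the store, not on the paper the customer carries.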

For police investigation, all the evidence was on the business server located in another state. When police went to arrest the criminals, none of the evidence appeared on their smart phones. “Those $200 or $300 returns are misdemeanors,” Kerr said, “and I can’t get the proof from the phone. Those crimes get dismissed.”

Some car-wash businesses purchased software that was embedded with malware that transmitted transactions, Kerr said. “It affected one bank in this county.” Criminals stole card information from the bank and would geo-locate it. When they went on the Dark Web to sell those counterfeit credit cards, they would target it regionally so it would seem normal that the victim would make purchases in that area. “You bought stolen credit cards by region to make them look legitimate.”

Police waited until the criminals made online purchases then tracked IP numbers back to the originating computers. “We find out their physical location and then hit the house,” Kerr said. It can take months to unravel such a case and collect evidence for a conviction.

Kerr noted that iPhones store location data on places their owners frequent (Settings > Privacy > Location Services > System Services > Frequent Locations). Pressing on any stored location brings up its address, and the phone records when its owner was there. “This is huge when it comes to property crimes, placing people in locations” using their phones, he said. Police can search without warrants the phones of suspects on parole or probation. “It’s a huge resource.”

For Android phone users, “I can do a search warrant to Google and get six years of your location history if I need it,” Kerr said.

“Routers store information about smart-phone users who connect through the Wi-Fi service,” Kerr said. A router might show that a suspected bank robber’s phone was on location at a string of bank robberies, for example. “There’s your digital fingerprint,” he said. “We use technology to help solve those crimes.”

A few years ago, Marin police worked with the FBI to apprehend the “Highway 101 bandit,” who hit banks near the freeway. “They downloaded the hard drive from his car,” Kerr said, “and found another 20 bank robberies” they were able to link to him.