Phishing Campaign Targets Anti-Money Laundering CU Contacts

Last month, credit unions across the nation began reporting spoofed emails aimed at Bank Secrecy Act officers.

Phishing scam targets credit unions (Image: Shutterstock).

A highly targeted, malware-laced phishing campaign against certain credit unions, reported by Brian Krebs on his Krebs on Security blog, raised concerns because it was specifically directed at anti-money laundering contacts.

The USA Patriot Act, approved after the Sept. 11, 2001 terror attacks, requires all financial institutions to appoint at least two Bank Secrecy Act contacts responsible for reporting suspicious financial transactions that may be associated with money laundering. U.S. credit unions are required to register these BSA officers with the NCUA.

Krebs revealed that on the morning of Wednesday, Jan. 30, BSA officers at credit unions across the nation started getting emails spoofed to look like communications from BSA officers at other credit unions.

“The missives addressed each contact by name, claimed that a suspicious transfer from one of the recipient credit union’s customers was put on hold for suspected money laundering, and encouraged recipients to open an attached PDF to review the suspect transaction,” Krebs reported. The body of the PDF includes a link to a malicious site.

According to Krebs, many credit union sources suspected the non-public data may have been somehow obtained from the NCUA.

In a release on Feb. 8, 2019 the NCUA said, “Upon learning of the recent spearphishing campaign targeting Bank Secrecy Act officers at credit unions, the NCUA conducted a comprehensive review of its security logs and alerts. This review is completed, and it did not find any indication that information was compromised.”

Kevin Epstein, vice president of threat operations at Sunnyvale, Calif.-based security firm Proofpoint, said, “The recent string of attacks aimed at financial institutions, including credit unions, illustrates just how targeted cybercrime has become. Threat actors have shifted away from infrastructure attacks and are instead targeting individual people with customized attacks.” He added that in this latest campaign, attackers combined multiple layers of social engineering, addressed individuals by name, and spoofed emails to appear as if they were sent by colleagues at other financial institutions.

“This heightened level of personalization is a mainstay in phishing attacks that continue to hit organizations worldwide, every day,” Epstein pointed out. “Regardless of what an organization’s security architecture looks like, attackers are adept at using two of the most powerful information tools of our era—LinkedIn and Google—to conduct reconnaissance on potential individuals to target.”

Epstein maintained that cybercriminals continue to use the email channel as their top threat vector because it’s cheap, effective, and continues to produce a high return on investment. “In fact, Proofpoint recently found that 83% of global infosecurity respondents experienced phishing attacks in 2018, an increase from 76% in 2017.

“As a best practice, we recommend financial organizations implement a comprehensive security approach that protects all parties (their employees, customers, and business partners) against phishing and email fraud. We also recommend layered defenses at the network edge, email gateway, and endpoint, along with strong user education to provide the best defense against these types of attacks,” Epstein said.

According to Colin Bastable, CEO of Austin, Texas-based cybersecurity test and training company Lucy Security, “This phishing campaign is a classic, multi-stage ‘Golden Keyholder.’” Bastable explained that a Golden Keyholder is a highly trusted employee or associate with access to and influence over core systems, people and information. “This attack has yielded a treasure trove of Golden Keyholders throughout the U.S. financial industry – not just credit unions.”

The Lucy Security CEO noted that by obtaining the names, the employer identities and the email addresses of the nation’s BSA staff, the attackers are leveraging the special roles and credibility of these individuals to drop malicious code into those organizations’ IT infrastructure. “BSA staff have a high level of trust with each other, as well as being authority figures inside their financial institutions.”

This attack is designed to maximize the impact of the PDF-borne payload. “Unfortunately, PDFs are wrongly considered to be trustworthy, inert attachments,” Bastable said. “So, an email from a trusted peer at another financial institution, containing a PDF attachment, has a high probability of being read, and the PDF opened.”

Will LaSala, director of security solutions and security evangelist at Chicago-based OneSpan, stated, “Spearphishing attacks are becoming more and more common as the wealth of personal information leaked from the massive amount of new data leaks in 2018.”

It is important that users stay vigilant and look for the common hallmarks of an attack. For example, it appears this attack contained numerous grammatical and spelling errors throughout the campaign. “These should immediately tip off users to stop interacting with the email and to contact their security team or to delete the email immediately. Technologies such as risk analytics play a big part in monitoring for fraud that occurs as a result of successful attacks,” LaSala noted.
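An added illustration, not code from the article or from any of the firms quoted: a small Python triage that checks one inbound message for the indicators the article names, a From domain that does not match the domain that actually sent the mail, the held-transfer lure wording aimed at BSA officers, and a PDF attachment that carries a clickable link rather than being inert. The sample message, the PDF bytes and every domain name are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure wording the article describes (a member's transfer held for suspected laundering).
LURE_PHRASES = ("suspicious transfer", "on hold", "money laundering")
# Link annotation in an uncompressed PDF object (assumption: a production check would
# inflate /FlateDecode streams or use a PDF parser; this regex only sees plain objects).
PDF_URI_RE = re.compile(rb"/URI\s*\((https?://[^)]+)\)")

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the names of the campaign indicators that fire for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    from_dom = _domain(msg["From"])
    # 1. Spoofing: the visible From domain differs from the domain that really sent the mail.
    if _domain(msg["Return-Path"]) not in ("", from_dom):
        hits.append("from/return-path mismatch")
    auth = (msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        hits.append("spf/dkim failed")
    # 2. Lure: the held-transfer story used to make a BSA officer open the attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "").lower()
    if sum(p in text for p in LURE_PHRASES) >= 2:
        hits.append("held-transfer lure wording")
    # 3. Payload: a PDF that is not inert but carries a clickable link.
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            if PDF_URI_RE.search(part.get_payload(decode=True) or b""):
                hits.append("pdf attachment with embedded link")
    return hits

# Constructed sample (not a real message): a one-object PDF with a link annotation.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (http://example.invalid/review) >> >> endobj\n%%EOF\n")

def constructed_sample():
    m = EmailMessage()  # From claims a peer credit union; the mailer domain does not match
    m["From"] = "BSA Officer <bsa.officer@peer-cu.example>"
    m["Return-Path"] = "<bounce@mailer.example.net>"
    m["Authentication-Results"] = "mx.example; spf=fail smtp.mailfrom=mailer.example.net"
    m.set_content("A suspicious transfer from your member is on hold for money laundering review.")
    m.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf", filename="transaction.pdf")
    return m.as_bytes()
```

Any single indicator can be benign on its own; the value is in the combination, which is what a gateway rule or a SOC analyst would act on.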

LaSala suggested that implementing the capability to identify attack patterns across multiple solutions in real time with machine learning and artificial intelligence will help credit unions and other financial institutions protect themselves from these spearphishing attacks.