Pierluigi Paganini June 03, 2013

According to a recent research of Group-IB on cybercrime senior management is considered among most privileged targets.

Group-IB is one of the leading companies in fraud prevention, cybercrime and high-tech crime investigations, it is IMPACT-ITU member and one of most active firms in the analysis if cyber criminal phenomena.

The firm reported that cyber criminals use personal and confidential data of senior management of different financial institutions and companies for targeted attacks, including fraud and online-banking theft.

C Level executives are being targeted and drilled down on with specific attacks meanwhile HR managers are targeted due the sensitive information they manage.

Why senior management?

The principal reason is that information related to personal details of senior management or key employees helps are used by attackers for recruiting of potential insiders, it is very actual in banks, online-trading companies and e-commerce nowadays.

I contacted Andrey Komarov, the head of international projects of Group-IB, CERT-GIB CTO to have more information on the research, he told me:

«We have faced with internal fraud by bank employees in face of managers and top staff, recruited by cybercriminals absolutely remotely on the first stage, related to SWIFT MT 130 and SWIFT MT 760 operations on huge amounts of money. Of course, on the second stage, criminals involve such kind of employees to own criminal groups for further close cooperation»

SWIFT MT 130 and SWIFT MT 760 are very specific SWIFT operations, used for bank guarantees as well, and with the help of some corrupted employees it is possible to make some fraud in large amounts of money. In rare cases some of such operations are approved by insiders in face of senior management, especially who is connected with stocks and operational risks, as they have connections with all departments in the bank.

One of the most referenced sources of information are social networks, in particular hacked accounts of the most popular platforms such as Facebook and Linkedin. The social networks are a mine of information, employees use to publish their private e-mails and other personal information used by hackers to gather design their profile and to design a map of contacts.

In regard of targeted attacks, hackers are interested in the credentials of middleware employees and senior management for placing malware and getting more information about the network topology of potential victims, sometimes they spawn a specially crafted code for reverse connection to use the infected machine for cyber espionage.

The specific targets of hackers are IT-administrators and IT-managers, as most of them have full access to the company’s infrastructure, which means that if they will be compromised, the attackers may gain access to different information resources, including corporate e-mails.

In the above image is reported a post from an underground forum that demonstrates the hacker’s interest to confidential data on CEO and top management of different well known brands, following the translation from Russian:

“Will buy information about the following companies: 

– Linkedin, Verizon, GoDaddy, British American Tobaco, Dupont, Pepsi, Names.co.uk, Facebook (private companies) 

– Commerzbank, Reiffeisen, RBS, Bank of America, Wells, Wachovia, Citibank + any russians, having online-banking

Interested in email + password, any stolen accounts of its employees in social networks (Facebook + Linkedin), will pay good, before selling need to have a garant and checking.

Interested in hacked accounts and data on:

– sustem administrators;

– top managers (operational managers, heads of the departments)

Reach me only through PM, confidential and in 1 hands

WIll talk only under OTR/NDC encryption in Jabber, don’t use ICQ “

Experts at Group-IB confirmed me that there is great market of confidential data trading, mostly it is used by competitive entities for intelligence in same segment of market, by big players on the market for struggling, and hackers as well.

According to the statistics, the most valuable types of information well traded on the black market are:Annual accounting balances and financial reports;

• Project plans and strategies of the company for several years;
• Intellectual property and innovations used for successful business;
• Customers databases and partners’ contacts (CRM);
• Employees databases (Intranet systems);
• Credentials to corporate e-mails and personal e-mails of employees;
• Internal network infrastructure and its specifics.

Once again the observation of criminal underground is giving us precious information on the trends in the cyber criminal environment, this information is fundamental for the security departments of enterprises and governments

Pierluigi Paganini

(Security Affairs – Cybercrime)