Educause Security Discussion mailing list archives

REN-ISAC ALERT: wire transfer phishing targeting university presidents and VPs


From: Doug Pearson <dodpears () REN-ISAC NET>
Date: Fri, 27 Feb 2015 15:58:31 -0500

ALERT: wire transfer phishing targeting university presidents and VPs

REN-ISAC is receiving reports from its members concerning a resurgence
of phishing attacks aimed to cause fraudulent wire transfers of funds.
In most of the reports, the message appeared to come from the university
president, by name, to a vice president, by name, asking for "help [to]
process an outgoing wire transfer". One report involved the combination
of CEO and CFO. Attacks are occurring today and extend back at least two
weeks (one outlier as far back as November). We recommend you share this
awareness alert among executive and security staff, and particularly
with persons who have authority to conduct wire transfers.
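The pattern the alert describes (the executive's name in the sender display name, a different underlying address or reply path, and a request to process a wire transfer) can be turned into a simple inbound-mail check. The following is an added example for illustration and is not REN-ISAC code; the executive directory, internal domain, addresses and sample messages are all constructed placeholders, and the keyword list is only a starting point:

```python
"""Heuristic check for executive-impersonation wire-transfer phishing.

Added example (not part of the REN-ISAC alert). Executive names, addresses,
domains and messages below are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def _norm_name(name: str) -> str:
    """Lower-case a display name, keep letters only, sort tokens so that
    'Doe, Jane' and 'Jane Doe' compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


# Constructed directory: executive display name -> the one address that
# executive legitimately sends from.
EXECUTIVES = {
    _norm_name("Jane Doe"): "president@university.example",
    _norm_name("John Roe"): "vp.finance@university.example",
}
INTERNAL_DOMAINS = {"university.example"}

# Lure phrases; the alert quotes "help [to] process an outgoing wire transfer".
WIRE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bwire\s+transfer\b", r"\boutgoing\s+wire\b", r"\bprocess\s+(?:an?\s+|the\s+)?(?:\w+\s+)?wire\b")
]


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return {'suspicious': bool, 'indicators': [...]} for one RFC 822 message.

    Flags mail only when (a) an executive's name is used as the sender display
    name, (b) the address is not that executive's real one OR a Reply-To sends
    replies elsewhere, and (c) the body asks for a wire transfer. Requiring all
    three keeps legitimate internal wire-transfer mail from tripping the rule.
    """
    msg = message_from_string(raw)
    indicators = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    expected = EXECUTIVES.get(_norm_name(display))

    address_mismatch = expected is not None and addr != expected
    if address_mismatch:
        indicators.append("executive-display-name-with-unexpected-address")
        if domain not in INTERNAL_DOMAINS:
            indicators.append("sender-domain-external")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_redirect = bool(reply_to) and reply_to.lower() != addr
    if reply_redirect:
        indicators.append("reply-to-differs-from-from")

    if any(p.search(_body_text(msg)) for p in WIRE_PATTERNS):
        indicators.append("wire-transfer-request-in-body")

    impersonation = expected is not None and (address_mismatch or reply_redirect)
    lure = "wire-transfer-request-in-body" in indicators
    return {"suspicious": impersonation and lure, "indicators": indicators}


# Constructed sample traffic (placeholder addresses, not real ones).
PHISH = """\
From: "Jane Doe" <jane.doe.office@webmail.example>
To: "John Roe" <vp.finance@university.example>
Subject: Quick request
Content-Type: text/plain; charset="utf-8"

John, are you at your desk? I need your help to process an outgoing
wire transfer today. Let me know and I will send the details.
"""

SPOOFED_FROM = """\
From: "Jane Doe" <president@university.example>
Reply-To: <jane.doe.office@webmail.example>
To: "John Roe" <vp.finance@university.example>
Subject: Urgent
Content-Type: text/plain; charset="utf-8"

Please help process an outgoing wire transfer before noon.
"""

LEGIT_WIRE = """\
From: "Jane Doe" <president@university.example>
To: "John Roe" <vp.finance@university.example>
Subject: Vendor payment
Content-Type: text/plain; charset="utf-8"

John, the wire transfer for the lab equipment is approved; see the PO.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("spoofed-from", SPOOFED_FROM), ("legit", LEGIT_WIRE)):
        print(label, score_message(raw))
```

A hit from this check is a reason to route the message to the security team and to the out-of-band verification the alert calls for, not a verdict; a message that passes (the third sample) still warrants the same OOB confirmation before any funds move, since exact-address spoofing and compromised executive mailboxes produce mail this heuristic cannot distinguish from the real thing.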

This attack, in some ways, parallels phishing attacks against
institutional online banking conducted in 2010-2011. At that time we
published technical and CIO/business officer Alerts [1][2] about the
attacks. Those Alerts are still relevant and may prove helpful in
defense against the current attacks.

In those Alerts we recommended:

+ Make sure your peers have a copy of this message.

+ Make certain that systems used in performing financial transactions
are protected by strict technical controls and receive periodic validation.

+ Make certain that personnel involved in performing online financial
transactions have the necessary security awareness and training. Those
persons should receive targeted training on phishing and this threat.

+ Make committed and purposeful use of banking transaction
initiator/approver roles. Most banks offer sophisticated role-based
controls, but it's up to the institution to put them to effective use.

+ Have written policies defining the controlled environment in which
online banking transactions can be conducted, e.g. what systems can be
used, how they must be maintained, required personnel training, etc.

+ Routinely audit compliance with established technical controls and
policies.

+ WE STRONGLY RECOMMEND THAT all online banking operations should be
conducted on special-use computers that are used SOLELY for banking
transactions. No other use of the machine should be permitted - no
e-mail, no web browsing, no general-purpose business use - nothing but
institutional online banking transactions.

And to those recommendations we add:

+ Never rely solely on received e-mail for instructions to conduct
financial or other sensitive transactions. Always conduct an out-of-band
(OOB) verification, e.g. via phone call. If you are the source of such
instructions, take the initiative to conduct OOB verification with your
recipients, and train them to that kind of expectation.

If you have questions don't hesitate to e-mail me directly or via
soc () ren-isac net.

[1] http://www.ren-isac.net/alerts/banking-attacks_cio-bo_201001.html
[2] http://www.ren-isac.net/alerts/banking-attacks_technical_201001.html


On behalf of the REN-ISAC team,

Doug Pearson
Technical Director, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)274-7228
