Rising Attacks: CEO Fraud, Ransomware, Tech-Support Fraud, Extortion
Reported losses due to internet crime last year totaled $1.3 billion, according to the FBI’s Internet Crime Complaint Center, or IC3.
That’s based on 298,728 complaints registered with the bureau by U.S. residents in 2016.
“This past year, the top three crime types reported by victims were non-payment and non-delivery, personal data breach and payment scams,” Scott S. Smith, assistant director of the FBI’s cyber division, writes in its new Internet Crime Report 2016. “The top three crime types by reported loss were BEC [business email compromise], romance and confidence fraud, and non-payment and non-delivery scams.”
The report calls out four increasingly seen types of scams: business email compromise, aka CEO fraud or email account compromise; ransomware; tech-support fraud; and extortion.
The findings, however, include a big caveat, in that the Department of Justice estimates that only 15 percent of internet-related crime gets reported to authorities (see FBI to Ransomware Victims: Please Come Forward).
To help respond to such crime, the FBI says it’s been continuing Operation Wellspring, which Smith describes as “an initiative through which state and local law enforcement officers are embedded in, and trained by, FBI cyber task forces and serve as the primary case agents on internet-facilitated criminal investigations.”
Internet-enabled crime does not occur exclusively online. In the case of tech-support fraud, for example, the FBI says such schemes can involve a cold call, a pop-up window or locked screen on a PC, criminals using search engine optimization techniques to ensure their organization appears at the top of “technical support” search results, or URL hijacking or “typo-squatting,” in which criminals register domain names that closely resemble those of legitimate companies so that a mistyped or misread address lands the victim on the criminals’ site.
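A practical check for the typo-squatting and lookalike-domain technique just described, as an added example (not code from the FBI report or from this article): it generates the common typo classes for a protected brand label, maps a handful of visually identical Cyrillic letters back to Latin to catch internationalized-domain homographs, and falls back to an edit-distance comparison. The brand labels, candidate hostnames and confusable tables are constructed for the illustration; the `registrable_label` helper assumes a one-label public suffix, which a production check would replace with a Public Suffix List lookup.

```python
"""Lookalike-domain check for the typo-squatting technique described above.

Added example, not code from the FBI report. The brand labels, candidate
domains and confusable tables below are constructed for illustration.
"""
from __future__ import annotations

import unicodedata

# Keys adjacent on a QWERTY keyboard, for "fat-finger" substitutions.
QWERTY_NEIGHBORS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# ASCII characters that read like another at a glance ("paypa1", "rnicrosoft").
ASCII_HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
# A few Cyrillic letters that are visually identical to Latin ones (IDN homographs).
CYRILLIC_CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                        "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def typosquat_variants(label: str) -> set[str]:
    """Generate plausible typo variants of a brand label (no TLD)."""
    variants: set[str] = set()
    n = len(label)
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + ch + label[i:])                # doubled letter
        if i < n - 1:                                           # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in QWERTY_NEIGHBORS.get(ch, ""):                  # adjacent key
            variants.add(label[:i] + k + label[i + 1:])
        if ch in ASCII_HOMOGLYPHS:                              # homoglyph
            variants.add(label[:i] + ASCII_HOMOGLYPHS[ch] + label[i + 1:])
        if 0 < i:                                               # inserted hyphen
            variants.add(label[:i] + "-" + label[i:])
    variants.discard(label)
    return variants


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein plus adjacent swaps)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def ascii_skeleton(label: str) -> str:
    """Map confusable Unicode letters to ASCII and strip accents."""
    mapped = "".join(CYRILLIC_CONFUSABLES.get(c, c) for c in label)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(c for c in decomposed if c.isascii() and not unicodedata.combining(c))


def registrable_label(domain: str) -> str:
    """Second-level label: 'www.paypa1.com' -> 'paypa1'. Assumes a one-label
    public suffix; a production check would consult the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(domain: str, brands: list[str], max_distance: int = 2) -> dict:
    """Classify a domain against protected brand labels.

    Returns {"domain", "brand", "reason"}; reason is None for a clean or
    exact-brand domain. Checks run from most to least specific.
    """
    label = registrable_label(domain)
    if label in brands:
        return {"domain": domain, "brand": label, "reason": None}
    skeleton = ascii_skeleton(label)
    for brand in brands:
        reason = None
        if skeleton == brand:
            reason = "idn_homograph"            # looks identical, different code points
        elif label in typosquat_variants(brand):
            reason = "typosquat"                # generated typo/homoglyph variant
        elif brand in label.split("-"):
            reason = "brand_in_label"           # e.g. microsoft-support
        elif osa_distance(skeleton, brand) <= max_distance:
            reason = "near_match"               # catch-all edit-distance check
        if reason:
            return {"domain": domain, "brand": brand, "reason": reason}
    return {"domain": domain, "brand": None, "reason": None}


if __name__ == "__main__":
    # Constructed sample: one legitimate host and several lookalikes.
    brands = ["paypal", "microsoft"]
    for host in ["www.paypal.com", "micrsoft.com", "paypa1.com",
                 "microsoft-support.com", "p\u0430ypal.com", "example.org"]:
        print(check_domain(host, brands))
```

Run against a feed of newly registered domains or a proxy log, the `reason` field tells an analyst why a hostname was flagged; the `near_match` fallback and the hyphen-split rule will produce some false positives on short brand labels, so the distance threshold should be tuned per brand rather than applied globally.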
“The IC3 has received thousands of tech-support-related fraud complaints,” according to the report. “While the majority of tech-support fraud victims are from the U.S., the fraud was reported by victims in 78 different countries.”
One increasingly seen variation of this attack involves criminals contacting victims and offering a refund for an overpayment, then requesting remote access to the victim’s PC to “help” them log into their online bank account and process the transaction. The FBI says the “support provider” will “mistakenly” transfer too much and then ask the victim to send the supposedly excess amount back, while in reality the criminals are attempting to drain the victim’s bank account.
Extortion: DDoS, Breaches, Sextortion
Attempts to psychologically compel victims into paying attackers also continue, albeit with an increasingly online twist.
Some of the top types of extortion reported to the FBI in 2016 included the following six schemes, often designed to elicit a payment from victims:
- Data breaches: As defined by the FBI, “sensitive, protected or confidential data belonging to a well-known or established organization is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.”
- Denial of service: This involves threatening to knock a business site offline, often via distributed denial-of-service attacks. Attackers may first disrupt a site briefly, typically using DDoS-for-hire “stresser” or “booter” services, to demonstrate capability and increase the pressure to pay.
- Government impersonation schemes: While these schemes come in many forms, one common version involves con artists reaching out to harmed investors, offering to help them recover their funds in return for a fee.
- Hitman schemes: These involve email-based extortion in which a perpetrator threatens to kill a victim or their family.
- Loan schemes: Criminals impersonate a debt collector, threatening legal consequences unless funds are remitted.
- Sextortion: Criminals threaten to distribute private or sensitive material relating to the victims, unless they provide money, sexual favors or images of a sexual nature.
The bureau says IC3 received 17,146 extortion-related complaints with adjusted losses of over $15 million in 2016. It notes that extortionists are increasingly tapping virtual currency to attempt to make their efforts – and identities – tougher to trace.
13 Internet-Enabled Attacks
Here is a selection of some of the top attacks logged by IC3, including 2016 losses.
- Business email compromise ($360.5 million): Attackers trick an employee into making a wire-transfer payment. “These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds,” the FBI says.
- Confidence fraud/romance ($219.8 million): Tricking an individual into thinking they’re in a relationship – family, friendly or romantic – to extract funds, personal information or other assistance from them.
- Corporate data breach ($95.9 million): When confidential, sensitive or private business data is accessed, copied or disclosed by someone not authorized to do so.
- Advanced fee ($60.5 million): Scammers trick an individual into paying money, for the promise of receiving an even greater amount of money in return. Victims typically receive “significantly less than expected or nothing,” the FBI says.
- 419/overpayment ($56 million): The “419” term refers to a section of Nigerian law associated with fraud. The scammers request help, as well as money transfers. “The sender offers a commission or share in the profits, but will first ask that money be sent to pay for some of the costs associated with the transfer,” according to the FBI. The “overpayment” variation involves attackers sending some money to victims, instructing them to retain some and forward on the rest to a designated individual or business.
- Payment card fraud ($48.2 million): Theft and fraud involving payment cards as well as payment mechanisms such as ACH, EFT and recurring charges.
- Employment ($40.5 million): Scams that trick individuals into believing they are legitimately employed, but which lead to them losing money or laundering money or items while “employed.”
- Phishing/vishing/smishing/pharming ($31.7 million): Using unsolicited email, text messages or telephone calls – from purportedly legitimate firms – to steal individuals’ personal details or financial or online access credentials.
- Extortion ($15.8 million): Extracting money or property from an individual via “intimidation or undue exercise of authority,” according to the FBI. “It may include threats of physical harm, criminal prosecution or public exposure.”
- Tech-Support fraud ($7.8 million): Schemes that trick users into paying for unnecessary and often bogus technical support.
- Malware/scareware ($3.9 million):
Confidence/romance, investment and non-payment fraud, as well as BEC and data breaches accounted for the greatest internet-crime losses in California in 2016, as shown on this logarithmic scale. (Source: FBI)
Underreporting Remains Rampant
As noted, the above findings include the notable caveat that, according to the FBI, only about one in seven internet-crime victims may be reporting such crime to authorities.
Reporting such incidents, however, helps the FBI ensure that it’s obtaining sufficient funds from Congress to investigate these crimes. In addition, IC3 gives law enforcement agencies a centralized view of many types of attack. The FBI’s field office in Boston, for example, notes that it reviews BEC complaints logged with IC3 on a daily basis.
“The information is always up to the minute, which is important in these types of schemes,” according to a testimonial from an unnamed, Boston-based FBI agent included in the FBI report. “IC3 also proactively reaches out to the field when large BEC complaints involving recently wired funds are filed.”
Where wire transfers are concerned, time is of the essence, and the FBI says that having IC3 serve as the centralized repository for reporting BEC attacks in the United States has already been paying off. “In one instance, IC3 proactively reached out to the Boston field office to alert us to a $1.8 million wire,” the agent’s testimonial reads. “Based on the early notification, Boston [field office] was able to take the necessary steps to successfully recover the entire amount on behalf of the victim.”