Online fraud is becoming more and more prevalent in our society. As the use of technology grows and evolves, so do the methods criminals can use to access important, confidential information for individuals and businesses. Is your special district prepared against cyberattacks? Are your employees properly educated on what to look out for?
California Special District asked Michael Bazzell, a computer crime specialist currently assigned to the Federal Bureau of Investigation’s Cyber Crimes Task Force, to explain the current trends in online fraud, what forms of attack special districts are vulnerable to and how to best prepare against those attacks.
You have extensive background in law enforcement. Tell us more about your experience.
I began my career as a street patrolman and was promoted to investigations after three years. Computer crime was just starting to become popular, and my background in computers made me a decent candidate for computer forensic training. Much of it was being in the right place at the right time. I had always had an interest in computers, and few cops had the desire to learn about technology at that time (1999-2000). From there, I helped form the Regional Computer Crime Enforcement Group in the metro-east St. Louis area. We became the primary resource for computer crime investigation for most surrounding police departments.
In 2004, the FBI formed a new cyber task force in the area, and I transitioned into the new role. I spent several years investigating incidents involving child solicitation and the distribution of child pornography. After many cases, search warrants, and rescued children, I was requested to join the computer intrusion unit. I now focus on intrusions into computer networks and breaches of data. I work with large corporations and small companies when they are “hacked,” and try to track down every aspect of the incident.
What are some of the recent trends of online fraud?
Online fraud changes every day. Cyber criminals adapt their techniques constantly in order to always stay one step ahead of victims. Lately, many hacking groups focus on stealing a large amount of data from a company. This may be credit card numbers, login credentials, or private personal information such as SSN’s. The groups find it much more lucrative to put the time into stealing large databases of information instead of targeting individuals. Recent attacks such as those againstTarget and Adobe are typical of these cases. In the Target attack, criminals stole the credit card details of millions of people, while the Adobe attack provided millions of email addresses and password hints of victims.
Explain what cyberattacks you think local government agencies are most susceptible to.
I believe the most probable attack against local government agencies is spear-phishing. Standard phishing has been around for many years. When you receive an email that appears to be from your bank, it is likely a phishing attack. These messages use a scare tactic to make you think that your account has been compromised, and provides an internet link that will allow you access to your account to protect your money. Of course, the link forwards to a cloned website that is visually similar to the real bank website, and the criminals hope that you provide your user name and password to gain access. As soon as you do, they access your real account and do as much damage as possible in a short amount of time. Spear-phishing takes things to a different level. The following is a scenario that I would use if I were going to target a specific entity.
I would do my homework and research the entity. I would look up current and previous hiring opportunities for a position such as computer technician or network administrator. These posts probably include a reference to the type of systems that are present, such as the operating system of your network or the type of database that is used. It is common for a recruitment post to mention required skills such as “SQL Server Administration” or “Microsoft Exchange Administration.” Both of these tell me enough about your environment to start an attack.
I would then create a list of employee names that I want to target. I would do this through Facebook, Twitter and LinkedIn. In my presentations, I show how a hacker can create a list of over 75 percent of a business’ employees by scraping these social networks in less than five minutes. I would then locate a few official email addresses from the company’s website in order to identify the format of all email addresses for the employees. For example, if I find Bob Wilson’s email address is email@example.com, I know that Mary Johnson is firstname.lastname@example.org, and Tom Williams is email@example.com. I would use Excel to generate the list for me.
Now that I have the email addresses of my targets, I would generate a custom bulk message similar to the following:
As you may know, our Microsoft Exchange Server was partially compromised in an early morning attack. Fortunately, all of your information is safe; however, we need you to reset your password immediately. Any accounts that have not been converted by the end of the day will be disabled. Please click the following link to update your account.
This email would be sent from a free program that will “spoof” an email address and name to be anything desired. I would search on LinkedIn to find the name of your computer network administrator and make the email appear to be from him or her. The shady link in the message would forward to a server that I have full access to. As soon as you log in, I have your current credentials to your email account. I would use these to access your real account and look for bank statements, company accounts, etc. I might even send a quick note to everyone in your contact list telling them that I (you) are stuck in the U.K. and need $1,000 to get a new passport. I only need one person to respond and wire me money to make it worth my effort.
Ultimately, I will use your user name and password combination on any business networks that you may have access to such as online email or private VPNs. It is likely that most of your readers have received several messages similar to these. If these methods did not work, we would not receive so many of them. Every day, several employees fall for these scams.
What advice do you have for public agencies in protecting themselves from online fraud and hacking?
The first priority is to protect your passwords from several angles.
Never log into any suspicious website. If there is anything that does not appear legitimate, get out. Never click on a link within an email and then log into the responding website. If you receive an email from your computer administrator telling you to reset your password, don’t click any links. Instead, navigate to your login process as you normally would and see if you are prompted to change your password.
Make sure that you have a strong password. During my live demonstrations, I allow someone to set up a password to protect a file. This is usually something simple such as a child’s name. I then allow a free program to crack that password in less than two seconds. This is why so many websites demand that your password has letters, numbers, and special characters. These rules make the cracking process much more difficult.
Finally, make sure that you do not have one password for everything. Never use the same password on your Facebook account and your work email account. I recommend different passwords for personal websites, financial accounts, work-related accounts, and online shopping outlets. You are likely to have one of your personal accounts compromised at some point. Don’t allow that to affect your more valuable accounts.
Local government agencies often times operate with tight budgets. What are cost-effective methods these agencies can use to prevent a data breach?
I believe that absolute best method for tight budgets is training. Many of the companies I have spoken with rarely train their employees. They purchase very expensive software and hire security monitoring companies to help thwart off amateur hackers. These solutions cannot catch everything. I prefer to focus on detailed explanations and demonstrations to employees of how these criminals are attacking entities every day. You can have the best security software ever created and a hacker can still get through your system. All it takes is one untrained employee whot does not know to closely examine every link within an unsolicited email and to verify that he or she is really talking on the telephone with a representative of their payroll company (and not a hacker). Thieves rely on businesses to place more emphasis on high-tech protection and to have less interest in employee awareness. Fortunately, I also see organizations that continuously train employees of the latest cyber threats. These groups tend to see less successful attacks.
What are the first steps an agency should take if they fall victim to a data breach or other online fraud?
If the compromise involves a breach to the business network, I recommend contacting the local FBI office. Cyber task forces have been implemented nationwide and are prepared to tackle these events. If the fraud involves a personal account, such as a hacked bank account, I recommend contacting your local police department. There will be very little they can do, especially if the suspect is in a different country. However, you will be issued a report number that will be needed when you cancel your credit cards and demand reimbursement of any lost funds. If you believe your password was compromised, change all of your passwords associated with other accounts right away. Due to the majority of these attacks occurring from overseas, much of the responsibility will lie with the victim.
What are some steps an individual should take to protect their own personal data?
The previously mentioned information about passwords is relevant here too. Additionally, I encourage people to consider the following:
- Be cautious about the content that you post online. If your Twitter account mentions your upcoming vacation to Hawaii, you are helping a burglar. If your LinkedIn account summarizes your duties at your workplace, you are helping a potential cyberattacker. If your Facebook page has photos of your child with a nickname of “Mikey”, and your security question on your bank account is “What is my son’s nick-name?”, you are really asking for trouble. Surprisingly, hackers have all of the time in the world to identify the smallest of vulnerabilities in your life.
- Be suspicious of “Free Wireless” networks. These are broadcasted by criminals in order to monitor your activity and steal your credentials. If you are at an airport, hotel or coffee shop using the free wireless network, consider the type of data that you are transmitting. Reading a news article, printing a boarding pass, or researching a restaurant are all fine. However, you will never see me check my primary email account or financial accounts on these networks.
- Finally, people need to protect their computers. Most business systems are guarded by software running from the server. However, your home networks are equally as important. Every PC should have active antivirus running at all times. A scan for malicious software and “spyware” should be conducted weekly. Cleaning unnecessary files such as “cookies” and temporary files will also help keep things tidy. I always maintain a web page with access to the free resources that I recommend at computercrimeinfo.com.
Overall, I know that we cannot stop all computer crime. However, I truly believe that you can prevent it from happening to you. Following some general rules will prevent you from being the easiest target for the criminal. Keeping a close eye on your online activity will help you avoid becoming the next victim on my incident list.
* * *
Reprinted with permission of the California Special Districts Association from California Special District magazine, Volume 9, Issue 1.