RBC | “This seems like a very precise in-and-out sort of operation” professional ethical hacker Kyle Suero told the HT when asked about the wire transfer fraud reported by the Rio Blanco Water Conservancy District and County last month. Suero has a breadth of technical experience that includes system administration, application and infrastructure security, full-stack engineering, penetration testing and more. He also operates a non-profit dedicated to mentoring young people interested in learning computer/security skills.
He speculated that recent wire transfer fraud perpetrated against RBWCD in which a “significant portion of the CCITF Grant funds were lost” was a targeted operation that likely involved the use of open source intelligence gathering (OSINT) and “social engineering” to pull off a common type of attack broadly referred to as spear-phishing. “It’s hard to tell without more indicators, like the sort of tools that they were using, what we call TTPs — tactics, techniques and procedures,” said Suero.
TACTICS, TECHNIQUES AND PROCEDURES
Scammers, hackers, criminals and even nation state adversaries make use of a variety of simple and sophisticated methods to exploit vulnerable people. They also target governments and companies large and small for personal/financial data and other sensitive information. Suero said examples of such tactics that may have led to the loss of CCITF funds likely would have started with reconnaissance/information gathering. “A huge part of reconnaissance is seeing what’s publicly available on a target and then you move on from there,” said Suero. He noted this process includes everything from scanning social media profiles and government websites to impersonating prospective employees, trusted vendors, etc.
The goal of collecting information is for attackers to understand their target so they can more effectively engage in social engineering, and ensure their efforts are directed at appropriate targets. “Maybe you’re targeting individuals who have access to the particular thing that you want, in this case, obviously monetary funds,” said Suero. He added that for wire transfer fraud specifically, it would be “somebody who had the capability to be an accounts decision maker.”
SOCIAL ENGINEERING
“Social engineering” is a form of psychological manipulation used in all kinds of scams and targeted attacks. It involves tricking people into compromising their own security by engaging in behaviors they might otherwise avoid. For example, someone who wouldn’t normally divulge personal financial information over the phone might be tricked into doing so because of a very convincing scammer on the other end of the call. More often than not, scammers manipulate their victims with a specific set of techniques, like creating an “unusual sense of urgency” about an action they need to take.
MEDICARE SCAMS
“They try to use guilt and say that you ‘have to sign up now’ and ‘you have to give them the number now,’” said Meeker resident Sharon Day, who in her role as a volunteer for the State Health Insurance Program (SHIP) often works with seniors who have been targeted by scammers. She described how Medicare impersonators attempt to get sensitive information from seniors using social engineering methods. According to the Federal Trade Commission, other common methods employed by scammers are:
Pretending to be someone you trust such as a family member, company or government agency
Using intimidation and fear like threatening arrest or other consequences if you don’t give information
Insisting you make payments with untraceable methods like wire transfers and reloadable cards, gift cards, etc.
All of these methods, in addition to the “sense of urgency” are examples of red flags or indicators that a scammer is targeting you. Regardless of where someone says they’re contacting you from, never send money or release personal information to strangers over the phone, via email, text message or other form of digital communication. If you’re unsure about someone’s intentions, seek an outside opinion before complying with their requests, especially if those demands are posed as urgent. “If people call you I don’t care what they tell you. Do not give it out. Do not give them personal information. Period,” said Day, adding that residents with questions about a call they received can contact her through RBC’s human services department.
HOW TO PROTECT YOURSELF
“Mainly, I think the number one thing is just always learning,” said Suero. He emphasized maintaining security is an ongoing process that requires active effort to understand how scammers and other criminals operate. People with a knack for technology and security can assist their friends and family members by educating them about best practices and procedures to avoid having their information compromised. “Security is definitely becoming more of a prolific issue,” Suero said, when spotlighting a general lack of investment and attention to the issue by larger organizations, companies and governments alike. “Eventually it’s going to catch up to you. We call it ‘technical debt,’ but the later you push it off, the more tragic it’ll likely be,” he said.
This kind of technical debt accumulates for a variety of reasons, including a general mentality of resistance to change, especially in organizations with long standing practices that once sufficed but may now be outdated. More commonly, security upgrades and improvements are simply put on the back burner in favor of other budget priorities.
COUNTY RESPONSE
RBC IT and Communications Director Trevor Nielsen said his department engages actively in education of county staff and other security measures to mitigate potential security breaches, though their efforts can only go so far. “You can get the basics and you can kind of go all the way to Fort Knox,” said Nielsen, adding “and so, without spending all the tax dollars, we really want to get as secure as we can.”
He explained that while the county shares some security assets with larger entities like schools, hospital districts and towns, their resources don’t extend to other taxing entities. Those districts also generally do not employ IT/security staff of their own, if they employ any staff at all. Due to recent events Nielsen said the county IT department is planning a security presentation for the board of county commissioners in the near future. “It’s not like this is the first time we’ve ever thought about it or presented it, it’s just, we always re-present it after there’s another issue.”
RESOURCES
Individuals, organizations and businesses seeking educational materials on security and how to protect themselves from scams can find some handy guides at the following links
- https://www.consumerfinance.gov/ask-cfpb/how-can-i-protect-myself-and-others-i-care-about-from-fraud-and-scams-en-1935/
- https://www.crowdstrike.com/cybersecurity-101/phishing/spear-phishing/
- https://consumer.ftc.gov/consumer-alerts/2019/10/what-you-can-do-fend-hackers
- https://www.consumerfinance.gov/ask-cfpb/what-are-some-common-types-of-scams-en-2092/
You can find additional information and resource links at ht1885.com
By LUCAS TURNER | [email protected]om
