In April 2013, the administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service. A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice. The vice president spoke with authority and used perfect French. However, the invoice was a fake and the vice president who called her was an attacker.
The supposed invoice was actually a remote access Trojan (RAT) that was configured to contact a command-and-control (C&C) server located in Ukraine. Using the RAT, the attacker immediately took control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and exfiltrated files.
These tactics, an email followed up by a phone call in perfect French, are highly unusual and are a sign of aggressive social engineering. In May 2013, Symantec Security Response published details on the first attacks of this type targeting organizations in Europe. Further investigations have revealed additional details of the attack strategy; the attacks are financially motivated and continue to this day.
Many organizations and their banks employ defenses to prevent unauthorized money transfers. However, the attackers exercised additional aggressive social engineering tactics to defeat each of the defensive practices. For example, in one instance:
- The attacker initially compromised systems within an organization using their RAT.
- Once the systems were infected with the RAT, the attacker retrieved identifying information, including disaster recovery plans, about the organization’s bank and telecom providers, its points of contact at both providers, and its bank and telecom account data.
- Using this data, the attacker was able to impersonate a company representative and called the organization’s telecom provider. They proved their authenticity to the telecom provider, claimed that a physical disaster had occurred, and said that they needed all of the organization’s phone numbers to be redirected to attacker-controlled phones.
- Immediately following the phone number redirection, the attacker faxed a request to the organization’s bank, requesting multiple large-sum wire transfers to numerous offshore accounts.
- As this was an unusual transaction, the bank representative called the organization’s number on record to validate the transaction. This call was redirected to the attacker who approved the transaction.
- The funds were successfully transferred to multiple offshore accounts, which were subsequently laundered further through other accounts and monetary instruments.
In another case, the attacker needed to use a proprietary in-house system to transfer funds that employed a two-factor hardware dongle. In this operation:
- The attacker, who was impersonating IT staff, called the victim and informed them that some system maintenance was required on the fund transfer system.
- They convinced the victim that, due to customer privacy reasons, the monitor needed to be turned off while they performed the task.
- While the monitor was off, the attacker used the in-house system to transfer large sums of money to offshore accounts using the victim’s existing and active access to the system.
In yet another instance, the attackers didn’t utilize any malware at all. In this operation:
- The attacker impersonated a bank employee and sent an email to an actual bank employee, in impeccable French, mentioning that the bank’s computer systems were being upgraded.
- The following day the attackers called the email recipient, claiming to be working for the same bank, and requested a ‘test’ wire transfer.
- The ‘test’ wire transfer led to money being sent to an offshore account.
Based on investigations into the attack, several different French-based organizations were affected. The attacker’s goal was to wire funds from the accounting or equivalent department within the company to an offshore account.
Figure 1. Industries targeted by Operation Francophoned
In most cases, the first victim was an administrative assistant or accountant within the organization. In cases where the initial victim did not have rights to wire funds, the attacker used the victim’s credentials to identify an employee within the accounting department who had this authority. The attacker then conducted further social engineering activities to compromise that individual’s computer.
Attacking on the move
By examining emails and C&C traffic, we were able to determine that the attacker is located in, or routing their attacks through, Israel. The originating IP addresses in Israel, however, are unusual, as they are within a netblock for mobile customers of an Israeli telecom company. Furthermore, by performing traffic analysis, we were able to determine that the attacks are indeed originating from a mobile network and, crucially, that the attacker is using mobile Wi-Fi hotspots.
Figure 2. Operation Francophone C&C traffic
Mobile Wi-Fi hotspots act like GSM cellular radios (equivalent to a GSM phone) that can provide Internet access to a computer system through the mobile phone network. This potentially provides anonymity for the attacker if the GSM SIM card for the mobile Wi-Fi hotspot is purchased in cash at a bazaar or private sale. Many 3G providers around the world allow the purchasing of a prepaid data plan without verifying the identity of the buyer. As a result, telecom records will not lead to an individual.
Even more surprising, the traffic analysis indicates that the attacker was on the move while conducting the attacks. These operational security techniques make the attacker extremely difficult to trace. The use of such a technique for cybercrime illustrates the increasingly sophisticated methods that attackers employ. Finding a moving mobile Wi-Fi hotspot requires on-call personnel on the ground with special equipment, as well as the telecom provider’s assistance to triangulate its location.
Francophoned is a good example of how cybercriminal operations are becoming increasingly sophisticated, a trend that is likely to continue in the future.
Symantec would like to thank the Computer Emergency Response Team of Ukraine (CERT-UA) for their assistance with this research.