Direct Deposit Phishing Attack

Brian Allen
brianallen@wustl.edu
Network Security Analyst
Washington University in Saint Louis
May 2014
Topics for Today
• Brief overview of the Washington University network
• Brief look at first incident in Sept/Oct 2013
• Brief look at second incident in Jan/Feb 2014
• Potential phishing defenses
• Some examples of real phishing emails
• Who attacked us?
• Final thoughts
Decentralized Campus Network
[Network diagram: the Internet, NSS and NSO, and the separately run networks of the Business School, Law School, Arts & Sciences, Medical School, Engineering School, Library, Social Work and Art & Architecture at Washington University in St. Louis]
NSS = Network Services and Support
NSO = Network Security Office
Numbers from Sept/Oct 2013 Attack:

• 13 total victims
• 11 Medical School faculty
• 2 Business School faculty
• 11 had direct deposit info changed
• 1 account caught by the new HRMS blacklist and immediately blocked
Round 1a Phishing Attack
Round 1b Phishing Email
Numbers From Jan/Feb 2014 Attack
• 17 Users were victims
– 15 Medical Faculty or Staff
– 1 Engineering School Faculty
– 1 Law Student
• 4 Victims had their Direct Deposit info changed
• 7 Users were protected by the Blacklist
• 10 Victims were logged into from new IP addresses which were quickly added to the Blacklist
Round 2 Phish Three Months Later
Criminals seemingly have a huge advantage
They send hundreds of phishing emails and only need ONE user to fall for it to succeed
We can turn the tables on them
Force the criminal to run through a gauntlet of defenses to succeed
Reconnaissance Phase
Phishing Email Phase
Criminal Login Phase



HR/SSO Application Suggestions

Payroll Alerting Suggestions
Communication Suggestions
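The HRMS blacklist and the "logged in from new IP addresses" pattern from the numbers slides, together with the HR/SSO and payroll alerting suggestions above, can be combined into one triage step. This is an added example, not code from the presentation or from WUSTL; the event format, blacklist, per-user IP baseline and event batch are all constructed.

```python
"""Added example (not from the presentation): hold direct-deposit changes made
after an HRMS login from a blacklisted or previously unseen IP. All data is
constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch (constructed)
    user: str
    ip: str       # source IP of the HRMS session, "" if unknown
    action: str   # "login" or "dd_change" (direct deposit edited)

BLACKLIST = {"203.0.113.7"}                       # IPs from confirmed phishing logins
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.20"}}  # per-user baseline

def triage(events, blacklist, known_ips, window=3600):
    """Return (blocked, alerts): logins refused by the blacklist, and
    direct-deposit changes whose preceding login (within `window` seconds)
    came from an IP outside the user's baseline, or had no login at all."""
    blocked, alerts, last_login = [], [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "login":
            if e.ip in blacklist:
                blocked.append((e.user, e.ip))    # the HRMS blacklist step
                continue
            last_login[e.user] = (e.ts, e.ip)
        elif e.action == "dd_change":
            ts, ip = last_login.get(e.user, (None, ""))
            stale = ts is None or e.ts - ts > window
            if stale or ip not in known_ips.get(e.user, set()):
                alerts.append((e.user, ip))       # payroll alerting step
    return blocked, alerts

# Constructed batch: alice is routine; bob matches the victims' pattern (new IP,
# then a payroll change); carol hits the blacklist; dave has no login on record.
EVENTS = [
    Event(1000, "alice", "192.0.2.10", "login"),
    Event(1200, "alice", "192.0.2.10", "dd_change"),
    Event(2000, "bob", "198.51.100.5", "login"),
    Event(2300, "bob", "198.51.100.5", "dd_change"),
    Event(3000, "carol", "203.0.113.7", "login"),
    Event(4000, "dave", "", "dd_change"),
]

def run_demo():
    return triage(EVENTS, BLACKLIST, KNOWN_IPS)
```

Changes flagged in `alerts` are the ones payroll would hold and confirm with the employee out of band; blacklist additions stay a manual step after a login is confirmed malicious.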

Phishing Examples
WUSTL Site or Phish Site?
WUSTL Site or Phish Site?
WUSTL Site or Phish Site?
Real Email or Phish Email?
Spammers log in and use account to send spam
Sept/Oct Attack 1
How Much $ Did the Criminals Get in October?
• $97,210.28 Total was Transferred Out
• $91,470.53 Was Recovered by Payroll
• $5,739.75 Was Lost
[Bar chart of the three amounts: Total, Recovered, Lost]
Jan/Feb Attack
How Much $ Did the Criminals Get in January?
• $0 Total was Transferred Out
• $0 Was Recovered by Payroll
• $0 Was Lost

• Thanks!
• Questions?
• brianallen@wustl.edu
