A multination bust on Tuesday nabbed 49 suspects spread throughout Europe.
They were arrested on suspicion of using Man-in-the-Middle (MiTM) attacks to sniff out and intercept payment requests from email.
As Europol detailed in a statement, the raid was coordinated by Europol’s European Cybercrime Centre (EC3) and Eurojust, led by Italian Polizia di Stato (Postal and Communications Police), the Spanish National Police, and the Polish Police Central Bureau of Investigation, and supported by UK law enforcement bodies.
The suspects were arrested in parallel raids in Italy, Spain, Poland, the UK, Belgium and Georgia, where police searched 58 properties.
Police seized laptops, hard disks, telephones, tablets, credit cards and cash, SIM cards, memory sticks, forged documents and bank account documents.
The parallel investigations uncovered international fraud totaling €6 million (about £4.4 million or $6.8 million) – a haul that Europol says was snagged within a “very short time.”
The gang allegedly targeted medium and large European companies via MiTM attacks.
The suspects allegedly used social engineering and managed to plant malware onto the targeted companies’ networks.
Once they had established illegitimate access to corporate email accounts, they then allegedly monitored communications, sniffing around for payment requests.
The fraudsters then set up a simultaneous transaction with a targeted company’s real site.
An example of this type of attack was when crooks were targeting customers of Absa, one of the Big Four banks in South Africa, in 2013.
As Naked Security’s Paul Ducklin explained, the crooks in that scam managed to put up a page that looked perfectly professional – largely because they ripped off Absa’s own HTML and JavaScript code to make it look like the real thing.
That page, which customers accessed by clicking on the link in a phishing email (a good reason to avoid doing that; instead, type in the URL yourself), asked customers to enter their passwords.
The phishers next asked customers to put in the Random Verification Number (RVN) code that Absa sends to mobile phones as a one-time password.
Much of that differed from what Absa normally asked for at login, and how it asked, so as Paul recommended then (and it holds true today): it pays to familiarise yourself with what your bank tells you to watch out for.
Once customers have entered all that sensitive data, the crooks use it to set up a simultaneous transaction with the real site; for example, if it’s a bank, they tell it that you have just agreed to pay money out to the crooks.
Europol says that the suspects they busted on Tuesday instructed customers to send payments to bank accounts controlled by the criminal group.
Those payments were then cashed out immediately.
The suspects, who were mainly from Nigeria, Cameroon and Spain, transferred the ill-gotten money to outside the European Union through what Europol called “a sophisticated network of money laundering transactions.”
Sophisticated attacks like this are why it’s vitally important to keep checking that you’re on a bank’s real site, not just once but throughout an online banking session.
One of the things to watch out for is the URL for your bank’s internet banking site. For example, Absa’s site uses HTTPS, or secure HTTP, which shows up in the URL, https://ib.absa.co.za/.
As Paul recommends, always look in the address bar (which can’t be directly modified by a web page, only by the browser itself) for the tell-tale HTTPS padlock.
Know what the real bank URL is, and type it in yourself instead of clicking on a link that’s purportedly sent from your bank.
Take these warning signs from the Absa case, and swap in your own bank’s details to help you spot a phishing scam:
- Writing and spelling errors in email.
- Clickable link to login page in email.
- Wrong link, going to a country or site that doesn’t make sense (in Absa’s case, it was Korea).
- Link redirects to wrong location, not where your bank is located (in Absa’s case, The Netherlands).
- Login site doesn’t match the “real” bank’s login.
- Login site not encrypted with HTTPS. Note that this isn’t infallible, but if the URL is missing the padlock or the stamp of secure HTTP, something’s probably not right.
- Non-standard procedure for password entry.
- Inappropriate request for Random Verification Number (RVN).
If you smell a phish, get off the hook as soon as possible in order to minimise the amount of sensitive data the crooks can pull out of you.
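A small checker that applies the warning signs from the list above to the text of an email, as an added example that is not part of the original article. It assumes the real login address quoted in the article (https://ib.absa.co.za/) and two constructed sample emails; spelling errors, redirects and non-standard password procedures are not modelled, since they need a dictionary or a live fetch.

```python
import re
from urllib.parse import urlparse

# The real internet-banking address quoted in the article.
REAL_LOGIN_URL = "https://ib.absa.co.za/"

# Constructed sample emails (assumptions for illustration, not real phishes).
PHISH_SAMPLE = ("Dear customer, your account will be suspended. Log on at "
                "http://ib-absa.co.kr/login.php and enter your password and RVN.")
LEGIT_SAMPLE = ("Absa will never email you a link to log on. Type "
                "https://ib.absa.co.za/ into your browser yourself.")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
LOGIN_WORDS = ("login", "logon", "signin", "sign-in")

def registrable_domain(host: str) -> str:
    """Crude registrable-domain guess without a public-suffix list: keep three
    labels when the second-level label is short (co.za, co.kr), else two."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def check_email(body: str, real_login_url: str = REAL_LOGIN_URL) -> list[str]:
    """Return the article's warning signs that the email text triggers."""
    real_host = urlparse(real_login_url).hostname.lower()
    real_tld = real_host.rsplit(".", 1)[-1]
    signs = []
    for url in URL_RE.findall(body):
        p = urlparse(url)
        host = (p.hostname or "").lower()
        tld = host.rsplit(".", 1)[-1]
        if any(w in (p.path + p.query).lower() for w in LOGIN_WORDS):
            signs.append(f"clickable link to a login page in email: {url}")
        if p.scheme.lower() != "https":
            signs.append(f"link not protected by HTTPS: {url}")
        if registrable_domain(host) != registrable_domain(real_host):
            signs.append(f"link host {host} does not match real host {real_host}")
        if tld != real_tld:
            signs.append(f"link goes to a country that makes no sense: .{tld}")
    if re.search(r"\bRVN\b|random verification number", body, re.IGNORECASE):
        signs.append("email asks for the Random Verification Number (RVN)")
    return signs

if __name__ == "__main__":
    for name, body in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_email(body) or ["no warning signs"])
```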
Image of Europol courtesy of robert paul van beets / Shutterstock.com.
I’d just point out that if they broke into the company servers then it was an endpoint attack, not a man-in-the-middle attack. Phishing (the sending of a forged email) is also not a MITM attack.
A MITM attack is where data is read or interfered with on the wire between one end and the other. Similarly to phone tapping.
Otherwise, good advice.
Well, if you read up to the point right before they start talking about the example Absa attack in South Africa, it is a MITM attack, because they were suspected of sniffing out and intercepting payments requested by email.
The Europol page is now eight years old… but it still reports that MiTM techniques were used as one part of this criminality. The fact that phishing was used to acquire network logins in the first place doesn’t itself mean that there was no MiTM-ing. (Back in 2015, it’s quite possible that a lot of email in and out went unencrypted, so a sniffer anywhere on the network would reveal a lot of email secrets without leaving any tell-tale changes in the configuration of the mail server itself.)
Technically, I’d still consider an attack to be a MiTM if the sniffing or traffic interception code ran on the same computer as the app being sniffed, as long as the interception was done outside the targeted app, after that app had bundled up and transmitted its data.
(If you think of an old-school local-loop phone wiretap, it’s still a “tap” whether you put your crocodile clips onto the wires at the exchange, on the cable run half-way along at a junction box in the street, or by cutting into the back of the phone jack in the victim’s own property by hacking a hole into the shared wall from the apartment next door.)