A high-level overview of the growing problem of BEC (business email compromise) fraud and the money laundering mechanism behind it, followed by practical prevention advice that FIs and firms alike can implement right away.
2. Who Am I
• Spoke at Black Hat, ACFE (Association of Certified Fraud Examiners) Asia Pacific Fraud Conference, HTCIA (High Tech Crime Investigation Association) Asia Pacific Forensics Conference, and Economist Corporate Network.
• Risk Consultant for Banks, Government and Critical Infrastructures.
• SANS GIAC Advisory Board Member.
• Co-designed the first Computer Forensics curriculum for Hong Kong Police Force.
• Former HKUST Computer Science lecturer.
Albert Hui GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, GSEC, CISA, CISM, CRISC
Global Security Architect
Copyright © 2016 Albert Hui
3. Implications to FIs
• Financial Losses
• Lawsuit from Customers (breaching Duty of Care)
• AML & CTF Implications
• Criminal Liability (handling Proceeds of Crime)
4. CEO Fraud or BEC (Business Email Compromise)
Goals
• Primarily to scam victims into wiring money out
• Some scam victims into giving out identity information
Nature
• Targeted Attack
• Spear Phishing – Whaling Attack
• Social Engineering Attack
Mechanism
• MITE (Man-in-the-Email) Attack
7. How does it work? (The Spoofing Variant)
[Diagram: Hacker, posing as the CEO, emails Staff; Staff instructs Bank to make a Wire Transfer]
From: CEO@<the real domain>
Reply-To: CEO@<a typo-domain>
8. How does it work? (The Hacking Variant)
[Diagram: Hacker, using the CEO's own account, emails Staff; Staff instructs Bank to make a Wire Transfer]
No spoofing, no typo-domain
Very realistic: modified from previous emails, bears the correct signature
9. Commonly Posing As…
• CEO or other senior exec
• Foreign Suppliers
• Attorney
• Bank / FI
• Customers
10. Victims
• Banks / FIs
• Large Enterprises
• Small Companies
11. Why So Effective?
By Nature
• Delayed detection
• Efficient underground money laundering mechanisms
Defeat Cybersecurity Controls
• No malicious payload or links to detect
• Bypass dual-custody
• Bypass 2FA
Defeat Procedural Controls
• Bypass bank call-back
12. Cyber Security and Fraud
[Diagram: People, Process, Technology]
13. How Can FIs Be Affected?
• Financial Losses
• Lawsuit from Customers (breaching Duty of Care)
• AML & CTF Implications
• Criminal Liability (handling Proceeds of Crime)
14. Money Laundering
1. Via Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia…
2. …primarily via Hong Kong and China
3. Traditional placement-layering-integration via money mules
4. Flying Money money laundering network…
15. 飛錢 (Flying Money / Fei Qian)
1. Invented in the Tang Dynasty (618-907 AD) in Medieval China
2. Inspired the Hawala (Arabic: حوالة, meaning "transfer") alternate remittance system
3. A core part of the underground banking system
4. Essentially: value transfer without moving money…
16. The Workings of 飛錢
• Funds balance out in agents' books, therefore no real money movement
17. The Agents of 飛錢
• Many are Chinese immigrants
• Connected via family ties and Guanxi
• Many run their own businesses
18. Preventive Measures
• Awareness Training
• Verification Protocol
  - Check for typo-domain
  - Check for spoofed email
  - New payment account due diligence (tech controls can help)
  - More… (see next slide)
• Response Plan
  - How to handle victim?
  - Who to call, what parties to notify?
  - What forms to fill in?
  - AML? Compliance? Legal? PR? etc. etc.
• Cyber Security Defences
• Management Buy-In
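As an added example (not from the slides), the two header checks in the Verification Protocol above, run against a constructed message shaped like the spoofing variant of slide 7 (From: on the real domain, Reply-To: on a typo-domain). The domain names and the edit-distance threshold are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the deck): From: shows the real domain,
# Reply-To: points to a look-alike domain with "l" swapped for "1".
SAMPLE_EMAIL = """\
From: "CEO" <ceo@example-corp.com>
Reply-To: "CEO" <ceo@examp1e-corp.com>
To: finance@example-corp.com
Subject: Urgent wire transfer

Please process the attached wire today and confirm by reply.
"""


def levenshtein(a, b):
    """Edit distance; a small distance to our own domain suggests a typo-domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def check_message(raw, own_domain, max_distance=2):
    """Return findings for the verification protocol; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Spoofed-email check: replies would silently leave the displayed From: domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: From={from_dom} Reply-To={reply_dom}")
    # Typo-domain check: a foreign domain within a few edits of our own.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if dom and dom != own_domain and levenshtein(dom, own_domain) <= max_distance:
            findings.append(f"typo-domain: {label} uses {dom}, looks like {own_domain}")
    return findings
```

These checks only catch the spoofing variant; the hacking variant of slide 8 has no spoofing and no typo-domain, which is why the out-of-band verification on the next slide is still needed.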
19. Verification Rules of Thumb
1. Use out-of-band verification mechanisms
2. Do not trust incoming calls or SMS messages
3. Do not authenticate yourself before the counterparty identity is verified (or contact information comes from a trusted source, e.g. look up the phone number on a trusted site)
20. How Can FIs Help?
1. Improve threat model to address heightened CEO fraud schemes.
2. Don't place undue trust on verified client reps.
3. Strengthen controls surrounding new payees.
4. Client security awareness campaigns.
Bank-Firm-LE Collaboration
21. One Last Thing
For the purpose of one-time PIN codes:
Are SMS messages secure enough?
Are mobile app messengers secure enough?
Are messengers with end-to-end encryption secure enough?
23. What actually is this SS7 Protocol anyway?
[Diagram: Phone Calls and SMS are carried over SS7; Instant Messengers run over Data and can be End-to-End Encrypted]