Saturday, October 20, 2018

[CyberSecurity Awareness Series] When George Got Whaled



The button clicked. An exact amount of 9,99,000 $ was transferred immediately to an untraceable offshore account. This triggered an alert on the bank’s server. The response team quickly swung into action. Suddenly, multiple alerts came rushing in like a raging torrent. Multiple transactions of 9,99,000 $ started popping up on the screen. The response team immediately knew the bank was under attack and triggered the alarm bell, but by then it was too late.

3 Hours Earlier

It was a quiet afternoon and George was enjoying his cup of coffee. Through his glass window, the view from the 22nd floor was amazing. The bank was doing well, and the record quarterly profit had cemented his position and power as the bank’s top man. George’s phone chimed. He quickly looked at it and smiled. The smile was palpable. The picture message brought back memories of last night.

Still smiling, he logged on to his laptop. Due to regulatory compliance and a freezing period, all major transactions were on hold. Since the declaration period had ended yesterday, George was waiting for the go-ahead from the regulatory committee to lift the ban on high-value transactions. Before we go further, it would be nice to introduce the man here. George, a 37-year-old man with great looks and an MBA from the Ivy League, was one of the youngest CEOs of the Elegant Bank Corp. Married to a beautiful wife, George was living a dream. Well, sometimes dreams do crash.

The mail came and, as per process, George had to log in to the bank’s main server and confirm that high-value transactions would be allowed from the evening. He logged on to the bank’s server remotely using his credentials. He received an alert on his phone that the bank’s server was being accessed. He had to enter a code from his RSA token and voila, it was done.

The Investigation

George received a call from the response team alerting him that multiple transactions were happening and that it could be an attack. George panicked, and for a moment he felt as if a white flash of light had crossed his eyes. He gathered himself and tried logging in to the bank’s server, but to his shock, he was logged out. He tried logging in again and the message said “Wrong Password”. He called up the response team, only to hear more shocking news. According to the response team, George had changed his password 2 hours earlier and had updated the access control list too. Only George and Mr. Rishabh, a member of the board of directors, could access the bank’s server remotely.

George immediately called an emergency meeting of the board of directors. He instructed the response team to take any measures needed to disable the bank’s servers. He also called in law enforcement and explained the situation to them.

Swipe Me In

Law enforcement took complete control of all the bank’s devices and started the forensic investigation. Meanwhile, the media had a field day as the news broke in the morning that the Elegant Bank had been hacked to the tune of 4.5 billion $. Funds transferred to the offshore accounts were untraceable and recovering the money was next to impossible. But what led to this attack? Who could have cracked the high-level security deployed by the bank? The bank’s cyber security team was carrying out its own internal investigation too.

George was feeling miserable. He felt as if he had been torn apart. He took his mobile phone and logged on to the app “SwipeIt”. The user “FlowerAngel” was not accessible. That was strange for George. He checked again, but the app said that the profile was no longer accessible. George was focused on understanding the problem when the desk phone rang.

The law enforcement agencies had come to meet George. They asked George to hand over his phone and showed him the search warrant for his office and his home. The next day, a story was published in the national daily that shocked quite a few people.

The Night Before

The law enforcement agencies were quick to join the dots from the logs, and George’s confession was the final confirmation. George had a terrible habit of meeting strangers through the SwipeIt app and spending the night with them. You could find people nearby who wanted to enjoy themselves, and a person just had to swipe in to confirm that.

The night before, George met “FlowerAngel”, a young 19-year-old girl. They instantly hit it off and ended up in a hotel nearby. While George was completely drunk, the girl just had to plug a flash drive into his laptop. The Trojan installed itself on the laptop, and the next day, when George logged on to the bank’s server, the Trojan replicated his exact moves and gave complete control to the hacker. While the bank had deployed other security controls to mitigate such threats, technology alone cannot solve the problem when the password is known and complete admin privileges rest with a person of such high stature.

This is an example of a whaling attack. Top people are always on the radar of those with malicious intent, and they need to be careful. As cybersecurity professionals, we also need to keep such cases in mind when developing cybersecurity protection mechanisms for top management personnel.

What are your thoughts on this?
