The DoD was tricked into paying $23.5 million to a phishing actor.
Tricked the Department of Defense?
Even the most elaborate social engineering schemes can be broken down into simply understood parts. Most social engineering is the act of pretending to be someone else, whether that means pretending to be an individual or impersonating a company.
Let’s revisit social engineering in general. Social engineering is the act of impersonating someone or something else to gain access to sensitive information, restricted areas of a company (like private rooms or online document storage), or to steal money and other valuable items.
How did a phishing actor trick the Department of Defense?
In this case, the Department of Defense was tricked into paying an enormous sum of money to the wrong bank account because a malicious actor was able to gain access to restricted accounts and divert large payments to a bank account he controlled.
The first question we should ask is “how did this happen?” Let’s walk through it step by step. First, the criminals registered a suspicious domain, “dia-mil.com”. They purchased this domain because they were attempting to impersonate the official military website of the Defense Logistics Agency, “dla.mil”.
Buying a similar domain name and using it to impersonate an actual company is called “Root Domain Impersonation”, and it is a common method criminals use to socially engineer people into giving up information or to steal their credentials. In this case, the criminals purchased a domain that had an “i” instead of an “l”. The two letters look extremely similar, and the difference is hard to spot unless you are already looking for it.
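The “i” for “l” swap described above is exactly the kind of substitution a lookalike-domain check can catch before a user ever sees the email. The following is an added example, not code from the original article or from any of the organisations it mentions. It folds visually similar characters into one canonical form, drops the dots and hyphens that separate “dla.mil” from “dia-mil”, and compares the result against a short list of trusted domains; the homoglyph table and the trusted-domain list are assumptions chosen for illustration, and the test values are constructed.

```python
import re
from urllib.parse import urlsplit

# Trusted domains an organisation expects to see (the two named on the page).
TRUSTED_DOMAINS = ["dla.mil", "login.gov"]

# Characters that look alike in common fonts, mapped to one canonical form.
# Assumption: a small illustrative subset, not a full Unicode confusables table.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",            # two-character sequences first
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o", "5": "s",
}


def host_of(target: str) -> str:
    """Accept a bare host or a full URL and return the lower-cased host part."""
    if "://" not in target:
        target = "http://" + target
    return (urlsplit(target).hostname or "").lower()


def registrable_part(host: str) -> str:
    """Drop the final label, e.g. 'dia-mil.com' -> 'dia-mil'.
    Assumption: single-label TLDs; public-suffix handling is out of scope."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else host


def skeleton(name: str) -> str:
    """Collapse a name to a visual skeleton: remove dots and hyphens (so
    'dla.mil' and 'dla-mil' compare equal) and fold look-alike characters."""
    s = re.sub(r"[.\-]", "", name.lower())
    for seq, canon in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, canon)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(target: str):
    """Return the trusted domain that `target` visually imitates, or None when
    the target is genuinely one of the trusted domains (or a subdomain of one)
    or is not close to any of them."""
    host = host_of(target)
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None  # the real thing, not an impersonation
    candidates = {skeleton(host), skeleton(registrable_part(host))}
    for trusted in TRUSTED_DOMAINS:
        full = skeleton(trusted)
        refs = {full, skeleton(registrable_part(trusted))}
        for cand in candidates:
            # Trusted name used as a leading subdomain, e.g. login.gov.example.com
            if len(full) >= 6 and cand.startswith(full):
                return trusted
            for ref in refs:
                if len(ref) >= 5 and (cand == ref or levenshtein(cand, ref) <= 1):
                    return trusted
    return None


if __name__ == "__main__":
    for sample in ["dia-mil.com", "http://login-gov.com/account", "https://login.gov/sign-in", "example.com"]:
        print(f"{sample:35} -> {lookalike_of(sample)}")
```

The check is deliberately loose: a skeleton collision or a single edit away from a trusted name is enough to flag a domain for a human to look at, which is the right trade-off for an email gateway or a newly-registered-domain feed, where a false positive costs a glance and a false negative costs a credential.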
Second, the criminals started sending phishing emails to users of this website. This is a perfect example of business email compromise: the criminals purchased fake domains and posed as official military personnel to steal information and access from unsuspecting employees.
Once the criminals had their tactics set up (domain impersonation and phishing), all they needed to complete the social engineering attack was a directed action: something they could tell the user to do that would eventually lead to the exfiltration of sensitive data or actual money. In this case, the criminals included links to a phishing website they had put up that was a copy of an actual military website, “login.gov”. Once users landed on the fake website, they would enter their credentials and unknowingly hand them over to the criminals.
One of the users that did not recognize the scam until it was too late was a corporation that had fuel contracts with the United States Military. This user’s credentials were eventually abused to redirect a $23.5 million payment from the United States Military directly into the criminals’ bank account. However, this story has somewhat of a happy ending: the criminals were tracked down, arrested, and convicted of bank fraud, money laundering, and several other crimes.
What exactly did the phishing actors do to trick the Department of Defense?
Let’s break down how these phishing actors created and executed their plans. Understanding how the methods of social engineering all fit together is how we can train ourselves and others to recognize potential threats more easily before they become a problem.
Step 1: The criminals purchased a domain name similar to that of an organization they wanted to impersonate. (Domain impersonation)
How to recognize: Always take a quick glance at the address of the website you are browsing before entering any information. Make sure there is a lock in the address bar, but remember that the lock only confirms an encrypted connection, not that the site is genuine, so be very careful of similar-looking web addresses.
Step 2: After purchasing this similar domain and impersonating a few members of that organization, the criminals sent targeted phishing emails to people they already knew were interacting with the legitimate website. (Business email compromise and spearphishing)
How to recognize: Before clicking on a link, hover over it to see where it actually goes. Any link that has been shortened, or that points to an odd-looking web address, should be treated with extreme caution. Also, be sure to verify the person or company that is sending you emails and phone calls: open the sender details, or look on the company’s website, to validate the phone number and email domain.
Step 3: These phishing emails directed individuals to a fake website that was a carbon copy of “login.gov”, tricking people into giving up their account credentials. (Credential theft)
How to recognize: Be careful where you click, and always check the address bar of the website you are browsing.
Step 4: Once the criminals had access to the accounts, they redirected a $23.5 million payment directly into their own accounts. (Credential abuse)
How to recognize: Unauthorized access is not always easy to detect. Having multifactor authentication enabled, and systems in place to detect unusual login behavior, is a great start to preventing credential abuse.
Step 5: The criminals were caught and convicted for their crimes. (Reality sets in)
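Step 4 is where the money moves, so it is the step a defender most wants telemetry on. What follows is an added example, not code from the article or from any system it describes: a small detector that streams through account events, remembers each user’s previously seen networks, marks a login as risky when it arrives from a new address or without MFA, and raises a high-severity alert when a payment-destination change is made from such a session. The event records, their field names, and the IP addresses are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed sample events (not real logs): a vendor account logs in routinely,
# then a login from a never-seen network without MFA changes the payment account.
SAMPLE_EVENTS = [
    {"ts": "2024-01-02T09:00:00Z", "user": "vendor-ops", "event": "login",
     "ip": "198.51.100.10", "ua": "Firefox/120", "mfa": True},
    {"ts": "2024-01-03T09:05:00Z", "user": "vendor-ops", "event": "login",
     "ip": "198.51.100.10", "ua": "Firefox/120", "mfa": True},
    {"ts": "2024-01-09T02:14:00Z", "user": "vendor-ops", "event": "login",
     "ip": "203.0.113.77", "ua": "Chrome/119", "mfa": False},
    {"ts": "2024-01-09T02:20:00Z", "user": "vendor-ops", "event": "update_payment_account",
     "ip": "203.0.113.77", "account_last4": "4411"},
    {"ts": "2024-01-10T10:00:00Z", "user": "vendor-ops", "event": "login",
     "ip": "198.51.100.10", "ua": "Firefox/120", "mfa": True},
]


def analyze(events):
    """Walk events in time order and return a list of alert dicts.

    Assumption: the first login seen for a user establishes the baseline, so a
    real deployment would pre-seed `known_ips` from history before streaming."""
    known_ips = defaultdict(set)          # user -> IPs seen on successful logins
    risky_session = {}                    # user -> IP of the most recent risky login
    alerts = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, ip = ev["user"], ev["event"], ev["ip"]

        if kind == "login":
            reasons = []
            if known_ips[user] and ip not in known_ips[user]:
                reasons.append(f"first login from {ip}")
            if not ev.get("mfa", False):
                reasons.append("login without MFA")
            known_ips[user].add(ip)
            if reasons:
                risky_session[user] = ip
                alerts.append({"ts": ev["ts"], "user": user, "event": kind,
                               "severity": "medium", "reason": "; ".join(reasons)})
            else:
                risky_session.pop(user, None)   # a clean login ends the risky session

        elif kind == "update_payment_account":
            # Any change to where money goes deserves out-of-band verification;
            # one made from a risky session is the pattern the page describes.
            last4 = ev.get("account_last4", "????")
            if risky_session.get(user) == ip:
                alerts.append({"ts": ev["ts"], "user": user, "event": kind,
                               "severity": "high",
                               "reason": f"payment account changed to ...{last4} from risky session at {ip}"})
            else:
                alerts.append({"ts": ev["ts"], "user": user, "event": kind,
                               "severity": "medium",
                               "reason": f"payment account changed to ...{last4}; verify out of band"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["ts"], a["user"], a["severity"].upper(), a["reason"])
```

The rule that matters most is the last branch: a payment-detail change is never silent, and one that follows a risky login becomes a hold-and-verify event rather than a line in a report. Pairing that with enforced MFA on the login itself removes the cheapest version of this attack entirely.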
Grab a drink and celebrate: the good team won this one.