Wire fraud has dominated the real estate and financial services space for over a decade, and it has increased substantially in the last five years. It threatens our industry with reputational risk and inflicts losses on consumers and businesses. This is the first of a three-part series explaining the fundamental pillars of these attacks and guiding individuals and companies to protect themselves.
You may ask, "Why is it so prevalent in real estate transactions?" While there are arguably more sophisticated attack methods with a potentially higher reward (e.g., ransomware), wire fraud can net hackers thousands, if not millions, of dollars with minimal effort. I will also explain in this series why a hunt for a single fish often keeps the hacker's food supply going for a long time.
While there are several ways to get started, most attacks begin with reconnaissance and phishing for a person's email credentials. One of many starting points can be an MLS listing (e.g., on Zillow, Realtor, or Redfin). These and many other records about properties and ownership are publicly available, and so are the listing agent's or agency's phone number and email address. The next step is a phishing email purporting to be something that would resonate with the realtor; it may or may not be transaction related. The adversary's aim is to lure the victim into entering their email credentials on a fake website staged by the attacker to mimic a login portal the victim will recognize.
Sometimes, an adversary can start with a target's personal email and pivot to the business account. The most common phishing attack on personal credentials is through OpenID. You have most likely seen it before: OpenID allows a person to use an existing account to sign into multiple websites without creating a new password. The most commonly used OpenID providers are social networks (e.g., Facebook, Instagram, LinkedIn) and email platforms (e.g., Google, Microsoft, and Yahoo). OpenID is lucrative to the hacker because the bait can be anything: any website the hacker has staged and controls. As long as users are accustomed to using OpenID for their logins, they won't think twice about typing their credentials into a fabricated landing page the attacker controls.
Once a hacker steals a victim's email credentials, they log in to the user's email system. Whether or not you realize it, most email platforms are accessible from the internet via a browser. If the user does not have two-factor authentication protecting their email account, the hacker becomes them and starts monitoring all email flow. The adversary's first course of action is frequently to establish a backchannel in case the user detects suspicious activity and changes the email password. He will do it through mail rule manipulation. For example, the hacker will configure a rule that sends a copy of every incoming and outgoing email to an address he controls. We will talk more about mail rule manipulation in part two.
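Rules of the kind described above can be caught by periodically auditing mailbox rule exports. The following is an added example, not code from the article or from any mail platform: it flags backchannel-style rules in a constructed, simplified export, and the field names, the `ORG_DOMAIN` value and the sample rules are all assumptions.

```python
"""Flag mailbox rules that look like an attacker's backchannel (added example).

The rule records use a hypothetical, simplified schema; map your platform's
real rule export onto these fields before running it on live data.
"""
from typing import Dict, List

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed sample: four rules as an admin might export them for one mailbox.
SAMPLE_RULES: List[Dict] = [
    {"name": "Newsletters", "forward_to": [], "delete": False,
     "move_to": "Newsletters", "conditions": {"from_contains": "news@"}},
    {"name": ".", "forward_to": ["drop.box.1234@mail-example.test"],
     "delete": True, "move_to": None, "conditions": {}},
    {"name": "Wire", "forward_to": [], "delete": False,
     "move_to": "RSS Feeds", "conditions": {"subject_contains": "wire"}},
    {"name": "Backup", "forward_to": ["me@example.com"], "delete": False,
     "move_to": None, "conditions": {}},
]

# Folders users rarely open; attackers park intercepted mail there.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
FINANCIAL_TERMS = ("wire", "closing", "escrow", "invoice", "payment")

def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def suspicious_rules(rules: List[Dict]) -> List[Dict]:
    """Return one finding per rule that matches a backchannel pattern."""
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule.get("forward_to", []) if _is_external(a)]
        if external:
            reasons.append(f"forwards to external address {external}")
        if rule.get("delete") and rule.get("conditions") == {}:
            reasons.append("deletes every message (hides attacker activity)")
        if (rule.get("move_to") or "").lower() in HIDDEN_FOLDERS:
            reasons.append(f"moves mail to rarely-read folder '{rule['move_to']}'")
        subj = rule.get("conditions", {}).get("subject_contains", "").lower()
        if any(t in subj for t in FINANCIAL_TERMS):
            reasons.append(f"keys on financial keyword '{subj}'")
        if not rule["name"].strip(" ."):
            reasons.append("rule name is blank or a single punctuation mark")
        if reasons:
            findings.append({"rule": rule["name"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RULES):
        print(f["rule"], "->", "; ".join(f["reasons"]))
```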
Another common way to get in is to find weaknesses in the victim's computer, operating system, browser, or auxiliary tools and install malware. The two most common types of malware are the keylogger and the remote access trojan. The keylogger collects any keystrokes the user types on their keyboard, including URLs, usernames, and passwords, and sends them to the attacker. A remote access trojan establishes a secure tunnel between the hacker and the victim's computer, allowing the adversary to monitor and control the target's machine.
At this point, the groundwork is done; patient zero has been identified and secured. The adversary is actively monitoring the email stream.
------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------