
Security BUZZ - Wire Fraud at Glance Part 2 of 3


    Posted 04-21-2023 09:19

    In part one, we covered the basics of wire fraud, which starts with social engineering, a compelling phishing email, and credential harvesting through a website fabricated and controlled by the hacker. If successful, the attacker has the victim's email credentials. The actor then quietly observes the victim's email and learns what is going on. Depending on the victim, the attacker may gain access to a trove of information and multiple real estate transactions. During this time, he identifies all parties to the targeted transaction and builds the runbook for his execution.

    Part of that exercise could be registering a look-alike domain to which he later diverts an unsuspecting victim who does not pay attention to details. In this step, hackers check registrars for an available domain that looks similar to the target by dropping, adding, or substituting a single letter - for example, xyzconpany.com. If he can't find a suitable match, he will likely go for a comparable domain. For instance, if xyzcompany.com is the target, he may look for xyzcompanyinc.com or xyzcompanyllc.com. Any of these steps will allow him to create an email address he controls that looks close to the original email address he needs to replicate. If that is not an option, he will go for plan B and register an email address with an open platform (e.g., Gmail, Outlook, Yahoo, etc.), creating a random email address under the target's display name. For example, Judy Realtor <[email protected]>, where Judy Realtor is the name of a genuine realtor, loan officer, or escrow officer. The attacker will later use the fabricated email address to send "updated" wiring instructions.

    One of the possible next steps is email manipulation. The attacker can actively be in the victim's mailbox or abuse mail rules. For example, during the course of the transaction, emails are sent to a group of participants for various actions or informational purposes. If an attacker wants to inject himself into the string, he may create mail rules. For example, suppose the attacker wants to send new (fraudulent) wiring instructions to a seller from the email account he controls, purporting to be from an escrow officer. In that case, he needs to ensure that the correspondence does not go to the "real" escrow officer. So he may set up a mail rule to manipulate recipients' addresses or to intercept and delete an email that the actual recipient should never see.

    Remember, at this point, the attacker potentially reads every email in the victim's mailbox. So he knows who each party is and their role in the transaction. He also can copy everyone's signature block so that when he is ready to send an email from the "fake" account, he inserts the authentic signature of the person he is trying to impersonate. Pay attention to the details in the signature. Sometimes, the criminal will replace a phone number in the genuine signature with one he controls in case the victim calls for confirmation.

    Remember, if a hacker penetrates a party that works on multiple transactions, he has access to different sets of buyers, sellers, brokers, attorneys, lenders, and closing and escrow companies. Now he can skip the social engineering step and go directly to phishing the credentials of new potential victims. I call it a vicious circle, where potential fraud is not limited to a single transaction.

    From here, everything is staged and ready for the last-minute wiring instructions change. Modern attackers are versed in the real estate transaction process. They learn all the steps in our cycle and make their emails very convincing, especially for unsuspecting buyers or sellers not versed in the wire fraud attacks our industry faces daily.

    In part three, we will talk about the basic steps each participant should take to protect the integrity of the transaction.



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
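
A defender-side check for the two sender tricks described in the post (a look-alike domain, and a freemail address under a real display name), as an added example that is not part of the original post. The protected domain, staff name, freemail list and any sample addresses are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed placeholders for this example, not values from a real system.
PROTECTED_DOMAIN = "xyzcompany.com"
KNOWN_STAFF = {"judy realtor"}            # display names worth protecting
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
SUFFIXES = ("inc", "llc")                 # the "comparable domain" variants


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one dropped, added or substituted character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                       # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                            # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]     # one substituted character
    return a[i:] == b[i + 1:]             # one extra character in b


def classify_sender(from_header: str) -> str:
    """Return 'exact-domain', 'lookalike-domain', 'display-name-spoof' or 'unknown'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == PROTECTED_DOMAIN:
        # Exact match only; it says nothing about whether that mailbox is compromised.
        return "exact-domain"
    label, _, tld = domain.partition(".")
    good_label, _, good_tld = PROTECTED_DOMAIN.partition(".")
    if tld == good_tld:
        if within_one_edit(label, good_label):
            return "lookalike-domain"
        if any(label == good_label + s for s in SUFFIXES):
            return "lookalike-domain"
    # Real person's display name paired with an address on an open platform.
    if domain in FREEMAIL and " ".join(name.lower().split()) in KNOWN_STAFF:
        return "display-name-spoof"
    return "unknown"
```

A mail gateway or a reviewer script could run `classify_sender` on the From header of any message that mentions wiring instructions and hold anything that is not `exact-domain` for phone verification.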