During last year’s presidential election, the group responsible for phishing the Hillary Clinton campaign made a crucial error. According to the Associated Press, the hackers screwed up a setting in the Bitly link-shortening service. 

That gaffe helped an Atlanta cybersecurity firm, SecureWorks, amass a database of thousands of malicious links. Eventually, a team of security researchers was able to trace the scheme back to Iron Twilight (dually-dubbed Fancy Bear). An outfit “highly likely” to be sponsored by the Russian government, known to target journalists, militaries, and politicians.

While the breadth and depth of these individual crimes and the resulting investigation are staggering, what this anecdote shares with others is just as stunning. The same marketing tools that help banks track down potential customers through email campaigns also allowed Russian-backed crooks to steal John Podesta's emails.

Between October 2013 and December 2016, business email compromise – which targets executives in the same way Iron Twilight did DNC officials – cost firms more than $5.3 billion, according to an FBI alert

To be clear, link-shortening services have long obscured malicious links for phishing campaigns. The tools aid those messages in bypassing SPAM filters. Other free tools have equally helped criminals perform reconnaissance. That’s the homework that comes before criminal clamps down on, say, an executive email address. 

At a recent meet-up of penetration testers in Oakland, Calif., two presenters, who previously worked on Salesforce’s Red Team, called out a few marketing services that can be used subversively:
  • LinkedIn allows crooks to identify bank employees. 
  • Namechk.com allows phishers to find unregistered usernames and domains that closely resemble those people’s names so they can impersonate them. 
  • Hunter.Io provides both emails and hints on the format of corporate addresses. 

Sometimes, to avoid tripping reputation filters, attackers will take over vulnerable academic websites or blogs. The outcome often looks like .edu domains (think, websites) hawking Cialis. Those overtaken URLs, however, can also harbor viruses or other malicious content. 

The Takeaway: Since the information hackers are utilizing, and marketing services are profiting from, is public there isn’t much network defenders inside banks can do to disrupt them.  Knowing that, financial services provider – like they always have – should be aware of the trend, and take appropriate defensive measures. For instance, banks can block shortened links inside emails. Some financial institutions might even choose to white-label employee emails all together – not allowing some business email inboxes to receive messages from outside a pre-approved list of people. 

There are of course other solutions, such as the open-standard DMARC (Domain Message Authentication Reporting and Conformance), which allows email senders and receivers to identify one another better. And, vendors that identify and block malicious links proactively. 

It all boils down to this: your employees, not your systems, are your biggest weakness. 


About Sean Sposito

Sean Sposito is an analyst in the fraud & security practice at Javelin Strategy & Research. His primary focus is the intersection of retail banking and information security. The topics he’s keenly interested in are vulnerability disclosure, cybersecurity insurance, threat intelligence, and the overall challenges facing security executives inside financial institutions. 

Before joining Javelin, Sean worked as a reporter at the San Francisco Chronicle, the Atlanta Journal-Constitution, and American Banker, among others. As a content strategist at the Christian Science Monitor, he counseled security vendors, PR agencies, and in-house communications executives on storytelling techniques and media engagement. 

He has moderated panels at the Visa Security Summit, the ATM Debit & Prepaid Forum, the Emerging and Mobile Payments Card Forum, the Mobile Banking and Commerce Summit, and the Mobile Payment Conference, among others. He holds a bachelor’s degree from the University of Missouri’s School of Journalism. 

Stay in Touch!