Threat Spotlight: Spear Phishing for Mortgages — Hooking a Big
August 1, 2017
Buying a house is one of the most important purchases people ever make, and often one they've been saving toward for years before finally placing their signature on the closing documents. When you think about the amount of time and effort it takes to find the perfect house, get an offer accepted, and ultimately make it through the signing process, the deep breath at the end is truly refreshing. But what if that breath got delayed, or worse, never came because a cybercriminal interfered with the process and had the loan payment wired to them instead of the seller? This nightmare scenario can have substantial financial consequences for the homebuyer. They could end up losing the house, a whole lot of money, personal information, and much more.
Sadly, this is a real scenario, and as spear phishing attacks continue to increase, people, businesses, and brands should be on high alert. In this month's Threat Spotlight, we take a look at a recent attack attempt that was made at the eleventh hour of a mortgage deal in an effort to trick a home buyer into wiring a large payment into the wrong hands.
Spear Phishing for Mortgages: the attacker attempts to interfere with a mortgage closure and would have run off with a large sum of money if it weren't for an alert user.
*Some sensitive information has been changed in the details below to protect the privacy of the people involved in this attack.
All seemed to be going according to plan. The homebuyers had just a few last-minute tasks to complete, and they'd have the keys to their new home. Among the remaining tasks, the time had come for the buyers to wire funds to close escrow. However, on the day that the buyers were set to wire funds, they received an email from their mortgage company stating that they had switched banks, and to follow the updated wiring instructions in the email attachment.
Fortunately, in this instance the message raised a red flag, and the client immediately called his mortgage agent to investigate before proceeding. Aside from the curious message itself, when the client took a closer look at the actual sender's email address, the domain didn't match the one listed in the real mortgage agent's email signature. The attackers spoofed the domain to appear like it was an actual message from the client's mortgage agent. An easy way to tell if the domains match is to hover your cursor over the sender's address; a window will appear that identifies the actual address.
In addition to the spoofed domain, the attacker included an attachment and asked the client to follow the instructions inside to make the wire transfer. If the request itself isn't odd enough, there's always a risk involved in opening an attachment. Even though the attacker is clearly trying to convince the homebuyer to wire money, an attachment like this could also carry malicious content such as ransomware or other types of malware. When in doubt, don't open attachments.
In this attempted scam, the homebuyer did everything right to avoid a cyber catastrophe. He was alert enough to question the initial request, then identified the spoofed domain, and immediately called his mortgage agent to confirm that the message was, in fact, a scam. What he found even more alarming was the reaction that he received from the mortgage company. They mentioned that it's a widespread problem, but they didn't seem interested in looking into the issue any further.
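The checks the homebuyer made by eye can also be automated. The following is an added example, not part of the original article or of any Barracuda product: it flags a From domain that differs from the trusted one (classifying near matches as lookalikes, which goes slightly beyond the text), payment-change wording, and attachments. The domain example-mortgage.test, the term list and the sample message are constructed assumptions.

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the domain the buyer already trusts, e.g. from the agent's signature.
TRUSTED_DOMAIN = "example-mortgage.test"  # placeholder, not from the incident
PAYMENT_TERMS = ("wire", "wiring instructions", "switched banks", "new account")

def sender_domain(header_value):
    """Domain of the real address in a From header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def review_message(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    domain = sender_domain(msg["From"])
    if domain != trusted_domain:
        # A near match suggests a deliberately chosen lookalike domain.
        ratio = SequenceMatcher(None, domain, trusted_domain).ratio()
        findings.append("from-domain-mismatch:" + ("lookalike" if ratio >= 0.8 else "unrelated"))
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    text = f"{msg['Subject'] or ''} {body_text}".lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment-change-language")
    if next(msg.iter_attachments(), None) is not None:
        findings.append("has-attachment")
    return findings

def build_sample(from_header):
    """Constructed test message modelled on the email described above."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "buyer@example.test"
    m["Subject"] = "Updated wiring instructions"
    m.set_content("We switched banks. Please follow the attached instructions.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="instructions.pdf")
    return m.as_string()

if __name__ == "__main__":
    for sender in ("Mortgage Agent <agent@example-mortgage.test>",
                   "Mortgage Agent <agent@examp1e-mortgage.test>"):
        print(sender, "->", review_message(build_sample(sender)))
```

A message from the trusted domain still reports the payment-change wording and the attachment, which is the cue to confirm by phone as the homebuyer did.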
In this incident, the target did not fall for the hook. However, there have been several news reports of other similar incidents, where unfortunately the victims were not as lucky.
To recap, the techniques used in this attack were:
Although the example above was ultimately sniffed out by the instincts of a savvy home buyer, there are some approaches, along with simply being aware of such frauds, that users can take to avoid these types of scams. Training is obviously a big one, because if users are more aware of what to look out for in potential attacks, they'll be much less likely to fall victim or even engage in any type of questionable communication with criminals. Taking a proactive approach, not only with user training but also by addressing any threat vectors with the proper IT security technologies, can significantly lower the risk of an attack. One of the reasons spear phishing continues to be so successful for criminals is that traditional email security gateways often fail to detect these highly personalized social engineering attacks. Along with user training, Barracuda recommends an approach with multiple layers of security to stay safe from spear phishing. This could include:
Lastly, if you're curious whether your company has been the victim of a spear phishing attack, try our Barracuda Email Threat Scanner. It's a free tool that scans your Office 365 account for advanced persistent threats and phishing risks.