ONGC 197 CR. FRAUD: HACKER USING APT FOR CYBERHEIST
International trade is facing an unprecedented threat of fraud from organized crime, in particular from intelligent, well-informed groups of hackers, and the recent fraud against ONGC, involving a huge sum of Rs. 197 Cr., is one such crime. Such scams, earlier known as the Man-in-the-Email scam and now termed Business E-mail Compromise (BEC), use a sophisticated modus operandi and target businesses that work with foreign suppliers and regularly make wire transfer payments. Cyber crime has become lucrative, offering high returns at low risk, and the hackers have become correspondingly focused and motivated. They do not rush to launch an attack: they act slowly and steadily, penetrate the network aggressively with a variety of attack methods, and then clandestinely hide their presence while building a well-developed, multi-level foothold in the environment. This is the behaviour of an Advanced Persistent Threat (APT). The "advanced" aspect of the term refers to the expansive knowledge, capabilities and skill base of the attacker; the "persistent" component refers to the fact that the attacker waits for the most beneficial moment and attack vector so that its activities go unnoticed.
New research into a notorious Eastern European organized cybercrime gang, accused of stealing more than $100 million from banks and businesses worldwide, provides an unprecedented behind-the-scenes look at an exclusive "business club" that dabbled in cyber espionage and worked closely with phantom Chinese firms on Russia's far eastern border.
Facts of the Case
The facts of the case, as reported in the media, indicate that the commercial transactions for the sale of naphtha between ONGC and Aramco, a Saudi Arabia based oil company, were exploited by the hackers to commit a cyberheist involving the largest sum misappropriated in this manner in India so far. ONGC agreed to deliver 36,000 tonnes of naphtha to Aramco for Rs. 100 Cr., and communication on behalf of ONGC was carried out from the email address 'email@example.com'. The company did not receive payment for the consignment on time; on enquiry, it received an email reply stating that the payment had been delayed due to a public holiday, and in the meantime it delivered a second consignment of naphtha, worth Rs. 97 Cr., to Aramco. Later, ONGC learned from Aramco that the money had been transferred to an account at Bangkok Bank Public Company Ltd. at the request of "ONGC", received from the email id firstname.lastname@example.org. The account to which the money was transferred does not belong to ONGC, nor had ONGC sent any such request.
These scams are now rampant in international trade and require the hackers to collect the details of the transactions between the entities. The hacker observes these transactions and waits for the most beneficial moment, so that its activities go unnoticed. These attacks are coordinated largely by human involvement; the virus/malware is used only to gain access to the sensitive information.
In the first phase, the hacker identifies the target entities and gains access to the commercial transactions that may become soft targets for a cyberheist; this is done through phishing. Through phishing the hackers identify the potential soft targets, and for this purpose they may use techniques such as spoofed emails, deceptive URLs, URL obfuscation, link manipulation, DNS-based attacks, malware-based attacks, and attacks on web applications such as content injection, SQL injection and cross-site scripting. The information obtained from the successfully compromised targets is analysed and the targets for the fraud are selected.
In the second phase, after identifying the target, the hackers collect complete information about the entities involved, their authentication details, their systems and the designated employees, since such crimes require up-to-date and continuous information on the transactions. For this purpose Remote Access Trojans (RATs) are used, which install themselves on the target computer in such a way that they become active every time the computer is started. Once a Trojan such as W32.Shadesrat, FAKEM, BlackShades, Back Orifice, NetBus, Bionet or SubSeven is installed on the target computer, the controlling computer is able to intercept information about the target, and through this covert channel the master computer can download files from and upload files to the target. These crimes are committed by highly intelligent and knowledgeable fraudsters who take over the communication between the parties and act as a Man-in-the-Middle. They monitor and analyse the identified targets and the protocol necessary to perform a wire transfer within the specific business environment.
In the third phase, the attackers execute the attack either by changing the bank details in the invoice being sent by the seller to the buyer, or by sending a separate mail requesting a change of the bank details to which the buyer should pay. At this stage sensitivity is high, and any suspicion on either side may foil the hacker's plan, so the hacker normally resorts to fake emails so that the seller does not come to know about the change of bank details; if the buyer raises any query about the change, the hacker answers that too, to satisfy the buyer of the genuineness of the bank details.
The forging or impersonation of identity in electronic mail is done by exploiting weaknesses in the SMTP protocol and its implementations. SMTP itself includes no sender authentication to verify that a message really comes from the address it claims; the countermeasures that exist (SPF, DKIM and DMARC) are add-ons that many receiving domains still do not enforce. Apart from this flaw of the protocol, open relays and open proxies are used by hackers to send fake mail. Further, there are websites that let anyone send mail with arbitrary headers anonymously, and the hackers deliver such mail through link manipulation or link obfuscation. Websites such as www.emkei.cz not only allow sending a fake email but also let the fraudster receive the reply, by setting a separate 'Reply-To' address: simply hitting the 'Reply' button sends the answer to the hacker rather than to the genuine email id, and this technique is used by the hacker to communicate with both parties as required to commit the fraud.
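As an added illustration (example code written for this page, not code from the original article or from any tool it names), the following Python script triages an inbound message's headers for exactly the tricks described above: a 'Reply-To' that silently diverts replies, a Return-Path that does not match the From domain, a sender domain that merely looks like a known counterparty's, and a message that asks for a change of bank details. Both sample messages are constructed, and the domains ongc-india.example, ongc-lndia.example and webmailer.example are hypothetical, not the addresses involved in the real case.

```python
"""Header triage for bank-detail spoofing (added example, not from the article).

Flags the signals a BEC fraudster relies on: a Reply-To that silently diverts
replies, a Return-Path that does not match From, a sender domain that only
resembles a known counterparty, and a request to change bank details.
All .example domains and both sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical counterparty domain the buyer has on file (assumption).
KNOWN_COUNTERPARTY_DOMAINS = {"ongc-india.example"}

# Phrases that mark a payment-redirection request; these must be verified out of band.
CHANGE_PHRASES = ("bank detail", "new account", "remit to", "beneficiary")

# Constructed spoof: From looks right, Reply-To swaps 'l' for 'i',
# Return-Path points at the web mailer actually used to send it.
SPOOFED_MAIL = """\
From: ONGC Accounts <accounts@ongc-india.example>
Reply-To: accounts@ongc-lndia.example
Return-Path: <bounce@webmailer.example>
To: payments@buyer.example
Subject: Updated bank details for invoice 4471

Further to our earlier mails, please remit to the new account below.
"""

# Constructed genuine message from the same counterparty, for comparison.
GENUINE_MAIL = """\
From: ONGC Accounts <accounts@ongc-india.example>
Return-Path: <accounts@ongc-india.example>
To: payments@buyer.example
Subject: Invoice 4471

Please find attached invoice 4471 for the first consignment.
"""


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    address = parseaddr(header_value)[1]
    return address.rpartition("@")[2].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: set, max_distance: int = 2):
    """Return the known domain this one imitates, or None if it is exact or unrelated."""
    if not domain or domain in known:
        return None
    for candidate in sorted(known):
        if levenshtein(domain, candidate) <= max_distance:
            return candidate
    return None


def triage(raw_message: str, known: set) -> list:
    """Return 'code: detail' findings for one message; an empty list means no indicator."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    return_dom = domain_of(msg.get("Return-Path", ""))
    findings = []
    # Reply-To abuse: hitting 'Reply' would answer reply_dom, not from_dom.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {reply_dom}, not {from_dom}")
    # Return-Path is set by the server that really sent the mail, not the claimed sender.
    if return_dom and return_dom != from_dom:
        findings.append(f"return-path-mismatch: bounces go to {return_dom}, not {from_dom}")
    # Typosquatted or homoglyph domain close to a counterparty we know.
    for dom in dict.fromkeys([from_dom, reply_dom]):  # de-duplicate, keep order
        target = lookalike_of(dom, known)
        if target:
            findings.append(f"lookalike-domain: {dom} resembles {target}")
    # Any change of payment instructions must be confirmed through another channel.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(phrase in text for phrase in CHANGE_PHRASES):
        findings.append("bank-change-request: verify through an out-of-band channel")
    return findings


if __name__ == "__main__":
    for label, mail in (("spoofed", SPOOFED_MAIL), ("genuine", GENUINE_MAIL)):
        print(label, triage(mail, KNOWN_COUNTERPARTY_DOMAINS) or ["no indicators"])
```

Run against the spoofed sample the script reports all four indicators; against the genuine sample it reports none. The header checks catch the web-mailer trick cheaply, but a sender who has actually compromised the counterparty's mailbox (the scenario in the ONGC case) will pass them, which is why the last finding, the request to change payment details, is the one that must always trigger out-of-band verification regardless of how clean the headers look.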
In the fourth phase, after receiving the money the attackers immediately transfer it to various other accounts across different jurisdictions, and may even convert it into virtual currencies, so that through successive layering it becomes practically impossible for the investigating agencies to trace the beneficiaries. The money is moved through the accounts of unwitting money mules, recruited through bogus work-at-home jobs; these persons also become victims of the scam, as they receive the fraudulent funds in their accounts and are then directed by the fraudsters to transfer them to other jurisdictions.
Complexity of Investigation
Can it be an insider job? Yes, but the probability is quite low; an insider's role would be limited to providing information about the transactions or about soft targets. However, it has also surfaced in some cases that the buyer companies themselves are involved in such scams. During the course of trading they make a small initial payment, then manipulate the transactions in the same manner as the hackers, inform the seller that they have paid into some other account at the seller's request, and create a dispute over non-payment, while the actual payment has gone to another account at the behest of the buyer itself. Such frauds were detected in various business deals between Chinese and Turkish companies. Such fraudulent malpractices are also used by terrorist organizations and the international mafia for money laundering and terrorist financing.
The offence is scattered across the international sphere: the fake email may have originated in one country, the target computer is in another, the funds may have been misappropriated in a third and subsequently transferred to yet others. As the crime crosses international boundaries, the complexity of the investigation rises exponentially and the chances of identifying the criminal, recovering the misappropriated money and prosecuting the offender fall. Further, the police may lack the skill to investigate these technical crimes, to identify the malware with which the system was infected, its source, and so on. The investigation of such cases requires the analysis of various interdependencies and of information that may have to be obtained from several countries. The absence of an international treaty to expedite and facilitate the investigation of such crimes and the extradition of offenders makes it difficult to bring a case to its logical conclusion. Further, the volatile nature of electronic evidence, differing legal systems and the lack of cooperation between countries ultimately reduce the probability of detection and prosecution almost to nil.
In a number of such cases Indian companies, small as well as big, have become victims and reported the crimes to the Economic Offences Wings of the Delhi and Mumbai Police, but the police have failed to solve any of these matters. Further, the use of encryption, and the carrying out of such APT attacks through secure tunnels, has reduced the probability of the police agencies collecting admissible evidence, so that even where the investigating agencies have some suspicion they are not in a position to catch and prosecute the cyber offenders.
Further, the investigating agencies need to look at such reports of fraud with suspicion, as the fraud may have been committed by one party to defraud the other, or by both parties in collusion for money laundering; they therefore need to verify the veracity of the underlying transactions themselves.
Legal Responsibilities of the Parties
ONGC may not have lost the funds, as widely reported in the media. It was upon the buyer to act with due diligence and care; it should not have made the payment, and ONGC has a good case for a claim against the buyer. However, various factors would determine the liabilities of the parties:-
- The hackers obtained sensitive information about the transactions, so establishing whether the buyer's or the seller's system was compromised would be key in determining the strength of each party's claim. Forensic analysis of the systems would help a party rule out the possibility that malware was installed on its own system, and make the other party liable for failing to exercise due diligence and thus for contributing to the fraud.
- The content of the fake email may also indicate the origin of the fraud and support an inference as to whose email account was compromised by the hacker. Such an inference can be drawn from the content because the fake email normally refers to the previous email communication in order to convince the recipient of its genuineness. So, if a party can prove that the opposite party's system or email account was compromised, that would have a bearing on the claim.
- In a number of such cases the accounts of both parties were compromised, and the hackers not only had complete dominion over the communication, email and systems but were also leading the conversation by manipulating the email ids of both sides. In such cases the determination of disputes arising from the transactions depends on how the parties present their case and prove their own due diligence and the other side's negligence, and so the role of the cyber expert is very important. The cyber expert can analyse or recreate the environment from the available communication, email headers and computer forensics, and present the case accordingly, which a party cannot do without such help.
- The terms and conditions of the agreement between the parties determine what counts as a violation of the communication and change control procedures, and much depends on whether there are clauses that address the threats emerging from such offences. In most agreements it was found that the parties, for lack of awareness, do not incorporate specific terms and conditions covering online communication or other threats to the information technology framework.
Protection from such Crimes
- All requests for changes to account details should be treated with suspicion and verified through an out-of-band channel (for example a telephone call to a number already on file, never to a number given in the request itself). Companies should have change control procedures built around separation of duties, dual control, etc., to avoid becoming victims of such scams.
- The contract should specify the bank details, the designated and alternative email ids and the change control procedure, and may require an officially signed notification through an out-of-band channel for any change of bank details.
- Email communication should be kept confidential; for this purpose PGP, together with link-to-link (transport) encryption, is a good choice. PGP is widely available (the OpenPGP standard has free implementations such as GnuPG), and its signatures also let the recipient verify that a message was really sent with the counterparty's key, which is the property that matters most against this fraud.
- Do not use the 'Reply' option or any HTML link within the email; always type the correct email address or pick it from the address book, to ensure that the message is addressed to the correct addressee.
- Review the address bar, and the sender's actual email address rather than only the display name, to check that the domain name is correct, and do not accept email in HTML format.
- Anti-malware systems may be installed on individual hosts, in the network, at the email and web gateways, and in Unified Threat Management devices. These solutions must be monitored to ensure that updates are received and active, and should be configured to scan new media and email attachments automatically.
- Internet-facing access should require at least two-factor authentication, and as far as possible the corporation should introduce security controls, mechanisms and safeguards providing availability, integrity and confidentiality protection for all critical assets.
- As these threats carry high stakes, companies should define a baseline giving a high level of protection to critical systems, and systems with an appropriate Common Criteria Evaluation Assurance Level (EAL) should be used for critical functions. A system rated EAL 6 has been evaluated far more rigorously (semi-formal design verification and testing, including covert channel analysis) than a system rated EAL 4, and so provides a higher level of assurance; note that the EAL measures the rigour of the evaluation, not the strength of the security functions, and that a certified product only retains its assurance in its evaluated configuration.
- Companies need to develop a sound information security architecture and build security controls by implementing ISO 27001, COBIT or NIST SP 800-53, depending on the threats and vulnerabilities to which the company may be exposed.
- The company should have an incident response team that can collect the relevant evidence and has the technical skills to support the investigating agencies in detecting the fraud and prosecuting the criminals.
Government or industry associations can create awareness of the need for companies to avoid becoming victims of such crimes, by educating the business community about these new crimes and by making the disclosure of such crimes mandatory, so that others do not fall victim.
Given the present scenario, in which cyber crimes are increasing exponentially and becoming ever more technical and more organized by intelligent criminals, companies cannot eliminate these threats, but they can protect themselves by introducing appropriate security mechanisms, security awareness and security training, and by preventing these threats from exploiting vulnerabilities in their environment. Cyber threats have acquired alarming proportions, particularly in India, due to the non-registration of cases, the lack of police skill to investigate and the absence of forensic capabilities in the law enforcement agencies. Cyber security is still being interpreted in terms of security software, forensic hardware/software, firewalls and the like, but the recent breaches at Sony, JP Morgan and Target have clearly established that such products alone play a very limited role in protecting the enterprise information security architecture. The need of the hour is a strong security structure for the enterprise information framework and a preventive model, supported by detective, recovery and corrective mechanisms, to strengthen the enterprise security infrastructure. Companies also need to include in their agreements clauses that cater to the risks emerging from cyber threats; since these threats change dynamically, this will require the involvement of information technology experts.
References
- Shon Harris, CISSP All-in-One Exam Guide, 6th Edition
- Inside the $100M 'Business Club' Crime Gang – http://krebsonsecurity.com/2015/08/inside-the-100m-business-club-crime-gang/
- Business E-mail Compromise (FBI IC3 alert) – https://www.ic3.gov/media/2015/150122.aspx
- Fraudulent bank details email scam in export-import deals – http://www.todayszaman.com/columnist/berk-cekti-r/fraudulent-bank-details-email-scam-in-export-import-deals_346238.html