Phishing in the dark: how cyber intel can prevent fraud

By James Parry, Technical Manager, Auriga

When asked why he robbed banks, serial bank robber Willie Sutton is reported to have said “because that’s where the money is.” The same motivation is driving online fraud and saw UK businesses lose £1 billion last year. According to a report from Action Fraud and Get Safe Online released in June, cybercrime is up 22 percent for the year ending March 2016.

Fraud can take many forms, from internal fraud carried out by employees to external fraud carried out by organised criminal gangs. Like many other forms of attack, fraud is constantly evolving and adapting to exploit new avenues. Large-scale phishing campaigns, for instance, have morphed into more targeted campaigns, firstly as spear phishing and more recently as whaling fraud, where the attackers go after the big catches such as the CFO or CEO.

Another interesting development has seen a subversion of the ‘Accounts Payable’ fraud. Rather than sending a bogus invoice, the criminals now simply change the payment mandate. Recurring payments for goods or services are then channelled direct into the criminal’s bank account. The same report cited above found mandate fraud had increased 66 percent over the course of the last financial year.

Typically these frauds are preceded by a cyber attack, be it phishing or social engineering. Information is obtained and used to hone the fraud and give the fraudsters credence. For instance, Snapchat disclosed that its payroll department was tricked into sharing employee data by scamware purporting to come from the CEO. So what should companies do to prevent such cleverly engineered fraud?

To date the emphasis has been on identifying, isolating and reporting incoming emails or scams. Perhaps the company has even looked at automating this with an anti-phishing or fraud detection solution which aims to look for anomalies such as discrepancies between the sender and the email address or suspicious domains. But this brings the fight to the shore. It’s not proactive enough.

It is possible to look for earlier indicators and to use an adaptive technology to match the evolution of these attacks. Going out into the deep waters of the dark web may sound intimidating but it’s where you’ll get the earliest indications of a crafted attack. Indeed, the deep web is so active in this respect that some have even labelled it as ‘Fraud-as-a-Service’ with its own business model and cryptocurrencies.

Spear phishing campaigns are usually sector specific and take careful planning. There will usually be some indicators, from chat on underground forums, to the buying and selling of malware, to tentative exploratory attacks, that give some indication of an evolving attack.

By listening in to this chatter with a self-learning Security Operations Center (SOC), the business can anticipate and prepare for such phishing campaigns. Moreover, it’s also possible to look for evidence of prior attacks on the business or staff through analysis of stolen records that are ‘for sale’ on the dark web.

Over time, the SOC uses key indicators to recognise particular patterns and it’s this machine learning aspect that sees the SOC service come into its own. Essentially, the SOC arms the business with the foreknowledge to stall or counter an attack by using additional parameters, such as socio-economic or legislative changes, to predict an elevated risk and forecast potential outcomes.

Ultimately, of course, phishing preys upon the user, the idea being that the fraudster can persuade the user to do something they would not usually do. And for that reason, there is no substitute for internal protection methods such as anti-spam, anti-virus, enforced access privileges, and multi-factor authentication. But defence is best when applied in depth and that means extending out our security to effectively access and interpret all of the information at our disposal. In this respect, the SOC makes a very effective trawler, able to plumb the depths and sift through the small fry to catch the phishers at source.


Auriga Consulting Ltd is a centre of excellence in Cyber Security and Monitoring Services, with a renowned track record of succeeding where others have failed. Offering its clients a cyber protection journey from design through to continuous monitoring, Auriga’s Consultants and Analysts have tailored solutions no matter the size of your organisation.