Something I regularly get asked is, “How do enterprises use HYAS Insight to accelerate their investigations?” I spoke with a HYAS customer a few weeks ago to understand how they track and identify fraudsters. First West Credit Union is a financial institution in western Canada with $8.4B USD in assets and 1,400 employees. I had the pleasure of interviewing First West’s Manager of IT Security and Operations to understand his perspective and experience in leveraging HYAS Insight. What follows is an excerpt from a First West Credit Union case study that provides a few examples of how the institution undertook fraud investigations and responded to security incidents with help from HYAS.
Some fraud and cyber security incidents that HYAS has helped First West resolve include:
- APT-C: The team was able to locate an email address that was traced back to an individual in Central America and profile the threat actor. The adversary, internally dubbed APT Carlos, established domains for phishing attacks. The adversary typically took two weeks between registering the domains and employing them in an attack. This advance knowledge enabled First West to request the takedown of a domain for brand infringement before it was used in an attack, as well as to locate and block other domains registered by the same actor that were obviously nefarious. “If you have good intelligence and are able to quickly react, you can avoid significant financial damage. We had good intelligence with HYAS Insight and were able to react quickly to avoid a big fraud bill.”
- APT-P: Financial institutions face adversaries that can be well-funded and sophisticated in their tactics, techniques and procedures (TTPs). First West recently encountered a growing fraud bill for reasons that could not be determined. The team puzzled over this until one day they stumbled across a fake ad on Google Ads. The advertisement led to a compromised WordPress site that redirected to a phishing site mimicking the First West website. The adversaries had established their own hidden infrastructure impersonating First West and led consumers to it through “trustworthy” Google ads. The phishing site was not indexed by search engines, so it was difficult to locate. “The adversary was capturing credentials as users would click on what they thought was a legitimate ad that they could trust. They were paying for the ad clicks that led to their phishing site. HYAS allowed us to investigate the phishing domains using WHOIS information and other data to identify the infrastructure and quickly shut it down.”
The gang behind the fraud was dubbed “APT-P” because it probably originated in Eastern Europe. Investigating each of the fraud incidents yielded IP address information that proved to be particularly interesting. The data provided by HYAS geolocated the source addresses to what the First West team initially took to be an open WiFi network used by APT-P. After identifying a number of potential locations apparently used by the attacker, the team traced one fraud incident to an isolated, rural house and visited the homeowner to ask if anybody suspicious had been lurking nearby to use the WiFi. The network turned out to be locked, and the homeowner confirmed that the WiFi was closed and that they had seen no suspicious activity. After realizing that it was not open wireless, the team did some more digging and found that the adversaries were using insecure, inexpensive DVR surveillance camera systems exposed at those addresses as a pass-through for their attack traffic. The team was able to go to the corporate security team and block additional IPs that hosted the same DVR camera system. The team has subsequently identified fraud episodes that leveraged similar surveillance camera logins.
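Both investigations above come down to the same pivot: start from one confirmed phishing registration, find the other registrations that share its registrant e-mail or name servers, score each for how closely it imitates the brand, and use the registration date to decide which ones are still inside the actor's two-week gap between registering and using a domain. The following is an added example of that workflow; it is not HYAS or First West code, and the WHOIS records, brand token, similarity threshold and "as of" date are all constructed assumptions for illustration.

```python
"""Pivot from one confirmed phishing domain to related registrations.

Added example, not HYAS or First West code. The WHOIS records are constructed
sample data; the brand token, similarity threshold and lead-time window are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

BRAND = "firstwest"        # assumed brand token the lookalike check is scored against
MIN_SIMILARITY = 0.6       # assumed: label similarity at or above this counts as a lookalike
LEAD_TIME_DAYS = 14        # gap between registration and first use reported in the case study
AS_OF = date(2021, 3, 10)  # constructed "as of" date for ageing the registrations


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_email: str
    name_servers: tuple
    created: date


# Constructed WHOIS records standing in for a passive-WHOIS lookup; not real registrations.
RECORDS = [
    WhoisRecord("firstwest-login.example", "reg1@mail.example", ("ns1.dns.example",), date(2021, 3, 1)),
    WhoisRecord("firstvvest.example", "reg1@mail.example", ("ns1.dns.example",), date(2021, 3, 2)),
    WhoisRecord("secure-firstwest.example", "other@mail.example", ("ns1.dns.example",), date(2021, 3, 3)),
    WhoisRecord("gardening-tips.example", "reg1@mail.example", ("ns9.other.example",), date(2020, 1, 1)),
    WhoisRecord("unrelated-shop.example", "nobody@mail.example", ("ns5.random.example",), date(2019, 6, 6)),
]


def second_level_label(domain: str) -> str:
    """Registrable label without the TLD and without hyphens, lower-cased."""
    return domain.lower().rsplit(".", 1)[0].replace("-", "")


def brand_similarity(domain: str, brand: str = BRAND) -> float:
    """1.0 if the brand appears verbatim in the label, otherwise a fuzzy ratio in 0..1
    that still scores homoglyph-style swaps such as 'vv' for 'w' highly."""
    label = second_level_label(domain)
    if brand in label:
        return 1.0
    return SequenceMatcher(None, brand, label).ratio()


def pivot(seed_domain: str, records, as_of: date = AS_OF, min_similarity: float = MIN_SIMILARITY):
    """Return registrations linked to the seed by registrant e-mail or name server,
    each scored for brand similarity and aged relative to `as_of`."""
    seed = next(r for r in records if r.domain == seed_domain)
    related = {}
    for r in records:
        if r.domain == seed_domain:
            continue
        reasons = []
        if r.registrant_email == seed.registrant_email:
            reasons.append("same registrant email")
        if set(r.name_servers) & set(seed.name_servers):
            reasons.append("shared name server")
        if not reasons:
            continue
        score = brand_similarity(r.domain)
        age = (as_of - r.created).days
        related[r.domain] = {
            "reasons": reasons,
            "brand_similarity": round(score, 2),
            "lookalike": score >= min_similarity,
            "age_days": age,
            # Still inside the actor's lead time: probably registered but not yet used.
            "pre_attack_window": age < LEAD_TIME_DAYS,
        }
    return related


def takedown_candidates(seed_domain: str, records, as_of: date = AS_OF):
    """Lookalike domains tied to the seed, most brand-like first, then newest first."""
    related = pivot(seed_domain, records, as_of)
    cands = [d for d, info in related.items() if info["lookalike"]]
    return sorted(cands, key=lambda d: (-related[d]["brand_similarity"], related[d]["age_days"]))


if __name__ == "__main__":
    for domain, info in pivot("firstwest-login.example", RECORDS).items():
        print(domain, info)
    print("takedown order:", takedown_candidates("firstwest-login.example", RECORDS))
```

The e-mail pivot also surfaces `gardening-tips.example`, which shares the registrant but does not imitate the brand; it is kept in the pivot output as actor infrastructure worth watching but excluded from the brand-infringement takedown list, which is the distinction the APT-C case relied on. Registrant e-mail is often redacted in current WHOIS, so in practice the name-server and registration-date pivots carry more weight than they do in this sample.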
Digital Forensics and Incident Response
The First West Security Operations team also investigates and resolves potential compromise within the credit union infrastructure. One credit union employee responded to a phishing attack and gave up their credentials. The threat actor attempted to log in from overseas using the credentials, and the user approved the two-factor authentication request without much thought. This generated an alert in internal systems that locked the account. The Security Operations team investigated the incident, geolocated the adversary to Cyprus and ruled out a false positive. Commented Smith, “HYAS Insight’s precise geolocation enables us to distinguish between traveling employees and potential bad actors.”
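The alert described above is the classic impossible-travel rule: two logins for one user whose geolocations are farther apart than anyone could travel in the time between them, made more serious when the second login also carries an approved MFA prompt. The example below is an added illustration of that rule, not HYAS or First West code; the IP-to-location table, the login events and the 900 km/h plausibility threshold are constructed assumptions, and a real deployment would pull locations from a geolocation feed rather than a dictionary.

```python
"""Impossible-travel check over authentication events, as a first-pass triage rule.

Added example, not HYAS or First West code. The IP geolocation table and the
login events are constructed sample data; the speed threshold is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner cruising speed
EARTH_RADIUS_KM = 6371.0

# Constructed IP -> (lat, lon, country) lookup standing in for a geolocation feed.
GEO = {
    "203.0.113.10": (49.25, -123.12, "CA"),   # Vancouver-area egress
    "192.0.2.55":   (43.65, -79.38, "CA"),    # Toronto-area egress
    "198.51.100.7": (34.68, 33.04, "CY"),     # Cyprus
}


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    ts: datetime
    mfa_approved: bool


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon, ...) tuples in kilometres."""
    lat1, lon1 = radians(a[0]), radians(a[1])
    lat2, lon2 = radians(b[0]), radians(b[1])
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to move between the two login locations."""
    dist = haversine_km(GEO[prev.ip], GEO[cur.ip])
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def detect_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Compare each login with the same user's previous login; alert when the
    implied speed exceeds `max_kmh`. The alert records whether MFA was approved,
    since an approved prompt from the far location means the user let the actor in."""
    alerts = []
    last_seen = {}
    for e in sorted(events, key=lambda x: x.ts):
        prev = last_seen.get(e.user)
        if prev is not None:
            speed = implied_speed_kmh(prev, e)
            if speed > max_kmh:
                alerts.append({
                    "user": e.user,
                    "from_country": GEO[prev.ip][2],
                    "to_country": GEO[e.ip][2],
                    "ip": e.ip,
                    "speed_kmh": round(speed),
                    "mfa_approved": e.mfa_approved,
                })
        last_seen[e.user] = e
    return alerts


def _t(hour: int, minute: int) -> datetime:
    return datetime(2021, 5, 4, hour, minute, tzinfo=timezone.utc)


# Constructed login events: alice is phished, bob is a genuine traveller.
SAMPLE_EVENTS = [
    Login("alice", "203.0.113.10", _t(9, 0), True),    # normal office login
    Login("alice", "198.51.100.7", _t(9, 30), True),   # 30 min later from Cyprus, prompt approved
    Login("bob", "203.0.113.10", _t(8, 0), True),
    Login("bob", "192.0.2.55", _t(14, 0), True),       # Vancouver to Toronto in 6 h: plausible flight
]


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Bob's Vancouver-to-Toronto hop works out to roughly 560 km/h and produces nothing, while Alice's "trip" to Cyprus implies tens of thousands of km/h and is flagged with `mfa_approved: True`. The rule is only as good as the geolocation behind it: VPN egress, mobile carrier NAT and stale IP allocations all produce false positives, which is why the team in the case study treated precise geolocation as the thing that let them separate travellers from attackers rather than relying on country codes alone.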
There are many lessons that can be gleaned from the First West experience to improve how your team goes about investigating fraud and responding to security incidents. If you want to talk with us about how HYAS can help your organization investigate adversary infrastructure and understand the threat actors behind cyber incidents, we'd love to connect with you.