Paul Moore

Security consultant, researcher & CISO at Icebook.
Phishing attacks are evolving. The Vivian Gabb story...


"We have detect some unauthorized active on your account. Please update your detail as soon as possible"

We've all had them; the notorious and grammatically inept phishing emails designed to strip us of our hard-earned money.

The vast majority are destined for immediate deletion, but a growing number of sophisticated attacks are starting to emerge. Nobody understands this better than Vivian Gabb, a tennis coach from London who recently lost nearly £50,000 to fraudsters.

Before you cast aspersions, this was not your average phishing attack. Far from it.

Vivian's email account was breached by the fraudster. Rather than spam her contact list with a desperate plea for financial help, the fraudster opted to sit and wait. Unfortunately for Vivian, her conversations with her solicitor were being monitored. When the time came to transfer a deposit to purchase a house, the fraudster took a high-risk approach and assumed the identity of the solicitor.

Apart from the "sit & wait" strategy, this phishing attack stands out for the sheer level of sophistication demonstrated by the fraudster. Rather than sending an email which Vivian would likely spot, the fraudster first registered a new domain name which closely resembled her solicitor's and even opened a new business bank account!

So when the carefully-crafted email arrived, Vivian didn't give it a second thought. They addressed her by name, referred to their correspondence on the previous day and even mirrored the tone used by her solicitor. A quick bank transfer later... and Vivian lost her life savings.
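The lookalike-domain trick above is exactly what a mail client or gateway can flag before any money moves. The following is an added example, not code from the original article: it compares the domain of an incoming From: header against a list of domains the user already corresponds with, and marks a near-match (within a couple of edits, or sharing the same leading label under a different suffix) as a lookalike rather than a trusted sender. The domain names and the `classify_sender` function are constructed for illustration.

```python
# Added example (not from the original article): flag sender domains that
# closely resemble a domain the user already corresponds with, the lookalike
# trick described in the article. Domain names below are constructed.
from email.utils import parseaddr

# Constructed list of domains the user is known to correspond with.
KNOWN_CONTACT_DOMAINS = ["smith-solicitors.co.uk", "halifax-example.co.uk"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: minimal insertions/deletions/substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from: str) -> str:
    """Extract and normalise the domain part of a From: header value."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(header_from: str, known_domains=KNOWN_CONTACT_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value.

    'lookalike' means the domain is not one we know but is within
    max_distance edits of one (or shares its leading label under another
    suffix). That is the case that warrants a phone call to the number you
    already have on file before acting on payment instructions.
    """
    domain = sender_domain(header_from)
    if not domain:
        return "unknown"
    known = [d.lower() for d in known_domains]
    if domain in known:
        return "trusted"
    for k in known:
        if levenshtein(domain, k) <= max_distance:
            return "lookalike"
        # Same registrable name under a different suffix, e.g. .com vs .co.uk
        if domain.split(".")[0] == k.split(".")[0]:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("Jane <jane@smith-solicitors.co.uk>",
                   "Jane <jane@smith-solicitor.co.uk>",
                   "Jane <jane@smith-solicitors.com>",
                   "someone@unrelated-example.org"):
        print(f"{sample!r:45} -> {classify_sender(sample)}")
```

A small edit distance is a deliberately blunt heuristic: it catches dropped or added letters and swapped suffixes, which is what the article describes, but a production filter would also normalise homoglyphs and check the domain's registration age.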

To make matters worse, neither her bank (Halifax) nor the receiving bank (TSB) were able to recover any money until it was too late.

Should the bank cover her losses?

Morally, I believe they should. Technically, perhaps not.

You see, the bank has to prove that Vivian acted negligently. Can you, hand on heart, say you'd never fall for this well-executed scam? In reality, £50,000 is peanuts and discretion really should apply.

BBC Coverage

I first became aware of Vivian's plight via a BBC article. Unfortunately, the advice from Tony Neate @ GetSafeOnline will only exacerbate the problem... so I'll say this as succinctly as I can.

Do NOT change passwords regularly.

A password, regardless of length & strength, has a finite value; it’s only useful until the user changes it. Of infinite value, however, is knowing how a user chooses a password. Each time you choose a password (which is subsequently leaked, cracked, etc.), you're inadvertently leaking information about how you choose a password. Does it start with an uppercase letter and end in a 4 digit date? Does it contain special characters, but only at the end of the password? Does it resemble another password associated with you and, if so, are there any common denominators (numbers, dates, words, layout etc)?

With this information, an attacker doesn’t need to know your current password… they can predict (with great accuracy) what your next password will be. I’m yet to meet anyone who enjoys choosing another password, so choices are made purely from a usability point of view, not security.

Using Tony’s flawed logic, a site which forces a password change every 3 months is much safer. Likewise, forcing a password change every day would be even stronger. Sadly, that’s just not true. Instead of choosing an entirely new, unique, long & strong password… the user is far more likely to add a “1” to the end of the password (MyPasswordForThisSite20151). We’ve all done it, but it’s a problem made significantly worse when you’re forced to make frequent and unnecessary changes.

Ultimately, passwords should only be changed when there’s suspicion or proof that it’s no longer a secret (assuming it’s reasonably strong in the first place).

The only caveat is the use of a password manager. Many password managers choose & subsequently store random passwords for the user, removing the burden of choosing & remembering something comparably weaker. In this instance, repeated password changes (necessary or not) would not leak any significant information to an attacker.
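If a site does force a change, the least it can do is refuse the "add a 1 to the end" response described above. The following is an added example, not code from the original article: a server-side check a change-password handler can run, which reduces each password to the memorable core a user actually retains (lowercased, with leading and trailing digits and symbols stripped) and rejects a new password whose core matches the old one or which simply contains it. The `is_trivial_variant` and `acceptable_change` functions, the minimum length and the sample passwords are constructed for illustration.

```python
# Added example (not from the original article): reject password changes
# that only decorate the previous password, the pattern the article warns
# about. Sample passwords and the policy thresholds are constructed.
import re
from typing import Tuple

# Characters users typically tack on to satisfy complexity or rotation rules.
_TRAILING = re.compile(r"[0-9!@#$%^&*?._-]+$")
_LEADING = re.compile(r"^[0-9!@#$%^&*?._-]+")


def core(password: str) -> str:
    """Reduce a password to the part the user actually remembers:
    lowercase, with leading/trailing digits or symbols removed."""
    stripped = _TRAILING.sub("", password)
    stripped = _LEADING.sub("", stripped)
    return stripped.lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is derived from `old` by a change that anyone who
    already knows `old` would try first."""
    if old == new:
        return True
    lo, ln = old.lower(), new.lower()
    # One password contains the other: characters appended or prepended.
    if lo in ln or ln in lo:
        return True
    # Same memorable core, different decoration (2015 -> 2016, ! -> ?, ...).
    if core(old) and core(old) == core(new):
        return True
    return False


def acceptable_change(old: str, new: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy decision a change-password endpoint would return."""
    if len(new) < min_length:
        return False, "too short"
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the old one"
    return True, "ok"


if __name__ == "__main__":
    old_pw = "MyPasswordForThisSite2015"
    for candidate in ("MyPasswordForThisSite20151",
                      "MyPasswordForThisSite2016",
                      "correct-horse-battery-staple"):
        print(candidate, "->", acceptable_change(old_pw, candidate))
```

In practice this check only runs at the moment of change, when the server briefly has both plaintexts; it must never require storing old passwords in a recoverable form. It also does not help when the old password was weak to begin with, which is the article's point: the change itself adds nothing.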

Who's responsible?

The more I think about it, the more it doesn't quite add up.

It's almost certainly a targeted attack; someone who knew Vivian was in the process of buying a property. Why? Attackers rarely sit on breached accounts for a significant length of time... as each passing day increases the likelihood of being discovered. I'm struggling to believe a sophisticated attacker just happened upon her account at such a convenient time.

Personally, I'd start by looking closer to home. Friends, family... even the solicitors aren't exempt from suspicion. Although it's highly unlikely Vivian will ever see a penny of her money, it's only right to put those responsible before a court. As far as I can gather, she's approached an "IT expert" with a view to investigating exactly what happened; with quotes of roughly £1000 being mentioned.

In truth, £1000 wouldn't even scrape the surface and would likely be more money down the drain.

You could argue that consistently bad & misleading advice from "experts" is also to blame, to a certain extent.

I've invited GetSafeOnline and the BBC to comment and issue a retraction, but I'm yet to hear from either party. I will update the article if necessary.
