Hello, welcome to the Thursday, August 1st, 2019 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich.

I'm recording from Boston, Massachusetts. Today we actually have the rare trade to look at a targeted

fishing attack that was directed at loan officers in financial companies.

The fish came thanks to Justin Trullo, a cybersecurity analyst from Loan Depot, who not only

identified this fish, but also was able to retrieve a good part of the fishing kit, which is

essentially the website being used to collect the credentials.

What distinguishes these targeted fishing attacks is that the emails being used here

are specifically crafted for the respective industries. In this case, the email claimed to come

from a title company and then enticed the victim into clicking on a link to download documents.

The fishing website did emulate box.com. Box.com, of course, being sort of one of those big enterprise

file sharing sites, and it did allow the victim to log in using various other cloud services,

and the goal here in the end was to obtain those respective credentials.

And we don't, of course, know for sure what would have happened if one of the Lone Depot loan

officers would have fallen for this particular fish.

But typically, the attacker will collect these credentials to then log into the victim's

email account and use it for business email

compromise. For example, waiting for someone to ask for wire transfer instructions and then

replying with a fake bank account. When you're installing software and hardware in your environment, it all too often

does connect back to the particular Wenders network. Now often this is just to check for updates,

for example, but sometimes it also infiltrates data about the network the system is installed in or

the host it is installed on. Security company ExtraHop now released a report with a couple of case

studies where enterprise software actually did exfiltrate data back to the vendor's network.

...