Full Report
Be sure to read PART 1! Metadata and a New-Fashioned Bank Robbery. Let’s face it, some cases are just more interesting than others and, when you do incident response for […] The post OSINT for Incident Response (Part 2) appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Incident Report: Financial Institution Targeted by Customer Phishing Campaign
## Executive Summary
A highly regulated financial services institution (FFSI Bank) experienced a significant increase in fraudulent financial transactions despite robust internal security controls. An external investigation using Open-Source Intelligence (OSINT) revealed that the incident was not an internal breach or sophisticated malware, but a targeted customer-facing phishing campaign using lookalike domains with valid SSL/TLS certificates to trick customers into initiating fraudulent transfers. The OSINT investigation identified the external attack infrastructure, significantly narrowing the scope of the issue.
## Incident Details
- Discovery Date: Recent months (as the fraudulent activity increased over a period)
- Incident Date: Ongoing over a period of recent months
- Affected Organization: Fictitious Financial Services Institution Bank (FFSI Bank)
- Sector: Financial Services
- Geography: Throughout the United States
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated, but occurring over recent months leading up to the IR engagement.
- **Vector:** External phishing campaign targeting customers.
- **Details:** Attackers used domains superficially similar to the bank's legitimate infrastructure (e.g., slight misspellings where "bank" was replaced with "banking") and obtained numerous SSL/TLS certificates for these lookalike domains from Let's Encrypt.
### Lateral Movement
- Attackers did not appear to gain internal network access based on the findings; the compromise vector was external, targeting the bank's customers directly.
### Data Exfiltration/Impact
- **Impact:** Financial loss due to fraudulent transactions, though the bank successfully caught and stopped *most* initiated transfers. The primary impact was the need to investigate the source of the customer-initiated fraud.
- **Data Stolen:** Credentials and financial data likely obtained from **customers** via malicious websites, not necessarily breached from the bank's internal systems.
### Detection & Response
- **Detection:** The financial institution detected a significant increase in external, fraudulent transaction attempts originating from customer accounts.
- **Response Actions:** Internal analysis failed to identify the source. An external OSINT consulting engagement was commissioned to investigate external threat vectors.
## Attack Methodology
- **Initial Access (Targeted):** Utilizing phishing websites impersonating the bank (lookalike domains).
- **Persistence:** Not directly applicable to internal network persistence; external infrastructure was maintained for ongoing phishing efforts.
- **Privilege Escalation:** Not applicable to internal network escalation; achieved by convincing customers to willingly execute transactions.
- **Defense Evasion:** External infrastructure (domains and certificates) was rapidly deployed to mimic legitimate services.
- **Credential Access:** Likely accomplished through web forms on phishing sites capturing customer login details or financial authorizations.
- **Discovery:** (By the IR team) Used OSINT tools such as LeakIX and Censys to search for related domains and certificates associated with the victim bank's identifier ("ffsibank").
- **Lateral Movement:** Not applicable.
- **Collection:** Gathering customer credentials and transaction authorizations via lookalike sites.
- **Exfiltration:** Data/transaction credentials were sent from the customer to the attacker-controlled infrastructure.
- **Impact:** Unauthorized financial transfers.
## Impact Assessment
- **Financial:** Significant increase in fraudulent transaction losses, mitigated by internal detection systems. Costs associated with the IR engagement.
- **Data Breach:** Customer PII and financial details were compromised via the phishing sites. Volume unknown, but the campaign was sustained over several months.
- **Operational:** Internal teams were heavily engaged analyzing a perceived internal breach that turned out to be external fraud.
- **Reputational:** Potential damage due to customer fraud, though the swift external analysis allowed for targeted defense deployment.
## Indicators of Compromise
*(Note: These indicators relate to the external attacker infrastructure, not internal compromises)*
- **Network Indicators (Defanged):** IP addresses linked to DigitalOcean infrastructure hosting the malicious sites.
- **File Indicators:** Presence of specific log files on compromised/related web servers, such as `visit_log.txt`.
- **Behavioral Indicators:** Use of certificates issued by Let's Encrypt for domains containing "ffsibank" variations.
## Response Actions
- **Containment:** Identification of the set of malicious lookalike domains and associated IP addresses.
- **Eradication:** Provided the bank with specific intelligence (domain patterns, certificate usage) so it could pursue takedown of the identified malicious infrastructure and monitor for newly registered lookalike sites (takedown is implied rather than stated in the source).
- **Recovery:** The bank's internal systems and networks were deemed secure; focus shifted to customer education and monitoring for new phishing infrastructure.
## Lessons Learned
- **Internal vs. External View:** The bank's deep internal security visibility masked an external attack vector that was easily discoverable via OSINT focused on external-facing infrastructure (domains, certificates).
- **Value of OSINT:** A focused OSINT strategy can rapidly and cost-effectively identify external compromise vectors that internal forensics might miss, preventing time-consuming internal investigations.
- **Certificate Monitoring:** Attackers are leveraging certificate authorities like Let's Encrypt to quickly provision trusted-looking certificates for phishing infrastructure.
## Recommendations
- Implement continuous, active monitoring of external certificate transparency logs for certificates containing the institution's name or common misspellings.
- Expand OSINT monitoring to track lookalike domains registered against the institution's names across various public records and search engines.
- Increase customer security awareness training specifically regarding domain similarity and certificate examination.
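As an added example (not code from the Black Hills post or from the report), the following Python routine applies the certificate-monitoring recommendation above to constructed, crt.sh-style certificate transparency records: it flags hostnames that carry the "ffsibank" identifier outside the institution's own zone, including the hyphenated and "bank"-to-"banking" spellings the report describes, and marks Let's Encrypt issuance as the behavioral indicator. The legitimate domain set, the record field names and the sample records are assumptions made for the example.

```python
import re

# Fictitious brand identifier the report's OSINT search keyed on, and the
# domains the institution actually owns (the latter assumed for this example).
BRAND = "ffsibank"
LEGIT_DOMAINS = {"ffsibank.com"}

# Constructed sample records shaped like crt.sh JSON output (issuer_name,
# common_name, newline-separated name_value). Not real certificates.
SAMPLE_CT_RECORDS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "ffsibanking-secure.com",
     "name_value": "ffsibanking-secure.com\nwww.ffsibanking-secure.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "login.ffsi-bank.net",
     "name_value": "login.ffsi-bank.net"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "ffsibank.com", "name_value": "ffsibank.com\nwww.ffsibank.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.org",
     "name_value": "example.org"},
]

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); real monitoring should use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def is_lookalike(host: str, brand: str = BRAND, legit: set = LEGIT_DOMAINS) -> bool:
    """True when the brand token appears in a hostname outside the legitimate zone.
    Hyphens and dots are stripped before matching, so "ffsi-bank", "ffsi.bank" and
    "ffsibanking" (the bank -> banking swap the report describes) all collapse
    onto the brand string."""
    host = host.lower().lstrip("*.")
    if registrable_domain(host) in legit:
        return False
    return brand in re.sub(r"[-.]", "", host)

def triage_ct_records(records, brand: str = BRAND, legit: set = LEGIT_DOMAINS) -> list:
    """One finding per suspicious hostname across CN and SANs; Let's Encrypt
    issuance is recorded as the behavioral indicator the report calls out."""
    findings, seen = [], set()
    for rec in records:
        names = {rec["common_name"], *rec["name_value"].split("\n")}
        for name in sorted(names):
            if name in seen or not is_lookalike(name, brand, legit):
                continue
            seen.add(name)
            findings.append({"hostname": name,
                             "registrable_domain": registrable_domain(name),
                             "lets_encrypt": "Let's Encrypt" in rec["issuer_name"]})
    return findings
```

Running `triage_ct_records(SAMPLE_CT_RECORDS)` yields three findings (both ffsibanking-secure.com names and login.ffsi-bank.net), all Let's Encrypt issued, while the bank's own DigiCert certificate and the unrelated example.org certificate are not flagged.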