Episode 100: How to Lose 6 Figures the Easy Way

The recent SolarWinds attack was incredibly sophisticated. What happens when that level of sophistication targets a homebuyer during one of the largest transactions of their lifetime? On this episode, we tell the story of an extremely difficult-to-detect spearphishing attack that almost cost a homebuyer a significant amount. We review the warning signs seen in this attack and discuss steps you can take to protect against real estate wire transfer fraud. 

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 100 Transcript

Kathy Zant:
Welcome to episode 100 of Think Like a Hacker. This is the podcast about WordPress, security, and innovation. And for this special 100th episode, we have a special guest, Mark Maunder, with whom I started this whole journey just over a couple of years ago. Welcome back, Mark. How’s it going?

Mark Maunder:
It’s going, it’s going. It’s been quite a week. How are you?

Kathy:
Yeah. Doing pretty good. I’m freezing all the time, such is winter. But yeah, 100 episodes under the belt here at Think Like a Hacker. Did you ever think we’d get this far when you conceived of the whole idea to start podcasting?

Mark:
Yeah. When we do something at Defiant, we tend to follow through and then keep following through and so on. And I guess that’s one of the reasons before we embark on anything, we really think it through.

Kathy:
Yeah. Definitely. Well, we have some interesting things to talk about today. We did some research due to an event that happened with someone that we care about, in the world of real estate. And we found some interesting information about wire transfer fraud. Mark, what do you know about this?

Mark:
I tell you what. I think, as you said, it’s our 100th episode. So this is going to be a fun one. It’s something that I’ve recently become quite passionate about. So I think maybe a good way to approach this is let’s talk about… I think everyone’s a little sick of hearing about SolarWinds, but I want to revisit that just for a few minutes because the full picture is beginning to emerge. And I’d like to contrast that with cybersecurity as it affects individuals and small businesses. And so let’s chat about SolarWinds, if you don’t mind.

So basically this SolarWinds hack involved a company that makes monitoring software that’s used by enterprises around the world and their systems were hacked such that an attacker could… Every time their build server built their software and then distributed it to their customers, the attacker had installed malware on the server and it would monitor to see if the build process had been kicked off.

And when the build process was being kicked off, then what it would do is quickly put their malicious source files in place of the real files. And it would then build the Orion software and essentially turn that software into malware. And that software would then be distributed to tens of thousands of customers around the world. And so it’s a really wonderful way to distribute malware to a heck of a lot of people. And this is called a supply chain attack because it is the supply of software that is being compromised. It takes a fairly sophisticated actor, a threat actor, we call them in the industry, to conduct an attack like that. And it takes a lot of patience. If you look at the timeline of this attack, it started back in 2019 in September when the threat actor actually began to access SolarWinds.

And I think it was September 2019 when they injected their first code. And it was a test attack that they did and progressed from there. And so they’re playing a long game and a very sophisticated game because one of the companies that they actually compromised was CrowdStrike, which is a cybersecurity company. And so you have to be incredibly stealthy to be able to compromise a company like that and remain undetected and so on. And so where I want to take this conversation is I’d like to give you an example of this level of sophistication that can target an individual or a family. There’s been a lot of publicity around APTs (advanced persistent threats) around countries that target other countries. I think that there’s a lot of news coverage around that as folks are trying to get budget for either defense or research, or even just cybersecurity companies that are trying to draw attention to themselves and are working to say, “Hey, we are involved in this really big, serious hack that involve a nation state targeting another nation state, and we’re really good at this. So if you’re the Pentagon, you need to give us your billion dollars rather than the other guy.” And so we hear about the APTs a lot.

Well, what we don’t hear about is the individuals and the families and the small businesses that are beginning to be targeted by these sophisticated threat actors. Now I’m going to describe an attack and I’m going to keep some details, intentionally obscure, but this blew my mind in its sophistication and it’s, it’s targeting an individual. So we are Defiant. We make Wordfence. Wordfence is the most popular and most effective firewall for WordPress. That’s our beat, that’s our business. That’s what we do. We’re incredibly good at it. We lead the industry with research. And so on. What I’m going to chat about now is actually something that’s outside of what we do. I’m not trying to sell you anything.

This is more a conversation about the threats that face all of us. So what the story is, is you might’ve heard of wire transfer fraud and you’re like, “Oh, yeah. That’s not going to happen to me. I’m way too smart for that. I obviously make sure I know who I’m sending my money to and so on,” but the way this attack works and worked in the case that I’m aware of is, this individual was doing a real estate transaction. And when you do a real estate transaction in the United States, in case you’re living in another country, you have a title company that usually does escrow, as well. And so you’re working with them a lot to pull documentation on the property. They’re gathering everything that you sure that all everything works. One of the things that you do is you wire them earnest money, which is like a deposit that you lose if you decide to walk away from the real estate transaction.

And then ultimately you’ll also send them a very large wire transfer, which is your down payment for your house. And then the bank makes up the balance based on that: your loan. And so this transaction was progressing. The purchasers of the house were interacting with the title company, lots of emails, back and forth, lots of documentation back and forth, sent the earnest money, five or 10 grand, whatever it was. More documentation, more research and so on. And then it was coming close to time to actually wire the money and the person that the title company who’d been interacting with this buyer said, “So here’s all your documentation with the seller’s names, the buyer’s names, the property address, the serial numbers of documents and so on. Here are the wire instructions of where to send the money.

We need to get moving on this because of COVID and great. All right. So the buyer obviously calls if the title company confirms I’m sending in the wire, okay, sounds good. The buyer goes off and sends a six-figure wire to the title company. And then in this particular case, for some reason, the buyer, their spidey-sense kicked in. It just tingled. And they were like, it’s just like weird about this. So they go back to Gmail. Now, in Gmail, you cannot see the email address of where correspondence is coming from. If you’ve been talking to someone on an ongoing basis and you have their name, it’s like, Bob Smith and Bob just is continually emailing you, you’re just seeing Bob’s name and you’re seeing the signature that matches everything and you… So they go into Gmail, they can see Bob’s name and… I’m changing the names here, but they click on the name and they look at the email address and the different domain name.

And they get suspicious. They call up the title company again and say, “Hey, I think this might be fraud.” And they obviously compared the wire transfer details and it was the wrong account. And so what had happened in this case is the hacker had either compromised the title company, or they compromised the realtor. And we had a detailed conversation about this, but the realtor was the only one who had been sent an email, which contained the data that the attackers had sent like as a supporting data when they requested the wire. And so it was either the realtor or the title company. I actually spoke to the realtor in this case, and they were using Gmail. We looked at their login history and saw, and there was nothing suspicious there. So it seems to indicate that it was the title company that was compromised, which really makes sense to me because the title companies and I was chatting with a colleague of mine who used to work for a major bank.

They’re basically just a room of administrators, numbers, folks, maybe a lawyer or two. And that kind of thing. They’re not IT personnel. And they’re not cybersecurity aware. The standards for IT security for title companies, as far as I can tell are non-existent. So we think that it was the title company that was compromised. Now, the reason that this has really piqued my interest is because for most normal people like me who has a mortgage and you who has a mortgage and so on, we do our jobs, we get paid, we may have a liquidity event like selling a house two or three times in our lives if we move that many times. And you sell your house, you’ve done the responsible thing, you’ve plowed all of your savings into your mortgage. And then when you sell your house, you’ve got all that equity.

And that equity is released. It’s a liquidity event. And so there’s this moment where perhaps the biggest chunk of wealth that a family will see is in flight. And it drops into a bank account from the sale of the home. It sits there, and then it’s wired to escrow for the next purchase. And at that moment, that family, or that individual is extremely vulnerable. If an attacker can grab those funds, it is the most cash that they will be able to steal from you at perhaps any time in your entire life, more than it’s usually sitting in your checking account. So on and so forth, perhaps more than sits in your 401k. And what really fascinates me, and I was chatting with a realtor involved with this, and she was saying that, to get a realtor license… And I said this with great respect to the realtors out there, I’ve worked with some amazing realtors and some folks that are not so amazing, but she was saying that it’s a high school education and about 100 hours of study and you get your license.

Now, I’m sure that varies from state to state, but there’s no cybersecurity education or IT education or anything like that. And then the title companies are what really interests me because I have a feeling that they are wide open. I think these folks have offices with outdated machines and staff that isn’t trained on security and so on, and a fair amount of staff which is obviously increases the size of the attack surface. And I was reading some data on this and they’re saying the industry loses about a billion dollars a year from this. I really have a feeling that they’re underestimating the losses because I think folks that are affected like this don’t go out and broadcast it. It’s not the same culture and sort of press coverage that we see around the APTs, the nation-state actors involved in the big hacks.

But these hacks that go after individuals and families are far more impactful. You’ve got a major corporation that sees a breach. Maybe it costs them something. Maybe they are fined by the SEC or whoever gets involved the FTC perhaps, but with a family, it has the potential to utterly destroy 20, 30 years of careful, gradual wealth accumulation that our family has been doing, three decades of work gone. And so the modus operandi here is that the attackers asked the buyer to wire the funds to a U.S. bank account, believe it or not. It’s not offshore. And the reason it is U.S. is because the buyer would be a lot more suspicious. I mean, they’re not going to wire it to some offshore country somewhere, but the wire to U.S. bank account and that immediately is transferred out of there.

And if it’s what I heard, and I think I might’ve heard this from you, Kathy, is if it’s more than 24 hours, it’s gone.

Kathy:
Yeah.

Mark:
And so in this particular case, what happened was the funds were wired. The bank called up to make sure that the wire was legitimate. The buyer said, yes, the wire is legitimate and approved the wire transfer. And minutes later they caught it and call the bank back and they managed to pull that wire back. So it was literally by the skin of their teeth.

Kathy:
Wow.

Mark:
I find it fascinating. I’m really, really deeply interested in this. I think it’s a threat that’s under-reported and is perhaps the most impactful cybersecurity threat that is facing families in the USA because of the process. But I suspect that it may affect other countries as well. And so I’ve become very, very interested in this particular threat.

Kathy:
Right. Individuals, families our friends, they are being targeted by these threat actors with the sophistication of like a SolarWinds type of attack, but they don’t have the resources to defend themselves like FireEye, or the Justice Department, or the people who were targeted with the SolarWinds attack. But the sophistication of these particular threat actors going after such large nest eggs has the propensity to create much more havoc much more damage to our country, much more damage to our friends and family. And I think it’s incredibly important that we raise awareness about this.

There is a website, stopwirefraud.org, and they’ve got some… They use WordPress, by the way, and they have some interesting statistics on there about this. And it’s about 10,000 victims per year, but it’s looking like about only 15% of victims, it’s estimated, actually come forward stating that they have become a victim to this type of attack. So it’s much larger than the statistics that we could read off to you about what’s happening here, because a lot of people are embarrassed that this has happened to them, that they allowed themselves to fall victim to something like this. And we’re always, either on Wordfence Live or on the podcast, we’re talking about phishing, but this is such a complex attack. It doesn’t even appear to be phishing.

Mark:
That’s really what I want to try to get across here. I think I’ve heard of these attacks in the past and my knee-jerk reaction is, okay, they were idiots, most people aren’t. So most people aren’t going to fall prey to this. The folks that were involved in this are IT educated. And I cannot over emphasize the sophistication of this attack. And that’s really what I want to convey here is that the timing on this was absolutely immaculate. The communication was perfect English. The request for the wire transfer included documents that only the title company or the realtor could have had access to those documents appeared on a letterhead of the title company. They included all the exact correct information. The signatures in the emails were the exact same signatures that had been received. The person that sent the wire transfer request was exactly the same person who the buyer had been communicating with all along.

I could go on. It’s really their timing as well. That exactly when the buyer expected to send a wire transfer is when they’re requested it, but just slightly like maybe a day or two before the title company actually made the request. And yet the justification was, “We need to move a little quickly because things are a little slow now due to COVID.” It is mind blowing. And again, in Gmail, which most people use for their personal email accounts, you don’t see that email address by default. And so if it’s someone that you’ve been communicating with on an ongoing basis, and you just see their name again with the same style of language, with the same email signature, with the documents attached that you’ve been looking at all along. I didn’t mention this, but with the wire transfer request, the document that contained the account information was in an identical format to the original wire transfer request for the earnest money.

I mean, the detail was unbelievable, so that’s why I really am trying to get the awareness out here about this, because from the bottom of my heart, I can tell you that everyone out there, no matter how smart you think you are, no matter how IT literate you are, no matter how much of a cybersecurity professional you are, you are a potential victim in this attack. I mean, that can definitely take us to a broader conversation about how the threat landscape is going to change over the next few years, because wow.

Kathy:
Well, even being IT literate, being meticulous and trusting that you have those skills can be your Achilles heel because, you know you have those abilities. You’ve gone through tests of phishing scams and you’ve passed and you’ve taken security tests and you know the stuff, right?

Mark:
Yeah.

Kathy:
It gives you that false sense of security. And I think in any transaction, in any interaction, with every email, you have to double check everything. And even then.

Mark:
I think I might’ve mentioned Kahneman before on this podcast or perhaps in other conversations we’ve had. But yeah, I really think that he’s applicable in this case. Daniel Kahneman is a Nobel prize-winning psychologist who wrote Thinking Fast and Slow. I think he wrote it with a colleague. The basic idea is that you have two minds, you have system one and system two. And system one is your automatic reflex of fast thinking routine mind, and system one is what you use almost all the time when you’re engaged, going about your business and driving your car, stopping at a traffic lights, even when you’re transacting with someone at a fast food joint or at Starbucks, this is all system one. Everything’s normal. As soon as something is awry, is different or threatening, or surprising, or unexpected system two engages and that’s your slow thinking, analytical mind.

And if a scammer wants to scam you, what they want to do is they want to keep your system one min, constantly engaged. They don’t want to engage system two because as soon as they engage your system two mind means that they’ve presented you with something that you didn’t expect. Okay. You didn’t expect the certain email or whatever and you’re like, “Hey, wait a second.” And so whenever you say, wait a second, that’s system two, kicking it, all right. Now, if you’re a CIA analyst, if you’re a spy, you’re overseas, whatever, and you’re trying to get someone to do something, ideally you’d want their system one mind constantly engaged. And that’s the same in cybersecurity. And if you look at APTs, they don’t want to engage any IT administrator’s system two mind, all right. They want everything to be routine and normal and so on.

And this level of sophistication, we’re now seeing that targeting individuals. And so this attack that was going on after a significant amount of money, six figures, the whole idea that the whole goal of the attacker was to keep everything looking like it’s routine. Do not have that buyer of the property who is wiring that money, engage their system two mind. They have to just keep engaging system one. “Ah, yes. It’s the same name of the person that’d be talking to. Ah, yes, it’s the same letterhead that the document has. It’s the same data that I’ve seen before. How could they otherwise have this data other than being the legitimate person I need to wire to?” And so on and so forth, I’ve mentioned the amount of care that they took, but that’s the goal is to not engage system two. not engage that analytical mind.

And so if you’re thinking of ways to protect yourself, I would say when you’re doing transactions engage system two. Engage that analytical mind. Take a beat. And it’s hard, especially for those of us who are busy professionals. We have five things going on in addition to this new, exciting thing of buying a home, we have the other four things going on that comes with that, and it all seems routine. Yep, yep, yep, yep. Check the boxes. Bam, bam, bam, okay. And the bank calls up. “Yep, yep. That was me. Approve it. Done.” And that’s all just system one. And what you should do is say, “Wait. Slow it down. Let me engage my system two mind. Let me be suspicious and look a little closer.” And do an extra two, or three, or four things to protect myself as we say in the industry, that gives you a layered approach to securing yourself.

It’s not just the title company. It’s not just their say so. It’s not just the bank. It’s you having checked the email address, having gotten suspicious. Sometimes when we’re suspicious, other people get irritated. Other people start tapping their feet. They get impatient. They can wait.

Kathy:
Especially when you’re a buyer. I mean, you’re the one with the money, so everyone should be doing your bidding. So take that extra time. Call. You, get an email call and verify that, even if you feel weird, like verifying the numbers while I just can’t read this, it didn’t come through on the PDF correctly or something. There are plenty of things you can do.

Mark:
Well, just for fun, because I like messing with you a little bit, Kathy, let me ask you this. And then I’ll point that out this high powered lens of myself, but didn’t you buy a place recently?

Kathy:
Yes.

Mark:
Okay.

Kathy:
And I made my husband drive an hour to deliver a cashier’s check rather than wire money.

Mark:
Yeah.

Kathy:
That’s how paranoid I am.

Mark:
When you bought your house, how many times did you get to see it before you bought it?

Kathy:
Three times. And then my husband came and did he did two inspections, so, yeah.

Mark:
Oh, okay. Yeah. So I think you might be the exception.

Kathy:
I am an exception.

Mark:
You’re exceptional. I think a lot of people will see their house once before they buy it. It’s the walkthrough with the realtor and then it’s the offer. And then you’re into closing and you’re committed contractually, and then you close and it’s your house. And you’ve got to see it once. I mean, I spent more time buying a table saw than that recently. And so I think what I’m trying to illustrate is that, I think that there’s certain transactions that we engage in. There’s certain things that we do where we spend an inordinately little amount of time on the thing. And I think perhaps this wire fraud example is a bit of the same thing where one needs to kind of recalibrate and say, “What am I doing here? Oh, I’m wiring 20 years worth of savings to a title company. Do I know who they are? Who I was just speaking to?” And so on. So maybe a bit of recalibration in that department.

Kathy:
Title companies, they deal with so much legal stuff. So many surveys and filing of all of these different things that are, to the average house buyer, that’s like way over their head and they trust their realtor. They trust their lawyer. They trust their title company to just handle all of that. I’m just going to live in the house and change the drapes. That’s usually what a home buyer is focused on is making home rather than protecting themselves and a very complex transaction. So you end up turning over, because it feels so daunting, you end up turning over a lot of trust. And what is security is all about? It’s about trust. And if you can’t trust that they are as paranoid about security as you are. There’s your weakness. There’s your vulnerability right there.

Mark:
Yeah. So, I think in closing, I would say engage your system two mind. You’re a more deliberate, slow thinking, deeper thinking, analytical mind when it comes to these big transactions and to hell with anyone who’s rushing you.

Kathy:
Definitely. And the real lessons I think from this and from SolarWinds and from the sophistication in attacks that we’re starting to see even in the WordPress world is that, you can’t trust someone else to handle it for you. There’s always going to be a security element that you have to take responsibility for. And the sophistication of these actors is becoming much more daunting and we have to pace with them. It’s a cat and mouse game, right?

Mark:
Yeah. And in terms of how I think the landscape is going to evolve going forward. I think something that folks in developed countries in particular like the United States, Canada, the U.K., Australia, New Zealand and other countries, one risk that I see is that, I grew up in a developing country in South Africa and I’ve spent time in other developing countries. And a level of crime in general is a lot higher in developing countries than it is in developed countries. And if you are from a developing country, what you’ll know about yourself is that when you are in that environment, you develop your security routine. For me, I go back home to South Africa, I have to reboot my security routine. Okay. Lock at the house doors, set the alarm, don’t walk around looking like money is dripping from you or whatever. In other words, don’t be a giant target, lock your car, or park it in a secure place, that kind of thing.

Mark:
And so there’s this culture of being secure that a lot of folks around the world have that are in that environment. In places like the United States, now I know a lot of people might take me to task for this, but this country is incredibly safe, relative to other countries in the world. Okay, sure. There’s some crime, but relative to other countries in the world, this country is unbelievably safe. And it is a completely different lifestyle here. I’ve lived in California, Maine, Seattle, Colorado, and spent time in a lot of other areas. And in general, it’s incredibly safe. And so there’s no culture of security here. There’s no culture of vigilance or anything like that. The thing about cyberspace is that we are all living in the same space. We are living cheek to jowl with folks around the world. And in some cases, very, very high crime areas with groups of threat actors that are extremely motivated to engage in cyber crime.

Mark:
And so you have folks that are used to being safe now in that world. And I mean, not to be too jingoistic or anything like that, but we’ll talk about the U.S. because that’s where I’m based. And that’s where I tend to live. You have Americans, American families that are used to being safe and so on. All of a sudden they’re in the same neighborhood as all these bad people, all these bad guys. And I think that reality is going to become more and more apparent, very rapidly over the next few years, as you see more and more victims and more, more victim’s stories emerging. And I think that those developed countries, you know, whether it’s Germany or the U.K. Or the U.S., whatever we’re talking about, there’s going to have to be a profound cultural shift in those countries towards a culture of vigilance and being security aware and so on, especially in the cyber domain.

I don’t know how that’s going to happen. I hope it doesn’t just happen because all these victim stories emerge. And then it’ll be interesting to see what happens to the enforcement landscape. Right now when you talk about the government providing any sort of cybersecurity, we’re talking about NSA, DHS, FBI, and so on. We’re not talking about anything at any of the local police departments. And I wonder if what might make sense over the next decade is to perhaps quite soon, actually, have conversations about local law enforcement providing cyber capability to the local populace. Providing cyber protection. I mean, in this particular case with the wire fraud, who does that person go to? Do they go to FBI? The FBI is busy chasing APTs. They’re busy talking to CrowdStrike and chasing SolarWinds and that kind of thing.

There’s no special agent that wants to make their career on mom and pop taken down through a wire transfer fraud. And so the folks need to be able to think, talk to their local police departments about this and I’m sure the private sector wants to play their role. I am a private sector, cyber security company. I run a private sector, cybersecurity company. Sure. We’d like to buy your services and charge for it and so on, but I think if you consider that for physical security PD, the local police department is providing that. I think we should perhaps start having conversations about them also providing cyber capability.

Kathy:
Definitely. Yeah. So I think you’re very right about our world is changing and how we respond to it is going to have to change too.

Mark:
Yeah. Strange days we are living.

Kathy:
Right. That’s what we’re here for is to help people become aware of these things and to spread the word and keep you apprised of everything that’s happening. And so we’re really thankful that you listened. And if you know of anybody who is in the process of a real estate transaction, you might want to point them to listen to this episode. Pointing them to wordfence.com/podcast and they can get all of the details. We’ll have some links in the show notes as well. Any final thoughts, Mark?

Mark:
Yeah. I am very interested in this particular attack. In other words, wire transfer fraud as it relates to real estate transactions. If you are a victim, or you know of any victims of this, I’d love it if you could email me. My email address is Mark@defiant.com. Defiant is of course our parent company and a Defiant makes Wordfence. And anything that you communicate with me, I’ll treat in confidence, really just researching the landscape and understanding. And I really am serious when I think that this is a major growing threat facing families around the world. And I’m interested in understanding a bit more about it. That’s it for me, Kathy. Thanks so much for the chat.

Kathy:
Yeah. Thanks for joining me today. If you want to follow Mark on Twitter, it’s @MMaunder. You can find me @KathyZant and of course you should be following @Wordfence. We are Wordfence everywhere, Twitter, Instagram, Facebook, everywhere. Just follow us and listen to us on your favorite podcasting app. Make sure you subscribe to us and we will talk to you again next week.

Mark:
Thanks everyone. Bye.