The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. In general, the spearphishing emails request students’ login credentials for the University’s internal intranet. The cyber criminals then capture students’ login credentials, and after gaining access, change the students’ direct deposit destination to bank accounts within the threat actor’s control.
In February 2018, the FBI received notification of a spearphishing campaign targeting students at an identified University in the south eastern United States. The campaign occurred in January 2018 when an unidentified number of students attending the University received an email requesting their login credentials for the University’s internal intranet. Using the University’s intranet portal, the cyber criminals accessed a third-party vendor that manages the disbursement of financial aid to students and changed the direct deposit information for 21 identified students to bank accounts under the cyber criminal’s control. The threat actor stole approximately $75,000 from the 21 students. The student accounts were accessed by at least 13 identified US Internet Protocol (IP) addresses.
On 31 August 2018, the Department of Education identified a similar spearphishing campaign targeting multiple institutions of higher education. In this campaign, the cyber criminals sent students an email inviting them to view and confirm their updated billing statement by logging into the school’s student portal. After gaining access, the cyber criminals changed the students’ direct deposit destinations to bank accounts under the threat actor’s control.
The nature of the spearphishing emails indicates the cyber criminals conducted reconnaissance of the target institutions and understand the schools’ use of student portals and third-party vendors for processing student loan payment information. In addition, the timing of the campaigns indicates the cyber criminals almost certainly launched these campaigns to coincide with periods when financial aid funds are disseminated in large volumes.
The FBI recommends providers implement the preventative measures listed below to help secure their systems from attacks:
Notify all students of the phishing attempts and encourage them to be extra vigilant
Implement two-factor authentication for access to sensitive systems and information
Monitor student login attempts from unusual IP addresses and other anomalous activity
Educate students on appropriate preventative and reactive actions to known criminal schemes and social engineering threats
Apply extra scrutiny to e-mail messages with links or attachments directed toward students
Apply extra scrutiny to bank information initiated by the students seeking to update or change direct deposit credentials
Direct students to forward any suspicious requests for personal information to the information technology or security department
(U//FOUO) On January 27, 2019 at approximately 12:15pm local time, a vehicle resembling an ambulance and laden with explosives detonated after it passed through a police checkpoint in Kabul, Afghanistan. The explosion killed more than 100 people and wounded approximately 235 others. According to the deputy spokesperson for the Afghanistan Interior Ministry, the vehicle was painted to resemble an ambulance and had successfully passed through a checkpoint after the attacker allegedly told police he was transporting a patient to a nearby hospital. While stopped at a second checkpoint farther inside the city limits, the attacker detonated the explosives concealed in the vehicle. The explosion occurred in an area known as Chicken Street, which includes a prominent shopping zone and is in close proximity to foreign embassies and government buildings. A Taliban spokesman released a statement claiming responsibility and alleged the attack was in retaliation to an increased presence of U.S. troops and an increase in airstrikes throughout Afghanistan.
(U//FOUO) Individuals may consider using a variety of official vehicles or altering vehicles to look like official vehicles to further their terrorist objectives. The use of ambulances, law enforcement vehicles, fire vehicles, or other government vehicles could enable attackers to enter into secure areas to access sensitive sites or carry attackers, weapons, and/or explosives to an intended target location. Individuals may clone first responder vehicles by modifying unofficial vehicles with paint and decals to make them appear to be official; steal vehicles from residences, vulnerable vehicle lots, or while first responders are at a scene; or purchase retired, official vehicles and potentially re-equip them with equipment that was removed prior to sale to make them appear more legitimate. Incidents involving stealing or cloning first responder vehicles in the United States have often been associated with criminal activity, but individuals in the United States could also gain insight from international attacks to attempt similar tactical use of emergency response and government vehicles in terrorist attacks in the United States.
(U//FOUO) First responders should follow agency protocols for responding to suspicious incidents and safeguarding equipment and vehicles. The following non-exhaustive list identifies potential indicators of misuse or misrepresentation of first responder vehicles.
(U//FOUO) Drivers of government vehicles who are not knowledgeable or who become increasingly nervous when questioned about the organization represented on the vehicle they are driving
(U//FOUO) Incorrect vehicle decals, verbiage, colors, word font, and size
(U//FOUO) Visible identifiers, such as phone number or license plates, that are inconsistent with the vehicle’s operating area or mission are very suspicous.
(U//FOUO) Heavily loaded vehicles, possibly beyond capacity must be considered as dangerous.
The FBI is the lead federal agency for investigating cyber attacks by criminals, overseas adversaries, and terrorists. The threat is incredibly serious—and growing. Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Our nation’s critical infrastructure, including both private and public sector networks, are targeted by adversaries. American companies are targeted for trade secrets and other sensitive corporate data, and universities for their cutting-edge research and development. Citizens are targeted by fraudsters and identity thieves, and children are targeted by online predators. Just as the FBI transformed itself to better address the terrorist threat after the 9/11 attacks, it is undertaking a similar transformation to address the pervasive and evolving cyber threat. This means enhancing the Cyber Division’s investigative capacity to sharpen its focus on intrusions into government and private computer networks.
For more information on the FBI’s cyber security efforts, read our “Addressing Threats to the Nation’s Cybersecurity” brochure.
Computer and Network Intrusions
The collective impact is staggering. Billions of dollars are lost every year repairing systems hit by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of hospitals, banks, and 9-1-1 services around the country.
Who is behind such attacks? It runs the gamut—from computer geeks looking for bragging rights…to businesses trying to gain an upper hand in the marketplace by hacking competitor websites, from rings of criminals wanting to steal your personal information and sell it on black markets…to spies and terrorists looking to rob our nation of vital information or launch cyber strikes.
Today, these computer intrusion cases—counterterrorism, counterintelligence, and criminal—are the paramount priorities of our cyber program because of their potential relationship to national security.
Combating the threat. In recent years, we’ve built a whole new set of technological and investigative capabilities and partnerships—so we’re as comfortable chasing outlaws in cyberspace as we are down back alleys and across continents. That includes:
- A Cyber Division at FBI Headquarters “to address cyber crime in a coordinated and cohesive manner”;
- Specially trained cyber squads at FBI headquarters and in each of our 56 field offices, staffed with “agents and analysts who protect against investigate computer intrusions, theft of intellectual property and personal information, child pornography and exploitation, and online fraud”;
- New Cyber Action Teams that “travel around the world on a moment’s notice to assist in computer intrusion cases” and that “gather vital intelligence that helps us identify the cyber crimes that are most dangerous to our national security and to our economy;”
- Our Computer Crimes Task Forces nationwide that combine state-of-the-art technology and the resources of our federal, state, and local counterparts;
- A growing partnership with other federal agencies—including the Department of Defense, the Department of Homeland Security, and others—which share similar concerns and resolve in combating cyber crime.
Law enforcement at all levels has the legal authority to intercept and access communications and information pursuant to court orders, but often lacks the technical ability to carry out those orders because of a fundamental shift in communications services and technologies. This scenario is often called “Going Dark” and can hinder access to valuable information that may help identity and save victims, reveal evidence to convict perpetrators, or exonerate the innocent.
Read more about the FBI’s response to the Going Dark problem.
Identity theft—increasingly being facilitated by the Internet—occurs when someone unlawfully obtains another’s personal information and uses it to commit theft or fraud. The FBI uses both its cyber and criminal resources—along with its intelligence capabilities—to identify and stop crime groups in their early stages and to root out the many types of perpetrators, which span the Bureau’s investigative priorities.
More on the FBI’s efforts to combat identity theft.
The FBI’s online predators and child sexual exploitation investigations are managed under our Violent Crimes Against Children Program, Criminal Investigative Division. These investigations involve all areas of the Internet and online services, including social networking venues, websites that post child pornography, Internet news groups, Internet Relay Chat channels, online groups and organizations, peer-to-peer file-sharing programs, bulletin board systems, and other online forums.
Read more about our Violent Crimes Against Children Program.
The Internet Crime Complaint Center
The mission of the Internet Crime Complaint Center (IC3) is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated fraud schemes and to develop effective alliances with law enforcement and industry partners. Information is analyzed and disseminated for investigative and intelligence purposes to law enforcement and for public awareness.
Cyber Action Team
It can be a company’s worst nightmare—the discovery that hackers have infiltrated their computer networks and made off with trade secrets, customers’ personal information, and other critical data. Today’s hackers have become so sophisticated that they can overcome even the best network security measures. When such intrusions happen—and unfortunately, they occur frequently—the FBI can respond with a range of investigative assets, including the little-known Cyber Action Team (CAT). This rapid deployment group of cyber experts can be on the scene just about anywhere in the world within 48 hours, providing investigative support and helping to answer critical questions that can quickly move a case forward.
Established by the FBI’s Cyber Division in 2006 to provide rapid incident response on major computer intrusions and cyber-related emergencies, the team has approximately 50 members located in field offices around the country. They are either special agents or computer scientists, and all possess advanced training in computer languages, forensic investigations, and malware analysis. And since the team’s inception, the Bureau has investigated hundreds of cyber crimes, and a number of those cases were deemed of such significance that the rapid response and specialized skills of the Cyber Action Team were required. Some of those cases affected U.S. interests abroad, and the team deployed overseas, working through our legal attaché offices and with our international partners.
Members of the team make an initial assessment, and then call in additional experts as needed. Using cutting-edge tools, the team look’s for a hacker’s signature. In the cyber world, such signatures are called TTPs—tools, techniques, and procedures. The TTPs usually point to a specific group or person. The hackers may represent a criminal enterprise looking for financial gain or state-sponsored entities seeking a strategic advantage over the U.S.
National Cyber Forensics & Training Alliance
Long before cyber crime was acknowledged to be a significant criminal and national security threat, the FBI supported the establishment of a forward-looking organization to proactively address the issue. Called the National Cyber-Forensics & Training Alliance (NCFTA), this organization—created in 1997 and based in Pittsburgh—has become an international model for bringing together law enforcement, private industry, and academia to build and share resources, strategic information, and threat intelligence to identify and stop emerging cyber threats and mitigate existing ones.
Since its establishment, the NCFTA has evolved to keep up with the ever-changing cyber crime landscape. Today, the organization deals with threats from transnational criminal groups including spam, botnets, stock manipulation schemes, intellectual property theft, pharmaceutical fraud, telecommunications scams, and other financial fraud schemes that result in billions of dollars in losses to companies and consumers.
The FBI Cyber Division’s Cyber Initiative and Resource Fusion Unit (CIRFU) works with the NCFTA, which draws its intelligence from the hundreds of private sector NCFTA members, NCFTA intelligence analysts, Carnegie Mellon University’s Computer Emergency Response Team (CERT), and the FBI’s Internet Crime Complaint Center. This extensive knowledge base has helped CIRFU play a key strategic role in some of the FBI’s most significant cyber cases in the past several years.
Because of the global reach of cyber crime, no single organization, agency, or country can defend against it. Vital partnerships like the NCFTA are key to protecting cyberspace and ensuring a safer cyber future for our citizens and countries around the world.
With cyber threats continuing to emerge at the forefront of the FBI’s criminal and national security challenges, engaging public-private partners in information exchange alongside law enforcement and intelligence communities…
Each Cyber Task Force synchronizes domestic cyber threat investigations in the local community through information sharing, incident response…
In 2007, eGuardian was developed to help meet the challenges of collecting and sharing terrorism-related activities amongst law enforcement agencies across various jurisdictions. The eGuardian system is a sensitive but…
Below are some key steps to protecting your computer from intrusion:
Keep Your Firewall Turned On: A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.
Install or Update Your Antivirus Software: Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users’ knowledge. Most types of antivirus software can be set up to update automatically.
Install or Update Your Antispyware Technology: Spyware is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads on your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable antispyware—in some cases these products may be fake and may actually contain spyware or other malicious code. It’s like buying groceries—shop where you trust.
Keep Your Operating System Up to Date: Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.
Be Careful What You Download: Carelessly downloading e-mail attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code.
Turn Off Your Computer: With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being “always on” renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker’s connection—be it spyware or a botnet that employs your computer’s resources to reach out to other unwitting users.
Safe Online Surfing
The FBI Safe Online Surfing (FBI-SOS) program is a nationwide initiative designed to educate children in grades 3 to 8 about the dangers they face on the Internet and to help prevent crimes against children.
It promotes cyber citizenship among students by engaging them in a fun, age-appropriate, competitive online program where they learn how to safely and responsibly use the Internet.
The program emphasizes the importance of cyber safety topics such as password security, smart surfing habits, and the safeguarding of personal information.
DEPARTMENT OF JUSTICE
(U//FOUO) National Domestic Communications Assistance Center Presentation: Quantifying Law Enforcement’s “Going Dark” Problem
March 4, 2019
The following presentation was obtained from the public website of a professional organization for prosecutors.
Quantifying Law Enforcement’s “Going Dark” Problem: Statistics Collection Tool
Page Count: 20 pages
Date: January 27, 2017
Restriction: For Official Use Only
Originating Organization: Department of Justice, National Domestic Communications Assistance Center
File Type: pdf
File Size: 2,780,451 bytes
File Hash (SHA-256): C0F20581F51C4D6C1132647470301B511E0366ED7E12BD7B315425BC906DE077
• As a result of the fundamental shift in communications services and technologies, criminal and national security investigations are unable to obtain needed evidence and intelligence despite having the legal authority to do so
• We continue to lose ground to rapidly-changing global communications services and technologies
• Public disclosures have created an environment that makes even the discussion of new lawful intercept legislation very difficult and provider cooperation tenuous
• Regulatory process is not timely and judicial process unproductive
• Stakeholders in legislative process have different equities
• Industry is very organized and proactive in its opposition to the development of new capabilities and legislation
Encrypted Communications Applications
Modern communication applications have begun to implement encryption on data in motion, resulting in law enforcement’s inability to access the plain text of data in transit (intercepted)
Challenges with Record Requests
The lack of a mandate on the retention of communications metadata or content and the increasing globalization of communication services have greatly complicated law enforcement’s ability to obtain information on historical communications
Communication devices have begun to deploy encryption on stored data, resulting in law enforcement’s inability to access the plain text of data stored on a device or system (or cloud)