Executive Editor AISA National Conference 2016 Interview Series: Trend Micro’s Rik Ferguson discusses liaison with International Law Enforcement Agencies and the two leading online scams, CEO Fraud and Ransomware
Editor: Can you give us some insight into Trend Micro’s relationship with Europol and Interpol, and law enforcement in general?
Rik – My work with Europol is part of an International cyber security advisory group. Europol and Interpol has reached out to the private sector and industry so they can expand their domain expertise and their reach. Obviously they’re very tightly involved with the European national law enforcement agencies (LEAs) and act as a coordinating body for the LEAs. They understand there is a wealth of intelligence and information that can be gleaned from the private industry to help out and they coordinate those relationships. Though organisations like Trend Micro do also have one to one relationships with pretty much every local law enforcement body anyway, such as the National Crime Authority (UK) and Dutch High-Tech Crime Unit. Trend Micro also has one full time staff member at Interpol’s Cyber Innovation Centre in Singapore.
While in Sydney for the AISA National Conference I was in a meeting with NSW Police but it is more our Australian Trend Micro personnel, such as John Oliver who will be liaising with Australian LEAs. John is part of the FTR (Forward Threat Research) teams and this team as a whole is responsible for managing the operation for LEAs.
Editor: How does the relationship work, are you assisting with investigations and operations?
Rik – The LEA relationship is a two way thing – so if we discover something in the course of our own research which we think may be useful or of interest to law enforcement we will reach out and by the same token law enforcement will contact us with enquiries as to what we may have in our holdings and to seeking information from us to assist them. This may be about infrastructure or individuals and we also provide expert witness statements if matters are proceeding to court.
The relationship is controlled under a Memorandum of Understanding and non-disclosure agreements and it’s not a paid operation. It is something Trend Micro does as part of being a security provider. The most effective way to keep our customer’s security is to help take the criminals out of business.
Editor: How is Trend Micro structured and assisting police on the ground?
Rik – Our research within Trend Micro is divided into two distinct teams. There is the Numerically Superior Team is called ‘Trend Labs’ with about 1,500 personnel globally and they’re responsible for sourcing and maintaining the bulk of the data that makes up the smart detection network, which is data about files, URLs, domains, IP addresses, emails which is the intelligence that makes up that backend database. Then there is a numerically smaller team called FTR, with about 40-50 people globally, and they are literally around the world and have linguistic skills and capabilities so they can tap into underground forums. This has allowed us to develop a series of white papers about the similarities and differences in the criminal underground community, be it from China, USA, Germany, France, Brazil, Russia and several others.
FTR is divided into three main groups, which are law enforcement cooperation and they’re actively involved in research which goes into a couple of different directions, one will be building a better beast, such as better, faster back end tools, sourcing data, mining and correlating data, so a lot of tool building and then there’s research into criminal underground, SCADA and ICS, point of sale malware, ransomware – they will continually rotate on various research projects.
Editor: The Asia Pacific is known to be prevalent in terms of cyberattacks and cybercrime – is this your understanding and what are the key trends you’re seeking?
Rik – The two things I’m presenting on at AISA are definitely rife and that is ‘Ransomware’ and BECs or business email compromise. BECs, also known as CEO Fraud, on the face of it is a very simple fraud operation which compromises an email account or spoof of an account used by a senior company executive and then their account is used to compromise another senior executive email account, generally someone with access to the finance in the company. It is a simple form of social engineering attack where they submit invoices and say they have to be paid urgently and immediately and because it appears as a senior executive direction, the victim then by-passes any normal checks and balances and pays the invoice.
According to the FBI, over the course of just the last two years, over US$3 billion has been paid as a result of the BEC fraud alone, affecting over 22,000 organisations globally and across over 100 countries. The top 5 includes Australia and is representative of English speaking countries, namely the US, UK, Canada, Australia and Belgium. Over 80 per cent of the email is from the General Manager and above, up to the CEO or President and From the CEO and 40 per cent will go straight to the Chief Financial Officer (CFO) or to customers of the organisation or internally to the customer – the key aspect to this is the losses of this scale and businesses don’t get back the money from the banks yet consumers do. There has been only one arrest which was a Nigerian scammer called Mike who was identified by Interpol. His network included Nigeria, Malaysia and South Africa. BECs are an evolution of the 419 scam with a majority of the sources from Africa, such as Nigeria.
Criminals are global and they have extensive networks and with multilinguistic skills also, including live chat windows in the language of your choice as they instruct victims to pay ransoms and the like, as well as distributing ransomware in different languages. It is something business and industry must get their head around and become aware that this is a significant and global issue.