[Chinese-English bilingual] How much do you know about the tricks cyber scammers use?

Cyber Thieves Are Getting More Creative

Misinformation is frequently mentioned in the media, usually in the context of politics and viewed synonymously with fake news. Although these are serious issues, a bigger and more personal danger is often overlooked: how cyber criminals use misinformation to steal from companies and individuals.
One definition of misinformation is: “false or inaccurate information, especially that which is deliberately intended to deceive.” But misinformation can be most effective and deceptive when it is combined with large amounts of true and accurate information, especially information that is only known to a few. By exploiting cyberattacks that steal true information, criminals can combine that with just a bit of misinformation to result in major financial impacts for companies and individuals.
I give several examples below. Because these situations were very sensitive, the organizations affected only agreed to explain the situations to me under the condition of anonymity. This is a common requirement, which is why it is believed that publicly reported cyberattacks only represent a small fraction of actual cyberattacks.
Exploiting Wire Transfers
Most of us have heard about scams that steal credit card numbers. In most cases, you can challenge or cancel improper credit card charges, so you don’t ultimately lose any money. But there’s a key difference with wire transfers: they’re usually immediate and irreversible. That is, when a wire transfer is used, the money is gone, especially if this deception is not discovered immediately. Cyber criminals have taken advantage of this feature in various ways.
One example involves criminals getting into a company’s computer systems, where they then spend time reading emails and learning internal procedures. The criminals learn which officials are authorized to issue wire transfer instructions to the financial office and what the procedures are. They then masquerade as these officials, one by one over several days, issuing instructions for wire transfers, some for more than $500,000, to the criminals’ accounts.
After this costly problem was realized at one company I spoke with, procedures were put in place to require verification that such wire transfers were actually requested by authorized personnel. This involved speaking on the phone directly with the authorized person and verifying the details of the transaction. Unfortunately, such sensible procedures are often only put in place after a crime has already been committed.
It’s not only corporations that can lose money via wire fraud. Executive home buyers are popular targets. A key step in most home buying transactions involves the transfer of a substantial amount of money by wire to a title or escrow company that holds onto the money until the title for the property has been transferred to the new owner and then — and only then — the escrow company transfers those funds to the home seller.
Criminals use a multi-step process to reap their gains in these situations. First, they break into the real estate agent’s, attorney’s, or title agent’s computer systems. They may spend weeks or even months learning about upcoming closings, the company’s procedures, and details including samples of wire transfer instructions. Since there can be complications at the last minute, home buyers are often encouraged to do the wire transfer a day or two in advance. The title company usually sends the instructions one day in advance, so cyber criminals will send the instructions two days in advance. These instructions appear to be from the title company, since they are based upon the real instructions, but the destination information is altered. They have buried just a bit of misinformation in a batch of true information.
Hundreds of millions of dollars have been stolen this way in a single year. In fact, more than 13,000 people were victims of wire fraud in the real estate and rental sector in 2020, with losses of more than $213 million — an increase of 380% since 2017, according to FBI data. You could find yourself in a situation where you had sold your prior home and used the cash received plus your savings to buy a newer, better home in a different city. You might be in your car halfway to the new city to move into your new home the next day when you receive a call from your real estate agent asking where your payment is. After many frantic calls, you realize that your money has been stolen, and that you’re now homeless and broke.
There are various things that both individuals and companies can do to reduce the risk of cyber crime via wire transfer. First, always confirm the wire transfer instructions on the phone with the person who should be receiving the money before wiring the money. But be sure that you can confirm that you are actually talking to the right person — the criminals might have included a phony phone number in the instructions that you received, so always verify the correct number in advance using an official website, or by speaking directly to a known source who can verify the correct information.
Stealing Paychecks
Many companies provide systems that allow employees to maintain and update their personal information, such as home address, telephone, and banking details for direct deposit of their monthly paycheck. Criminals have broken into the accounts of some well-paid employees and, the day before the payment was to be sent, changed the bank details. Then, the day after, they changed the bank details back to normal, so nothing would be noticed to be out of order. They continued this scheme for several months until an executive got a notice of insufficient funds on a check and only then realized that the expected monthly payments had not been received by his bank. (I guess none of these executives were balancing their bank accounts monthly!) This illustrates the importance of checking your bank account frequently enough to detect unusual or erroneous activity, especially to confirm that expected deposits are being made.
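The change-then-revert pattern described above leaves a distinctive trace in an HR system’s audit log, and payroll or security teams can look for it. The following is an added illustration, not code from the article or from any company it describes; the audit log, the payroll dates, and the three-day window are constructed assumptions.

```python
from datetime import date

# Constructed sample audit log of direct-deposit changes (not real data):
# (employee id, change date, previous account, new account).
AUDIT_LOG = [
    ("emp-1001", date(2021, 3, 30), "ACCT-A", "ACCT-X"),  # day before payroll
    ("emp-1001", date(2021, 4, 1), "ACCT-X", "ACCT-A"),   # reverted day after
    ("emp-1002", date(2021, 3, 15), "ACCT-B", "ACCT-C"),  # ordinary change, never reverted
    ("emp-1003", date(2021, 4, 29), "ACCT-D", "ACCT-Y"),  # same pattern next month
    ("emp-1003", date(2021, 5, 2), "ACCT-Y", "ACCT-D"),
]
# Assumed monthly payroll run dates.
PAYROLL_DATES = [date(2021, 3, 31), date(2021, 4, 30)]


def find_payroll_diversions(log, payroll_dates, window_days=3):
    """Return (employee, payroll date, diverted account) for every bank-detail
    change made within window_days before a payroll run that was then reverted
    to the original account within window_days after that run."""
    by_employee = {}
    for emp, when, old, new in log:
        by_employee.setdefault(emp, []).append((when, old, new))
    findings = []
    for emp, changes in by_employee.items():
        changes.sort()
        for i, (when, old, new) in enumerate(changes):
            for pay in payroll_dates:
                if not 0 <= (pay - when).days <= window_days:
                    continue
                # Look for a later change that restores the original account.
                for later, later_old, later_new in changes[i + 1:]:
                    if (later_old == new and later_new == old
                            and 0 <= (later - pay).days <= window_days):
                        findings.append((emp, pay, new))
    return findings


def should_hold_for_confirmation(change_date, next_payroll, window_days=3):
    """Preventive counterpart: a bank-detail change landing inside the window
    before a payroll run is paid to the previously verified account and queued
    for out-of-band confirmation with the employee instead of taking effect."""
    return 0 <= (next_payroll - change_date).days <= window_days


if __name__ == "__main__":
    for finding in find_payroll_diversions(AUDIT_LOG, PAYROLL_DATES):
        print("suspected payroll diversion:", finding)
```

The detection runs after the fact, which is why the hold-for-confirmation rule matters more: it turns the same window into a control applied before the money moves.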
Tricking People Into Helping the “Boss”
Most of us have heard about the classic scam where the CEO of the company asks the CFO to send funds somewhere. If you are not a CEO, you might assume that such scams are not relevant to you, but that is not the case.
One form of this scam, especially popular on university campuses, is for a staff member to receive what appears to be an email from a superior, typically the department head. The staff member is told a story such as, “I just realized that I am going to my nephew’s birthday party tonight and I am in meetings all day, so I won’t have time to buy a gift. Could you do me a small favor and buy a $100 gift card and email me the numbers on the back?” As one victim lamented: “It was not just coming from one of my colleagues; it came in the name of my department chair.” In one case that I heard of, eight out of 10 faculty in a single department fell for the scam. Once again, it is important to verify that the message is really coming from your boss.
Why It’s Important to Be Cautious
The point of all of this is that although misinformation, in the form of fake news, is a problem, combining lots of real information with just a tiny bit of misinformation can be devastating. The examples above are just some recent examples. As noted, there are things that can be done to eliminate or at least dramatically reduce such crimes, but those procedures and precautions need to be put in place now, not after the crime.
But note that cybercriminals are amazingly creative, and are often armed with lots of information about you. More treacherous schemes may be heading our way, so it is important to continually learn about new schemes, be cautious, and prepare your defenses.
Stuart Madnick is the John Norris Maguire (1960) Professor of Information Technologies at the MIT Sloan School of Management, a Professor of Engineering Systems at the MIT School of Engineering, and Director of Cybersecurity at MIT Sloan: the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity. He has been active in the cybersecurity field since co-authoring the book Computer Security in 1979.
時青靖 | Editor