SecureWorks Exposes Phishing Fraudster Using Social Engineering Tricks

Pretending to be a willing dupe can help security firms identify and shut down the bank accounts used by scammers, turning the tables on attackers.


SAN FRANCISCO—Punking online fraudsters has a long history among hackers.

Yet, managed security provider SecureWorks is recommending that some companies regularly play the dupe to hackers to cause them more pain and make their crimes less lucrative.

At the RSA Security Conference, SecureWorks researchers Joe Stewart and James Bettke described an incident where they led a fraudster along, collected information on eight bank account numbers used in the scheme, shut the accounts down, and then convinced the person to give up identifying information.

Calling the approach “offense-in-depth,” the company has argued that it increases the attackers’ risk, increases their effort, and decreases their rewards—all which impact criminals’ bottom line.

“Every time you get one of these emails, if we can get the account numbers and shut them down, it thwarts multiple schemes,” said Joe Stewart, director of malware research at SecureWorks.

The incident originally started when a U.S. technology company reported the original phishing email, which posed as the company’s CEO asking for payment for a third-party supplier. Rather than simply making a record of a failed fraud attempt and moving on, the SecureWorks team wanted to see how far they could take the reverse social engineering.

So they reached out to the attacker, pretending to trust the email, said Stewart.

“We convinced him that we are a willing dupe and to give us bank accounts, but anyone can do that,” he said. “We wanted to see, can we get this guy to give us enough information to identify himself.”

To do that, the researchers exploited a weakness in the phisher’s scheme. Victims who fall for the scam and pay typically are given a bank account owned by a third-party—the “money mules”—whose role is to launder the funds. To verify that the money was sent, the scammer will ask for the verification form sent by the bank.

SecureWorks’ researchers used a tool, called Vision, to create an online page that looked like an official bank receipt, but in reality, was a way to collect the attacker’s Internet addresses. The company also worked with financial institutions to close the money mule’s bank accounts.

The company later improved the process to require “verification” information from the fraudster and through this technique, gathered more information on the attacker, including his actual cell phone number and the authorization token for his Facebook identity. SecureWorks declined to name the fraudster as a criminal investigation is pending, the company said.

“They tend to be just as susceptible to phishing attacks as other people,” Stewart said.

While scamming the attackers is a labor intensive process, it does dramatically impact their profits. Money mules require time to establish bank accounts and identifying information could possibly lead to arrest, he said.

Yet, defenders need support from governments and law enforcement, the company said.

“We would be happy if there was a central point to report these types of attacks,” Stewart said.