Why the AFP wants you to know about "drift netting" attacks

The Australian Federal Police has coined a new term for a specific type of phishing attack targeting human resources and payroll platforms, revealing a rise in successful "drift netting" attempts over the past year.

Speaking to the Australian Cyber Security Centre conference in Canberra today, AFP cybercrime operations team leader Scott Mellis revealed how attackers are infiltrating payroll systems to exfiltrate money for mules.

His team has appropriated the term "drift netting" - traditionally used to describe a fishing technique where nets hang vertically in water without anchors - to describe the growing type of attack.

"Phishing has been such a big deal in cyber security and cyber crime for such a long time. I'm hoping to create a new word, hopefully it will catch on," Mellis said.

"[Drift netting] refers to the process where a crook changes something, waits for the natural process to run on the platform, and then cashes out. We saw this against payroll systems especially towards the end of last year."

Mellis said the AFP had been made aware of multiple victims of drift netting attacks in the past 12 months.

Typically, attackers infiltrate HR and payroll platforms through credentials purchased on the black market, allowing them to impersonate staff members.

Criminals can be known to first make small, insigificant changes to an employee payroll account to test the waters, Mellis said.

The standard approach is log in with the stolen credentials, check for the date of the next pay run, and log out until closer to the date. When the affected employee is due to be paid, the attacker logs back in and alters payee account details to those of multiple mules "so there's no single point of failure", Mellis said.

The pay is then delivered to the mule accounts, with the criminals immediately transfering the funds elsewhere.

"Employee rebellion [once their pay is not received] is usually the first sign to the organisation that there's a problem," Mellis said.

He said similar attacks had been noted using invoice software over the last year, where attackers similarly use stolen credentials to log in and alter payee account details to redirect funds to money mules.

"It can take months for an organisation to detect [these attacks] until they get a call from an angry supplier," Mellis said.

"That was quite rampant at the end of last year." 

Mellis was outlining trends in cybercrime identified by the AFP over the last two years, also singling out attacks on share trading and investment platforms.

He highlighted the case of a single IP address within a Queensland business being used to access black markets for credentials and control panels used to adminster malware to target Australian financial institutions.

Mellis said he was advised by several banks that $30,000 of fraud had emanated from that IP address.

"We executed a search warrant on a small business. We had a hunch it was a compromised box, we didn't think we were dealing with a local actor - the business had no idea they were compromised. We took an image and tapped the network overnight," he said.

"Using Internet Evidence Finder we rebuilt the browsing history to show a focus on share trading platforms, like Commsec. Further analysis of the data revealed the compromised box was also being used to access repositories of stolen data."

The AFP then discovered a server in Moldova with around 70GB of keylog data being accessed by the IP address, Mellis said, and found that the credentials being sought were solely from Australian share trading and investment platforms and superannuation fund managers.

"\We hadn't seen too much of that before," Mellis said.

"Then [later] we came across some attacks on super brokers - so those who manage super accounts on behalf of investors. We noticed suspicious sums of money being transferred from Australian financial institutions into mule accounts

"We found two brokerage services making quite unusual transactions and ... after a bit of analysis we found were artefacts of financial malware on those platforms, possibly Citadel."

The common theme among affected platforms, Mellis revealed, was a lack of verification.

"Controls were in place but they were quite weak. [As an example] email notifications were only sent to investors after the money was transferred, and that email address was also unverified," he said.