Stay Alert: Here are Ways Cyber Attackers Target Real Estate Transactions

October is Cyber Security Awareness Month, and our Chief Information Security Officer, Genady Vishnevetsky, is offering a few words of advice on securing real estate transactions, especially as we bring back in-person transactions. Read his insights below.

Cyber Security Series

Part 1: Steps Hackers Take

Wire fraud has dominated the real estate and financial services space for more than a decade and has exploded in the last five years. It's plaguing our industry with reputational risk and massive losses to consumers and businesses. In this three-part series, I will explain the fundamental pillars of these attacks and give some guidance on how individuals and companies can protect themselves.

You may ask, "Why is it so prevalent in real estate transactions?" While there are arguably more sophisticated attack methods with a potentially higher reward (e.g., ransomware), wire fraud can net hackers thousands, if not millions, of dollars with minimal effort. I will also explain why landing a single fish often keeps the hacker fed for a long time.

While there are several ways to get started, most attacks begin with reconnaissance and phishing for a person's email credentials. Starting points can include searching for a multiple listing service (MLS) listing, for example on Zillow or Redfin, which house public information about properties and ownership. The listing agent's or agency's phone number and email address are also publicly available on these platforms. After the attacker gathers this information, they may send a phishing email that would resonate with the realtor. It may or may not be transaction related. The attacker's goal is to lure the victim into entering their email credentials on a fake website that the attacker has staged to look like a login portal the victim will recognize.

In some cases, an attacker can start with a target's personal email and pivot from there to the business account. The most common phishing attack on personal credentials is through OpenID, and chances are you've seen it before. OpenID allows a person to use an existing account to sign into multiple websites without the need to create a new password. The most commonly used OpenID providers are social networks like Facebook, Instagram and LinkedIn and email platforms like Google, Microsoft and Yahoo. What makes OpenID lucrative to the hacker is that the bait can be anything - any orchestrated website. As long as users are accustomed to using OpenID for their login, they won't think twice about typing their credentials into a fabricated, attacker-controlled landing page.

Once a hacker steals a victim's email credentials, they log in to the user's email system. What's worse is that most email platforms are accessible from the internet via a browser. If the user does not have two-factor authentication protecting their email account, the hacker becomes them and starts monitoring all email flow. The attacker's first course of action is frequently to establish a backchannel in case the user notices suspicious activity and changes the email password. They do this by manipulating mail rules. For example, the hacker will configure a rule to send a copy of every incoming and outgoing email to an email address they control.
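A defender can hunt for this backchannel by auditing mailbox rules for forwarding to addresses outside the organization. The sketch below is an added example, not code from the original post; the rule layout, the domain list and every address in it are constructed assumptions standing in for whatever rule export your mail platform provides.

```python
# Constructed data: the rule layout and every address here are illustrative assumptions.
INTERNAL_DOMAINS = {"example-realty.test"}  # assumption: domains the organization owns

FORWARD_ACTIONS = ("forward_to", "redirect_to", "forward_as_attachment_to")
HIDE_ACTIONS = ("delete", "mark_as_read", "move_to_folder")

SAMPLE_RULES = [  # constructed sample export, one dict per mailbox rule
    {"mailbox": "agent@example-realty.test", "name": "Team copy", "enabled": True,
     "conditions": {}, "actions": {"forward_to": ["assistant@example-realty.test"]}},
    {"mailbox": "agent@example-realty.test", "name": ".", "enabled": True,
     "conditions": {}, "actions": {"forward_to": ["Archive <box42@mail-relay.test>"]}},
    {"mailbox": "escrow@example-realty.test", "name": "Wires", "enabled": True,
     "conditions": {"subject_contains": ["wire", "closing"]},
     "actions": {"redirect_to": ["ops@EXAMPLE-REALTY.test.lookalike.test"], "delete": True}},
    {"mailbox": "escrow@example-realty.test", "name": "Old", "enabled": False,
     "conditions": {}, "actions": {"forward_to": ["x@mail-relay.test"]}},
]

def domain_of(recipient):
    """Return the lower-cased domain of 'Name <user@host>' or 'user@host'."""
    addr = recipient.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rpartition("@")[2].strip().lower().rstrip(".")

def is_internal(recipient):
    # Exact match or true subdomain only, so look-alike hosts are not trusted.
    d = domain_of(recipient)
    return any(d == own or d.endswith("." + own) for own in INTERNAL_DOMAINS)

def audit_rules(rules):
    """Return findings for rules that send mail outside the organization."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        external = [r for key in FORWARD_ACTIONS for r in actions.get(key, [])
                    if not is_internal(r)]
        if not external:
            continue
        reasons = ["forwards to external address"]
        if not rule.get("conditions"):
            reasons.append("applies to all mail")
        if any(actions.get(k) for k in HIDE_ACTIONS):
            reasons.append("hides the original message")
        # Disabled rules are still reported: they can be evidence of past tampering.
        severity = "high" if rule.get("enabled") else "review"
        findings.append({"mailbox": rule["mailbox"], "rule": rule.get("name", ""),
                         "external": external, "severity": severity, "reasons": reasons})
    return findings
```

Calling `audit_rules(SAMPLE_RULES)` returns one finding per suspicious rule; the internal "Team copy" rule is not reported.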

Another common way to get in is to find weaknesses in the victim's computer, operating system, browser, or auxiliary tools and install malware. The two most common types of malware are the keylogger and the (remote access) trojan. A keylogger collects any keystrokes the user types on their keyboard, including URLs, usernames, and passwords, and sends them to the attacker. A remote access trojan establishes a secure tunnel between the hacker and the victim's computer and allows the attacker to monitor and control the target's computer.

At this point, the groundwork is done; patient zero has been identified and secured. The attacker is actively monitoring the email stream.

Special thanks to Genady for sharing this detailed breakdown. Make sure to follow us on social media to see when the next blog in this series goes live.