For more than a decade, wire fraud has dominated the real estate and financial services industries, and it has expanded in the last five years. It is endangering our industry's credibility and causing significant losses to consumers and businesses. In this Article, the fundamental components of these attacks will be explained and advice on how individuals and businesses can protect themselves will be offered.

"Why is it so common in a real estate transaction?" you may wonder. While more sophisticated attack methods and potentially higher rewards exist (e.g., ransomware), wire fraud can net hackers thousands, if not millions, of dollars with minimal effort. 

While there are several approaches, most attacks begin with reconnaissance and phishing for an individual's email credentials. Searching for a multiple listing service (MLS) listing, such as on Zillow or Redfin, can be a good starting point. MLS listings contain public information about properties and ownership. The phone number and email address of the listing agent/agency are also publicly available on these platforms. After obtaining this information, the attacker may send a phishing email that appears to be from the realtor. It may or may not be a transaction relater. The attacker's goal is to trick the victim into entering their email credentials on a fake website set up by the attacker to look like a login portal that the victim is familiar with.

In some cases, an attacker can begin with a target's personal email and progress to their business email. The most common phishing attack on personal credentials is via OpenID, and you've probably seen it before. OpenID enables a person to sign into multiple websites using an existing account without having to create a new password. Social networks like Facebook, Instagram, and LinkedIn, as well as email platforms like Google, Microsoft, and Yahoo, are the most popular OpenID providers. The fact that the bait can be anything - any organized website - makes OpenID appealing to hackers. Users who are accustomed to utilizing OpenID for login will not hesitate to enter it on a bogus attacker's control landing page.

After stealing a victim's email credentials, the hacker logs into the user's email system. Worse, most email solutions are available via the internet via a browser. If the user's email account is not protected by two-factor authentication, the hacker assumes their identity and begins monitoring all email traffic. The attacker's first course of action is to frequently establish a backchannel in case the user notices any suspicious activity and changes the email password. They will accomplish this through the manipulation of mail rules. For example, the hacker may set up a rule to send a copy of every incoming and outgoing email to an email address that they control.

Another common method is to exploit flaws in victims' computers, operating systems, browsers, or ancillary tools and install malware. Key loggers and (remote access) trojans are the two most common types of malware. Any keystrokes a user types on their keyboard, including URLs, usernames, and passwords, are collected by the keylogger and sent to the attacker. The remote access trojan creates a secure tunnel between the hacker and the victim's computer, allowing the attacker to monitor and control the victim's computer.

The groundwork has been completed; patient zero has been identified and secured. The attacker is watching the email stream intently.

How Hackers Use Lookalike Email Domains to Derail Transactions

We already discussed the fundamentals of wire fraud, which begin with social engineering, a convincing phishing email, and credential harvesting via the hacker-created and controlled website. If the attacker is successful, he or she has access to the victim's email credentials and survey correspondence to learn more about the victim and possibly acquire real estate transaction details. Now, let's talk about how hackers proceed with their attack and identify all parties to the targeted transaction in order to create the runbook for execution.

Part of that activity could be registering a similar domain to divert the unnoticed victim who may not pay attention to details. In this step, hackers search registrars for available domains that are identical to the target by dropping, adding, or swapping a single letter - for example, xyzconpany.com - or choosing a comparable name. For example, if xyzcompany.com is a target, the hacker may try to use xyzcompanyinc.com or xyzcompanyllc.com to construct an email address that appears extremely similar to the original email.

Double-check the email domain.

If that is not a possibility, the hacker will proceed to plan B, which is to create a random email address under the target's display name and register it with an open platform (e.g., Gmail, Outlook, Yahoo, etc.). Judy Realtor, for example, realtor xyzcompanyinc@gmail[.]com, where Judy Realtor is the name of a real estate agent, loan officer, or escrow officer. The attacker will later provide "updated" wiring instructions using the forged email account that appears familiar.

Email manipulation is one of the possible next stages. The attacker can actively access the victim's mailbox or circumvent mail regulations. During the transaction, for example, emails are sent to a group of participants for various actions or informational objectives. An attacker who wishes to intervene may build a set of mail rules. Assume the attacker wishes to send new (false) wiring instructions to a seller via the email account they control, posing as an escrow officer. In that instance, they must make certain that the letter does not reach the "true" escrow officer. As a result, they may set up a mail rule to modify recipients' addresses or intercept and delete emails that should never be seen by the actual recipient.

Pay attention to the details in the signature.

Remember that the attacker may have seen every email in the victim's mailbox at this stage, so they are familiar with each party and their position in the transaction. They can also duplicate everyone's signature block so that when it's time to send an email from the "fake" account, they can substitute the authentic signature of the person they're attempting to mimic. Take note of the subtleties in the signature. In the event that the victim phones for confirmation, the criminal will sometimes swap a phone number in the legitimate signature with one they control.

Remember that if a hacker gains access to a party involved in several transactions, they will have access to a variety of buyers, sellers, brokers, attorneys, lenders, and closing and escrow businesses. They can now bypass social engineering and go straight to the phishing credentials of new potential victims. It's what we call a vicious circle, and it's not restricted to a single transaction.

Be suspicious of last-minute wiring instruction changes.

Everything is now staged and ready for any last-minute wiring instructions changes. Modern attackers are well-versed in the property purchase process. They learn all stages of our cycle and craft convincing emails, especially for unassuming buyers or sellers who are unfamiliar with the wire fraud attempts that our industry suffers on a daily basis.

To be continued…