image of breaking badness
Breaking Badness
Breaking Badness

[Special Report] Ransomware and Mortgage Brokers

It’s a special report episode of Breaking Badness! This week we’re joined by Austin Northcutt, Solutions Engineer here at DomainTools, along with Yelisey Bohuslavskiy, Chief Research Officer at RedSense

At DomainTools, Austin works closely with our clients ensuring they are getting the most out of the products that they purchase from DomainTools and helps them identify pivot points and furthers some of their investigations by providing additional insight as to what he sees. He also gets into some cybersecurity research on the side that would be of interest to our community (this is also the reason we gathered to record this episode!) 

Yelisey is a partner and Chief Research Officer at RedSense, previously Head of Research and co-founder of Advanced Intelligence. His main role has been tracking top tier ransomware groups, primarily from Russian-speaking communities. His role is to ensure that the damage they are capable of delivering is mitigated or prevented. 

Below are some highlights from our episode, but be sure to listen in for the full details of our exciting discussion. 

Ransomware and Mortgage Brokers

As stated above, Austin’s research is the reason the three of us gathered around the mic. Over the past few months, there has been a pattern of ransomware attacks against mortgage brokers – specifically large US mortgage brokers. Most recently on January 9, 2024, we saw that Loan Depot had publicly stated they were victims of a ransomware attack by a threat actor who has not yet been named – that’s when Austin really began noticing the pattern and began going backward to November when Fidelity National Financial also acknowledged a cyber incident. 

Why Are Mortgage Brokers Targets of Ransomware? 

Although ransomware is still considered extremely primitive and sometimes it’s more about luck and being at the right place at the right time, these actors are still adapting and able to understand which industries are good or viable targets. The mortgage broker industry is viewed as a cash-flush industry and the victims may be more likely to pay due to the sensitivity of the data they are handling. Exfiltrated, or stolen, data is of high value whether or not the threat actor even deploys a crypto locker. It’s also a highly regulated industry of which the government is concerned, so these entities don’t want to be penalized by corporate or their government. 

Mortgage Broker Targets

We have five major mortgage brokers who have been hit with ransomware thus far: Mr. Cooper, Fidelity, National Financial, First American Financial, and Loan Depot who have all acknowledged some sort of breach or cyber attack. In addition, we have Meridian Link, which is a web-based loan organization system that’s used by a number of credit union customers, including some of those victims, we’re able to see some information linked to those.

Noteworthy Tactics and Techniques

From Austin’s understanding, we’re seeing a lot of targeting and variations of account compromise, maybe some MFA (multi-factor authentication) reset activity that’s going on, things that could lead back to Scattered Spider-related initial compromises or social engineering. 

One of the biggest weaknesses these threat actors are exploiting is that of the Help Desk. The problem is, it’s right there in the name – “Help Desk” – they want to be helpful to employees (or those they believe to be employees), but their mindset should shift from “help” to “security.” Attacks such as these could come down to how you can better train our employees to protect their credentials. 

Retroactive Domain Hunting

Prior to recording, Austin mentioned he would perform some retroactive domain hunting to see if there were any domains that might have been used to support the credential harvesting or targeting of the mortgage brokers involved. He didn’t find anything that stuck out, which he believes is indicative of the FBI notifications regarding Scattered Spider and the domain naming structures they used. The actors are very well aware of this and they will adapt their tactics to say, “well everyone knows I’m going to the left, so I’m instead going to go to the right.”

What Austin did see was an interesting pattern of what he would call “cyber ambulance chasers,” where in the day of, or the day after these breaches were announced by the companies, threat actors began setting up domains that used naming structures related to the victim company. We saw a pattern in Iris Investigate regarding the server type used (registrar), so this is indicative that perhaps these are some fraud groups that are setting these up and responding. 

Ransomware Prediction for 2024

Kali asked Yelisey if he feels that ransomware gangs will use AI more to their advantage, and the response was surprising! He shared that he has been working on prevention for six years, and every year he’s still shocked by the de-sophisication of ransomware actors, which is possibly a good thing, but when you can take the simple route on the social side, you don’t really need to evolve too much on the technical side. 

Yelisey thinks this might actually be the last year for ransomware because the government is feeling pretty comfortable taking these actors down. Once you remove the social aspect of ransomware, you’ve most likely killed the group, and he hasn’t seen successful rebrands once the takedown occurred. Ransomware as a concept emerged so quickly and it could go just as fast as it came. He admits it’s an optimistic prediction, but his hope is that is what could happen this year.

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!