Online Fraud: An Insider's View of Today's Top Threats
RSA Researcher Shares Insights on Fraudsters, Tools of Their Trade
And don't be swayed into a false sense of security by the recent indictment of Albert Gonzalez, who is charged with masterminding the Heartland Payment Systems breach of 130 million credit and debit cards. Gonzalez is but one representative of a thriving hidden network of fraudsters who are plying ever trickier tools of the trade, says Uri Rivner, lead researcher at RSA's Anti-Fraud Command Center in Israel.
"When I started my research, I believed, as many others did at the time, that a single fraudster could perpetrate fraud on their own," says Rivner. But after a decade spent researching the fraud economy, he now sees a sophisticated business model, replete with specializations and multi-levels of participants. "It's no longer the romantic notions of Matthew Broderick's character in 'War Games' penetrating the Pentagon's war computer."
Indeed, fraud is an international business - preying upon businesses internationally.
RSA alone stopped $1.2 billion worth of online fraud in 2008, Rivner says - and this represents what experts believe to be just a fraction of the crime's extent. "The economy of fraud is estimated into the billions, just in the U.S. alone," he says. "It is a very big issue."
Careers in Fraud
The two main "career paths" in the online criminal economy are harvesting and cash-out, Rivner says.
Harvesting is where criminals go after credentials -- typically from a single user. These credentials are gained through skimming, phishing and Trojans. "The harvesting fraudsters are interested in one thing -- access credentials to online bank accounts, PIN numbers, account numbers, credit card numbers," Rivner says. The number of such incidents hitting regular online users each month is in the millions, he adds.
Other groups, such as the one Gonzalez is accused of masterminding, target payment processors and retailers such as Heartland and TJX rather than individual users. "These fraudsters are bent on getting into large databases to try and get as much information as possible, sometimes using an insider in the retail side or company," he observes.
The harvesting fraudster's weapons of choice are phishing kits and Trojans. Once the harvesting is done, Rivner says, "At the end of the day, they have to empty these accounts they've taken. They have stolen 1000 credit card numbers, but they don't know how to cash them out. Or they have information on 10,000 online bank accounts, but they don't have the infrastructure to cash in on those accounts."
The harvester then sells the information to the cash-out side of the criminal model. Cash-out fraudsters are adept at getting money out either through ecommerce transactions or online banking transfers, without leaving a trail that can be traced back to them.
They do this by using the cards online, or, in the case of ATM fraud, by cloning the card when they have the PIN and using the clone to withdraw cash from ATMs. In online banking, they move the money out of the victim's account into an account that they control. It cannot be their own account, or they would be caught very quickly, Rivner says. "But, instead, the cash-out fraudster will use another online banking account (hired money mules) to transfer the money to the fraudsters."
Sadly, Rivner says, most of the time the unwitting money mules don't realize they are part of a money laundering ring until their bank or law enforcement agencies contact them. Typically, money mules are recruited, "given some story, receive money transfers, take the money out and wire it internationally to a money drop. Then the money goes to the cash-out fraudsters," he says.
The two sides of the fraud economy -- the cash-out and the harvesting fraudsters -- know each other only virtually, Rivner says. "They do all of their business online, they collaborate, establish business relationships in fraud forums or chat rooms." Dozens of such forums are active these days, with thousands of users all looking for business ventures. The fraudsters share tools, give advice, sell information and basically do business on these sites. All of this makes for an interesting "dark" economy that has sprung up in the last couple of years.
Tools of the Trade
Most recently, fraudsters have moved away from phishing to Trojans, Rivner says. Trojans are invisible, hard to detect, and the infection rates are very high. They also are very sophisticated and can be tailored to counter specific defenses, making them the malware of choice for the fraudsters. Two Trojans being sold in the online underground, for example, are Zeus, typically sold for $1,000, and Limbo, which goes for $350.
How they work: Zeus and Limbo do not breach a bank or lead a customer to a spoofed website. Instead, "[the Trojan] is running on the same HTML of the bank web site, but right before the session starts, Limbo injects extra fields into the page," he explains. The session is real; it is recorded locally and sent over to the hacker, who can see everything the bank customer is doing while on the site.
RSA's Anti-Fraud Command Center set up a dummy online banking website to test the Trojans. Limbo added two extra fields to the site -- the ATM number and the ATM PIN number. "If an average consumer is asked for additional information, they'll become a little suspicious," Rivner says. "If they are technology savvy, they'll click on the yellow lock and see it's the real SSL session."
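One defensive counterpart to the form-injection behaviour described above, as an added example that is not code from the article, from RSA or from the Trojan authors: a page-integrity check that compares the input fields actually present on a bank's login page against a baseline the bank publishes, and flags extras such as the two ATM fields Limbo added to the test site. The baseline, the sample pages and the sensitive-name heuristic are constructed for this example; in a real browser the field list would come from `document.querySelectorAll('input')` rather than the small regex extractor used here so that the block runs under Node.

```javascript
// Added example (not from the article or RSA): detecting form fields that a
// man-in-the-browser Trojan has injected into an otherwise genuine bank page.
// The bank ships a baseline of the fields its login page is supposed to
// contain; a monitoring script compares the live page against it and reports
// any extras. A regex extractor over constructed HTML strings stands in for
// the live DOM so this runs under Node without a browser.

// Baseline published by the bank (constructed for this example).
const LOGIN_PAGE_BASELINE = {
  path: '/login',
  fields: ['username', 'password', 'remember_me'],
};

// Pull the name attribute out of every <input> tag in an HTML string,
// lower-cased so that case tricks in injected markup do not evade comparison.
function extractInputNames(html) {
  const names = [];
  const inputTag = /<input\b[^>]*>/gi;
  const nameAttr = /\bname\s*=\s*["']?([^"'\s>]+)/i;
  for (const tag of html.match(inputTag) || []) {
    const m = tag.match(nameAttr);
    if (m) names.push(m[1].toLowerCase());
  }
  return names;
}

// Compare observed field names against the baseline. Returns the names that
// should not be there (possible injection) and the names that are missing
// (possible page rewrite), so the caller can decide how to alert.
function checkFormIntegrity(baseline, observedNames) {
  const expected = new Set(baseline.fields);
  const observed = new Set(observedNames);
  const injected = [...observed].filter((n) => !expected.has(n));
  const missing = [...expected].filter((n) => !observed.has(n));
  return { injected, missing, tampered: injected.length > 0 || missing.length > 0 };
}

// Heuristic (constructed): injected field names that look like card or PIN
// data deserve the highest alert priority, since that is exactly what the
// Limbo test page asked for.
const SENSITIVE_PATTERNS = [/atm/, /pin/, /card/, /cvv/, /ssn/];
function classifyInjected(names) {
  return names.map((n) => ({
    name: n,
    sensitive: SENSITIVE_PATTERNS.some((p) => p.test(n)),
  }));
}

// Constructed sample pages: the genuine login form, and the same form after
// a Trojan has inserted two extra fields between the real ones.
const GENUINE_PAGE = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="remember_me">
</form>`;

const INJECTED_PAGE = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ATM_Number">
  <input type="password" name="atm_pin">
  <input type="checkbox" name="remember_me">
</form>`;

// Run the full check for one page snapshot.
function auditPage(html) {
  const result = checkFormIntegrity(LOGIN_PAGE_BASELINE, extractInputNames(html));
  return { ...result, details: classifyInjected(result.injected) };
}

console.log(JSON.stringify(auditPage(GENUINE_PAGE)));
console.log(JSON.stringify(auditPage(INJECTED_PAGE)));
```

The check deliberately reports missing fields as well as extra ones: a Trojan that replaces the whole form, rather than adding to it, would otherwise slip past a test that only looks for additions. Because the Trojan controls the browser, a script like this is a detection signal to be sent back to the bank's monitoring side, not a control the client can be trusted to enforce on its own.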
Not many people are aware of the sophistication of these new trojans, Rivner observes. What is more worrying is the speed at which they are spreading. On a weekly basis, "there are thousands of sites that are infected, and if visitors don't have the most updated security, then they'll most probably be infected," Rivner says. "The fraudsters are very good about adding these vulnerabilities, and end up infecting users visiting these sites until a patch is released."
Another form of infection is a legitimate website that has been compromised to serve malicious code. Anyone browsing such a page may be infected if their system has certain unpatched vulnerabilities; this is known as "drive-by infection." Mitigation is mainly a matter of making sure one's operating system automatically installs the latest security patches, and that the antivirus and firewall are up to date. This reduces the risk of infection dramatically.
The security industry has set up prevention measures such as phishing takedown services and anti-Trojan services, which are augmented with information from malware labs, Rivner says. The takedown operations monitor the fraudsters and how they move information. Through intelligence monitoring of cash-out operations, these services often stop the transactions from taking place, and implement adaptive authentication methods that change the questions asked or add a third method of authenticating the transaction.
Knowledge-based authentication is also used, especially in other channels such as the telephone, which is also being hit with heightened fraud attempts.
When a customer calls and asks for something out of the ordinary or high risk, the customer service rep will ask questions that only the customer would know, such as previous assets they owned or previous addresses they lived at, says Rivner.
These emerging threats are here to stay, and the arms race is on, Rivner says. "The best bet is to have a flexible framework to respond to emerging threats," he adds. "It is a celestial alignment for fraudsters: So much better technical infrastructure, so much better infection, and the poor economy makes it easy to recruit the mules ... the atmosphere is right for fraud."