GovInfoSecurity.com - Information Security News, Regulations, & Education

Online Fraud: An Insider's View of Today's Top Threats

RSA Researcher Shares Insights on Fraudsters, Tools of Their Trade
September 14, 2009 - Linda McGlasson, Managing Editor

Trojans. Harvesters. Mules. They're the backbone of the underground fraud economy, which is "vibrant" and worth billions, according to one international researcher.

And don't be swayed into a false sense of security by the recent indictment of Albert Gonzalez, who is charged with masterminding the Heartland Payment Systems breach of 130 million credit and debit cards. Gonzalez is but one representative of a thriving hidden network of fraudsters who are plying ever trickier tools of the trade, says Uri Rivner, lead researcher at RSA's Anti-Fraud Command Center in Israel.

"When I started my research, I believed, as many others did at the time, that a single fraudster could perpetrate fraud on their own," says Rivner. But after a decade spent researching the fraud economy, he now sees a sophisticated business model, replete with specializations and multi-levels of participants. "It's no longer the romantic notions of Matthew Broderick's character in 'War Games' penetrating the Pentagon's war computer."

Indeed, fraud is an international business, and it preys upon businesses in every country.

RSA alone stopped $1.2 billion worth of online fraud in 2008, Rivner says - and this represents what experts believe to be just a fraction of the crime's extent. "The economy of fraud is estimated into the billions, just in the U.S. alone," he says. "It is a very big issue."


Careers in Fraud

The two main "career paths" in the online criminal economy are harvesting and cash-out, Rivner says.

Harvesting is the side of the business that goes after credentials, typically one user at a time. The credentials are obtained through skimming, phishing and trojans. "The harvesting fraudsters are interested in one thing -- access credentials to online bank accounts, PIN numbers, account numbers, credit card numbers," Rivner says. By his count, the number of such incidents hitting ordinary online users each month runs into the millions.

Other groups, such as the one Gonzalez is accused of masterminding, target payment processors and retailers such as Heartland and TJX rather than individuals. "These fraudsters are bent on getting into large databases to try and get as much information as possible, sometimes using an insider in the retail side or company," he observes.

The harvesting fraudster's weapons of choice are phishing kits and Trojans. But harvesting alone does not produce cash, Rivner says: "At the end of the day, they have to empty these accounts they've taken. They have stolen 1,000 credit card numbers, but they don't know how to cash them out. Or they have information on 10,000 online bank accounts, but they don't have the infrastructure to cash in on those accounts."

The harvester will then turn to sell the information to the cash-out side of the criminal model. Cash-out fraudsters are adept at getting money either through ecommerce transactions or online banking transfers, without leaving a trail that can be traced back to them.

Cash-out takes several forms. Stolen card numbers are used for online purchases. In the case of ATM fraud, if the fraudster also has the PIN, the card is cloned and used to withdraw cash from ATMs. In online banking, the money is moved out of the victim's account into an account the fraudsters control. It cannot be their own account, or they would be caught very quickly, Rivner says. "But, instead, the cash-out fraudster will use another online banking account (hired money mules) to transfer the money to the fraudsters."

Sadly, Rivner says, most of the time the unwitting money mules don't realize they are part of a money laundering ring until their bank or a law enforcement agency contacts them. Typically, money mules are recruited, "given some story, receive money transfers, take the money out and wire it internationally to a money drop. Then the money goes to the cash-out fraudsters," he says.
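The recruit, receive, withdraw, wire sequence Rivner describes is exactly the kind of pattern a bank's transaction-monitoring team writes rules against. The following is an added example, not code from the article or from RSA: a small rule that flags an account when a credit from a payer never seen before on that account is followed, within a short window, by cash withdrawals and foreign wires that move most of the money back out. The field names, thresholds (48 hours, 75 percent), home country and the sample ledger are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    ts: datetime
    account: str       # account the transaction posts to
    kind: str          # "credit_in", "cash_out" or "wire_out"
    counterparty: str  # payer for credits, "ATM" for cash, beneficiary for wires
    amount: float
    country: str       # origin for credits, destination for wires


# Constructed sample ledger for this example; no account, payer or amount
# here is real. M-1 behaves like a mule: an unexplained inbound transfer is
# mostly withdrawn and wired abroad the same day.
SAMPLE_LEDGER = [
    Txn(datetime(2009, 9, 1, 9, 0), "M-1", "credit_in", "V-77", 4800.0, "US"),
    Txn(datetime(2009, 9, 1, 11, 30), "M-1", "cash_out", "ATM", 1000.0, "US"),
    Txn(datetime(2009, 9, 1, 14, 0), "M-1", "wire_out", "DROP-9", 3600.0, "UA"),
    # N-2: salary in, rent out four days later, all domestic
    Txn(datetime(2009, 9, 1, 9, 0), "N-2", "credit_in", "EMPLOYER", 2500.0, "US"),
    Txn(datetime(2009, 9, 5, 9, 0), "N-2", "wire_out", "LANDLORD", 1200.0, "US"),
    # N-3: a repeat payer followed by a remittance abroad; the payer is known
    Txn(datetime(2009, 8, 1, 9, 0), "N-3", "credit_in", "V-12", 900.0, "US"),
    Txn(datetime(2009, 9, 1, 9, 0), "N-3", "credit_in", "V-12", 950.0, "US"),
    Txn(datetime(2009, 9, 1, 10, 0), "N-3", "wire_out", "FAMILY", 900.0, "MX"),
]


def find_mule_patterns(txns, home="US", window=timedelta(hours=48), ratio=0.75):
    """Flag accounts where a credit from a never-before-seen payer is followed,
    within `window`, by cash withdrawals and/or foreign wires that together
    move at least `ratio` of the credited amount back out.

    Returns one alert dict per suspicious inbound credit.
    """
    by_account = {}
    for t in sorted(txns, key=lambda t: t.ts):
        by_account.setdefault(t.account, []).append(t)

    alerts = []
    for account, rows in by_account.items():
        seen_payers = set()
        for i, credit in enumerate(rows):
            if credit.kind != "credit_in":
                continue
            first_time = credit.counterparty not in seen_payers
            seen_payers.add(credit.counterparty)
            if not first_time:
                continue  # established payer: outside this rule's scope

            moved = 0.0
            legs = []
            for later in rows[i + 1:]:
                if later.ts - credit.ts > window:
                    break  # rows are time-ordered, nothing further qualifies
                is_cash = later.kind == "cash_out"
                is_foreign_wire = later.kind == "wire_out" and later.country != home
                if is_cash or is_foreign_wire:
                    moved += later.amount
                    legs.append(later)

            if legs and moved >= ratio * credit.amount:
                alerts.append({
                    "account": account,
                    "payer": credit.counterparty,
                    "received": credit.amount,
                    "moved": moved,
                    "legs": [(l.kind, l.counterparty, l.country, l.amount) for l in legs],
                })
    return alerts


if __name__ == "__main__":
    for a in find_mule_patterns(SAMPLE_LEDGER):
        print(f"{a['account']}: {a['received']:.2f} from {a['payer']}, "
              f"{a['moved']:.2f} moved out via {a['legs']}")
```

Run as a script it flags only M-1. The two control accounts show the rule's deliberate limits: N-2 moves money out domestically and well outside the window, and N-3 receives from a payer already on the account's history, so neither trips the rule. A real deployment would tune the window and ratio per customer segment and feed the alert into a case queue rather than block on it, since a genuine first-time payment followed by a remittance looks the same on the ledger.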

The two sides of the fraud economy -- the cash-out and the harvesting fraudsters -- know each other only virtually, Rivner says. "They do all of their business online, they collaborate, establish business relationships in fraud forums or chat rooms." Dozens of such forums are active these days, with thousands of users all looking for business ventures. The fraudsters share tools, give advice, sell information and basically do business on these sites. All of this makes for an interesting "dark" economy that has sprung up in the last couple of years.

Tools of the Trade




Question: Where have you seen the greatest growth in attempted fraud this year?

Great article and great comment!!!

To 'ditto' the previous comment, everyone keeps talking about the problem and continues to expect major companies who keep selling the same mature technology to provide better protection.

Adding enhanced updates and new releases or versions to the same old technology here and there may help justify the purchase price but in truth, they serve to give companies the false sense they are more secure than before.

However, these solutions themselves are no longer robust enough in their basic technology to combat sophisticated crime rings who have long ago figured out how to beat long standing industry security tools. Cyber thieves' time to market is swift, and the damage they do is accomplished in less time than it takes a security company to hold a development meeting... let alone get enhancements to market.

What we SHOULD be doing is looking at the efficacy of those products that are budgeted for year-after-year, looking at the level of risk they mitigate, and then exploring INNOVATIVE solutions to incorporate into a layered security program. What is that old expression... "Penny wise and pound foolish"?

There is zero hope of mitigating creative and organized cyber theft with tools that have lost their effectiveness if we do not invest time exploring innovative security solutions.

If we keep accepting solutions that can't keep pace with the threat landscape to provide optimum security, again, we can only expect our systems and computers to be hacked and breached.

The time required and the cost to recover (if ever) is many times higher than incorporating innovative solutions and building sound DLP. The price paid to recover from the damage done to our branded name in addition to high legal expenses is not worth clinging to minimum 'checklist' compliance. Case-in-point... Heartland Payment Systems. This was a true "teaching moment" we all need to learn from.

Great article. Wonder at what point this insight is going to make a difference in how all businesses & government view security.

From what I've seen, most have adopted bare bones DLP coupled with a reactive security approach. And let's not forget doing the bare minimum to be PCI compliant and not moving beyond the "checklist" certification to adopting a sound data security program. Bob Carr just spoke last week, or rather warned other companies WRT to utilizing the services of QSA low bidders... as they did.

I say this over and over: We devote a considerable amount of time and ink to talking about the problem, but when it comes to solutions ... we are not ready to budget for innovative security.

We are expecting the tools trusted partners have developed, and which we've been using for years as our security foundation (such as firewalls, gateway security, filters, AV, etc.) to do a better job. But they haven't proven much beyond how vulnerable their tools have become and how the efficacy of their products in fighting the threat landscape is tough because the bad guys appear to be much smarter at developing effective tools.

And consider the cyber criminals' 'time-to-market.' Their malware hits with lightning speed and is proliferated faster than any groomed sales force can get through the sales cycle. Info to clients, demos, evaluations, trials, team approval, signature authority for purchase approval. By the time this process is completed, the thieves have made off with millions. ;-)

What is that expression? "... keep doing the same things and expecting different results." ;-)