
Developing a High-Impact

Fraud Prevention Program

Jack Johnson

Manager, Security Operations Center

MarkMonitor

Stefanie Ellis

Product Marketing Manager, Anti-Fraud

MarkMonitor

Agenda

The Evolving Cybercrime Landscape

Internal and External Fraud Prevention Programs

Protect Your Brand: Actionable Steps

The Evolving Cybercrime Landscape

Phishing, BEC Scams, Malware

Sophisticated Social Engineering

Social engineering: the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Targeting New Industries

Retail: 1 in 690 Emails, Financial: 1 in 2,200

55% increase, 43% targeting SMB

430 Million, 36% increase

Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Source: Wikipedia

Top Phishing Targets by Industry 2015

New Phishing Targets on the Rise (chart: number of phishing attacks per year, 2013 to 2016, for Amazon, Dropbox and Google; y-axis 0 to 160,000)

Example: Cloud File Sharing Spoofed E-mail

Cloud File Sharing Spoofed E-mail Analysis

Malware binary will automatically download

Business Email Compromise (BEC)

Source: www.ic3.gov

Business Email Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

BEC: How Big is the Impact?

Source: theguardian.com

BEC: By the Numbers

According to the Internet Crime Complaint Center (statistics reported to IC3 from Oct. 2013 to Aug. 2015; source: www.ic3.gov):

            # Victims   Total exposed loss
    US          7,066       $747,659,840
    Non-US      1,113        $51,238,118
    Total       8,179       $798,897,958

270% increase in identified victims and exposed loss from January to August 2015

According to the FBI (source: https://www.fbi.gov/cleveland/press-releases/2016/fbi-warns-of-rise-in-schemes-targeting-businesses-and-online-fraud-of-financial-officers-and-individuals):

            # Victims   Total exposed loss
    Total      17,641     $2,300,000,000

Who Gets Targeted by BEC Scams?

Are you an employer? Are you an employee? Are you connected to the internet? Do you have access to money? Do you make money? Do you spend money? Do you pay bills? Do you like shiny things? Are you on Earth?

Choosing the Right Bait

<< Fishing Lures | Phishing Lures >>

Harvested Look-alike Domains


BEC Scenario: Executive Impersonation

Simulates a communication from an executive requesting a payment or data

Targets finance team and/or purchasing departments, or Payroll/HR departments

Employee responds by processing wire transfer or providing W-2 files equating to financial loss and/or massive data breach

BEC Scenario: Invoice Scheme

Compromised legit vendor account

False notifications regarding payment

Request to pay multiple vendors

Finance submits payment

Payment transfer

Payout

Evasion and Obfuscation

Geographic IP address blocking

Language blocking

• Browser Language detection

URL Shortening services

• Know which can be repurposed

URL Redirections

• Daisy chained

Extremely long URLs

• String too long for database (1024)

No TOR allowed

One Time URLs

URL Tracking Services being used

Scam Redirector v0.1

Insider Threat

Source: Office Space, 1999, 20th Century Fox

Using Social Media and Targeting HR

Business/professional social media sites like LinkedIn provide a treasure trove of data about an organization and its employees

• Fake professional profiles connect with legitimate users, allowing fraudulent direct messages to be delivered easily

• Six degrees of separation: access to a subset of employees adds legitimacy and opens access to executives or accounts payable team members

Threat actors are using internal distribution lists to deliver malicious attachments

HR personnel commonly open .pdf attachments to review resumes

Malware and Ransomware

Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Source: Wikipedia

Ransomware is a type of malware that can be covertly installed on a computer without knowledge or intention of the user that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Source: Wikipedia

MaaS - Malware as a Service

Provides Malware builder and control panel to manage the campaigns

Remote Access Trojans (RATs)

• Collect keystrokes

• Steal cached passwords and grab data from web forms

• Take screenshots

• Take pictures and record video from the webcam

• Record sound from the microphone

• Transfer files

• Collect general system and user information

• Steal keys for crypto-currency wallets

• Manage SMS (for Android)

• Steal VPN certificates

JSocket

AlienSpy

AdWind

AnglerEK

COTS Malware

Rogue Wi-Fi

Source: http://krebsonsecurity.com/2016/04/new-threat-can-auto-brick-apple-devices/

USB Drives

RaaS – Ransomware as a Service

Major ransomware families

• Cryptowall – 85% of all detected ransomware

• Locky – can encrypt files via the network

• TeslaCrypt

Apple OS X compatible

• Locky (deletes itself if the OS is Russian)

• Cerber (will terminate if the host machine comes from 13 Eastern European countries)

• KeRanger – appeared in March 2016

Locky introduced profit sharing model

• Locky author receives 15-20%

EC-Council Waterhole Attack

• March 21, 2016

• Angler Exploit Kit serving TeslaCrypt ransomware

• Victims were asked to pay 1.5 Bitcoin = $600

Locky E-mail

Locky JS Payload

Internal and External Fraud Prevention Programs & Action Steps

What Can You Do Externally?

Get help! An anti-fraud service provider has extensive industry expertise and is equipped for quick mitigation on the visible internet:

• Monitor for look-alike domain registrations

• Utilize Fraudcasting/Blocking to prevent consumer access to the malicious website

• Disable fraud email addresses or phishing/malicious websites quickly

What Can You Do Internally?

Block emails from new domains for a specified period of time

Aggressively and persistently educate employees

Understand why you are a target and make your company harder to target

Preparation is Key

Have fraud processes identified before the firefighting starts

Good email skepticism isn’t about reducing trust but increasing education and awareness

Empowered employees make better decisions

Is your organization ready?

Q&A

Thank You!

For information on MarkMonitor solutions, services and complimentary educational events:

Contact via email: [email protected]

Visit our website: www.markmonitor.com

Contact via phone: US: 1 (800) 745 9229 Europe: +44 (0) 203 206 2220