TRANSCRIPT
Developing a High-Impact
Fraud Prevention Program
Jack Johnson
Manager, Security Operations Center
MarkMonitor
Stefanie Ellis
Product Marketing Manager, Anti-Fraud
MarkMonitor
Agenda
The Evolving Cybercrime Landscape
Internal and External Fraud Prevention Programs
Protect Your Brand: Actionable Steps
The Evolving Cybercrime Landscape
Phishing BEC Scams Malware
Sophisticated Social Engineering
Social engineering: the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
The Evolving Cybercrime Landscape
Phishing BEC Scams Malware
Sophisticated Social Engineering
Targeting New Industries
Retail: 1 in 690 Emails, Financial: 1 in 2,200
55% increase, 43% targeting SMB
430 Million, 36% increase
Phishing
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Source: Wikipedia
Number of Phishing Attacks
[Chart: phishing attack counts by year, 2013 to 2016; vertical axis 0 to 160,000]
Amazon
Dropbox
Business Email Compromise (BEC)
Source: www.ic3.gov
Business Email Compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
BEC: By the Numbers
According to the Internet Crime Complaint Center
          # Victims    Total exposed loss
US        7,066        $747,659,840
Non-US    1,113        $51,238,118
Total     8,179        $798,897,958
Source: These BEC statistics were reported to the Internet Crime Complaint Center from Oct. 2013 to Aug. 2015; www.ic3.gov
270% increase in identified victims and exposed loss from January to August 2015
According to the FBI
          # Victims    Total exposed loss
Total     17,641       $2,300,000,000
Source: https://www.fbi.gov/cleveland/press-releases/2016/fbi-warns-of-rise-in-schemes-targeting-businesses-and-online-fraud-of-financial-officers-and-individuals
Who Gets Targeted by BEC Scams?
Are you an employer? Are you an employee? Are you connected to the internet? Do you have access to money? Do you make money? Do you spend money? Do you pay bills? Do you like shiny things? Are you on Earth?
Harvested Look-alike Domains
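The harvested domains above reuse a handful of visual tricks (l or 1 for i, 0 for o, rn for m, doubled hyphens, an extra letter). The following is an added example, not part of the presentation or MarkMonitor's tooling: it collapses those confusable ASCII sequences into a "skeleton" for both the candidate and a hypothetical list of protected domains, then treats a skeleton within one edit as a look-alike.

```python
"""Look-alike domain detection: an added example, not MarkMonitor code.

Builds a "skeleton" of each domain in which visually confusable ASCII
sequences (rn/m, vv/w, 0/o, 1/l/i, doubled hyphens) collapse to one
canonical form, then compares skeletons of newly seen domains against a
list of protected brand domains, allowing one extra edit for typos."""
import re

# Hypothetical list of domains the organisation wants to protect.
PROTECTED = ["plainscapital.com", "kuehne-nagel.com", "micron.com", "expressjet.com"]

# Multi-character sequences are replaced first, then single-character classes.
SEQUENCES = [("rn", "m"), ("vv", "w")]
CLASSES = str.maketrans({"0": "o", "1": "i", "l": "i"})


def skeleton(domain: str) -> str:
    """Canonical form so that confusable spellings compare equal."""
    s = domain.lower().strip(".")
    for seq, canon in SEQUENCES:
        s = s.replace(seq, canon)
    s = s.translate(CLASSES)
    return re.sub(r"-{2,}", "-", s)  # kuehne--nagel -> kuehne-nagel


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate: str, protected=PROTECTED, max_edits: int = 1):
    """Return the protected domain a candidate imitates, or None.

    An exact match is the legitimate domain itself, so it is not reported."""
    if candidate.lower() in protected:
        return None
    cand = skeleton(candidate)
    for legit in protected:
        if edit_distance(cand, skeleton(legit)) <= max_edits:
            return legit
    return None


if __name__ == "__main__":
    for d in ["plainscapltal.com", "kuehne--nagel.com", "rnicron.com", "expresssjet.com"]:
        print(d, "->", lookalike_of(d))
```

The skeleton only covers ASCII substitutions; internationalised domain names need a Unicode confusables table on top of this.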
BEC Scenario: Executive Impersonation
Simulates a communication from an executive requesting a payment or data
Targets finance team and/or purchasing departments, or Payroll/HR departments
Employee responds by processing the wire transfer or providing W-2 files, resulting in financial loss and/or a massive data breach
BEC Scenario: Invoice Scheme
Compromised legit vendor account
False notifications regarding payment
Request to pay multiple vendors
Finance submits payment
Payment transfer
Payout
Evasion and Obfuscation
Geographic IP address blocking
Language blocking
• Browser Language detection
URL Shortening services
• Know which can be repurposed
URL Redirections
• Daisy chained
Extremely long URLs
• String too long for database (1024)
No TOR allowed
One Time URLs
URL Tracking Services being used
Using Social Media and Targeting HR
Business/professional social media sites like LinkedIn provide a treasure trove of data about an organization and its employees
• Fake professional profiles connect with legitimate users, which lets fraudulent direct messages be delivered easily
• Six degrees of separation: access to a subset of employees adds legitimacy and opens access to executives or accounts payable team members
Threat actors are using internal distribution lists to deliver malicious attachments
HR personnel commonly open .pdf attachments to review resumes
Malware and Ransomware
Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Source: Wikipedia
Ransomware is a type of malware that can be covertly installed on a computer without knowledge or intention of the user that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Source: Wikipedia
MaaS - Malware as a Service
Provides Malware builder and control panel to manage the campaigns
Remote Access Trojans (RATs)
• Collect keystrokes
• Steal cached passwords and grab data from web forms
• Take screenshots
• Take pictures and record video from the webcam
• Record sound from the microphone
• Transfer files
• Collect general system and user information
• Steal keys for crypto-currency wallets
• Manage SMS (for Android)
• Steal VPN certificates
JSocket
AlienSpy
AdWind
AnglerEK
RaaS – Ransomware as a Service
Major ransomware families
• Cryptowall – 85% of all detected ransomware
• Locky – can encrypt files via the network
• TeslaCrypt
Apple OS X compatible
• Locky (deletes itself if the OS is Russian)
• Cerber (will terminate if the host machine comes from 13 Eastern European countries)
• KeRanger – appeared in March 2016
Locky introduced profit sharing model
• Locky author receives 15-20%
EC-Council Waterhole Attack
• March 21, 2016
• Angler Exploit Kit serving TeslaCrypt ransomware
• Victims were asked to pay 1.5 Bitcoin = $600
What Can You Do Externally?
Get help! An anti-fraud service provider has extensive industry expertise and is equipped for quick mitigation on the visible internet:
• Monitor for look-alike domain registrations
• Utilize Fraudcasting/Blocking to prevent consumer access to the malicious website
• Disable fraud email addresses or phishing/malicious websites quickly
What Can You Do Internally?
Block emails from new domains for a specified period of time
Aggressively and persistently educate employees
Understand why you are a target and make your company harder to target
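Two of the internal controls above, holding mail from newly registered domains and catching executive impersonation, can be applied at the mail gateway. The following is an added example, not part of the presentation or MarkMonitor's products; the company domain, executive roster, registration-date lookup and sample message are all constructed.

```python
"""Inbound email triage for BEC executive impersonation and new-domain
holds. Added example, not MarkMonitor code; the executive roster, company
domain, registration-date feed and sample message are all constructed."""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # hypothetical
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # hypothetical roster
NEW_DOMAIN_HOLD_DAYS = 30                          # hold period from the slide's advice

# Stand-in for a WHOIS / registration-date feed (constructed values).
REGISTERED_ON = {"example.com": date(2001, 4, 2), "examp1e.com": date(2016, 3, 18)}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str, today: date) -> list:
    """Return the reasons a message should be held for human review."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []
    # 1. Display name matches an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"executive display name from external address {addr}")
    # 2. Reply-To steers answers to a domain other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append(f"reply-to domain {domain_of(reply)} differs from {from_dom}")
    # 3. External sender domain registered recently, or unknown to the feed.
    if from_dom != COMPANY_DOMAIN:
        reg = REGISTERED_ON.get(from_dom)
        if reg is None or (today - reg).days < NEW_DOMAIN_HOLD_DAYS:
            reasons.append(f"sender domain {from_dom} newer than {NEW_DOMAIN_HOLD_DAYS} days")
    return reasons


# Constructed sample: CEO display name, look-alike domain, external Reply-To.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.urgent@webmail.example>
To: payroll@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE, date(2016, 4, 1)):
        print("HOLD:", reason)
```

Look-alike spelling of the sender domain is a separate check (see the skeleton comparison earlier); here the new-domain rule catches it only because the registration is recent.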
Preparation is Key
Have fraud processes identified before the firefighting starts
Good email skepticism isn’t about reducing trust but increasing education and awareness
Empowered employees make better decisions
Is your organization ready?
Thank You!
For information on MarkMonitor solutions, services and complimentary educational events:
Contact via email: [email protected]
Visit our website: www.markmonitor.com
Contact via phone: US: 1 (800) 745 9229 Europe: +44 (0) 203 206 2220