The Many Faces of Fraud How cyber criminals attack financial institutions
Ken Jochims, Sr. Product Marketing Manager
Guardian Analytics
Established Industry Experts
Community of 260 FIs Fighting Fraud
Pioneered individual behavioral analytics
Extended patented technology to multi-channel offerings
Fraud Intelligence and fraud analyst teams
Industry Engagement
• ABA • FS-ISAC Board Advisor • NACHA Internet Council • NCFTA • Bank Info Security Advisory Council
Successfully managing risk, enhancing offerings, building customer trust
Networking and sharing fraud prevention/ operational best practices
"Guardian Analytics…has a proven and effective fraud detection risk-scoring engine."
Leading Fraud Prevention Technology
"Guardian Analytics possesses one of the clearest visions for how to tackle fraud management."
Agenda
Latest fraud trends
Analyzing current attack trends
Cyber-Crime technological innovation
Proactively defending against threats
Recent Fraud News
ACH fraud as a % of losses is growing. ACH fraud now accounts for 56% of fraud losses. (Jan 13, 2013)
New ZeuS source code based rootkit available for purchase on the underground market (March 14, 2013, by ddanchev)
FraudINTELLIGENCE: 90% of fraud incidents don't include a payment; fraudsters successfully authenticate in 3 out of 5 attempts (Mar 21, 2013)
Malware Spends Significant Effort Avoiding Security
52% of observed malware behaviors focused on evading security or analysis
The Modern Malware Review, March 2013
Criminals Better On Every Dimension
[Figure: advancing, organizing, expanding, scaling, evolving; labels: retail, business, platforms, bank employee, 3rd party, mobile]
Wide Array of Attacks Creating Billions in Losses
Attack vectors: email breach, call center social engineering, SMS phishing, vishing, purchased credentials, malware
Offline transactions: check fraud, wire fraud (via fax, email, call center, online chat)
Online transactions: wire, ACH, bill pay, external transfers
Credentials widely available
• 40% of PCs already infected (APWG)
• Thousands of credentials stolen by Gozi (US Attorney)
Phishing and social engineering resurfacing
• Social engineering on the rise (Gartner)
• Trend in using mobile/tablets to compromise credentials (Aite)
• Email breaches connected to banking fraud (Aite)
• Bad password practices leave Internet accounts at risk: 60% of passwords reused
Rapid malware innovations steal credentials and bypass authentication
• Zeus, SpyEye, Gameover, ICE IX, Ramnit, Carberp, Shylock, Gozi, Zitmo, Spitmo, CitMo, Eurograbber
Move funds through online and offline transactions
• 2012-2013 account reconnaissance attack: ~1000 accounts at 75 FIs; connected to offline fraud
• ACH: 56% of losses (FS-ISAC)
• Wire: 76% of attempts (FS-ISAC)
• New combinations, e.g. online chat (GA)
• Focus on defeating manual controls and verification (GA)
Criminals Using Email Breaches to Gain Access
Weak passwords: password, 12345678…
Password reuse: research shows 60% of credentials re-used from one site to another
Forgotten password reset: used in hundreds of account takeovers last year
Mobile/Tablet As Source of Credentials
Mobile or tablet users more likely to click on phishing text or email
Gather credentials via mobile or tablet, then log into online banking
SMS phishing: user clicks on a link in an SMS message and gives up credentials for online banking
Trends in Cyber Threats
Vishing
• Criminals spoof caller ID
• Call bank customer victims pretending to be a bank officer
• Extract information from the victim over the phone
• Take over their account
Call center social engineering
• Criminals engage the call center with enough information to pretend to be the victim
• Trick the call center agent into resetting credentials or performing a transaction
Targeting branch employees socially
• Determine how best to meet these employees in social settings, such as fitness clubs or restaurants near the branch locations
• Fraudsters engage in social interactions with the employees
• Rope them into their crime schemes, usually with the promise of a lucrative financial reward for their cooperation and efforts
Account Reconnaissance Attack
Attack vectors: email breach, call center social engineering, SMS phishing, tablet phishing, vishing, purchased credentials, malware
Offline fraud: check fraud; wire fraud via fax, email or call center
Consistent and methodical account reconnaissance only, against the customer's online account:
• Log in (including MFA)
• Password reset
• Check account summary
• Access bill pay
• View check images
Seen at a thousand accounts at 75+ financial institutions
Live Chat Scheme – A New Twist Combining Online Fraud and Call Center Fraud
A human fraudster successfully authenticates using the user's credentials, then in online banking:
1. Explores all accounts
2. Consolidates funds to the checking account
3. Initiates a chat session from online banking: first asks for general help, then asks for help with a wire transfer
Opportunity to detect suspicious activity at each step
Trends in Payments Fraud – FS-ISAC Survey
Attack vectors: email breach, call center social engineering, SMS phishing, tablet phishing, vishing, purchased credentials, malware
• Wire: most popular channel, 76% of attempts (FS-ISAC)
• ACH: growing number of losses, 52% of losses from ACH
Attacks on ACH Files - Criminals Getting Past Caps, Limits, Validations
1. FRAUDULENT FILE: Fraudster submits a new ACH batch file, all of which is fraudulent. Fraudulent files may or may not violate caps or calendar rules.
2. BOGUS BATCH: Fraudster breaks into an existing batch file and adds new payments, which changes the number of transactions in the file and the total amount of all transactions in the file. Files may still be below established caps/limits.
3. ROGUE RECIPIENT: Fraudster breaks into an existing batch file and adds some new credit transactions (steals some money), but simultaneously adds some new debit transactions that leave the total dollar movement for the file as a whole unchanged.
4. TAMPERED TRANSACTION: Fraudster breaks into an existing batch file and edits specific parts of existing transactions (e.g. the payee account number), which leaves the number of transactions and the total dollar movement for the file as a whole unchanged.
[Figure: starting from a fraudster taking over a corporate account, the four patterns are progressive levels of fraud infiltration; each takes more effort to find with traditional rules-based monitoring and reports and is increasingly effective at defeating caps, rules and limits]
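The four patterns above get past caps and limits because each keeps the file total, the entry count, or both unchanged. The following added example (not Guardian Analytics' code) diffs a received batch against the copy the originator approved and names the pattern; the Entry layout, trace numbers, account numbers and cap are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    trace: str   # trace number identifying the entry within the batch
    kind: str    # "credit" pays money out to the payee, "debit" pulls it in
    payee: str   # receiving account number
    amount: int  # cents

def net_movement(entries):
    """Signed dollar movement of a batch in cents (credits out, debits in)."""
    return sum(e.amount if e.kind == "credit" else -e.amount for e in entries)

def classify_batch(approved, submitted, known_payees, cap_cents):
    """Diff the batch the bank received against the copy the originator approved
    and name the tampering pattern. approved=None means no approved copy exists."""
    if approved is None:
        cap_note = "over cap" if net_movement(submitted) > cap_cents else "within cap"
        return [f"FRAUDULENT_FILE: whole batch unapproved, {cap_note}"]
    before = {e.trace: e for e in approved}
    after = {e.trace: e for e in submitted}
    added = [after[t] for t in sorted(after.keys() - before.keys())]
    edited = [(before[t], after[t]) for t in sorted(before.keys() & after.keys())
              if before[t] != after[t]]
    findings = []
    if added and net_movement(submitted) != net_movement(approved):
        findings.append("BOGUS_BATCH: entries added; count and total changed")
    elif added:
        findings.append("ROGUE_RECIPIENT: entries added; count changed, total unchanged")
    for old, new in edited:
        what = f"payee {old.payee} -> {new.payee}" if old.payee != new.payee else "fields edited"
        findings.append(f"TAMPERED_TRANSACTION: {old.trace} {what}")
    # Common thread of all three in-file tamperings: money flows to an account the
    # originator never paid before, so check that regardless of caps and totals.
    for e in added + [new for _, new in edited]:
        if e.kind == "credit" and e.payee not in known_payees:
            findings.append(f"UNKNOWN_PAYEE: {e.trace} credits {e.payee}")
    return findings

# Constructed sample: an approved two-entry payroll batch and three tampered copies.
APPROVED = [Entry("0001", "credit", "111222333", 250_000),
            Entry("0002", "credit", "444555666", 180_000)]
KNOWN = {"111222333", "444555666"}
MULE = Entry("0003", "credit", "999000111", 90_000)          # new, unapproved payee
BOGUS = APPROVED + [MULE]                                     # count and total change
ROGUE = APPROVED + [MULE, Entry("0004", "debit", "111222333", 90_000)]  # total unchanged
TAMPERED = [APPROVED[0], Entry("0002", "credit", "999000111", 180_000)]  # payee edited
CAP = 1_000_000  # per-batch cap in cents; every sample above stays under it
```

Every sample batch stays under the cap, which is the point: only the diff against the approved copy and the payee history surface the tampering.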
Distributed Denial of Service (DDoS) Attacks
DDoS attacks continue, with enhanced methods/capabilities
• More horsepower: use the cloud, with networks of servers in data centers around the world used as the botnet (rather than individual computers)
• Extreme bandwidth capability: up to 300Gbps
• Consume more resources: flooded sites with encryption requests
• Criminals starting to collaborate (OCC alert)
Fraud Motivated Denial of Service Attack
62 money mules recruited to steal money from a Calif. construction company via ACH and wire transfers
• Mules with consumer accounts received $4-$9K transactions
• Mules with business accounts used to hide large dollar transactions: $80K-$100K
• Possibly Gameover Zeus Trojan blocking the controller's access to the site to set up fraudulent transactions and launch DDoS on the bank's website
• Customer called the bank after they were blocked from online banking, but no action was taken to investigate the account
• Law enforcement speculating multiple victims at the bank
• $900K transferred; bank able to recover half, with more expected
TDoS (telephony denial of service)
• Criminals use automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting citizens
• Diversion: while the lines are tied up, the criminals—masquerading as the victims themselves—are raiding the victims' bank accounts
Continuous Malware Innovations
Families: Zeus/SpyEye, Citadel, Shylock, Carberp, Gozi, Prinimalka, ICE IX, Zitmo/Spitmo, Gameover
Innovations seen: social platform; customer service number injection; detecting remote desktop connections to avoid research detection; spread via Skype; boot kit; targeted attacks planned against 30 banks; professional offering; spoofing device ID information; fake chat injections; coupled with Reveton ransomware; on-the-fly injections; targeting enterprises; Carberp-in-the-mobile; Zeus rootkit
Mastermind behind Gozi arrested
• 40,000 US computers already infected
• One C&C server housed 3000 stolen credentials
Eurograbber – compromises two factor authentication
• $47M in losses; 30,000 retail and corporate accounts affected
• Infects computer and mobile
• Tricks two factor authentication
Catching up with Zeus
March 2013: new ZeuS source code based rootkit available for purchase on the underground market
Rootkit functionality:
• Hide files on disk
• Hide running processes in memory
• Claims to be undetected by all major anti-malware products
• Works on Windows 2003/XP/Windows 7
Ramnit in the spotlight
March 2013: Ramnit – back and better at avoiding detection
Ramnit began as a worm, now transformed into banking malware
Rootkit style upgrades hide components from anti-malware programs
Anti-detection:
• Command and control server provides a dynamic list of anti-malware product process names
• Kills any matching processes on the infected computer
• Blocks API calls used by anti-malware products
• Modules are encrypted on disk and decrypted on the fly when needed
Independent banking module:
• The Hook&Spy module, the credential-stealing component native to Zeus, replaced by a custom-built hook module
• No longer relies on Zeus
Malware take away…
Evolution continues
• Developer breathes new life into Zeus
• Malware being repurposed for financial gain (Ramnit)
• Added functionality adds further monetization opportunities
Increased emphasis on evading detection
• More focus on rootkit technology
• Increased use of encryption
• Motivation behind both: hiding from anti-malware programs
Stopping malware is not a cure
• Fraudsters change tactics as the need arises
• Solutions focusing on malware are always challenged at keeping up
Mobile Devices – Facilitating Criminal Activities
Malware increasing: Android malware up from 28,000 to 175,000 in the third quarter
Malware downloaded via infected SMS, web links, infected apps
FBI alert on Loozfon and FinFisher
• Loozfon: steals phone number/IMEI and contact details
• FinFisher: spyware targeting Android phones to remotely control and monitor phones
Mobile as source of credential stealing: SMS phishing
Bypassing mobile text-based authentication: Eurograbber (Zitmo)
• $47M attack in Europe
• Combination online and mobile malware attack
• Targeted 30,000 corporate and private banking accounts
• Botnet (spam, DDoS)
• Steal online banking credentials
• Compromise transactions
• Premium service texts
It’s Getting Easier for Criminals
You can rent a botnet to send your Trojan-laced emails and steal online banking credentials from thousands who click the booby-trapped attachments.
You can purchase Web injects that allow you to change the behavior of targeted bank Web sites as they are displayed in the victim’s browser.
If you want help hauling the loot, you can rent access to money mules that are hired by mule recruitment gangs.
And if you need a diversion to distract or otherwise occupy your victims while you rob them, you can rent this service.
From Krebs on Security
Threat Summary
Innovation is rapidly occurring on all fronts
• Account takeover
• Money movement
• Defeating common controls
Multiple groups involved in cybercrime
• Working together for bigger impact
• Where one leaves off, another picks up
There is no one threat that is the greatest
Criminals Innovating Account Takeover Strategies
Attack vectors: email breach, call center social engineering, SMS phishing, vishing, purchased credentials, malware
Offline transactions: check fraud, wire fraud (via fax, email, call center, online chat)
Online transactions: wire, ACH, bill pay, external transfers
Understanding Individual Behavior in Accounts
Login: challenges, device, cookie, IP address, time of day, network, …
Finance management & account maintenance: add new user, change limits, set up batch, set up template, add payees, …; view balance, view check image, update address, update email, update password, …
Payments, online: ACH, wire, bill pay, external transfers, internal transfers, loan draw, …; offline request: ACH, wire
Channels: online, mobile, call center, branch
[Figure labels: malware and human attacks; payments fraud]
In any fraud attack, the criminal does something unusual relative to the real user
Each individual customer has their own unique banking behavior
FraudMAP End-to-End Behavioral Analytics
Is the client accessing online/mobile banking in an expected way? (when, where, how)
Are the client's banking actions normal? (occurrence, frequency, sequence, timing, what's missing)
Are the transactions typical for this time in their history? (type, amount, payees, sender-receiver relationship, frequency of transaction, velocity)
Anomaly Detection/Behavioral Analytics
New FFIEC Minimum Expectations for Online/Mobile
1. Ongoing risk assessments
2. Layered security for retail and business
3. Customer education/transparency
Must include the following minimum elements:
1. The ability to detect and respond to anomalous and suspicious behavior at login and transaction
2. Enhanced controls over administrative functions often used in fraud attacks
• Identifies anomalous behavior for each individual account holder
• Monitors login to account reconnaissance to transaction
• Covers retail and business accounts
• Provides early indicators of account takeover and fraud
• Detects widest array of attacks, including Man In The Browser
• Online and mobile
Add additional layers based on risk
• FraudMAP identifies high risk administrative actions (adding new users, changing approval limits, changing contact information)
• FraudMAP can help drive response and intervention with 3rd party systems
[Figure labels: 2012 focus; 2013 focus]
Why FIs Prioritize Anomaly Detection
• Instant, 100% coverage, no adoption issues
• Stops widest array of fraud attacks
• Longest lifespan: can't be studied and not threat specific
• Fast time to security with no customer impact
• Little to no impact on ongoing workload
• Rapid deployment, low maintenance
Your institution: most complete protection, transparent customer experience
Account holders: protection for them, no action by them; customers respond positively
Anomaly Detection For Institutions of All Sizes
Proactively prevent fraud: stop fraud before the transaction; defends against a wide array of attacks
Conform to FFIEC expectations: all banks expected to have anomaly detection
Grow confidence in the online channel: reduce risk, increase online adoption and enhance online services
Know your customers: gain insight into your customers & their behaviors
Optimize fraud and IT resources: fast time to security, minimal alerts, fast investigation, no ongoing maintenance
FraudMAP Fraud Prevention Platform: Dynamic Account Modeling, Alerting and Visual Analytics
Retail/Business
FraudMAP Live
For More Information
Email info@guardiananalytics.com to sign up for:
• Periodic Fraud Informers
• Monthly Fraud Factor newsletters
Visit www.guardiananalytics.com
• Sign up for a demo
• Visit our research
Email us with any questions: kjochims@guardiananalytics.com