Cyber Fraud Trends: Tips for Protecting your business and yourself from today's cyber criminals

Trends in electronic crimes and its impact on businesses like yours


Agenda

• USSS Dual Mission – Protection/Investigation

• USSS Resources and Assets to Combat Cyber Crime

• Current Trends in Cyber Crime
– Skimming Technology
– Network Intrusions
– Point of Sale
– Targeted Malware
– Data Breaches

• Network Intrusion Case Study

Dual Mission - Protection

• President
• Vice-President
• Former Presidents
• Foreign Heads of State
• Major Candidates
• Others as designated

Dual Mission - Investigative

• Counterfeit Currency / Treasury Obligations

• Financial Crimes: Identity Crime, Check Fraud, Access Device Fraud, Bank Fraud

• Electronic Crimes: Computer Crimes, Network Intrusions, Internet Fraud

Jurisdictional History

1865 - U.S. Secret Service created to fight counterfeit currency

1901 - Assigned Presidential Protection Duties

1948 - Title 18 USC Section 470-474 (Counterfeiting and Forgery)

1984 - Title 18 USC Section 1029 (Access Device Fraud)

1986 - Title 18 USC Section 1030 (Computer Fraud)

1990 - Title 18 USC Section 1344 (Bank Fraud)

1996 - Title 18 USC Section 514 (Fictitious Obligations)

1998 - Title 18 USC Section 1028 (Identity Theft)

2001 - PATRIOT Act (Expanded Cyber Crime Responsibilities)

2004 - Title 18 USC Section 1028A (Aggravated Identity Theft)

Cyber Safety

• Social Engineering
• Social Networking Vulnerabilities

Social Engineering

• The act of manipulating people into performing actions or divulging confidential information for the purpose of information gathering, fraud, or computer system access.

Types of Social Engineering Skills

The following are a few of the skills used to exploit users and gain access to your system:

– Impersonating staff
– Playing on users' sympathy
– Intimidation tactics
– Hoaxing
– Creating confusion
– Dumpster diving
– Reverse social engineering
– Mail
– Phishing
– Spearphishing
– A phishing technique that has received substantial publicity of late is “vishing,” or voice phishing

So what do they look like?


The link sends you to….

Social Engineering Ammo

Anything and Everything is Exploitable on your computer

• Finances
• Pictures of your family
• Personal letters / correspondence
• Personal & Business Address Book - contacts (their title, their address, contact numbers, emails, personal info)
• Calendar / Itinerary
• Vacation Logistics, Etc.

Location-based Social Networking

• Location-based social networking is quickly growing in popularity. A variety of applications are capitalizing on users’ desire to broadcast their geographic location.

• Most location-based social networking applications focus on “checking in” at various locations to earn points, badges, discounts and other geo-related awards.

• The increased popularity of these applications is changing the way we as a digital culture view security and privacy on an individual level.

Current Trends in Cyber Crime

o Skimming Technology
o Network Intrusions
o Point of Sale Breaches
o Malware
o Data Breaches

Skimming Technology

Why is Skimming Popular?

• The equipment is available over the Internet.
• The software and hardware are very user friendly and extremely mobile.
• The skimmed information can be transmitted via e-mail anywhere in the world within hours after it is skimmed.
• Cardholders are not aware that they have been victimized until they receive statements showing the fraudulent charges.

Skimming Locations

• Common Skimming Locations
– Restaurants
– Hotels
– Gas Stations (affixed to pumps)
– ATMs (affixed to machine)

• Why are these locations so popular?
– Heavy customer volume
– Credit card is common payment method
– Multiple employees (difficult to identify suspect)
– Employee turnover (co-conspirators easy to recruit / emplace)
– Covertly placed (gas pumps and ATMs)

Wireless Skimming

The advent of wireless technology has led to passive wireless skimming, where perpetrators plant skimming devices that broadcast account information wirelessly in gas pumps, ATMs, and point of sale terminals.

These devices minimize physical interaction with the skimming device, increasing the odds that the skimmer will operate undetected.

Even if a wireless skimmer is found, it can be difficult to identify its owners.

Handheld Skimming Devices

FEATURES
– Wireless access to stored data on all devices in range
– Remote configuration of reader devices
– Manage multiple devices
– Hardware password protection

Gas Pump Skimming

Skimming Device

PIN hole camera assembly mount placed above key pad to capture PINs

ATM Skimming

PIN hole camera assembly mount placed above key pad to capture PINs

Mounted over original ATM card reader

ATM Skimming

NEW SKIMMING TECHNIQUES

• Works Around Anti-Skimming Faceplate on newer ATMs
• Uses more technologically advanced methods
• Relies on having access to HDD of ATM

POINT OF SALE (POS) BREACHES

POINT-OF-SALE (POS) SKIMMING

PCI Compliance

Computer Security =

Point-of-sale Skimming Devices

Point-of-sale terminal Altered with skimming electronics

Yellow and green parasite board. The yellow board is a Bluetooth card and the green board is the storage board.

Point-of-sale Skimming Devices

Network Intrusions

• Breaches stem from hackers wanting two things:
– Information
– Access

Anatomy of a Hack

[Diagram: Point of Sale (POS) system and back-of-house (BOH) server reachable over remote-access ports 5631 (pcAnywhere), 3389 (Remote Desktop) and 5800 & 5900 (VNC, e.g. UltraVNC)]

Hackers use weaknesses in Remote Desktop Program configurations to gain access!!!!

Remote Application Vulnerabilities

• Help desk teams love remote-control software because it allows them to:
– Remotely take control of the user's machine
– Copy over files
– Set all application and operating system wrongs to right.

• Attackers love the software too, because it allows them to:
– Avoid sneaking complex Trojan malware onto a targeted PC
– Use previously installed remote control software to do the heavy lifting for them
– Run attacks from memory, thus making the exploits more difficult to detect, trace or investigate.

Mathew J. Schwartz, Unpatched Remote Access Tools: Your Gift To Attackers, http://www.informationweek.com/security/vulnerabilities/unpatched-remote-access-tools-your-gift/240151523

POINT-OF-SALE (POS) Breaches

Problems we have seen with RDP configurations on POS Servers:

• Weak or no password protection
• Connection remains open all of the time
• Multiple RDPs installed on the Server (sometimes the hacker installs their own after gaining access)
• No firewall or firewall not configured correctly

POINT OF SALE (POS) SYSTEM CONFIGURATION

[Diagram: three Front of House servers and a Back of House server connected through a switch and a cable/DSL router to the INTERNET; malware components shown: KEYSTROKE LOGGER, NETWORK SNIFFER, MEMORY DUMPER]

Breach Detection

• 71% of victims did not detect a breach themselves
– 58% Regulatory, card brands, merchant banks
– 29% Self-Detection
– 7% Other 3rd Party
– 3% Public Detection
– 3% Law Enforcement

Median number of days from initial intrusion to detection was…. 87 days

Median number of days from detection to containment was… 7 days

Common Breach Scenario

[Diagram: Infiltration → Aggregation → Exfiltration]

1. POS system is located and attacker enters POS system via pcAnywhere using default-vendor supplied credentials.

− Username: admin

− Password: password

2. Memory dumper malware is installed on the POS system. Once installed, track data is captured from RAM and written to an encrypted output file.

− C:\WINDOWS\system32\ccdata.txt

3. Attacker returns periodically via pcAnywhere and uploads output file (ccdata.txt) containing encrypted track data.

- Automatic uploads, emails the data, FTP’s the data.

Malware captures track data from credit/debit cards.

Stolen credit/debit card information sent to hacker.

Hacker sells this information online (card dumps).
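The memory-dumper scenario above harvests magnetic-stripe track data from RAM. As an added example (not from the presentation), this Python scanner locates Luhn-valid track 1 / track 2 records in raw bytes such as a RAM capture, a pcap payload or a recovered output file, so an investigator can confirm what was exposed; PANs are masked in the findings, and the sample dump is constructed.

```python
import re

# Magnetic-stripe layouts (ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn check (filters random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(blob: bytes) -> list[dict]:
    """Find Luhn-valid track 1 / track 2 records in raw bytes (RAM image, pcap payload, dropped file)."""
    text = blob.decode("latin-1")            # one char per byte; a memory image is not valid UTF-8
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue                     # decoy / random digits, not a card number
            yy, mm = (m.group(3), m.group(4)) if track == 1 else (m.group(2), m.group(3))
            hits.append({"track": track, "pan": mask_pan(pan), "expiry": f"{mm}/{yy}", "offset": m.start()})
    return hits


# Constructed sample: a RAM excerpt holding one track 1 record and one track 2 record for the
# well-known Visa test PAN 4111111111111111, plus a decoy that looks like track 2 but fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00%B4111111111111111^DOE/JOHN^25121010000000000?\x00\x00"
    b"\xff\xfe;4111111111111111=25121010000000000?\x00"
    b";1234567890123456=25121010000000000?\x00\x00"
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_DUMP):
        print(hit)
```

Run it against the RAM image or packet capture taken during Step 1 of the investigation; a hit at a given offset tells you which process memory or which connection carried cleartext card data.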

POINT-OF-SALE (POS) Breaches

Criminals around the world purchase these card dumps over the internet to resell them or use the compromised account numbers.


What can you do?

• Use updated virus protection software.
• Be wary of emails from strangers, especially downloads or hyperlinks. (Educate your Employees/Family)
• Firewall protection is essential for high-speed connections that leave your system connected to the internet.
• Secure browsers enable you to encrypt info that you send.
• Resist using automatic log-in features.
• Change your passwords frequently / Use Complex Passwords (uppercase / lowercase / number / special character)
• Check for open ports by scanning your public facing IP address (nmap)
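The last item recommends scanning your own public-facing IP address with nmap. As an added example (not from the presentation), this Python script reads nmap's grepable output (the -oG format) and flags the remote-access ports named in this deck, RDP 3389, pcAnywhere 5631 and VNC 5800/5900, so they can be closed or moved behind a VPN; the scan output and the 203.0.113.x addresses are constructed.

```python
# Remote-access ports named in the deck, with the product that normally listens there.
REMOTE_ACCESS_PORTS = {
    3389: "Microsoft Remote Desktop (RDP)",
    5631: "pcAnywhere",
    5800: "VNC (browser/HTTP access)",
    5900: "VNC (UltraVNC, RealVNC, ...)",
}


def parse_open_ports(grepable_output: str) -> dict[str, list[int]]:
    """Parse 'nmap -oG' output into {host: [open tcp ports]}."""
    hosts = {}
    for line in grepable_output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                   # comments and 'Status: Up' lines
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = []
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")          # port/state/proto/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.append(int(fields[0]))
        hosts[ip] = open_ports
    return hosts


def exposed_remote_access(grepable_output: str) -> dict[str, list[str]]:
    """Return {host: [findings]} for every host exposing a remote-access port to the Internet."""
    findings = {}
    for ip, ports in parse_open_ports(grepable_output).items():
        flagged = [f"{p}/tcp {REMOTE_ACCESS_PORTS[p]}" for p in ports if p in REMOTE_ACCESS_PORTS]
        if flagged:
            findings[ip] = flagged
    return findings


# Constructed sample of 'nmap -oG -' output for two public addresses (RFC 5737 test range):
# .10 exposes RDP and VNC; .11 shows pcAnywhere only as 'filtered', which is not a finding.
SAMPLE_SCAN = """# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 5900/open/tcp//vnc///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https///, 5631/filtered/tcp//pcanywheredata///\tIgnored State: closed (998)
"""

if __name__ == "__main__":
    for host, items in exposed_remote_access(SAMPLE_SCAN).items():
        print(host, "exposes:", ", ".join(items))
```

Feed it real output with `nmap -oG - <your public IP>` piped into the script; anything it flags should not be reachable from the Internet at all, per the RDP configuration problems listed earlier.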

Incident Response

• Don’t ask “IF”, ask “WHEN”

• Have a plan: Know who to involve & call in your initial responders before it happens:
– Have a central point of contact that has authority to act
• Legal counsel, human resources personnel, corporate security, IT security
– Establish a smooth flow of communications amongst the different parties involved

We have learned that cyber crime investigations must be conducted quickly. If evidence is not captured quickly, it could be lost and the link to the suspect can be broken.

RESOURCES

• FS-ISAC - Financial Services Information Sharing and Analysis Center
• NCCIC - National Cybersecurity & Communications Integration Center
• US-CERT - US Computer Emergency Readiness Team
• Verizon Data Breach Investigations Report
• www.databreachtoday.com
• Trustwave Global Security Report

Targeted Malware

• Malware collects on-line credentials:
– Usually infects machines using a targeted phishing (spearphishing) attack.
– E-mails are targeted to users suspected to have access to corporate bank accounts.
– Some variants can spread to other computers on the network.

• Banking credentials used to generate ACH transfers:
– Transfers to money mules, recruited from on-line job hunting websites.
– Mules sign up for a “work from home” program.
– Mules receive ACH transfers into personal bank accounts, and then send money overseas by wire or Western Union.

Targeted Malware

ZeuS

• Still one of the most widely investigated malware programs by law enforcement agencies.
– Serving as the model for newer toolkits.

• First detected in early 2007.

• Builder toolkit sold for between $700 - $4,000 on underground forums, depending on version.
– Older versions usually released for free to the public as advertising for new versions.

• Modified older versions also sold.

• Capabilities:
– Accessed saved passwords in web browsers.
– Keystroke logging.
– Screenshots (to defeat anti-keystroke logging sites).
– Modification of web sites (can ask for additional information on a bank login site, such as PIN).
– Installation of additional software.
– Proxy service.

• ZeuS is designed to steal more than just financial data:

SpyEye

• Replacing ZeuS as the preferred crimeware toolkit over the past year.
– ZeuS author turned over code to the author of SpyEye trojan.
– New ZeuS variants still being developed for VIP customers.

• Similar in form & function to ZeuS.

• Features:
– Keylogger
– E-mail grabber
– HTTP authentication grabber
– ZeuS-killer module

SpyEye

Gribodemon, creator of SpyEye, was interviewed by Malware Intelligence:
• Claims to make approximately $50 Million per year.
• Sells ONLY SpyEye toolkit.
• Spends 12-13 hours per day coding malware.
• Believes that future versions will include a feature to remove anti-virus from victim’s computer.
• Does NOT CARE about the financial loss his software causes.
• Believes that banks suffer most of the loss.

Recent trends have seen versions of ZeuS-style malware written for mobile platforms.

Data Breaches

DATA BREACH 101

• Recognize when ILLICIT events occur
– At the height of “NOISE”: drop files, execution of code, data harvesting

• Identify the problem and level of intrusion
– PYRAMID OF ATTACKS – virus to root intrusions

• Know your “Back to Business” ETA

• Mitigation Plan should include a decision maker, not just information gatherers – key to keep decision makers informed.

• Measure, Improve, Measure again

DATA BREACH 101

• How do breaches occur?
– 3rd Party Access (contractor) to systems connected to servers
– Compromised VPN (ability to login from home)
– Sniffing/Open Ports
– Phishing/Spoof emails targeted to employees (social media sources)
– Physical Devices (Fake POS terminals with malware injected onto network)

• Where is your evidence? (local devices, network logs, mobile devices)
– What are your BYOD policies?
– How long do you maintain network logs or back ups?
– Do you maintain a topology of your network?

DATA BREACH CASE STUDY: Health System Company

• Intrusion Detection System was installed; within days it alerted for unencrypted PII/PHI as outbound TCP/IP traffic to port 80

• Further analysis (IT) of their network logs showed traffic from 2 internal IP addresses (locations within their network)

• Application (internet) and System logs from these computers were forensically examined and cross-referenced with date/time/location; the same Security Identifier (SID) was found logged in at each location at the time of the traffic

• IT intelligence confirmed SID assigned to employee

• Employee timesheets showed he was working at the time of the traffic transmissions

• Notified LEO IMMEDIATELY and continued to monitor SID traffic with increased level of granularity – captured larger data, including email addresses of employee and intended recipient(s).

• Investigation revealed employee was selling PII and PHI for profit.

Who are Cybercriminals?

• Many Cybercriminals are motivated by financial gain.

• Cybercriminals have the technical ability to severely damage cyber infrastructure and should not be dismissed since they do not work for sponsored organizations.

• Cybercrime can be committed by subjects with varying degrees of technical capabilities.

• Cybercriminals generally target opportunistically.

• Cyber criminals often specialize in a few areas, requiring them to work with others.

Cybercriminal Networks

• Some online criminal networks are highly organized
– Eastern Europe, especially with more than a decade of continued development and growth
– Certain individuals heading online criminal organizations approaching 15 years experience and growth
– Wide-ranging ties to real-world financial systems as well as government structures

• Some online criminal organizations are very sophisticated
– Fielding malware ecosystems on a very high level; some malware systems survive and even thrive for years (Zeus/SpyEye)
– Repeated successful attacks against financial encryption systems
– No network or institution invulnerable to intrusion from dedicated and motivated adversary (study of risk/reward)

Case Study


How Investigations Start

• Contacted by victim
• Industry tip to USSS
• “Common Point of Purchase” analysis
– Multiple compromised accounts
– Unauthorized purchases at common merchant

Special Challenges with Corporate Data Breach Victims

The problems:
• Need investigative assistance from victim – USSS can’t do corporate “deep dive” forensics
• Victim has incentive not to investigate
– Civil liability
– Bad press
– Remediation costs

The solutions:
• Recommend hiring reputable forensics firm
• Recommend hiring privacy counsel
• Assure confidentiality
– Not named in indictment or plea
– Not named in press by USSS
• Consider issuing delayed notification letter

POS-Hacking Scheme

[Diagram: merchant’s POS system with keystroke logger (KSL), hacked business servers (“dirty” and “legit” servers), data moved via FTP]

1. Crack admin password & install keystroke logger on merchant’s POS
2. Log & upload card data to “dump sites” for temporary storage
3. Retrieve & sell card data on black market
4. Encode data onto blank cards for use in stores, ATMs, casinos

Summary of Data Breach


• 250 Branches

• 800 Other Merchants

• 5 Million Cardholders

• $50 Million Unauthorized Charges

Step 1: Investigate Hacked POS

• Network sniffer / image HD and capture RAM

• Forensics
– Off-the-rack KSL
– Stored card data
– Hard-coded “dump sites”
– Signatures
• File structure & naming
• PWs & usernames (Romanian)
• Matched other POS hacks

• Logs – ftp “dump site” IPs

Step 3: Investigate Hacked Server

• Forensics
– Stored card data
– Stored hacker tools

• Sniffer / full PCAP
– Proxy to access e-mail & chat accounts
– “dump site” IP
– New victim IPs

• Hiccups: partial encryption, victim’s substitute server

Step 4: Investigate E-Mail/Chat Accounts

• Search warrants
– Stored data on “notepad”
– Transferred stolen card data

• Victim confirmed
– Transferred PWs & tools
– Chat wedding & arrest
– E-mail from hacker acct to personal account
• Logs show hacker acct = own personal acct
• Date/time stamp same

Recap of Investigative Steps

What we investigated:
• Step 1: Hacked POS
• Step 2: “Dump sites”
• Step 3: Hacked server
• Step 4: E-mail and chat accounts

Legal process we used:
• Victim consent
• Search Warrant
• Consent
• Search Warrant

Closing in on Target B

– Target B chats about his wedding and arrest
• Target A‘s FB post with wedding photo and Target B as groom
– Romanian LE assistance
• check arrest records in carding cases for Target B
– Has prior arrest
• recognize FB photo as Target B
– Target B’s wife
• Facebook, LinkedIn

Post-Script

• Target A lured to U.S.
– Lures require DOJ/OIA approval.

• Full confessions upon arrest
• Target B extradited from Romania
• Target A received a 7.5 year sentence
• Target B was sentenced to 15 years