There is a perception among the general population that cyber fraud is some modern esoteric art perpetrated by alpha geeks sitting behind keyboards, clothed in hoodies, hiding in a darkened room. But in reality, present-day fraudsters tend to use old tricks to gain access to people’s bank accounts. They can still earn plenty of money by using trusted methods in the cyber realm without having to invest in the latest, sexiest hacking tools, which can cost upwards of £10,000.
The telephone remains a popular launch pad for identity theft. Using internet-enabled services such as Skype, hackers are able to hide their true identity, while voice manipulation software allows them to tweak the frequency of their speech and easily dupe call centre staff, says Vijay Balasubramaniyan, chief executive and co-founder of Pindrop Security.
Where relevant some even pretend to have a speech impediment or to be a carer for a disabled caller. Once they have access to people’s online accounts and have changed the relevant usernames and passwords, they can quickly shift funds to their own coffers.
In one case, Pindrop looked at the records of a large bank, reviewing 300,000 calls. The bank knew of ten cases where fraudsters had called in, but Pindrop uncovered 115, including one that led to an illicit $97,000 (£58,000) wire transfer to Cambodia. Most companies think that just 2 per cent of their fraud exposure comes from the phone channel, but in reality it’s more like between 30 and 80 per cent, says Mr Balasubramaniyan.
There are more sophisticated campaigns, ones that have resulted in huge profits for criminals. Considered by US law enforcement to be one of the evil geniuses of the online dark markets, Evgeniy Mikhailovich Bogachev is alleged to have run two of the slicker cybercriminal operations of recent memory, known as Gameover Zeus and Cryptolocker.
The former saw as many as one million PCs infected with the Zeus malware, which siphoned off victims’ bank logins. The Cryptolocker “ransomware” encrypted hundreds of thousands of people’s files, making them inaccessible before asking for payment to unlock them. Bogachev and his crew were believed to have earned at least $100 million through such illicit means.
Kroll, which carries out fraud investigations for businesses, has seen a recent rise in e-mail and social media account takeover, using similar strategies as the Gameover Zeus and Cryptolocker crooks. “In such cases, criminals will compromise e-mail and social media accounts and then send out communications as the true account holder attempting to trick the recipients into an action, such as clicking a link, installing credential-stealing malware or even paying a fake invoice,” says E.J. Hilbert, head of cyber investigations at Kroll Europe, Middle East and Africa.
Phishing websites, which look like they’re genuine versions of web services, are also common. As the sites appear to be legitimate, users are happy to enter their personal data, not realising they are being duped by identity thieves. Such data, however it is acquired, is often sold on underground web forums, making it more likely the victims’ accounts will be compromised. “Trade secrets and the intellectual property of a business can also be targeted,” notes Darren Hodder, director at Fraud Consulting.
Then there are insiders to fret about. “We are increasingly seeing cases where trusted insiders are being used to assist cyber attacks from within the firms themselves,” says Paul Walker, head of forensic technology and discovery services at EY.
Trade secrets and the intellectual property of a business can also be targeted
These moles are either purposefully placed within the target organisation or identified and turned, says Mr Walker. They can then be used to initiate attacks. Certain cases have seen infected USB sticks shoved into company systems installing malicious software or malware on the corporate network to hoover up information. In other cases, the moles are used to identify weaknesses for subsequent attack.
“By directly bypassing the firm’s security measures and installing malware directly on the target’s network, a wealth of information is made available for hackers to steal and distribute, and by use of insider targeting agents, attacks can be stealthy and focused,” Mr Walker adds.
One reason why cyber fraudsters are causing such chaos – £266 billion a year in economic damage, according to computer security software company McAfee, though this figure has been disputed – is that many companies are not using adequate tools to respond to attacks. A recent study from consultancy Protiviti revealed that only 10 per cent of organisations are taking full advantage of technologies such as anti-malware and digital intelligence systems that could help them detect and repel strikes on their infrastructure.
“Businesses need to recognise that they simply cannot protect everything – better to focus on protecting the digital assets that matter the most and would result in a material loss to the business. The first step in this process is understanding what is most important for the business to protect,” says Ryan Rubin, managing director and leader of Protiviti’s UK security and privacy practice. “Companies will need to accept a degree of inconvenience in areas that matter most. However, if they are honest about the risks they can live with and prioritise the risks they are not willing to accept, solutions can be implemented to minimise this inconvenience.”
Active incident response processes, proactive monitoring and greater “situational awareness” will all help businesses learn normal behaviour and detect anomalies, which may be early indicators of fraud, Mr Rubin adds.
In the case of financial institutions, though, they have to offer high levels of security by necessity and they rely on customers to be vigilant too. When cybercriminals steal money from customer accounts, the cost is passed on to the banks once they hand out compensation. It’s not just businesses that have to wise up when it comes to security.
PERSONAL DATA AND PORN
Privacy-conscious consumers, like criminal hackers, have a reason to target data brokers, organisations whose sole purpose is to collect people’s information to sell on to interested parties, primarily marketers. Given the nature of such businesses, company insiders at the brokers might not suffer paroxysms of guilt if they carried out their own attack on their employer’s network.
A US case tracked by investigators at Kroll in 2012 involved a particularly entrepreneurial employee who chose to use his role and access to company information to make thousands of dollars. Startlingly, the insider had actually contracted Kroll to investigate a missing laptop that contained sensitive data six weeks prior to the start of the investigation into his own activities.
The affected company noticed something odd when old equipment, which was supposed to have been decommissioned, was still in use. Why was it still running when new servers, worth as much as $50,000, had been purchased? It emerged the perpetrator of this particular fraud had bought up fresh systems so he could use the old ones to store certain business data and sell it off to interested outside parties.
He set up websites on the systems for that very purpose, selling background information on his employer’s staff to any willing bidders, including hacktivists looking to de-anonymise people they believed to be wrongdoers, according to Kroll.
It got worse. Not only had he set up chat forums to discuss deals with potential buyers of the data, he decided to run a pornography site on one of the servers. All this was done using the business’ systems, sucking up power and bandwidth, at a further cost to the organisation.
Once Kroll had uncovered his activities, swift action was taken to fire the employee and begin criminal proceedings. Everything was kept under the radar, due to the obvious embarrassment the company would have felt, hence the continued anonymity.
But the breach could have easily been prevented, says E.J. Hilbert, head of cyber investigations at Kroll Europe, Middle East and Africa. For starters, the firm wasn’t properly monitoring inbound and outbound connections into the company network. If the firm had layered automated tools designed to pick up on anomalous activity on gateways into the organisation, they would have been alerted to the unauthorised use of corporate computers.
The business also gave too much power to the fraudster, granting him access to all information on the network. There were close to zero checks on his activity. Indeed, it was only through an audit of new purchases that suspicions were raised.
Mr Hilbert believes the company relied too much on technologies, such as firewalls and intrusion detection systems, to counter threats. “We think tech is going to capture everything for us,” he adds. “But don’t just rely on the technology… You can’t throw a bunch of words at a computer and hope it writes a novel.”
Handpicked employees also need to be given oversight powers to watch the watchers, he urges. “Trust but verify is the key. Putting the keys to the kingdom in one person’s hand is a bad idea,” he adds. “You’ve got to put employees in the position where they are being watched and you don’t want to put them in a tempting situation. If you put someone in that situation, they’re liable to do something stupid.”