Post on 29-May-2020
#ACCOUNTEXUSA @accountexusa September 6-8, 2017
Fraud In The Cloud New Risks In A New Environment
Prepared and Presented by
Randy Johnston
K2 Enterprises, LLC
What About Randy?
Inducted Accounting Hall of Fame, Feb 2011
2004-2016 Accounting Today 100 Most Influential in Accounting for 13 years
Top 25 Thought Leader 2011-2017
40+ years of technology experience
Top rated speaker for over 30 years
Monthly columns on technology in CPA Practice Advisor
Published author of six books
From Hutchinson, KS
randy@k2e.com or randyj@nmgi.com, 620-664-6000 x 112
What About NMGI?
CRN top 100 technology company
MSPMentor top 100 company
NetCare – National CPA support services
NetRescue and NetStore – Backup Appliances and web-based backup
Boutique Technology and Business Continuity consulting – CPA Firm Technology Assessments, Paperless, Accounting Software Selection (ERP, BI, HR, SaaS, CRM)
WebCare and NetHosting – Custom Web site and Cloud services
About K2 Enterprises
Provides live and on-demand Continuing Professional Education (CPE) in 48 U.S. states and in Canada
Largest provider of technology-focused CPE for accountants and financial professionals in North America
Services Offered
Live in-person presentations (conferences & seminars)
Webinars
On-site training
On demand self-study materials
www.k2e.com for more information
K2 Enterprises Web Sites – No Tracking (75% of all web sites do!)
www.k2e.com - CPE Info
www.CPAFirmTech.com – CPA Firm Info
www.AccountingSoftwareWorld.com – Accounting Software Info
www.TotallyPaperless.com – Paperless Info
https://www.youtube.com/user/K2Enterprises - The K2 Enterprises YouTube channel with over 160 free technology training videos
Session Description
• Cloud-based applications have changed the way we work, play, and access information
• The benefits and risks associated with software-as-a-service (SaaS) and hosted applications are very different from those of traditional on-premises information technology
• Some traditional items used in an on-premises forensic investigation, like the transaction audit trail, user access logs, and computer access logs, are often difficult to obtain for cloud solutions, and may even be unavailable by the time you or your client suspect a crime
• In this session, you will learn about some of the new risks associated with cloud solutions as well as some techniques which can be used to limit these risks
Learning Objectives
• Define phishing and explain how it is used to gain access to systems and data
• Describe at least two of the data breaches covered in the materials and list at least one control which could have mitigated or prevented the data loss in the breach
• List and explain at least three significant issues associated with a cloud-based fraud investigation
Session Overview
• A Phishing Primer
• Tax-Related Identity Theft
• Data Breaches
• Issues Associated with a Cloud-based Fraud Investigation
A PHISHING PRIMER
How Phishing Attacks Work
• Real credentials harvested from the “fake” website are used against company portals
• Data is harvested and used to further attack individuals and perpetrate crimes
Fake website resembling Outlook Web Access
In Focus: Phishing
FIN4’s Approach: Get Data For Insider Trading
• E-mail targeted at C-suite, regulatory, legal, and investor relations personnel
• Security consultants FireEye report that FIN4 have penetrated “80 public companies and 20 banks”
• Messages also may include:
– Word/Excel/PowerPoint files with macros which prompt the user to enter Outlook password
– Links to fake “Outlook Web Access” portals which gather credentials
• Sample message (shown on slide)
Source: Ars Technica, 12/1/2014 http://bit.ly/fin4phishing
Quotes From FireEye On FIN4
FireEye Threat Intelligence Manager Jen Weedon said:
“The hackers only targeted people with access to highly insider data that could be used to profit on trades before that data was made public. They sought data that included drafts of U.S. Securities and Exchange Commission filings, documents on merger activity, discussions of legal cases, board planning documents and medical research results.”
“They are pursuing sensitive information that would give them privileged insight into stock market dynamics.”
– Jen Weedon, FireEye Threat Intelligence (as reported by Yahoo! News)
Source: Yahoo News 12/1/2014 http://bit.ly/fin4-finfraud
Timeline Of The FIN4 Phishing Attack
Source: Ars Technica, 12/1/2014 (http://bit.ly/fin4phishing)
Target Of RSA Phishing Attack: Defense Secrets And Related Intellectual Property
Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011
Timeline dates on slide: Winter 2011, March 17, April 1, May 21, May 31, June 1, June 7
• Low-level RSA staff receive email apparently from colleague
• Subject line: “2011 Recruitment Plan”
• RSA discloses attack in SEC filing and on company web site
• RSA web site post: “Anatomy of an Attack”
• Describes exploitation of zero-day Flash vulnerability
• Lockheed Martin computer systems detect an intruder
• Company statement: “Our systems remain secure”
• Attack on L-3 Communications reported
• Attributed to leverage of information from RSA breach
• Northrop Grumman cuts off remote access to its network
• RSA official admits compromise of entire SecureID system
Phishing And Spear Phishing At ORNL
• Oak Ridge National Lab
• National security and nuclear weapons research
• National Supercomputer Center
• Hacked in April 2011
• Attackers used a “spear phishing” attack
• Gained root access to key systems
• ORNL shut down its systems for two days while it responded to the crisis
2011 ORNL Phishing Attack Timeline
Timeline dates on slide: April 7, April 11, April 12, April 15
• 573 phishing emails
• 50 users clicked
• 2 systems infected
• 1 system with admin privileges compromised
• ORNL notified of suspicious activity by DOE-CIRC, DOE-CI, and ORNL local cyber staff
• Increased activity
• Web services shut down
• Domain controller and Active Directory compromised
Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011
Phishing Email Example – Oak Ridge National Lab
Sign #1: This is NOT an ORNL mailing address. Do you know the sender? Were you expecting an email? When in doubt, delete.
Sign #2: Always beware of general salutations!
Sign #3: Hovering your mouse over these links shows that both point to the same destination: http:/www.ansme.com/topic/index.htm. This does not match the topic of the reference in the link or the email.
Sign #4: Nowhere in this email is there any specific reference to ORNL; all references are generic. No affiliation should raise your suspicion level.
Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011
ORNL Response To Phishing Incident
Timeline dates on slide: April 7, April 11, April 14, April 15, April 29
• 4 staff reported phishing email to cyber security
• Cyber security disabled embedded link in phishing email
• Incident response team activated and began network monitoring
• Infected machine removed from network
• All other machines that clicked on email removed from network
• 2 trojaned systems exfiltrated files (~4 MB)
• Microsoft web servers shut down; ORNL disconnected from Internet
• Network reconnected to Internet with restricted/monitored communications
Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011
ORNL Ongoing Efforts To Increase Security
• Education and awareness of social engineering techniques
• Limits on administrative privileges
• Segmentation of computer network architecture
• Additional monitoring and tracking tools
Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011
Diagram labels: user awareness; organizational segmentation; block outbound connections to the Internet; least user privileges; network flow monitoring; desktop log aggregation
MONETIZING STOLEN CREDIT CARDS
How Stolen Credit Cards Are Monetized
• Perpetrators steal data from brick and mortar stores, POS breaches like Target, and other crimes/scams
• Data thieves bundle cards by bank ID and geography and sell online anonymously in underground marketplaces
– Cards are valued based on the age of the data and the guaranteed validity (%)
– The geography component is needed so that the ill-gotten gains can be purchased from areas near the victim’s home (avoid suspicion by credit card companies)
• Purchasers buy things online and at big box stores
• Remailers receive the goods and forward them to others
How Offshore Cyber Crooks Steal Credit Cards, Sell Stolen Data, Buy Goods, And Turn Them Into Cash
Diagram labels: card data sold in “carding shops” like “McDumpals”; card data purchasers buy merchandise and sell online or ship overseas to monetize stolen data; example: services like Label City
Source: http://krebsonsecurity.com/2014/08/white-label-money-laundering-services/
Stolen Card Data Reliability Drops With Age
Source: http://krebsonsecurity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach/
The Effects Of Breach Aging On Data Value
• The early cards from the Target Breach were advertised as “100% valid” and sold for between $26.60 and $44.80 each in mid-December 2013
– Target announced the breach on 12/19/2013
– A 1/21/2014 batch (+32 days) claimed an “83% valid rate”
– A 1/29/2014 batch (+40 days) claimed a “70% valid rate”
– A 2/6/2014 batch (+48 days) claimed a “65% valid rate”
– By 2/14/2014, Krebs reports that some Target breach cards were selling for as little as $8-$28 per card, and were boasting a “60% valid rate”
• Some non-US Target breach cards retrieved as much as $120 per card, a significant premium over the US records
Source: http://krebsonsecurity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach/
“Work At Home” Scam Respondents Used To Reship Goods For Those Using Stolen Cards
Source: http://krebsonsecurity.com/2011/10/shady-reshipping-centers-exposed-part-i/
TAX-RELATED IDENTITY THEFT
What Is Tax-related Identity Theft?
• Tax-related identity theft occurs when someone uses a stolen Social Security number to file a tax return claiming a fraudulent refund
• Generally, false returns are filed early in the filing season
• Most victims are unaware until they file and the e-filed legitimate return is rejected, at which point the preparer learns that a return has already been filed using that SSN
Identity Theft Is A Significant Problem For Practitioners And Taxpayers
Source: IRS Taxpayer Advocate Annual Report to Congress 2015, Vol 1, MSP #16
Source: FTC Release promoting Tax Identity Theft Awareness Week - 1/25-1/29/2016
Tax/Wage ID Theft Complaints Vs. IRS CID Investigations, 2013-2015

                                                   2013       2014       2015
Tax or Wage ID Theft Complaints to FTC during Yr   87,206     109,250    221,854
IRS IDT Inventory at EOFY                          475,861    242,575    601,799
IRS CID IDT Investigations Commenced               1,492      1,063      776

(Chart on slide: ID theft complaints opened or open at EOFY shown as bars, left axis 0 to 700,000; investigations commenced during FY shown as a line, right axis 0 to 1,600.)
Selected Stats On Tax Identity Theft
• The number of ID theft (IDT) claims is up significantly, while the number of open IRS CID investigations at the end of each fiscal year is down by almost 50% in the last two years (2013-2015)
• IRS working with states, tax software companies, and payroll providers to address this growing problem
• Be very careful when sharing confidential data: a breach from you could be financially catastrophic
IRS Phishing Scams
Examples Of IRS Phishing E-mails
Source: IRS.gov
IRS Security Issues In Focus
• IRS reported a breach in its “Get Transcript” application affecting 724,000 taxpayers
• IRS provided credit monitoring and ID protection PINs
• IRS suspended the PIN program in early March 2016 amid issues, and may use a different authentication method next year
• Group of law firms still pursuing a class action against IRS
Know The Warning Signs
• Be alert to possible identity theft if you receive an IRS notice or letter that states that:
– More than one tax return was filed using your SSN
– You owe additional tax, refund offset or have had collection actions taken against you for a year you did not file a tax return
– IRS records indicate you received wages from an employer unknown to you
Steps To Take If You Become A Victim
• File a report with law enforcement
• Report identity theft at www.ftc.gov and learn how to respond to it at identitytheft.gov
• Contact one of the major credit bureaus to place a ‘fraud alert’ on your credit records:
– Equifax, www.Equifax.com, 1-800-525-6285
– Experian, www.Experian.com, 1-888-397-3742
– TransUnion, www.TransUnion.com, 1-800-680-7289
– Innovis, www.Innovis.com, 1-800-540-2505
• Contact your financial institutions, and close any accounts opened without your permission or those which have been compromised
SSN Compromised?
• If your SSN is compromised and you know or suspect you are a victim of tax-related identity theft, take these additional steps:
– Respond immediately to any IRS notice; call the number provided on the notice
– Remember that the IRS NEVER makes its first contact via telephone or e-mail; Uncle Sam uses old-school snail mail
– Complete IRS Form 14039, Identity Theft Affidavit
• Use a fillable form at IRS.gov, print, then mail or fax according to instructions
– Continue to pay your taxes and file your tax return, even if you must do so by paper
• If you previously contacted the IRS and did not have a resolution, contact the Identity Protection Specialized Unit at 1-800-908-4490
• The IRS has teams available to assist, but the Taxpayer Advocate reports that the time to resolve an identity theft case in FY 2015 was 179 days – so be patient, and FOLLOW UP!
Resources For Tax Preparers
• Publication 5199 Tax Preparer Guide to Identity Theft
• Publication 5027 Identity Theft Information for Taxpayers
• Publication 4535 Identity Theft Protection and Victim Assistance
• Publication 4600 Safeguarding Taxpayer Information
• Publication 4557 Safeguarding Taxpayer Data
• Publication 1345 Handbook for Authorized IRS e-file Providers
Identity Theft Resources
• http://www.irs.gov/Individuals/Identity-Protection
• https://www.identitytheft.gov/
• https://www.fbi.gov/about-us/investigate/cyber/identity_theft
Some Steps To Help Protect Your Organization Against Breaches And Phishing
• Conduct annual (or more frequent) user security training sessions
• Don’t click on links in e-mail messages – with one exception
– Online password reset e-mails where you have personally initiated the reset e-mail in the last five minutes
• Configure your organization’s junk e-mail filters to reject messages whose origin address does not match the sender’s expected IP address and country
• Inventory the types of confidential data stored in your organization
• Identify the key controls which protect each type of data
• Assess the identified risks, and document the likelihood and expected damages related to a breach for each type of confidential data
• Adjust your procedures and related controls to provide your desired level of control in response to the identified risks
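The junk-filter rule above (reject mail whose origin does not match the sender's expected IP address and country) is concrete enough to show in code. The script below is an added example, not K2's or any product's code: it takes the IP from the Received header written by our own gateway, which is the only hop the sender cannot forge, and compares it with a per-domain policy of allowed netblocks and expected country. OUR_GATEWAY, EXPECTED_ORIGINS, COUNTRY_BY_NETWORK and the three sample messages are constructed; a production gateway would derive the netblocks from the sender's SPF record and the country from a GeoIP database.

```python
"""Origin check for inbound mail.

Added example, not part of the K2 slides: implements the rule "reject a
message when the IP that handed it to our gateway is outside the netblocks
or country expected for the sender's domain".  EXPECTED_ORIGINS,
COUNTRY_BY_NETWORK, OUR_GATEWAY and the sample headers are constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

OUR_GATEWAY = "mx1.example-firm.com"   # assumed hostname of our receiving MTA

# Assumed per-domain policy a mail admin maintains (constructed values).
# An empty "networks" list means any netblock, so only the country is checked.
EXPECTED_ORIGINS = {
    "bank.example.com": {"networks": ["198.51.100.0/24"], "country": "US"},
    "vendor.example.org": {"networks": [], "country": "CA"},
}

# Assumed stand-in for a GeoIP lookup (constructed values).
COUNTRY_BY_NETWORK = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "CA",
    "192.0.2.0/24": "ZZ",
}


def connecting_ip(msg):
    """IP of the host that delivered the message to OUR_GATEWAY.

    Each hop prepends its own Received header, so the first header whose
    'by' clause names our gateway describes the external connection; any
    headers below it were supplied by the sender and cannot be trusted.
    """
    for received in msg.get_all("Received", []):
        if f"by {OUR_GATEWAY}" in received:
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
            if m:
                return ipaddress.ip_address(m.group(1))
    return None


def country_of(ip):
    for net, country in COUNTRY_BY_NETWORK.items():
        if ip in ipaddress.ip_network(net):
            return country
    return None


def origin_verdict(raw):
    """Return ('accept' | 'reject' | 'unknown', reason)."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rsplit("@", 1)[-1].lower()
    ip = connecting_ip(msg)
    if ip is None:
        return "reject", "no Received header names our gateway"
    rule = EXPECTED_ORIGINS.get(domain)
    if rule is None:
        return "unknown", f"no origin policy for {domain}"
    if rule["networks"] and not any(ip in ipaddress.ip_network(n) for n in rule["networks"]):
        return "reject", f"{ip} is outside the expected netblocks for {domain}"
    country = country_of(ip)
    if country != rule["country"]:
        return "reject", f"{ip} geolocates to {country}, expected {rule['country']}"
    return "accept", f"{ip} matches the origin policy for {domain}"


# Constructed samples.  The second Received line in SPOOFED sits below our
# gateway's line, which is where a sender-forged hop would appear.
SPOOFED = """\
Received: from mail.bank.example.com (unknown [192.0.2.77]) by mx1.example-firm.com; Wed, 6 Sep 2017 09:00:00 +0000
Received: from internal.bank.example.com ([198.51.100.9]) by mail.bank.example.com; Wed, 6 Sep 2017 08:59:00 +0000
From: "Fraud Desk" <alerts@bank.example.com>
To: cfo@example-firm.com
Subject: Urgent: verify your account

Please log in using the link below.
"""

LEGIT = """\
Received: from out.bank.example.com (out.bank.example.com [198.51.100.25]) by mx1.example-firm.com; Wed, 6 Sep 2017 09:05:00 +0000
From: "Statements" <alerts@bank.example.com>
To: cfo@example-firm.com
Subject: Your statement is ready

Your monthly statement is available in online banking.
"""

WRONG_COUNTRY = """\
Received: from relay.vendor.example.org (unknown [192.0.2.10]) by mx1.example-firm.com; Wed, 6 Sep 2017 09:10:00 +0000
From: "Accounts" <ar@vendor.example.org>
To: ap@example-firm.com
Subject: Invoice 1042

Attached invoice for your review.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("wrong country", WRONG_COUNTRY)):
        print(name, origin_verdict(raw))
```

The spoofed message is rejected because 192.0.2.77 is outside the bank's netblock, the legitimate one is accepted, and the vendor message is rejected on country alone. In practice SPF, DKIM and DMARC give the same kind of check in a standardised form, and a gateway that enforces DMARC already rejects most forged-origin mail of this type; the hand-rolled policy is useful for senders whose DNS records are missing or too permissive.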
Summary
• Phishing is always a concern – be vigilant
– Don’t click on links in e-mail messages
– Don’t give out data to people who call you without authentication
• IRS has had significant issues with breaches which may affect you, your friends, and your clients
• Data breaches affect everyone, and compliance with breach reporting statutes is expensive and requires cyber insurance
• Cloud applications may lack the audit trails and data needed to support an investigation