Ako sa nestat internetovym podvodnikom

How to (not to) become an Internet Fraudster, Boris Mutina

Transcript of Ako sa nestat internetovym podvodnikom

Page 1: Ako sa nestat internetovym podvodnikom

How to (not to) become an Internet Fraudster

Boris Mutina

Page 2: Ako sa nestat internetovym podvodnikom

Disclaimer

There are so many kinds of Internet fraud. It is possible to use almost everything possible and impossible ... even the things you've just discovered.

But don't try this at home. I've warned you.

btw1: everything mentioned in this presentation is real

btw2: I am sorry if you've expected any new hacks against the banks, there are no such things here

btw3: you can ask questions during the presentation

Page 3: Ako sa nestat internetovym podvodnikom

I want to become rich!

1. legal ways are not all the time so boring but I recommend
- quite big choice
2. also a big choice of illegal ways
- consequences can hurt

vaseline costs almost nothing but paying taxes hurts less

Page 4: Ako sa nestat internetovym podvodnikom

Who is the victim?

Two approaches observed:

1. victims are profiled thoroughly - their social status, position, age, possible knowledge of the IT technologies, profession etc., their colleagues, business partners, friends... Financial crisis is also considerable in these days as there's problem of getting the funds

2. randomly selected victims - less sophistication observed when the fraud amount is too high or too low

Page 5: Ako sa nestat internetovym podvodnikom

Accounts! Or?

Important is to understand what accounts the person uses
- emails, FB, whatever!
- Maltego Community is powerful enough to dig quite deep
- various online tools offer quite comprehensive analysis of the online "existence"
- understanding the habits, skills and other details turned out to be a crucial success factor

Fraudsters love FUD, NSA, MH370, but for financial sector this is too obvious and recognized. What about something LESS sophisticated?

Page 6: Ako sa nestat internetovym podvodnikom

Dump. Because the future is uncertain

But also quite effective

Yes, agree, pretty lame!

Fraudsters are sending the phishing emails to any email address they can get. It makes them happy to find again new passwords.

Btw0: consider the recipients are not often IT skilled

Btw1: password reuse is a real issue here!

Btw2: what about the credential leaks?

Page 7: Ako sa nestat internetovym podvodnikom

Money mules? No prob bro!

Page 8: Ako sa nestat internetovym podvodnikom

I want your money!

Btw1: never reuse the money mules

Now the easier part. After analyzing the emails send few to the bank, business partner or someone who can send the money. Money transfer to Singapore, China or even Austria, just be inspired by the money mule location.

Page 9: Ako sa nestat internetovym podvodnikom

Social engineering tricks?

Oh yes, we love them very much, don't forget, we own all emails, we know even the grandma's birthday.

Fraudsters request often the SWIFT messages, use words "urgent", claim to be on a business trip unable to pick up the phone (but respond to emails...).

In some cases they even call to the bank!

Btw1: vacation and Xmas time peaks

Btw2: there's no plan B, success rate higher than Nigerian scam
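
The request patterns named on this slide (SWIFT message requests, "urgent", the business trip with no phone, the seasonal peaks) together with an unfamiliar transfer destination can be scored as a triage check on e-mailed payment instructions. This is an added example, not part of the original presentation; the regexes, weights, threshold, peak-season dates, country codes and sample messages are assumptions constructed for illustration.

```python
import re
from datetime import date

# Signals named on the slide; patterns, weights and threshold are assumptions.
PATTERNS = {
    "urgent": (re.compile(r"\burgent(ly)?\b", re.I), 2),
    "swift_request": (re.compile(r"\bswift\b", re.I), 2),
    "business_trip": (re.compile(r"\bbusiness trip\b|\btravell?ing\b", re.I), 1),
    "no_phone": (re.compile(
        r"\b(unable to|cannot|can't|not able to)\b[^.]{0,40}\b(phone|calls?)\b",
        re.I), 3),
}
CONTEXT_WEIGHTS = {"new_country": 3, "peak_season": 1}
HOLD_THRESHOLD = 5  # at or above: hold payment, call back on a number on file


def in_peak_season(sent: date) -> bool:
    # Slide: "vacation and Xmas time peaks"; the date ranges are assumed.
    return sent.month in (7, 8) or (sent.month == 12 and sent.day >= 15)


def triage(body: str, sent: date, dest_country: str, usual_countries: set):
    """Return (score, signals, action) for one e-mailed payment instruction."""
    signals = [name for name, (rx, _) in PATTERNS.items() if rx.search(body)]
    score = sum(PATTERNS[s][1] for s in signals)
    if dest_country not in usual_countries:
        signals.append("new_country")
    if in_peak_season(sent):
        signals.append("peak_season")
    score += sum(CONTEXT_WEIGHTS.get(s, 0) for s in signals)
    action = "hold_and_call_back" if score >= HOLD_THRESHOLD else "normal_processing"
    return score, signals, action


# Constructed sample messages, not real correspondence.
SUSPICIOUS = ("Please process the attached transfer today, it is urgent. "
              "I am on a business trip and unable to pick up the phone. "
              "Send me the SWIFT message once done.")
ROUTINE = "Please find the monthly invoice attached. Call me if anything is unclear."

if __name__ == "__main__":
    print(triage(SUSPICIOUS, date(2014, 12, 22), "SG", {"SK", "CZ", "AT"}))
    print(triage(ROUTINE, date(2014, 3, 10), "CZ", {"SK", "CZ", "AT"}))
```

The call-back in the hold action has to go to a number already on file for the customer, never to one supplied in the message itself.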

Page 10: Ako sa nestat internetovym podvodnikom

Aftermath

After money arrives to the BNF bank, it becomes untraceable: Money mule takes it out and sends to another destination while taking small fee (can be up to 30% - nice job of the money mules?)

Page 11: Ako sa nestat internetovym podvodnikom

Another scams?

Of course, this is not the only one scenario that works. I can give you couple of others but we're out of time and actually... don't try this! remember?

But there are nice forms of advanced fee...

Page 12: Ako sa nestat internetovym podvodnikom

Hypothetical thoughts

Research techniques in terms of OSINT or crossing the border? How deep is the spear phishing involved? Other sources?

How deep is the target profiling? Does anybody collect the data, analyze it deeply?

If so, what do they know about me, my family, my company? What are the protective measures?

And what about security guys being sometimes too high?

Page 13: Ako sa nestat internetovym podvodnikom

Thanks!

Do you have questions?

I maybe have the answers :P