
Current Trends in Corporate Criminal Activity

1:15 PM - 2:15 PM

4/28/2015


Presenters:

• John McCullough, Financial Crimes Service
  • [email protected]

• Fred Laing, Upper Midwest Automated Clearing House Association
  • [email protected]

4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 2


Agenda

• Transition and New Approaches to Crime Trends

• Cybercrimes

• Mitigation Techniques


Transition and New Approaches to Crime Trends


Physical Attacks Merging with Technology (Blow Torching ATMs, Madison, WI)


Sophisticated Skimmers on ATMs for Data

Physical Attacks with Technology


Criminal Evolution: Focus on Gathering Data

• The

Device placed inside gas pumps, Bluetooth connected, not as detectable

First-generation gas pump skimmers placed on the outside


Technology to Clone Cards, Just Add Data (Target Data, Home Depot, etc.)


You’re Hired to Shop (Mules)

Be a “Secret Shopper” letter…

US residents in all 50 states being approached

Letter instructing them to deposit the check into their personal account for 24 hours

Sent on a series of “secret shopper” tasks

Test Wal-Mart by sending a wire transfer/MoneyGram using these funds

“Shopper” completes customer service report and keeps $350

Letters postmarked from Spain

This check turns out to be counterfeit and is drawn against Wal-Mart’s Payroll Account


Letters sent to “mules”

Letter looks real

Individuals with no jobs find this offer a great opportunity

Greed does play a role in this process

This person ends up as the loser


It Just Doesn’t End There


Cybercrimes

• Criminals are seeking business, government and personal data

• Data is valuable to other criminals (i.e., Darknet) and is sold

• It's all about data: used to impersonate businesses and government agencies, and employee PII or consumer data used to take over accounts, steal funds, illegally purchase goods/services, create new identities, open accounts, buy and trade, fund terrorism activities, and so on …


Common Thread in Financial Crimes:

• Always impersonations

• The representations may appear credible

• Data breaches seek personal, business or government data

• Detection and apprehension are difficult, and the crimes are hard to prove

• The virtual world and physical world have merged

• Virtual currency is becoming a common pathway for financial funding of organized criminal and terrorist activity to avoid detection

Being a little paranoid is a good thing when it comes to fraudsters!


Financial Crime Trends (What Are We Seeing)

• Banks:
  • Data breaches, debit and credit fraud followed by check fraud, new wire fraud methods, and mobile deposit fraud…

• Retailers:
  • Data breaches, debit card fraud, cloned cards, gift card fraud and return fraud, and scams to fraudulently purchase and resell smart phones…

• General businesses:
  • “Network system attacks”, data breaches, counterfeit checks, account takeover, employee impersonations on tax return frauds, business impersonations

• Medical:
  • “System attacks”, fraudulent claims, patient impersonations, medical prescription fraud


JP Morgan Chase (Give Me Derivatives)


The intrusion likely resulted, as many cyber breaches do, from an employee clicking on a malicious link and/or attachment in a so-called “phishing email”. That’s how investigators believe the hackers accessed the State Department’s systems.

U.S. Officials Say Russians Hacked White House Computers


What is Thought to Have Happened:

• Russian hackers who were behind the cyber intrusion of the State Department in recent months used malware called “perch” to penetrate sensitive parts of the White House computer system, according to a U.S. official

• This malware is a “low and slow process”, which over time steals data and avoids detection in network systems.

• The White House has said the breach affected an unclassified system. But that gave the hackers access to such sensitive information as real-time nonpublic details of the President's schedule.

• One official says the Russians have "owned" the State Department system for months


White House Asks For Our Help! (Fred and John)

• Here is what we found:

• We found the employee that opened the malware

• This employee opened an email

• The employee downloaded an attachment

• This let the Russians “in”

• Who is it? (Next Slide)


Fred and John Found Him Opening This Email and Downloading it…


Email: The Subject Matter is Meant to Fool Your Employees

• USPS - Missed package delivery
• FW: Invoice <random numbers>
• ADP Reference #<random numbers>
• Payroll Received by Intuit
• Important - attached form
• FW: Last Month Remit
• Scanned Image from a Xerox WorkCentre
• Fwd: IMG01041_6706015_m.zip
• My resume
• Voice Message from Unknown Caller (<phone number>)
• Important - New Outlook Settings
• FW: Payment Advice - Advice Ref:[GB<random numbers>]
• New contract agreement
• Important Notice - Incoming Money Transfer
• Payment Overdue - Please respond
• FW: Check copy
• Corporate eFax message from <phone number>
• FW: Case FH74D23GST58NQS


It Takes Only One Employee to Make a Mistake!


How Effective Are These Criminals

780 Corporations

85 million known victims


The Report Lists 24 Pages of Corporations with Data Breaches

http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf


April 2015 CompTIA Survey on Data Breach Causes

• Human error accounts for 52%

• Technology errors account for 48%

Other Comments:

• 32% of respondents did not have the ability to prevent an attack

• 51% lacked training to deal with insider threats

• 43% cited budget issues

• 40% did not have sufficient staff


Substantial Increase of Tax Return Fraud


“Someone Filed My Tax Return”… Beware!

• Intuit

• CATO, breaching business networks

• Acquire payroll records

• Criminal impersonates the person in a tax filing

• If a pattern develops, consider possible data breach

• Have contingency plans for employees to report such incidents


Tax Fraud Season

• If you become a victim of identity theft, the IRS recommends you take the following steps right away:
  • Contact the IRS Identity Protection Specialized Unit at 800-908-4490 x245 so that steps can be taken to secure your tax account
  • Complete IRS Identity Theft, IRS Form 14039
  • Report ID theft incidents to the Federal Trade Commission at consumer.ftc.gov or the FTC Identity Theft Hotline at 877-438-4338.
  • File a report with the local police
  • Contact the fraud departments of the three major credit bureaus: Equifax, equifax.com, 800-525-6285; Experian, experian.com, 888-397-3742; and TransUnion, transunion.com, 800-680-7289
  • Close any accounts that have been tampered with or opened fraudulently


Wire Frauds Are Increasing

• The FBI Denver Division has received an increase in “business e-mail compromise” criminal complaints.

• The fraud occurs when the controller, treasurer, or accounting officer at the business receives an e-mail that appears to be from the company executive.

• The e-mail is a request that a wire transfer be sent. The fraudulent e-mail appears to have originated from an executive within the company or appears to be an e-mail chain forwarded from company executives.

• The e-mail includes an attachment with instructions for the wire transfer.

• The domain name used to send the fraudulent e-mail is similar to the company’s domain name with a minor change.


Common Wire Frauds Today (This April Example, CA)

Homeland Security Investigators in San Francisco are currently investigating an organization that creates domain names which are similar to those of known organizations and sends fraudulent wire instructions to employees via email. The employee believes the requests are originating from a high level manager within their company, and proceeds…

On 4/10/2015, HSBC Hong Kong received a $375,000.00 wire transfer from the United States. The wire transfer was sent to BROTENT TENTNOLOGY, LTD Account # 801-1X85XX-838. If your institution wired funds to this account, please contact SSA Michael Shinn. Thank you.


Why do people still fall for phishing attacks, especially finance people in charge of wire transfers at corporations?

• In an organization with 10,000 employees, even if only one out of a thousand employees opens the phishing document, they're compromised, leading to loss of information and attacks

• Criminals target selected employees with authority and attempt to fool them with fake emails

• The targeted employees are busy and trusted employees, likely overworked, under deadlines, mistakes happen…


Dave Jevans, Co-founder of the Anti-Phishing Working Group Stated:

• The hacker attack against Anthem Inc. (data breach)

• Started with a spear-phishing campaign which targeted five of its employees

• The real risk here is an increase in targeted attacks against a handful of key employees within your organization (people with authority)

• Data breach malware has spread to vendors with the intent to come through the “side door” of the vendor's corporate clients being serviced (i.e., Target and Vendor)


Mitigation: Training of Employees

https://www.youtube.com/watch?v=PnSSGu8UMYU

https://www.youtube.com/watch?v=aSYIz8df58k

https://www.youtube.com/watch?v=SL9P9nSquv8


Other Risks to Consider

• Disgruntled employee(s)

• Criminal partners, “insider”


Taking Your Computer/Smart Phone Hostage


Example “Ransomware”:

• Your system is locked by cyber criminals with a message denying access to files

• Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware that locks the corporate user out or encrypts files so that the user can no longer access them

• Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased

• How does it start: Criminals will use various ploys to get staff to click on links or download attachments, which, in turn, infect their computers


Lance James, head of cyber-intelligence at the consultancy Deloitte & Touche.

• Now experts are calling attention to one of the reasons why “ransomware” attacks are becoming more common - because organizations say they'd rather not deal with the fallout that trails a breach or cyber-attack that goes public. Instead of getting law enforcement involved, they'd rather try their hands at making deals with their attackers first.

• But paying ransom is short-sighted and is never a good idea. Why? Because cybercriminals rarely keep their end of the bargain. Organizations that negotiate with hackers often end up with lost data after paying a hefty ransom.


Extortion Methods Expanding


Cyber Extortion is Successful

• 1/3 of US corporations who experience cyber extortion would negotiate for data return

• Corporations do not want to report extortions to law enforcement

• Corporations do not want the publicity

• Corporations' expenses to clean up and notify parties are costly

• Corporation stock shares drop

• Potential regulatory issues and fines

• CEOs and CIOs on the hook


Distributed DoS attack

“So the bad guys took our servers down…”

Answer: They are testing your response and planning other activity. They may use a DDoS attack as a distraction from another event they are executing against the company


Distributed Reflection DoS attack

• Combines Reflection and Amplification

• Uses third-party open resolvers in the Internet (unwitting accomplice)

• Attacker sends spoofed queries to the open recursive servers

• Queries specially crafted to result in a very large response

Impact:

• Causes DDoS on the victim’s server

http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html#slide6


Cache poisoning: Corruption of the DNS cache data

1. Attacker queries a recursive name server for IP address of a malicious site

2. The recursive server does not have the IP address and queries a malicious DNS resolver

3. The malicious resolver provides requested rogue IP address and also maps the rogue IP address to additional legitimate sites (e.g. www.mybank.com)

4. The recursive name server caches rogue IP address as the address for www.mybank.com

5. User queries the recursive server for IP address of www.mybank.com

6. The recursive server replies to user with cached rogue IP address

7. Client connects to site controlled by attacker, thinking it is www.mybank.com

Impact: Logins, passwords, credit card numbers of the user can be captured


TCP SYN floods

• Uses the 3-way handshake that begins a TCP connection

• Attacker sends spoofed SYN packets with the source IP address of bogus destinations

• The server sends SYN-ACKs to these bogus destinations

• It never receives acknowledgement back from these destinations and the connections are never completed

• These half-opened connections exhaust memory on the server

Impact:

• Server stops responding to new connection requests coming from legitimate users


DNS tunneling

• Uses DNS as a covert communication channel to bypass the firewall

• Attacker tunnels other protocols like SSH, TCP or Web within DNS

• Enables attackers to easily pass stolen data or tunnel IP traffic without detection

• A DNS tunnel can be used as a full remote control channel for a compromised internal host.

• Also used to bypass captive portals to avoid paying for Wi-Fi service

Impact:

• Data exfiltration can happen through the tunnel
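A detection sketch for the tunneling behaviour listed on this slide, added here as an example and not taken from the presentation: tunnelled data shows up in resolver logs as many unique, long, high-entropy subdomains under one parent domain from one client. The log format, thresholds and host names are assumptions, and the sample log is constructed.

```python
"""Heuristic DNS-tunnel detector over resolver query logs (constructed log format)."""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score higher than ordinary host names."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum((n / len(text)) * math.log2(n / len(text)) for n in counts.values())


def find_tunnel_candidates(log_lines, min_unique=20, min_avg_len=30, min_entropy=3.5):
    """Group queries by (client, parent domain) and flag tunnel-like groups.

    Assumed log format: "<timestamp> <client_ip> <qtype> <qname>".
    The parent domain is taken as the last two labels (no public-suffix list),
    and the three thresholds are illustrative starting points, not tuned values.
    """
    subdomains = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the run
        _, client, _, qname = fields
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        parent = ".".join(labels[-2:])
        subdomains[(client, parent)].add(".".join(labels[:-2]))

    findings = []
    for (client, parent), names in sorted(subdomains.items()):
        avg_len = sum(len(n) for n in names) / len(names)
        entropy = shannon_entropy("".join(sorted(names)))
        # All three signals must agree: a busy CDN has many names but short ones.
        if len(names) >= min_unique and avg_len >= min_avg_len and entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": parent,
                "unique_subdomains": len(names),
                "avg_length": round(avg_len, 1),
                "entropy": round(entropy, 2),
            })
    return findings


def sample_log():
    """Constructed resolver log: a busy CDN, normal lookups, one tunnel-like host."""
    lines = []
    for i in range(30):
        lines.append(f"2015-04-10T09:00:{i:02d} 10.0.0.11 A img{i}.cdn.test")
    for host in ("www", "mail", "vpn"):
        lines.append(f"2015-04-10T09:01:00 10.0.0.12 A {host}.intranet.test")
    for i in range(25):
        # 40 hex characters stand in for an encoded chunk of data in the query name.
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        lines.append(f"2015-04-10T09:02:{i:02d} 10.0.0.23 TXT {chunk}.exfil.test")
    return lines


if __name__ == "__main__":
    for finding in find_tunnel_candidates(sample_log()):
        print(finding)
```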


DNS hijacking

• Modifies DNS record settings (most often at the domain registrar) to point to a rogue DNS server or domain.

• User tries to access a legitimate website www.mybank.com

• User gets redirected to bogus site controlled by hackers that looks a lot like the real thing.

Impact:

• Hackers acquire user names, passwords and credit card information

See all ten: http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html#slide6


Why Does This Keep Happening

“The reality is: The dark element is much better at information-sharing than the corporations are.” (Usman Choudhary, ThreatTrack)

• Advanced Persistent Threat (APT): attacks networks with a low and slow method

• Organized

• Motivated

• Well funded

• Smart and share information better than corporations

• Information is valuable on the black market (Sony)


Mitigation Techniques and Tips


Training: Employee Education is Missing…

• Do you have a formalized ongoing training program?

• Human error accounts for 52% of data breaches

• AND – Educate, Educate, Educate

• Focus on specialized training for personnel with authority


Mitigation Techniques

• Companies can open email attachments in a secure container or virtual machine, to avoid infection of the target computer

• Employ multiple anti-virus products to detect various malware techniques

• Training users to avoid opening spam emails is also very important

• Bankers need to educate users about the limits of two-factor authentication

• Employees should not rely on the information presented on the screen (links, phone numbers, pop-ups, domain names)

• Use analytics software that can detect, say, that an organization is sending $500,000 to an account the bank has never seen before

• A DNS attack is an indicator you have been or are being hit… It is a distraction to keep you from detection of the real threat or execution of a crime


From a Network Standpoint

• Anti-virus software

• Firewalls

• Anti-Malware software

• Install software updates ASAP

• Monitor Internet traffic

• Manage passwords

• Strong policies defining what employees can do with their work computers when it comes to internet access, use of external devices, etc.

• An educated employee base


Physical/Network Security

• Use Dual Control whenever handling financial transactions

• Change vendor supplied defaults

• Encrypt data when you can

• Develop and implement a data retention, storage and destruction policy

• Ensure terminated employees' credentials are deleted

• Ensure hiring policies include verifying application data and checking references

• Regularly test systems for vulnerabilities

• AND – Educate, Educate, Educate


Cash Management Products

• Positive Pay, Reverse Positive Pay

• Debit blocks and filters
  • Stop all debits vs. stop all but specific debits

• Separate accounts for separate processes
  • One for payroll, another for receivables, etc.

• Account reconciliation
  • DAILY!!

• Balance Reporting


Out-of-Band Authentication Between You and Your FI

• What is it?
  • Phone call (voice authentication or just a simple phone call)
  • Text message (SMS)
  • Secure e-mail
  • Fax

• Why do it?
  • To authenticate that the file or transaction is what you intended to generate
  • Fraud prevention method but may also assist in preventing unintentional processing errors (sending the wrong week’s payroll file to your FI)


Ways to Authenticate

• User ID and password (and/or picture) – this is a single factor and not sufficient by itself; Challenge Questions fall into this too

• Token(s) – a second factor, somewhat effective but there needs to be more; could be a cell phone or other similar device

• Biometric – a third factor, hard to control in a virtual exchange but effective when used

• FFIEC defined three factors: what you know, what you have, and what you are


Exposure Limits

• Usually based on a credit review but can be used to limit fraud loss exposure

• Company and bank should work together to set the limit(s)

• Can be for a file, batch, or entry and can be daily, weekly or even monthly

• Should be set close to the size of the largest anticipated file

• Monitoring should be real time

• Limit should be reviewed regularly

• There should be well defined over-limit procedures


Anomalous Detection & Layered Security

• Look for trend lines that are “out of band”

  • Sudden increases in transaction volume, dollar amounts, or returns

• Review ALL the data in a file: has anything changed from the last file?

• Where did the instructions come from?

• When do you access the network to generate the transactions?

• In other words, LOOK FOR ANYTHING THAT’S DIFFERENT FROM WHAT YOU NORMALLY SEE!
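
Added example, not part of the original slides: the exposure-limit checks and the "has anything changed from the last file?" review described above, applied to a payment file before it is released. The limits, payee names, account details, and finding codes are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Entry:
    payee: str
    routing: str
    account: str
    cents: int  # amounts kept in cents to avoid float rounding

# Constructed limits; real ones are set by the company and its bank together.
ENTRY_LIMIT = 500_000    # $5,000 per entry
FILE_LIMIT = 2_500_000   # $25,000 per file
SPIKE = 1.5              # flag anything 50% above the recent average

def review_file(current, previous, past_totals, past_counts):
    """Return (finding, subject) pairs; an empty list means nothing looks different."""
    findings = []
    total = sum(e.cents for e in current)
    if total > FILE_LIMIT:
        findings.append(("FILE_LIMIT", "file"))
    findings += [("ENTRY_LIMIT", e.payee) for e in current if e.cents > ENTRY_LIMIT]
    # Trend lines: dollar amount and volume compared with recent files.
    if past_totals and total > SPIKE * mean(past_totals):
        findings.append(("AMOUNT_SPIKE", "file"))
    if past_counts and len(current) > SPIKE * mean(past_counts):
        findings.append(("VOLUME_SPIKE", "file"))
    # Has anything changed from the last file?
    last = {e.payee: (e.routing, e.account) for e in previous}
    for e in current:
        if e.payee not in last:
            findings.append(("NEW_PAYEE", e.payee))
        elif last[e.payee] != (e.routing, e.account):
            findings.append(("DETAILS_CHANGED", e.payee))
    return findings

# Constructed sample data: fictional payees, placeholder routing numbers.
PREVIOUS = [Entry("A. Ruiz", "000000001", "1111", 210_000),
            Entry("B. Chen", "000000001", "2222", 195_000),
            Entry("C. Okafor", "000000001", "3333", 220_000)]
CURRENT = [PREVIOUS[0],
           Entry("B. Chen", "000000002", "9999", 195_000),   # bank details changed
           PREVIOUS[2],
           Entry("D. Vendor LLC", "000000002", "8888", 1_900_000)]  # new, large
PAST_TOTALS, PAST_COUNTS = [620_000, 625_000, 630_000], [3, 3, 3]

if __name__ == "__main__":
    for kind, subject in review_file(CURRENT, PREVIOUS, PAST_TOTALS, PAST_COUNTS):
        print(f"HOLD for out-of-band confirmation: {kind} ({subject})")
```

Any finding should route the file into the over-limit or out-of-band confirmation procedure rather than releasing it automatically.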


FCC Recommendations for Small Businesses

1. Train employees in security principles

2. Protect information, computers and networks from viruses, spyware and malware

3. Provide firewall security for your internet connection

4. Download and install software updates as they become available

5. Make backup copies of important business data

6. Control physical access to your computers and networks


FCC Recommendations for Small Businesses (cont.)

7. Secure your Wi-Fi networks

8. Require individual user accounts for each employee

9. Limit employee access to data & information, limit authority to install software

10. Regularly change passwords


Mitigation Recommendations for Business Customers Using Online Payments

(Spear Phishing and Business Account Takeover Attacks)

• Initiate payments under dual control

• Use a dedicated computer where email and web browsing are not possible

• Limit admin rights on users’ workstations

• Reconcile transactions on a daily basis

• Implement an employee awareness program

• Implement fraud detection systems with predictive analytics and transaction monitoring capabilities

• Use Out-Of-Band authentication systems

  • Manual client callback

  • SMS text messaging

  • Interactive Voice Response

• Fourteen additional in-depth defenses


Security is a TOTAL System, Process, and Procedure Issue!!

[Diagram: enterprise environment across Endpoint, Network, Applications, Files, and Storage, from remote employees, partners, customers, and outsourced development through WAN/WWW/VPN to enterprise email, business analytics, the customer portal, production data, backups, and DR]


Security is a TOTAL System, Process, and Procedure Issue!!

[Diagram: enterprise environment (endpoints, network, applications, files, storage) annotated with threats: device theft and loss, media theft and loss, takeover, fraud, intercept, eavesdropping, unauthorized access, unauthorized activity, data theft, data loss, unintentional distribution, corruption, unavailability, and DOS]


What Happens If Your Organization Is a Victim?

• Discontinue using whatever piece of hardware is infected and disconnect it from any network (use an expert for removal)

• Determine what “connections” that computer had with others and check those for problems

• Let corporate security know immediately so they can contact the authorities and any outside organization they feel may be needed to fix the problem

• Change passwords, IDs, etc. for anyone accessing systems tied to the infected system and disable the old ones

• Notify your provider(s) within 24 hours


Recommendations (cont.)

• (Who is in the best position to provide solutions?)

• Detect fraud earlier and automate solutions

• Increase employee awareness training

• Better hiring practices

• Employee monitoring systems (Who touched it?)

• Investments in new fraud technology

• Sharing crime issues in real time with others (your bank, like companies, etc.)

• Seek out help from local law enforcement, your vendors, and organizations like FS-ISAC


The End (“kind of”)

Thank You!
