CYBER FRAUDTHE NEW FRONTIERS

Albert Hui GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC

Principal Consultant

2014 Asia-Pacific Fraud ConferenceNovember 17th 2014 @ Hong Kong

WHO AM I?

• Spoken at Black Hat, High Tech Crime Investigation Association (Asia Pacific Conference), and Economist Corporate Network.

• Risk Consultant for Banks, Government and Critical Infrastructures.

• SANS GIAC Advisory Board Member.

• Co-designed the first Computer Forensics curriculum forHong Kong Police Force.

• Former HKUST Computer Science lecturer.

Albert Hui GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC

Principal Consultant

albert@securityronin.com

FOCUS

• Cyber Fraud

• External Fraud

• Mechanisms and Facilitators

AGENDA

Overview of 2 Prominent Fraud Scenarios

• Phishing / Whaling

• Man-in-the-Browser

Monetization

• Hacker Supply Chain

• Underground Economy

• Money Laundering

Cyber Security Countermeasures

PHISHINGFROM AN END-USER PROBLEMTO A CORPORATE PROBLEM

CLASSIC PHISHING SCAM:NIGERIAN LETTER

ADVANCED FEES SCAMIS 200+ YEARS OLD

“Spanish Prisoner” scam letter from 1905

PHISHING EVOLUTION

more targetedmore transparent

spear phishing

phishing

whalingpharming

WHALING EXAMPLE

trojan

CLASSIC PHISHING AND WHALING COMPARED

Classic Phishing

• Ridiculous contents

• Opportunistic

• Straight-forward financial scam

Whaling

• Make-Believe contents

• Targeted

• Lateral compromises possible,often leads to corporate espionage

CYBER KILL CHAIN

Recon Weaponize Deliver Exploit Install C2 Action

MONETIZATIONTURNING EXPLOITS INTO CASH

SOME MONETIZATION POSSIBILITIES

bank accounts

computer

file server

customer data stored values(e.g. Q-coins, Taobao credit)

credit cards

MAN-IN-THE-BROWSER ATTACK:SPOOFED SCREENS

trojan (e.g. Zeus)

MAN-IN-THE-BROWSER ATTACK:REAL-TIME REDIRECT

trojan (e.g. Zeus)

FOOD CHAIN

Fraud Rings(can launder money

“safely”)

Hackers(cannot)

MONEY LAUNDERING

MONEY MULES

STORED VALUES

HACKER SUPPLY CHAIN

Anon Payment

Hacker Tools /

Bulletproof Hosting

MonetizationImplications

• Sophisticated attacks now available to non-experts

• Lower breakeven point for attacks

• More “worthwhile” targets

ECONOMY

BITCOIN FOR MONEY LAUNDERING

Dark Wallet

CoinJoin

HIDDEN INTERNET

Dark Net / Deep Web Silk Road

The OnionRouter

CYBER SECURITY COUNTERMEASURES

PHILOSOPHY

Defender’s Dilemma

• Must secure all possible vulnerabilities

Intruder’s Dilemma

• Must evade all detections

Reason’s Swiss Cheese ModelPicture from NICPLD

ESSENTIALS FOR DETECTING CYBER ATTACKS

• Layered defense-in-depth

• Redundant security (e.g. two different brands of FWs)

• Security event correlation (e.g. SIEM)

• Trustworthy logging

• Up-to-date threat intelligence

• Security awareness and reporting channel

• Incident response capability (e.g. CSIRT)

ANY QUESTIONS?

??

THANK YOU

albert@securityronin.com