Fraud In The Cloud - Amazon Web Services › uploads › sites › ...Session Overview •A Phishing...

#ACCOUNTEXUSA @accountexusa September 6-8, 2017

Fraud In The Cloud New Risks In A New Environment

Prepared and Presented by

Randy Johnston

K2 Enterprises, LLC


What About Randy? Inducted Accounting Hall of Fame, Feb 2011 2004-2016 Accounting Today 100 Most Influential in

Accounting for 13 years Top 25 Thought Leader 2011-2017 40+ years of technology experience, Top rated speaker for

over 30 years Monthly columns on technology in CPAPractice Advisor Published author of six books, From Hutchinson, KS [email protected] or [email protected] 620-664-6000 x 112

mailto:[email protected]

mailto:[email protected]


What About NMGI? CRN top 100 technology company

MSPMentor top 100 company

NetCare – National CPA support services

NetRescue and NetStore – Backup Appliances and web-based backup

Boutique Technology and Business Continuity consulting – CPA Firm Technology Assessments, Paperless, Accounting Software Selection (ERP, BI, HR, SaaS, CRM)

WebCare and NetHosting – Custom Web site and Cloud services


About K2 Enterprises Provides live and on-demand Continuing Professional Education (CPE) in 48

U.S. states and in Canada

Largest provider of technology-focused CPE for accountants and financial professionals in North America

Services Offered

Live in-person presentations (conferences & seminars)

Webinars

On-site training

On demand self-study materials

www.k2e.com for more information

http://www.k2e.com/


K2 Enterprises Web Sites – No Tracking (75% of all web sites do!)

www.k2e.com - CPE Info

www.CPAFirmTech.com – CPA Firm Info

www.AccountingSoftwareWorld.com – Accounting Software Info

www.TotallyPaperless.com – Paperless Info

https://www.youtube.com/user/K2Enterprises - The K2 Enterprises YouTube channel with over 160 free technology training videos

http://www.k2e.com/

http://www.cpafirmtech.com/

http://www.accountingsoftwareworld.com/

http://www.totallypaperless.com/

https://www.youtube.com/user/K2Enterprises


Session Description • Cloud-based applications have changed the way we work, play, and access

information • The benefits and risks associated with software-as-a-service (SaaS) and

hosted applications are very different than traditional on premise information technology

• Some traditional items used in an on-premises forensic investigation like the transaction audit trail, user access logs, and computer access logs are often difficult to obtain for cloud solutions, and may even be unavailable by the time you or your client suspect a crime

• In this session, you will learn about some of the new risks associated with cloud solutions as well as some techniques which can be used to limit these risks


Learning Objectives • Define phishing and explain how it is used to gain

access to systems and data • Describe at least two of the data breaches covered

in the materials and list at least one control which could have mitigated or prevented the data loss in the breach

• List and explain at least three significant issues associated with a cloud-based fraud investigation


Session Overview • A Phishing Primer

• Tax-Related Identity Theft

• Data Breaches

• Issues Associated with a Cloud-based Fraud Investigation


A PHISHING PRIMER


How Phishing Attacks Work

• Real credentials harvested from the “fake” website are used against company portals

• Data is harvested and used to further attack individuals and perpetrate crimes

Fake website resembling Outlook Web Access


In Focus: Phishing


FIN4’s Approach: Get Data For Insider Trading • E-mail targeted at C-suite,

regulatory, legal, and investor relations personnel

• Security consultants FireEye report that FIN4 have penetrated “80 public companies and 20 banks”

• Messages also may include: – Word/Excel/PowerPoint files

with macros which prompt the user to enter Outlook password

– Links to fake “Outlook Web Access” portals which gather credentials

• Sample message =>

Source: Ars Technica, 12/1/2014 http://bit.ly/fin4phishing


Quotes From FireEye On FIN4 FireEye Threat Intelligence Manager Jen Weedon said

“The hackers only targeted people with access to highly insider data that could be used to profit on trades before that data was made public. They sought data that included drafts of U.S. Securities and Exchange Commission filings, documents on merger activity, discussions of legal cases, board planning documents and medical research results.” "They are pursuing sensitive information that would give them privileged insight into stock market dynamics.“ Jen Weedon, FireEye Threat Intelligence (As reported by Yahoo! News)

Source: Yahoo News 12/1/2014 http://bit.ly/fin4-finfraud


Timeline Of The FIN4 Phishing Attack

Source: Ars Technica, 12/1/2014 (http://bit.ly/fin4phishing)


Target Of RSA Phishing Attack: Defense Secrets And Related Intellectual Property

Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011:

Winter 2011 March 17 May 31 June 1 April 1 May 21 June 7

• Lockheed Martin computer systems detect an intruder

• Company statement: “Our systems remain secure”

• Attack on L-3 Communications reported

• Attributed to leverage of information from RSA breach

• Low-level RSA staff receive email apparently from colleague

• Subject line: “2011 Recruitment Plan”

• Northrop Grumman cuts off remote access to its network

• RSA discloses attack in SEC filing and on company web site

• RSA official admits compromise of entire SecureID system

• RSA web site post: “Anatomy of an Attack”

• Describes exploitation of zero-day Flash vulnerability


Phishing And Spear Phishing At ORNL • Oak Ridge National Lab • National security and nuclear

weapons research • National Supercomputer Center • Hacked in April 2011 • Attacked used a “spear phishing” attack • Gained root access to key systems • ORNL shut down its systems for two

days while it responded to the crisis


April 7 April 11 April 15 April 12

• 573 phishing emails

• 50 users clicked

• 2 systems infected • 1 system with admin

privileges compromised

• ORNL notified of suspicious activity by DOE-CIRC, DOE-CI, and ORNL local cyber staff

• Increased

activity • Web services

shut down

• Domain controller and Active Directory compromised

2011 ORNL Phishing Attack Timeline

Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011


Sign #1: This is NOT an ORNL mailing address. Do you know the sender? Were you expecting an email? When in doubt, delete.

Sign 4: Nowhere in this email is there any specific reference to ORNL; all references are generic. No affiliation should raise your suspicion level.

Sign #3: Hovering your mouse over these links shows that both point to the same destination: http:/www.ansme.com/topic/index.htm. This does not match the topic of the reference in the link or the email.

Phishing Email Example – Oak Ridge National Lab


Sign #2: Always beware of general salutations!


April 7 April 11 April 14 April 15 April 29

• 4 staff reported phishing email to cyber security

• Cyber security disabled embedded link in phishing email

• Incident response team activated and began network monitoring

• Infected machine removed from network

• All other machines that clicked on email removed from network

• 2 trojaned systems exfiltrated files (~4 MB)

• Microsoft web servers shut down; ORNL disconnected from Internet

• Network reconnected to Internet with restricted/monitored communications

Source: Speech by ORNL Director Thom Mason to Friends of ORNL August 25, 2011:

ORNL Response To Phishing Incident


ORNL Ongoing Efforts To Increase Security

• Education and awareness of social engineering techniques

• Limits on administrative privileges

• Segmentation of computer network architecture

• Additional monitoring and tracking tools


User awareness

Organizational segmentation

Block outbound connections

Internet

Least user privileges Network flow

monitoring

Desktop log aggregation


MONETIZING STOLEN CREDIT CARDS


How Stolen Credit Cards Are Monetized • Perpetrators steal data from brick and mortar stores, POS breaches

like Target, and other crimes/scams • Data thieves bundle cards by bank ID and geography and sell

online anonymously in underground marketplaces – Cards are valued based on the age of the data and the guaranteed validity

(%) – The geography component is needed so that the ill gotten gains can be

purchased from areas near the victim’s home (avoid suspicion by credit card companies)

• Purchasers buy things online and at big box stores • Remailers receive the goods and forward them to others


Example: Services like Label City

Card data sold in “carding shops”

like “McDumpals”

Card Data Purchasers Buy Merchandise and

Sell Online or Ship Overseas to Monetize

Stolen Data

How Offshore Cyber Crooks Steal Credit Cards, Sell Stolen Data, Buy Goods, And Turn Them Into Cash

Source: http://krebsonsecurity.com/2014/08/white-label-money-laundering-services/


Stolen Card Data Reliability Drops With Age

Source: http://krebsonsecurity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach/


The Effects Of Breach Aging On Data Value

• The early cards from the Target Breach were advertised as “100% valid” and sold for between $26.60 and $44.80 each in mid-December 2013 – Target announced the breach on 12/19/2013 – A 1/21/2014 batch (+32 days) claimed an “83% valid rate” – A 1/29/2014 batch (+40 days) claimed a “70% valid rate” – A 2/6/2014 batch (+48 days) claimed a “65% valid rate” – By 2/14/2014, Krebs reports that some Target breach cards were selling

for as little as $8-$28 per card, and were boasting a “60% valid rate”

• Some non-US Target breach cards retrieved as much as $120 per card, a significant premium over the US records

Source: http://krebsonsecurity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach/


“Work At Home” Scam Respondents

Used To Reship Goods For Those

Using Stolen Cards

Source: http://krebsonsecurity.com/2011/10/shady-reshipping-centers-exposed-part-i/


TAX-RELATED IDENTITY THEFT


What Is Tax-related Identity Theft? • Tax-related identity theft occurs when someone uses a

stolen Social Security number to file a tax return claiming a fraudulent refund

• Generally, false returns are filed early in the filing season

• Most are unaware they are a victim until the taxpayer files and the preparer learns one already has been filed using that SSN when the eFiling of the legitimate return is rejected


Identity Theft Is A Significant Problem For Practitioners And Taxpayers

Source: IRS Taxpayer Advocate Annual Report to Congress 2015, Vol 1, MSP #16

Source: FTC Release promoting Tax Identity Theft Awareness Week - 1/25-1/29/2016


2013 2014 2015

Tax or Wage ID Theft Complaintsto FTC during Yr

87,206 109,250 221,854

IRS IDT Inventory at EOFY 475,861 242,575 601,799

IRS CID IDT InvestigationsCommenced

1,492 1,063 776

-

200

400

600

800

1,000

1,200

1,400

1,600

-

100,000

200,000

300,000

400,000

500,000

600,000

700,000

Inve

stig

atio

ns

Co

mm

ence

d

Du

rin

g FY

(Li

ne)

ID T

hef

t C

om

pla

ints

Op

ene

d

or

Op

en a

t EO

FY (

Bar

s)

Tax/Wage ID Theft Complaints Vs. IRS CID Investigations, 2013-2015


Selected Stats On Tax Identity Theft • The number of ID theft (IDT) claims is up significantly,

while the number of open IRS CID investigations at the end of each fiscal year is down by almost 50% in the last two years (2013-2015)

• IRS working with states, tax software companies, and payroll providers to address this growing problem

• Be very careful when sharing confidential data- a breach from you could be financially catastrophic


IRS Phishing Scams


Examples Of IRS Phishing E-mails

Source: IRS.gov


IRS Security Issues In Focus • IRS reported a breach in its “Get

Transcript” application affecting 724,000 taxpayers

• IRS provided credit monitoring and ID protection PINS

• IRS suspended the PIN program in early March 2016 amid issues, and may use a different authentication method next year

• Group of law firms still pursuing a class action against IRS


Know The Warning Signs • Be alert to possible identity theft if you receive an

IRS notice or letter that states that: – More than one tax return was filed using your SSN

– You owe additional tax, refund offset or have had collection actions taken against you for a year you did not file a tax return

– IRS records indicate you received wages from an employer unknown to you

http://www.irs.gov/Individuals/Employment-related-identity-theft

http://www.irs.gov/Individuals/Employment-related-identity-theft


Steps To Take If You Become A Victim • File a report with law enforcement. • Report identity theft at www.ftc.gov and learn how to respond to it

at identitytheft.gov • Contact one of the major credit bureaus to place a ‘fraud alert’ on

your credit records: – Equifax, www.Equifax.com, 1-800-525-6285 – Experian, www.Experian.com, 1-888-397-3742 – TransUnion, www.TransUnion.com, 1-800-680-7289 – Innovis.com, www.Innovis.com 1-800-540-2505

• Contact your financial institutions, and close any accounts opened without your permission or those which have been compromised

http://apps.irs.gov/app/scripts/exit.jsp?dest=https://www.ftccomplaintassistant.gov/Information?OrgCode=IRS

http://apps.irs.gov/app/scripts/exit.jsp?dest=http://www.consumer.ftc.gov/features/feature-0014-identity-theft


SSN Compromised? • If your SSN is compromised and you know or suspect you are a victim of

tax-related identity theft, take these additional steps: – Respond immediately to any IRS notice; call the number provided on the notice – Remember that the IRS NEVER makes its first contact via telephone or e-mail -

Uncle Sam uses old-school snail mail – Complete IRS Form 14039, Identity Theft Affidavit

• Use a fillable form at IRS.gov, print, then mail or fax according to instructions

– Continue to pay your taxes and file your tax return, even if you must do so by paper

• If you previously contacted the IRS and did not have a resolution, contact the Identity Protection Specialized Unit at 1-800-908-4490

• The IRS has teams available to assist, but the Taxpayer Advocate reports that the time to resolve an identity theft case in FY 2015 was 179 days – so be patient, and FOLLOW UP!


Resources For Tax Preparers • Publication 5199 Tax Preparer Guide to Identity Theft

• Publication 5027 Identity Theft Information for Taxpayers

• Publication 4535 Identity Theft Protection and Victim Assistance

• Publication 4600 Safeguarding Taxpayer Information

• Publication 4557 Safeguarding Taxpayer Data

• Publication 1345 Handbook for Authorized IRS e-file Providers

http://www.irs.gov/pub/irs-pdf/p5199.pdf







Identity Theft Resources

• http://www.irs.gov/Individuals/Identity-Protection

• https://www.identitytheft.gov/

• https://www.fbi.gov/about-us/investigate/cyber/identity_theft

http://www.irs.gov/Individuals/Identity-Protection



https://www.identitytheft.gov/

https://www.identitytheft.gov/

https://www.fbi.gov/about-us/investigate/cyber/identity_theft




Some Steps To Help Protect Your Organization Against Breaches And Phishing

• Conduct annual (or more frequent) user security training sessions • Don’t click on links in e-mail messages – with one exception

– Online password reset e-mails where you have personally initiated the reset e-mail in the last five minutes

• Configure your organization’s junk e-mail filters to reject messages whose origin address does not match the sender’s expected IP address and country

• Inventory the types of confidential data stored in your organization • Identify the key controls which protect each type of data • Assess the identified risks, and document the likelihood and expected damages

related to a breach for each type of confidential data • Adjust your procedures and related controls to provide your desired level of control in

response to the identified risks


Summary • Phishing is always a concern – be vigilant

– Don’t click on links in e-mail messages – Don’t give out data to people who call you without

authentication

• IRS has had significant issues with breaches which may affect you, your friends, and your clients

• Data breaches affect everyone, and compliance with breach reporting statutes is expensive and requires cyber insurance

• Cloud applications may lack the audit trails and data needed to support an investigation

Fraud In The Cloud - Amazon Web Services › uploads › sites › ...Session Overview •A Phishing...

Documents

Transcript of Fraud In The Cloud - Amazon Web Services › uploads › sites › ...Session Overview •A Phishing...