Phishing to Fraud What if they don’t want one person’s account? Lee Heath (madhat@gmail.com)

Page 1: Phishing to Fraud What if they don’t want one person’s account? Lee Heath (madhat@gmail.com)

Phishing to Fraud

What if they don’t want one person’s account?

Lee Heath (madhat@gmail.com)

Page 2:

Phishing to Fraud

• Introduction
• The Phishing Hole
• New Targets – Beyond Banks
• Fraud
• Cash
• Cracking
• Downfall

Page 3:

Phishing to Fraud

• Phishing
• Fraud
• Credit Cards
  – Sources
  – Card Not Present
  – Carding
  – BINs
  – CCV/CVC

Page 4:

Phishing to Fraud

• Phishing Hole – Compromised Server
  – Old School
  – Extremely Common
  – More Obvious

• Phishing Hole – Phished/New Hosting Account
  – Brandjacking
  – Register.com
  – GoDaddy
  – Yahoo!

• Scripting
• Packageify it…

Page 5:

Phishing to Fraud

• Payment Processors
  – PayPal
  – BoA Merchant Services
  – Chase Paymentech
  – Intuit Payment Solutions
  – Merchant One

• Hosting/Registrars
  – GoDaddy
  – Register.com
  – Intuit
  – Yahoo!

• Vulnerability Assessment Providers
  – Qualys
  – Trustwave

Page 6:

Phishing to Fraud

• How are the CC’s used?
  – Purchasing
  – Selling to card numbers
  – Cash

• How to get Cash?
  – Refunds
  – Transfers
  – Phishing

Page 7:

Phishing to Fraud

• Payment Processors
  – Credit Card No. Generation
  – Cracking CVV/CVC
  – Carding
  – BIN Attacks

Page 8:

Phishing to Fraud

• How they get caught…
  – Trending
  – Referencing Hosted Data
    • Images
    • JavaScript
    • CSS

• What is wrong with this picture?
  – Too many transactions per second
  – Too many authorizations
  – Sudden increase in cost to the victim merchant
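
The first two signals on this slide (too many transactions per second, too many authorizations) can be checked per merchant account with a sliding window and a volume comparison. The sketch below is an added example, not part of the original slides; the record layout, merchant IDs, thresholds and baseline figures are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: (authorization time, merchant id). Not real traffic.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = (
    # M-1001: steady storefront, one authorization every 40 seconds
    [(T0 + timedelta(seconds=40 * i), "M-1001") for i in range(10)]
    # M-2002: scripted burst, one authorization every 100 ms
    + [(T0 + timedelta(milliseconds=100 * i), "M-2002") for i in range(30)]
)
# Assumed usual authorization count per merchant for the same period.
BASELINE = {"M-1001": 12, "M-2002": 8}


def flag_bursts(records, window=timedelta(seconds=1), max_per_window=5):
    """Merchants whose peak authorizations in any sliding window exceed the limit."""
    recent = defaultdict(deque)   # merchant -> timestamps inside the window
    peak = defaultdict(int)       # merchant -> highest count seen
    for ts, merchant in sorted(records):
        q = recent[merchant]
        q.append(ts)
        while ts - q[0] >= window:  # drop entries older than the window
            q.popleft()
        peak[merchant] = max(peak[merchant], len(q))
    return {m: p for m, p in peak.items() if p > max_per_window}


def flag_volume(records, baseline, factor=3):
    """Merchants whose total authorizations exceed factor x their usual count."""
    counts = Counter(merchant for _, merchant in records)
    # A merchant missing from the baseline is treated as 0, so any traffic flags it.
    return {m: n for m, n in counts.items() if n > factor * baseline.get(m, 0)}


if __name__ == "__main__":
    print("burst:", flag_bursts(SAMPLE))
    print("volume:", flag_volume(SAMPLE, BASELINE))
```
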

Page 9:

Phishing to Fraud

• Conclusion