Current Trends in Corporate Criminal Activity
1:15 PM - 2:15 PM
4/28/2015
Presenters:
• John McCullough, Financial Crimes Service, [email protected]
• Fred Laing, Upper Midwest Automated Clearing House Association, [email protected]
4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 2
Agenda
• Transition and New Approaches to Crime Trends
• Cybercrimes
• Mitigation Techniques
Transition and New Approaches to Crime Trends
Physical Attacks Merging with Technology (Blow Torching ATMs, Madison, WI)
Sophisticated Skimmers on ATMs for Data: Physical Attacks with Technology
Criminal Evolution: Focus on Gathering Data
• First-generation gas pump skimmers were placed on the outside of the pump
• The newer device is placed inside the gas pump and connects over Bluetooth, so it is not as detectable
Technology to Clone Cards, Just Add Data (Target data, Home Depot, etc.)
You’re Hired to Shop (Mules)
• The "Secret Shopper" letter…
• US residents in all 50 states are being approached
• The letter instructs them to deposit the enclosed check into their personal account for 24 hours
• They are then sent on a series of "secret shopper" tasks
• "Test" Wal-Mart by sending a wire transfer/MoneyGram using these funds
• The "shopper" completes a customer service report and keeps $350
• Letters are postmarked from Spain
• The check turns out to be counterfeit and is drawn against Wal-Mart’s payroll account
Letters sent to “mules”
• The letter looks real; individuals without jobs see this offer as a great opportunity
• Greed does play a role in this process
• This person ends up as the loser
It Just Doesn’t End There
Cybercrimes
• Criminals are seeking business, government and personal data
• Data is valuable to other criminals (i.e., Darknet) and sold
• It's all about data: it is used to impersonate businesses, government agencies and employees, and PII or consumer data is used to take over accounts, steal funds, illegally purchase goods/services, create new identities, open accounts, buy and trade, fund terrorist activities, and so on…
Common Thread in Financial Crimes:
• Always impersonations
• The representations may appear credible
• Data breaches seek personal, business or government data
• The methods are difficult to detect, and the crimes are difficult to prove and the actors difficult to apprehend
• The virtual world and the physical world have merged
• Virtual currency is becoming a common pathway for financing organized criminal and terrorist activity while avoiding detection
Being a little paranoid is a good thing when it comes to fraudsters!
Financial Crime Trends (What Are We Seeing)
• Banks: data breaches, debit and credit card fraud, followed by check fraud, newly deployed wire fraud methods and mobile deposit fraud…
• Retailers: data breaches, debit card fraud, cloned cards, gift card fraud and return fraud, and scams to fraudulently purchase and resell smartphones…
• General businesses: "network system attacks", data breaches, counterfeit checks, account takeover, employee impersonation in tax return fraud, business impersonation
• Medical: "system attacks", fraudulent claims, patient impersonation, medical prescription fraud
JP Morgan Chase (Give Me Derivatives)
The intrusion likely resulted, as many cyber breaches do, from an employee clicking on a malicious link and/or attachment in a so-called “phishing email”. That’s how investigators believe the hackers accessed the State Department’s systems
U.S. Officials Say Russians Hacked White House Computers
What is Thought to Have Happened:
• Russian hackers who were behind the cyber intrusion of the State Department in recent months used malware called “perch” to penetrate sensitive parts of the White House computer system, according to a U.S. official
• This malware is a “low and slow” process, which over time steals data and avoids detection in network systems.
• The White House has said the breach affected an unclassified system. But that gave the hackers access to such sensitive information as real-time nonpublic details of the President's schedule.
• One official says the Russians have "owned" the State Department system for months
White House Asks For Our Help! (Fred and John)
• Here is what we found:
• We found the employee that opened the malware
• This employee opened an email
• The employee downloaded an attachment
• This let the Russians “in”
• Who is it? (Next Slide)
Fred and John Found Him Opening This Email and Downloading it…
Email: The Subject Matter is Meant to Fool Your Employees
• USPS - Missed package delivery
• FW: Invoice <random numbers>
• ADP Reference #<random numbers>
• Payroll Received by Intuit
• Important - attached form
• FW: Last Month Remit
• Scanned Image from a Xerox WorkCentre
• Fwd: IMG01041_6706015_m.zip
• My resume
• Voice Message from Unknown Caller (<phone number>)
• Important - New Outlook Settings
• FW: Payment Advice - Advice Ref:[GB<random numbers>]
• New contract agreement
• Important Notice - Incoming Money Transfer
• Payment Overdue - Please respond
• FW: Check copy
• Corporate eFax message from <phone number>
• FW: Case FH74D23GST58NQS
It Takes Only One Employee to Make a Mistake!
How Effective Are These Criminals?
• 780 corporations
• 85 million known victims
The report lists 24 pages of corporations with data breaches: http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf
CompTIA Survey (April 2015) on Data Breach Causes
• Human error accounts for 52%
• Technology errors account for 48%
Other Comments:
• 32% of respondents did not have the ability to prevent an attack
• 51% lacked training to deal with insider threats
• 43% cited budget issues
• 40% did not have sufficient staff
Substantial Increase of Tax Return Fraud
“Someone Filed My Tax Return”… Beware!
• Intuit
• CATO (corporate account takeover): breaching business networks
• Acquiring payroll records
• The criminal impersonates the person and files the tax return
• If a pattern develops, consider a possible data breach
• Have contingency plans for employees to report such incidents
Tax Fraud Season
• If you become a victim of identity theft, the IRS recommends you take the following steps right away:
• Contact the IRS Identity Protection Specialized Unit at 800-908-4490 x245 so that steps can be taken to secure your tax account
• Complete IRS Form 14039, Identity Theft Affidavit
• Report ID theft incidents to the Federal Trade Commission at consumer.ftc.gov or the FTC Identity Theft Hotline at 877-438-4338
• File a report with the local police
• Contact the fraud departments of the three major credit bureaus: Equifax, equifax.com, 800-525-6285; Experian, experian.com, 888-397-3742; and TransUnion, transunion.com, 800-680-7289
• Close any accounts that have been tampered with or opened fraudulently
Wire Frauds Are Increasing
• The FBI Denver Division has received an increase in “business e-mail compromise” criminal complaints.
• The fraud occurs when the controller, treasurer, or accounting officer at the business receives an e-mail that appears to be from a company executive.
• The e-mail is a request that a wire transfer be sent. The fraudulent e-mail appears to have originated from an executive within the company or appears to be an e-mail chain forwarded from company executives.
• The e-mail includes an attachment with instructions for the wire transfer. The domain name used to send the fraudulent e-mail is similar to the company’s domain name with a minor change.
Common Wire Frauds Today (This April's Example, CA)
Homeland Security Investigators in San Francisco are currently investigating an organization that creates domain names similar to those of known organizations and sends fraudulent wire instructions to employees via email. The employees believe the requests originate from a high-level manager within their company, and proceed…
On 4/10/2015, HSBC Hong Kong received a $375,000.00 wire transfer from the United States. The wire transfer was sent to BROTENT TENTNOLOGY, LTD Account # 801-1X85XX-838. If your institution wired funds to this account, please contact SSA Michael Shinn. Thank you.
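The lookalike-domain trick in the FBI and HSI descriptions above can be checked mechanically on every inbound payment request. The block below is an added example written for this page; it is not code from the FBI, HSI or the presenters. It assumes a hypothetical company domain, acme-corp.com, a deliberately small confusables table, and no public-suffix handling (a real deployment would split domains with a public-suffix list).

```python
# Character and digraph substitutions that look alike in common fonts.
# Assumption: illustrative table only, not an exhaustive confusables list.
SKELETON_RULES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("|", "l")]


def skeleton(label: str) -> str:
    """Fold a label to a canonical form so 'acrne-c0rp' and 'acme-corp' compare equal."""
    s = label.lower()
    for src, dst in SKELETON_RULES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; catches one dropped, added or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (second-level label, TLD). Assumption: no public-suffix list, so
    'example.co.uk' would be split as ('co', 'uk'); fine for this illustration."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender(sender_domain: str, company_domain: str):
    """Return (verdict, reason); verdict is 'internal', 'lookalike' or 'external'."""
    sender, company = sender_domain.lower().strip("."), company_domain.lower().strip(".")
    if sender == company:
        return "internal", "exact match"
    if company in sender:
        return "lookalike", "company domain embedded in sender domain (e.g. as a subdomain)"
    s_sld, s_tld = split_domain(sender)
    c_sld, c_tld = split_domain(company)
    if s_sld == c_sld and s_tld != c_tld:
        return "lookalike", f"same name, different TLD (.{s_tld} vs .{c_tld})"
    if skeleton(s_sld) == skeleton(c_sld):
        return "lookalike", "homoglyph/confusable substitution"
    distance = levenshtein(s_sld, c_sld)
    if distance <= 1:
        return "lookalike", f"edit distance {distance} from company name"
    if c_sld in s_sld:
        return "lookalike", "company name embedded in sender domain"
    return "external", "no resemblance"


if __name__ == "__main__":
    COMPANY = "acme-corp.com"  # assumption: hypothetical company domain
    # Constructed sample of From: domains seen on wire-request e-mails.
    for sender in ["acme-corp.com", "acme-corp.co", "acrne-corp.com", "acme-c0rp.com",
                   "acmecorp.com", "acme-corp.com.secure-login.net", "gmail.com"]:
        verdict, reason = classify_sender(sender, COMPANY)
        print(f"{sender:35} {verdict:9} {reason}")
```

Run it on the From: domain and on the Reply-To: domain, since the latter is where the attacker usually redirects the conversation. A "lookalike" verdict is a reason to route the request to out-of-band verification, not proof of fraud.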
Why do people still fall for phishing attacks, especially finance people in charge of wire transfers at corporations?
• In an organization with 10,000 employees, even if only one in a thousand opens the phishing document, the organization is compromised, leading to loss of information and further attacks
• Criminals target selected employees with authority and attempt to fool them with fake emails
• The targeted employees are busy and trusted employees, likely overworked and under deadlines; mistakes happen…
Dave Jevans, Co-founder of the Anti-Phishing Working Group, Stated:
• The hacker attack against Anthem Inc. (data breach)
• Started with a spear-phishing campaign that targeted five of its employees
• The real risk here is an increase in targeted attacks against a handful of key employees within your organization (people with authority)
• Data breach malware has spread to vendors with the intent to come through the “side door” of the vendors’ corporate clients being serviced (i.e., Target and its vendor)
Mitigation: Training of Employees
https://www.youtube.com/watch?v=PnSSGu8UMYU
https://www.youtube.com/watch?v=aSYIz8df58k
https://www.youtube.com/watch?v=SL9P9nSquv8
Other Risks to Consider
• Disgruntled employee(s)
• Criminal partners, the “insider”
Taking Your Computer/Smart Phone Hostage
Example: “Ransomware”
• Your system is locked by cyber criminals, with a message denying access to your files
• Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware that locks the corporate user out or encrypts files so that the user can no longer access them
• Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased
• How does it start: criminals use various ploys to get staff to click on links or download attachments, which, in turn, infect their computers
Lance James, head of cyber-intelligence at the consultancy Deloitte & Touche:
• Now experts are calling attention to one of the reasons why “ransomware” attacks are becoming more common: organizations say they'd rather not deal with the fallout that trails a breach or cyber-attack that goes public. Instead of getting law enforcement involved, they'd rather try their hands at making deals with their attackers first.
• But paying ransom is short-sighted and is never a good idea. Why? Because cybercriminals rarely keep their end of the bargain. Organizations that negotiate with hackers often end up with lost data after paying a hefty ransom.
Extortion Methods Expanding
Cyber Extortion is Successful
• 1/3 of US corporations that experience cyber extortion would negotiate for data return
• Corporations do not want to report extortion to law enforcement
• Corporations do not want the publicity
• Corporations' expenses to clean up and notify affected parties are costly
• Corporate stock prices drop
• Potential regulatory issues and fines
• CEOs and CIOs are on the hook
Distributed DoS attack
“So the bad guys took our servers down…”
Answer: They are testing your response and planning other activity. They may use a DDoS attack as a distraction from another event they are executing against the company.
Distributed Reflection DoS attack
• Combines reflection and amplification
• Uses third-party open resolvers on the Internet (unwitting accomplices)
• Attacker sends queries carrying the victim's spoofed source address to the open recursive servers
• Queries are specially crafted to result in a very large response (e.g., ANY queries), so the resolvers deliver far more bytes to the victim than the attacker sent
Impact:
• Causes a DDoS on the victim’s server
http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html#slide6
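Response Rate Limiting (RRL), the resolver-side countermeasure implemented in BIND, Knot and NSD, is easier to reason about with numbers. The block below is an added illustration, not code from the article linked above or from any DNS server. It assumes a 64-byte spoofed ANY query drawing a 3,000-byte response (typical of attacks of that period) and a hypothetical limiter allowing 5 identical responses per second per /24 with a slip ratio of 2.

```python
from collections import defaultdict
from typing import Optional

QUERY_BYTES = 64        # assumption: small spoofed ANY query
RESPONSE_BYTES = 3000   # assumption: large ANY/DNSSEC response (EDNS0 permits >512 bytes)
TC_REPLY_BYTES = 64     # assumption: size of a truncated (TC=1) reply that carries no answer


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: bytes delivered to the victim per byte the attacker sends."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Token-bucket RRL after the scheme used by BIND/Knot/NSD: responses are counted per
    (client /24, qname, qtype). Beyond `limit` per window the answer is dropped, except that
    every `slip`-th excess query gets a tiny TC=1 reply so a real client can retry over TCP
    (which a spoofer cannot complete), while the reflector stops amplifying."""

    def __init__(self, limit: int = 5, slip: int = 2, window: float = 1.0):
        self.limit, self.slip, self.window = limit, slip, window
        self.buckets = defaultdict(lambda: [0, None])   # key -> [count, window_start]
        self.excess = defaultdict(int)

    @staticmethod
    def key(client_ip: str, qname: str, qtype: str):
        prefix = ".".join(client_ip.split(".")[:3])     # aggregate spoofed sources by /24
        return (prefix, qname.lower().rstrip("."), qtype.upper())

    def decide(self, client_ip: str, qname: str, qtype: str, now: float) -> str:
        """Return 'answer', 'slip' (send TC=1) or 'drop' for one incoming query."""
        k = self.key(client_ip, qname, qtype)
        bucket = self.buckets[k]
        if bucket[1] is None or now - bucket[1] >= self.window:
            bucket[0], bucket[1] = 0, now
        bucket[0] += 1
        if bucket[0] <= self.limit:
            return "answer"
        self.excess[k] += 1
        return "slip" if self.excess[k] % self.slip == 0 else "drop"


def bytes_to_victim(n_queries: int, rrl: Optional[ResponseRateLimiter], now: float = 0.0) -> int:
    """Simulate n spoofed 'ANY example.com' queries arriving within one second, all carrying
    the victim's address 203.0.113.7 as source; return the bytes the victim receives."""
    total = 0
    for i in range(n_queries):
        if rrl is None:
            total += RESPONSE_BYTES
            continue
        verdict = rrl.decide("203.0.113.7", "example.com", "ANY", now + i / n_queries)
        total += {"answer": RESPONSE_BYTES, "slip": TC_REPLY_BYTES, "drop": 0}[verdict]
    return total


if __name__ == "__main__":
    print(f"amplification factor: {amplification_factor(QUERY_BYTES, RESPONSE_BYTES):.1f}x")
    print("50 queries, open resolver :", bytes_to_victim(50, None), "bytes to victim")
    print("50 queries, with RRL      :", bytes_to_victim(50, ResponseRateLimiter()), "bytes to victim")
```

RRL protects the resolver from being used as a reflector; it does nothing for a victim whose attacker found other open resolvers, which is why closing open recursion to the Internet (and BCP 38 source-address filtering at the edge) matters more than any single server's limiter.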
Cache poisoning: corruption of the DNS cache data
1. Attacker queries a recursive name server for the IP address of a malicious site
2. The recursive server does not have the IP address cached and queries the attacker's malicious name server for it
3. The malicious server provides the requested rogue IP address and also maps the rogue IP address to additional legitimate names (e.g., www.mybank.com) in the same response
4. The recursive name server caches the rogue IP address as the address for www.mybank.com
5. A user queries the recursive server for the IP address of www.mybank.com
6. The recursive server replies to the user with the cached rogue IP address
7. The client connects to a site controlled by the attacker, thinking it is www.mybank.com
Impact: Logins, passwords and credit card numbers of the user can be captured
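The attack in steps 3 and 4 works only if the resolver caches records it did not ask for from a server that is not authoritative for them. The bailiwick check that modern resolvers apply is small enough to show in full. The code below is an added example, not from the linked article or any real resolver, with a constructed malicious response for a hypothetical zone evil-site.example.

```python
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]   # (owner name, type, rdata)

# Constructed response as the attacker's name server for evil-site.example would return it.
# The additional section smuggles an A record for a name that server has no authority over.
MALICIOUS_RESPONSE = {
    "answer": [("www.evil-site.example", "A", "198.51.100.10")],
    "additional": [("www.mybank.com", "A", "198.51.100.10")],   # out of bailiwick
}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """Minimal cache. With enforce_bailiwick=False it behaves like the naive resolver in the
    steps above; with True (the default, as in every current resolver) it discards records
    whose owner name is outside the zone the queried server is responsible for."""

    def __init__(self, enforce_bailiwick: bool = True):
        self.enforce_bailiwick = enforce_bailiwick
        self.cache: Dict[Tuple[str, str], str] = {}

    def ingest(self, zone: str, response: Dict[str, List[Record]]):
        """Cache a response received from zone's server; return (accepted, rejected)."""
        accepted, rejected = [], []
        for section in ("answer", "additional"):
            for name, rtype, rdata in response.get(section, []):
                if self.enforce_bailiwick and not in_bailiwick(name, zone):
                    rejected.append((name, rtype, rdata))
                    continue
                self.cache[(name.lower().rstrip("."), rtype.upper())] = rdata
                accepted.append((name, rtype, rdata))
        return accepted, rejected

    def lookup(self, name: str, rtype: str = "A"):
        return self.cache.get((name.lower().rstrip("."), rtype.upper()))


def poisoning_demo():
    """Steps 1-6 of the slide against a naive and a hardened resolver; returns what each
    would hand to a user asking for www.mybank.com."""
    naive = ResolverCache(enforce_bailiwick=False)
    naive.ingest("evil-site.example", MALICIOUS_RESPONSE)
    hardened = ResolverCache(enforce_bailiwick=True)
    hardened.ingest("evil-site.example", MALICIOUS_RESPONSE)
    return naive.lookup("www.mybank.com"), hardened.lookup("www.mybank.com")


if __name__ == "__main__":
    naive_answer, hardened_answer = poisoning_demo()
    print("naive resolver answers   :", naive_answer)      # the rogue address
    print("hardened resolver answers:", hardened_answer)   # None: it must ask mybank.com's servers
```

The bailiwick rule stops this in-band variant. The other well-known poisoning technique, forging the response to a query the resolver actually sent (Kaminsky-style), is defended separately by source-port and transaction-ID randomization and, definitively, by DNSSEC validation.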
TCP SYN floods
• Abuses the 3-way handshake that begins a TCP connection
• Attacker sends spoofed SYN packets with the source IP addresses of bogus destinations
• The server sends SYN-ACKs to these bogus destinations
• It never receives acknowledgements back from these destinations, so the connections are never completed
• These half-open connections exhaust the server's connection backlog and memory
Impact
• Server stops responding to new connection requests coming from legitimate users
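The backlog exhaustion in the list above, and the standard answer to it, SYN cookies, can both be shown in a few dozen lines. This is an added example, not the kernel's implementation: the cookie layout (5-bit time counter, 3-bit MSS index, 24-bit MAC) follows the same idea as the Linux syncookies scheme but is simplified, and the secret key, MSS table and addresses are constructed for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-example-key"          # assumption: random per-boot key on a real host
MSS_TABLE = (536, 1220, 1440, 1460)          # MSS values encodable in the cookie (3-bit index)


class StatefulListener:
    """A listener that keeps one backlog entry per half-open connection, as in the slide."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open = set()

    def on_syn(self, src: str, sport: int) -> bool:
        """Return True if a SYN-ACK is sent; False once the backlog is exhausted."""
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open.add((src, sport))
        return True


def _mac24(src, dst, sport, dport, client_isn, counter, mss_idx) -> int:
    msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{counter}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_isn, mss, now) -> int:
    """Server ISN for the SYN-ACK: 5-bit time counter (64 s epochs) | 3-bit MSS index |
    24-bit MAC over the 4-tuple, client ISN, counter and MSS index. Nothing is stored."""
    counter = (int(now) >> 6) & 0x1F
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return (counter << 27) | (mss_idx << 24) | _mac24(src, dst, sport, dport, client_isn, counter, mss_idx)


def validate_ack(src, dst, sport, dport, seq, ack, now):
    """On the final ACK, recover the cookie (ack-1) and client ISN (seq-1) and verify them.
    Return the negotiated MSS, or None if the cookie is forged, altered or older than ~2 epochs."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (int(now) >> 6) & 0x1F
    if counter not in (current, (current - 1) & 0x1F):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(src, dst, sport, dport, client_isn, counter, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def flood_demo(backlog=256, spoofed=300):
    """Constructed flood: `spoofed` SYNs from bogus sources, then one legitimate client.
    Returns (legit SYN accepted by the stateful listener, legit handshake accepted via cookies)."""
    listener = StatefulListener(backlog)
    for i in range(spoofed):
        listener.on_syn(f"198.51.100.{i % 250}", 1024 + i)
    stateful_ok = listener.on_syn("203.0.113.50", 40000)
    now = 1_700_000_000
    cookie = make_syn_cookie("203.0.113.50", "192.0.2.10", 40000, 443, client_isn=777, mss=1460, now=now)
    cookie_ok = validate_ack("203.0.113.50", "192.0.2.10", 40000, 443,
                             seq=778, ack=cookie + 1, now=now + 5) == 1460
    return stateful_ok, cookie_ok


if __name__ == "__main__":
    print("stateful listener accepts legit SYN during flood:", flood_demo()[0])   # False
    print("SYN-cookie handshake completes during flood     :", flood_demo()[1])   # True
```

The spoofed sources never answer the SYN-ACK, so they never present a valid cookie and cost the server nothing; a real client's ACK reconstructs everything the server needs. The price is that TCP options not encoded in the cookie (window scaling, SACK) are lost for cookie-validated connections, which is why kernels only switch to cookies once the backlog is under pressure.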
DNS tunneling
• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH, TCP or Web within DNS
• Enables attackers to easily pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
• Also used to bypass captive portals to avoid paying for Wi-Fi service
Impact:
• Data exfiltration can happen through the tunnel
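Most indicators of a DNS tunnel are visible in a resolver's query log: very long, high-entropy leftmost labels, a different subdomain on almost every query, and a skew toward TXT or NULL queries. The detector below is an added example, not from the linked article or any product, run over a constructed log; the line format, the thresholds and the domains exfil-example.net and example.com are assumptions.

```python
import base64
import hashlib
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"(\S+) client=(\S+) qname=(\S+) qtype=(\S+)")


def constructed_log():
    """Constructed resolver log: 15 ordinary lookups of example.com names plus 12 TXT queries
    whose leftmost label carries 48 base32 characters of 'data' under exfil-example.net."""
    lines = []
    legit = [("www.example.com", "A"), ("mail.example.com", "MX"), ("cdn.example.com", "A")]
    for i in range(15):
        name, qtype = legit[i % 3]
        lines.append(f"2015-04-17T13:{i:02d}:00 client=10.1.2.{i % 4} qname={name} qtype={qtype}")
    for i in range(12):
        digest = hashlib.sha256(f"chunk{i}".encode()).digest()
        payload = base64.b32encode(digest).decode().lower().rstrip("=")[:48]
        lines.append(f"2015-04-17T13:{i:02d}:30 client=10.1.2.9 qname={payload}.t.exfil-example.net qtype=TXT")
    return lines


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def registrable(qname: str) -> str:
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def profile(lines):
    """Per-domain features: query count, distinct-subdomain ratio, mean leftmost-label length,
    mean leftmost-label entropy and share of TXT/NULL queries."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0, "txtnull": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, qname, qtype = m.groups()
        labels = qname.rstrip(".").lower().split(".")
        left = labels[0] if len(labels) > 2 else ""
        d = acc[registrable(qname)]
        d["queries"] += 1
        d["subs"].add(".".join(labels[:-2]))
        d["len"] += len(left)
        d["ent"] += shannon_entropy(left)
        d["txtnull"] += qtype.upper() in ("TXT", "NULL")
    return {
        dom: {
            "queries": d["queries"],
            "unique_ratio": len(d["subs"]) / d["queries"],
            "avg_label_len": d["len"] / d["queries"],
            "avg_entropy": d["ent"] / d["queries"],
            "txtnull_ratio": d["txtnull"] / d["queries"],
        }
        for dom, d in acc.items()
    }


def flag_tunnels(report, min_queries=10):
    """Score each domain on four tunnel indicators; three or more (with enough volume) is suspicious.
    Thresholds are assumptions for this example; tune them against your own traffic."""
    flagged = {}
    for dom, f in report.items():
        score = sum([f["unique_ratio"] > 0.8, f["avg_label_len"] > 30,
                     f["avg_entropy"] > 3.5, f["txtnull_ratio"] > 0.5])
        flagged[dom] = f["queries"] >= min_queries and score >= 3
    return flagged


if __name__ == "__main__":
    rep = profile(constructed_log())
    for dom, sus in flag_tunnels(rep).items():
        f = rep[dom]
        print(f"{dom:20} q={f['queries']:3} uniq={f['unique_ratio']:.2f} len={f['avg_label_len']:.1f} "
              f"H={f['avg_entropy']:.2f} txt={f['txtnull_ratio']:.2f} -> {'TUNNEL?' if sus else 'ok'}")
```

Legitimate traffic that looks tunnel-like (CDN hostnames, anti-spam lookups, some telemetry) exists, so treat a hit as a lead for an analyst, baseline per domain over days rather than minutes, and pair the log-side detector with an egress rule that forces all internal DNS through resolvers you log.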
DNS hijacking
• Modifies DNS record settings (most often at the domain registrar) to point to a rogue DNS server or domain
• User tries to access a legitimate website, www.mybank.com
• User gets redirected to a bogus site controlled by hackers that looks a lot like the real thing
Impact
• Hackers acquire user names, passwords and credit card information
See all ten: http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html#slide6
Why Does This Keep Happening?
"The reality is: The dark element is much better at information-sharing than the corporations are.“ (Usman Choudhary, ThreatTrack):
• Advanced persistent threats (APT: attacking networks with a low-and-slow method)
• Organized
• Motivated
• Well funded
• Smart, and they share information better than corporations do
• Stolen information is valuable on the black market (Sony)
Mitigation Techniques and Tips
Training: employee education is missing…
• Do you have a formalized ongoing training program?
• Human error accounts for 52% of data breaches
• AND – Educate, Educate, Educate
• Focus specialized training on personnel with authority
Mitigation Techniques
• Companies can open email attachments in a secure container or virtual machine, to avoid infection of the target computer
• Employ multiple anti-virus engines to detect various malware techniques
• Training users to avoid opening spam emails is also very important
• Bankers need to educate users about the limits of two-factor authentication
• Employees should not rely on the information presented on the screen (links, phone numbers, pop-ups, domain names)
• Analytics software that can detect, say, that an organization is sending $500,000 to an account the bank has never seen before
• A DNS attack is an indicator that you have been or are being hit… It is often a distraction to keep you from detecting the real threat or the execution of a crime
From a Network Standpoint
• Anti-virus software
• Firewalls
• Anti-malware software
• Install software updates ASAP
• Monitor Internet traffic
• Manage passwords
• Strong policies defining what employees can do with their work computers when it comes to Internet access, use of external devices, etc.
• An educated employee base
Physical/Network Security
• Use dual control whenever handling financial transactions
• Change vendor-supplied defaults
• Encrypt data when you can
• Develop and implement a data retention, storage and destruction policy
• Ensure terminated employees' credentials are deleted
• Ensure hiring policies include verifying application data and checking references
• Regularly test systems for vulnerabilities
• AND – Educate, Educate, Educate
Cash Management Products
• Positive Pay, Reverse Positive Pay
• Debit blocks and filters
  • Stop all debits vs. stop all but specific debits
• Separate accounts for separate processes
  • One for payroll, another for receivables, etc.
• Account reconciliation
  • DAILY!!
• Balance reporting
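Positive pay is a matching problem: the bank pays only items that appear in the company's issue file with the same serial number, amount and (for payee positive pay) payee, and everything else becomes an exception for the company to decide on. The block below is an added example, not a bank's system; the issue and presentment files are constructed, and a real feed would use the bank's file layout.

```python
from decimal import Decimal
import re


def normalize_payee(name: str) -> str:
    """Compare payees case- and punctuation-insensitively ('Acme Supply, Inc.' == 'ACME SUPPLY INC')."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def positive_pay_exceptions(issued, presented):
    """Match each presented item against the issue file and return a list of
    (check_no, reason) exceptions the company must give a pay-or-return decision on."""
    by_no = {c["check_no"]: c for c in issued}
    seen = set()
    exceptions = []
    for p in presented:
        no = p["check_no"]
        i = by_no.get(no)
        if i is None:
            exceptions.append((no, "not in issue file (possible counterfeit)"))
        elif no in seen:
            exceptions.append((no, "duplicate presentment"))
        elif i.get("voided"):
            exceptions.append((no, "voided check presented"))
        elif p["amount"] != i["amount"]:
            exceptions.append((no, f"amount altered: issued {i['amount']} presented {p['amount']}"))
        elif "payee" in i and normalize_payee(p.get("payee", "")) != normalize_payee(i["payee"]):
            exceptions.append((no, "payee altered"))
        seen.add(no)
    return exceptions


# Constructed issue file (sent to the bank as checks are cut) and a day's presentment file.
ISSUED = [
    {"check_no": 1001, "amount": Decimal("2500.00"), "payee": "ACME SUPPLY INC"},
    {"check_no": 1002, "amount": Decimal("840.50"), "payee": "PAYROLL SERVICES LLC"},
    {"check_no": 1003, "amount": Decimal("120.00"), "payee": "CITY UTILITIES", "voided": True},
    {"check_no": 1004, "amount": Decimal("315.75"), "payee": "J. SMITH"},
]
PRESENTED = [
    {"check_no": 1001, "amount": Decimal("2500.00"), "payee": "Acme Supply, Inc."},     # clean
    {"check_no": 1002, "amount": Decimal("8400.50"), "payee": "PAYROLL SERVICES LLC"},  # amount altered
    {"check_no": 1003, "amount": Decimal("120.00"), "payee": "CITY UTILITIES"},         # voided
    {"check_no": 1004, "amount": Decimal("315.75"), "payee": "JOHN SMITHSON"},          # payee altered
    {"check_no": 1009, "amount": Decimal("999.99"), "payee": "CASH"},                   # never issued
    {"check_no": 1001, "amount": Decimal("2500.00"), "payee": "ACME SUPPLY INC"},       # duplicate
]

if __name__ == "__main__":
    for no, reason in positive_pay_exceptions(ISSUED, PRESENTED):
        print(f"check {no}: {reason}")
```

Reverse positive pay is the same comparison run on the company's side against the bank's daily presentment report; either way the value comes from the daily reconciliation the slide insists on, since an exception not answered by the bank's cutoff is paid by default.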
Out-of-Band Authentication Between You and Your FI
• What is it?
  • Phone call (voice authentication or just a simple phone call)
  • Text message (SMS)
  • Secure e-mail
  • Fax
• Why do it?
  • To authenticate that the file or transaction is what you intended to generate
  • A fraud prevention method, but it may also help prevent unintentional processing errors (sending the wrong week’s payroll file to your FI)
Ways to Authenticate
• User ID and password (and/or picture) – this is a single factor and not sufficient by itself; challenge questions fall into this category too
• Token(s) – a second factor, somewhat effective but there needs to be more; could be a cell phone or other similar device
• Biometric – a third factor, hard to control in a virtual exchange but effective when used
• FFIEC defined three factors: what you know, what you have, and what you are
Exposure Limits
• Usually based on a credit review but can be used to limit fraud loss exposure
• Company and bank should work together to set the limit(s)
• Can be for a file, batch, or entry and can be daily, weekly or even monthly
• Should be set close to the size of the largest anticipated file
• Monitoring should be real time
• Limits should be reviewed regularly
• There should be well-defined over-limit procedures
Anomalous Detection & Layered Security
• Look for trend lines that are “out of band”
  • Sudden increases in transaction volume, dollar amounts, or returns
• Review ALL the data in a file: has anything changed from the last file?
• Where did the instructions come from?
• When do you access the network to generate the transactions?
• In other words, LOOK FOR ANYTHING THAT’S DIFFERENT FROM WHAT YOU NORMALLY SEE!
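The checks in the exposure-limit and anomalous-detection slides above can be run against each outgoing ACH file before it is released to the bank. The following is an added example, not software from UMACHA, FRPA or any bank; the history, prior file, current file, exposure limit and thresholds are constructed for the illustration.

```python
from decimal import Decimal
from statistics import mean, pstdev

# Constructed history: total dollars of the last eight weekly payroll files.
HISTORY_TOTALS = [Decimal(x) for x in ("5800", "5790", "5850", "5810", "5830", "5795", "5820", "5805")]

# Constructed entries: (employee id, routing number, account number, amount)
PRIOR_FILE = [
    ("E101", "011000015", "123456", Decimal("2100.00")),
    ("E102", "011000015", "234567", Decimal("1850.00")),
    ("E103", "011000015", "345678", Decimal("1900.00")),
]
CURRENT_FILE = [
    ("E101", "011000015", "123456", Decimal("2100.00")),
    ("E102", "021000021", "999999", Decimal("1850.00")),   # account changed since last file
    ("E103", "011000015", "345678", Decimal("1900.00")),
    ("E104", "021000021", "555555", Decimal("30000.00")),  # new payee, large amount
]


def review_file(current, prior, history_totals, exposure_limit, z_max=3.0, count_drift=0.25):
    """Return a list of (code, detail) findings for an outgoing ACH file. The thresholds
    (z_max, count_drift) are assumptions for this example."""
    findings = []
    total = sum(amount for _, _, _, amount in current)
    # Exposure limit: hard ceiling agreed with the bank, close to the largest expected file.
    if total > exposure_limit:
        findings.append(("OVER_LIMIT", f"file total {total} exceeds exposure limit {exposure_limit}"))
    # Trend line: how far is this total from what the last files looked like?
    if len(history_totals) >= 2:
        hist = [float(t) for t in history_totals]
        sd = pstdev(hist)
        z = (float(total) - mean(hist)) / sd if sd else (0.0 if float(total) == mean(hist) else float("inf"))
        if abs(z) > z_max:
            findings.append(("VOLUME_ANOMALY", f"file total {total} is {z:.0f} standard deviations from the mean"))
    if prior and abs(len(current) - len(prior)) / len(prior) > count_drift:
        findings.append(("ENTRY_COUNT_CHANGE", f"{len(prior)} entries last file, {len(current)} now"))
    # Entry-level diff against the last file: new payees and changed destination accounts
    # are the classic fingerprints of a payroll diversion after account takeover.
    prior_by_id = {emp: (rt, acct) for emp, rt, acct, _ in prior}
    for emp, rt, acct, amount in current:
        if emp not in prior_by_id:
            findings.append(("NEW_PAYEE", f"{emp} not in last file, {amount} to {rt}/{acct}"))
        elif prior_by_id[emp] != (rt, acct):
            findings.append(("ACCOUNT_CHANGED", f"{emp} now pays {rt}/{acct}, was {'/'.join(prior_by_id[emp])}"))
    return findings


if __name__ == "__main__":
    for code, detail in review_file(CURRENT_FILE, PRIOR_FILE, HISTORY_TOTALS, exposure_limit=Decimal("6000")):
        print(f"{code:18} {detail}")
    print("re-run of last file:", review_file(PRIOR_FILE, PRIOR_FILE, HISTORY_TOTALS, Decimal("6000")))
```

Any finding should block release until a second person confirms it through the out-of-band channel described earlier; the point of running the check on the originator's side is that the bank's own monitoring sees the file only after it has been signed and sent.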
FCC Recommendations for Small Businesses
1. Train employees in security principles
2. Protect information, computers and networks from viruses, spyware and malware
3. Provide firewall security for your Internet connection
4. Download and install software updates as they become available
5. Make backup copies of important business data
6. Control physical access to your computers and networks
FCC Recommendations for Small Businesses (cont.)
7. Secure your Wi-Fi networks
8. Require individual user accounts for each employee
9. Limit employee access to data and information; limit authority to install software
10. Regularly change passwords
Mitigation Recommendations for Business Customers Using Online Payments
(Spear Phishing and Business Account Takeover Attacks)
• Initiate payments under dual control
• Use a dedicated computer where email and web browsing are not possible
• Limit admin rights on users’ workstations
• Reconcile transactions on a daily basis
• Implement an employee awareness program
• Implement fraud detection systems with predictive analytics and transaction monitoring capabilities
• Use out-of-band authentication systems
  • Manual client callback
  • SMS text messaging
  • Interactive Voice Response
• Fourteen additional in-depth defenses
Security is a TOTAL System, Process, and Procedure Issue!!
[Diagram: enterprise architecture map spanning endpoint, applications, storage, files and network layers; components shown include file server, production data, data warehouse, DR, staging, WW campuses, WW customers, WW partners, remote employees, WAN, WWW, VPN, disk storage, backup disk, backup tape, outsourced development, enterprise email, business analytics and customer portal]
Security is a TOTAL System, Process, and Procedure Issue!!
[Diagram: the same enterprise architecture map annotated with the threat at each point: media theft, device theft, media loss, device loss, data loss, data theft, unintentional distribution, unauthorized access, unauthorized activity, takeover, fraud, intercept, eavesdropping, DoS, corruption and unavailability]
What Happens If Your Organization Is a Victim?
• Discontinue using whatever piece of hardware is infected and disconnect it from any network (use an expert for removal)
• Determine what “connections” that computer had with others and check those for problems
• Let corporate security know immediately so they can contact the authorities and any outside organization they feel may be needed to fix the problem
• Change passwords, IDs, etc. for anyone accessing systems tied to the infected system and disable the old ones
• Notify your provider(s) within 24 hours
Recommendations (cont.)
• (Who is in the best position to provide solutions?)
• Detect fraud earlier and automate solutions
• Increase employee awareness training
• Better hiring practices
• Employee monitoring systems (Who touched it?)
• Investments in new fraud technology
• Sharing crime issues in real time with others (your bank, like companies, etc.)
• Seek out help from: local law enforcement, your vendors, organizations like FS-ISAC
The End (“kind of”)
Thank You!