Leveraging Technology to Combat Fraud
Information Security Association (ISA)
November 14, 2007
Dan VanBelleghem, Technical Director
Security and Systems Engineering Solutions, SRA
DISCLAIMER
Points of view or opinions expressed in this presentation do not necessarily represent the official position or
policies of SRA or any past, future or present bosses.
About Me
• SRA
  • Leading provider of technology and strategic consulting services and solutions, including systems design, development and integration; and outsourcing and managed services.
  • Comprehensive information assurance practice integrating security architecture, risk assessments, and certification & accreditation. SRA’s IA practice is currently rated at NSA-CMM Level 3.
• Dan VanBelleghem
  • Technical Director of the SRA Security Systems and Engineering Solutions Team. Conducts security-related research and consulting activities, including providing strategic guidance to customers, analyzing network traffic for security-related incidents, and designing security solutions to maintain integrity and prevent loss of intellectual capital.
  • Member of the faculty at the George Washington University’s Computer Security and Information Assurance program.
Agenda
• Introduction
• Attack Description
• Threats
• Recent Threat Examples
• Organized Crime
• Additional resources
• Q&A
Network Attack Methodology
Stages shown in the slide’s attack-cycle diagram:
• Information Gathering
• Service Identification
• Vulnerability Analysis
• Exploit and Gain Access
• Trophy Hunting
• Create Backdoor
• Cover Tracks
• Denial of Service
Attacks range from focused attempts for a specific target to random scans looking for a vulnerable victim.
2007 SRA International, Inc. - Proprietary
Aim Versus Effect
Common Attacks (aim):
• Operational
• Technical
Architecture (effect):
• Mission Operations
• Systems
• Networks
• Components
Focus on vulnerability of a component (e.g., poor authentication); potential to affect the host system or platform; network becomes affected; which could impact a mission process.
Customer Case Studies
• Common Security Assessment Findings
  • Storage area networks with default administrative accounts
  • Printers, switches and routers discovered with no authentication enabled
  • Security officer’s files, including vulnerability reports, found on an open network share
  • Databases discovered with default system accounts and passwords
Attack Sophistication
• Attack sophistication continues to increase while the amount of knowledge an attacker needs is decreasing
• Tools are getting better
• Script Kiddies
  • Target the Internet for a known vulnerability; however, only 1 percent of the systems may be vulnerable. If you can scan 1 million hosts, you will find 10,000 vulnerable victims.
• Black Hats
  • Will focus their attack on a specific victim or target.
Yesterday’s Attacks
• Common attacks in 2000 & 2001 were web defacements and Denial of Service attacks against your IRC foe.
  • Hacker underground bragging rights
  • Elevate IRC user control
  • Fun and curiosity
• Old school tools include NetBus, Sub7, Back Orifice
  • Open CD tray
  • Remote administration
  • Key logging
Today’s Attacks
• More focused on financial and identity theft
• Underground economy that exists to buy and sell financial and identity data
Common Attack Scenario
Steps shown in the slide’s attack-flow diagram:
• Scan for vulnerable web servers
• Exploit & escalate privileges (admin)
• Discover backend customer database
• Compromise customer database and capture credit card data
• Infect web server with bot code
• Users download bot & join bot herd
• Attacker builds army of zombies (key stroke logger)
• Sell data in underground market
Threat Environment is Changing
• Gartner, via the March 2007 issue of CIO Decisions:
  • "By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware. These attacks will evade traditional perimeter and host defenses. The threat environment is changing: Targeted attacks for financial gain are increasing, and automated malware generation kits allow simple creation of thousands of variants quickly. But our security processes and technologies haven't kept up."
Recent Security Breaches
• TJX
  • 45.7 million credit card and debit card numbers were stolen over an 18-month period
• USDA
  • Up to 63,000 Social Security Numbers for farmers receiving aid were disclosed
• University of Missouri
  • Over 22,000 students’ PII compromised
Topic: Transnational Cyber-Crime
• Traditional Organized Crime: smuggling, trafficking, drugs, gambling, etc.
• Anonymity and financial lure have made cyber-crime more attractive
• Separation between the physical and virtual world. The virtual world is another universe where groups form and engage in illegal activities
• Organized cyber-crime groups can conduct operations without ever making physical contact with each other. All can be independent, anonymous cells.
• Organization can be networked or hierarchical
Motivation… Who Are They?
• A highly organized criminal network based primarily in Eastern Europe
• Consist of specialized cells for specific functions – “a network of networks”
• Utilize web forums such as Carderportal, IAACA, Mazafaka, Shadowcrew, Carderplanet
• Inflict a significant amount of damage on the U.S. and international financial industry
Where are they?
• Global: all continents
• Concentrations in: Middle East, Eastern Europe, Russia, Brazil, SE Asia, USA.
What do they do?
• Conduct network intrusions on merchant processors
• Write viruses, malware, and trojans
• Use spam/phishing to exploit eBay/PayPal users, banks, credit card users, online account holders, etc.
• Software piracy, illegal pharmaceuticals
• Escrow and auction fraud
• Use of compromised credit cards and compromised online accounts to conduct reshipping operations
Other Characteristics
• Geopolitical/Cultural Perspectives:
  • Lax cyber-laws in some countries, but getting better
  • Poorly funded, untrained, and inadequately equipped police forces with little expertise in cyber crime or computers
  • Highly literate, educated, and skilled work force + no jobs leads young adults to find creative ways to make “easy money”; little incentive to find a legitimate job.
  • Part of the culture: young adults spending much of their day online.
Carding Networks: Past, Present, Future
Key Facts: ICA
• Formed: 2001 during a meeting in Odessa, Ukraine
• Founders: Dmitriy Golubov and Roman Vega
• 150 original members
• Status: The group’s members are still somewhat active, with many actors involved in other forums and groups
• Dozens have been arrested
Inactive Sites:
• CarderPlanet
• CarderPortal
• Darkprofits
• Dumpsmarket
• IAACA
• Mazafaka
• ShadowCrew
Active Sites:
• Carders Market
• Carders Army
• Cardingworld
• Darkmarket
• The Grifters
• TheftServices (IAACA)
• Mazafaka
• Tanec Hackerov
• Vendorsname
• TalkCash
• Carder.info
Dmitriy Golubov (“Script”) – Arrested: July 2005
Roman Vega (“BOA”) – Arrested: May 2003
Carding Lingo
Carder - Slang used to describe individuals who use stolen credit card account information to conduct fraudulent transactions.
Carding - Trafficking in and fraudulent use of stolen credit card account information.
Cashing - The act of obtaining money by committing fraud. This act can be committed in a variety of ways: The term can stand for cashing out Western
Union wires, Postal money orders and WebMoney; using track data with PINs to obtain cash at ATMs, from PayPal accounts, or setting up a bank
account with a fake ID to withdraw cash on a credit card account.
CC - Slang for credit card.
Change of Billing (COB or COBs) - Term used to describe the act of changing the billing address on a credit account to match that of a mail drop. This
act allows the carder full takeover capability of the compromised credit card account and increases the probability that the account will not be rejected
when being used for Internet transactions.
CVV2 - CVV2 stands for credit card security code. Visa, MasterCard, and Discover require this feature. It is a 3-digit number on the back of the card.
DDoS - Acronym for Distributed Denial of Service attack. The intent when conducting a DDoS attack is to shut down a targeted website, at least for a period of time, by flooding the network with an overflow of traffic.
DLs - A slang term that stands for counterfeit or novelty driver's licenses.
Drop - An intermediary used to disguise the source of a transaction (addresses, phones etc.)
Dumps - Copied payment card information, at least Track 1 data, but usually Track 1 and Track 2 data.
Dump checking - Using specific software or alternatively encoding track data on plastic and using a point of sale terminal to test whether the dump is
approved or declined. This provides carders a higher sense of security for obtaining quality dumps from those who offer them and also a sense of security
when doing in store carding.
Full info(s) - Term used to describe obtaining addresses, phone numbers, social security numbers, PIN numbers, credit history reports and so on. Full
Info(s) are synonymous with carders who wish to take over the identity of a person or to sell the identity of a person.
Holos - Slang for the word Holograms. Holograms are important for those who make counterfeit plastic credit cards to emulate an existing security
feature.
ICQ - An abbreviation for "I Seek You". ICQ is the most widely used instant messaging system for carders. Popular among Eastern Europeans in their
Internet culture, it continues to be used for carding activity.
IRC - An abbreviation for "Internet Relay Chat". IRC is a global system of servers through which users can conduct real-time text-based chat, exchange
files, and interact in other ways.
IDs - Slang for identification documents. Carders market a variety of IDs, including bills, diplomas, driver's licenses, passports, or anything that can be
used as an identity document.
MSR (Magnetic Strip Reader) - Device that can be used for skimming payment card information and/or encoding track information on plastic.
Phishing - The extraction of information from a target using a hook (usually an e-mail purporting to be from a legitimate company). Phishers spam the
Internet with e-mails in hopes of obtaining information that can be used for fraudulent purposes.
POS (Point of Sale) - Acronym for a terminal through which credit cards are swiped in order to communicate with processors who approve or decline
transactions.
Proxies - Term used for proxy servers. The use of proxy servers to mask one's identity on the Internet is widely practiced amongst carders. Many vendors sell access to proxy servers (SOCKS, HTTP, HTTPS) and VPNs (Virtual Private Networks), which aid in hiding the user's actual IP address when committing fraud or other illegal activity on the Internet.
Track 1/Track 2 data - Track 1 and Track 2 data is the information stored on the magnetic stripe of a payment card that contains the account
information.
How They Market Themselves
Stages of Carding
• Collection: acquisition of data
  • Technical means
  • Social engineering means
  • Desired data: account holder’s information, expiration date, primary account number (PAN), PIN number, CVV number
• Processing: sell “dump” to data broker
• Production: documents and merchandise
• Distribution: ATM cashing / reshipping
Collection of Data
• Technical Methods:
• Skimming
• Hacking
• Malicious Programs
• Social Engineering:
• Phishing (via web or phone)
Collection via Phishing
Chart: targeted industry sectors, as reported by the Anti-Phishing Working Group (a subset of Digital Phishnet; source: Gary Warner, copyright CastleCops®, 2 Nov 2006)
Metrics
• 485 ‘harvest’ (‘drop’) e-mail accounts identified associated with phish
• 400 deactivated & evidence preserved
• Each ‘harvest’ account contains dozens to thousands of cards
• Average ‘value’ of each card is $5,000 according to several US Court Districts
• Realistic loss = $300 to $2,000 per card
• 400 accounts * 100 cards/account * $600/card = $24,000,000 USD
Processing and Production
• Processing includes filtering the credible data and selling to a data broker.
• Production can include:
  • Fake documents: passports, licenses, birth certificates, etc.
  • Fake credit cards:
    • Dump data: Track 1 and 2
    • An example of a “dump” (Track 1 and Track 2):
      B412345123456789^John/Doe^06101011123400567000000;;412345123456789=061010111234005679991
    • Data is recorded onto a blank “white card” via a Magnetic Strip Reader (MSR)
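An added example, not from the presentation: a Python detector of the kind a DLP filter or breach-triage script would run over captured text to flag Track 1/Track 2 dumps like the one above. It parses the slide’s sample record using the ISO/IEC 7813 field layout, masks the PAN before reporting, and Luhn-checks it; the sample input and the URL paths in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field layout of a magnetic-stripe dump (ISO/IEC 7813), as in the slide's sample:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# Sentinels (% ; ?) are optional here because traded dumps often omit them.
TRACK1_RE = re.compile(r"%?B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?;]*)")
TRACK2_RE = re.compile(r";?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)")

def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every issued card number passes; random digit runs usually fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so an alert never re-leaks the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class TrackHit:
    track: int
    masked_pan: str
    luhn_ok: bool
    expiry: str  # YYMM
    service_code: str
    name: Optional[str] = None

def find_track_data(text: str) -> list[TrackHit]:
    """Scan arbitrary text (proxy log, seized file) for Track 1 / Track 2 records."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        hits.append(TrackHit(1, mask_pan(m["pan"]), luhn_valid(m["pan"]), m["exp"], m["svc"], m["name"].strip()))
    for m in TRACK2_RE.finditer(text):
        hits.append(TrackHit(2, mask_pan(m["pan"]), luhn_valid(m["pan"]), m["exp"], m["svc"]))
    return hits

# Constructed sample: the slide's dump string, then a record using the well-known
# 4111 1111 1111 1111 test number (which, unlike the slide's PAN, passes Luhn).
SAMPLE_TEXT = (
    "GET /upload.php?d=B412345123456789^John/Doe^06101011123400567000000;;"
    "412345123456789=061010111234005679991 HTTP/1.1\n"
    "POST /x.php ;4111111111111111=1012101123456789? HTTP/1.1\n"
)
```

The slide’s own PAN fails the Luhn check, which is why the detector reports the check result instead of discarding format matches: synthetic or test numbers still show that someone is moving track data through the channel.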
Distribution: Cashier/Reshipping
• ATM Cashing: Cashiers will receive “white plastic” cards and withdraw funds from an ATM.
• Reshipping Fraud: A scheme where a scammer overseas has purchased merchandise with illegal credit cards and has it shipped to a co-conspirator (aka reshipper), often in the USA. The reshipper repackages the item and sends it to a destination, usually overseas. The reshipper is paid for his/her services.
Roles in the carding chain (the slide also names example actor handles: Vladuz, Bluetooth, DMS, BOA, KLAD, SINJII):
1. Hacker/Programmer
2. Spammer
3. Data Broker
4. Documents & Merchandise
5. Reshipper/Cashier
6. Money Launderer
Financial: Money Laundering
• Money Orders
• Western Union
  • Speedy
  • Highly anonymous
  • Ability to pick up money worldwide
  • Many outlets are owned by carders themselves
• PayPal
  • Available currencies: Canadian Dollar, Euro, Pound Sterling, USD, Yen, Australian Dollar
  • Easy setup
  • All transactions logged
Financial: Money Laundering
• E-Gold
  • Uses “virtual gold” for payment
  • Cashout services available
• Webmoney.ru
  • Z-Wallet accounts
  • Easy transactions via the internet, cellphone, or Webmoney outlet (170 countries)
  • Fee-based cashout service
Mazafaka (screenshot)
CardingWorld (screenshot)
Where are they going?
• Use of malicious code in the carding world
• Phishing-based trojans and keyloggers (as reported by the Anti-Phishing Working Group)
International Challenges
• Cyber crime has no geographical boundaries
• Some countries are just starting to recognize the need for adequate cyber laws.
• Law enforcement cooperation is often based upon personal relationships.
• Hard for U.S. law enforcement to gain venue within the U.S. as many key targets are located overseas.
Questions
Who We Are – SRA
SRA is a leading provider of technology and strategic consulting services and solutions to clients in national security, civil government, and health care and public health.
We offer cutting-edge business solutions in a wide range of different areas, including:
• Business Intelligence
• Text & Data Mining
• Contingency & Disaster Response Planning
• Environmental Strategies
• Enterprise Architecture
• Wireless Integration
• AND Information Assurance & Privacy!
Who We Are – SRA Factoids
• Founded by Dr. Ernst Volgenau in 1978
  • Began operations out of Dr. Volgenau’s Reston basement
• IPO in May 2002 (SRX)
  • Stock price = $29.51 (as of 11/13/07)
• 6,300+ employees (more than doubled in size in the last four years)
• 300+ government clients; 900+ active engagements
• Headquartered in Fairfax, VA; offices in 17 states, DC, France, Germany, & the United Kingdom
• $1.269 billion in revenue in FY07 (doubled in size in just three years)
• Goal: $5 billion in revenue by FY12
• Chosen by Fortune magazine as one of the “100 Best Companies to Work For” for eight consecutive years
• Strong community service orientation (SRA “CARES” Committee) & environmental focus (SRA’s “Green Team”)
• Rolling out new college recruiting, internship, and co-op programs
• Major training and development initiatives underway (career paths and training opportunities)
• More than 200 immediately-billable open positions currently available
Who We Are – IA & Privacy
• Began operations with fewer than a half dozen practitioners c. 2000
• 200+ IA & Privacy professionals work within the practice today
• We have helped more than 300 federal information systems achieve certification and accreditation (C&A) and are currently performing physical- and cyber-security services Government-wide
• SRA’s IA analysts and engineers have obtained the highest professional certifications in the industry, including:
  • NSA’s Information Assurance Methodology (IAM)
  • NSA’s Information Engineering Methodology (IEM)
  • Certified Information System Security Professional certification (CISSP)
  • Certified Business Continuity Planner (CBCP)
  • Project Management Professional (PMP)
  • Certified Information System Auditor (CISA)
  • Certified Information Security Management (CISM)
What We Do
• Forensics
• Penetration Testing
• Vulnerability Assessment
• Compliance
• Risk Assessment
• System Testing and Evaluation
• Incident Response
• Operations
• Staff Augmentation
• Security Awareness & Training
• Privacy
• FOIA