Newly organised methods of online criminal activity are threatening to democratise fraud and undermine banks and online traders, according to security experts at this year’s RSA Conference Europe.
Head of new technologies at security vendor RSA Uri Rivner shared new data and trends spotted by the firm’s Anti Fraud Command Centre, which has now shut down over 100,000 phishing attacks.
Rivner warned of a new trend where criminals offer fraud services in a software-as-a-service (SaaS) model, which can be purchased from internet chat rooms and forums. This “fraud-as-a-service” could feature information-stealing Trojans, together with bulletproof hosting to ensure zero downtime, and a fully integrated infection service to provide patching and upgrades so the Trojan escapes detection by security software.
“You can then sit back and watch how many computers are infected with the Trojan and how many user credentials come rolling in,” Rivner said. “Anyone can do fraud these days – you just need to go to the right place to get user credentials.”
Rivner explained that roughly half of phishing attacks are now carried out by individuals or small groups who meet, exchange information and trade each other’s services in internet chat rooms. He added that most online fraudsters can be broken down into two groups: harvesting fraudsters, who specialise in stealing user credentials; and cash-out operators, who focus on laundering the money from stolen accounts or fraudulently purchased goods.
While the former can now easily buy fraud-as-a-service packages to help them harvest account details, the latter work on the operational side, transferring money from these accounts into a network of so-called “mule” accounts. The money is then sent via Western Union from these accounts to someone else, who will take a cut and pass on the funds to the cash-out fraudster. At the end of the chain the cash-out operator and harvester will share their gains.
Banking e-crime experts echoed Rivner’s evaluation of the current threat landscape.
Marc Cramer, information security consultant at insurance group ING, warned that hacking and phishing tools are now “very customer friendly”, while Mark Stanhope, senior e-crime manager at Lloyds TSB, argued that fraudsters are “a lot more agile than we are”.
“They are a lot smaller than we are and will always evolve faster than us,” Stanhope added. “We have to make it as difficult as possible for them to target mass attacks.”
To mitigate the risk of being defrauded, Rivner advised firms to employ several key strategies. They involve limiting credit harvesting by detecting, blocking and shutting down attacks and then rolling out two-factor and adaptive authentication to customers, and finally transaction monitoring.
“It’s not all doom and gloom. The most effective method of defence is a multi-layered approach,” Rivner said. “The threats are becoming more mass market and scalable, but the industry is developing an arsenal of tools to fight them.”
Xavier Serrano Cossio of Spanish bank Banco Sabadell explained that his firm has had success using SMS messages to alert customers of unusual account activity, as well as using one-time password generators integrated into their mobile phones with which to log on to online banking.
“We have also had a good experience of transaction monitoring – we use a lot of parameters and have grown very comfortable with it,” Cossio said.
Fraud-as-a-service looms over firms
By Phil Muncaster on Oct 29, 2008 11:56AM