
The Many Faces of Fraud How cyber criminals attack financial institutions

Ken Jochims, Sr. Product Marketing Manager

Guardian Analytics

Established Industry Experts
• Community of 260 FIs fighting fraud
• Pioneered individual behavioral analytics
• Extended patented technology to multi-channel offerings
• Fraud Intelligence and fraud analyst teams

Industry Engagement
• ABA
• FS-ISAC Board Advisor
• NACHA Internet Council
• NCFTA
• Bank Info Security Advisory Council

Successfully managing risk, enhancing offerings, building customer trust
Networking and sharing fraud prevention/operational best practices

Leading Fraud Prevention Technology
"Guardian Analytics…has a proven and effective fraud detection risk-scoring engine."
"Guardian Analytics possesses one of the clearest visions for how to tackle fraud management."

Agenda

Latest fraud trends

Analyzing current attack trends

Cyber-Crime technological innovation

Proactively defending against threats

LATEST FRAUD TRENDS

Recent Fraud News
• ACH fraud as a share of losses is growing: ACH fraud now accounts for 56% of fraud losses (Jan 13, 2013)
• New ZeuS source-code-based rootkit available for purchase on the underground market (March 14, 2013, ddanchev)
• FraudINTELLIGENCE: 90% of fraud incidents don't include a payment; fraudsters successfully authenticate in 3 out of 5 attempts (Mar 21, 2013)

Malware Spends Significant Effort Avoiding Security
52% of observed malware behaviors focused on evading security or analysis (The Modern Malware Review, March 2013)


Criminals Better On Every Dimension
Advancing, organizing, expanding, scaling and evolving, across retail, business, platforms, bank employees, 3rd parties and mobile

Wide Array of Attacks Creating Billions in Losses

Routes into the customer account: email breach, call center social engineering, SMS phishing, vishing, purchased credentials, malware

Offline transactions (check fraud, wire fraud) via fax, email, call center or online chat
Online transactions: wire, ACH, bill pay, external transfers

Credentials widely available
• 40% of PCs already infected (APWG)
• Thousands of credentials stolen by Gozi (US Attorney)

Phishing and social engineering resurfacing
• Social engineering on the rise (Gartner)
• Trend in using mobile/tablets to compromise credentials (Aite)
• Email breaches connected to banking fraud (Aite)
• Bad password practices leave Internet accounts at risk: 60% of passwords reused

Rapid malware innovations steal credentials and bypass authentication
• Zeus, SpyEye, Gameover, ICE IX, Ramnit, Carberp, Shylock, Gozi, Zitmo, Spitmo, CitMo, Eurograbber

Move funds through online and offline transactions
• 2012-2013 account reconnaissance attack: ~1000 accounts at 75 FIs, connected to offline fraud
• ACH: 56% of losses (FS-ISAC)
• Wire: 76% of attempts (FS-ISAC)
• New combinations, e.g. online chat (GA)
• Focus on defeating manual controls and verification (GA)

Criminals Using Email Breaches to Gain Access
• Weak passwords: password, 12345678, …
• Password reuse: research shows 60% of credentials are reused from one site to another
• Forgotten-password reset: with access to the victim's mailbox, the criminal triggers the bank's password reset and receives the reset email; used in hundreds of account takeovers last year

Mobile/Tablet As Source of Credentials
• Mobile or tablet users are more likely to click on a phishing text or email
• Criminals gather credentials via mobile or tablet, then log into online banking
• SMS phishing: the user clicks on a link in an SMS message and gives up credentials for online banking

Trends in Cyber Threats

Vishing
• Criminals spoof caller ID
• Call bank customers pretending to be a bank officer
• Extract information from the victim over the phone
• Take over the victim's account

Call center social engineering
• Criminals engage the call center with enough information to pass as the victim
• Trick the call center agent into resetting credentials or performing a transaction

Targeting branch employees socially
• Determine how best to meet these employees in social settings, such as fitness clubs or restaurants near the branch locations
• Fraudsters engage in social interactions with the employees
• Rope them into their crime schemes, usually with the promise of a lucrative financial reward for their cooperation and efforts

ANALYZING CURRENT ATTACK TRENDS: ACCOUNT TAKEOVERS

Account Reconnaissance Attack
Entry points: email breach, call center social engineering, SMS phishing, tablet phishing, vishing, purchased credentials, malware
Cash-out: offline fraud (check fraud; wire fraud via fax, email or call center)

Consistent and methodical account reconnaissance only, with no online payment:
• Log in (including MFA)
• Password reset
• Check account summary
• Access bill pay
• View check images

Seen at a thousand accounts at 75+ financial institutions

Live Chat Scheme – A New Twist Combining Online Fraud and Call Center Fraud

A human fraudster successfully authenticates to online banking with the victim's credentials, then:
1. Explores all accounts
2. Consolidates funds into the checking account
3. Initiates a chat session from within online banking: first asks for general help, then asks for help with a wire transfer

Opportunity to detect suspicious activity at each step

Trends in Payments Fraud – FS-ISAC Survey
• Wire: most popular channel, 76% of attempts (FS-ISAC)
• ACH: growing number of losses, 52% of losses from ACH

Attacks on ACH Files - Criminals Getting Past Caps, Limits, Validations

Starting point: the fraudster takes over a corporate account. From there, four progressive levels of infiltration, each harder to find with traditional rules-based monitoring and reports, and each more effective at defeating caps, rules and limits:

1. FRAUDULENT FILE: the fraudster submits a new ACH batch file, all of which is fraudulent. Fraudulent files may or may not violate caps or calendar rules.
2. BOGUS BATCH: the fraudster breaks into an existing batch file and adds new payments, which changes the number of transactions in the file and the total amount of all transactions in the file. The file may still be below established caps/limits.
3. ROGUE RECIPIENT: the fraudster breaks into an existing batch file and adds some new credit transactions (steals some money), but simultaneously adds some new debit transactions that leave the total dollar movement for the file as a whole unchanged.
4. TAMPERED TRANSACTION: the fraudster breaks into an existing batch file and edits specific parts of existing transactions (e.g. the payee account number), which leaves the number of transactions and the total dollar movement for the file as a whole unchanged.
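The four levels above are easiest to understand as a question of what each layer of checking can see. The following is an added example, not code from the deck or from FraudMAP: it compares a submitted batch against the same customer's previous cycle at three depths (caps only, count and net totals, per-receiver diff) and names the pattern in the deck's terms. The batch representation is a simplified, constructed one (receiving account, credit/debit, amount, receiver name), not the NACHA fixed-width record layout; the caps, the baseline payroll batch and the four attack batches are all constructed for the example.

```python
# Added example: not code from the Guardian Analytics deck or from FraudMAP.
# Simplified, constructed batch representation; NOT the NACHA record layout.
# Caps, the previous-cycle baseline and the sample batches are all assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    account: str   # receiving account number; treated here as the receiver's identity
    kind: str      # "credit" pays the receiver, "debit" pulls money from the receiver
    amount: int    # cents
    name: str      # receiver name carried in the entry


CAPS = {"batch_credit": 250_000_00, "entry": 50_000_00}   # constructed rule-engine caps


def totals(entries):
    """Count and dollar totals, i.e. what a batch control record summarises."""
    credit = sum(e.amount for e in entries if e.kind == "credit")
    debit = sum(e.amount for e in entries if e.kind == "debit")
    return {"count": len(entries), "credit": credit, "debit": debit, "net": credit - debit}


def rules_check(entries, caps=CAPS):
    """Level-1 visibility: caps and limits only. Returns the rule hits."""
    hits = []
    if totals(entries)["credit"] > caps["batch_credit"]:
        hits.append("batch credit total over cap")
    hits += [f"entry to {e.account} over per-entry cap" for e in entries if e.amount > caps["entry"]]
    return hits


def totals_check(baseline, entries):
    """Level-2 visibility: entry count and net movement versus the previous cycle.
    A bogus batch moves both, a rogue recipient only the count, a tampered transaction neither."""
    b, s = totals(baseline), totals(entries)
    hits = []
    if s["count"] != b["count"]:
        hits.append(f"entry count changed {b['count']} -> {s['count']}")
    if s["net"] != b["net"]:
        hits.append(f"net movement changed {b['net']} -> {s['net']}")
    return hits


def entry_diff(baseline, entries):
    """Per-receiver comparison with the previous cycle, keyed on receiving account, so an
    edited account number appears as one receiver removed plus one added with the same name.
    Assumes one entry per account per batch (a real system would also key on trace number)."""
    base = {e.account: e for e in baseline}
    cur = {e.account: e for e in entries}
    added = [cur[a] for a in cur if a not in base]
    removed = [base[a] for a in base if a not in cur]
    amount_changed = [(base[a], cur[a]) for a in cur if a in base and cur[a].amount != base[a].amount]
    redirected = [(r, a) for r in removed for a in added if a.name == r.name]
    return {"added": added, "removed": removed, "amount_changed": amount_changed, "redirected": redirected}


def classify(baseline, entries):
    """Name the pattern, in the deck's terms, implied by the per-entry differences."""
    if baseline and not {e.account for e in baseline} & {e.account for e in entries}:
        return "fraudulent file"           # nothing in common with the customer's usual receivers
    d = entry_diff(baseline, entries)
    if d["redirected"]:
        return "tampered transaction"      # same receiver name, new account number
    if d["added"]:
        added_net = sum(e.amount if e.kind == "credit" else -e.amount for e in d["added"])
        if added_net == 0 and any(e.kind == "debit" for e in d["added"]):
            return "rogue recipient"       # new credits offset by new debits, net unchanged
        return "bogus batch"
    if d["amount_changed"]:
        return "tampered transaction"
    return "clean"


def visibility(baseline, entries):
    """Which layer of checking sees this batch as abnormal."""
    t = totals_check(baseline, entries)
    pattern = classify(baseline, entries)
    return {"rules": bool(rules_check(entries)),
            "count": any(h.startswith("entry count") for h in t),
            "net": any(h.startswith("net movement") for h in t),
            "per_entry": pattern != "clean", "pattern": pattern}


# Constructed previous-cycle payroll batch: the customer's established receivers.
BASELINE = [Entry("11110001", "credit", 3_200_00, "A ALVAREZ"), Entry("11110002", "credit", 2_950_00, "B BENNETT"),
            Entry("11110003", "credit", 4_100_00, "C CHEN"), Entry("11110004", "credit", 3_750_00, "D DIAZ")]


def scenarios():
    """The four attack variants from the deck, built from BASELINE (constructed data)."""
    return {
        "fraudulent file": [Entry("99990001", "credit", 48_000_00, "MULE ONE"),
                            Entry("99990002", "credit", 47_500_00, "MULE TWO")],
        "bogus batch": BASELINE + [Entry("99990003", "credit", 9_800_00, "E EVANS")],
        "rogue recipient": BASELINE + [Entry("99990004", "credit", 9_800_00, "F FOSTER"),
                                       Entry("99990005", "debit", 9_800_00, "G GRANT")],
        # C CHEN's pay redirected to a mule account; count and totals unchanged
        "tampered transaction": [e if e.account != "11110003" else Entry("99990006", e.kind, e.amount, e.name)
                                 for e in BASELINE],
    }


if __name__ == "__main__":
    for name, batch in scenarios().items():
        print(f"{name:22s} {visibility(BASELINE, batch)}")
```

Run stand-alone, the script shows that none of the four batches trips a cap, that count and net totals see levels 1 and 2, that only the count sees level 3, and that level 4 is invisible to everything except the per-receiver diff against the customer's own history, which is the point the slide makes about rules-based monitoring.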

CYBER-CRIME TECHNOLOGICAL INNOVATIONS

Distributed Denial of Service (DDoS) Attacks
DDoS attacks continue, with enhanced methods/capabilities:
• More horsepower: networks of servers in data centers around the world (cloud hosting) used as the botnet, rather than individual computers
• Extreme bandwidth capability: up to 300 Gbps
• Consume more resources: flooded sites with requests for encrypted (SSL) sessions, which are more expensive for the server to handle than plain requests
• Criminals starting to collaborate (OCC alert)

Fraud Motivated Denial of Service Attack
• 62 money mules recruited to steal money from a California construction company via ACH and wire transfers
• Mules with consumer accounts received $4K-$9K transactions
• Mules with business accounts used to hide large-dollar transactions: $80K-$100K
• Possibly Gameover Zeus: the Trojan blocked the account controller's access to the site while the fraudulent transactions were set up, and a DDoS was launched on the bank's website
• The customer called the bank after being blocked from online banking, but no action was taken to investigate the account
• Law enforcement speculated there were multiple victims at the bank
• $900K transferred; the bank was able to recover half, with more expected

TDoS (telephony denial of service)
• Criminals use automated dialing programs and multiple accounts to overwhelm the phone lines of unsuspecting citizens
• Diversion: while the lines are tied up, the criminals, masquerading as the victims themselves, are raiding the victims' bank accounts

Continuous Malware Innovations
Families: Zeus/SpyEye, Citadel, Shylock, Carberp, Gozi, Prinimalka, ICE IX, Zitmo/Spitmo, Gameover, Ramnit

Innovations observed across these families:
• Social platform
• Customer service number injection
• Detection of remote desktop connections, to avoid being analyzed by researchers
• Spread via Skype
• Bootkit
• Targeted attacks planned against 30 banks
• Professional offering
• Spoofing of device ID information
• Fake chat injections
• Coupled with Reveton ransomware
• On-the-fly injections targeting enterprises
• Carberp-in-the-mobile
• Zeus rootkit

Mastermind behind Gozi arrested
• 40,000 US computers already infected
• One C&C server housed 3,000 stolen credentials

Eurograbber – compromising two-factor authentication
• $47M in losses; 30,000 retail and corporate accounts affected
• Infects computer and mobile
• Tricks two-factor authentication

Ramnit in the spotlight

March 2013 - Ramnit – Back and Better at Avoiding Detection
• Ramnit began as a worm and has been transformed into banking malware
• Rootkit-style upgrades hide components from anti-malware programs
• Anti-detection: the command-and-control server provides a dynamic list of anti-malware product process names; the bot kills any matching process on the infected computer, blocks API calls used by anti-malware products, and keeps its modules encrypted on disk, decrypting them on the fly when needed
• Independent banking module: the Hook&Spy credential-stealing component, which was native to Zeus, has been replaced by a custom-built hook module, so Ramnit no longer relies on Zeus code

Malware take away…
• Evolution continues: a developer breathes new life into Zeus; malware is being repurposed for financial gain (Ramnit); added functionality adds further monetization opportunities
• Increased emphasis on evading detection: more focus on rootkit technology and increased use of encryption, both motivated by hiding from anti-malware programs
• Stopping malware is not a cure: fraudsters change tactics as the need arises, and solutions that focus on malware are always challenged to keep up

Mobile Devices – Facilitating Criminal Activities
• Malware increasing: Android malware up from 28,000 to 175,000 in the third quarter
• Malware downloaded via infected SMS, web links and infected apps
• FBI alert on Loozfon and FinFisher: Loozfon steals the phone number/IMEI and contact details; FinFisher is spyware targeting Android phones to remotely control and monitor them
• Mobile as a source of credential stealing: SMS phishing
• Bypassing mobile text-based authentication: Eurograbber (Zitmo), a $47M attack in Europe combining online and mobile malware, targeted 30,000 corporate and private banking accounts
• Mobile malware capabilities: botnet (spam, DDoS), stealing online banking credentials, compromising transactions, premium-service texts

It’s Getting Easier for Criminals

You can rent a botnet to send your Trojan-laced emails and steal online banking credentials from thousands who click the booby-trapped attachments.

You can purchase Web injects that allow you to change the behavior of targeted bank Web sites as they are displayed in the victim’s browser.

If you want help hauling the loot, you can rent access to money mules that are hired by mule recruitment gangs.

And if you need a diversion to distract or otherwise occupy your victims while you rob them, you can rent this service.

From Krebs on Security

Threat Summary
• Innovation is rapidly occurring on all fronts: account takeover, money movement, defeating common controls
• Multiple groups are involved in cybercrime, working together for bigger impact; where one leaves off, another picks up
• There is no one threat that is the greatest

PROACTIVELY DEFENDING AGAINST THREATS

Criminals Innovating Account Takeover Strategies
Routes into the customer account: email breach, call center social engineering, SMS phishing, vishing, purchased credentials, malware
Offline transactions (check fraud, wire fraud) via fax, email, call center or online chat
Online transactions: wire, ACH, bill pay, external transfers

Understanding Individual Behavior in Accounts

What can be observed at each stage, across the online, mobile, email, call center and branch channels, against both malware and human attacks that lead to payments fraud:
• Login: challenges, device, cookie, IP address, time of day, network, …
• Finance management and account maintenance: add new user, change limits, set up batch, set up template, add payees, …; view balance, view check image, update address, update email, update password, …
• Online requests (payments): ACH, wire, bill pay, external transfers, internal transfers, loan draw, …
• Offline requests: ACH, wire

In any fraud attack, the criminal does something unusual relative to the real user. Each individual customer has their own unique banking behavior.

FraudMAP End-to-End Behavioral Analytics
• Is the client accessing online/mobile banking in an expected way? (when, where, how)
• Are the client's banking actions normal? (occurrence, frequency, sequence, timing, what's missing)
• Are the transactions typical for this time in their history? (type, amount, payees, sender-receiver relationship, frequency of transaction, velocity)

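The three behavioral questions above, together with the account reconnaissance and live-chat wire sequences described earlier, can be turned into a per-account-holder scoring routine. The following is an added example, not the deck's code and not FraudMAP's algorithm: it builds a baseline from one customer's own past sessions, scores a new session on access context, actions performed (and the sequence they form) and transactions requested, and raises an alert above a threshold. The customer history, the three sample sessions, the feature weights and the alert threshold are constructed assumptions; a production system learns the weights rather than fixing them.

```python
# Added example: not code from the Guardian Analytics deck and not FraudMAP's algorithm.
# History, sessions, weights and the alert threshold are constructed for the example.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Session:
    device: str                 # device fingerprint / cookie label
    network: str                # network the login came from (constructed label)
    hour: int                   # local hour of login, 0-23
    actions: list               # actions in the order performed
    payments: list = field(default_factory=list)   # (payee, amount_cents), incl. wires requested via chat


def is_reconnaissance(s):
    """Deck pattern: password reset plus looking around (summary, bill pay, check images), no payment."""
    looked = {"view_summary", "bill_pay", "view_check_image"} & set(s.actions)
    return "password_reset" in s.actions and len(looked) >= 2 and not s.payments


def is_chat_wire(s):
    """Deck pattern: consolidate funds, open chat from online banking, then ask for a wire."""
    try:
        a = s.actions
        return a.index("internal_transfer") < a.index("chat_start") < a.index("chat_wire_request")
    except ValueError:
        return False


class AccountModel:
    """Baseline for one account holder, built only from that holder's own sessions."""

    def __init__(self):
        self.n = 0
        self.devices, self.networks, self.hours = Counter(), Counter(), Counter()
        self.actions, self.payees, self.max_amount = Counter(), Counter(), 0

    def learn(self, s):
        self.n += 1
        self.devices[s.device] += 1
        self.networks[s.network] += 1
        self.hours[s.hour // 4] += 1            # 4-hour buckets
        for a in set(s.actions):
            self.actions[a] += 1                # number of sessions containing the action
        for payee, amount in s.payments:
            self.payees[payee] += 1
            self.max_amount = max(self.max_amount, amount)

    def rarity(self, counter, value):
        """0.0 when the value appears in every past session, 1.0 when never seen."""
        return 1.0 - counter[value] / self.n if self.n else 1.0

    def score(self, s):
        pts, why = 0.0, []
        # Q1: is the access expected? (where, when, how)
        for label, counter, value, w in (("device", self.devices, s.device, 2.0),
                                         ("network", self.networks, s.network, 2.0),
                                         ("hour", self.hours, s.hour // 4, 1.0)):
            if self.rarity(counter, value) >= 0.8:
                pts += w
                why.append(f"unusual {label}: {value}")
        # Q2: are the actions normal? (occurrence and sequence)
        for a in dict.fromkeys(s.actions):      # unique actions, order preserved
            if self.rarity(self.actions, a) == 1.0:
                pts += 1.5
                why.append(f"first-ever action: {a}")
        if is_reconnaissance(s):
            pts += 3.0
            why.append("account reconnaissance sequence with no payment")
        if is_chat_wire(s):
            pts += 3.0
            why.append("consolidate-then-chat wire request sequence")
        # Q3: are the transactions typical? (payee, amount)
        for payee, amount in s.payments:
            if self.rarity(self.payees, payee) == 1.0:
                pts += 2.0
                why.append(f"new payee: {payee}")
            if self.max_amount and amount > 2 * self.max_amount:
                pts += 1.5
                why.append(f"amount {amount} far above prior maximum {self.max_amount}")
        return pts, why


ALERT_AT = 5.0   # assumed threshold


def assess(model, s):
    pts, why = model.score(s)
    return {"score": pts, "verdict": "alert" if pts >= ALERT_AT else "normal", "reasons": why}


def build_model():
    """Constructed history: ten evening bill-pay sessions from the holder's phone at home."""
    m = AccountModel()
    for i in range(10):
        payee, amount = ("ELECTRIC CO", 120_00) if i % 2 == 0 else ("WATER UTILITY", 45_00)
        m.learn(Session("iphone-a1", "home-isp", 20, ["login", "view_summary", "bill_pay"], [(payee, amount)]))
    return m


def normal_session():
    return Session("iphone-a1", "home-isp", 21, ["login", "view_summary", "bill_pay"], [("ELECTRIC CO", 125_00)])


def recon_session():   # stolen credentials used only to look around, new PC, hosting network, 3 am
    return Session("win-pc-7c", "hosting-asn", 3,
                   ["login", "password_reset", "view_summary", "bill_pay", "view_check_image"])


def chat_wire_session():   # funds pulled into checking, then chat opened to ask for a wire to a new payee
    return Session("win-pc-7c", "hosting-asn", 14,
                   ["login", "view_summary", "internal_transfer", "chat_start", "chat_wire_request"],
                   [("XYZ HOLDINGS LLC (wire)", 9_500_00)])


if __name__ == "__main__":
    m = build_model()
    for s in (normal_session(), recon_session(), chat_wire_session()):
        print(assess(m, s))
```

The reconnaissance session carries no transaction at all and still scores well above the threshold, which is the deck's point that 90% of fraud incidents contain no payment and that detection has to start at login rather than at the transaction. The chat session is flagged before the wire is ever keyed by an agent, at the consolidation and chat steps.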

Anomaly Detection/Behavioral Analytics

New FFIEC Minimum Expectations for Online/Mobile
1. Ongoing risk assessments
2. Layered security for retail and business
3. Customer education/transparency

Layered security must include the following minimum elements:
1. The ability to detect and respond to anomalous and suspicious behavior at login and transaction
2. Enhanced controls over administrative functions often used in fraud attacks

Against element 1, FraudMAP:
• Identifies anomalous behavior for each individual account holder
• Monitors from login through account reconnaissance to transaction
• Covers retail and business accounts
• Provides early indicators of account takeover and fraud
• Detects the widest array of attacks, including Man-in-the-Browser, online and mobile

Against element 2, add additional layers based on risk:
• FraudMAP identifies high-risk administrative actions (adding new users, changing approval limits, changing contact information)
• FraudMAP can help drive response and intervention with 3rd-party systems


Why FIs Prioritize Anomaly Detection

For your institution:
• Instant, 100% coverage, no adoption issues
• Stops the widest array of fraud attacks
• Longest lifespan: a per-customer model can't be studied and worked around the way fixed rules can, and is not threat-specific
• Fast time to security with no customer impact
• Little to no impact on ongoing workload
• Rapid deployment, low maintenance
• Most complete protection

For account holders:
• Transparent customer experience
• Protection for them, no action by them
• Customers respond positively

Anomaly Detection For Institutions of All Sizes
• Proactively prevent fraud: stop fraud before the transaction; defends against a wide array of attacks
• Conform to FFIEC expectations: all banks are expected to have anomaly detection
• Grow confidence in the online channel: reduce risk, increase online adoption and enhance online services
• Know your customers: gain insight into your customers and their behaviors
• Optimize fraud and IT resources: fast time to security, minimal alerts, fast investigation, no ongoing maintenance

FraudMAP Fraud Prevention Platform: Dynamic Account Modeling, Alerting and Visual Analytics (Retail/Business), FraudMAP Live

For More Information

Email [email protected] to sign up for: • Periodic Fraud Informers • Monthly Fraud Factor newsletters

Visit www.guardiananalytics.com • Sign up for a demo • Visit our research

Email us with any questions • [email protected]

Thank You!