Archive for the ‘Botnets’ Category

The Real Story Behind the APWG Report: Online Payment Outlets are Still Attracting the Biggest Risk

Posted on February 24th, 2011 by Dan Rampe

Findings from the recent APWG report reveal that fraud remains a serious issue in the credit card/payments information category. This is often downplayed to account for rises in cases in smaller categories such as Classified Advertising and Banking. These categories, however, account for less than 10% of all phishing cases. Statistics show that more than one-third of phishing attempts to steal credentials are directed at collecting credit card/payments information, making this the largest category affected by fraudsters.

One reason this issue may not seem as relevant might be the decrease in brand attacks since 2009. It is important to keep in mind, however, that while the number of brands hijacked by phishing attacks is down 22% from October 2009, fraudsters are finding unique ways to target specific brands through personalized phishing attempts that make these efforts more difficult to track.

According to ThreatMetrix Chief Product Officer Alisdair Faulkner in a recent Security Week article, the attacks on the credit card/payment information category may be decreasing, but they continue to affect the largest number of people. “Unfortunately the pain is not just felt by the brands targeted by phishing attacks, it is every other online business that is then attacked with the stolen identity and credit card information,” he said.

Within a period of 24 hours (from Feb. 1 – Feb. 2) ThreatMetrix detected 135,000 fraudulent transactions attempted against 350 of the top online companies, data we pulled for Security Week.

Stolen consumer information continues to be a serious issue. It is essential that innovative efforts continue to block fraudsters before they have the opportunity to cause significant damage. Statistics like those gathered from the APWG report illustrate the rapid pace at which the fraud protection industry needs to move in order to maintain a solid approach to fraud prevention.

Get Rich Quick On The Internet: Learn Online Fraud

Posted on September 21st, 2010 by Tom Grubb

Abbie Hoffman, social and political activist of the 1960s and 70s, once said “a modern revolutionary group heads for the television station.” If Hoffman were alive he would surely advise today’s modern revolutionaries to get online. Before YouTube, Twitter and WordPress, if you wanted to start a revolution, your options for telling the world what you had in mind were fairly limited to the physical realm, like breaking down the doors of the TV station or taking a hostage to draw attention to your cause. Hoffman’s 1970s classic Steal This Book, a manual for then-wanna-be revolutionaries, offered detailed instructions on how to scam your way to freeloading, including how to steal (plastic) credit cards. Hoffman would be pleased that stolen credit cards are available in bulk today as cheap commodities starting at $1.50 each, according to the latest Online Fraud Report from RSA.

The new report describes a thriving “cybercriminal underground” where accomplished or wanna-be-fraudsters can buy anything from a Zeus Trojan Kit ($3K – $4K) to Online Banking Logins ($50 – $1,000 per account) to build   [read more...]

The Dirt on Clean Fraud

Posted on August 5th, 2010 by Tom Grubb

CyberSource just released an excellent white paper titled Improving Automated Screening to Overcome Increasingly Sophisticated Fraud that’s stuffed full of valuable advice and insights by Paul Brock, one of their top fraud management consultants. You may think “clean fraud” sounds like an oxymoron, but it fits as a description of fraudsters getting better (cleaner) at applying more complete and accurate personal data from stolen identities/credit cards to commit fraud. Brock’s knowledge and experience are well worth reading in this white paper—he’s on the front lines of fighting online fraud, helping customers take and keep control over fraud 24 x 7.

You can request a copy of the CyberSource white paper here.

Brock’s premise is that because fraudsters have gotten smarter about using more and better personal data and strategies (“clean” fraud) to make it appear as though they are legitimate customers, organizations need to adopt more and better fraud prevention tools and strategies to control fraud.  He points to ThreatMetrix’s Fraud Network, “combined with cross-merchant transaction histories” as providing an effective strategy for detecting “clean” fraud.

Here are just some of the valuable points that Brock discusses in this paper:

  • Next-generation device identification solutions, those that offer “both browser fingerprint and packet signature inspection,” deliver a new and rich source of information about the computer/device, its internet connection and its behavior that goes beyond “just the apparent identities involved in the transaction.”
  • Device identification technology opens a new avenue of correlation that can be used in fraud screening: you have an additional element that can be examined with regard to velocity, and for detecting identity morphing.
  • Device fingerprinting must go beyond the surface of identifying the transacting device, to identify whether additional suspicious activities might be at work. In the process of collecting the device identification attributes, your implementation of device fingerprinting should also interrogate the device about how it is being used and how it may be under the control of another device.

There’s a ton of great information in the white paper; get a copy and learn how to stay ahead of clean fraud.

- Tom

Botnets: The Web Boogeyman Is Here

Posted on June 2nd, 2010 by Tom Grubb

Next to anonymity, automation is a cybercriminal’s best friend. Botnets—a network of compromised computers on the Internet under the command and control of a single computer—are a game-changer for e-fraudsters. Cybercriminals with a sufficiently large botnet have the potential computing power equivalent to a supercomputer at their disposal. A botnet can originate fraudulent transactions from many different computers from all over the world, making it harder to recognize fraud patterns through traditional velocity checks. There are a myriad of ways to exploit a botnet that I’ll describe in a minute, but first a little grounding on the world of bots and botnets.


Webfraud 101 Edu-comics: Botnets and Proxies

Posted on April 26th, 2010 by Tom Grubb

We keep finding new and interesting ways to use our ThreatMetrix comic characters to spread the word about our SaaS web fraud solution — now here’s a new one that’s good for more than just a laugh: educational “how-to’s” so you can get under the hood of The ThreatMetrix Fraud Network. Here’s our first installment, cooked up by ThreatMetrix Chief Products Officer Alisdair Faulkner: in the ThreatMetrix Web Fraud 101 “how to” series, learn about Botnets and Proxies, two powerful tools in the fraudster toolkit, and how ThreatMetrix turns these tools against them.

The tight confines of our blog make the panels a bit hard to read, so head over to our website to get the full-sized version of the entire series.

- Tom





Greatest Cyberthreats? Botnets & Ineffective Law Enforcement

Posted on April 23rd, 2010 by Tom Grubb

If you like to worry about cybercrime statistics you’ll love Symantec’s new Global Internet Security Threat Report for 2009. Almost 100 pages full of interesting facts like “Symantec observed 6,798,338 distinct bot-infected computers in 2009,” the operative word being “observed.” In other words, the actual number of bot-infected computers is probably much greater and difficult to really know. I’ve read estimates that from 5% to 25% of all PCs worldwide are infected. The botnet population is a moving and morphing target; all you really have to know is that there are a lot of them thanks to evolving technology and clever deceptions aimed at the entire population of computer users.

Botnets are just one of the cybersecurity topics that the ThreatMetrix CTO discussed with Infosec Island’s Anthony Freed in this just-published interview. Check it out here:

https://www.infosecisland.com/blogview/3717-An-Interview-with-David-Jones-CTO-at-ThreatMetrix.html

- Tom

Seven Clues that a Web Visitor is a Fraudster

Posted on March 31st, 2010 by Tom Grubb

Fraudster or customer? That question keeps getting harder to answer in the online world while the consequences of getting it wrong get more severe. The last mile in web fraud prevention can’t be bridged by the tools and means that rely on the personal information (PII) we all supply to the various web sites we visit. No, the last mile in web fraud prevention is more like a chasm that must be leaped by a new class of anti-fraud technology that relies on the wealth of anonymous characteristics spawned for a web transaction that make each a unique, measurable event—information from a computer, its Internet connection and the context of a web transaction—all intelligently managed in such a way that reveals truth. Here are seven clues that can help you derive a confidence factor for the visitors knocking on your website door to create a new account, use a credit card, or log in:

  1. I’ve seen this computer at our website before—it has a questionable track-record with my business
  2. Someone else in the network reports a suspicious or negative experience with a device
  3. Something’s out of place, missing or inconsistent—a good customer using their computer for legitimate purposes wouldn’t behave (that) way
  4. This computer tried to use 20 credit cards in 5 minutes—what???
  5. The computer is using a hidden proxy—to register for a new credit card account???
  6. The computer appears to be under the control of a bot
  7. The true geographical location by IP address is different than where the person claims to be

You can learn more about how anonymous data is increasingly useful to help stop online fraud in this article in the newly launched Security Week.

- Tom

P.S. If you haven’t heard about Panopticlick, a project by the Electronic Frontier Foundation, then you really should check out the article.

Patience is the virtue that pays when it comes to online fraud

Posted on August 21st, 2009 by Tom Grubb

Chinese symbol for patience -- the virtue that pays for cyber criminals

I can imagine the thrill an online fraudster must get when he breaks into a bank—quietly clicking away at his browser in the comfort of his home checking the victim’s account balances to see if the balance is high enough to justify the added risk of proceeding to drain the account. With so many more potential targets to find and monitor, why not wait to strike when the moment is right and the payoff is huge? That’s exactly what the sophisticated fraudsters do: they wait because they know time is on their side.

The New York Times reports that Unspam Technologies filed a lawsuit against “gangs based in Eastern Europe that electronically break into business computers, steal banking password and transfer themselves money.” Unspam wants to get the names of the hackers by way of the banks and their customers who have been compromised. Unspam’s lawsuit invokes the federal Can-Spam Act, aiming at the email messages that are often the means by which consumers’ computers are compromised.

The critical enabler of these crimes is consumer computers infected with malicious software by cyber criminals who then monitor their activity in order to learn passwords and then use them to impersonate the consumer. The sheer number of infected computers is staggering; estimates put the number in the tens of millions worldwide. Fraudsters have the luxury of time on their side and the advantage of powerful technology that enables them to maximize the return on their efforts. The technology is sophisticated enough to alert the hackers “once their computers find they have gained access to the computer of someone who controls a lot of money.” They watch for consumer behaviors—like wiring money to other banks—that offer the biggest payoffs.

McAfee and Symantec, among others, offer consumers tools to help prevent and clean up the viruses that give control and power to the fraudsters, but they are not foolproof, nor does everyone use them. Banks and companies doing business on the worldwide web invest in technologies to identify and prevent criminals from infiltrating their business—it’s in their best interest to protect themselves and their customers. The lawyer for Unspam, Jon L. Praed, told the NYT “he hoped his John Doe lawsuit would encourage banks to improve their electronic defenses.” I’m not sure banks need more motivation to defend against crime, but they do need to continue to invest in more anti-fraud tools and people to stay ahead of the cyber criminals. Device identification is the new new thing to help banks and their customers keep the bad guys out.

- Tom

Can Device Identification Help Prevent Fraudsters from Using Your Personal Data Against You?

Posted on July 9th, 2009 by Tom Grubb

Social Security Numbers: Device ID can take the risk out of gambling with your personal data

According to a new study by researchers at Carnegie Mellon University, it is now possible to exploit an individual’s place and date of birth to predict his or her Social Security number. Most of us have fed the worldwide web (often willingly, sometimes not) enough personal data about ourselves to leave pieces of us in the form of data that fraudsters can use to identify us: credit card numbers, birthdates, personal tastes…just about anything and everything that could be used to identify us. The Carnegie study reveals that personal data available from online sources such as Facebook can now be used to construct our Social Security numbers: personal private data that until now was considered reasonably safe from intelligent guessing by networks of compromised computers.

Here’s an excerpt from the Carnegie study that spells out the problem:

‘Although defense mechanisms to detect repeated abuses are in place at those services [for instance, the SSNVS tracks incorrect attempts at verifying SSNs, and financial institutions blacklist (for various days or months) IP addresses originating 3 or more failed logins or transactions], “botnets” of compromised computers allow attackers to test – cheaply and covertly – vast numbers of variations of targets’ SSNs, strategically distributing simultaneous attempts across services, compromised machines, and target accounts.’

Device Identification would make it difficult to “strategically distribute simultaneous attempts across services” because ThreatMetrix would identify the source of the attempts, even if the fraudster is hiding behind a proxy. “Cheaply and covertly” are consistent with what I’ve said in previous blog entries about how the technology tools and means to commit fraud are making a bad problem much worse as they enable far more people to jump into the online fraud business. The more we reveal about ourselves online, the more easily we can be identified by who we are and what we do. Online banking, purchasing, gaming, dating and social networking rely on our ability to show that we are who we claim to be without our physical presence, and this creates the opportunity for fraud. On the web, we’re defined by data in the form of attributes that can be (and are) used to authenticate our identity: birth date, street address, favorite pet, height, color of eyes, Social Security number and more. The Carnegie study shows that it’s quite possible to correlate those data from various sources to get a more complete and accurate picture of a person for credentialing. This is something new that has the potential to wreak havoc in the online world.
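The per-IP blacklist in the Carnegie excerpt and clue 4 from the “Seven Clues” post (20 credit cards in 5 minutes) can be compared side by side. The sketch below is an added example, not ThreatMetrix code: the event layout, the `dev-A`/`dev-B` identifiers and the sample data are constructed, and it assumes a device identifier that stays the same when the proxy IP changes.

```python
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 5 * 60   # "20 credit cards in 5 minutes" (clue 4)
CARD_LIMIT = 20
IP_FAILURE_LIMIT = 3      # "3 or more failed logins or transactions" per IP


def sample_events():
    """Constructed data: (timestamp_s, ip, device_id, card, succeeded)."""
    # One device that uses a different proxy exit IP for each of 20 cards.
    events = [(i * 15, f"203.0.113.{i + 1}", "dev-A", f"card-{i:02d}", False)
              for i in range(20)]
    # An ordinary customer who mistypes once and then succeeds.
    events += [(40, "198.51.100.7", "dev-B", "card-B", False),
               (70, "198.51.100.7", "dev-B", "card-B", True)]
    return sorted(events, key=lambda e: e[0])


def ips_over_failure_limit(events, limit=IP_FAILURE_LIMIT):
    """Traditional check: blacklist IPs with `limit` or more failures."""
    failures = Counter(ip for _ts, ip, _dev, _card, ok in events if not ok)
    return {ip for ip, n in failures.items() if n >= limit}


def devices_over_card_velocity(events, window=WINDOW_SECONDS, limit=CARD_LIMIT):
    """Device-keyed check: distinct cards per device in a sliding window."""
    recent = defaultdict(deque)          # device_id -> (timestamp, card)
    flagged = set()
    for ts, _ip, device, card, _ok in sorted(events, key=lambda e: e[0]):
        seen = recent[device]
        seen.append((ts, card))
        # Drop attempts that have aged out of the window.
        while seen[0][0] <= ts - window:
            seen.popleft()
        if len({c for _t, c in seen}) >= limit:
            flagged.add(device)
    return flagged


if __name__ == "__main__":
    events = sample_events()
    # Each proxy IP carries a single failure, so no IP reaches the limit.
    print("IPs blacklisted:", ips_over_failure_limit(events))
    # The same 20 attempts collapse onto one device identifier.
    print("Devices flagged:", devices_over_card_velocity(events))
```

The device key only helps when the identifier is stable across proxy changes; that stability is assumed here, not demonstrated.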

Those personal data attributes scattered across the worldwide web present a new form of risk. Device Identification (when it’s done right) can take back some of that risk by providing a reliable point of reference to authenticate who’s at the computer. By profiling the computer instead of the person, ThreatMetrix Device Identification offers these advantages as a method to authenticate identity online:

  • Instantly identify a computer within seconds at the moment a connection is made: manage the risk of a device connection before you provide someone access to your web site
  • Passive, non-intrusive identification: because data is supplied by the visiting computer and its connection instead of the person, authentication requires no knowledge of or inputs from the web site visitor
  • Even if personal data such as Social Security numbers are compromised, ThreatMetrix Device Identification helps companies and institutions prevent fraudsters from using them to establish illicit accounts

Will device identification become a must-have factor to authenticate identities on the worldwide web in the next few years?

Will fraudsters outsmart smartphones?

Posted on June 9th, 2009 by Tom Grubb

Would you feel safe purchasing goods with your credit card from your cell phone? If you answered “yes” then you’re in agreement with about half the respondents in a recent Harris Interactive survey reported by Internet Retailer who consider it “at least somewhat safe” to make a purchase through their cell phone.

Of course that presumes you are willing to overlook the inconvenience factor that goes with entering your credit card number and personal information on your cell phone—which, depending on your cell phone, can be a minor inconvenience or a royal pain. According to the survey, “46% of cell phone owners said that, assuming they could purchase securely through cell phones, they’d be willing to make purchases this way.”

As smartphones like Apple’s iPhone get easier and consumer adoption increases, it’s a fair bet that so will online purchases made from smartphones…and online banking…and social networking…and just about any web activity you would typically undertake on your computer today. Etailers and businesses that rely on customers to connect via their computer will undoubtedly invest more in technology to instill trust and confidence in smartphone users so they feel very safe interacting with them via their smartphones. While 46% may seem like a healthy number, I’m sure the survey results made more than a few etailers cringe.

As smartphones take on more everyday computing tasks they are also likely to become a desirable platform for fraudsters. Georgia Tech in its Emerging Cyber Threats Report for 2009 predicts as much. According to Patrick Traynor, an assistant professor at the university, “malware will be injected onto cell phones to turn them into bots.” He goes on to say “at this point, mobile device capability is far ahead of security… we’ll start to see the botnet problem infiltrate the mobile world in 2009.”

For now it pays to be extra careful when banking or buying from your smartphone. I’ll have more to say about mobile computing and fraud prevention in the coming weeks.

- Tom