1 / 33

Cybersecurity & Fraud

Cybersecurity & Fraud. Assoc. of Certified Fraud Examiners CT Chapter June 22, 2018 Bryan Cassidy, VP / Information Security Officer (CISA, CISSP, CFE). Agenda. Wire & ACH Fraud. Internet Connected Devices (IOT). Open Source Intelligence Gathering (by fraudsters)

laneb
Download Presentation

Cybersecurity & Fraud

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cybersecurity & Fraud Assoc. of Certified Fraud Examiners CT Chapter June 22, 2018 Bryan Cassidy, VP / Information Security Officer (CISA, CISSP, CFE)

  2. Agenda Wire & ACH Fraud Internet Connected Devices (IOT) • Open Source Intelligence Gathering (by fraudsters) • Email Header Message Overview • Variations of Fraud Scheme • Money Mule Recruitment • Basic Investigation Procedures • Shodan.io • Cybersecurity Risks • Denial of Service • Physical Harm • Unauthorized Access • Unintentional Disclosure

  3. Why Are They Rarely Arrested? PARIS MOSCOW HARTFORD MIAMI DUBAI LAGOS DAR ES SALAAM Geopolitical Challenges Govt. Protections Masking Techniques Laws/Regulations Attribution Challenges

  4. Wire & ACH Fraud

  5. Wire/ACH Fraud Headlines in Mainstream Media

  6. FBI Public Service Announcements January 22, 2015 I-012215-PSA There have been 2,126 victims with an exposed loss amount of $0.2 billion... August 27, 2015 I-082715a-PSA There have been 8,179 victims with an exposed loss amount of $0.8 billion... June 14, 2016 I-061416-PSA There have been 22,143 victims with an exposed loss amount of $3.1 billion... May 4, 2017 I-050417-PSA There have been 40,203 victims with an exposed loss amount of $5.3 billion... October 2013 – December 2016

  7. Open Source Information Gathering Full Names, Job Titles, Roles & Responsibilities, Email Naming Conventions. Press Releases, Media Mentions, Full Names, Titles, Email Naming Conventions. Press Releasesand Leadership Biographies. Press Releasesand Leadership Biographies. Out of Office Response Notifications (External)

  8. Email Message Headers Data appended to every email message which is used to control the message and the transmission from the sender to the recipient. The header contains other meta data such as; subject, reply-to, return-to, originating IP address, user-agent, etc.

  9. Wire/ACH Fraud Variations Complexity* Sub-Category Category Success Probability* Low Low Email Spoofing Header Alteration Low/Moderate Low Similar Domain Social Engineering Moderate** Moderate** Email Compromise Your Company Moderate** Moderate** Third-Party Account Takeover High Low Full Control * These qualitative ratings are based on professional experience, law enforcement notifications, mainstream media articles, etc. ** The complexity and probability ratings highly depend on the security mechanisms that have been implemented; therefore, these are for discussion purposes.

  10. Email Language Tradecraft This list of not all inclusive but is meant to give a general idea of language similarities seen in fraudulent attempts; Urgency Favorite Word “...process this as soon as possible.” “...kindly...” “...payment must be made today.” Initial Contact “Are you in the office?” Avoidance “I can’t take calls right now.” “Are you available to process a payment?”

  11. Email Spoofing (Header Alteration) From: John Patrick <ceoexec01@yandex.com> Sent: April 2, 2017 10:02am To: bcassidy@farmingtonbankct.com Subject: Urgent Hi Bryan, Can you kindly process a wire for me? Thank you, John Sent from my iPad

  12. Email Spoofing (Similar Domain) From: John Patrick <jpatrick@farmlngtonbankct.com> Sent: April 2, 2017 10:02am To: bcassidy@farmingtonbankct.com Subject: Urgent Hi Bryan, Can you kindly process a wire for me? Thank you, John Sent from my iPad

  13. Email Compromise From: John Patrick <jpatrick@farmingtonbankct.com> Sent: April 2, 2017 10:02am To: bcassidy@farmingtonbankct.com Subject: Urgent Hi Bryan, Can you kindly process a wire for me? Thank you, John Sent from my iPad

  14. Witting & Unwitting Money Mules From: John Patrick <jpatrick@farmingtonbankct.com> Sent: April 2, 2017 11:02am To: bcassidy@farmingtonbankct.com Subject: Re:Urgent I can’t talk but let me know when the wire is sent; Bank Name: First National Bank of Hawkins Bank Address: 1 Demogorgon Drive, Hawkins, IN Beneficiary Name: Hawkins Laboratory LLC Beneficiary Address: 11 Hopper Way, Hawkins, IN Beneficiary Account #: 11011011 Beneficiary Routing #: 123456790 Thank you, John Sent from my iPad

  15. Recruitment of Money Mules Romance Scams ...“money mules” are people who are used to transport and launder stolen/counterfeit money. The individuals used are not the only victims; the scheme is designed to extract money from an organization or from other people... “To Good To Be True” Job Postings Reshipping Work From Home Secret Shopper Over Payment Scams

  16. Basic Investigation Procedures

  17. Email Message Headers The beginning of the email message header usually contains transmission details, so if you scroll down to the bottom, you can usually find the following metadata; “From:” – This field is for displaying who sent the email. “Reply-To:” – This field is used to populate email address if the recipient replies to the email. “Return-Path:” – This field is used to receive the bounced email address if it is undeliverable. “X-Origination IP:” – This field may tell you the IP address that was used to send the email. “Date:” – This field may provide details on the potential time zone of the sender (e.g., Sun, April 2, 2017 10:04:42 +0200). “User-Agent:” – This field may provide details on the email client used. “X-Mailer:” – This field may provide details on the email client used.

  18. IP Address In using your preferred online tool to perform a “WHOIS” search (e.g., WHOIS.com, BROWSERLEAKS.com, IPADDRESS.com, etc.), you can usually find the following by typing in the IP address; 123.456.789.011 “Geolocation Country/State/City” – This will let you know the geolocation of the IP address. “Internet Service Provider (ISP)” – This will let you know what internet service provider was used by the sender. “TOR Relays” – This will let you know if “the onion router” was potentially used to anonymize traffic. “Contact Details” – This can include names, mailing address, phone numbers, and email addresses for the internet service provider.

  19. Domain Address In using your preferred online tool to perform a “WHOIS” search (e.g., WHOIS.com, BROWSERLEAKS.com, IPADDRESS.com, etc.), you can usually find the following by typing in the domain address; farmingtonbankct.com “Organization Name” – This will let you know the geolocation of the IP address. “Registration Date”– This will let you know what internet service provider was used by the sender. “Registration Update Date” – This will let you know what internet service provider was used by the sender. “Contact Details” – This can include names, mailing address, phone numbers, and email addresses for the individual/organization that has registered the domain address.

  20. Searching on Other Data Elements • If you have an address, you can use Google Maps (or similar) to verify the location, just know when the map data was last updated. • Ex: You may learn that the address ties back to a UPS Store box. • If you have a company name, you can use a state’s business search website to identify directors/agents names and mailing addresses. • If you have a residential address, you can use a state’s property search website to identify owner names. • If you have a phone number or email address, you can attempt to enter the data on social media searches to see if any public profiles are using the same data.

  21. Reporting Internet Crimes Internet crime includes any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes. The IC3 does not conduct investigations; however, the information is reviewed by an analyst and forwarded to federal, state, local, or international law enforcement or regulatory agencies. www.ic3.gov Complaint Referral FormInternet Crime Complaint Center

  22. Dept. of Justice – “Operation Wire Wire” IMMEDIATE RELEASE June 11, 2018 74 Arrested in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes “...conducted over a six month period, culminating in over two weeks of intensified law enforcement activity resulting in 74 arrests in the United States and overseas, including 29 in Nigeria, and three in Canada, Mauritius and Poland. The operation also resulted in the seizure of nearly $2.4 million, and the disruption and recovery of approximately $14 million in fraudulent wire transfers.”

  23. Internet of Things (IoT)

  24. Convenience of Connected Devices

  25. Attack Vectors Unsupported (by Vendor) Discoverable Due to “Plug n’ Play” Default Passwords Zero Day Vulnerabilities Unpatched Firmware

  26. Shodan www.shodan.io “Shodan is the world's first search engine for Internet-connected devices. You discover which of your devices are connected to the Internet, where they are located and who is using them.”

  27. Denial of Service (Mirai) A malware variant that took control of specific Internet-connected devices so they could be directed & used in large scale attacks. The open source code was then released on hacker forums. October 21, 2016 1.2 terabits per second From 50,000 to 500,000 devices and many more…

  28. Physical Harm (Medical Implants) “...the FDA confirmed that St. Jude Medical’s implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shock.”

  29. Physical Harm (Programmable Logic Controllers) “...an unexplained pattern of valve and duct movements had occurred over the previous 60 days. These movements consisted of manipulating the PLCs that managed the amount of chemicals used to treat the water to make it safe to drink, as well as affecting the water flow rate, causing disruptions with water distribution.” 

  30. Physical Harm (Connected Cars) “...as of October 2014, the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks...the purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.”

  31. Unauthorized Access (Security Cameras) “...they [security cameras] had faulty software that let anyone who obtained a camera’s IP address look through it — and sometimes listen as well.

  32. Unintentional Disclosure (Smart Home) “As the woman, identified only as Danielle, chatted away with her husband, the device’s virtual assistant, Alexa, mistakenlyheard a series of requests and commandsto send the recording as a voice message to one of the husband’s employees.”

  33. www.linkedin.com/in/bryancassidy

More Related