Commentary
8/29/2018 10:35 AM
Curtis Jordan

How One Company's Cybersecurity Problem Becomes Another's Fraud Problem

The solution: When security teams see something in cyberspace, they need to say something.

Fraud isn't something new or something that only happens on the Internet. Identity theft has been around for decades. What has changed is how fraud is executed; not only are individuals targeted, but now entire companies can become targets for fraud. For example, what are phishing sites masquerading as legit websites if not attempts at counterfeiting the identity of that company?

Cloud service providers and blue-chip software companies are especially desirable targets for fraud. Bad actors infiltrate corporate networks not to hack the corporations themselves but to co-opt their infrastructure. Hackers use stolen credentials to hide behind IP addresses, servers, and domain addresses to wage covert cyberattacks, misleading investigators and compromising corporate infrastructure in the process.

In my research, I've uncovered the three most common scenarios of what my team calls "cyber-enabled fraud," which we define as fraud that is facilitated through the use of malware exploits, social engineering, and/or lateral movement through a compromised website, network, or account. Note that all three of these can be, and many times are, used in conjunction with one another.

Phishing: Bad actors send a phishing email to steal your credentials, usually by having you click on a masked hyperlink directing you to a well-done spoof of a legitimate website. There you are asked to list information like usernames, passwords, Social Security numbers, birthdates, or financial information. These phishing emails can also be designed to install ransomware when you follow their directives.

Social Engineering: An attacker spoofs an email from the company's CEO to the CFO or someone else in finance to see whether he or she will wire money to an account controlled by the bad guys. Social engineering can also accomplish some of the goals of phishing, such as gaining sensitive information or getting credentials, over the phone or, on occasion, in person. You aren't being asked to do something, like click on a link, but you are asked directly to provide sensitive information.

Lateral Movement/Resource Sabotage: Once bad actors have gained access through phishing or a vulnerability exploit, there is further fraud that can be committed: They can use that access to compromise other machines or servers in a company, often with the help of any fraudulent credentials they've managed to obtain, and they can use these compromised systems to send out malware and malicious spam, or use bandwidth and resources for crypto mining.

All of these actions result in infrastructure becoming compromised in some way. But the larger end result is that my cyber problem has just become everybody else's fraud problem because my infected system is now set up to attack other systems.

Here's an example of cyber-enabled fraud in action. There are two cloud service providers, Cloud A and Cloud B. Bad guys use prepaid or stolen credit cards to purchase a virtual server account with Cloud A and, through that server, send out malware that is using the server for fraudulent purposes.

When they are finally caught — which can take months — and the account is shut down, the bad guys immediately open up an account using the same credentials with Cloud B. If Cloud A and Cloud B are willing to work together and exchange threat intelligence information, with Cloud A flagging that account as fraudulent, they can stop the cyber-enabled fraud much faster. This drastically changes the economics for the fraudster.
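The Cloud A / Cloud B exchange described above can be made concrete with a small sketch of how two providers might share a fraud flag without sharing raw customer data. This is an added example, not code from the article or from TruSTAR; the shared key, the feed structure, and all account values are constructed for illustration. Each provider publishes keyed hashes (HMAC-SHA256 under a secret agreed out of band) of the attributes it saw on a fraudulent account, and the other provider screens new signups against that feed at registration time instead of discovering the reuse months later.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: both providers agreed on this secret out of band (not on the page).
# Keyed hashing means the feed carries no raw e-mails, card numbers or IPs, and
# anyone without the key cannot brute-force the indicators back to plaintext.
SHARED_FEED_KEY = b"replace-with-a-real-out-of-band-secret"


@dataclass(frozen=True)
class Signup:
    """The attributes a provider sees when an account is opened."""
    email: str
    card_number: str
    source_ip: str


def fingerprint(kind: str, value: str) -> str:
    """Keyed fingerprint of one attribute, normalised so trivial case/spacing
    changes by the fraudster do not defeat the match."""
    normalised = value.strip().lower().replace(" ", "")
    msg = f"{kind}:{normalised}".encode()
    return hmac.new(SHARED_FEED_KEY, msg, hashlib.sha256).hexdigest()


class SharedFraudFeed:
    """The exchange both clouds read and write: fingerprint -> flag record.
    In practice this would be a shared platform or API; here it is in memory."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def publish(self, fp: str, record: dict) -> None:
        # Keep the first sighting so the original reporter stays attributed.
        self._records.setdefault(fp, record)

    def lookup(self, fp: str):
        return self._records.get(fp)


class CloudProvider:
    def __init__(self, name: str, feed: SharedFraudFeed) -> None:
        self.name = name
        self.feed = feed

    def indicators(self, signup: Signup) -> dict:
        return {
            "email": fingerprint("email", signup.email),
            "card": fingerprint("card", signup.card_number),
            "ip": fingerprint("ip", signup.source_ip),
        }

    def flag_account(self, signup: Signup, reason: str) -> None:
        """Cloud A's side: after shutting the account down, publish its fingerprints."""
        for kind, fp in self.indicators(signup).items():
            self.feed.publish(fp, {"source": self.name, "kind": kind, "reason": reason})

    def screen_signup(self, signup: Signup) -> list:
        """Cloud B's side: check a new registration against the shared feed.
        Returns (attribute, reporting provider, reason) for every hit."""
        hits = []
        for kind, fp in self.indicators(signup).items():
            record = self.feed.lookup(fp)
            if record is not None:
                hits.append((kind, record["source"], record["reason"]))
        return hits


def demo():
    """Constructed scenario: the abuser caught at Cloud A retries at Cloud B."""
    feed = SharedFraudFeed()
    cloud_a = CloudProvider("Cloud A", feed)
    cloud_b = CloudProvider("Cloud B", feed)
    # Constructed sample data: documentation IP ranges and well-known test card numbers.
    abuser = Signup("mallory@example.com", "4111 1111 1111 1111", "203.0.113.7")
    cloud_a.flag_account(abuser, "rented VM used to distribute malware")
    # Same actor re-registers with a fresh card but the same e-mail (different case) and IP.
    retry = Signup("Mallory@Example.com", "5555 5555 5555 4444", "203.0.113.7")
    clean = Signup("alice@example.net", "4000 0566 5566 5556", "198.51.100.20")
    return cloud_b.screen_signup(retry), cloud_b.screen_signup(clean)


if __name__ == "__main__":
    retry_hits, clean_hits = demo()
    print("retry:", retry_hits)   # hits on email and ip, attributed to Cloud A
    print("clean:", clean_hits)   # []
```

Two design points worth keeping in mind if this pattern is adopted: an IP match carries far less weight than an e-mail or card match (shared NAT and cloud egress addresses produce false positives), so the screening result should feed a risk score rather than an automatic block; and the shared key must be rotated and scoped to the sharing group, because whoever holds it can test candidate values against the feed.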

Cyber-enabled fraud is part of a vicious virtual cycle. The good news is we can break this cycle by using best practices in cybersecurity that protects our own identities and assets as well as the larger cyber ecosystem. It's taking the concept of "when you see something, say something" into cyberspace. Communicating about the cyber incidents you experience to others will help them better detect potential acts of cyber-enabled fraud. When you take care to protect yourself, you are helping your virtual community fight off cyberattacks.

This research was provided by the TruSTAR Data Science Unit, which has also published a curated list of IOCs tied to both cyber and fraud campaigns.


Curtis Jordan is TruSTAR's lead security engineer where he manages engagement with the TruSTAR network of security operators from Fortune 100 companies and leads security research and intelligence analysis. Prior to working with TruSTAR, Jordan worked at CyberPoint ...
Comments
Joe Stanganelli, User Rank: Ninja, 8/30/2018 | 11:32:29 PM
Re: Fraud
@Dr.T: Sure, virtualization and gapping measures can be great for security and tenant isolation...but more to the point, certain systems have to interact with each other -- and the security issues flow just as readily as does the communication itself.
Joe Stanganelli, User Rank: Ninja, 8/30/2018 | 11:30:40 PM
Re: Honan example
@Dr.T: Actually, nope, that's not what happened; this was not a case of PEBKAC. The problem lay with security issues at Amazon and Apple respectively.

Here's Honan's account of his digital nightmare: wired.com/2012/08/apple-amazon-mat-honan-hacking/
Dr.T, User Rank: Ninja, 8/30/2018 | 9:35:34 AM
Reputation
"cyber-enabled fraud," which we define as fraud that is facilitated through the use of malware exploits, social engineering, and/or lateral movement through a compromised website, network, or account. This would be problematic for companies' reputation, but it is still their lack of security that enabled attackers to cause the damage.
Dr.T, User Rank: Ninja, 8/30/2018 | 9:32:49 AM
Cloud A and B
If Cloud A and Cloud B are willing to work together and exchange threat intelligence information, ... This is the major problem in the industry: they do not share security-related information with each other.
Dr.T, User Rank: Ninja, 8/30/2018 | 9:30:25 AM
Say something
It's taking the concept of "when you see something, say something" into cyberspace. This would be a way to go. It requires good security awareness programs to achieve it.
Dr.T, User Rank: Ninja, 8/30/2018 | 9:28:52 AM
Re: Honan example
compromise of his Apple ID, which in turn was able to be compromised via information gained by compromising Honan's Amazon account! Yes. Most likely the same account names and passwords are used. A common problem.
Dr.T, User Rank: Ninja, 8/30/2018 | 9:27:21 AM
Fraud
But the larger end result is that my cyber problem has just become everybody else's fraud problem because my infected system is now set up to attack other systems. This makes sense. The best approach against this is segregation of the systems, so that if one is compromised, the rest can still be protected.
Joe Stanganelli, User Rank: Ninja, 8/29/2018 | 11:04:13 PM
Honan example
An even more insidious example can be seen in the case of Wired's Mat Honan -- whose entire online/computer life was compromised in 2012 via a compromise of his Apple ID, which in turn was able to be compromised via information gained by compromising Honan's Amazon account!