Fraud isn't something new or something that only happens on the Internet. Identity theft has been around for decades. What has changed is how fraud is executed; not only are individuals targeted, but now entire companies can become targets for fraud. For example, what are phishing sites masquerading as legit websites if not attempts at counterfeiting the identity of that company?
Cloud service providers and blue-chip software companies are especially desirable targets for fraud. Bad actors infiltrate corporate networks not to hack the corporations themselves but to co-opt their infrastructure. Hackers use stolen credentials to hide behind IP addresses, servers, and domain addresses to wage covert cyberattacks, misleading investigators and compromising corporate infrastructure in the process.
In my research, I've uncovered the three most common scenarios of what my team calls "cyber-enabled fraud," which we define as fraud that is facilitated though the use of malware exploits, social engineering, and/or lateral movement through a compromised website, network, or account. Note that all there of these can be, and many times are, used in conjunction with one another.
Phishing: Bad actors send a phishing email to steal your credentials, usually by having you click on a masked hyperlink directing you to a well-done spoof of a legitimate website. There you are asked to list information like usernames, passwords, Social Security numbers, birthdates, or financial information. These phishing emails can also be designed to install ransomware when you follow their directives.
Social Engineering: When you spoof the email of the company's CEO directed to the CFO or someone else in finance to see if he or she will wire money to an account controlled by the bad guys. Social engineering can also accomplish some of the goals of phishing, such as gaining sensitive information or getting credentials, over the phone or, on occasion, in person. You aren't being asked to do something, like click on a link, but you are asked directly to provide sensitive information.
Lateral Movement/Resource Sabotage: Once bad actors have gained access through phishing or a vulnerability exploit, there is further fraud that can be committed: They can use that access to compromise other machines or servers in a company, often with the help of any fraudulent credentials they've managed to obtain, and they can use these compromised systems to send out malware and malicious spam, or use bandwidth and resources for crypto mining,
All of these actions result in infrastructure becoming compromised in some way. But the larger end result is that my cyber problem has just become everybody else's fraud problem because my infected system is now set up to attack other systems.
Here's an example of cyber-enabled fraud in action. There are two cloud service providers, Cloud A and Cloud B. Bad guys use prepaid or stolen credit cards to purchase a virtual server account with Cloud A and, through that server, send out malware that is using the server for fraudulent purposes.
When they are finally caught — which can take months — and the account is shut down, the bad guys immediately open up an account using the same credentials with Cloud B. If Cloud A and Cloud B are willing to work together and exchange threat intelligence information, with Cloud A flagging that account as fraudulent, they can stop the cyber-enabled fraud much faster. This drastically changes the economics for the fraudster.
Cyber-enabled fraud is part of a vicious virtual cycle. The good news is we can break this cycle by using best practices in cybersecurity that protects our own identities and assets as well as the larger cyber ecosystem. It's taking the concept of "when you see something, say something" into cyberspace. Communicating about the cyber incidents you experience to others will help them better detect potential acts of cyber-enabled fraud. When you take care to protect yourself, you are helping your virtual community fight off cyberattacks.
This research was provided by the TruSTAR Data Science Unit. Click to download a curated list of IOCs that have been tried to both cyber and fraud campaigns.