![Page 1: Cyber Fraud Trends Authentication - FIRST · Cyber Fraud Disruptors Antivirus − Stopped static malware − Packers and scrambling is now common practice Windows XP SP2 Firewall](https://reader030.vdocuments.net/reader030/viewer/2022041021/5ed16d6e01419341f95fc0fb/html5/thumbnails/1.jpg)
Ralph Thomas, iDefense Malcode, [email protected], +1.571.723.1978
June 2008
20th Annual FIRST Conference
Cyber Fraud Trends: Authentication
Page 2
Cyber Fraud Disruptors
Antivirus
− Stopped static malware
− Packers and scrambling are now common practice
Windows XP SP2 Firewall
− Enabled by default
− Stopped malware from coming to the computer
− Start of drive-by installs via browser exploitation (get the victim to go to the malware)
Windows Vista Firewall
− Outbound filtering enabled by default (incl. phishing filters)
− Limits drive-by installations
− Limits malware from phoning home
− Essential for attackers to maintain untainted/volatile hosting > Bulletproof Hosting
2FA Deployment
− Underground economy changes > Adjusted Behaviour
Page 3
Cyber Fraud Disruptors
Essential for attackers to maintain untainted/volatile hosting > Bulletproof Hosting
Underground economy changes > Adjusted Behaviour
Page 4
Bulletproof Hosting
The Truth About RBN
− All public customers on one network
− Not secretive at all, heavily spammed ads on many forums
Page 5
Bulletproof Hosting
The Post-RBN Era
− Most popular providers existed well before the fall of RBN
− Competitors to RBN, no proven connections to leadership
− Common customers are NOT evidence of common leadership
McColo, AbdAllah, RentaBL
Page 6
Bulletproof Hosting: AbdAllah
− Reseller of a coalition of bulletproof hosts
− Controls one network, resells the rest
Page 7
Bulletproof Hosting
Page 8
"Bulletproof Hosting" Fastflux
Page 9
Bulletproof Hosting
[Pie charts: bulletproof hosting by country. Labels, first chart: US, RU, HK, MY, DE, ES, UA, BY, CA, LU; second chart: US, RU, MY, UA, HK, TR, NL, DE, SG, JP, LU, GB, EE, CZ, TH, CN, CA.]
Page 10
Cyber Fraud Disruptors
Essential for attackers to maintain untainted/volatile hosting > Bulletproof Hosting
Underground economy changes > Adjusted Behaviour
Page 11
Adjusted Behavior
Fraud is more difficult/complex
− give up! (not going to happen anytime soon)
− keep current tactics and change targets: go for the smaller fish, drastic increase of phishing attacks against smaller institutions, which are now faced with a 'new' problem
− stay with current targets and adjust tactics: due to 2FA, stolen credentials are stale; move from phishing/pharming to malware
All internet users are affected
− financial (ebanking, ebrokerage)
− ecommerce, erecruitment, communication (email, IM, blogs/forums/groups, ...)
− persistent environments, social networks, and gaming
Page 12
Ambush: eConsumers Under Attack
1) WLAN: Invite for eavesdropping
2) Fake User: I am not me
3) Detour into the bandit's camp: DNS spoof
4) Deceptive Guidepost: The hosts file
1) Trojans: Bogus Software
2) With counterfeit passport into the vault
3) Enter PIN: The crooks read along
Page 13
Ambush: eConsumers Under Attack
Phishing & Pharming
− Lure victims via social engineering and tampering with DNS to a fraudulent webpage designed to steal personally identifiable information (PII)
Man-in-the-middle (MITM)
− Fraudulent webpage designed to instantly defraud victims in order to circumvent temporary 2FA means
Malware
− Hostile software installed on the victim's computer designed to steal PII or to perform MITM. This compromises the consumer's communication endpoint.
Page 14
Strong Authentication
Many choices for client-side authentication
− Smart card
− USB Token
− Virtual Token
− OTP Token
− Scratch Pad
− Certificate
− Biometrics
− Phone/Cell/SMS
− etc.
Mutual (2-way) authentication
Account vs. Transaction Authentication
Implementation is key
− e.g. cell phone as OTP token vs. mTAN
− e.g. OTP token timeout at BR bank
− e.g. weakness in business process: change phone number
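Added illustration (not from the talk) of why the slides separate account from transaction authentication and why the token timeout matters: a toy HMAC-based code generator with an assumed shared secret and an assumed 60-second window. An account OTP only proves the token is present, so a real-time MITM of the kind described on the previous slide can still change what the session does; a transaction-bound code fails verification as soon as the beneficiary or amount differs from what the customer confirmed, and expires once the window has passed.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment provisions one per customer (assumption).
SECRET = b"demo-shared-secret-not-for-production"
WINDOW_SECONDS = 60  # assumed validity window, i.e. the "OTP token timeout"


def _code(msg: bytes, window: int) -> str:
    """Derive a 6-digit code from the shared secret, a message and a time window."""
    mac = hmac.new(SECRET, msg + b"|" + str(window).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def account_otp(now: float) -> str:
    """Account authentication: proves the token is present, says nothing about
    which transaction the authenticated session will submit afterwards."""
    return _code(b"login", int(now // WINDOW_SECONDS))


def verify_account_otp(code: str, now: float) -> bool:
    """Bank-side check for the account OTP (current window plus one for clock skew).
    Note the absence of any transaction parameter."""
    w = int(now // WINDOW_SECONDS)
    return any(hmac.compare_digest(_code(b"login", c), code) for c in (w, w - 1))


def transaction_code(beneficiary: str, amount_cents: int, now: float) -> str:
    """Transaction authentication (mTAN style): the code is bound to the
    beneficiary and amount shown to the customer out of band."""
    msg = f"{beneficiary}|{amount_cents}".encode()
    return _code(msg, int(now // WINDOW_SECONDS))


def verify_transaction(code: str, beneficiary: str, amount_cents: int, now: float) -> bool:
    """Recompute the code for the transaction actually being executed; any
    change to beneficiary or amount, or a code older than one window, fails."""
    w = int(now // WINDOW_SECONDS)
    msg = f"{beneficiary}|{amount_cents}".encode()
    return any(hmac.compare_digest(_code(msg, c), code) for c in (w, w - 1))


if __name__ == "__main__":
    t = 1_000_000.0  # constructed timestamp
    code = transaction_code("ACCT-LEGIT", 5000, t)
    print("legit transaction:", verify_transaction(code, "ACCT-LEGIT", 5000, t))
    print("altered beneficiary:", verify_transaction(code, "ACCT-MULE", 5000, t))
    print("after timeout:", verify_transaction(code, "ACCT-LEGIT", 5000, t + 3 * WINDOW_SECONDS))
```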
Page 15
Strong Authentication