How technology changed fraud investigations
Jean-François Legault, Senior Manager, Analytic & Forensic Technology, June 13, 2011
© Deloitte & Touche LLP and affiliated entities.
The Changing Cyberfraud Landscape
Diagram: a corporate entity surrounded by threat vectors, the consequences of compromise, and the cyber-criminal network behind them. Labels recovered from the slide:
• Exposures on the corporate entity: no detective controls; unencrypted system; rogue device; insecure protocol; signature-based controls; unauthorized USB devices; vulnerable system or app
• Business infrastructure: partners; web; remote access; customers; business processing partners
• Threat vectors: malicious insider; careless user; vendors & contractors; rogue access; guests & visitors
• Internet: spam; phishing; social engineering; botnets; social networking; cloud computing; compromised websites; underground economy; cyber-criminal tools & techniques
• Consequences: data loss; identity theft; unauthorized access; copyright infringement; unavailable systems; data destruction; damage to brand
• Cyber-criminal network: malware authors; organized crime; money mule net; 3rd-party enablers; corporate enablers; insiders; command & control
The Underground Economy
An entire underground economy has been built for the purpose of stealing, packaging, and reselling electronic information.
Diagram: the data-theft supply chain in four stages (Acquire, Enrich and Validate, Sell, Monetize). Labels recovered from the slide:
• Actors: cyber criminals; malware authors; spammers; botnet owners; identity collectors; credit card cashers
• Acquisition: compromise; phishing; keyloggers; malware distribution service; botnet service; data acquisition service; stolen data drop sites
• Enrichment and validation: data mining & enrichment; data validation service
• Sales channels: data sales; carding forums; instant messaging
• Monetization: cashing; drop service; retailers; eCommerce sites; payment gateways; wire transfer; bank; on-line gambling; eMoney
Products of Cybercrime
Rank 2010 | Rank 2009 | Item | Share 2010 | Share 2009 | 2010 Price Ranges
1 | 1 | Credit card information | 22% | 19% | $0.07-$100
2 | 2 | Bank account credentials | 16% | 19% | $10-$900
3 | 3 | Email accounts | 10% | 7% | $1-$18
4 | 13 | Attack tools | 7% | 2% | $5-$650
5 | 4 | Email addresses | 5% | 7% | $1/MB-$20/MB
6 | 7 | Credit card dumps | 5% | 5% | $0.50-$120
7 | 6 | Full identities | 5% | 5% | $0.50-$20
8 | 14 | Scam hosting | 4% | 2% | $10-$150
9 | 5 | Shell scripts | 4% | 6% | $2-$7
10 | 9 | Cash-out services | 3% | 4% | $200-$500 or 50%-70% of total value
Products of Cybercrime
Item | Bulk Prices Observed | Unit Price
Credit card information | 10 credit cards for $17 | $1.70
Credit card information | 100 credit cards for $100 | $1.00
Credit card information | 1000 credit cards for $300 | $0.30
Credit card information | 750 credit cards for $50 | $0.07
Credit card dumps | 101 dumps for $50 | $0.50
Full identities | 30 full identities for $20 | $0.67
Full identities | 100 full identities for $50 | $0.50
Source: Symantec Global Internet Security Threat Report
Let’s Not Forget Classic Financial Fraud
Fraud tree (labels recovered from the slide):
• Asset misappropriation
  - Cash: cash larceny; fraudulent disbursements; skimming
  - Non-cash: inventory; intellectual property
• Corruption: conflict of interest; bribery; extortion
• Fraudulent statements: financial; non-financial
From how we investigate it
Strategize the forensic collection and examination
• Identify ALL sources of evidence
• Forensic preservation
• Identify types of forensic analysis relevant to the case
• Cull down data review set
• Conceptual review platform
The Forensic Acquisition
A forensic image versus a logical image
• Forensic imaging captures a bit-by-bit image of the entire drive, including space where deleted material may exist
• Forensic images leave no fingerprint: suspects cannot tell that the image has been made, and no date or time stamps will be changed
• Turning on a suspect machine and viewing data files and/or making a copy of the data files can immediately compromise evidence
Diagram labels: Forensic; Logical
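The difference between the two acquisition types is easiest to see on a toy disk. The example below is added here and is not code from the presentation or from Deloitte; it constructs a 16-sector "disk" with a tiny allocation table, "deletes" one file by dropping only its table entry (as most file systems do), and then shows that a file-level (logical) copy no longer contains the memo while a bit-for-bit image still does. It also records an acquisition hash and re-verifies the image, which is how an examiner demonstrates the copy has not changed since it was taken. All sector sizes, file names and contents are constructed for the demonstration.

```python
import hashlib

SECTOR = 512       # constructed sector size
N_SECTORS = 16     # constructed disk size: 8 KiB


def _write(disk, start_sector, data):
    """Write data at the start of a sector on the toy disk."""
    off = start_sector * SECTOR
    disk[off:off + len(data)] = data


def build_sample_disk():
    """Constructed disk: raw bytes plus a minimal {name: (start_sector, length)} table.

    Two files are written; memo.txt is then 'deleted' by removing its table
    entry only, leaving its sectors untouched in unallocated space.
    """
    disk = bytearray(SECTOR * N_SECTORS)
    ledger = b"2011-06-01 invoice 4411 paid\n" * 5
    memo = b"CONSTRUCTED: approve transfer to account ending 0000 before audit\n"
    _write(disk, 2, ledger)
    _write(disk, 6, memo)
    table = {"ledger.txt": (2, len(ledger)), "memo.txt": (6, len(memo))}
    del table["memo.txt"]   # the 'delete': directory entry gone, data still on disk
    return bytes(disk), table


def forensic_image(disk):
    """Bit-for-bit copy of every sector, allocated or not, with its acquisition hash."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()


def logical_copy(disk, table):
    """What a file-level copy yields: only the bytes the table still points at."""
    return {name: disk[s * SECTOR:s * SECTOR + n] for name, (s, n) in table.items()}


def verify_image(image, acquisition_hash):
    """Re-hash the image and compare with the hash recorded at acquisition time."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def unallocated_sectors(table):
    """Sector numbers that no allocated file occupies."""
    used = set()
    for start, nbytes in table.values():
        used.update(range(start, start + (nbytes + SECTOR - 1) // SECTOR))
    return [i for i in range(N_SECTORS) if i not in used]


def search_unallocated(image, table, needle):
    """Return the unallocated sectors of the image that contain `needle`."""
    return [i for i in unallocated_sectors(table)
            if needle in image[i * SECTOR:(i + 1) * SECTOR]]


def demo():
    disk, table = build_sample_disk()
    image, acq_hash = forensic_image(disk)
    needle = b"before audit"
    in_logical = any(needle in data for data in logical_copy(disk, table).values())
    tampered = image[:-1] + b"\x01"     # flip one byte to show the hash check fires
    return {
        "verified": verify_image(image, acq_hash),
        "in_logical_copy": in_logical,
        "unallocated_hits": search_unallocated(image, table, needle),
        "tamper_detected": not verify_image(tampered, acq_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed disk the memo survives only in sector 6 of the bit-for-bit image; the logical copy never sees it, and a single changed byte makes the recorded acquisition hash fail verification.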
Forensic Acquisitions
• Straight hard-drive acquisitions
• Network acquisitions
• Virtual acquisitions
• Cloud acquisitions
• Mobile device acquisitions
Cloud Computing Structure
Cloud Layer (Type) | When Is It Used? | Example
Software as a service (SaaS) | The complete end-to-end functionality of a software service and all of the underlying services are hosted entirely by an external provider | Google Applications, Salesforce.com, online tax applications
Platform as a service (PaaS) | A service that is to be developed by an organization, but they want to accelerate development by utilizing external pre-built platforms that run on a pre-built infrastructure | Microsoft Azure (OS, databases, etc.), Google App Engine
Infrastructure as a service (IaaS); there is also HIaaS, hardware infrastructure as a service | A service is to be developed by an organization on their own platforms but hosted externally on a pre-built infrastructure/storage space | Amazon Elastic Compute Cloud, VMware, Citrix
Each layer runs on the one below it: SaaS runs on PaaS, which runs on IaaS.
Investigation, e-discovery, and incident response can be very difficult as environments are very distributed and heavily abstracted.
The Forensic Acquisition
Mobile Acquisition
Forensic images can be acquired from many mobile devices: phones, iPads, iPods, BlackBerrys, music and video players, portable game devices, etc.
Trends in Computer Forensics
• Growing volumes of data storage
• More live forensic analysis
• Merging of computer forensics into e-discovery
• Hardware- and software-based encryption
• Increased pressure to comply with e-discovery and forensics legislation
• Increased use of powerful handheld devices
• Volatile memory forensics
To how we view evidentiary data
Self-Organizing Map
• Makes sense of complex, high-dimensional data
• Considers large volumes of data from disparate sources
• Makes no assumptions about the inter-relationships between variables
• A concept based on proximity and similarity
• Is able to predict future behaviour based on historical insights
• Clusters (black lines) are determined to optimally group "like" customers together
Six-dimensional view of variables, to provide insights as to the potential for inappropriate activities
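To make the bullets concrete, here is a minimal self-organizing map written for this page; it is not code from the presentation or from Deloitte. It trains a 3x3 map on constructed customer rows with three normalised features (average transfer size, transfers per day, share of payments to new payees) rather than the six the slide mentions, and then reports which map nodes the ordinary customers and the unusual ones land on. The nodes start spread along the data's min-max diagonal so the run is deterministic, and the neighbourhood radius and learning rate both decay linearly; the only assumption is that the features are already scaled to [0, 1].

```python
import math
import random


def build_sample_customers(seed=1):
    """Constructed data: one row per customer, three features scaled to [0, 1]."""
    rng = random.Random(seed)
    normal = [[0.10 + rng.uniform(-0.05, 0.05),
               0.20 + rng.uniform(-0.05, 0.05),
               0.05 + rng.uniform(-0.03, 0.03)] for _ in range(20)]
    unusual = [[0.90 + rng.uniform(-0.05, 0.05),
                0.80 + rng.uniform(-0.05, 0.05),
                0.90 + rng.uniform(-0.05, 0.05)] for _ in range(5)]
    return normal, unusual


def bmu(grid, x):
    """Index of the best-matching unit: the node whose weights are nearest to x."""
    best, best_d = 0, float("inf")
    for i, w in enumerate(grid):
        d = sum((a - b) ** 2 for a, b in zip(w, x))
        if d < best_d:
            best, best_d = i, d
    return best


def train_som(data, rows=3, cols=3, epochs=60, lr0=0.5, seed=7):
    """Classic SOM: for each input, move the BMU and its grid neighbours toward it."""
    rng = random.Random(seed)
    dim = len(data[0])
    lo = [min(x[d] for x in data) for d in range(dim)]
    hi = [max(x[d] for x in data) for d in range(dim)]
    n = rows * cols
    # Deterministic start: spread the nodes along the data's min-max diagonal.
    grid = [[lo[d] + (i / (n - 1)) * (hi[d] - lo[d]) for d in range(dim)]
            for i in range(n)]
    radius0 = max(rows, cols) / 2.0
    order = list(range(len(data)))
    for epoch in range(epochs):
        decay = 1.0 - epoch / epochs
        lr, radius = lr0 * decay, radius0 * decay + 0.1
        rng.shuffle(order)
        for idx in order:
            x = data[idx]
            br, bc = divmod(bmu(grid, x), cols)
            for j, w in enumerate(grid):
                jr, jc = divmod(j, cols)
                # Gaussian neighbourhood on the 2-D grid, measured in node distance
                h = math.exp(-((jr - br) ** 2 + (jc - bc) ** 2) / (2 * radius * radius))
                for d in range(dim):
                    w[d] += lr * h * (x[d] - w[d])
    return grid


def map_clusters(grid, points):
    """Sorted list of the nodes that the given points fall on."""
    return sorted({bmu(grid, p) for p in points})


def demo():
    normal, unusual = build_sample_customers()
    grid = train_som(normal + unusual)
    return map_clusters(grid, normal), map_clusters(grid, unusual)


if __name__ == "__main__":
    normal_nodes, unusual_nodes = demo()
    print("nodes hit by ordinary customers:", normal_nodes)
    print("nodes hit by unusual customers:", unusual_nodes)
```

After training, the two populations occupy disjoint sets of nodes, which is the "proximity and similarity" idea from the slide: an analyst reviews the small cluster of nodes that unusual customers fall on rather than every record.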
Transaction flow
Table 2: Account 3
Contact
Jean-François Legault, M. [email protected]