How technology changed fraud investigations
Jean-François Legault, Senior Manager, Analytic & Forensic Technology
June 13, 2011


© Deloitte & Touche LLP and affiliated entities.

The Changing Cyberfraud Landscape

(Diagram; the labels below are recovered from the slide and grouped under the headings it shows.)

Weak points inside the corporate entity:
• No detective controls
• Unencrypted system
• Rogue device
• Insecure protocol
• Signature-based controls
• Unauthorized USB devices
• Vulnerable system or application

Business infrastructure exposed to the outside: partners, web, remote access, customers, business processing partners, email

Threat vectors:
• Malicious insider
• Careless user
• Vendors & contractors
• Rogue access
• Guests & visitors

Consequences:
• Data loss
• Identity theft
• Unauthorized access
• Copyright infringement
• Unavailable systems
• Data destruction
• Damage to brand

Cyber-criminal tools & techniques reaching in from the Internet and the underground economy:
• Spam
• Phishing
• Social engineering
• Botnets
• Social networking
• Cloud computing
• Compromised websites

Cyber-criminal network:
• Malware authors
• Organized crime
• Money mule net
• 3rd-party enablers
• Corporate enablers
• Insiders
• Command & control

1 How technology changed fraud investigations


The Underground Economy

An entire underground economy has been built for the purpose of stealing, packaging, and reselling electronic information.

(Diagram; labels recovered from the slide.) The value chain runs in four stages: Acquire, Enrich and Validate, Sell, Monetize.

Actors and services shown on the diagram, roughly by stage:
• Compromise and acquisition: cyber criminals, malware authors, malware distribution service, botnet service, botnet owners, spammer, phishing, keyloggers, data acquisition service, stolen data drop sites
• Enrichment and validation: data mining & enrichment, data validation service, identity collectors
• Sale: data sales, carding forums, instant messaging
• Monetization: credit card cashers, $ cashing, drop service, retailers, eCommerce sites, payment gateways, on-line gambling, eMoney, wire transfer, bank


Products of Cybercrime

Overall rank 2010 | Overall rank 2009 | Item | Percentage 2010 | Percentage 2009 | Price range 2010
1 | 1 | Credit card information | 22% | 19% | $0.07-$100
2 | 2 | Bank account credentials | 16% | 19% | $10-$900
3 | 3 | Email accounts | 10% | 7% | $1-$18
4 | 13 | Attack tools | 7% | 2% | $5-$650
5 | 4 | Email addresses | 5% | 7% | $1/MB-$20/MB
6 | 7 | Credit card dumps | 5% | 5% | $0.50-$120
7 | 6 | Full identities | 5% | 5% | $0.50-$20
8 | 14 | Scam hosting | 4% | 2% | $10-$150
9 | 5 | Shell scripts | 4% | 6% | $2-$7
10 | 9 | Cash-out services | 3% | 4% | $200-$500 or 50%-70% of total value


Products of Cybercrime

Item | Bulk prices observed | Unit price
Credit card information | 10 credit cards for $17 | $1.70
Credit card information | 100 credit cards for $100 | $1.00
Credit card information | 1000 credit cards for $300 | $0.30
Credit card information | 750 credit cards for $50 | $0.07
Credit card dumps | 101 dumps for $50 | $0.50
Full identities | 30 full identities for $20 | $0.67
Full identities | 100 full identities for $50 | $0.50

Source: Symantec Global Internet Security Threat Report


Let’s Not Forget Classic Financial Fraud

(Fraud tree shown on the slide.)
• Corruption
  - Conflict of interest
  - Bribery
  - Extortion
• Asset misappropriation
  - Cash: cash larceny, skimming, fraudulent disbursements
  - Non-cash: inventory, intellectual property
• Fraudulent statements
  - Financial
  - Non-financial


From how we investigate it


(Workflow diagram; the steps are recovered from the slide and listed in working order.)
1. Identify ALL sources of evidence
2. Forensic preservation
3. Strategize the forensic collection and examination
4. Identify types of forensic analysis relevant to the case
5. Cull down data review set
6. Conceptual review platform


The Forensic Acquisition

A forensic image versus a logical image
• Forensic imaging captures a bit-by-bit image of the entire drive, including space where deleted material may exist
• Forensic images leave no fingerprint: suspects cannot tell that the image has been made, and no date or time stamps will be changed
• Turning on a suspect machine and viewing data files and/or making a copy of the data files can immediately compromise evidence

(Diagram contrasting a forensic image with a logical image.)
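As an added illustration (not part of the presentation), the following Python model contrasts the two acquisitions on a constructed toy disk: a directory sector plus one sector per file, with one file flagged as deleted while its bytes remain in place. The disk layout, sector size, file names and contents are all made up for this example. A logical copy walks the directory and returns only allocated files; a forensic image copies every sector, records a SHA-256 digest at acquisition time, and lets a raw scan recover the deleted content. The imaging function only reads the source, which is the point behind "no fingerprint" on the slide, and the digest is what lets an examiner prove later that the image is still exactly what was acquired.

```python
import hashlib

# Toy disk geometry (constructed for this illustration; real drives use 512- or 4096-byte sectors).
SECTOR = 128
SECTORS = 8

# Constructed sample files. The third one is "deleted": its directory entry is flagged D,
# but its bytes stay on disk in what is now unallocated space.
SAMPLE_FILES = [
    ("report.txt", b"Q2 revenue summary, nothing unusual here.", "A"),                 # A = allocated
    ("notes.txt", b"Meeting notes: vendor onboarding call.", "A"),
    ("draft.txt", b"CONFIDENTIAL: transfer approval draft, do not circulate.", "D"),  # D = deleted
]


def build_toy_disk():
    """Lay out a tiny disk: sector 0 holds the directory, file data starts at sector 1."""
    disk = bytearray(SECTOR * SECTORS)
    entries = []
    for index, (name, data, flag) in enumerate(SAMPLE_FILES, start=1):
        assert len(data) <= SECTOR, "sample file must fit in one sector"
        start = index * SECTOR
        disk[start:start + len(data)] = data
        entries.append(f"{name},{index},{len(data)},{flag}")
    directory = "\n".join(entries).encode()
    assert len(directory) <= SECTOR, "directory must fit in sector 0"
    disk[0:len(directory)] = directory
    return bytes(disk)


def read_directory(disk):
    """Parse the directory sector into (name, start_sector, length, flag) tuples."""
    text = disk[0:SECTOR].rstrip(b"\x00").decode()
    entries = []
    for line in text.split("\n"):
        name, start, length, flag = line.split(",")
        entries.append((name, int(start), int(length), flag))
    return entries


def logical_copy(disk):
    """What a file-level copy through the file system sees: allocated files only."""
    files = {}
    for name, start, length, flag in read_directory(disk):
        if flag == "A":
            offset = start * SECTOR
            files[name] = bytes(disk[offset:offset + length])
    return files


def forensic_image(disk):
    """Bit-for-bit copy of every sector, with a SHA-256 digest recorded at acquisition time."""
    image = bytes(disk)  # reads every byte of the source and never writes to it
    return image, hashlib.sha256(image).hexdigest()


def verify_image(image, expected_digest):
    """Re-hash the image later (e.g. before analysis) and compare with the acquisition digest."""
    return hashlib.sha256(image).hexdigest() == expected_digest


def carve(image, marker):
    """Return byte offsets of a marker anywhere in the raw image, ignoring the directory."""
    return [offset for offset in range(len(image)) if image.startswith(marker, offset)]


def compare_acquisitions(disk):
    """Summarize what each acquisition method recovers from the same disk."""
    image, digest = forensic_image(disk)
    logical = logical_copy(disk)
    return {
        "image_verified": verify_image(image, digest),
        "logical_files": sorted(logical),
        "marker_in_logical": any(b"CONFIDENTIAL" in data for data in logical.values()),
        "marker_offsets_in_image": carve(image, b"CONFIDENTIAL"),
    }


if __name__ == "__main__":
    print(compare_acquisitions(build_toy_disk()))
```

Running the block shows the logical copy containing only report.txt and notes.txt, while the raw image still holds the deleted draft at sector 3, and the digest check failing the moment a single byte of the image changes.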


Forensic Acquisitions

• Straight hard-drive acquisitions
• Virtual acquisitions
• Cloud acquisitions
• Mobile device acquisitions
• Network acquisitions


Cloud Computing Structure

Cloud layer (type) | When is it used? | Example
Software as a service (SaaS) | The complete end-to-end functionality of a software service and all of the underlying services are to be hosted entirely by an external provider | Google Applications, Salesforce.com, online tax applications
Platform as a service (PaaS) | A service that is to be developed by an organization, but they want to accelerate development by utilizing external pre-built platforms that run on a pre-built infrastructure | Microsoft Azure (OS, databases, etc.), Google App Engine
Infrastructure as a service (IaaS) (there is also HIaaS, hardware infrastructure as a service) | A service is to be developed by an organization on their own platforms but hosted externally on a pre-built infrastructure/storage space | Amazon Elastic Compute Cloud, VMware, Citrix

Each layer runs on the one below it: SaaS runs on PaaS, which runs on IaaS.

Investigation, e-discovery, and incident response can be very difficult as environments are very distributed and heavily abstracted.


The Forensic Acquisition

Mobile Acquisition

Forensic images can be acquired from many mobile devices: iPads, iPods, BlackBerrys, music and video players, portable game devices, etc.


Trends in Computer Forensics

• Growing volumes of data storage
• More live forensic analysis
• Merging of computer forensics into e-discovery
• Hardware- and software-based encryption
• Increased pressure to comply with e-discovery and forensics legislation
• Increased use of powerful handheld devices
• Volatile memory forensics


To how we view evidentiary data


Self-Organizing Map

• Makes sense of complex, high-dimensional data
• Considers large volumes of data from disparate sources
• Makes no assumptions about the inter-relationships
• A concept based on proximity and similarity
• Is able to predict future behaviour based on historical insights
• Clusters (black lines) are determined to optimally group “like” customers together

Six-dimensional view of variables, to provide insights as to the potential for inappropriate activities


Presentation notes:
• Other product: those who selected other products are exhibiting no fraud behaviour.
• Number of claims: every non-fraud policy/customer has made at least one claim, and therefore the fact that a customer has claimed at least once is not a strong indicator of fraud.
• Claims and premiums: however, policies with high premiums and high claim levels do appear to have at least partial correlation with fraud events.
• Claims, top left: Option A, average premiums, don’t buy other products, have higher claim values and claim frequency.
• Claims, bottom left: Option A, higher premiums, don’t buy other products, have some higher-valued claims and frequency of claims.
• Other observations: fraud cases are never other products; fraud cases are medium to high claims; claims and premiums are partially correlated (perfect correlation would be represented by similar distributions of the colour).
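Added example (not from the presentation and not Deloitte's tooling): a minimal self-organizing map in plain Python, trained on constructed six-dimensional customer records. The feature names, the two behaviour groups (a typical population and a small "high premium, high claims, no other products" group echoing the notes above) and every value are assumptions made for the illustration. After training, each customer is assigned to its best-matching cell on a 6x6 grid, so similar customers land near each other, and the U-matrix (average distance between neighbouring cells' weights) is the quantity from which the black cluster-boundary lines on a SOM plot are drawn.

```python
import math
import random

# Hypothetical six-dimensional customer record, each variable scaled to [0, 1].
FEATURES = ["premium", "claim_count", "avg_claim_value", "claim_frequency", "other_products", "tenure"]


def make_customers(seed=7):
    """Constructed sample: 40 typical customers and 10 whose profile matches the
    'high premium, high claims, no other products' pattern singled out in the notes."""
    rng = random.Random(seed)
    typical = [[rng.uniform(0.1, 0.4), rng.uniform(0.1, 0.3), rng.uniform(0.1, 0.3),
                rng.uniform(0.1, 0.3), rng.uniform(0.6, 1.0), rng.uniform(0.4, 1.0)]
               for _ in range(40)]
    flagged = [[rng.uniform(0.7, 1.0), rng.uniform(0.7, 1.0), rng.uniform(0.7, 1.0),
                rng.uniform(0.7, 1.0), 0.0, rng.uniform(0.0, 0.3)]
               for _ in range(10)]
    return typical, flagged


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class SOM:
    """Minimal Kohonen self-organizing map: a grid of weight vectors trained so that
    nearby cells hold similar records (proximity on the grid = similarity in the data)."""

    def __init__(self, width, height, dim, seed=1):
        rng = random.Random(seed)
        self.width, self.height = width, height
        self.weights = [[[rng.random() for _ in range(dim)] for _ in range(width)]
                        for _ in range(height)]

    def best_matching_unit(self, vec):
        best, best_d = None, float("inf")
        for r in range(self.height):
            for c in range(self.width):
                d = euclid(vec, self.weights[r][c])
                if d < best_d:
                    best, best_d = (r, c), d
        return best

    def train(self, data, epochs=60, lr0=0.5, seed=3):
        rng = random.Random(seed)
        radius0 = max(self.width, self.height) / 2.0
        total, step = epochs * len(data), 0
        for _ in range(epochs):
            order = data[:]
            rng.shuffle(order)
            for vec in order:
                frac = step / total
                lr = lr0 * (1.0 - frac)                     # learning rate decays linearly
                radius = max(radius0 * (1.0 - frac), 0.5)   # neighbourhood shrinks over time
                br, bc = self.best_matching_unit(vec)
                for r in range(self.height):
                    for c in range(self.width):
                        grid_d2 = (r - br) ** 2 + (c - bc) ** 2
                        if grid_d2 > radius * radius:
                            continue
                        h = math.exp(-grid_d2 / (2.0 * radius * radius))
                        w = self.weights[r][c]
                        for i in range(len(w)):
                            w[i] += lr * h * (vec[i] - w[i])
                step += 1

    def u_matrix(self):
        """Average distance from each cell's weights to its grid neighbours. High values
        mark boundaries between clusters (the black lines drawn on a SOM plot)."""
        out = [[0.0] * self.width for _ in range(self.height)]
        for r in range(self.height):
            for c in range(self.width):
                ds = [euclid(self.weights[r][c], self.weights[nr][nc])
                      for nr, nc in ((r - 1, c), (r + 1, c), (r, c - 1), (r, c + 1))
                      if 0 <= nr < self.height and 0 <= nc < self.width]
                out[r][c] = sum(ds) / len(ds)
        return out


def map_customers(width=6, height=6):
    """Train a map on the constructed customers and report where each group lands."""
    typical, flagged = make_customers()
    som = SOM(width, height, len(FEATURES))
    som.train(typical + flagged)
    cells_typical = {som.best_matching_unit(v) for v in typical}
    cells_flagged = {som.best_matching_unit(v) for v in flagged}
    shared = cells_typical & cells_flagged
    purity = 1.0 - len(shared) / len(cells_typical | cells_flagged)  # 1.0 = no cell mixes the groups
    return {"typical": cells_typical, "flagged": cells_flagged, "purity": purity, "u_matrix": som.u_matrix()}


if __name__ == "__main__":
    result = map_customers()
    print("cells used by flagged customers:", sorted(result["flagged"]))
    print("cluster purity:", result["purity"])
```

The purity figure is the check an analyst would want before trusting the picture: if cells end up shared between the two constructed groups, the map has not separated the behaviour the notes describe, and the six variables (or the grid size and training length) need another look before any customer is singled out on the strength of where they landed.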


Transaction flow

Presentation notes: Deloitte has invested in data visualization solutions because we believe they offer our clients unmatched analysis and presentation capabilities.


Table 2: Account 3


Contact

Jean-François Legault, M. [email protected]
