Leveraging Technology to Combat Fraud

Information Security Association (ISA), November 14, 2007. Leveraging Technology to Combat Fraud. Dan VanBelleghem, Technical Director, Security and Systems Engineering Solutions, SRA


Post on 19-Mar-2020


Page 1: Leveraging Technology to Combat Fraud - George … Fraud.ppt• Carding -Trafficking in and fraudulent use of stolen credit card account information. • Cashing -The act of obtaining

Information Security Association (ISA)

November 14, 2007

Leveraging Technology to Combat Fraud

Dan VanBelleghem, Technical Director Security and Systems Engineering Solutions, SRA


DISCLAIMER

Points of view or opinions expressed in this presentation do not necessarily represent the official position or policies of SRA or any past, future or present bosses.


About Me

• SRA
  • Leading provider of technology and strategic consulting services and solutions - including systems design, development and integration; and outsourcing and managed services.
  • Comprehensive information assurance practice integrating security architecture, risk assessments, and certification & accreditation. SRA’s IA practice currently rated at NSA-CMM Level 3.
• Dan VanBelleghem
  • Technical Director of SRA Security Systems and Engineering Solutions Team. Conducts security-related research and consulting activities including providing strategic guidance to customers, analyzing network traffic for security-related incidents, and designing security solutions to maintain integrity and prevent loss of intellectual capital
  • Member of the faculty at the George Washington University’s Computer Security and Information Assurance program.


Agenda

• Introduction
• Attack Description
• Threats
• Recent Threat Examples
• Organized Crime
• Additional resources
• Q&A


Network Attack Methodology

[Diagram: attack methodology stages. Labels: Information Gathering, Service Identification, Vulnerability Analysis, Exploit and Gain Access, Create Backdoor, Cover Tracks, Trophy Hunting, Denial of Service]

Attacks range from focused attempts for a specific target to random scans looking for a vulnerable victim.

2007 SRA International, Inc. - Proprietary


Aim Versus Effect

Common Attacks
• Focus on vulnerability of a component (e.g., poor authentication)
• Potential to affect the host system or platform
• Network becomes affected
• Which could impact a mission process

[Diagram: layers Mission Operations, Networks, Systems, Components; side labels Architecture, Technical Architecture, Operational Architecture]


Customer Case Studies

• Common Security Assessment Findings
  • Storage area networks default administrative accounts
  • Printers, switches and routers discovered with no authentication enabled
  • Security officer’s files found on open network share with vulnerability reports
  • Databases discovered with default system accounts and passwords


Attack Sophistication

• Attack sophistication continues to increase while the amount of knowledge an attacker needs is decreasing
  • Tools are getting better
• Script Kiddies
  • Target the Internet for a known vulnerability; however, only 1 percent of the systems may be vulnerable. If you can scan 1 million hosts, you will find 10,000 vulnerable victims.
• Black Hats
  • Will focus their attack to a specific victim or target.


Yesterday’s Attacks

• Common attacks in 2000 & 2001 were web defacements and Denial of Service attacks against your IRC foe.
  • Hacker underground bragging rights
  • Elevate IRC user control
  • Fun and curiosity
• Old school tools include NetBus, Sub7, Back Orifice
  • Open CD tray
  • Remote administration
  • Key logging


Today’s Attacks

• More focused on financial and identity theft
• Underground economy that exists to buy and sell financial and identity data


Common Attack Scenario

[Diagram labels: Scan for Vulnerable web servers; Exploit & Escalate; Escalate Privileges (admin); Discover Backend Customer Database; Compromise Customer Database; Capture Credit Card Data; Sell Data in Underground Market; Database; Infect Web Server with Bot code; Users Download Bot & join Bot herd; Key Stroke Logger; Attacker builds army of zombies]


Threat Environment is Changing

• Gartner, via the March 2007 issue of CIO Decisions:
  • "By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware. These attacks will evade traditional perimeter and host defenses. The threat environment is changing: Targeted attacks for financial gain are increasing, and automated malware generation kits allow simple creation of thousands of variants quickly. But our security processes and technologies haven't kept up."


Recent Security Breaches

• TJX
  • 45.7 Million User Credit Cards and debit cards were stolen over 18 month period
• USDA
  • Up to 63,000 Social Security Numbers for farmers receiving aid were disclosed
• University of Missouri
  • Over 22,000 Students’ PII compromised


Topic: Transnational Cyber-Crime

• Traditional Organized Crime: smuggling, trafficking, drugs, gambling, etc.
• Anonymity and financial lure has made cyber-crime more attractive
• Separation between the physical and virtual world. The virtual world is another universe where groups form and engage in illegal activities
• Organized cyber-crime groups can conduct operations without ever making physical contact with each other. All can be independent, anonymous cells.
• Organization can be networked or hierarchical


Motivation…


Who Are They?

• A highly organized criminal network based primarily in Eastern Europe
• Consist of Specialized Cells for Specific Functions – “a network of networks”
• Utilize Web Forums such as Carderportal, IAACA, Mazafaka, Shadowcrew, Carderplanet
• Inflict a significant amount of damage to the U.S. and international financial industry


Where are they?

• Global: All continents
• Concentrations in: Middle East, Eastern Europe, Russia, Brazil, SE Asia, USA.


What do they do?

• Conduct network intrusion on merchant processors
• Write Viruses, Malware, and trojans
• Use of Spam/Phishing to exploit eBay/PayPal users, banks, credit card users, online account holders, etc
• Software piracy, illegal pharmaceuticals
• Escrow and Auction Fraud
• Use of compromised credit cards and compromised online accounts to conduct reshipping operations


Other Characteristics

• Geopolitical/Cultural Perspectives:
  • Lax Cyber-Laws in some countries, but getting better
  • Poorly funded, untrained, and inadequately equipped police forces w/ little expertise in cyber crime or computers
  • Highly literate, educated, and skilled work force + no jobs leads young adults to find creative ways to make “easy money”--little incentive to find legit job.
  • Part of the Culture: young adults spending much of their day online.


Carding networks: past, present, future


Key Facts: ICA

• Formed: 2001 during meeting in Odessa, Ukraine
• Founders: Dmitriy Golubov and Roman Vega
• 150 Original members
• Status: The group’s members are still somewhat active with many actors involved in other forums and groups
• Dozens have been arrested

Dmitriy Golubov “Script”, Arrested: July 2005

Roman Vega “BOA”, Arrested: May 2003

Inactive Sites
• CarderPlanet
• CarderPortal
• Darkprofits
• Dumpsmarket
• IAACA
• Mazafaka
• ShadowCrew

Active Sites
• Carders Market
• Carders Army
• Cardingworld
• Darkmarket
• The Grifters
• TheftServices (IAACA)
• Mazafaka
• Tanec Hackerov
• Vendorsname
• TalkCash
• Carder.info


Carding Lingo

• Carder - Slang used to describe individuals who use stolen credit card account information to conduct fraudulent transactions.
• Carding - Trafficking in and fraudulent use of stolen credit card account information.
• Cashing - The act of obtaining money by committing fraud. This act can be committed in a variety of ways: The term can stand for cashing out Western Union wires, Postal money orders and WebMoney; using track data with PINs to obtain cash at ATMs, from PayPal accounts, or setting up a bank account with a fake ID to withdraw cash on a credit card account.
• CC - Slang for credit card.
• Change of Billing (COB or COBs) - Term used to describe the act of changing the billing address on a credit account to match that of a mail drop. This act allows the carder full takeover capability of the compromised credit card account and increases the probability that the account will not be rejected when being used for Internet transactions.
• CVV2 - CVV2 stands for credit card security code. Visa, MasterCard, and Discover require this feature. It is a 3 digit number on the back of the card.
• DDoS - Acronym for Distributed Denial of Service Attack. The intent when conducting a DDOS attack is to shut down a targeted website, at least for a period of time, by flooding the network with an overflow of traffic.
• DLs - A slang term that stands for counterfeit or novelty driver's licenses.
• Drop - An intermediary used to disguise the source of a transaction (addresses, phones etc.)
• Dumps - Copied payment card information, at least Track 1 data, but usually Track 1 and Track 2 data.
• Dump checking - Using specific software or alternatively encoding track data on plastic and using a point of sale terminal to test whether the dump is approved or declined. This provides carders a higher sense of security for obtaining quality dumps from those who offer them and also a sense of security when doing in store carding.
• Full info(s) - Term used to describe obtaining addresses, phone numbers, social security numbers, PIN numbers, credit history reports and so on. Full Info(s) are synonymous with carders who wish to take over the identity of a person or to sell the identity of a person.
• Holos - Slang for the word Holograms. Holograms are important for those who make counterfeit plastic credit cards to emulate an existing security feature.
• ICQ - An abbreviation for "I Seek You". ICQ is the most widely used instant messaging system for carders. Popular among Eastern Europeans in their Internet culture, it continues to be used for carding activity.
• IRC - An abbreviation for "Internet Relay Chat". IRC is a global system of servers through which users can conduct real-time text-based chat, exchange files, and interact in other ways.
• IDs - Slang for identification documents. Carders market a variety of IDs, including bills, diplomas, driver's licenses, passports, or anything that can be used as an identity document.
• MSR (Magnetic Strip Reader) - Device that can be used for skimming payment card information and/or encoding track information on plastic.
• Phishing - The extraction of information from a target using a hook (usually an e-mail purporting to be from a legitimate company). Phishers spam the Internet with e-mails in hopes of obtaining information that can be used for fraudulent purposes.
• POS (Point of Sale) - Acronym for a terminal through which credit cards are swiped in order to communicate with processors who approve or decline transactions.
• Proxies - Term used for proxy servers. The use of proxy servers to mask one's identity on the Internet is widely practiced amongst carders. Many vendors sell access to proxy servers, socks, http, https, and VPN (Virtual Private Networks), which aid in hiding the user's actual IP address when committing fraud or other illegal activity on the Internet.
• Track 1/Track 2 data - Track 1 and Track 2 data is the information stored on the magnetic stripe of a payment card that contains the account information.


How They Market Themselves


Stages of Carding

• Collection:
  • Technical Means
  • Social Engineering means
  • Desired Data:
    • Account Holder’s Information
    • Expiration Date
    • Primary Acct No. (PAN)
    • PIN No.
    • CVV No.
• Processing
• Production
• Distribution

[Diagram: Collection: Acquisition of Data; Processing: Sell “Dump” to Databroker; Production: Documents and Merchandise; Distribution: ATM Cashing/Reshipping]


Collection of Data

• Technical Methods:
  • Skimming
  • Hacking
  • Malicious Programs
• Social Engineering:
  • Phishing (via web or phone)


Collection via Phishing

[Chart: Targeted Industry Sectors, as reported by the Anti-Phishing Working Group]


A subset of Digital Phishnet

* Gary Warner

Copyright CastleCops®

2 Nov 2006


Metrics

• 485 ‘harvest’ (‘drop’) e-mail accounts identified associated with phish
• 400 deactivated & evidence preserved
• Each ‘harvest’ account contains dozens to thousands of cards
• Average ‘value’ to each card is $5,000 according to several US Court Districts
• Realistic loss = $300 to $2,000 per card
• 400 accounts * 100 cards/account * $600/card = $24,000,000 USD


Processing and Production

• Processing includes filtering the credible data and selling to a data broker.
• Production can include:
  • Fake Documents: Passports, License, Birth Certificates, etc.
  • Fake Credit Cards:
    • Dump Data: Track 1 and 2
    • An example of a “dump” (Track 1 and Track 2):

B412345123456789^John/Doe^06101011123400567000000;;412345123456789=061010111234005679991

    • Data is recorded onto a blank “white card” via a Magnetic Strip Reader (MSR)
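From the defender's side, the Track 1 / Track 2 layout in the dump example above is what a data-loss check searches for in logs and file shares so that stored track data can be found and purged. The scanner below is an added example, not part of the original presentation; the regular expressions are a simplified reading of the standard magnetic-stripe layout, and the log lines and their field names (`raw=`, `ref=`) are constructed for illustration.

```python
import re

# Track 1 (format code "B"): [%]B<PAN>^<NAME>^<YYMM><service code><discretionary>[?]
TRACK1_RE = re.compile(r"%?B(\d{12,19})\^([^^\r\n]{2,26})\^(\d{4})(\d{3})\d*\??")
# Track 2: [;]<PAN>=<YYMM><service code><discretionary>[?]
# The lookbehind keeps the PAN from starting in the middle of a longer digit run.
TRACK2_RE = re.compile(r";?(?<!\d)(\d{12,19})=(\d{4})(\d{3})\d*\??")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: separates plausible PANs from placeholder digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one finding per Track 1 / Track 2 match, ordered by position."""
    findings = []
    for track, rx, exp_group in ((1, TRACK1_RE, 3), (2, TRACK2_RE, 2)):
        for m in rx.finditer(text):
            pan = m.group(1)
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "luhn_ok": luhn_ok(pan),
                "expiry_yymm": m.group(exp_group),
            })
    return sorted(findings, key=lambda f: f["offset"])


def redact(text: str) -> str:
    """Replace every track match with a marker that carries only the masked PAN."""
    def marker(track):
        return lambda m: f"[TRACK{track} REDACTED {mask_pan(m.group(1))}]"
    text = TRACK1_RE.sub(marker(1), text)
    return TRACK2_RE.sub(marker(2), text)


# The sample string shown on the slide.
PAGE_SAMPLE = ("B412345123456789^John/Doe^06101011123400567000000;;"
               "412345123456789=061010111234005679991")

# Constructed POS log lines (not real data); 4111111111111111 is a well-known test PAN.
SAMPLE_LOG = """\
2007-11-14 10:02:11 pos-07 swipe raw=%B4111111111111111^DOE/JANE^09121010000000000?
2007-11-14 10:02:11 pos-07 swipe raw=;4111111111111111=09121010000000000?
2007-11-14 10:02:13 pos-07 txn approved amount=42.10 ref=000123456789
"""

if __name__ == "__main__":
    for finding in find_track_data(PAGE_SAMPLE) + find_track_data(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```

The slide's sample matches both track patterns but fails the Luhn check, which marks it as a placeholder value; the Luhn result is useful for prioritising findings, while redaction should apply to every format match.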


Distribution: Cashier/Reshipping

• ATM Cashing: Cashiers will receive “white plastic” cards and withdraw funds from an ATM machine.
• Reshipping Fraud: A scheme where a scammer overseas has purchased merchandise with illegal credit cards and has it shipped to a co-conspirator (aka reshipper), often in the USA. The reshipper repackages the item and sends it to a destination usually overseas. The reshipper is paid for his/her services.


[Diagram: roles in the carding network, with handles]

1. Hacker/Programmer
2. Spammer
3. Data Broker
4. Documents & Merchandise
5. Reshipper/Cashier
6. Money Launderer

Handles shown on the diagram: Vladuz, Bluetooth, DMS, KLAD, SINJII, BOA


Financial: Money Laundering

• Money Orders
• Western Union
  • Speedy
  • Highly anonymous
  • Ability to pickup money worldwide
  • Many outlets are owned by carders themselves
• Paypal
  • Available currencies: Canadian Dollar, Euro, Pound Sterling, USD, Yen, Australian Dollar
  • Easy Setup
  • All transactions logged


Financial: Money Laundering

• E-Gold
  • Uses “virtual gold” for payment
  • Cashout services available
• Webmoney.ru
  • Z-Wallet accounts
  • Easy transactions via the internet, cellphone, or Webmoney outlet (170 countries)
  • Fee based cashout service


Mazafaka Screenshot

CardingWorld Screenshot


Where are they going?


Use of malicious code in the carding world

[Chart: Phishing based trojans and keyloggers, as reported by the Anti-Phishing Working Group]


International Challenges

• Cyber Crime has no geographical boundaries
• Some countries just starting to recognize the need for adequate cyber laws.
• Law Enforcement cooperation often based upon personal relationships.
• Hard for U.S. law enforcement to gain venue within the U.S. as many key targets are located overseas.


Questions


Who We Are – SRA

SRA is a leading provider of technology and strategic consulting services and solutions to clients in national security, civil government, and health care and public health

We offer cutting-edge business solutions in a wide range of different areas, including:
• Business Intelligence
• Text & Data Mining
• Contingency & Disaster Response Planning
• Environmental Strategies
• Enterprise Architecture
• Wireless Integration
• AND
• Information Assurance & Privacy!


Who We Are – SRA Factoids

• Founded by Dr. Ernst Volgenau in 1978
  • Began operations out of Dr. Volgenau’s Reston basement
• IPO in May 2002 (SRX)
  • Stock Price = $29.51 (as of 11/13/07)
• 6,300+ employees (more than doubled in size in the last four years)
• 300+ government clients; 900+ active engagements
• Headquartered in Fairfax, VA; offices in 17 states, DC, France, Germany, & the United Kingdom
• $1.269 billion in revenue in FY07 (doubled in size in just three years)
• Goal $5 billion in revenue by FY12
• Chosen by Fortune magazine as one of the “100 Best Companies to Work For” for eight consecutive years
• Strong community service orientation (SRA “CARES” Committee) & environmental focus (SRA’s “Green Team”)
• Rolling out new college recruiting, internship, and co-op programs
• Major training and development initiatives underway (career paths and training opportunities)
• More than 200 immediately-billable open positions currently available


Who We Are – IA & Privacy

• Began operations with fewer than a half dozen practitioners c. 2000
• 200+ IA & Privacy professionals work within the practice today
• We have helped more than 300 federal information systems achieve certification and accreditation (C&A) and are currently performing physical- and cyber-security services Government-wide
• SRA’s IA analysts and engineers have obtained the highest professional certifications in the industry, including:
  • NSA’s Information Assurance Methodology (IAM)
  • NSA’s Information Engineering Methodology (IEM)
  • Certified Information System Security Professional certification (CISSP)
  • Certified Business Continuity Planner (CBCP)
  • Project Management Professional (PMP)
  • Certified Information System Auditor (CISA)
  • Certified Information Security Management (CISM)


What We Do

Forensics Penetration Testing Vulnerability Assessment Compliance Risk Assessment System Testing and Evaluation Incident Response Operations Staff Augmentation Security Awareness & Training Privacy FOIA