中文 English

Preventing Online Fraud

Understanding the business models of cybercrime points to ways to defend against it.

popularity

I attended a webcast on Anti-Fraud organized by the RSA Conference in the leadup to the conference itself. The anti-fraud webcast was split into two sections. First was Steve Winderfield, who is advisory CISO at Akamai, titled “How We Can Keep up with Cyber-Criminals’ Evolving Business Models?” The second part was by Michael Tiffany of White Ops and Chris Ott of Rothwell Figg, titled “Detecting, Disrupting, and Destroying Ad Fraud.” This post will focus on the first part, since that is more relevant in a corporate environment, and where secure silicon is most likely to be involved.

How we can keep up with cyber-criminals’ evolving business models?

Steve started off by pointing out the image on the right of his title slide, which is a security gate for an airport in Alaska. It’s not that easy to see, but the code is actually taped to the post beside the keypad. Of course, it may seem that it doesn’t matter much since it’s an obscure airport in what is probably our most obscure state (sorry, Alaskans…and yes, I have been there. In fact, I walked from Alaska into Canada). But from that airport, you can fly to any other airport in the US.

It may seem odd to talk about “business models” when you are talking about criminal enterprises, but that’s the way that Steve said we need to think about it. He gave a bit of history about how online retail has been under attack:

  • It started with payment data, primarily credit cards. They either used them directly or sold the numbers.
  • When those got better protected, they shifted to personal identity information (PII) for identity theft.
  • When that got better protected, they pivoted to gift cards. By the time you tried to use the card, it was already zeroed out.
  • Next shift was to loyalty reward points.

Each time the transition was to data that could be converted into an income stream.

You need to think about what data do you have that can be monetized before the threat has worked out how to build a business model around it.

One challenge is that we don’t have good definitions for everything. Fraud vs cybercrime (fraud involves deception). Business model vs attack method. Account takeover (existing account) vs identity theft (open a new account). Mules vs online service center. Mules are humans required for some business models. If you want to take money out of an ATM, for example, you need a human to do that.

The motivations determine the business model, with very different motivations for hobbyist, hacktivist, criminal, non-nation state (terrorism), nation state. Steve said that the focus of the rest of the presentation would be on cyber criminals.

So what are some business models for cyber-criminals?

Bots: AWS talked about a huge spike recently:

In Akamai we saw a huge increase…the largest, most complex we’ve seen, but we never understood their business model, it seemed more a proof-of-concept.

Credential stuffing: Taking compromised usernames and passwords and trying 1M of them on a retailer. Maybe only 1-2% work, but with a million that is plenty.

Piracy: Streaming media sites, people stealing live events like sports or stealing pre-release movies. Then sell the content. They are so organized they even have customer complaint centers, the whole ecosystem.

Personal health information (PHI): Insurance information, false unemployment claims, etc.

Advertising and click fraud:

I want to sell a car. I pay $5 when ad is clicked. Competitor pays someone to click 1000 times. I spent my whole advertising budget. They can put their ad up for just $2 per click.

Ransomware: They lock up your data.

Extortion: They threaten to take away access to your data.

Combined approaches: They do a ransomware attack, but also steal the data. Then threaten to expose it publicly.

Javascript formjacking:

This wasn’t even on our radar before. For a lot of companies, it was not tightly controlled. There is a paradigm shift in the things that you have to cover and protect.

What’s coming?

  • 3D printers leveraged to make fingerprints, TSA keys, etc.
  • Ransomware: car, house, refrigerator.
  • Camera/microphone: Blackmail or hearing secrets.
  • Data integrity and OPSEC around law enforcement and military.
  • Deep fakes: “You’ve seen the videos…they are amazing…how will people monetize?”
  • Open banking, more Fintech Apps: Will they go after those?
  • Drones.

The little flow above shows an example of a process cyber-criminals might use (C2 is command and control, once malware is successfully inserted on a target and they exfiltrate data). Defense needs to have a kill chain, with defense in depth giving multiple opportunities to stop them.

Think about their business model and where there are opportunities to disrupt that business model.

The costs of an attack are not all just stolen money:

  • Brand confidence and shareholder value: Are you a recognized brand? Or just a commodity? This can impact shareholder value.
  • Financial loss: Will you lose proprietary information? Secret sauce? Customer data? Competitive strategy?
  • Litigation costs: Will there be a class action lawsuit?
  • Recover: With ransomware, the costs can be tremendous in terms of productivity, loss of data, cost of deploying new infrastructure. Cyber-insurance can be part of the mitigation strategy.
  • ROI: Include the risk of incarceration, fines, and personal liability.

Steve finished with some practical advice:

  • Educate leadership so that they know what risks they are accepting. Don’t be afraid to say, “I recommend that you do not accept this risk” or “regulations require us to do xxx.”
  • Take a long-term view: Do gap analysis and review your technical debt.
  • Monitor the dark web or subscribe to a feed that does, so you have “situational awareness.” If you have been compromised, this may be the first place you find out.
  • Don’t be the guy with this keypad (see pic).

Detecting, disrupting, and destroying ad fraud

One challenge with ad fraud is that it is often hard to detect. The “best” way to do it is to run a background process on a real person’s computer: that computer already records successful logins, cookies, and so forth. It makes ad fraud surprisingly scalable. Sometimes fraud is just suspected: you spend money but get no sales, so there is a suspicion of fraud but nothing strong enough to bring a lawsuit.

The obvious victim is the person buying the ads. But everyone is in price competition with everyone who is faking it. And it is not just ads, there are bots listening to music or watching videos. It has a dilutive effect on the whole market where fakes are being sold.

Ad fraud can scale into billions of dollars so has attracted tier #1 adversaries. People are rationally motivated to spend an extraordinary amount of time to work out details of the fraud controls of the ad industry.

It’s not like robbing an account you’ve taken over. When it succeeds, no one notices that a fraud has occurred and you can legitimately collect checks.

I’ll wrap up with the last summary slide:



Leave a Reply


(Note: This name will be displayed publicly)