Highlights
– Criminals are offering fraud software in a Software as a Service (SaaS) model
– Fraud as a Service packages are traded and sold in Internet chat rooms and forums
– Financial institutions are deploying new security procedures and technologies to combat threats
A researcher presenting at an October 2008 security conference in London, England detailed a new trend in online fraud whereby criminals offer fraud services in a Software as a Service (SaaS) model. The model allows anyone wishing to participate in online fraud to purchase services from unscrupulous individuals lurking in Internet chat rooms and forums. The services include information-stealing Trojans, together with hosting services and a fully integrated infection service, including patches and upgrades so that the Trojan continues to evade detection by security software.
According to security vendor RSA’s Anti-Fraud Command Center, nearly half of all phishing attacks are now carried out by individuals or small groups who meet and trade information and services in Internet chat rooms. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Given the potential for large sums of money to be made through phishing schemes, applying the SaaS model to phishing was a natural evolution: it brings those who have the technical skills to create malicious software together with those who want to run fraudulent criminal enterprises. An individual or group wishing to create their own phishing scam can simply visit an Internet chat room, purchase fraud services from another individual and begin defrauding unsuspecting Internet users with relative ease.
In the near to mid-term, we expect more individuals to purchase ‘fraud as a service’ packages because they are relatively easy to deploy and come with a support structure through which the buyer can obtain technical assistance and software updates. Those providing the services also stand to make large sums of money by selling them to hundreds, possibly thousands, of individuals online.
Online Fraudsters: Two Groups
The head of RSA’s New Technologies group stated in his presentation that most online fraudsters can be broken down into two groups: harvesting fraudsters, who specialize in stealing user credentials, and cash-out operators, who focus on laundering the money from stolen accounts or fraudulently purchased goods.
Internet fraud typically follows these steps:
1. Harvesting fraudsters use ‘fraud as a service’ packages to harvest account details.
2. Next, cash-out operators transfer the money from the compromised accounts into a network of so-called “mule accounts.”
3. The money is then sent via Western Union from these “mule accounts” to a third-party individual who keeps a percentage of the laundered money as payment and passes the remaining funds on to the cash-out fraudster.
4. In the end, the cash-out operator and the harvester share the profits.
Financial Institutions Adapt Security Measures
According to a survey conducted by the Pew Internet & American Life Project in May 2008, 53 percent of American adults who use the Internet participated in online banking. This represents a steady increase from a similar 2006 survey, in which 43 percent, or about 63 million American adults, participated in online banking. If financial institutions are to sustain this upward trend and maintain customer confidence in conducting financial transactions online, they must keep pace with new attacks by continually developing procedures and technologies to combat the increasing threats.
Some of the new techniques and technologies being deployed involve:
• Limiting credential harvesting by detecting, blocking and shutting down phishing attacks.
• Deploying two-factor authentication (smart cards and USB tokens) and adaptive, risk-based authentication to customers.
• Improving the monitoring of financial transactions to spot fraud with greater speed and accuracy.
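The transaction-monitoring point above is easiest to see with a small rule set run over a log. The following is an added example, not code from the original report or from any bank: the transaction format, the per-account baseline (known payees, usual source-address prefix, average amount), the thresholds and the sample transactions are all constructed for illustration. The rules flag a transfer to a new payee, an unusually large amount to a new payee, an unfamiliar source address, and a burst of transfers in a short window, which is the shape of the cash-out step described earlier.

```python
"""Toy fraud-monitoring rules over a constructed transaction log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Txn:
    account: str
    when: datetime
    amount: float
    payee: str
    src_ip: str


@dataclass
class Profile:
    """What 'normal' looks like for one account (an assumed baseline)."""
    known_payees: Set[str]
    usual_ip_prefix: str      # e.g. "203.0.113." (documentation address range)
    avg_amount: float


# Thresholds are assumptions; a real system tunes them per customer segment.
NEW_PAYEE_MULTIPLIER = 3.0            # large = more than 3x the usual amount
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3                      # more than 3 transfers inside the window
ALERT_THRESHOLD = 50


def score_transaction(txn: Txn, profile: Profile, history: List[Txn]) -> Tuple[int, List[str]]:
    """Return (risk_score, reasons). Rules are additive so an analyst can read the alert."""
    score, reasons = 0, []
    if txn.payee not in profile.known_payees:
        score += 30
        reasons.append("new payee")
        if txn.amount > NEW_PAYEE_MULTIPLIER * profile.avg_amount:
            score += 40
            reasons.append("large amount to new payee")
    if not txn.src_ip.startswith(profile.usual_ip_prefix):
        score += 20
        reasons.append("unfamiliar source address")
    # history holds earlier transactions only; count those inside the window plus this one
    recent = [t for t in history
              if t.account == txn.account and timedelta(0) <= txn.when - t.when <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX:
        score += 30
        reasons.append("transfer velocity")
    return score, reasons


def monitor(transactions: List[Txn], profiles: Dict[str, Profile],
            threshold: int = ALERT_THRESHOLD) -> List[Tuple[int, int, List[str]]]:
    """Score transactions in time order; return (index, score, reasons) for each alert."""
    alerts, seen = [], []
    for i, txn in enumerate(sorted(transactions, key=lambda t: t.when)):
        score, reasons = score_transaction(txn, profiles[txn.account], seen)
        seen.append(txn)
        if score >= threshold:
            alerts.append((i, score, reasons))
    return alerts


def build_sample() -> Tuple[List[Txn], Dict[str, Profile]]:
    """Constructed data: one normal bill payment, then a cash-out burst to fresh payees."""
    profiles = {"acct-1001": Profile({"electric-co", "landlord"}, "203.0.113.", 120.0)}
    d = lambda h, m: datetime(2008, 10, 14, h, m)
    txns = [
        Txn("acct-1001", d(9, 0), 118.0, "electric-co", "203.0.113.7"),
        Txn("acct-1001", d(14, 0), 900.0, "mule-4471", "198.51.100.9"),
        Txn("acct-1001", d(14, 2), 850.0, "mule-4472", "198.51.100.9"),
        Txn("acct-1001", d(14, 5), 800.0, "mule-4473", "198.51.100.9"),
        Txn("acct-1001", d(14, 7), 780.0, "mule-4474", "198.51.100.9"),
    ]
    return txns, profiles


def run_demo() -> List[Tuple[int, int, List[str]]]:
    txns, profiles = build_sample()
    return monitor(txns, profiles)


if __name__ == "__main__":
    for idx, score, why in run_demo():
        print(f"txn #{idx}: score {score}: {', '.join(why)}")
```

Only the four transfers to new payees from an unfamiliar address are flagged; the last one also trips the velocity rule. The value of keeping the rules simple and the reasons explicit is that the alert can be acted on quickly, which is the speed-and-accuracy goal the bullet describes.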
Security industry experts cite the mass-market, scalable nature of this new class of phishing scheme as evidence of the need for a multilayered approach to combating these threats. One such multilayered approach is used by the Spanish bank Banco Sabadell for online transactions. The bank uses the short message service (SMS) to alert customers on their mobile phones to unusual account activity. It is also integrating one-time password (OTP) generation, sending a password to the user’s mobile phone that must be entered together with the regular username and password in order to access the online banking account.
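The server side of an SMS one-time-password step looks roughly like the following. This is an added example, not code from Banco Sabadell or from the original report. It uses the HOTP construction of RFC 4226 (HMAC-SHA1 over an 8-byte counter with dynamic truncation) to derive each code, and adds the bookkeeping the bank’s server needs around it: a fresh counter per challenge, a short expiry, single use and an attempt limit. The `sms_outbox` list stands in for the SMS gateway, and the user, phone number and secret are constructed test values (the secret is the RFC 4226 test-vector key).

```python
"""Server side of an SMS OTP login step (added example; RFC 4226 HOTP underneath)."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120     # assumed validity window for an SMS code
MAX_ATTEMPTS = 3          # assumed guess limit per challenge


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter as big-endian 8 bytes), dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SmsOtpServer:
    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}        # user -> secret, counter, phone
        self.challenges: Dict[str, dict] = {}   # user -> outstanding challenge
        self.sms_outbox: List[Tuple[str, str]] = []   # stand-in for the SMS gateway

    def enroll(self, user: str, phone: str, secret: Optional[bytes] = None) -> None:
        # Each user gets an independent random secret; the counter never repeats.
        self.users[user] = {"secret": secret or secrets.token_bytes(20),
                            "counter": 0, "phone": phone}

    def issue(self, user: str, now: float) -> None:
        """Called only after the regular username/password check has succeeded."""
        u = self.users[user]
        u["counter"] += 1                         # a new counter means a new code
        code = hotp(u["secret"], u["counter"])
        self.challenges[user] = {"counter": u["counter"],
                                 "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        self.sms_outbox.append((u["phone"], f"Your login code is {code}"))

    def verify(self, user: str, submitted: str, now: float) -> bool:
        ch = self.challenges.get(user)
        if ch is None:
            return False                          # nothing outstanding (or already used)
        if now > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
            del self.challenges[user]             # expired or locked: force a new challenge
            return False
        ch["attempts"] += 1
        expected = hotp(self.users[user]["secret"], ch["counter"])
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            del self.challenges[user]             # single use
            return True
        return False


def demo() -> bool:
    """Enroll a constructed user, issue a code, reject a wrong guess, accept the real one."""
    srv = SmsOtpServer()
    srv.enroll("alice", "+34600000000", secret=b"12345678901234567890")   # test values
    srv.issue("alice", now=1000.0)
    code = srv.sms_outbox[-1][1].split()[-1]      # what the phone would display
    wrong_rejected = not srv.verify("alice", "000000", now=1001.0)
    right_accepted = srv.verify("alice", code, now=1002.0)
    replay_rejected = not srv.verify("alice", code, now=1003.0)
    return wrong_rejected and right_accepted and replay_rejected


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

The counter, expiry and single-use handling are what make a stolen or guessed code nearly worthless after the fact. A login OTP still only proves possession of the phone at login time: a Trojan of the kind the report describes, running in the victim’s browser, can wait for the authenticated session and alter transactions, which is why transaction alerting matters alongside it and why some banks put the amount and payee into the SMS text so the customer confirms the specific transaction rather than the login.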
In the near to mid-term, as hacking and phishing tools continue to become more user-friendly and are actively improved by unsavory software developers, we anticipate a steady rise in both the sophistication and the number of phishing attacks taking place online.