Amuleek Bijral, Country Manager — India & SAARC, RSA, The Security Division of EMC
Online criminals consistently build upon existing techniques to conduct online
attacks against financial institutions, to refine the fraud supply chain, and to
find new opportunities for financial gain in areas outside the consumer realm.
They mimic the legitimate world of business by staying innovative, competitive
and organized. However, there are methods to help mitigate and prevent the
losses caused by successful online attacks, through layered security.
The fraud analysts at the RSA Anti-Fraud Command Center have compiled a list
of techniques likely to be adopted by cyber criminals in the near future. Let's
take a look.
Money Muling: Preying upon the innocent
A money mule within the fraud supply chain is a person who works on behalf of an
online criminal. Mules are the innocent players within the fraud supply chain.
The combination of money mule recruitment networks and "mule herders" (managers
who control a network of mules) is a specialized cashout service offered for
sale within the fraud underground. In 2008, we observed numerous mule
recruitment scams sent via spam attacks that directed people to
professional-quality websites offering allegedly legitimate jobs performing
money transfers. These websites lured people to apply for a position described
as a "money transfer agent" or "regional manager." This brings honest people
into the fraud and money laundering cycle. Mules move cash that originates from
compromised bank accounts from one online criminal to another. Depending on the
amount of money laundered, a mule receives a small percentage as compensation.
As a result of the weakened economy, money mules will be easier to recruit
over the next year or two until there is a significant growth in new job
opportunities. To leverage the growing unemployment rates, more money muling
operations will develop over the next year. The continuing economic slump means
more people will be looking for jobs and will be less selective in the jobs to
which they apply. This will enable more people to be recruited as money mules
and keep this part of the supply chain fully active.
Consolidation of 'traditional' phishing and malware attacks
In April 2008, we discovered a new technique that merged classic phishing
and malware content and related tactics. The Rock Phish group pioneered this
double-vector attack when they used both phishing sites and the Zeus Trojan to
attack and infect online users. Upon receiving the fraudulent
correspondence, victims of these attacks were directed to phony websites that
solicited personal information. Concurrently, the Zeus Trojan infected their
computers. As a result, even if the online user did not fall for the phishing
scam and divulge personal details on the website, the Trojan would later steal
information that was transmitted while the victim interacted with other
websites.
As online banking users have become more educated about cyber crime and the
risks they face by providing personal information on financial institutions'
websites, criminals have had to develop alternative ways to dupe them. By
leveraging spammed emails designed to initiate a phishing attack and direct
unsuspecting users to a website infected with malware, criminals can achieve
greater results. This way, a computer infected by a Trojan via this attack
method helps to ensure that fraudsters can gain access to personal information
without requiring online users to submit their information themselves.
The volume of phishing attacks during 2008 grew 66% over those detected
throughout 2007. Despite heightened awareness among online banking users,
phishing remains a popular platform for fraudsters as it has a very low
execution cost, can reach broad sets of users, and requires limited technical
expertise to set up. For these reasons, the rate of phishing attacks will
continue to increase throughout 2009 and beyond. And while silent "drive-by
download" infections (in many cases planted within legitimate web pages) are a
leading Trojan infection method, we anticipate an increase in combined phishing
and Trojan attacks. Socially engineered online attacks using spammed email that
contains information on popular societal issues will also serve as an additional
way to direct unsuspecting users to malware infection sites.
Enterprise fraud will increase
Enterprise fraud is still in its infancy and online criminals are just
starting to realize the potential benefits of it. We have witnessed many
incidents of enterprises of all kinds that have been targeted unknowingly. For
example, fraud analysts have uncovered VPN and web mail account credentials
within online criminals' drop zones during the credential recovery process. We
have also witnessed transactions among fraudsters such as the solicitation of
e-mail addresses for top executives at US corporations at an offered price of
$50 each. This is indicative of the likelihood that there
will be an increase in the number of spear phishing incidents in the coming
year. Spear phishing is a targeted form of online attack directed at those with
access to high-value accounts, applications and business information — quite
often the targets are business executives.
We expect to see an increase in enterprise fraud in the next 12 to 18 months.
This is a nefarious threat as online criminals stand the chance of gaining
access to sensitive corporate data such as intellectual property and business
plans.
Layered security is the best protection
Staying a step ahead of online criminals and being prepared to address new
threats as they come knocking at the door is critical to fending off fraud.
Financial institutions should consider instituting a layered approach to
security which is critical to lowering the overall risk posed by online crime. A
layered security approach has three core elements:
Understand the threat landscape: Financial institutions must understand the
threats that are targeting their business and the relative risks they pose. By
doing so, they can mitigate the risk of online fraud or even prevent it from
occurring at all. By gathering and sharing intelligence and developing a broad
knowledge of potential threats, financial institutions can better evaluate their
own vulnerabilities and implement security solutions to address them.
Use multi-factor authentication to protect login: Given the advanced nature of
today's threat landscape, user name and password authentication is not enough to
protect access to sensitive data. Moreover, many countries have imposed
regulations requiring organizations to protect access to user accounts and
personal information with a second form of strong authentication. Multi-factor
authentication is essential to prevent unauthorized access to a user's
sensitive and personal data.
Monitor transactions and activities that occur post-login: Beyond
authentication solutions that challenge users to assure their identity at login,
financial institutions should consider implementing a transaction monitoring
solution that analyzes and challenges high-risk transactions after login has
occurred. Transactions typically require more scrutiny and pose more risk to
organizations and their customers than just the act of logging in to an account.
Transaction monitoring can help identify suspicious post-login activities and
mark them for further review.
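As an added illustration of this third element (example code written here, not RSA's product or code from the article), the following Python sketch scores each post-login transaction against the customer's profile and that account's recent activity, including the money-mule pattern described earlier (funds received and quickly forwarded on), and routes it to allow, a step-up challenge, or manual review. Account names, payees, device ids, point values and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Tx:
    account: str
    ts: datetime
    kind: str      # "credit" (money in) or "debit" (money out)
    amount: float
    payee: str     # counterparty for debits, "" for credits
    device: str    # fingerprint of the device used in the session
@dataclass
class Profile:
    known_payees: frozenset
    known_devices: frozenset
    avg_debit: float   # customer's historical average outgoing transfer
def score(tx, profile, prior):
    """Risk-score one post-login transaction; prior = this account's earlier transactions."""
    inbound = sum(h.amount for h in prior if h.kind == "credit" and tx.ts - h.ts <= timedelta(days=1))
    burst = sum(h.kind == "debit" and tx.ts - h.ts <= timedelta(hours=1) for h in prior)
    debit = tx.kind == "debit"
    rules = [  # (condition, points, reason)
        (tx.device not in profile.known_devices, 20, "unknown device"),
        (debit and tx.payee not in profile.known_payees, 30, "new payee"),
        (debit and tx.amount > 3 * profile.avg_debit, 30, "amount far above baseline"),
        (debit and burst >= 2, 20, "debit velocity"),
        (debit and inbound > 0 and tx.amount >= 0.8 * inbound, 40, "forwards most of last 24h inbound (mule pattern)"),
    ]
    hits = [(p, r) for cond, p, r in rules if cond]
    return sum(p for p, _ in hits), [r for _, r in hits]
def decide(s):  # step-up policy: allow, challenge (re-authenticate), or hold for manual review
    return "allow" if s < 40 else "challenge" if s < 80 else "review"

# Constructed sample data (hypothetical accounts, payees and device ids).
T0 = datetime(2009, 3, 2, 9, 0)
PROFILES = {"acct-1": Profile(frozenset({"electric-co"}), frozenset({"dev-A"}), 120.0),
            "acct-2": Profile(frozenset(), frozenset({"dev-B"}), 50.0)}
SAMPLE = [
    Tx("acct-1", T0, "debit", 110.0, "electric-co", "dev-A"),                        # routine bill
    Tx("acct-1", T0 + timedelta(minutes=5), "debit", 900.0, "new-shop", "dev-A"),    # new payee, large
    Tx("acct-2", T0, "credit", 4000.0, "", "dev-B"),                                 # large deposit
    Tx("acct-2", T0 + timedelta(hours=2), "debit", 3600.0, "wire-abroad", "dev-B"),  # forwarded on
]

def run(txs, profiles):  # process in time order, keeping per-account history
    history, decisions = {}, []
    for tx in sorted(txs, key=lambda t: t.ts):
        s, why = score(tx, profiles[tx.account], history.get(tx.account, []))
        decisions.append((tx.account, tx.amount, decide(s), why))
        history.setdefault(tx.account, []).append(tx)
    return decisions
```

Running `run(SAMPLE, PROFILES)` allows the routine bill and the deposit, challenges the large payment to a new payee, and holds the forwarded funds for review with the mule-pattern reason attached.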