Part 1 of this two-part series highlights the growing use of job boards such as those listing English as a Foreign Language teaching positions as favored haunts of Internet con artists.
A troubling up-tick in the frequency of Internet fraud attempts and the growing use of more sophisticated botnets and crimeware is leading a growing number of organizations to enlist the services of specialized Internet anti-fraud security services.
Outside the Law
Operating in a digital realm beyond the reach of law enforcement agencies, private companies and Internet security providers are increasingly joining in efforts that involve taking offensive action against Internet fraud in defense of themselves and their customers.
“To some degree, it’s a bit like the Wild West, not so much in that no laws exist — there are laws in a number of countries through which you can prosecute illegal use of a brand name, for example, but how long will that process actually take … and also whose jurisdiction are you operating under? Where do you start?
“You may wind up trying to target a site registered in the UK to a person in France operating a botnet out of Russia benefiting someone in yet another country,” Andrew Moloney, Europe, Middle East and Asia security evangelist for RSA, the security division of EMC, told the E-Commerce Times.
“The chances of getting caught are virtually zero unless you’re in the very, very top echelon of this game. We’re seeing progress, but [perpetrators of Internet fraud] will change DNSs, change botnets, change targets ten times in one morning. They have no beef about attacking whatever bank wherever. Due to globalization they literally can operate anywhere at anytime.”
“Security software can often identify known malicious links, and several of us on this team have links with specialist lists and networks that work on the identification and take-down of such sites,” added Randy Abrams, director of technical education at ESET. “And, of course, where a malicious link points to a page serving malware such as banking Trojans, a product with advanced heuristics like NOD32’s can often identify malware for which no signature currently exists.”
Offensive Defense: Taking Down Fraud Sites
For the past three years, RSA has operated a 24/7/365 anti-fraud command center that has focused almost exclusively on Internet fraud, primarily within the banking and e-commerce industries. That effort has broadened out considerably in the past few months to include working with a variety of strategic customers to study, and take defensive action against, Internet fraud, Moloney told the E-Commerce Times.
“What’s happening now is that other organizations are starting to open up self-service portals that in turn open up new forms of attack. In the past, it was about controlling internal environments and infrastructure. It really spans every type of industry — suppliers, self-service portals in the public sector, in government healthcare — they all want to enable access to their services in a more efficient manner open to everyone. While there are benefits, there are corresponding security risks which you have to manage.”
RSA advises companies to take a multi-faceted and multi-layered approach to Internet fraud protection and prevention. “One thing we are learning is to try and pre-empt them targeting you in the first place.”
Its anti-fraud team includes analysts who work “undercover” in the Internet fraud underground “conversing with fraudsters, gathering in the international underground community and reporting back.” It also offers more offensive services “where we mitigate the effects of phishing attacks, blocking access [to sites], and taking them down,” Moloney elaborated.
Battling Back Against the Crimeware Up-Tick
RSA has been seeing “a big up-tick” in the overall level of attacks, according to Moloney. In addition, they’ve “become more focused. When it comes to malware and specific instances of crimeware, we’re really seeing rapid growth.”
Most of what the anti-fraud team focuses on isn’t apparent to “typical” Internet users, according to Moloney, and includes “keyloggers, screen-scrapers or malware that is reformatting information as it is flowing through — changing account information as it is transmitted and they’re quite typical for both consumers and organizations. Once it’s out there, you can’t really remove it, you can only mitigate it.”
He noted that many such attacks aren’t propagated through hardware owned and operated by malware fraud operators; rather, they make use of servers they’ve infected and linked together to launch attacks.
“We as RSA can’t shut down a site, nor can a bank. Essentially the legal remedies are slow or non-existent so relying on the ISP (Internet Service Provider) code of conduct they have, and their customers signed, enables them to shut a site down … or the individual [Web site operator] to shut it down voluntarily,” Moloney explained.
“It takes a lot of practice to make it happen quickly. On a good day, it can take a small handful of minutes. On a bad day, it could take a couple of days depending on the ISP, its location and other factors.
“The more sophisticated attacks may host attacks across a dozen or more sites and redirect as individual sites are shut down. It’s quite a complex thing so we don’t just rely on shutdowns — blocking links to browsers, using IE 7 (Internet Explorer) greenbar/redbar,” are other tools and techniques RSA’s anti-fraud team employs.
The RSA eFraud Network
RSA is also operating an eFraud Network. “Let’s say you have an attack against five different banks by different botnets rented in five different countries. We tag resources being used to propagate the attack and find a way to share the bad IP addresses in almost real-time in order to reduce the chances of those resources being used again. That decreases the risks, and chances of prevention go up,” Moloney explained.
The eFraud Network counts 150 of the world’s largest banks as members, including Barclays, Bank of America, Wachovia and Washington Mutual. “This is done automatically by the system responding to the threat in a way that it is procreated and spread,” Moloney added.
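To make the mechanism Moloney describes concrete, here is an added example (not RSA’s code, and not the eFraud Network’s implementation) of a pooled bad-IP exchange: member organisations report IPs seen propagating an attack, tagged with the campaign they belong to, and every member can check the pooled list before trusting a request. The member names, the IPs (RFC 5737 documentation ranges), the TTL and the “two independent reporters before a hard block” rule are all constructed assumptions for illustration.

```python
"""Added example (not RSA's code): a minimal shared bad-IP exchange of the kind
the eFraud Network paragraph describes. Member organisations report IPs seen
propagating an attack, tagged with the campaign they belong to; every member
can then check the pooled list before trusting a request. The member names,
IPs (RFC 5737 documentation ranges), TTL and scoring rule are all constructed
for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Constructed sample feed: (reporting member, IP, campaign tag, seen-at epoch seconds)
SAMPLE_REPORTS: List[Tuple[str, str, str, int]] = [
    ("bank-a", "203.0.113.7",  "phish-kit-1", 1000),
    ("bank-b", "203.0.113.7",  "phish-kit-1", 1030),
    ("bank-c", "198.51.100.9", "botnet-x",    1040),
    ("bank-a", "198.51.100.9", "botnet-x",    1060),
    ("bank-d", "192.0.2.55",   "botnet-y",    1100),
]


@dataclass
class Indicator:
    ip: str
    campaigns: Set[str] = field(default_factory=set)
    reporters: Set[str] = field(default_factory=set)
    last_seen: int = 0


class SharedBlocklist:
    """Pooled indicator store that all members read from and write to."""

    def __init__(self, ttl_seconds: int = 3600, min_reporters: int = 2):
        self.ttl = ttl_seconds              # assumed: entries decay so an IP is not blocked forever
        self.min_reporters = min_reporters  # assumed: independent corroboration before a hard block
        self._entries: Dict[str, Indicator] = {}

    def report(self, member: str, ip: str, campaign: str, seen_at: int) -> None:
        """A member tags an IP as propagating an attack; visible to all members immediately."""
        ip = str(ip_address(ip))  # normalise, and reject anything that is not an IP
        ind = self._entries.setdefault(ip, Indicator(ip))
        ind.campaigns.add(campaign)
        ind.reporters.add(member)
        ind.last_seen = max(ind.last_seen, seen_at)

    def _expire(self, now: int) -> None:
        stale = [ip for ip, ind in self._entries.items() if now - ind.last_seen > self.ttl]
        for ip in stale:
            del self._entries[ip]

    def verdict(self, ip: str, now: int) -> str:
        """'block' when several members agree, 'review' on a single report, else 'allow'."""
        self._expire(now)
        ind = self._entries.get(str(ip_address(ip)))
        if ind is None:
            return "allow"
        if len(ind.reporters) >= self.min_reporters:
            return "block"
        return "review"  # one report: step-up authentication or analyst review, not a hard block

    def campaigns_for(self, ip: str) -> Set[str]:
        ind = self._entries.get(str(ip_address(ip)))
        return set(ind.campaigns) if ind else set()


def load_sample() -> SharedBlocklist:
    """Replay the constructed feed into a fresh pooled list."""
    bl = SharedBlocklist()
    for member, ip, campaign, seen_at in SAMPLE_REPORTS:
        bl.report(member, ip, campaign, seen_at)
    return bl


if __name__ == "__main__":
    bl = load_sample()
    for candidate in ("203.0.113.7", "192.0.2.55", "198.51.100.1"):
        print(candidate, bl.verdict(candidate, now=2000), bl.campaigns_for(candidate))
```

The two design choices worth noting are the TTL, so that an infected server that has since been cleaned is not penalised indefinitely, and the corroboration threshold, so that a single member’s mistaken report results in review rather than an outright block.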
“A globalized Internet, the digital economy — [Internet fraudsters] have been operating under free rein for a long time now. We’re starting to make it more difficult for them to operate for the first time.”
In addition, RSA is starting to make use of online knowledge-based identity authentication as a means of preventing fraud and ID theft. “We are deploying technology, call it knowledge-based authentication, where there are a number of public data sources with information about you. We connect to those and synthesize a set of questions that only you can answer.”
Fresh personalized question sets are created with each new access in real-time. “What’s the color of the car you drive? It generates all sorts of different questions. For a fraudster, they have no idea what sort of question will be asked and answers will be ones only you potentially know.”
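The following is an added example (not RSA’s code or product) of the shape of such a knowledge-based check: a fresh question set is drawn for every session from the facts held about a user, the answers are compared in constant time with no early exit, and a small attempt budget limits guessing. The user record, the question templates and the parameters are constructed for illustration; in a real deployment the record would come from the data sources the passage mentions.

```python
"""Added example (not RSA's code): the shape of a knowledge-based authentication
check as the passage describes it. A fresh question set is drawn for every
session from facts held about the user, the user's answers are compared in
constant time, and a small attempt budget stops guessing. The record, the
question templates and all parameters are constructed for illustration."""
import hmac
import random
from typing import Dict, List, Optional

# Constructed, fictitious facts for one user; stands in for the public data sources
SAMPLE_RECORD: Dict[str, str] = {
    "car_colour": "Blue",
    "street_1998": "Elm Street",
    "first_employer": "Acme Ltd",
    "birth_city": "Leeds",
}

# Assumed template per fact; the question shown never reveals the answer
QUESTION_TEMPLATES: Dict[str, str] = {
    "car_colour": "What colour is the car you drive?",
    "street_1998": "On which street did you live in 1998?",
    "first_employer": "Who was your first employer?",
    "birth_city": "In which city were you born?",
}


def normalise(answer: str) -> str:
    """Case and whitespace differences should not fail a genuine user."""
    return " ".join(answer.lower().split())


class KbaSession:
    """One authentication attempt: fresh questions, bounded retries."""

    def __init__(self, record: Dict[str, str], n_questions: int = 3,
                 max_attempts: int = 2, rng: Optional[random.Random] = None):
        rng = rng or random.SystemRandom()  # CSPRNG so the chosen set is not predictable
        chosen = rng.sample(sorted(record), k=min(n_questions, len(record)))
        self.question_keys: List[str] = chosen
        self._expected = {k: normalise(record[k]) for k in chosen}  # never sent to the client
        self.attempts_left = max_attempts
        self.passed = False

    def prompts(self) -> List[str]:
        return [QUESTION_TEMPLATES[k] for k in self.question_keys]

    def verify(self, answers: Dict[str, str]) -> bool:
        """Check every answer (no early exit) and spend one attempt regardless of outcome."""
        if self.attempts_left <= 0 or self.passed:
            return False
        self.attempts_left -= 1
        all_ok = True
        for key, expected in self._expected.items():
            given = normalise(answers.get(key, ""))
            all_ok &= hmac.compare_digest(expected.encode(), given.encode())
        self.passed = all_ok
        return all_ok


if __name__ == "__main__":
    session = KbaSession(SAMPLE_RECORD)
    for q in session.prompts():
        print(q)
```

Because the set is re-sampled per session and every answer is checked before a result is returned, a wrong reply does not reveal which question was missed, and a second session does not simply replay the first.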
An Ounce of Prevention
As ESET’s Abrams notes, many scams perpetrated via the Internet today are reincarnations of tried-and-true cons that have been perpetrated for a long time, only con artists and fraudsters are now employing new IT tools and the Internet to carry them out.
“What we do know is that we are only seeing age-old crimes being perpetrated. The illusion that computers make these new crimes is counter-productive. Computers do facilitate the crimes in that anonymity and international boundaries help prevent prosecution. It will take a while before the international law enforcement community is properly aligned to effectively fight these criminals. In the meantime, education and a healthy dose of skepticism for any request for money on the Internet are essential for consumer protection.”