Current Trends in Corporate Criminal Activity 1:15 PM - 2:15 PM 4/28/2015

Transcription

1 Current Trends in Corporate Criminal Activity 1:15 PM - 2:15 PM 4/28/2015

2 Presenters: John McCullough, Financial Crimes Service Fred Laing, Upper Midwest Automated Clearing House Association 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 2

3 Agenda Transition and New Approaches to Crime Trends Cybercrimes Mitigation Techniques 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 3

4 Transition and New Approaches to Crime Trends 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 4

5 Physical Attacks Merging with Technology (Blow Torching ATMs, Madison, WI) 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 5

6 Sophisticated Skimmers on ATM s for Data Physical Attacks with Technology 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 6

7 Criminal Evolution Focus on Gathering Data The First generation gas pump skimmers place on the outside Device placed inside gas pumps, blue tooth connect, not as detectable 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 7

8 Technology to Clone Cards, Just Add Data Target Data, Home Depot, etc. Images removed 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 8

9 You re Hired to Shop (Mules) 1 Be a "Secret Shopper letter US residents in all 50 states being approach This check turns out to be counterfeit and is drawn against Wal-Mart s Payroll Account letter instructing them to deposit the check into their personal account for 24 hours Send on series of "secret shopper" tasks 2 Test Wal-Mart by sending a wire transfer/moneygram using these funds Shopper Complete customer service report and keeps $350 Letters post marked from Spain 3 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 9

10 4 Letters sent to mules Letter looks real, Individuals with no jobs find this offer as a great opportunity Greed does play a role in this process This person ends up as the looser 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 10

11 It Just Doesn t End There Images removed 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 11

12 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 12

13 Cybercrimes Criminals are seeking business, government and personal data Data is valuable to other criminals (i.e., Darknet) and sold Its all about data used for impersonations of a businesses, government agencies, employee PII or consumer data used to take over accounts, steal funds, illegal purchase goods/services, create new identity, open accounts, buy and trade, terrorism activities, and so on 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 13

14 Common Thread in Financial Crimes: Always impersonations The representations may appear creditable Data breaches seek personal, business or government data Methods of detection and apprehension are difficult to detect and prove The virtual world and physical world have merged Virtual currency is becoming a common pathway for financial funding of organized criminal and terrorist activity to avoid detection Being a little paranoid is a good thing when it comes to fraudster! 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 14

15 Financial Crime Trends (What Are We Seeing) Banks: Data Breaches, debit and credit frauds followed by check fraud and new wire frauds methods deployed and mobile deposits frauds Retailers: Data breaches, debit card fraud, cloned cards, gift card fraud and return frauds, and scams to fraudulent purchase and resale smart phones General businesses: Network system attacks, data breaches, counterfeit checks, account takeover, employee impersonations on tax return frauds, business impersonations Medical; System attacks, fraudulent claims, patient impersonations, medical prescriptions frauds 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 15

16 JP Morgan Chase (Give Me Derivatives) Images removed 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 16

17 U.S. Officials Say Russians Hacked White House Computers The intrusion likely resulted, as many cyber breaches do, from an employee clicking on a malicious link and/or attachment in a so-called phishing . That s how investigators believe the hackers accessed the State Department s systems 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 17

18 What is Thought to Have Happened: Russian hackers where behind cyber intrusion of the State Department in recent months used malware called perch to penetrate sensitive parts of the White House computer system, according to a U.S. official This malware is a low and slow process, which overtime steals data and avoids detection in network systems. The White House has said the breach affected an unclassified system. But that gave the hackers access to such sensitive information as real-time nonpublic details of the President's schedule. One official says the Russians have "owned" the State Department system for months 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 18

19 White House Asks For Our Help! (Fred and John) Here is what we found: We found the employee that open the malware This employee opened an The employee downloaded an attachment This let the Russians in Who is it? (Next Slide) 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 19

20 Fred and John Found Him Opening This and Downloading it Images removed 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 20

21 The Subject Matter is Meant to Fool Your Employees Images removed { USPS - Missed package delivery FW: Invoice <random numbers> ADP Reference #<random numbers> Payroll Received by Intuit Important - attached form FW: Last Month Remit Scanned Image from a Xerox WorkCentre Fwd: IMG01041_ _m.zip My resume Voice Message from Unknown Caller (<phone number>) Important - New Outlook Settings FW: Payment Advice - Advice Ref:[GB<random numbers>] New contract agreement Important Notice - Incoming Money Transfer Payment Overdue - Please respond FW: Check copy Corporate efax message from <phone number> FW: Case FH74D23GST58NQS 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 21

22 It Takes Only One Employee to Make Mistake! Images removed 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 22

23 How Effective Are These Criminals 780 Corporations Images removed 85 million known victims 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 23

24 The Report List 24 Pages of Corporations with Data Breaches Images removed 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 24

25 Survey by April 2015 CompTIA on Data Breach Causes Human error accounts for 52% Technology errors account for 48% Other Comments: 32 % respondents did not have the ability to prevent an attack 51 %, lacked training to deal with insider threats 43 % cited budget issues 40 % did not have Sufficient staff 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 25

26 Substantial Increase of Tax Return Fraud 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 26

27 Someone Filed My Tax Return Beware! Intuit CATO, breaching business networks Acquire payroll records Criminal impersonates person tax filing If a pattern develops, consider possible data breach Have contingency plans for employees to reporting such incidents 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 27

28 Tax Fraud Season If you become a victim of identity theft, the IRS recommends you take the following steps right away: Contact the IRS Identity Protection Specialized Unit at x245 so that steps can be taken to secure your tax account Complete IRS Identity Theft, IRS Form Report ID theft incidents to the Federal Trade Commission at consumer.ftc.gov or the FTC Identity Theft Hotline at File a report with the local police Contact the fraud departments of the three major credit bureaus: Equifax, equifax.com, ; Experian, experian.com, ; and TransUnion, transunion.com, Close any accounts that have been tampered with or opened fraudulently 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 28

29 Wire Frauds Are Increasing The FBI Denver Division has received an increase in business compromises criminal complaints. The fraud occurs when the controller, treasurer, or accounting officer at the business receives an that appears to be from the company executive. The is a request that a wire transfer be sent. The fraudulent appears to have originated from an executive within the company or appears to be an chain forwarded from company executives. The includes an attachment with instructions for the wire transfer. domain name used to send the fraudulent is similar to the company s domain name with a minor change. 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 29

30 Common Wire Frauds Today (This April Example, CA) Homeland Security Investigators in San Francisco are currently investigating an organization that creates domain names, which are similar to known organizations and sends fraudulent wire instructions to employees via . The employees believes the requests are originating from a high level manager within their company, and proceeds On 4/10/2015, HSBC Hong Kong received a $375, wire transfer from the United States. The wire transfer was sent to BROTENT TENTNOLOGY, LTD Account # 801-1X85XX-838. If your institution wired funds to this account, please contact SSA Michael Shinn. Thank you. 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 30

31 Why do people still fall for phishing attacks, especially finance people in charge of wire transfers at corporations? Organization with 10,000 employees, even if only one out of a thousand employees opens the phishing document, there compromised, leading to loss of information and attacks Criminals target selected employees with authority and attempt to fool them with fake s The targeted employees are busy and trusted employees, likely overworked, under deadlines, mistakes happen 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 31

32 Dave Jevans, Co-founder of the Anti- Phishing Working Group Stated: The hacker attack against Anthem Inc. (data breach) Started with a spear-phishing campaign which targeting five of its employees The real risk here is an increase in targeted attacks against a handful of key employees within your organization (people with authority) Data breach malware have spread to vendors with the intent to come through the side door of the vendors corporate clients being serviced (i.e., Target and Vendor) 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 32

33 Mitigation: Training of Employees /17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 33

34 Other Risks to Consider Images removed Disgruntled employee(s) Criminal partners, insider 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 34

35 Taking Your Computer/Smart Phone Hostages 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 35

36 Example Ransomware : Your system is locked by cyber criminals with message denying access to files The Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware that locks the corporate user out or encrypts files so that the user can longer access them Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased How doe it start: Criminals will use various ploys to get staff to click on links or download attachments, which, in turn, infect their computers 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 36

37 Lance James, head of cyber-intelligence at the consultancy Deloitte & Touche. Now experts are calling attention to one of the reasons why ransomware attacks are becoming more common - because organizations say they'd rather not deal with the fallout that trails a breach or cyber-attack that goes public. Instead of getting law enforcement involved, they'd rather try their hands at making deals with their attackers first. But paying ransom is short-sighted and is never a good idea. Why? Because cybercriminals rarely keep their end of the bargain. Organizations that negotiate with hackers often end up with lost data after paying a hefty ransom. 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 37

38 Extortion Methods Expanding 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 38

39 Cyber Extortion is Successful 1/3 of US corporations who experience cyber extortion would negotiate for data return Corporations do not want to report extortions to Law enforcement Corporations do not want the publicity Corporations expenses to clean-up and notify parties is costly Corporation Stock shares drop Potential regulatory issues and fines CEO and CIO s on the hook 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 39

40 Distributed DoS attack So the bad guys took our servers down Answer: They are testing your response and planning other activity. They may use DDoS Attack as a distraction from another event they are executing against the company 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 40

41 Distributed Reflection DoS attack Combines Reflection and Amplification Uses third-party open resolvers in the Internet (unwitting accomplice) Attacker sends spoofed queries to the open recursive servers Queries specially crafted to result in a very large response Impact: Causes DDoS on the victim s server 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 41

42 Cache poisoning Corruption of the DNS cache data 1. Attacker queries a recursive name server for IP address of a malicious site 2. The recursive server does not have the IP address and queries a malicious DNS resolver 3. The malicious resolver provides requested rogue IP address and also maps the rogue IP address to additional legitimate sites (e.g The recursive name server caches rogue IP address as the address for 5. User queries the recursive server for IP address of 6. The recursive server replies to user with cached rogue IP address 7. Client connects to site controlled by attacker, thinking it is Impact: Logins, passwords, credit card numbers of the user 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 42 can be captured

43 TCP SYN floods Uses the 3-way handshake that begins a TCP connection Attacker sends spoofed SYN packets with the source IP address of bogus destinations The server sends SYN-ACKs to these bogus destinations It never receives acknowledgement back from these destinations and the connections are never completed These half-opened connections exhaust memory on the server Impact Server stops responding to new connection requests coming from legitimate users 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 43

44 DNS tunneling Uses DNS as a covert communication channel to bypass firewall Attacker tunnels other protocols like SSH, TCP or Web within DNS Enables attackers to easily pass stolen data or tunnel IP traffic without detection A DNS tunnel can be used for as a full remote control channel for a compromised internal host. Also used to bypass captive portals to avoid paying for Wi-Fi service Impact: Data exfiltration can happen through the tunnel 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 44

45 DNS hijacking Modifies DNS record settings (most often at the domain registrar) to point to a rogue DNS server or domain. User tries to access a legitimate website User gets redirected to bogus site controlled by hackers that looks a lot like the real thing. Impact Hackers acquire user names, passwords and credit card information See all Ten: 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 45

46 Why Does This Keep Happening "The reality is: The dark element is much better at information-sharing than the corporations are. (Usman Choudhary, ThreatTrack): Advance Persistence Attack (APT: Attack networks and low and slow method) Organize Motivated Well funding Smart and share information better than corporations Information is valuable information on the black market (Sony) 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 46

47 Mitigation Techniques and Tips

48 Training Employee education is Missing.. Do you have a formalized ongoing training program? Human error accounts for 52% of data breaches AND Educate, Educate, Educate Focus on specialized training with personnel with authority 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 48

49 Mitigation Techniques Companies can open attachments in a secure container or virtual machine, to avoid infection of the target computer Employ multiple anti-virus to detect various malware techniques Training users to avoid opening spam s is also very important Bankers need to educate users about the limits of two-factor authentication Employees should not rely on the information presented on the screen (links, phone numbers, pop-ups, domains names) Analytics software that can detect, say, that an organization is sending $500,000 to an account the bank has never seen before DNS attack indicator you have been or are being hit It is a distraction to keep you from detection of the real threat or execution of a crime 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 49

50 From a Network Standpoint Anti-virus software Firewalls Anti-Malware software Install software updates ASAP Monitor Internet traffic Manage passwords Strong policies defining what employees can do with their work computers when it comes to internet access, use of external devices, etc. An educated employee base 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

51 Physical/Network Security Use Dual Control whenever handling financial transactions Change vendor supplied defaults Encrypt data when you can Develop and implement a data retention, storage and destruction policy Ensure terminated employees credentials are deleted Ensure hiring policies include verifying application data and check references Regularly test systems for vulnerabilities AND Educate, Educate, Educate 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

52 Cash Management Products Positive Pay, Reverse Positive Pay Debit blocks and filters Stop all debits vs. stop all but specific debits Separate accounts for separate processes One for payroll, another for receivables, etc. Account reconciliation DAILY!! Balance Reporting 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

53 Out-of-Band Authentication Between You and Your FI What is it? Phone call (voice authentication or just a simple phone call) Text message (SMS) Secure Fax Why do it? To authenticate that the file or transaction is what you intended to generate Fraud prevention method but may also assist in preventing unintentional processing errors (sending the wrong week s payroll file to your FI) 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

54 Ways to Authenticate User ID and password (and/or picture) this is single factor and not sufficient by themselves, Challenge Questions fall into this too Token(s) a second factor, somewhat effective but there needs to be more, could be a cell phone or other similar device Biometric a third factor, hard to control in a virtual exchange but it s effective when used FFIEC defined three factors; what you know, what you have, and what you are 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

55 Exposure Limits Usually based on a credit review but can be used to limit fraud loss exposure Company and bank should work together to set the limit(s) Can be for a file, batch, or entry and can be daily, weekly or even monthly Should be set close to the size of the largest anticipated file Monitoring should be real time Limit should be reviewed regularly There should be well defined over-limit procedures 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

56 Anomalous Detection & Layered Security Look for trend lines that are out of band Sudden increases in transaction volume, dollar amounts, or returns Review ALL the data in a file, has anything changed from the last file? Where did the instructions come from When do you access the network to generate the transactions In other words, LOOK FOR ANYTHING THAT S DIFFERENT FROM WHAT YOU NORMALLY SEE! 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

57 FCC Recommendations for Small Businesses 1. Train employees in security principles 2. Protect information, computer and networks from Viruses, spyware and Malware 3. Provide firewall security for your internet connection 4. Download and install software updates as they become available 5. Make backup copies of important business data 6. Control physical access to your computers and networks 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

58 FCC Recommendations for Small Businesses (cont.) 7. Secure your Wi-Fi networks 8. Require individual user accounts for each employee 9. Limit employee access to data & information, limit authority to install software 10. Regularly change passwords 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

59 Mitigation Recommendations for Business Customers Using Online Payments (Spear Phishing and Business Account Takeover Attacks) Initiate payments under dual control Use dedicated computer where and web browsing are not possible. Limit admin rights on users workstations Reconcile transactions on a daily basis. Implement an employee awareness program Implement fraud detection systems with predictive analytic and transaction monitoring capabilities Use Out-Of-Band authentication systems manual client callback SMS text messaging Interactive Voice Response Fourteen additional in-depth defenses 59 FRPA and UMACHA Copyright 2015 all rights reserved 4/17/2015

60 Security is a TOTAL System, Process, and Procedure Issue!! DR WAN Data warehouse WW Campuses Business Analytics Back up tape WWW WW Customers Customer Portal Production Data Disk storage WW Partners WAN Outsourced Development Staging Back up disk Remote Employees VPN Enterprise File Server 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved Endpoint Network Applications Files Storage

61 Security is a TOTAL System, Process, and Procedure Issue!! Device Theft WW Campuses Media Theft WAN Business Analytics Unauthorized Data warehouse Activity DR Media Loss Takeover Intercept WWW Unauthorized Access Unauthorized Access Unavailability Back up tape WW Customers Eavesdropping Fraud Customer portal Production Data Corruption Disk storage Unintentional Distribution WW Partners Data Loss Device Remote Loss Employees WAN VPN Outsourced Development Unauthorized Activity Enterprise Staging Data Theft File Server Back up disk 4/17/2015 DOS 61 FRPA and UMACHA Copyright 2015 all rights reserved Endpoint Network Applications Files Storage

62 What Happens If Your Organization Is a Victim? Discontinue using whatever piece of hardware is infected and disconnect it from any network (Use an expert on removal) Determine what connections that computer had with others and check those for problems Let corporate security know immediately so they can contact the authorities and any outside organization they feel may be needed to fix the problem Change passwords, ID s, etc. for anyone accessing systems tied to the infected system and disable the old ones Notify your provider(s) within 24 hours 4/17/ FRPA and UMACHA Copyright 2015 all rights reserved

63 Recommendations (cont.) (Who is in the best position to provide solutions?) Detecting fraud earlier and automate solutions Increase employee awareness training Better hiring practices Employee monitoring systems (Who touched it?) Investments in new fraud technology Sharing crime issues in real time with others (your bank, like companies, etc.) Seek out help from: (Local Law Enforcement, your vendors, organizations like FS-ISAC) FRPA and UMACHA Copyright 2015 all rights reserved 63 4/17/2015

64 The End ( kind of ) Thank You! 4/17/2015 FRPA and UMACHA Copyright 2015 all rights reserved 64