Where do Fraudsters Learn About New Attacks? From the Good Guys.

To Maximize Profits, Fraudsters Need to do a Whole Lot of Learning.

Fraud provides endless opportunities for the enterprising individuals who commit it. There are many techniques to separate unsuspecting victims from their money, and even more cover stories that allow the fraudsters to carry out those techniques. Fraud is by nature a process, and in most cases an elaborate one. Take, for example, the classic technique of setting up a Phishing attack, logging into the victim’s online banking account and transferring the money to a mule account (an account operated by the fraudster or an associate that is used to accept and cash out fraudulent funds). For the Phishing attack, the fraudster would need a “root” (a hosting server, either hacked or rented with a stolen credit card), a “scam page” (the Phishing kit), a mailing list to spam the Phishing letter to, and a tool that would actually send the spam E-mails. Even before that, he’ll have to find out which bank is the easier target.

Once the Phishing attack is set up and victims’ credentials are collected, he’ll have to log into the bank’s website, probably through a proxy server so as not to arouse suspicion. Then he’ll have to transfer the money to a pre-determined mule account within the bank’s money transfer policies. This requires the fraudster to know exactly how much money can be transferred without drawing the attention of the bank’s fraud department. Getting a mule is no walk in the park either. Most mules are recruited through work-from-home scams, which means setting up a mule recruitment network, managing the mules, and so on.

The level of sophistication required to commit fraud, even in classic schemes such as this example, pushed fraudsters to build the underground community. Instead of learning how to do everything, fraudsters learn how to do one thing very well and then offer it as a service to the market. While this arrangement simplifies the fraud process and enables unsophisticated fraudsters to commit fraud, there is still a big variance in the success rate of whatever each fraudster is doing. A mule network, for example, can be extremely unsophisticated, relying on social engineering through E-mails, or extremely sophisticated, using a back-office mule management panel and a “front” website of a fake company that is supposedly hiring. The cover stories for each mule network can also vary, from simple cookie-cutter E-mail templates to a custom-written hiring process designed to lure unwitting individuals into signing up as mules. These variances affect the success rate of the scam and therefore how much money the fraudster will make (either by actually stealing money or through the price he can charge for his service in the underground market).

Looking to maximize their profits, fraudsters need to do a whole lot of learning. They can either learn techniques of areas they have not focused on thus far, learn better techniques in the field they already specialize in, or learn new cover stories to improve the techniques they already use. A lot of this learning is done through trial and error. That’s how fraudsters discover vulnerabilities in banks’ processes that allow them to cash out a lot of money with relatively little effort.

Several years ago, a lot of this learning was also done through peers in the underground communities. Respected members posted tutorials on specific parts of the fraud process, or on the entire process, while other members opened discussion threads about subjects that interested them. However, as these communities were shut down by law enforcement, many of the remaining ones changed and focused strictly on being a platform for underground trading. Tutorials and discussions still exist, but not in the volumes of the past. Fraudsters had to learn from their peers in a different way.

Law enforcement agencies, security companies, reporters and various organizations often blog or write articles about the latest scams they have observed, in the hope that others learn to better protect themselves. Instead of reading tutorials, fraudsters simply follow these publications to see what other fraudsters are doing. If the technique works, or if they just see potential in it, they can adopt it for themselves. One fraudster suggested checking out the website of the Internet Crime Complaint Center, an FBI-NW3C partnership that allows victims to file complaints about scams. The website also details an extensive list of Internet crime schemes, which fraudsters can read and learn from. The fraudster suggested picking one that looks nice and thinking of ways to make it more effective and “bulletproof.” In another case, fraudsters listed various blogs of security companies and reporters, with a suggestion to track their posts.

Fraudsters will always search for new ways to expand their knowledge in the extremely broad field of fraud. Not only do fraudsters show intelligence gathering capabilities from “the enemy” (the banks and the security industry that protects them), but they also use the enemy’s intelligence gathering capabilities to their benefit – improving the sophistication level of their own attacks.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA, where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Through his work at the Anti-Fraud Command Center, as well as the unique insight gained from the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise on the underground fraud economy and how cybercriminals operate.