RSA: Committing Online Fraud Is Just Too Easy
Daniel Cohen, head of FraudAction at RSA – a security division of EMC – explains how cybercriminals have upped their game
What’s the state of play with cybercrime at the moment?
With the bad guys, this past year, it has all been about being customer-centric, customer-focused. There are many, many vendors in the deep web and just like in our world they’re fighting over, or trying to get the attention of, the same customers. Customer support has been big. You can see this in illegal credit card stores. When you buy a credit card there, if you try to use it and it doesn’t work, you can come back for a refund or they’ll replace the credit card for you. They’re nice like that.
We recently released research on the use of social media by cyber criminals. They’re now using social media as a platform to offer their goods and services. They’ll congregate in groups relating to whichever topic interests them, such as credit cards or malware, and offer their goods and services in that space.
How is the sophistication of ransomware attacks developing?
With ransomware today there are platforms for ransoms, almost like ransomware-as-a-platform. You log into a platform, you create your user, plugin and press a button that generates ransomware for you. You then spread it, infecting machines, and you don’t have to worry about collecting the money and where the money is paid to. The platform takes care of that overhead. Your victims are paying into this platform that will keep its share for the services rendered to you. Then it will send you the money, perhaps in the form of bitcoin.
How are criminals taking advantage of this kind of service?
This is all taking place in the deep web, so you need to know how to get there. I would stay away from it, certainly if you’re using a computer you love. The deep web is basically beyond the bus. It’s not searchable or indexable. You can’t just Google ‘stolen credit cards’ and find one of the websites that way. You need to know how to arrive at the forums, and usually you’ll need to be invited to them. You need to know what their onion addresses are, so you can gain access to the forum then monitor what’s happening.
Cybercrime is getting better, even the spelling in spam and phishing emails is improving. It’s the breakdown of services within the underground. You can get someone to put together a phishing email for you – a phishing campaign – and they’ll make it look perfect. You outsource that part of the chain to them then you can get someone to put together a nice phishing website for you. In fact, putting together phishing sites is easy. We’ve identified software that, with the press of a button, it just pulls an entire website down, packages it up into a phishing kit and you can even configure where you want the credentials to be sent to. I could point the little application at a bank’s website and say that I’m interested in usernames and passwords, and get it to send customers’s personal details to my Gmail address. The software builds the kit for you, which you then just deploy on a server and that’s it ready for you – a perfect mimic of the bank’s website that’s sending me credentials. It’s easy.
I don’t want to spread fear, uncertainty and doubt. It’s easy to do that. For consumers and end users it’s becoming very challenging to be human. The risks posed to your identity, and obviously your information and financials, is just increasing. But, on the other hand, the banks are also doing more and being more proactive to protect your information. You can see the increased use of biometrics in the authentication process. As consumers it’s very easy to get scared but I think the security and financial industries are very actively pursuing ways to secure your identity and financials.
What impact is IoT having on fraud?
The risk by IoT is really posed to your identity, as you see more and more of these devices being used as authentication mechanisms. If I’m not mistaken I think the Jawbone Up smartband and American Express are now in some kind of partnership where you can pay with your Up band. Up is probably going to build some sort of biometric profile, then you can leverage that as an authentiction method. But we have to remember that IoT is not just one company developing its software security. It’s a whole bunch of companies that are developing their ‘things’ mostly without standards without agreed upon protocols, probably not securely. And they’re transmitting your data continuously. Every ‘thing’ is transmitting and, depending on how secure that ‘thing’ is, your data could be compromised or not. With that said, we don’t come across chatter in the underground where someone says ‘hey, this is how to hack into the whichever smart band, pull the biometric profile and use that’. We don’t see that but the world is moving in that direction. It’s an area of focus for the industry.
Are you seeing any new style of cyber threats?
There’s nothing really new. It’s mostly evolution of existing stuff. The evolution of malware attacks, account takeoevers, and phishing continues to rise. Phishing attacks that we detected throughout the past year went up by 10 percent year-on-year so it’s increasing. The activity’s increasing, it’s evolving. It’s looking better and is harder to see through.
What can consumers do to protect themselves?
When it comes to their computers, they have to keep their computers up-to-date. If your running Windows XP, don’t. Because we’re at the end of life on XP and you’re going to get hacked if you’re not already hacked. It’s a matter of computer hygeine and keeping your systems up-to-date.
As a human, from the social engineering aspect, just be vigilant, and be aware of the fact that cybcercriminals are constantly trying to get your information because they monetise it later in the underground. Think before you click. Don’t fall for the ‘you are a lottery winner’ type scams, but people do.
I consider myself to be a very security conscious individual. I don’t click on everything I see but I could walk into a restaurant, my card can be swiped and my data can be stolen. What can I do about it? There’s not much I can do about it but I can trust that the financial industry and security industry are working behind the scenes to protect my information. As important as consumer vigilance is I think the onus will fall on us in the security industry.
How much do you know about hackers and viruses? Take our quiz to find out!