“Operation High Roller” Makes Banks Cringe

According to a McAfee and Guardian Analytics report dubbed “Operation High Roller,” an international ring of cybercriminals has been attacking banks around the world. They have been siphoning roughly $78 million from bank accounts in Colombia, Germany, Italy, the Netherlands, the United Kingdom and the U.S.

In the report, McAfee Director of Advanced Research and Threat Intelligence Dave Marcus writes that this organized crime ring, built on tactics established with previous malware, is coming up with innovations including: “bypasses for physical ‘chip and pin’ authentication, automated ‘mule’ account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as €100,000 (US$130,000).”

These hackers’ methodology represents a shift from traditional man-in-the-browser attacks on victims’ PCs to server-side automated attacks. Where they once used multipurpose botnets, they now rely on dedicated servers built for the express purpose of processing fraudulent transactions.

Like most financial fraud rings, this one had previously focused on European targets, but McAfee found that their thefts have gone global, spreading to Latin America and more recently to the U.S.

This threat impacts commercial accounts, high-net-worth individuals, and financial institutions of all sizes. The new methodology allows criminals to operate more quickly and to attempt a wider variety of transactions. It is a purpose-built, multiple-strategy approach that helps the criminals’ servers avoid detection, which keeps them live for longer, facilitating even more fraud.

Consumers can begin to protect themselves with antivirus, anti-spyware, anti-phishing, and firewall protection.

Banks and other financial institutions can improve their fraud detection rates even more by incorporating device reputation management into their layered defense. Many leading financial institutions use iovation’s ReputationManager 360 to help stop new account fraud, detect fraud at user login, detect fraudulent credit applications and also to stop check deposit fraud from mobile phones.

How the Rich and Famous Prevent Identity Theft

Despite what you may assume, most celebrities and other extremely wealthy individuals do not relish living in a fish bowl, with every move scrutinized. While some certainly do flaunt their wealth, the vast majority do not want you dropping by their home or following them into the bathroom.

The average people who post their whereabouts online, constantly update their status, or list themselves in the phone book generally have nothing to hide. But in a celebrity-obsessed culture, the rich and famous are frequently stalked or harassed, and, since their personal data is so readily available, their identities are more likely to be stolen.

Every seemingly innocuous personal detail available to a criminal can be used to obtain more information, until that criminal has developed a full profile of the potential victim. A series of little crumbs ultimately leads to a loaf of bread.

The solution is called “security through obscurity.” Now, that statement might mean something different in certain circles, but in this case it means that the best way to secure your identity is to hide, buried in the abyss of the Internet, under assumed names, behind a corporate identity. This doesn’t mean using a stolen identity, but rather creating a corporate alias.

Once you have established a corporation, which is not difficult, you can operate under the business’ name to apply for credit, set up utilities, purchase property, and execute most other transactions. Or you might continue using your own name, but obfuscate your role by listing yourself as a low-level employee instead of CEO.

Regardless of the methods you may use to obscure your identity, you cannot hide your device reputation. Unless you rely exclusively on cash for every transaction and never access the Internet, your computer, smartphone, or tablet has an established online reputation. This is a good thing because it validates your transactions without having to go into your personal details. For example, if you use a corporate credit card to make an online purchase, the retailer can use device reputation technology to analyze the device’s level of risk and determine whether it has a history of fraudulent behavior.

If a retailer is using iovation’s ReputationManager 360, they will know immediately when a customer is attempting to make a purchase with a laptop masking its real location, and if it has been involved in fraud in the past at other iovation-protected businesses. This transaction can be routed to a manual review queue proactively in real-time, giving businesses a chance to prevent losses before they occur.

ID Thief Gets 5 Years for Stealing Identities of More Than 50 People

In California, an identity thief was recently sentenced to five years in prison for committing what appears to be classic new account fraud. The thief reportedly used a victim’s identity to open a mailbox at a shipping store in Modesto, which he often used to have fraudulently issued credit cards and other financial and identity information mailed.

Typically, new account fraud refers to financial identity theft in which the victim’s personally identifying information, generally a Social Security number, is used to open new accounts on the strength of the victim’s name and good credit standing, which are then used to obtain products and services.

Since a thief typically provides an alternate mailing address, such as the shipping store mailbox used in this particular case, the victim never receives the bills accumulating in his or her name, and may remain entirely unaware of the accounts’ existence until the debts have gone unpaid long enough to prompt creditors to track down the victim.

This thief used victims’ information to create fake driver’s licenses with his photo, which helped make the scam stick when he was asked for ID when using fraudulently obtained credit cards.

There are technologies that help credit issuers detect and stop new account fraud by providing real-time intelligence on the device being used to apply for online credit. This technology, called device reputation by iovation Inc., not only alerts businesses when velocity thresholds have been met, it also exposes whether financial fraud, identity theft and other frauds have been attempted by the device or associated computers.

Credit issuers can set up and customize their own unique business rules, and iovation analyzes each application and then returns an allow, deny, or review response for the transaction, along with an explanation of the factors involved.

By identifying new account fraud in real time, credit issuers can save millions of dollars in fraud losses annually. In one case, a Fortune 100 company used iovation to identify 43,000 fraudulent credit applications and save themselves $8 million in fraud loss over two years.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

One-Third of Banking Account Takeover Attempts Successful

The Financial Services Information Sharing and Analysis Center (FS-ISAC), which works with the Department of Homeland Security, has released a study indicating that attacks on customer bank accounts have increased considerably in recent years.

The FS-ISAC, in collaboration with the American Bankers Association, surveyed large financial institutions to collect data on fraud attempts. The responding banks reported a combined 314 break-in attempts in 2011, up from 239 in 2010 and 87 in 2009.

Roughly one third of these attempts were successful in fraudulently transferring money out of hacked customer accounts, with institutions losing a total of $777,064, which is actually a decrease from $3.12 million in 2010. Customers lost only $489,672 in 2011, down from $1.16 million in 2010.

While less money was ultimately siphoned from banks and customers than in past years, there are new attack strategies on the horizon, which may push these numbers up in 2012. Threats, defenses, and vulnerabilities continually emerge, so stay tuned as we track the shifts in our evolving security landscape.

When asked what they were doing to prevent fraud and theft, banks’ three most common responses were:

  • Increased customer education
  • Multi-factor authentication
  • Anomalous behavior detection

This year, the FFIEC updated the security requirements recommended for banks. One of the recommendations encourages financial institutions to employ complex device identification. Oregon-based security firm iovation goes a step further, offering device reputation technology, which builds on device identification by offering real-time risk assessments, exposing any history of fraud associated with a particular device or group of devices, and investigating relationships between devices and accounts that have been associated with fraud in order to expose fraudsters working in cahoots to steal from online businesses.


Protect Your Gaming Account As You Would Your Bank Account

Most people are aware of the need to protect their financial accounts, and generally take at least some degree of care to prevent criminals from accessing their money. Protecting your online game account, on the other hand, might not be such an obvious priority. But when accounts created for playing massively multiplayer online games are connected to credit card accounts and not properly secured, gamers set themselves up for fraud.

PCMech offers some insider tips for MMO players. The fundamentals of account protection include:

Password protection: Never give out your password. If you contact customer service and they ask you to verify your account by providing a “knowledge-based answer,” such as the name of your pet or high school, it’s okay to answer. But never provide any identifying information in response to an unsolicited phone call or email from someone who may be posing as a representative of the MMO.

Beware of infected downloads: Add-ons and modifications downloaded from unofficial sources may be infected with spyware. PCMech’s Nick Greene suggests checking out a game’s online forum to get recommendations for reputable download sources.

Secure connected accounts: For example, if your social networking or email accounts are in any way connected to your MMO account, they both need to be equally secure, with unique passwords.

And, as always, it’s vital to keep your PC up-to-date with antivirus, anti-spyware, anti-phishing, and firewall protection. Remember to update your critical security patches, as well.

While players must do what they can to protect their accounts, the more mature gaming publishers employ multiple layers of defense behind the scenes to protect their valued members. One proactive anti-fraud technology that doesn’t interrupt the player experience and keeps the bad guys out is called device reputation. It examines computers, smartphones, and tablets being used to connect to a game, and helps gaming publishers know who to trust in order to keep their players safe and in a fun environment.


Ode to the Nigerian Scammer

Most of us would never fall for a Nigerian email scam. The obvious “scammer grammar” and outlandish requests would tip us off, as would the supposed Nigerian origin of the message, since we’re probably familiar with the typical claims about Nigerian royalty. So you might wonder why these scammers persist in such an obvious ruse, rather than tweaking their stories to make them more believable.

According to a recent study by Microsoft researcher Cormac Herley, the Nigerian scam is designed to tip off all but the most oblivious recipients. The intended targets are people so unaware of common online scams that they must have been living in a cave without Internet access until, like, yesterday.

In “Why do Nigerian Scammers Say They are from Nigeria?” Herley explains, “Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.”

In other words, scammers are disqualifying the majority of potential victims in order to pinpoint the most gullible as quickly as possible. Anyone naïve enough to respond to such ridiculousness is far more likely to willingly empty their bank account.

Unfortunately for consumers, the #1 method of prevention is education—knowing when something looks too good to be true, not accepting friend connections from people you don’t know, not publishing your personally identifiable information (Teens: please stop posting photos of your freshly-printed driver’s permits and licenses on Facebook), and of course, changing passwords often and not sharing them with others. Installing anti-phishing technology on one’s computer or other device is also known to prevent many of the messages from reaching you in the first place.

On the business side, banks, retailers, dating sites and social networks help prevent scams by identifying known scammers and spammers the moment they touch their website. By using iovation’s device identification service, ReputationManager 360, which shares the reputations of more than 975 million devices from all countries in the world, they not only know a device’s rap sheet (which could include online scam solicitations, spam, identity theft, credit card fraud and more), they know about devices related to it, and are alerted to other forms of suspicious behavior in real-time as well.


Dutch Hacker Extradited From Romania, Charged With Credit Card Fraud

A 21-year-old Dutch hacker known within the online hacking community as “Fortezza” was arrested in Romania in March, and extradited to the United States in June.

U.S. Attorney Jenny A. Durkan, who chairs the Attorney General’s Advisory Committee on Cybercrime and Intellectual Property Enforcement, said, “This defendant has wrought havoc on victims and financial institutions around the world, this indictment alleges that in just one transaction he trafficked in as many as 44,000 stolen credit card numbers resulting in millions of dollars in losses to financial institutions. Cybercriminals need to know: We will find you and prosecute you. I commend the cyber investigators at the U.S. Secret Service Electronic Crimes Task Force and Seattle Police Department for tracking down these international criminals.”

Hackers like “Fortezza” employ a variety of methods to obtain credit card data. One technique is wardriving, in which criminals hack into wireless networks and install spyware. Another is phishing, in which spoofed emails prompt the victim to enter account information. “Smishing” is similar to phishing, but with text messages instead of emails. Some hackers use keylogging software to spy on victims’ PCs, while others affix devices to the faces of ATMs and gas pumps in order to skim credit and debit card data.

All this stolen data is ultimately used to steal from financial institutions, which lose $40 billion a year to credit card fraud, and from retailers. These business fraud targets must employ multiple layers of protection to thwart cybercriminals.

One layer that businesses put upfront in their fraud detection process is based on device intelligence—what that device is doing right now on the site, and what fraud or abuse that device has caused with other businesses, even in other geographies. The leader in device identification technology is iovation, and they offer a fraud prevention service that allows online businesses to create customized business rules for identifying potentially risky transactions, and those rules can be adjusted on the fly as new threats emerge.


Online Gaming Is Lucrative For Organized Gold Farming Rings

So-called “gold farmers” play massively multiplayer online games, not for fun, but to accumulate virtual currency, or “gold,” which can then be sold to other players, despite the fact that most game operators explicitly ban the exchange of in-game currency for cash. Gold farming is so lucrative, people in China and other developing nations can support themselves by working full-time operating gold farming rings.

During an interview with TechRadar’s Dan Griliopoulos, Will Leverett, Senior Manager of Customer Service at South Korea-based online video game company NCsoft, explains, “We’re convinced that groups on the seedier side of the Internet run in parallel to each other, with many offenders in China and Russia. The simplest thing players could exchange for real-world cash was in-game currency, which would then hugely unbalance the in-game economy and auction systems; essentially, those people buying currency were using their real-world wealth to employ a tribe of servants to do their work for them, as opposed to their compatriots who were attempting the same thing by the sweat of their brow.”

Massively multiplayer games that are free-to-play typically feature in-game currency, which can be converted to real cash. This currency drives organized criminals to set up banks of gamers on various IP addresses, manipulating the game in order to accumulate as much currency as possible.

Many leading gaming publishers and MMOs are finding it increasingly necessary to deploy a layered defense to prevent gold farming, chargebacks, virtual asset theft, and, increasingly, account takeovers within gaming environments. By leveraging the power of device identification and device reputation technology, which examines the computers, smart phones, and tablets being used to connect to an online game, the publisher can easily detect patterns of players working together and shut down an entire ring of cheaters at once. In one case, a major gaming publisher implemented Oregon-based iovation’s fraud protection service and was able to take action against 1,000 fraudulent accounts almost immediately.


European Cybercrime Not Slowing Down

Device reputation authority iovation published a report revealing that the number of fraudulent transactions originating from Europe has risen dramatically over the past two years. From April 2011 to April 2012, iovation prevented approximately 15 million fraudulent online transactions in Europe. That’s an increase of 60% over the previous year. The rate of European fraud attempts jumped from 1.3% of total transactions in the first quarter of 2011 to 2.1% in the first quarter of 2012, and has risen steadily throughout the past two years.

iovation stops fraud attempts with their ReputationManager 360 solution, which has the unique ability to determine which online transactions are less trustworthy via patented reputation capabilities. By examining the established reputation of mobile phones, tablets, and computers, and uncovering other device relationships, iovation helps businesses find out ahead of time which online transactions are safe and trustworthy.

Consumers should really be checking their credit card statements monthly, at a minimum. Checking online statements once a week is preferred, and setting up alerts such as “Send me a text or email every time a charge over $100 takes place on my credit card” doesn’t hurt either.

While cybercriminals are everywhere, the European countries where iovation has seen a higher proportion of “denied transactions” relative to all transactions from that country include Romania, Lithuania and Croatia. The types of fraud being uncovered include eCommerce fraud such as the use of stolen credentials or card-not-present (CNP) fraud, financial fraud and bonus abuse on gambling sites, and a plethora of online scams and solicitations being detected in social networks and dating sites.

Scammers who spend their days targeting consumers in the developed world are often blocked by businesses that are using layered fraud prevention technologies. iovation’s real-time device reputation technology detects computers and other Internet-enabled devices that have been involved with financial fraud and other abuses and lets businesses know when those devices are interacting with their websites.

iovation’s network of associations among 950 million devices provides businesses with the ability to know when devices are related to one another, so they can quickly and efficiently shut down sophisticated fraud rings and fraudulent accounts.


Identity Thief Gets 4 Years in Club Fed

Four years and six months doesn’t seem like a particularly severe sentence for a thief in Washington state who stole 15 people’s identities, including four police officers, created fake driver’s licenses, washed checks, and used “mules” to steal sensitive documents, make purchases with stolen credit, and sell the merchandise. The thief’s attorneys described him as a “38-year-old drug addict who has had medical and mental setbacks and was living in a motel.” I don’t know what his mental setbacks are, but all the meth he was doing may have been a contributing factor.

I spoke about this very case at the Merchant Risk Council’s 2012 MRC Annual e-Commerce Payments & Risk Conference in Las Vegas. I shared the stage with Detective Adam Haas, who investigated the case, and Jon Karl, from device reputation leader iovation, to discuss “How Device Associations Helped Law Enforcement Tie Multiple ID Theft Cases Together.”

The thief in this case stole tax records and Social Security numbers from mailboxes and used the stolen information to take over victims’ credit accounts and to create counterfeit checks and fake driver’s licenses, which he used to purchase expensive items at local stores. He sold many of the stolen items on eBay or Craigslist, or simply exchanged them directly for drugs. After being arrested and released pending trial, the thief fled, posted “catch me if you can” on his MySpace page, and continued committing the same crimes. In January, he pled guilty to bank fraud and aggravated identity theft.

Kirkland police detectives received a great deal of assistance from Portland-based iovation. iovation’s ReputationManager 360 service was used to track down the fraudulent credit applications at various retail chains, which originated from a group of computers that iovation linked together within their vast network of more than 950 million unique devices. In addition to nabbing the thief, they were able to help identify other victims within the state who were not yet aware they had been impacted.

In a statement, the Detective commented, “The online digital bread crumbs sniffed out by iovation were critical in tying everything together, leading to a much bigger crime ring than we originally suspected.”

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses organized criminal hackers on Good Morning America. (Disclosures.)