Thursday 15 August 2013

Guilty Plea in Massive Card Fraud

Guilty Plea in Massive Card Fraud New Jersey is a hotbed of activity in the crackdown on card fraud. Federal authorities there announced last week that a fourth defendant has pleaded guilty in a case revealed in February involving a massive global credit card fraud scheme that spanned nearly 10 years.
The latest guilty plea in that case came about two weeks after another massive New Jersey fraud case grabbed headlines. That case involved the indictment of five alleged hackers with ties to Heartland Payment Systems hacker Albert Gonzalez in connection with a credit and debit scheme that is believed to have compromised more than 160 million cards

$200 Million Scheme

The latest guilty plea was in connection to a scheme that involved more than 25,000 fraudulent credit cards and resulted in fraud losses estimated to total more than $200 million.
"This is ... in fact, the largest case of organized credit card fraud in the U.S. as far as confirmed losses," says financial fraud expert Al Pascual, an analyst for the consultancy Javelin Strategy & Research. "The techniques the group utilized aren't anything new or groundbreaking, but, rather, it is the scale of the crime which makes it special."
Pascual says the case points out due diligence shortcomings. Banking institutions need to do more to ensure they are going back to review accounts, as well as loan applications, after they are opened.

The Pleas

On Aug. 7, the U.S. Attorney of New Jersey announced that Muhammad Shafiq pleaded guilty to one charge of conspiracy to commit bank fraud filed against him in February for the role he played in a credit card scheme that was built on synthetic, or fake, identities and fraudulent credit histories.
Shafiq is the fourth defendant to plead guilty among the 18 who have been charged in the case, federal authorities say. On July 31, Vernina Adams and Raghbir Singh pleaded guilty to the same charge that was brought against Shafiq. And on July 24, Mohammad Khan pleaded guilty to charges of conspiracy to defraud the United States.
Shafiq, Adams and Singh could face a sentence of 30 years in prison and a $1 million fine, or twice the gain or loss caused by their offense. Khan faces a maximum sentence of five years in prison and a $250,000 fine, or twice the gain or loss caused by the offense.
Khan's sentencing date is set for Oct. 30. Sentencing for Shafiq, Adams and Singh is set for November.

The Credit Scheme

In February, federal authorities arrested 13 individuals allegedly connected to the crime. Several others allegedly connected to the scheme had already been arrested, authorities said.
The Federal Bureau of Investigation spent 18 months investigating the case, which dates back to 2003.
The scheme involved moving millions of dollars through accounts under the conspirators' control, as well as wiring millions of dollars overseas, authorities say. An investigative analysis identified $60 million in proceeds that had flowed through 169 accounts, with most of those funds being withdrawn in cash, investigators say.
Authorities contend that those charged in the case and their co-conspirators created more than 7,000 false identities and fraudulently obtained tens of thousands of credit cards they used to purchase lavish goods and stockpile large sums of cash.
Additionally, those charged allegedly wired millions of dollars to Pakistan, India, the United Arab Emirates, Canada, Romania, China and Japan, authorities say.
When they entered guilty pleas, Shafiq, Singh and Khan admitted they helped obtain credit cards in the name of third parties, many of which were fake, and then directed the credit cards to be mailed to addresses controlled by members of the conspiracy. They also admitted they knew the cards would be used fraudulently at businesses, with Khan admitting to personally using the cards.
Adams, during her plea, admitted to advertising on Craigslist to recruit individuals willing to add someone to their credit card accounts. She also admitted to selling other members of the conspiracy fraudulent trade-lines - a network of black-market businesses. Adams said she extended a fictitious line of credit to a false identity, backdated the line of credit so it appeared to have existed for a longer period of time and then falsely reported that the line of credit had been paid.

A Warning for Banks

The case offers some lessons for banking institutions, Pascual says.
"This crime illustrates the fact that issuers, and lenders in general, should be conducting post-origination reviews of internal loan data for trends indicative of large-scale fraud," Pascual says. "With 7,000 false identities having been used, there were undoubtedly individual institutions with hundreds of these fraudulent applications and/or cards."
Banking institutions should be scanning their card portfolios and previous applications for suspicious activity and other red flags on a regular basis, he says. Doing so allows loan issuers to cross reference findings and identify efforts to defraud the bank, Pascual says.
"The fact of the matter is that at first blush some loan applications can pass muster, but fraud mitigation should not stop once a loan is issued as some fraudsters take the long view over the immediate payday," he says.
One fraud prevention expert praises the recent crackdown on crime rings in New Jersey, but questions whether the action will have a meaningful long-term impact.
"It is good to see more charges being brought, but the fact is, the penalties for these crimes just aren't stiff enough to stop others from committing similar ones," says Shirley Inscoe, a fraud expert and analyst for consultancy Aite. "Millions of taxpayers are defrauded, banks lose millions of dollars, which they have to make up through larger fees, and then taxpayers have to pay for the trials of these crooks. It is maddening."

International Collaboration To Takedown Botnets.

Moscow-based cyber-intelligence firm Group-IB is working with INTERPOL to monitor and track online criminals through the takedown of botnets.
The forensics firm, which has assisted in the takedown of botnets such as Grum, has been working with international law enforcement to profile cybercriminals. And during this interview with Information Security Media Group [transcript below], Group-IB researcher Andrey Komarov explains how his firm monitors undergrounds forums to track the steps of the hackers who sell malware and oversee command-and-control centers.
"We share different cyberintelligence information, including profiling on cybercriminals and also information about money mules," he says.
One of the Group-IB's newest partners is the INTERPOL Digital Crimes Center, which the firm will join in 2014.
"We plan to relocate some of our employees there to provide expert help in digital forensics and cybercrime investigations, including botnet intelligence support," Komarov says.
The Digital Crimes Center's aim is to bring together experts responsible for cyber-investigations to receive threat intelligence from different sources, such as Group-IB, he explains.
"[Currently] there are no unions, especially internationally, which are efficient and have a practical approach for sharing cyberintelligence information," Komarov says.
During this interview, Komarov discusses:
The increasing need for more global information sharing about cyber-intelligence;
Emerging mobile malware attacks that are targeting North American banks;
Why point-of-sale Trojans are quickly becoming the cybersecurity world's biggest worry.
At Group-IB, Komarov oversees international projects related to cyber-intelligence. Before joining Group-IB, which was founded in 2003, he worked within the research institutes of the Federal Export Technical Committee of the Russian Federation and in the structural units of the Ministry of Industry and Trade. Komarov also is a member of the security committee of business for the Chamber of Commerce and Industry of the Russian Federation.
Group-IB
TRACY KITTEN: Group-IB is in a somewhat unique position because of the access that it has to underground forums in Russia. What can you tell us about this unique perspective that your organization has because of your presence in Russia?
ANDREY KOMAROV: Group-IB was founded in 2003 as quite a small company; but right now we're over 90 people and we have branches in New York and Singapore. In 2008, we founded our own CERT and we do lots of stuff together with other CERTs all over the world to share cyberintelligence information about different threats, botnet activities, malware and fraud. We have a special analytics group that's responsible for monitoring different underground communities and forums. They do profiling of cybercriminals, because our key target is to get a full understanding about the profile of the cybercriminal, including physical location. This information we share with law enforcement of different countries, which helps them to reduce the fraud and also to stop some international organized crime groups. We have some good understanding about all cybercrime with Russian-speaking roots; it's very important to understand that right now cybercriminality is located in other countries, such as the former U.S.S.R. countries; it's not only Russia. The great problem for us is to find them in foreign countries, because most of them are moving to E.U. [European Union] and Asian countries, so-called risk zones, where lots of providers ignore abuses or law enforcement requests, which is really difficult for investigations.
Profiling Cybercriminals
KITTEN: Group-IB's mission is to track down the actors behind these cyber-attacks, as well as emerging malware. What kind of work is Group-IB doing to profile cybercriminals?
KOMAROV: First of all, we monitor them for quite a long time, gathering their context in different underground forums or other instant messages. For example, last year we found some developed systems that are used by cybercriminals to share messages with each other, especially during communications with money mules or other fraudsters in other countries, and they try to make such conversations very secure.
We also monitor their physical locations. That's why sometimes we get some support from law enforcement or private investigators to make physical surveillance. Our analytics usually receives some sensitive information about their real meetings in the real world, and it's very important to track their locations - their places of interest. Sometimes it takes maybe two or three years to get a full understanding about not just one member of their cybercriminal gang, but the whole group.
Last year, we had assisted Ukrainian law enforcement in arresting eight members of the Carberp group. It's really a transnational group, recording malware development, for example. The bot-kit model for Carberp was developed by Chinese hackers. It's a true and confirmed fact. It's really important to monitor the whole group, not just several personalities.
One of the key interests for us is the monitoring of the owners of underground communities and the authors of modern banking malware, too, because it helps us track their customers, so-called underground customers, or the products, and to make efficient cybercrime investigations. We share lots of e-crime intelligence information with financial institutions and law enforcement. It's impossible to do it efficiently without this data. I can say that we have confirmed information about authors of all modern banking Trojans with Russian roots, like Zeus, SpyEye, Citadel, Carberp, Andromeda and many others.
Detecting Fraud
KITTEN: What exactly is your company doing to detect fraud?
KOMAROV: The most unique technology we use is botnet striking. We have a special engine called Bot-Trek, which helps us monitor botnets in different networks without physical installation. We do it absolutely remotely and we extract their data about compromised clients from the botnets and share it with banks, e-commerce or other companies, providing them with compromised data, such as credentials, compromised online banking accounts, credit cards, intercepted forms by Trojans, and many other things for reducing potential breaches or fraud. Currently, we have had some successful cases with Microsoft's Digital Crimes Unit, Spamhaus and a series of countries, such as Poland, in joint takedowns of several big botnets such as Virut and Grum. Right now, we provide this software-as-a-service to the banks and the financial industry.
Citadel Takedown
KITTEN: Was Group-IB involved with Microsoft's Digital Crimes Unit's takedown of the Citadel botnet?
KOMAROV: Yes. We have assisted Microsoft's Digital Crimes Unit to help them with sink-holing and takedowns on command-and-control centers located in Russia on .ru and .icu domains, because we control these domain zones by an official agreement with the Ministry of Telecommunications and the National Coordination Center. That's why we can get any personal details about any owner of the domain, or we can block the domain and re-delegate if it's fraudulent or malicious. I can say that, according to our statistics, the biggest part of Citadel command-and-control centers has a Russian-speaking author and currently we're working on investigating his physical location to help Microsoft and law enforcement arrest him.
Tracking Brobot
KITTEN: Has Group-IB been doing any back-end work to help track the growth and activity of Brobot, which is the botnet that's being used to wage distributed-denial-of-service attacks against U.S. banks?
KOMAROV: Yes. We had some information on that and several of our U.S. and U.K. partners asked us for help, because this malware has Russian roots. Several of the command-and-control centers were placed in Russia. ... We established several authors responsible for its development located in the Ukraine and also we have received the full list of targets with timing.
DDoS
KITTEN: To what do you attribute the pause in DDoS attacks that have been hitting U.S. financial institutions since mid-September. Do you think it's related to some of these command-and-control centers being taken down?
KOMAROV: Possibly, but I would like to mention that right after this investigation we have blocked several so-called bullet-proof hosting operators located in Romania and some Asian countries, with help from police departments in some of those countries. I can say that probably it's because of that. It's very important to locate command-and-control centers. Two of the people we have found were arrested, but they were arrested for other crimes, including money laundering and online banking theft. Probably other members of the group were worried and they stopped their cybercriminal activities for some time; but it could be because of other reasons, too.
Working with FS-ISAC, Interpol
KITTEN: Group-IB is also working with the Financial Services Information Sharing and Analysis Center, as well as international law enforcement agencies such as Interpol. What can you tell us about the work you're doing there?
KOMAROV: Currently, we share different cyberintelligence information, including profiling on cybercriminals and also information about money mules. We monitor money mules in different countries, including the U.S. by watching underground and special underground services which provide money mules to the hackers. We collect the lists of and then share them with banks and law enforcement to stop these mules in the bank or to investigate their details. With Interpol, its Digital Crimes Center is one of our new partners. We will join it in 2014, when the center will be built and ready. We plan to relocate some of our employees there to provide expert help in digital forensics and cybercrime investigations, including botnet intelligence support.
Digital Crimes Center
KITTEN: The Digital Crimes Center is opening in Singapore in 2014. Can you tell us about the purpose of this center?
KOMAROV: I was very surprised when we received information about the center. We were really waiting for quite a long time. Thee are no unions, especially internationally, which are really efficient and have a practical approach for sharing cyberintelligence information. Interpol's Digital Crimes Center is an official law enforcement structure. The key aim and role of the center is to gather different police experts and police officers responsible for cybercrime investigations to receive intelligence from different sources and to share it with national bureaus of countries that official members of Interpol. It's very pleasant and interesting that this center is quite open for the expert community, and some of our close partners are also involved. We're happy to assist and will do our best for them to reduce fraud worldwide and to make cybercrime investigations finalized.
Cyberintelligence Sharing
KITTEN: What kind of cyber-intelligence are you sharing with banking institutions?
KOMAROV: We can divide it into several categories. One, the largest, is compromised data. It's the compromise of online banking accounts used by the customers of those banks, including compromised credit cards. The second is money-mule intelligence. It's the list of so-called active money mules. The third category is information about different threats, including brand abusing or phishing. Our CERT helps to monitor phishing. It's very important to have your own cyberintelligence resources or solutions. Modern antivirus or any security hardware, such as hardware firewalls or Trojan-detection systems, they're helpful but they can't reduce fraud. An example is when lots of customers have antivirus systems, but nearly 30 percent of them are infected by new banking Trojans or different private malware; that's why the banks need someone who can assist them and help them to stop fraud proactively.
Emerging Malware Attacks
KITTEN: You've recently identified some unique banking Trojans that were targeting banks as well as mobile devices. What can you tell us about these emerging malware attacks and what made them unique, as well as the organizations that they were hitting?
KOMAROV: We have found several private malware [strains], including new banking Trojans for mobile platforms, especially for Android. Several weeks ago, we found a new sample targeting Australian and Canadian banks. Previously, we have seen the same on U.S. banks. Previously, hackers infect with malware banking customers' standard computers and then they ask the customer to install something additional, such as a mobile banking application, and they upload the malicious application, which helps them monitor the customer - the physical location, the history of the codes and messages - and also to block the calls from the bank if the bank's fraud management department finds something suspicious. The malware also can intercept messages containing one-time passwords. They intercept them and hide from the end-customer. Then they use it for making transfers, and they do this transfer absolutely in silence. That's why the customer can't react to such threats. Point-of-sale malware is also an emerging threat, because we have found nearly 30 command-and-control centers of such malware, [including] BlackPOS. It seems to be Ukrainian authors who are responsible for it. We also monitor new exploit kits, which help hackers spread malware through vulnerabilities in Internet browsers.
KITTEN: What can you tell us about the greatest cyberthreats Group-IB has identified over the last six months? Which industries would you say are most at risk?
KOMAROV: First of all, it's the Grum botnet, because right after its takedown, according to statistics, the total percentage of world spam was reduced by 20 percent. It was targeted not on specific customers, but lots of users worldwide who were infected and their machines were used for spam and DDoS on banks as well. The second is new point-of-sale malware, such as BlackPOS. We have very deep investigations going on now with Visa, because some of the Visa merchants were hacked. Because of poor security, someone placed this malware there. We do this job together with the U.S. Secret Service and the FBI [Federal Bureau of Investigation]. Also, we share this information with Interpol's Digital Crimes Center. For the newest cases, I can't tell you the exact facts, because some of them are confidential. But I can say that in the next month, we plan some very serious arrests of a very big group; possibly some Citadel authors will also there.

What is DHS CDM program and how its works

Continuous Diagnostics and Mitigation is a program which Department of Homeland Security (DHS) established to implementation approach consistent with the Information System Continuous Monitoring (ISCM) methodology.
CDM Mission
The Continuous Diagnostics and Mitigation (CDM) program provides tools and services that enable Federal and other government IT networks to strengthen the security posture of their cyber networks.
How CDM Works
The CDM Program enables government entities to expand their continuous monitoring capabilities by increasing their network sensor capacity, automating sensor collections, and prioritizing risk alerts.
This approach lowers the operational risk of information security systems and .gov networks.
  • Agency-installed sensors perform an automated search for known cyber flaws.
  • Results are fed into Agency-level dashboards that produce customized reports, alerting government IT managers of their worst and most critical cyber risks, based on standardized and weighted risk scores.
  • Prioritized results enable agencies to efficiently allocate resources, based on the severity of the risk.
  • Progress is tracked and results can be shared within agencies. Summary information will feed into a central Federal-level dashboard, managed by the Department of Homeland Security (DHS), to inform and prioritize cyber risk assessments across the government.
About the Program
In 2012, the Office of Management and Budget identified continuous monitoring of Federal IT networks as one of 14 Cross-Agency Priority (CAP) goals, established in accordance with the Government Performance and Results Modernization Act.
To support Federal Departments and Agencies in meeting the CAP goal, DHS established the CDM program, an implementation approach consistent with the Information System Continuous Monitoring (ISCM) methodology.
Through its authority, DHS will ensure that CDM is consistently implemented, meets critical requirements for effectiveness, and leverages centralized acquisitions in the form of strategic sourcing.
The CDM program is housed within the DHS National Protection and Programs Directorate, Office of Cybersecurity and Communications (CS&C). The CDM program management office resides in CS&C’s Federal Network Resilience division.

If you Knew you Were Going to be Attacked, What Would you do Differently?

Recent reports have found that cyberattacks against U.S. corporations are on the rise, along with an increase in international threats, especially from China, and emerging threats to small businesses. Today, it’s not a matter of if an organization will be the victim of a cyberattack, but when.
If you knew you were going to be attacked, what would you do differently to prepare your infrastructure? Here are the most important steps you should take when protecting your organization.
Dedicate Budget
When budgets are tight, money is funneled towards the revenue generating parts of the business, and security is placed on the back burner. Smaller organizations especially do not think they will be attacked and do not understand the value of security. They also often lack knowledgeable staff, training and resources. It is necessary for organizations of all sizes to dedicate sufficient resources to training and hiring IT staff, or to outsource their security needs to a third-party provider.
Assess Your Risks
It is important for organizations to have a clear view into the risks facing them. Some organizations might want to consider partnering with a consultant that can perform an audit and assess their risk profile. Then, the organization can put a plan in place to protect itself.
Take Action
Once you have identified the threats facing your organization, put the right technology and best practices in place to prevent them, for example:Put up firewalls
Upgrade code
Don’t forget about PCI certification: PCI is evolving and requirements will probably become stricter in the future. PCI certification can mitigate the risks to systems that store or transmit credit card data.
There are also several low-cost best practice solutions that can help you to substantially mitigate long term data loss and exposure. These include:
  • Staff Training
  • Virus / Malware Updates
  • System Patching
  • Open source detection tools:  IDS / IPS
  • File integrity monitors
  • Application penetration testing
  • Source code review
  • Incident Response planning and training
  • Be Proactive
The threats to the organization are constantly evolving, and the security team needs frequent training to stay up-to-date on the latest risks. For example, financially-driven attacks have become a huge issue recently, as are new phishing attacks, viruses, worms and Trojans.
For example, the Downloader.MDW, better known as Dialer.XD, forces affected computers to generate a large amount of network traffic activity with the consequent consumption of bandwidth. It carries out actions that decrease the security level of the computer and uses anti-monitoring techniques in order to prevent it from being detected by antivirus companies. It also spreads across the Internet while being downloaded by other malware.
Also, the Linux.Apaback is a Trojan horse that modifies network traffic and opens a back door on the compromised computer. Although this Trojan is considered low risk as it is easily mitigated and removed, an unsuspecting organization caught off guard can be entirely compromised by allowing such a threat to exist.
In order to stay informed, IT staff should participate in security focused events, subscribe to mailing lists, and talk to their peers. Organizations should ensure that they have the latest patch versions. They should constantly scan for threats and plug vulnerabilities in a timely manner.
Beyond the IT department, basic security training is important for all staff. For example, all employees should understand password requirements and complexities.
Conclusion
In the security business, the good guys need to be prepared 100 percent of the time, and the bad guys only need to be right once in order to cause major damage. By following this checklist, you can help ensure that your business is prepared.