Featured Article

Burgeoning botnets!


You've heard of the big-news breaches: Target, Home Depot, JPMorgan Chase, Michaels. Large and small organizations allow porous online systems to jeopardize their customers and diminish profits. Find out how cybercriminals use infectious malware to infiltrate web browsers and steal identities and personally identifiable information.

The author's views aren't necessarily those of the ACFE, its Board of Regents or employees. — ed.

Botnets abound! Those crafty high-tech e-robots that cybercriminals use to silently infiltrate personal computers and other devices are increasing worldwide. Fraudsters use botnets to distribute malicious software — malware — to steal personally identifiable information (PII) and identities and then link computers to form networks to spread viruses, attack computers and servers, and commit other kinds of crime.

In January of last year, Aleksandr Andreevich Panin pleaded guilty in an Atlanta federal courtroom to a conspiracy charge as the primary developer and distributor of the SpyEye malware, which he created to steal from financial institutions. (See Botnet Bust, FBI, Jan. 28, 2014.)

According to the FBI, Panin sold the SpyEye malware in underground hacking forums to more than 150 "clients" who paid from $1,000 to $8,500 for various versions. The cybercriminals then used the malware to infect more than 1.4 million computers and steal victims' PII and economic information to transfer hundreds of millions of dollars out of victims' bank accounts and into fraudsters' controls — a classic use of botnets.

The FBI busted the SpyEye botnet gang after a major joint investigation under the FBI's Operation Clean Slate (OCL) initiative designed to "eliminate the most significant botnets affecting U.S. interests by targeting the criminal coders who create them and other key individuals who provide their criminal services to anyone who'll pay for them."

Panin's strategy and downfall

One of the online underground ads for the SpyEye Zeus malware described it as a "banking Trojan with form-grabbing possibility," which meant that it was capable of infiltrating a victim's web browser and stealing his banking PII while he was involved in an online banking transaction. Another ad touted the malware's "cc grabber," which meant it could scan stolen PII specifically for credit card information.

Panin made a big mistake when he sold his malware online to an undercover FBI agent. He was ultimately arrested in July of 2013 at the Atlanta, Georgia, airport. But perhaps, more importantly, the FBI had used a search warrant to seize a server in Georgia (the U.S. state) and bust up the botnet and rid infected computers of the SpyEye Zeus malware at the same time.

Fast-growing weeds

New identity theft scams continually emerge, seemingly with no end in sight. Just when you think there's a slowdown, new swindles emerge. Most of the cons originate in Russia, the Ukraine and China and then quickly spread throughout the rest of the world. Once they emerge, they're very difficult, if not impossible, to shut down.

Cybercriminals generate billions of dollars in revenue from these scams when they gain access to victims' PII because organizations fail to protect their networks and data from breaches, phishing schemes, contaminated websites loaded with malware and the ever-growing use of the telephone to fool individuals. If you or your organization is connected to the Internet then you're susceptible to malware infiltration.

Cybercriminals — often called bot herders or bot masters — can initiate Denial-of-Service (DoS) attacks on websites by sending massive quantities of spam, much of which includes email attachments with malware. Botnets also let them chalk up large quantities of fraudulent but legitimate-looking ad clicks and carry out other online attacks and criminal activities. This type of attack is very difficult to block if it begins from a "central point of origin" as with the SpyEye Zeus malware. It's not easy to identify the sources of this type of spam-sending botnet because the spam appears to be coming from a multitude of innocent-looking computers. That isn't the case with the GameOver Zeus malware botnets, which have a decentralized, peer-to-peer command and control infrastructure. (I'll discuss both of these in part two of this article.)

Cyberattack nitty gritty

Hackers normally follow four steps to gain access to valuable PII, according to a white paper, Anatomy of a cyber-attack, sponsored by Dell SonicWALL on the InfoWorld website. (See PDF.)

The four steps are:

1) "Reconnaissance and enumeration," which is the art of finding vulnerabilities, either technical (for instance, a porous network security system) or nontechnical (such as an employee who's tricked into giving up sources of PII).

2) "Intrusion and advanced attacks," which is the actual penetration of the network.

3) "Malware insertion," in which the hacker secretly leaves code behind to enable him to maintain control over the systems.

4) "Clean up," in which the hacker covers up his tracks.

Let's take a closer look at each of these four steps from the SonicWALL white paper. (I've added some additional information.)

Attack step 1: Reconnaissance and enumeration

The main goal of reconnaissance is to gather information to "learn about vulnerabilities in the targeted network system, including credentials" (e.g., individuals' PII), "software versions, and misconfigured settings. One method of gathering this information is through social engineering cons, which fool end users into surrendering data. This is often perpetrated through phishing (fraudulent email), pharming (fraudulent web sites), and drive-by pharming (redirected DNS settings on hijacked wireless access points)."

Cybercriminals frequently target the Internet's Domain Name System (DNS) servers, which look up and resolve domain names such as www.cwu.edu to their corresponding IP addresses. DNS servers should be configured to answer only requests coming from within a specific domain or IP address range. However, if they're left at a default configuration that responds to requests from outside their own domain, they become vulnerable to exploitation by hackers.

According to the SonicWALL white paper, enumeration — the second part of this two-pronged strategy — seeks to surreptitiously expand the knowledge and data gained during reconnaissance. "Service scanning" and "war dialing" are popular during the enumeration phase, and each can have dire consequences. Service scanning identifies network systems and matches known bugs with software weaknesses. War dialing, on the other hand, involves using an automated system to call each of the telephone numbers owned by a company in hopes of finding a modem that provides direct access to internal company resources, according to SonicWALL.


Attack step 2: Intrusion and advanced attacks

After the hackers "have identified and correlated known vulnerabilities, they can exploit them to penetrate the network. Even more dangerous are sophisticated 'zero-day' attacks, which exploit software weaknesses that, while not publicly disclosed, may have been distributed on the black market among attackers who range from petty criminals to transnational organized gangs," according to the SonicWALL white paper. A zero-day or zero-hour attack means that the hacker executes an attack as soon as possible, before the developer of the targeted software notices the intrusion and patches the vulnerability.

Attack step 3: Malware insertion

After infiltrating a network, hackers "secretly insert malware in order to maintain ongoing remote control over systems and, ultimately, execute code within the network to achieve a particular goal. Inserted malware can be a nuisance (e.g., marketing driven); controlling (to provide back door access or remote control), or destructive (to cause intentional harm or to cover the tracks of the attacker)," according to SonicWALL.

Once the malware is inserted, the hacker has the keys to your network. It's like having the keys to your car or the front door of your home. Game over? Just about!

Attack step 4: Cleanup

"The final stage of the attack cycle is to rid the infected system of forensic evidence," according to the SonicWALL white paper. The success of this step depends on how inconspicuous the hacker has been during the earlier steps. "For example," according to SonicWALL, "an attacker may commandeer the credentials of a trusted network user that would not raise alarms by accessing the targeted systems, or use commonplace applications, such as instant messaging to insert malicious files or extract information.

"A primary goal of this step is to erase any traces of the attack from the system. This can be done by the manual or automated deletion of command line or event logs, deactivation of alarms, and the upgrade or patching of outdated software after the attack has been accomplished," according to SonicWALL.

SpyEye infections

Once cybercriminals successfully hack into the network of a bank they not only capture information about its operations but also gain access to its customers' banking credentials, including the network addresses of their personal computers. The cybercriminals now can infect their computers with the SpyEye malware, which facilitates the theft of PII and allows them to remotely control the infected computers through command and control (C & C) servers.

The SpyEye malware records a customer's keystrokes when he or she conducts an online banking transaction and then injects that person's browser with code to underhandedly access his or her bank account. A web injection also allows cybercriminals to trick victims into revealing online PII associated with their banking accounts by changing the display of web pages in their browsers. The banks have no clue what's going on because they think that their customers — not the cybercriminals — have logged in and are transacting business.

The stolen information is sent to the cybercriminals' C & C servers and cybercriminals use it to transfer money via wire into their accounts. "The web injection can even manipulate the browser so that the amount of money listed on the account does not reflect the stolen funds," says David Marcus, director of advanced research and threat intelligence at McAfee in the article, Malware Based on Zeus And SpyEye Targets Business and High-End Bank Accounts, by Ken Presti, June 26, 2012, CRN. "And from the banks' point of view, it doesn't really look like fraud because the user is logged in and it appears to be doing things of their own volition."
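One server-side check a bank can run against the web injections described above: because an inject alters the login page to ask for extra PII, the form the victim submits no longer matches the form the bank actually served. The added example below (my illustration, not code from SpyEye, the bank, or the article) flags login POSTs whose field names deviate from the genuine form; the expected field set, the sample POSTs, and the assumption that injected fields reach the bank in the same request are all constructed for this example.

```python
"""Flag login POSTs whose field set deviates from the form the bank served.
Constructed example for illustration; field names and sample data are assumed."""
from dataclasses import dataclass
from typing import Optional

# Fields the genuine login page renders (assumed for this example).
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# Field names a web inject commonly adds to harvest extra PII. Any unexpected
# field is enough to flag a request; this set only raises the severity label.
SENSITIVE_EXTRA_FIELDS = {"pin", "ssn", "card_number", "cvv", "mothers_maiden_name"}


@dataclass(frozen=True)
class Finding:
    session_id: str
    unexpected: frozenset   # fields submitted but never rendered by the bank
    missing: frozenset      # rendered fields that were dropped (e.g. CSRF token)
    severity: str


def inspect_login_post(session_id: str, form: dict) -> Optional[Finding]:
    """Compare submitted field names with the served form; None means clean."""
    submitted = {name.strip().lower() for name in form}
    unexpected = frozenset(submitted - EXPECTED_LOGIN_FIELDS)
    missing = frozenset(EXPECTED_LOGIN_FIELDS - submitted)
    if not unexpected and not missing:
        return None
    severity = "high" if unexpected & SENSITIVE_EXTRA_FIELDS else "medium"
    return Finding(session_id, unexpected, missing, severity)


def triage(posts) -> dict:
    """Run the check over a batch of POSTs; return findings keyed by session id."""
    findings = {}
    for post in posts:
        finding = inspect_login_post(post["session"], post["form"])
        if finding is not None:
            findings[post["session"]] = finding
    return findings


# Constructed sample POSTs (values are placeholders; only the names matter).
SAMPLE_POSTS = [
    {"session": "s1", "form": {"username": "u", "password": "p", "csrf_token": "t"}},
    {"session": "s2", "form": {"username": "u", "password": "p", "csrf_token": "t",
                               "PIN": "1234", "card_number": "x", "cvv": "x"}},
    {"session": "s3", "form": {"username": "u", "password": "p"}},
]

if __name__ == "__main__":
    for sid, f in triage(SAMPLE_POSTS).items():
        print(sid, f.severity, sorted(f.unexpected), sorted(f.missing))
```

Session s2 is flagged high because the inject added PIN and card fields; s3 is flagged medium because the CSRF token the bank rendered never came back, another sign the page was rewritten in the browser.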

The cybercriminals also steal bank customers' other PII, such as credit card information, and transfer it back to cybercriminals' servers so they can use it to make fake credit cards. Sometimes, the cybercriminals will sell the stolen PII — including banking credentials, credit card numbers, user names, passwords, PINs — to identity thieves in underground hacking forums.

Once infected, a victim's computer becomes part of the "C&C" infrastructure of a botnet. This is a double whammy for the victim: loss of money and now unknowingly allowing a cybercriminal to use his or her computer "rent free" to further his business.

Tracking data breaches

To get a better grasp of the scope of the problem that hackers are creating, a few major U.S. organizations identify, track and use different models to classify data breaches according to type and industry sectors after they receive information about them from inside contacts, clients, government agencies, media and other sources. The groups include the Privacy Rights Clearinghouse (PRCH), Verizon Business and the Identity Theft Resource Center.

Many entities that have experienced data breaches don't report them to consumers or law enforcement. Sometimes, state laws require entities that have been victimized by data breaches to report them to consumers. However, most of these laws have loopholes that provide a "safe harbor" for these organizations, which allows them to opt out and not report the crimes. The organizations are reluctant to report them because of fear of bad publicity, the effect on stock prices if investors bail out, loss of revenue and profits if consumers flee to competitors, and costs to notify consumers. Therefore, most data breaches go unreported.

In part 2: The latest data breach statistics, more case histories and how you can help your communities.

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He's also on the ACFE's Advisory Committee.

To learn more about this problem and other major issues relating to data breaches, see "Breaking Breach Secrecy," parts 1, 2 and 3 in the September/October 2011, November/December 2011 and January/February 2012 issues of Fraud Magazine.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.