Post-Data Breach ID Theft & Fraud Transactions…
How the Bad Guys Operate.
21 Sep 2017
Liz Shirley, Tech Director, Intel & Intel Analysis
Wapack Labs
How Credential Reuse Attacks and Dark Net ID Fraud Sales Work, Suspicious Activity To Look For, and Mitigation Steps To Take
Wapack Labs –
How We Do Actionable Cyber Threat Intelligence
Wapack Labs is a private cyber threat intelligence company. We identify threats to your
organization, your suppliers, your partners, and industry — insiders, threats to personnel,
cyber systems, geopolitical, operational risk, and more…
Wapack Labs offers consulting and intelligence expertise in identity fraud, credential reuse attacks and data breach notification in the corporate environment, together with mitigation recommendations. We draw on lessons learned from large-scale financial, retail, healthcare, government and military data breaches involving Personally Identifiable Information (PII) similar to the compromised Equifax data.
We also include recommendations for due diligence cyber threat assessments for financial and other institutions engaging in activities including Mergers and Acquisitions (M&A) and contracting with vendors/suppliers or Business Associates (BAs).
Lost PII of employees or customers can be used by hackers to attack corporate networks
How is Stolen PII Data Used?
In a social engineering context, cyber threat actors have discovered that corporate users more readily respond to emails associated with their company and bosses (e.g. CEO fraud) than to personal matters. (1 – Krebs Security)
Criminals and APT actors (Chinese, Russian, NK Lazarus) may use the personal email address of a boss, HR, vendor, or customer to contact employees to conduct phishing attacks or solicit further PII (such as SSNs) that may result in fraud, industrial espionage or ransomware attacks.
Lazarus Group APT used phishing and watering-hole attacks to target FIs & steal funds.
Stolen PII Enables Criminals to Fraudulently Obtain:
• Credit cards, pre-paid & gift cards, eWallets, Bitcoins
  • Electronics, phones, gas, jewelry, clothes/shoes, guns, drugs
  • Monitor purchases listed on bank, credit card statements
• Open lines of credit or “tradelines” (CPNs):
  • Bank accounts
  • Mortgages/equity
  • Vehicle/ATV/RV/boat loans
  • Cosmetic surgery
  • Business equipment loans
  • Pet healthcare
• Add co-signer to your credit to obtain/increase their credit rating
• Cash out victim’s current & newly created credit lines
• File fraudulent W2s/tax returns & steal tax refunds
• Top ID theft: children and deceased (most prized accounts)*
• Fake IDs: conduct criminal acts, elude immigration or LE using victim’s name
• Medical treatment: affect victim’s policy limits, deductibles, & eMR medical history (victim could receive wrong treatment or wrong meds at subsequent medical visits)
Tracking Black Market Carders:
Wapack Targeteer & Rogues Gallery
Employee and individual email accounts and passwords (credentials) are often posted in open source Google Groups, clearweb, and dark net data dump repositories by hackers.
Stolen creds and botnets can enable compromise of devices for use by criminals in cryptocurrency mining operations.
Notorious data breach repositories, called “dumps”:
• Accounts for PayPal, Amazon, eBay & retailers (Target, etc.)
• Hacker/carder forums
• Pony (botnet) dumps: Twitter, Google, Facebook accounts
• Pastebin posts
• LinkedIn breaches
• Yahoo breach
• Tumblr_2013_users breach
• MySpace breach
• MPGH.net
• VK\VK_100M breach
• AntiPublic_2017 breach dump
• mate1\mate1.com-plain-november-2015
Locations & Terms of the ID Fraud Trade Black Markets
Google Groups, Clear Web Hacker Forums & Dark Net Black Markets
fullz – PII data that consists of name, emails, passwords, bank account numbers, SSN, DOB, mother’s maiden name, previous residences, vehicle loan info, etc. If it does not have bank account numbers, SSN, DOB, name, emails, & passwords then it’s not a “fullz”. It is the most extensive PII data, highly prized and more pricey.
Black market criminals buy & sell ID theft data of different levels of fidelity: fullz, credit checks, tax info/methods, W2’s, cardz, cc’s, tradelines, CPNs/SCNs, etc.
Carding – stealing credit card info or PII to create fake credit, prepaid or gift cards.
The Equifax data breach will provide criminals with “fullz” and “credit check” levels of PII and ID theft data.
ID Theft & Fraud Transactions… How the Bad Guys Operate
Turning your PII & creds into monetary funds.
Methods used for funds transfers to circumvent FI fraud algorithms, IRS counter-terrorism & money laundering transfer limits.
2017 - Impacting 24 FIs. Deep web market vendor leaguemode advertised 2016 U.S. W-2’s with dates of birth (DOB) and U.S. & EU bank accounts for sale. He also advertised the GozNym botnet.
Malware/botnets are often advertised alongside cc & PII data.
Stolen PII and Credentials Lead to Additional Compromises
Such as Phishing, Ransomware and Keyloggers…
• Credentials: computer login, ERP, email, other
• All web accounts – including additional credentials for corporate resources
• Application keys for all applications on the system
• Bank info
• Cryptocurrency & eWallet mining
• Screen shots of shipping manifests
• Financial transactions between importing and exporting parties.
© 2017 – WAPACK LABS
Collecting as many as 40K new accounts every week.
PII and Corporate Data in Public Cyber Security Products
and Hard-Coded in Malware
Wapack analysts observe a large volume of corporate data on VirusTotal contained within malware. Corporations or individuals often upload files that they fear may be infected to cyber security apps or virus checkers, but those files contain PII, corporate IT or proprietary info.
Victim PII data has been observed hard-coded in malware samples, including victim email accounts and passwords. (Found during M&A CTA)
We observed a Pay Per Install (PPI) infection botnet scheme, as part of a cyber criminal enterprise, that included corporate info.
• Data of one corporation was discovered within Virut and Sality worm malware samples that were loaded into the public VirusTotal repository.
This data could be auto-pushed to other cyber security apps, SIEMs and platforms of competitor companies, and be available to additional hackers.
M&A, Supply Chain, Third Party, “BAs” –
“Due Diligence” Cyber Threat Assessments
We didn’t have a corporate compromise… so how did our data end up compromised?
Lessons Learned from Healthcare & Defense/National Security: ensure vendors & BAs sign data breach notification and liability agreements.
Post PII Data Breach - Mitigations
• Implement multi-factor authentication for corporate accounts, web-based email, applications and systems accesses to limit the impact of compromised credentials;
• Implement and practice a device and data backup program, data integrity checks, and a COOP restoration plan to mitigate the potential for further compromises and ransomware attacks.
• FIs/Corps shouldn’t use security questions that may involve data found in credit reports:
  • Mother’s maiden name, former addresses, former vehicles, former schools, former pet names
• Conduct a robust operational security (OPSEC) training program for employees & customers:
  • Question emails received from boss/HR/vendors/customers coming from personal email accounts; call the person & verify that they actually sent it.
  • Ensure employees change system passwords so previous email credential dumps cannot be used to exploit these accounts in the future;
  • Cover not clicking on spear-phish links, how credential reuse attacks work, post-breach mitigations, etc.;
  • Do not re-use passwords across personal and corporate systems;
  • Do not use employee work emails to communicate on non-work related sites: hobby & social media sites, forums, & email lists (e.g. Craigslist, eBay, Instagram, Google Groups, etc.).
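One post-breach check that follows from the mitigations above, as an added example that is not from the original presentation or from Wapack Labs: match a leaked email:password dump against the corporate directory's salted password hashes to find accounts still using a dumped password, so they can be queued for a forced reset. The domain, dump lines and directory passwords are constructed for illustration; in practice the salts and hashes come from the identity store rather than being rebuilt from plaintext.

```python
import hashlib
import hmac
import os
CORP_DOMAIN = "example.com"  # assumption: the defender's own mail domain

# Constructed sample of a credential dump as it might appear in a public paste:
# "email:password" per line, mixed with other domains and malformed lines.
SAMPLE_DUMP = """\
alice@example.com:Summer2017!
bob@example.com:hunter2
carol@otherdomain.net:password1
this line is garbage
dave@example.com:
erin@example.com:Welcome1
"""

def parse_dump(text, domain):
    """Return {email: password} for well-formed dump lines in the given domain."""
    hits = {}
    for line in text.splitlines():
        email, sep, password = line.partition(":")  # password keeps any spaces
        email = email.strip().lower()
        if sep and password and email.endswith("@" + domain):
            hits[email] = password
    return hits

def hash_password(password, salt):
    """Salted PBKDF2-SHA256, standing in for the directory's real password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_directory(current_passwords):
    """Constructed directory: per-user random salt plus hash of the current password."""
    directory = {}
    for email, password in current_passwords.items():
        salt = os.urandom(16)
        directory[email] = {"salt": salt, "hash": hash_password(password, salt)}
    return directory

def accounts_to_reset(dump_text, directory, domain):
    """Emails whose current corporate password equals the one in the dump."""
    reset = []
    for email, leaked_pw in parse_dump(dump_text, domain).items():
        rec = directory.get(email)
        if rec and hmac.compare_digest(hash_password(leaked_pw, rec["salt"]), rec["hash"]):
            reset.append(email)  # still using a leaked password: force a reset
    return sorted(reset)

# Constructed current passwords: Alice and Erin still use their leaked ones, Bob changed his.
DIRECTORY = build_directory({"alice@example.com": "Summer2017!", "bob@example.com": "NewPass-2017",
                             "dave@example.com": "Str0ngPass", "erin@example.com": "Welcome1"})
```

Running `accounts_to_reset(SAMPLE_DUMP, DIRECTORY, CORP_DOMAIN)` returns only Alice and Erin; Bob's rotated password no longer matches, and the blank and foreign-domain lines are ignored.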
Jeff Stutzman
Founder, Wapack Labs
603-930-2222
[email protected]
Liz Shirley, Tech Director, Technical & Intelligence Analysis
304-839-4040
wapacklabs.com