Post-Data Breach ID Theft & Fraud Transactions… How the Bad Guys Operate. 21 Sep 2017 Liz Shirley, Tech Director, Intel & Intel Analysis Wapack Labs How Credential Reuse Attacks and Dark Net ID Fraud Sales Work, Suspicious Activity To Look For And Mitigation Steps To Take

Page 1: Post-Data Breach ID Theft & Fraud Transactions… · Credit cards, Pre-Paid & Gift cards, eWallets, Bitcoins • Electronics, phones, gas, jewelry, clothes/shoes, guns, drugs •

Post-Data Breach ID Theft & Fraud Transactions…

How the Bad Guys Operate.

21 Sep 2017

Liz Shirley, Tech Director, Intel & Intel Analysis, Wapack Labs

How Credential Reuse Attacks and Dark Net ID Fraud Sales Work, Suspicious Activity To Look For And Mitigation Steps To Take

Page 2:

Wapack Labs – How We Do Actionable Cyber Threat Intelligence

Wapack Labs is a private cyber threat intelligence company. We identify threats to your organization, your suppliers, your partners, and industry — insiders, threats to personnel, cyber systems, geopolitical, operational risk, and more…

Wapack Labs presents consulting and intelligence expertise in identity fraud, credential reuse attacks and data breach notification in the corporate environment and mitigation recommendations. We draw on Lessons Learned from financial, retail, healthcare, as well as government and military large scale data breaches including Personally Identifiable Information (PII) similar to the compromised Equifax data.

We also include recommendations for due diligence cyber threat assessments for financial and other institutions engaging in activities including: Mergers and Acquisitions (M&A) and contracting with vendors/suppliers or Business Associates (BAs).

Lost PII of employees or customers can be used by hackers to attack corporate networks.

Page 3:

How is Stolen PII Data Used?

In a social engineering context, cyber threat actors have discovered that corporate users more readily respond to emails associated with their company and bosses (e.g. CEO fraud) than to personal matters.¹ – Krebs Security

Criminals and APT actors (Chinese, Russian, NK Lazarus) may use the personal email address of a boss, HR, vendor, or customer to contact employees to conduct phishing attacks or solicit further PII (such as SSNs) that may result in fraud, industrial espionage or ransomware attacks.

Lazarus Group APT used phishing and watering-hole attacks to target FIs & steal funds.

Page 4:

Stolen PII Enables Criminals to Fraudulently Obtain:

• Credit cards, Pre-Paid & Gift cards, eWallets, Bitcoins
• Electronics, phones, gas, jewelry, clothes/shoes, guns, drugs
• Monitor purchases listed on bank, credit card statements

Open Lines of Credit or “Tradelines” (CPNs):

• Bank accounts, Mortgages/Equity, Vehicle/ATV/RV/boat loans
• Cosmetic surgery, Business equipment loans, Pet healthcare
• Add co-signer to your credit to obtain/increase their credit rating
• Cash out victim’s current & newly created credit lines

File fraudulent W2s/Tax Returns & Steal Tax Refunds

Top ID Theft: children and deceased (most prized accounts)*

Fake IDs: Conduct criminal acts, elude immigration or LE using victim’s name

Medical Treatment: Affect victim’s policy limits, deductibles, & eMR medical history (victim could receive wrong treatment or wrong meds at subsequent medical visits)

Page 5:

Tracking Black Market Carders: Wapack Targeteer & Rogues Gallery

Employee and individual email accounts and passwords (credentials) are often posted in open source Google Groups, clearweb, and dark net data dump repositories by hackers.

Stolen creds and botnets can enable compromise of devices for use by criminals in cryptocurrency mining operations.

Notorious data breach repositories, called “dumps”:

• Accounts for PayPal, Amazon, eBay & Retailers (Target, etc.)
• Hacker/Carder forums
• Pony (botnet) dumps: Twitter, Google, Facebook accounts
• Pastebin posts
• LinkedIn breaches**
• Yahoo breach
• Tumblr_2013_users breach
• MySpace breach
• MPGH.net
• VK\VK_100M breach
• AntiPublic_2017 breach dump
• mate1\mate1.com-plain-november-2015

Page 6:

Locations & Terms of the ID Fraud Trade Black Markets

Google Groups, Clear Web Hacker Forums & Dark Net Black Markets

fullz – PII data that consists of name, emails, passwords, bank account numbers, SSN, DOB, mother’s maiden name, previous residences, vehicle loan info, etc. If it does not have bank account numbers, SSN, DOB, name, emails, & passwords then it’s not a “fullz”. Most extensive PII data, highly prized and more pricey.

Black market criminals buy & sell ID theft data of different levels of fidelity: fullz, credit checks, tax info/methods, W2’s, cardz, cc’s, tradelines, CPNs/SCNs, etc.

Carding – stealing credit card info or PII to create fake credit, prepaid or gift cards.

The Equifax data breach will provide criminals with “fullz” and “credit check” levels of PII and ID theft data.

Page 7:

ID Theft & Fraud Transactions… How the Bad Guys Operate

Turning your PII & creds into monetary funds.

Methods used for funds transfers to circumvent FI fraud algorithms, IRS counter-terrorism & money laundering transfer limits.

2017 - Impacting 24 FIs. Deep web market vendor, leaguemode, advertised 2016 U.S. W-2’s with dates of birth (DOB) and U.S. & EU bank accounts for sale. He also advertised the GozNym botnet.

Malware/botnets are often advertised alongside cc & PII data.

Page 8:

Stolen PII and Credentials Lead to Additional Compromises Such as Phishing, Ransomware and Keyloggers…

• Credentials: computer login, ERP, email, other
• All web accounts – including additional credentials for corporate resources
• Application keys for all applications on the system
• Bank info
• Cryptocurrency & eWallet mining
• Screen shots of shipping manifests
• Financial transactions between importing and exporting parties

© 2017 – WAPACK LABS

Collecting as many as 40K new accounts every week.

Page 9:

PII and Corporate Data in Public Cyber Security Products and Hard-Coded in Malware

Wapack analysts observe a large volume of corporate data on VirusTotal contained within malware. Corporations or individuals often load files to cyber security apps or virus checkers that they fear may be infected, but that contain PII, corporate IT or proprietary info.

Victim PII data has been observed hard-coded in malware samples, including victim email accounts and passwords. (Found during M&A CTA.)

We observed a Pay Per Install (PPI) infection botnet scheme, as part of a cyber criminal enterprise, that included corporate info.

• Data of one corporation was discovered within Virut and Sality worm malware samples that were loaded into the public VirusTotal repository.
• This data could be auto-pushed to other cyber security apps, SIEMs, platforms of competitor companies & available to additional hackers.

Page 10:

M&A, Supply Chain, Third Party, “BAs” – “Due Diligence” Cyber Threat Assessments


We didn’t have a corporate compromise… so how did our data end up compromised?

Lessons Learned from Healthcare & Defense/National Security: Ensure vendors & BAs sign data breach notification and liability agreements.

Page 11:

Post PII Data Breach - Mitigations

Implement multi-factor authentication for corporate accounts, web-based email, applications and system accesses to limit the impact of compromised credentials;

Implement and practice a device and data backup program, data integrity checks, and a COOP restoration plan to mitigate the potential for further compromises and ransomware attacks.

FIs/Corps shouldn’t use Security Questions that may involve data found in credit reports:

• Mother’s maiden name, former addresses, former vehicles, former schools, former pet names

Conduct a robust operational security (OPSEC) training program for employees & customers, covering:

• Question emails received from boss/HR/vendors/customers coming from personal email accounts; call the person & verify that they actually sent it.
• Ensure employees change system passwords so previous email credential dumps cannot be used to exploit these accounts in the future;
• Not clicking on spear-phish links, how credential reuse attacks work, post-breach mitigations, etc.;
• Do not re-use passwords across personal and corporate systems;
• Do not use employee work emails to communicate on non-work related sites: hobby & social media sites, forums, & email lists (e.g. Craigslist, eBay, Instagram, Google Groups, etc.).
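
A defender-side check for two of the items above (forcing password changes once an account shows up in a credential dump, and catching passwords reused between personal and corporate systems), added here as an example and not part of the Wapack Labs deck: it parses a constructed email:password dump, maps employee addresses to corporate accounts, and flags which accounts need a forced reset because the leaked password still verifies against the directory's salted PBKDF2 hash. The corporate domain, the personal-to-corporate address table and all sample data are assumptions.

```python
import hashlib
import hmac
import os

CORP_DOMAIN = "example.com"  # assumed corporate domain (placeholder, not from the deck)

SAMPLE_DUMP = """# constructed pastebin-style "email:password" dump for this example, not real data
alice@example.com:Winter2017!
bob@example.com:oldpassword
carol.home@mail.example:Summer2017!
"""

def hash_password(password, salt):
    """Salted PBKDF2-SHA256, as a corporate directory would store passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def new_record(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def parse_dump(text):
    """Yield (email, password) from 'email:password' lines; skip blanks, comments, junk."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            email, password = line.split(":", 1)
            yield email.strip().lower(), password

def triage(dump_text, directory, personal_to_corp):
    """reset_required: the leaked password still verifies, so a credential reuse
    attack would succeed today. exposed: the address is in the dump but the
    password is stale; notify the user and expect phishing sent to that address."""
    actions = {}
    for email, leaked_pw in parse_dump(dump_text):
        # Employees' personal addresses map to their corporate account (assumed table).
        account = email if email.endswith("@" + CORP_DOMAIN) else personal_to_corp.get(email)
        if account not in directory:
            continue
        salt, digest = directory[account]
        if hmac.compare_digest(hash_password(leaked_pw, salt), digest):
            actions[account] = "reset_required"
        else:
            actions.setdefault(account, "exposed")
    return actions

def demo():
    """Constructed directory: alice reused the leaked password, bob already rotated,
    carol used her personal-site password on the corporate account."""
    directory = {"alice@example.com": new_record("Winter2017!"),
                 "bob@example.com": new_record("NewStrongPass#9"),
                 "carol@example.com": new_record("Summer2017!")}
    return triage(SAMPLE_DUMP, directory, {"carol.home@mail.example": "carol@example.com"})
```

Accounts flagged reset_required should be reset and re-enrolled in MFA the same day; exposed accounts only need the user notified and watched.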

Page 12:

Jeff Stutzman, Founder, Wapack Labs

603-930-2222

[email protected]/28/2017

Liz Shirley, Tech Director, Technical & Intelligence Analysis

[email protected]

304-839-4040

wapacklabs.com