Today’s Vision and Tomorrow's Reality · 2018-04-02
TRANSCRIPT
Today’s Vision and Tomorrow's Reality
The New Face of Financial Crimes
Presenters:
Fred Laing,
Upper Midwest Automated Clearing House (UMACHA)
763-549-7000
John McCullough, CPP, CFE
612-238-3651
4/17/2015 3
Sasha Panin’s malware; Atlanta prison, April 2017
ZeuS malware: ZeuS, created in 2007, had infected more than 13 million computers and had been used to steal over $100 million, according to court papers filed by Microsoft in 2012.
Roman Valeryevich Seleznev, aka "Track2": 38 counts related to defrauding 3,700 financial institutions in the United States of at least $169 million.
Agenda
• Stats and Trends
• What is Fueling Crime
• Business Check Financial Crimes
• Criminals Using Technology
• Synthetic Identity Theft
• Cyber Crimes
• Ransomware
• CATO
Source: Identity Theft Resource Center (ITRC) and CyberScout
Businesses have impacted these trends
The number of U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to a new report released today by the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911).
Data Breaches
Business Losses
Fueling Crime
Access
Terrorism
• Terrorists use low-value but high-volume fraud activity to fund their operations
• They are now also moving monies through social media and new payment methods
Recent Business Thefts and Trend
• Overnight on 10/17/16, at least two suspects cut the alarm lines to the business and then entered the business.
• They then backed a Penske rental truck into the business and loaded the property of the business
• They also cut into the safe, broke into the registers and took the cash from within.
• The suspects took all the servers from the office and removed all video equipment…
• The suspects obviously had inner working knowledge of the business
• They have no leads on current or former employees who may be suspects
Don’t Forget the Basics
• Visitor and building controls
• Alarms, CCTV, access control, keys and locks
• Good hiring practices
• Training and procedures
• Clean desk policy
• Trained personnel on security procedures
• IT controls and protection
• Drills and table top practice
• Communication, backup systems and hot sites
Business Checks: Financial Crimes
VersaCheck software ($49) makes counterfeiting checks easier
Check Protection
In 2016, check fraud remains the third highest form of fraud:
• Secure your checkbook and check stock
• Secure signature stamps
• Ensure your US mail is secured, including Saturday delivery (criminals will steal your inbound and outbound mail)
• A blue USPS collection box or your post office is best
Check Protection
• Use Positive Pay (see your banker)
• Dual control on issuance and dual signatures for high-dollar checks
• Daily review of online bank statements
• Standalone PC for banking; disconnect it when done
• Reconcile the checking account monthly
• Account control (too many or too few?)
• Protect checks that have been processed
• Do not allow checks to be written for cash
• Truncate check-stub information, especially employees’ social security numbers
• Move to ACH payments and use “out-of-channel authorization”
ACH Out-of-Band Authentication
• What is it?
– Phone call (voice authentication or just a simple phone call)
– Text message (SMS)
– Secure e-mail
– Fax
• Why do it?
– To authenticate that the file or transaction is what you intended to generate
– Fraud prevention method, but may also assist in preventing unintentional processing errors (sending the wrong week’s payroll file to your FI)
Homeless with a “Good ID”: Two Days, $8,400

Date     Time   Branch Location     Ck. Amt.
Feb. 3   10:31  St. Anthony         $349.00
“        11:05  Roseville           $457.67
“        11:52  Eagan               $625.55
“        12:58  West St. Paul       $353.57
“        15:52  South St. Paul      $589.98
“        16:23  Inver Grove         $595.67
Feb. 4   10:16  Midway              $795.83
“        10:35  Central             $623.75
“        10:58  Spring Lake Park    $789.38
“        13:35  St. Louis Park      $845.54
“        14:11  Ridgedale           $852.77
“        15:00  White Bear Lake     $395.88
“        16:06  Little Canada       $657.99
“        16:27  Maplewood           $479.67

Loss: $8,412.25
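The table shows the pattern a velocity rule at the teller line would catch. As an added example (not from the presentation), this Python detector replays the 14 presentments with a constructed payee ID and year and flags each one that, together with the same ID's earlier items in the trailing 24 hours, exceeds an assumed threshold of two distinct branches or $1,500; the third check (Eagan) is the first alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The 14 presentments from the "Homeless with a Good ID" table. The payee
# identifier and the year are constructed; the deck shows only Feb. 3 / Feb. 4.
PRESENTMENTS = [
    ("ID-0001", "2016-02-03 10:31", "St. Anthony", 349.00),
    ("ID-0001", "2016-02-03 11:05", "Roseville", 457.67),
    ("ID-0001", "2016-02-03 11:52", "Eagan", 625.55),
    ("ID-0001", "2016-02-03 12:58", "West St. Paul", 353.57),
    ("ID-0001", "2016-02-03 15:52", "South St. Paul", 589.98),
    ("ID-0001", "2016-02-03 16:23", "Inver Grove", 595.67),
    ("ID-0001", "2016-02-04 10:16", "Midway", 795.83),
    ("ID-0001", "2016-02-04 10:35", "Central", 623.75),
    ("ID-0001", "2016-02-04 10:58", "Spring Lake Park", 789.38),
    ("ID-0001", "2016-02-04 13:35", "St. Louis Park", 845.54),
    ("ID-0001", "2016-02-04 14:11", "Ridgedale", 852.77),
    ("ID-0001", "2016-02-04 15:00", "White Bear Lake", 395.88),
    ("ID-0001", "2016-02-04 16:06", "Little Canada", 657.99),
    ("ID-0001", "2016-02-04 16:27", "Maplewood", 479.67),
]

def presentment_alerts(presentments, window=timedelta(hours=24),
                       max_branches=2, max_total=1500.00):
    """Return one (payee_id, time, branch, reason) per presentment that, counted with
    the same ID's earlier items inside the trailing window, exceeds the assumed
    thresholds: more than max_branches distinct branches or more than max_total."""
    by_id = defaultdict(list)
    for pid, ts, branch, amt in presentments:
        by_id[pid].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), branch, amt))
    alerts = []
    for pid, events in by_id.items():
        events.sort()  # chronological, so each item sees only what came before it
        for i, (ts, branch, amt) in enumerate(events):
            recent = [e for e in events[: i + 1] if ts - e[0] <= window]
            branches = {e[1] for e in recent}
            total = sum(e[2] for e in recent)
            reasons = []
            if len(branches) > max_branches:
                reasons.append(f"{len(branches)} distinct branches in trailing window")
            if total > max_total:
                reasons.append(f"${total:,.2f} cashed in trailing window")
            if reasons:
                alerts.append((pid, ts, branch, "; ".join(reasons)))
    return alerts

def total_loss(presentments):
    # Dollars cashed across the run; equals the slide's $8,412.25 for the page data
    return round(sum(p[3] for p in presentments), 2)
```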
Criminals Using Technology
2017 Emerging Trends with Gateway Technology
• Vehicle technology
• Internet of things (wireless devices, CCTV, alarms, access controls, temp, air, tv, laptops, pads, etc.)
• Voice command boxes
• Artificial intelligence advances
• Robots
• Self-checkout
• Medical Online Charts
• Drones
• VoIP (voice over IP)
Gas Pump Skimmers
Device placed inside gas pumps, Bluetooth-connected, not as detectable by the customer
First-generation gas pump skimmers were placed on the outside
When you’re traveling, use cash or the pump close to the attendant; for major travel consider preloaded cards; monitor online bank statements; look for an unbroken tamper seal on the pump
It has recently been brought to our attention that an ATM skimming device has been found on an ATM in the St. Paul and Plymouth areas.
As of 10/25/16: Lincoln, NE group pictured
Past 6 Months: Minneapolis and St. Paul
Skimmer Razors, Thin for ATMs Card Slot, Not Visible…
VeriFone POS Skimmer & ATM Tampering
Business Travel Mitigation:
• Closely monitor bank statements
• Employees need to reconcile their expense reports quickly
• Make employees aware of skimmers on ATMs, gas pumps and POS terminals
• Check for hardware overlays
• Cover the keypad with your hand while typing in a PIN
• Use nationally known gas stations; use pumps close to the attendant’s window or closest to the store entrance
• Do not use ATMs at bars, hotels or gas stations
• Use ATMs within bank vestibules and under CCTV
• If any ATM captures your card and will not release it, immediately close the account
Synthetic Identity Theft
• Synthetic identity theft is the use of someone's personally identifiable information (PII), which the thief combines with made-up details to create a false identity.
• The thief may steal an individual's social security number, for example, and use it in conjunction with a false name and address and date of birth
• Fastest growing financial crime in the UK
Synthetic Identity Theft
• How is it being used:
• Applications for credit and/or debit cards
• Loans (personal and business)
• Leases
• New bank accounts
• Employment
• Social services
• Money laundering
Law Enforcement’s Dilemma
• Synthetic Identity Case:
– Who are the victims or victim?
– Is it a bad debt or recognized as fraud (classification)?
– Civil or criminal matter to report?
– Law enforcement training has not caught up…
– Laws have not caught up and legislators fail to understand…
– Prosecutors find charging laws difficult to prosecute individuals…
Minneapolis Chief Janeé Harteau:
Cybercrime Is Safer for the Criminal and Harder for the Police
We are seeing gang members do the same things that were described from Chicago. It is much easier to fund gang efforts through cybercrime than it is to rob somebody or sell drugs on the street corner, because you are much less likely to get caught.
We can’t physically see these cybercrimes, so there’s less evidence, and less risk to the criminal.
Synthetic Identity Theft Prevention
• Is your new customer screening thorough enough?
• Internal review of applications, not just of outside screening services
• Vetting the person or the company or both
• Validation of state ID (no photocopies or mobile images)
• Google searches; carefully review links
• Do not believe the listings on social media websites
• Risk level tolerance; consider location visits
• Check references of who they should know (i.e., who’s your banker and who do you work with?)
Cyber Crimes
• Ransomware
• Business Email Compromise (BEC)
• Corporate Account Takeover (CATO)
How It Begins
• Some form of impersonation
• It’s an electronic confidence scam
Remember: Fred and John Were Summoned to the White House
They needed to track down email leaks
The electronic intrusion likely resulted in private data and emails being stolen
How could this happen?
After 20 minutes, Fred and John found the answer
U.S. Officials Think the Russians Hacked White House Computers
We Found Milton!
We found him in the sub-basement of the White House; he was opening emails and the attachments
Malware in Emails Detected
• USPS - Missed package delivery email
• FW: Invoice <random numbers>, Please pay
• Payroll Received by Intuit, needs to be looked at
• Important - attached form, need form completed
• FW: Last Month Remit, please open attach
• Scanned Image from a Xerox WorkCentre
• Fwd: IMG01041_6706015_m.zip
• My resume or salaries of executive
• Important - New Outlook Settings
• FW: Payment Advice - Advice Ref
• New contract agreement
• Important Notice - Incoming Money Transfer
• Payment Overdue - Please respond
• FW: Check, see attached copy
• Corporate eFax message from <phone number>
• FW: Case # FH74D23GST58NQS
Milton’s Password was 123456
Milton’s PC Plugged In
Keystroke Logger
He said he found the memory stick at the employee door. “Just looking to see who it belonged to…”
Mitigate by having USB turned off or by requiring administrative authority to plug in…; training of employees is also needed…
• The theft of a decade’s worth of Hillary Clinton campaign chairman John Podesta’s emails may have been caused by bad instructions
• Podesta received a suspect email purportedly from Google saying hackers had tried to infiltrate his Gmail account
• An aide emailed the campaign’s IT staff to ask if the notice was real
• They replied that it was “a legitimate email" and that Podesta should “change his password”. However, the link inside the email was used to change the password, handing the “hackers” the new password…
John Podesta
The New York Times reported Tuesday
Phishing: Targeting Your Key Executives/Managers
How Criminals Target Key Employees
Script Programs in Attachments (this script can make the email look like it is from the CEO)
When the Compromised Email Is Sent:
FBI Prevention BEC
Impersonation Websites
The Mule Hacker and Ransomware
Once the Business is “Infected”…
• Gain access to data files for Ransomware/BEC/CATO
• Gain control over the business network
• Learn your banking processes to impersonate your company and send wires or ACHs…
• Copy employee payroll files to file fake tax returns
• Gain competitive client lists or insider information
• Configure a file to capture POS transactions
• Issue other commands and gain control of gateways
• Hijack VoIP, alarms, cameras…
How Big a Problem?
• Business Email Compromise $3.1 B
• Ransomware $1.6 M
• CATO ? ($ Not Identified)
FBI 2016
Internet Crime Complaint Center (IC3) Reports on BEC:
• BEC scam continues to grow, evolve, and target businesses of all sizes.
• Since January 2015, there has been a 1,300% increase in identified exposed losses.
• The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.
https://www.ic3.gov/media/2016/160614.aspx
Ransomware
https://pdf.ic3.gov/2015_IC3Report.pdf
Your Computer Screen May Look Like This
Example “Ransomware”:
• Your system is locked by cyber criminals with a message denying access to files
• Ransomware attacks are waged in two parts. First, a PC or mobile device is infected with malware, which locks the corporate user out or encrypts files so that the user can no longer access the PC or mobile device
• Then a ransom is demanded through an automated message that appears on the device's screen. The user is told he or she has a limited amount of time to pay the ransom before the device will be wiped clean or the files will be erased
• Again, it starts when staff click on a link or download attachments, which in turn infect their computers
Signs of Malware on the PC
• “System Unavailable” messages while banking online
• Changes in the way your online banking application appears
• Unexpected requests for a one-time password/token in a session
• Unusual pop-up messages
• Computer locks up
• Dramatic loss of PC speed
• Unexpected rebooting or restarting of PC
• New or unexpected toolbars or icons
• Inability to shut down or restart PC
• Warnings from anti-virus or anti-malware software
Mitigation Suggestions
• Require dual authorization to initiate a payment or change administrative rights
– It’s an effective defense to internal and external fraud.
– Dual authorization = two users, two PCs and two sets of credentials
• Sign up to receive alerts for payments and administrative changes
• Monitor and reconcile accounts at least once a day
• Exercise good password management
– Use strong passwords
– Do not share passwords
– Different passwords for each online site
– Regularly change passwords
– Do not store passwords on your PC
System Controls (hire the right people)
• Block executables at your email gateway
• Disable macro-enabled Office documents, specifically MS Word and Excel, for anyone who doesn’t explicitly need them.
• Stopping malicious JavaScript starts with blocking .js via email and keeping browser software up to date.
• Prioritize patching vulnerabilities associated with browser exploitation. This includes the browser software, but also plug-ins.
• Apply system patches and updates
• Review new technology and vendor control packages
http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
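The first three controls above (block executables, block .js, disable macro-enabled Word and Excel) can be expressed as one attachment policy check at the gateway. This Python example is added here and is not the presenters' or any vendor's code; the extension lists are an assumed policy, and the sample attachments are constructed, with only the "IMG01041_6706015_m.zip" file name taken from the lure subjects shown earlier in the deck.

```python
import io
import zipfile

# Assumed policy (not the deck's exact list): it says to block executables and .js at the
# gateway and to disable macro-enabled Word/Excel; these extensions are treated as such here.
BLOCKED = {**dict.fromkeys(["exe", "scr", "com", "pif", "bat", "cmd", "msi", "dll"], "executable attachment"),
           **dict.fromkeys(["js", "jse", "vbs", "wsf"], "script attachment"),
           **dict.fromkeys(["docm", "dotm", "xlsm", "xltm", "xlam", "pptm"], "macro-enabled Office document")}

def _ext(name):
    # Last extension only, so "scan.pdf.exe" is judged as .exe, not .pdf
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def attachment_verdict(name, data, depth=0):
    """Return ("block", reason) or ("allow", ""). Sniffs the PE header so a renamed
    executable is still caught, and opens ZIP archives one level deep, the way a
    lure like the deck's "IMG01041_6706015_m.zip" subject delivers its script."""
    ext = _ext(name)
    if data[:2] == b"MZ":
        return "block", f"{name}: PE executable header, whatever the extension"
    if ext in BLOCKED:
        return "block", f"{name}: {BLOCKED[ext]}"
    if ext == "zip" or data[:4] == b"PK\x03\x04":
        if depth >= 1:
            return "block", f"{name}: nested archive"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in (i for i in zf.infolist() if not i.is_dir()):
                    verdict, reason = attachment_verdict(info.filename, zf.read(info), depth + 1)
                    if verdict == "block":
                        return "block", f"{name} -> {reason}"
        except (zipfile.BadZipFile, RuntimeError):
            # Corrupt or password-protected: cannot be inspected, so fail closed
            return "block", f"{name}: archive cannot be inspected"
    return "allow", ""

def _zip(entries):
    # Builds a constructed in-memory archive for the samples below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items(): zf.writestr(n, d)
    return buf.getvalue()

# Constructed sample attachments; only the .zip file name comes from the deck
SAMPLES = {
    "IMG01041_6706015_m.zip": _zip({"IMG01041_6706015_m.js": b"var a=1;"}),
    "Invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "remit.xlsm": _zip({"xl/vbaProject.bin": b"\x00"}),
    "agreement.docx": _zip({"word/document.xml": b"<w:document/>"}),
}
```

Note that .docx and .xlsx are ZIP containers too, so the allowed document is opened and its members checked, while the macro-enabled .xlsm is refused by extension before any inspection.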
• Train your CEO, CFO, Presidents, AVPs, Managers, Supervisors and Tellers
• Involve your IT in training and allow them to discuss examples of any attempts during staff meetings…follow their recommendations
• Train staff on the criminal pretexting techniques used to create false “trust”
✓ How social engineering works
✓ Do you have a social media policy (LinkedIn, Facebook,…)?
✓ Follow-up emails, texting, phone messages
✓ Have a chair for visitors (escort policy)
✓ Out-of-channel verification process
How Do I Prevent Ransomware Infection?
Options: On-line Searches
• Example (Public Keys to unlock the software)
FBI Prevention Video
CATO
• Corporate Account Takeover Fraud is a form of corporate identity theft where a business’ online banking credentials are stolen by malware.
• Criminal entities can then initiate fraudulent banking activity, including wire transfers and ACH payments.
• Corporate Account Takeover Fraud involves compromised identity credentials and is not about compromises to the wire system, ACH Network or bank systems.
What Happens If Your Organization Is a Victim?
• Discontinue using whatever piece of hardware is infected and disconnect it from any network and power ASAP!
• Determine what “connections” that computer had with others and check those for problems
• Let corporate security know immediately so they can try to limit the encryption process
• Contact the FBI or IC3: https://www.ic3.gov/ and https://www.ic3.gov/media/2016/160915.aspx
• Develop a list of expert outside vendors to help; consider retaining them in case of such an event
• Back-up system tested for recovery (everyone has a backup system, right?)
• Consider buying Bitcoin to cover a payout: $5K, $10K, $20K or more.
• Change passwords, IDs, etc. for anyone accessing systems; disable the old ones
• Notify your provider(s) within 24 hours
When Prevention Fails
• Do not panic or let emotions get in the way
• Remain calm and determine facts
• Determine the scope of the event
• Pull together your response team
• Protect assets: bank accounts, data sets, confidential info…
• Do this by delegating urgent tasks
• Contain and minimize the impact
• Network and PC data records to be preserved
• Eliminate threat or furtherance of the activity
• Corrective action…seek experts on forensic work
• Seek Law Enforcement assistance
• Keep good documentation (chronological; the 5 W’s)
• Bitcoin held and ready to use…last resort
Cyber Crime
How Are You Feeling?