
real life fraud

Computer Fraud Scenarios: Credit Creeps

by Fred Cohen

Series Introduction

In this series, we provide a monthly scenario of a computer-related fraud, complete with the story line and details, but with no specifics about the organizations involved. Then we do a root cause analysis and identify mitigation strategies actually applied or proposed.

Background

When international criminals go after credit cards, the best-known schemes aren't necessarily the ones they adopt. In this case the bad guys didn't want a lot of publicity and they didn't want to get rich quickly with one big hit. Rather, they undertook a systematic approach to income via credit card fraud. When I first heard about this scheme, it came to me via a medium-sized supplier that had received a complaint from a loyal, long-time customer that its credit card had been used to make false charges. The company naturally asked why the customer thought the supplier was involved, and was surprised to learn that the customer kept a separate credit card that was used only for purchases from this one business: if that card had been misused, the supplier's own records were the only place the number could have come from. Within a few weeks they started to get complaints and concerns from other customers. There could be no doubt about it: someone had taken the credit card numbers that the company held in its records for charge accounts. The question that remained was how this had happened and what to do about it.

The scheme

Investigation ultimately showed that a perpetrator operating from a foreign IP address had entered the company's systems, taken confidential customer information from its e-commerce Web server, and was using that information to make moderate-value purchases (on the order of $500 to $1000 each) from third parties in the customers' names. The customers were all small businesses whose typical buying patterns were in this price range, but the supplies being purchased were not of the right sort for these types of businesses, and the shipping addresses, all in the US, were not real places. The perpetrators had apparently scoped out the likely purchase amounts for these sets of credit cards, presumably by looking at the purchase records held on the same computer, but possibly by using insider information from credit card companies, as seen in recently published massive fraud cases. Once they had the right financial thresholds, they were able to make purchases that would not be automatically stopped by the credit card systems' fraud detection software. The purchases themselves were apparently phoney, made through parties who were involved in the scheme, because the items could not have been delivered to the addresses specified. In other words, someone in the organizations they were buying from was in on the scheme and was, perhaps, even the perpetrator.
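Why purchases sized to the cardholder's profile slip through, and what the two signals noticed during the investigation (goods of the wrong kind for the business, ship-to addresses that are not real places) would have added, as an added example in Python that is not part of the original column. The profiles, merchant categories, address list and transactions below are all constructed for illustration and stand in for a card processor's real profiling data and address validation.

```python
# Added example, not code from the column: constructed transactions in the
# pattern described above, screened two ways. amount_only_check is the test
# the attackers deliberately stayed inside; profile_check adds the two
# signals the investigation noticed afterwards (goods of the wrong kind for
# the business, ship-to addresses that do not exist). Profiles, categories,
# addresses and transactions are all made up and stand in for a card
# processor's real profiling data and address validation.
from dataclasses import dataclass


@dataclass
class Profile:
    account: str
    business_type: str
    typical_min: float  # low end of this cardholder's normal purchase size
    typical_max: float  # high end


@dataclass
class Transaction:
    account: str
    amount: float
    merchant_category: str
    ship_to: str


# Hypothetical mapping: business type -> merchant categories it normally buys from.
EXPECTED_CATEGORIES = {
    "auto_repair": {"auto_parts", "tools", "fuel"},
    "bakery": {"food_wholesale", "kitchen_equipment"},
}

# Stand-in for an address-validation service: the only addresses that exist.
DELIVERABLE_ADDRESSES = {
    "12 Mill Rd, Dayton OH 45402",
    "8 Harbor St, Portland ME 04101",
}

PROFILES = {
    "acct-1001": Profile("acct-1001", "auto_repair", 400.0, 1200.0),
    "acct-1002": Profile("acct-1002", "bakery", 300.0, 900.0),
}

# Two transactions in the fraud pattern (in-range amount, wrong goods, fake US
# address) and one legitimate purchase for comparison.
TRANSACTIONS = [
    Transaction("acct-1001", 850.0, "consumer_electronics", "77 Nowhere Ln, Springfield XX 00000"),
    Transaction("acct-1002", 620.0, "consumer_electronics", "1 Fake Ave, Anytown CA 90000"),
    Transaction("acct-1001", 910.0, "auto_parts", "12 Mill Rd, Dayton OH 45402"),
]


def amount_only_check(tx, profile):
    """Flag only when the amount falls outside the cardholder's usual range."""
    if profile.typical_min <= tx.amount <= profile.typical_max:
        return []
    return ["amount outside profile"]


def profile_check(tx, profile):
    """Amount check plus category fit and deliverability. Returns the reasons to hold."""
    reasons = amount_only_check(tx, profile)
    if tx.merchant_category not in EXPECTED_CATEGORIES.get(profile.business_type, set()):
        reasons.append("merchant category unusual for business type")
    if tx.ship_to not in DELIVERABLE_ADDRESSES:
        reasons.append("ship-to address not deliverable")
    return reasons


def screen(transactions, profiles, check):
    """Run one check over all transactions; return {index: reasons} for those held."""
    held = {}
    for i, tx in enumerate(transactions):
        reasons = check(tx, profiles[tx.account])
        if reasons:
            held[i] = reasons
    return held


if __name__ == "__main__":
    print("amount only :", screen(TRANSACTIONS, PROFILES, amount_only_check))
    print("with profile:", screen(TRANSACTIONS, PROFILES, profile_check))
```

Run as a script, the amount-only screen holds nothing, while the profile screen holds the two constructed fraudulent transactions on category and address grounds and lets the legitimate one through. The point is the one the column makes: an attacker who has read the victim's purchase records can pick amounts that never trip a threshold, so the processor's detection has to draw on signals the attacker cannot read off the stolen data.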

Action

The action started with a scan of the victim's Web server using a free Internet-based scanner. The scan revealed a set of known vulnerabilities in the Web server software. The vulnerability used was widely published for this server, but it was not known to the systems administrators who were running it. The perpetrators were able to enter a predictable URL and directly retrieve customer details, including all of the information required to make credit card purchases. They were also able to view customer purchase records, which were available by clicking on a link from the customer information page. Unfortunately there were inadequate audit records to allow these activities to be tracked, so the victim will never know precisely what information was taken. It seems clear, however, that all customer credit card records could have been accessed, and since this activity went on for at least a week before it was discovered, a large number of records might have been compromised. The perpetrators proceeded to use the credit cards with their favourite sleazy credit card processing business to take as many dollars as could reasonably fit within the purchase profiles of the card holders. A conservative estimate is that $100 000 per week was taken by this attack for a period of at least three weeks, and perhaps longer. Once the credit cards were disabled, the perpetrator likely went elsewhere, or perhaps this was just one of many such schemes operated on an ongoing basis. It was clearly a professional job.
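An illustrative reconstruction, added here and not the victim's server software (the column does not name it), of the pattern the Action section describes: a customer-record URL that can be guessed, that returns card data to anyone who asks, and that leaves no audit record, beside a hardened handler that checks the session, masks the card number and logs every attempt so that probing of the kind described later, under Mitigation, leaves a trace. The request object, record store, session model, sample records and log format are all assumptions made for this example.

```python
# Added example, not the victim's server software (the column does not name
# it): a minimal reconstruction of the pattern described above. Customer
# records sit behind a guessable URL, come back complete with card data to
# anyone who asks, and leave no audit trail. The hardened handler beside it
# requires a session that owns the record, masks the card number, and logs
# every attempt. Request object, record store, session model, sample records
# and log format are all assumptions made for this example.
import datetime

# Constructed records. A full card number is stored because that is what the
# column says the company held; the hardened handler never returns it.
CUSTOMERS = {
    1001: {"name": "Acme Auto Repair", "pan": "4111111111111111",
           "purchases": ["brake pads x20", "shop towels x50"]},
    1002: {"name": "Blue Oven Bakery", "pan": "4012888888881881",
           "purchases": ["flour 50lb x40"]},
}

# In-memory audit log; in a real deployment this should be written to an
# append-only store that does not live on the Web host itself.
AUDIT_LOG = []


class Request:
    """Minimal stand-in for a Web framework's request object."""
    def __init__(self, path, session_customer_id=None, remote_addr="203.0.113.9"):
        self.path = path
        self.session_customer_id = session_customer_id  # None means not logged in
        self.remote_addr = remote_addr


def _customer_id(path):
    """Parse /customer/<id>. The id is a small sequential integer, hence guessable."""
    try:
        return int(path.rstrip("/").rsplit("/", 1)[1])
    except (IndexError, ValueError):
        return None


def vulnerable_handler(req):
    """Serve the full record to whoever supplies the right path. Nothing is logged."""
    cid = _customer_id(req.path)
    if cid not in CUSTOMERS:
        return 404, {}
    return 200, dict(CUSTOMERS[cid])


def hardened_handler(req):
    """Require a login, require it to own the record, mask the PAN, log every attempt."""
    cid = _customer_id(req.path)
    outcome = "denied"
    try:
        if req.session_customer_id is None:
            return 401, {}
        if req.session_customer_id != cid:
            return 403, {}
        if cid not in CUSTOMERS:
            outcome = "not_found"
            return 404, {}
        rec = CUSTOMERS[cid]
        outcome = "served"
        return 200, {"name": rec["name"],
                     "pan": "*" * 12 + rec["pan"][-4:],
                     "purchases": list(rec["purchases"])}
    finally:
        AUDIT_LOG.append({
            "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "src": req.remote_addr,
            "session": req.session_customer_id,
            "path": req.path,
            "outcome": outcome,
        })


def harvest(handler, id_range, session=None, src="203.0.113.9"):
    """What the attacker did: walk the predictable ids and keep every record
    that came back with a usable (unmasked) card number."""
    leaked = []
    for cid in id_range:
        status, body = handler(Request(f"/customer/{cid}", session, src))
        if status == 200 and body.get("pan", "").isdigit():
            leaked.append(cid)
    return leaked


def suspicious_sources(log, threshold=3):
    """After-the-fact check over the audit log: sources with repeated denials,
    which is what probing and rescanning of this kind would look like."""
    counts = {}
    for entry in log:
        if entry["outcome"] == "denied":
            counts[entry["src"]] = counts.get(entry["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("vulnerable leaks:", harvest(vulnerable_handler, range(1000, 1005)))
    print("hardened leaks:  ", harvest(hardened_handler, range(1000, 1005)))
    print("suspicious:      ", suspicious_sources(AUDIT_LOG))
```

Against the vulnerable handler, walking five consecutive ids yields both card records and leaves the audit log empty, which is exactly the position the victim was in: no way to tell which records were read. Against the hardened handler the same walk yields nothing, and the five denied lookups from one source are enough for `suspicious_sources` to single it out. The hardened version still stores the full card number; not holding it at all is the stronger fix, but that is beyond what the column describes.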

Aftermath

When the incident was discovered, the first action was to stop the losses by stopping the technical attack and contacting the company lawyer. The lawyer led the company to private detectives who would protect the company as much as possible without involving the relevant police agency unless and until it was necessary and appropriate. The private detectives indicated to their client that the apparent foreign nexus and the level of financial loss were such that notifying the FBI or Secret Service would be an appropriate next step; however, the client opted to maintain control of the investigative process, help its customers limit their losses, and avoid all publicity. The technical attack was severed by internal systems administrators once they understood it, and an external penetration study was ordered to see whether an outsider could find any more obvious external vulnerabilities in a few days of effort. Several were found and mitigated, but no substantial effort was made to improve the overall architecture, which had several other problems that would allow different techniques to achieve the equivalent result in a different manner. The financial aftermath created lots of paperwork for lots of people, and the perpetrators were never tracked down or otherwise pursued by the company. They decided that it was in their best interest to make certain that the customers were not unduly inconvenienced, by helping them to recover, and that further effort would not be fruitful. Visa/MC may have followed up with criminal proceedings, and the losses to the corporate account holders were limited. We all paid for it in our credit card interest rates.

Mitigation

Mitigation is a complex issue in a small to medium-sized business. The decisions described here include those taken by the company. Clearly other courses of action might have been taken. Remember that the typical business owner is acting in their own interest and not that of the general public.

• Cut off the attack: The attack had characteristics that allowed it to be rapidly severed, and this was done without any substantial attempt to track down the perpetrators. Some audit information was gleaned, and the attackers tried re-entry several times after being cut off, followed by attempts to rescan for new vulnerabilities over the next few days.

• Call the credit card company: The next step taken was to call the credit card processing company (Visa in this case) and give them a list of the credit card account numbers that were potentially stolen. This prevented the fraud from getting worse and limited losses to clients. It was considered a service to the clients to do so, since otherwise they would have been individually inconvenienced by the need to report it on their own.

• Notify the customers: This is almost always the hard part. The victim had to notify its entire customer base of the situation, which meant loss of face to say the least. They didn't know which customers had been targeted, but they put as good a face on it as they could.

• Mitigate due diligence risks: The security review this company undertook probably met the requirements for due diligence and little more. While they do not want to be ripped off again in this way, they don't think that they will be, and they figure that they weathered this storm and will be able to weather others if they need to.

If I sound a bit disenchanted with this case it is because I am. This is the sort of thing that makes it worthwhile to be a criminal and it taxes my willingness to tolerate those who tolerate lawlessness. The people who take from others do so because they don't think about or care about who they hurt. The so-called victims in this case seem to me to care only about their business and not about the greater good. So we all pay the price of their lack of vigilance.

Conclusions

The obvious conclusion is that hundreds of thousands of dollars a week in losses (or gains, depending on which side of the law you are on) are pretty easily attained. You look for ripe targets with simple and free tools, and use obvious and free exploits to gain the information you need to perpetrate frauds. You then use this information at reasonable levels and walk away with loads of money or goods. You can do this for quite a while if you take little enough from enough people, and apparently this is done quite a bit. If you move about on a month-by-month basis, the odds of getting caught are small and you can likely keep it up for at least a few years without much difficulty. As in virtually all such cases, criminals get caught either by luck, by staying too long, by taking too much, or by taking from the wrong people. In this case, they took from the right people and they took the right amounts. Did they stay too long? I will likely never know because these individuals, as far as I can tell, have not yet been caught. Could they be caught? Probably yes, if anyone decided to take it upon themselves to do so. Will they be? Not unless or until they take from the wrong organization or stay too long.

Any similarity between the characters or events in this article and any real persons or situations is strictly coincidental... however... The story you have just read is true. Only the names have been changed to protect the innocent.

About The Author:

Fred Cohen is helping clients meet their information protection needs at Fred Cohen & Associates and Security Posture and doing research and education as a Research Professor in the University of New Haven's Forensic Sciences Program.

Normalization and Deconfliction

Peter Stephenson

In last month's column we started the correlation process. This early work simply looked at individual pieces of evidence as they might relate to other pieces of evidence. However, there are some potential pitfalls if we stop here. First, digital evidence can be ambiguous. In other words, we can see the same event reported by various sources in various ways. Are we really looking at the same event, or are we looking at different ones? The second issue is that events may be reported in unusual ways, leading the analyst to believe that the event occurred multiple times when, in fact, it did not. We need processes to analyze all the events that are reported and to help us understand the actual data that we are seeing. Fortunately, we actually have two: normalization and deconfliction. Those two processes will be the topics of this month's offering.