With business email compromise, click farms, synthetic identities, and omnichannel attacks, Danny Bradbury explores how the pickings for fraudsters have never been richer
The Greek sea merchant Hegestratos was the first recorded fraudster. He tried to commit loan fraud by sinking his boat, but got caught and drowned. He wouldn’t have recognized today’s rip-offs, with their advanced techniques and technologies.
Today, fraud is at an all-time high. It has also evolved at a breakneck pace, with adversaries using everything from email to SIM swapping in their bids to pull a fast one.
“When you first think about fraud, you think of misuse, misrepresentation and deception around the activities you’re doing,” says Kimberly Sutherland, vice-president of fraud and identity at LexisNexis Risk Solutions. That opens up a wide variety of categories, ranging from business email compromise (where attackers persuade employees to send money to fraudulent accounts) through to ad fraud, where crooks operate vast networks of ‘click farms’ to increase the visibility of their clients’ apps and promote positive reviews.
One of the fastest-growing categories of fraud is account takeover (ATO). The rising number of online accounts serving consumers and businesses, together with the poor practices used to secure them, makes for rich pickings for fraudsters, who can co-opt them in several ways.
Some ATOs target high-value individuals, warns Mike Lynch, CSO and chief product officer at anti-fraud AI company Deep Labs, who spent several years working anti-fraud at Bank of America. Fraudsters will use spear-phishing emails or socially engineer call center employees to gain access.
Crooks have automated this process for lower-value accounts, he continues, using login credentials harvested from hacked databases and sometimes sold online. “They can rent a box – they don’t even have to create their own – and they can test these credentials across different organizations,” explains Lynch. As people frequently reuse their passwords, their Facebook credentials might well also access their bank.
Why would a fraudster need access to an account that may have hardly any money in it? Trace Fooshee, senior analyst at research and consulting company Aite Group and former head of fraud strategy for SunTrust Bank, explains that they need ‘drop accounts’ that exist solely for receiving and cashing out stolen funds. “The fraudsters seem to have a nearly endless inventory of drop accounts (also known as mule accounts) at their disposal,” he says. “This has been one of the factors that has contributed to the unusually expansive scale of ATO attacks recently.”
Synthetic Identities
Many fraudsters don’t bother stealing accounts at all; they’ll just create their own. Synthetic identity fraudsters will use fake data such as phone numbers and email addresses to create identities that they can use to apply for credit. Using children’s social security numbers and ruining their credit rating before they’re even adults is a popular and deplorable trick. Companies sometimes don’t validate the data, explains Sutherland.
“When synthetic identities first came out, they involved simple things like getting a credit card in your dog’s name,” she says. “It’s much more sophisticated than that now.”
Today, fraudsters will work with a company that issues credit to a synthetic ID, increasing the credit limit. Sutherland calls this “proper care and feeding.” That’s what a ring of New Jersey fraudsters led by Babar Qureshi did in a spree that saw them run up $200m in credit using over 7000 fabricated identities. They would apply for credit cards using fake information and then make small purchases, paying the cards down regularly. When their credit was high enough, they would burn the account by maxing out the credit limit and not paying it off.
Often, Sutherland says, fraudsters can work these scams by favoring human-assisted application processes rather than online ones that might be more likely to verify information automatically. Likely targets include call centers and in-person loan applications at places like car dealerships.
That said, the rise of online transactions has definitely made it easier for some kinds of fraud. Yinglian Xie, CEO of AI-based anti-fraud company DataVisor, explains that the rise of online tax filing processes in the US has made fraud more straightforward.
“Our research team learned that there are many cases where attackers could obtain information about individuals living overseas, for example,” she says. Fraudsters file tax claims on the victim’s behalf and cash in on the refund cheques.
Omnichannel Fraud
The rise in technology tools at the average person’s disposal has led to another development: omnichannel fraud. Customers now demand to deal with companies through various channels, ranging from phone to online. That has expanded the avenues for fraud, explains Aite’s Fooshee.
This fraud can span several channels. For example, a fraudster can use an online app to attempt a fraudulent payment, deliberately triggering detection and the transmission of a one-time SMS passcode alert to the victim. They’ll then call the victim pretending to be from the bank’s security group and dupe them into giving them the code. Then, they’ll call the bank’s fraud department with the code to allow the payment. “It’s a form of social engineering that requires the coordination of cross-channel communications,” Fooshee tells Infosecurity.
It can also straddle different industries. Another common tactic is SIM swapping, in which the attacker takes direct control of the victim’s cell phone account immediately before taking over their bank account, he warns. They can produce falsified credentials at a franchised mobile merchant and ask to upgrade their equipment. “Then they have what they need to intercept SMS text alerts from the victim’s bank if/when they detect potentially fraudulent activity,” he explains.
Some fraudsters don’t even bother SIM swapping, explains Lynch. Instead, they’ll just call the phone company and ask them to forward the victim’s number to their phone. “Fraudsters are smart enough to reverse it back to the consumer’s number, so the consumer probably had no idea that this even happened,” he warns. That means a company can’t just rely on its own security; it has to verify whether the telco has bank-grade security too.
The stakes are rising as more interactions make their way onto omnichannel platforms. Aside from customer demands for increasing convenience, regulators are also driving financial services companies to omnichannel interactions, warns Kris Lovejoy, global cybersecurity leader at EY.
“You’ve got stuff happening like the EU’s Payment Services Directive (PSD2), which requires that banks doing business in Europe open up access for data aggregators and payment services,” she says. “You’re also beginning to see discussions about this open banking technology paradigm become more relevant within the US.”
This means that banks will end up interacting with app vendors rather than the users themselves, she warns, which will make fraud detection harder. She worries that the security of mobile apps isn’t keeping up with the risk, and believes that the apps are playing a bigger part in omnichannel fraud.
“We’re receiving a ton of malware-infected applications being delivered to the unsuspecting user, and that application is being used for credential and other kinds of PII data collection,” she says.
This is due, in part, to companies’ reliance on third-party application vendors, she argues. Many of them bolt together applications using third-party libraries and don’t verify them properly.
“They’re creating these amalgam applications that they’re delivering to their clients very quickly, with no security built inside,” she says. The underlying software in these apps can then harvest data from the phone, including the app’s login credentials and other PII.
AI for White Hats & Black Hats
As these frauds become more complex, mitigating them is getting more difficult. Rather than using simple hard-coded rules based on individual data points such as credit card charges, companies must analyze data from multiple sources, say experts.
Sutherland talks of correlating digital and physical activities to find warning signs. “If I see that there are 50 different individuals tied to one phone number, that seems a little risky,” she says.
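The kind of cross-source correlation described above, sketched as an added example (it is not code from the article or from any vendor named in it). It links applications from several channels by normalized phone number and flags numbers tied to many distinct identities. The record fields, sample data, function names and the threshold of 4 are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample applications, one list per channel (all values are made up).
APPLICATIONS = {
    "online": [
        {"name": "Ana Ruiz", "dob": "1988-03-02", "phone": "(201) 555-0142"},
        {"name": "Ben Cole", "dob": "1991-11-17", "phone": "201-555-0142"},
        {"name": "Ida Moss", "dob": "1979-06-30", "phone": "201-555-0177"},
    ],
    "call_center": [
        {"name": "Cal Dunn", "dob": "2001-01-09", "phone": "+1 201 555 0142"},
        {"name": "ana ruiz ", "dob": "1988-03-02", "phone": "2015550142"},
    ],
    "dealership": [
        {"name": "Dee Park", "dob": "1995-08-21", "phone": "201.555.0142"},
        {"name": "Jo Moss", "dob": "1981-02-14", "phone": "(201) 555-0177"},
    ],
}

def normalize_phone(raw):
    """Reduce a phone string to its last 10 digits (assumes US-style numbers)."""
    return re.sub(r"\D", "", raw)[-10:]

def identity_key(rec):
    """Treat case/whitespace variants of the same name + DOB as one person."""
    return (" ".join(rec["name"].lower().split()), rec["dob"])

def link_by_phone(applications):
    """Map phone -> {identity: set of channels that identity appeared in}."""
    links = defaultdict(lambda: defaultdict(set))
    for channel, records in applications.items():
        for rec in records:
            links[normalize_phone(rec["phone"])][identity_key(rec)].add(channel)
    return links

def flag_shared_phones(applications, threshold=4):
    """Return phones tied to >= threshold distinct identities, worst first."""
    findings = []
    for phone, people in link_by_phone(applications).items():
        if len(people) >= threshold:
            channels = sorted(set().union(*people.values()))
            findings.append({"phone": phone, "identities": len(people), "channels": channels})
    return sorted(findings, key=lambda f: -f["identities"])

if __name__ == "__main__":
    print("all channels:", flag_shared_phones(APPLICATIONS))
    for ch, recs in APPLICATIONS.items():  # each silo alone stays under the threshold
        print(ch, flag_shared_phones({ch: recs}))
```

Run against each channel separately, nothing is flagged; the shared number only stands out once the three sources are combined.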
As the data volumes and the number of data sources grow, companies are adopting AI-based solutions. Deep Labs and DataVisor are among a growing number of vendors using machine learning to spot patterns in large volumes of data and alert clients to potential fraud. These tools look at things like login events, location, access patterns, the device used to access an account and the activities conducted on it.
The big problem is getting hold of that data. “A company can be very siloed, so its own lines of business don’t talk to each other, or they don’t share information across the contact channel or even across geographies,” Sutherland says. Even if they do, it can be difficult correlating information from business partners, especially across national boundaries and with GDPR and other privacy regulations making it harder to exchange information.
AI may help companies to battle fraud but it isn’t always a force for good, warns Abhishek Gupta, founder of the Montreal AI Ethics Institute. He warns that with the evolution of generative adversarial networks, people are getting better at faking audio and video. Before long, attackers might replicate someone’s voice on a phone call.
“There are things that are immutable, like your fingerprint and your voice,” he says, warning that the more attackers can fake, the more they can convince others they are you. “Combining that with other pieces of your identity could create this digital clone of you that can be used to perpetrate fraud of any kind.”
With modern fraud evolving so quickly, attackers can make millions without leaving an armchair. Who needs to bother sinking boats with all those opportunities?