Cyber Fraud - The New Frontiers

Posted on 29-Jun-2015


Transcript of Cyber Fraud - The New Frontiers

CYBER FRAUD: THE NEW FRONTIERS

Albert Hui GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC
Principal Consultant

2014 Asia-Pacific Fraud Conference, November 17th 2014 @ Hong Kong

WHO AM I?

• Spoken at Black Hat, High Tech Crime Investigation Association (Asia Pacific Conference), and Economist Corporate Network.

• Risk Consultant for Banks, Government and Critical Infrastructures.

• SANS GIAC Advisory Board Member.

• Co-designed the first Computer Forensics curriculum for Hong Kong Police Force.

• Former HKUST Computer Science lecturer.

Albert Hui GREM, GCFA, GCFE, GNFA, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, CISM, CRISC
Principal Consultant

albert@securityronin.com

FOCUS

• Cyber Fraud
• External Fraud
• Mechanisms and Facilitators

AGENDA

Overview of 2 Prominent Fraud Scenarios
• Phishing / Whaling
• Man-in-the-Browser

Monetization
• Hacker Supply Chain
• Underground Economy
• Money Laundering

Cyber Security Countermeasures

Copyright © 2014 Albert Hui

PHISHING: FROM AN END-USER PROBLEM TO A CORPORATE PROBLEM

CLASSIC PHISHING SCAM: NIGERIAN LETTER


ADVANCE-FEE SCAM IS 200+ YEARS OLD

“Spanish Prisoner” scam letter from 1905


PHISHING EVOLUTION

[Diagram: phishing variants plotted on two axes, “more targeted” and “more transparent”: phishing, spear phishing, whaling, pharming]

WHALING EXAMPLE

[Diagram; label: trojan]

CLASSIC PHISHING AND WHALING COMPARED

Classic Phishing
• Ridiculous contents
• Opportunistic
• Straightforward financial scam

Whaling
• Make-believe contents
• Targeted
• Lateral compromises possible, often leads to corporate espionage

CYBER KILL CHAIN

Recon → Weaponize → Deliver → Exploit → Install → C2 → Action

MONETIZATION: TURNING EXPLOITS INTO CASH

SOME MONETIZATION POSSIBILITIES

[Diagram: a compromised computer linked to the assets it gives access to]
• bank accounts
• credit cards
• file server
• customer data
• stored values (e.g. Q-coins, Taobao credit)

MAN-IN-THE-BROWSER ATTACK: SPOOFED SCREENS

[Diagram; label: trojan (e.g. Zeus)]

MAN-IN-THE-BROWSER ATTACK: REAL-TIME REDIRECT

[Diagram; label: trojan (e.g. Zeus)]

FOOD CHAIN

Fraud Rings (can launder money “safely”)

Hackers (cannot)

MONEY LAUNDERING

MONEY MULES


STORED VALUES


HACKER SUPPLY CHAIN

[Diagram: Anon Payment, Hacker Tools / Bulletproof Hosting, Monetization]

Implications
• Sophisticated attacks now available to non-experts
• Lower breakeven point for attacks
• More “worthwhile” targets

UNDERGROUND ECONOMY

BITCOIN FOR MONEY LAUNDERING
• Dark Wallet
• CoinJoin

HIDDEN INTERNET
• Dark Net / Deep Web (e.g. Silk Road)
• The Onion Router (Tor)

CYBER SECURITY COUNTERMEASURES

PHILOSOPHY

Defender’s Dilemma
• Must secure all possible vulnerabilities

Intruder’s Dilemma
• Must evade all detections

Reason’s Swiss Cheese Model (picture from NICPLD)

ESSENTIALS FOR DETECTING CYBER ATTACKS

• Layered defense-in-depth
• Redundant security (e.g. two different brands of firewalls)
• Security event correlation (e.g. SIEM)
• Trustworthy logging
• Up-to-date threat intelligence
• Security awareness and reporting channel
• Incident response capability (e.g. CSIRT)
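The kill chain slide earlier and the correlation and logging items in this list come together in a concrete SIEM rule. The following is an added example, not code from the slides or from Albert Hui: it normalises three constructed log feeds (a mail gateway, an endpoint agent and a web proxy; their line format, field names, hostnames and the mailbox-to-workstation mapping are assumptions for the demo), tags each suspicious event with a kill-chain stage, and alerts only when one host shows Deliver, Exploit and C2 in that order within a two-hour window.

```python
"""Kill-chain-stage correlation across several log sources.

Added example, not code from the slides. Three constructed log feeds (mail
gateway, endpoint agent, web proxy) are normalised, each event is tagged with
a kill-chain stage (Deliver, Exploit, C2), and an alert is raised when a single
host shows those stages in order within a time window. Log formats, field
names, hostnames and the mailbox-to-host mapping are all assumptions for the
demo, not any vendor's real syntax.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source> k=v k=v ..."
MAIL_LOG = [
    "2014-11-17T09:01:10 mailgw to=cfo@example.com attach=invoice.docm verdict=macro",
    "2014-11-17T09:03:42 mailgw to=intern@example.com attach=photo.jpg verdict=clean",
]
ENDPOINT_LOG = [
    "2014-11-17T09:05:03 edr host=WS-CFO parent=WINWORD.EXE child=powershell.exe",
    "2014-11-17T11:40:00 edr host=WS-INTERN parent=explorer.exe child=notepad.exe",
]
PROXY_LOG = [
    "2014-11-17T08:00:00 proxy host=WS-DEV dst=192.0.2.44:8443 cat=uncategorized ua=-",
    "2014-11-17T09:05:30 proxy host=WS-CFO dst=198.51.100.7:443 cat=uncategorized ua=-",
    "2014-11-17T09:20:00 proxy host=WS-INTERN dst=203.0.113.9:443 cat=news ua=Mozilla",
]
# Assumed asset mapping (in practice this comes from the CMDB / directory)
MAILBOX_TO_HOST = {"cfo@example.com": "WS-CFO", "intern@example.com": "WS-INTERN"}

KV_RE = re.compile(r"(\w+)=(\S+)")
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
STAGE_ORDER = ["Deliver", "Exploit", "C2"]  # the kill-chain stages observable in these feeds


def parse(line, source):
    """Turn one log line into a dict of k=v fields plus a parsed timestamp and source tag."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV_RE.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts)
    ev["source"] = source
    return ev


def classify(ev):
    """Map a normalised event to a kill-chain stage, or None if it looks benign.

    Three deliberately simple rules: a macro-bearing attachment (Deliver), an
    Office process spawning a script host (Exploit), and an outbound connection
    to an uncategorised destination with an empty User-Agent (C2).
    """
    if ev["source"] == "mail" and ev.get("verdict") == "macro":
        ev["host"] = MAILBOX_TO_HOST.get(ev.get("to"), "unknown")
        return "Deliver"
    if (ev["source"] == "edr" and ev.get("parent", "").upper() in OFFICE_APPS
            and ev.get("child", "").lower() in SCRIPT_HOSTS):
        return "Exploit"
    if ev["source"] == "proxy" and ev.get("cat") == "uncategorized" and ev.get("ua") == "-":
        return "C2"
    return None


def correlate(logs_by_source, window=timedelta(hours=2)):
    """Return one alert per host whose tagged events cover STAGE_ORDER, in order, within `window`."""
    per_host = defaultdict(list)
    for source, lines in logs_by_source.items():
        for line in lines:
            ev = parse(line, source)
            stage = classify(ev)
            if stage is not None:
                per_host[ev["host"]].append((ev["ts"], stage))

    alerts = []
    for host, events in per_host.items():
        events.sort()  # chronological order
        idx, first_ts, last_ts = 0, None, None
        for ts, stage in events:
            if stage == STAGE_ORDER[idx]:  # next expected stage, strictly after the previous one
                first_ts = first_ts or ts
                last_ts = ts
                idx += 1
                if idx == len(STAGE_ORDER):
                    break
        if idx == len(STAGE_ORDER) and last_ts - first_ts <= window:
            alerts.append({"host": host, "stages": list(STAGE_ORDER),
                           "start": first_ts, "end": last_ts})
    return alerts


def run():
    """Correlate the constructed feeds and return the alert list."""
    return correlate({"mail": MAIL_LOG, "edr": ENDPOINT_LOG, "proxy": PROXY_LOG})


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['host']}: {' -> '.join(a['stages'])} between {a['start']} and {a['end']}")
```

Each rule on its own would page an analyst many times a day (WS-DEV trips the C2 rule in the sample and is correctly ignored); what makes the sequence worth an alert is that the stages appear on the same host in kill-chain order, which is the correlation the SIEM bullet refers to. The host-level join also shows why trustworthy logging matters: if an intruder can suppress or rewrite the endpoint agent's events, the chain never completes and the attack stays below the alert threshold.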


[Diagram: people, process, technology]

ANY QUESTIONS?

???

THANK YOU

albert@securityronin.com