In our previous blog, we highlighted how fraudsters conduct reconnaissance for fraud activities.
Banking malware, trojans, worms and botnets such as Zeus Panda, Ramnit and Trickbot have typically been used to infect consumer PCs in order to harvest personal data and online login credentials, including those for banking sites. Not all weaponization, however, is malware-related.
In fact, non-malware attacks are often just as effective, because they do not require the resources and the many steps it takes to monetize access gained through computer network operations.
Fraud actors still benefit significantly from the data that computer network operations collect, because it cuts down the number of steps they have to take to obtain legitimate accounts.
Typical Seven Step Monetization Process of Computer Network Operations
Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command and Control -> Action (exfiltration, ransomware, selling stolen information on the dark web, etc.)
Typical Four Step Monetization Process of Fraud
Reconnaissance -> Weaponization -> Delivery/Account Takeover -> Action (empty the account, send business email compromise lures, etc.)
Identity and Account-related Weaponization
The Cyber Kill Chain can, in principle, be applied to other types of online account fraud affecting financial institutions, retailers and technology companies alike.
Beyond advanced adversaries, even less sophisticated fraudsters can commit various types of identity fraud in order to carry out account takeovers, new account fraud and even account farming.
This works against both consumer accounts and business or enterprise customer accounts, by weaponizing victims' PII or by using company registration and financial/tax data.
After the reconnaissance stage of identifying victim PII or sensitive company registration data, fraudsters weaponize digital identity and account-related data in the following ways.
Account Takeover Attack Methods
SIM Swap
First, the victim receives a phishing lure masquerading as an SMS message from their mobile carrier, typically claiming that a refund is being issued for a previous overcharge.
The link in the message leads to a page that prompts the victim to enter personal and banking information, which is recorded and sent directly to the threat actor.
Clicking the link also confirms to the attacker that the phone number is an active line.
With the stolen information in hand, the threat actor can look up the victim's carrier online and call it.
The attacker answers the carrier's identity questions using the victim's personal data, convinces the carrier that they are the legitimate subscriber, and has the phone number moved to a SIM card that the attacker controls.
Now in control of the mobile number, the threat actor receives the SMS-based two-factor authentication codes and password-reset messages that were supposed to protect the victim's online bank account.
Triggering a password reset on each account and completing it with the code delivered to the hijacked number finishes the takeover. The bank's SMS check is therefore only as strong as the carrier's customer-service identity verification.
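The defensive counterpart to the SIM swap chain above is to stop trusting SMS the moment the number's SIM or carrier has changed. The following is an added example, not Nisos code: it assumes a carrier lookup that reports when a number's SIM was last changed or ported (several carriers and CPaaS vendors expose such data; the field names here are assumptions) and combines that with the service's own record of when the customer last changed their phone number. All records are constructed inline.

```python
"""SIM-swap-aware gating of SMS one-time codes (added example, not Nisos code).

The carrier lookup supplying last_sim_change / last_port is assumed to exist;
the records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Actions where an intercepted SMS code hands the attacker the whole account.
HIGH_RISK_ACTIONS = {"password_reset", "add_payee", "wire_transfer", "change_phone"}


@dataclass
class PhoneRecord:
    number: str
    last_sim_change: Optional[datetime]  # None = carrier data unavailable
    last_port: Optional[datetime]        # number moved to another carrier


@dataclass
class AccountRecord:
    username: str
    phone_changed_at: Optional[datetime]  # when the number was changed on OUR side


def _within(ts: Optional[datetime], now: datetime, window: timedelta) -> bool:
    return ts is not None and now - ts <= window


def sms_otp_decision(phone, account, action, now,
                     sim_window=timedelta(days=7),
                     phone_change_window=timedelta(days=3)):
    """Decide whether an SMS code may be sent for `action`.

    Returns (decision, reasons) where decision is one of:
      "allow"     send the SMS code
      "step_up"   do not rely on SMS alone; require a non-SMS factor as well
      "deny_sms"  SMS is untrustworthy right now; use a non-SMS factor only
    """
    reasons = []
    # A recent SIM change or port is exactly the footprint of a SIM swap:
    # whoever holds the number now may not be the customer.
    if _within(phone.last_sim_change, now, sim_window):
        reasons.append("sim_changed_recently")
    if _within(phone.last_port, now, sim_window):
        reasons.append("number_ported_recently")
    if reasons:
        return "deny_sms", reasons

    # A number changed on the account itself may be the attacker's own line.
    if _within(account.phone_changed_at, now, phone_change_window):
        reasons.append("account_phone_changed_recently")
    # With no carrier data at all, do not let SMS alone authorise a high-risk action.
    if phone.last_sim_change is None and action in HIGH_RISK_ACTIONS:
        reasons.append("no_carrier_data_for_high_risk_action")
    if reasons:
        return "step_up", reasons
    return "allow", reasons


# Constructed demo data (not real subscribers); numbers are in the fictional 555-01xx range.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
CLEAN = PhoneRecord("+1-555-0100", NOW - timedelta(days=400), NOW - timedelta(days=400))
SWAPPED = PhoneRecord("+1-555-0101", NOW - timedelta(days=1), None)
UNKNOWN = PhoneRecord("+1-555-0102", None, None)
OLD_ACCOUNT = AccountRecord("alice", NOW - timedelta(days=30))
NEW_NUMBER_ACCOUNT = AccountRecord("bob", NOW - timedelta(hours=6))

if __name__ == "__main__":
    for label, phone, acct, action in [
        ("swapped SIM, login", SWAPPED, OLD_ACCOUNT, "login"),
        ("clean SIM, number changed on account", CLEAN, NEW_NUMBER_ACCOUNT, "login"),
        ("no carrier data, wire", UNKNOWN, OLD_ACCOUNT, "wire_transfer"),
        ("clean SIM, old number, wire", CLEAN, OLD_ACCOUNT, "wire_transfer"),
    ]:
        print(f"{label:40} -> {sms_otp_decision(phone, acct, action, NOW)}")
```

The windows are deliberately conservative: a legitimate customer who just replaced a lost phone will be asked for a second factor for a week, which is a far cheaper failure than a drained account. The check does nothing against the carrier-side weakness itself, so the longer-term fix is to offer app-based or hardware factors and make them the default for high-risk actions.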
Credential Stuffing
Credential stuffing is the use of username and password pairs obtained from a data breach of one service to attempt logins on another, unrelated service.
For example, an attacker may take a list of usernames and passwords from a breach at a department store and try the same credentials on another retailer's site.
The attacker is betting that some fraction of the department store's customers also have an account at that retailer and reused the same username and password for both.
Brute Force
Brute force attacks attempt to guess passwords with no prior knowledge of the target's credentials, enumerating character combinations or working through lists of common passwords. Unlike credential stuffing, which typically tries each stolen pair once, brute forcing concentrates many attempts on a single account.
Adversaries targeting financial institutions often build tooling specifically designed to brute force login credentials on online banking websites.
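The two techniques above leave different footprints in authentication logs, and telling them apart matters for the response: a brute-forced account needs a lockout, while a successful credential-stuffing hit needs a forced password reset because the password is already public. The following detector is an added example, not Nisos tooling; the log format, thresholds and sample events are constructed for the example and are assumptions to adapt to your own auth logs.

```python
"""Separating credential stuffing from brute force in authentication logs.

Added example, not Nisos tooling.  The log format below is constructed for
the example; adapt LINE_RE to your own auth logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one stuffing source, one brute-force source, one
# user who mistyped a password once.  Addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.7 user=eve result=FAIL
2024-03-01T10:00:03Z src=203.0.113.7 user=frank result=OK
2024-03-01T10:00:03Z src=203.0.113.7 user=grace result=FAIL
2024-03-01T10:00:04Z src=203.0.113.7 user=heidi result=FAIL
2024-03-01T10:05:00Z src=198.51.100.9 user=carol result=FAIL
2024-03-01T10:05:01Z src=198.51.100.9 user=carol result=FAIL
2024-03-01T10:05:01Z src=198.51.100.9 user=carol result=FAIL
2024-03-01T10:05:02Z src=198.51.100.9 user=carol result=FAIL
2024-03-01T10:05:02Z src=198.51.100.9 user=carol result=FAIL
2024-03-01T10:05:03Z src=198.51.100.9 user=carol result=FAIL
2024-03-01T10:07:10Z src=192.0.2.33 user=dave result=FAIL
2024-03-01T10:07:25Z src=192.0.2.33 user=dave result=OK
this line is not a login event
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts the source got into


def parse_log(text):
    """Aggregate login events per source address; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(m["user"])
    return stats


def classify(stats, min_attempts=5, stuffing_ratio=0.8):
    """Label each source.

    Credential stuffing: many attempts, almost every one against a different
    account (each stolen pair is tried once), mostly failing because most
    breach victims have no account here.
    Brute force: many attempts concentrated on one or two accounts.
    """
    verdicts = {}
    for src, s in stats.items():
        if s.attempts < min_attempts:
            verdicts[src] = "benign"
            continue
        distinct_ratio = len(s.users) / s.attempts
        fail_ratio = s.failures / s.attempts
        if distinct_ratio >= stuffing_ratio and fail_ratio >= 0.5:
            verdicts[src] = "credential_stuffing"
        elif len(s.users) <= 2 and fail_ratio >= 0.8:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "benign"
    return verdicts


def compromised_accounts(stats, verdicts):
    """Accounts that logged in successfully from a source judged malicious:
    these need a forced password reset, not just a blocked IP."""
    return sorted(
        user
        for src, s in stats.items()
        if verdicts.get(src) != "benign"
        for user in s.successes
    )


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    verdicts = classify(stats)
    for src, label in verdicts.items():
        print(f"{src:15} {label}")
    print("reset these accounts:", compromised_accounts(stats, verdicts))
```

Per-source counting is the naive form: real stuffing campaigns are spread over residential proxy pools with one or two attempts per address, so in production the same ratios should also be computed globally (failed logins for usernames the service has never seen, grouped by client fingerprint or ASN) rather than per IP alone.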
Phishing and Social Engineering
Another method is an email sent to the victim that appears to come from someone in the victim's contact list.
Such an email usually carries a link that may deliver an exploit or malware giving direct access to the user's device; in the fraud case, it instead tricks the user into taking an action.
For example, the fraudster may ask for the victim's credentials in order to take over their email account, or convince them to wire money to a fraudulent account, as in business email compromise schemes.
Fraudsters can also use social engineering against telecommunications companies to carry out the SIM swap attacks described above; by doing so, they can bypass SMS-based authentication on most of the victim's personal accounts, not only the phone account itself.
Stolen Account Purchase
Fraudsters can also purchase previously stolen accounts on the underground economy.
Typically, after a computer network operation succeeds and its operators set out to monetize the exfiltrated accounts, fraud actors buy those accounts online, often in closed forums.
Fraudsters in certain regions and cultures, however, are less worried about law enforcement and whether they will get caught.
Nisos researchers are observing a significant volume of illicit account sales on open forums as well as on social media platforms and in messenger groups.
New Account Fraud
Identity Fraud (Stolen Identity)
Consumers' personal information is stolen, or bought on the black market, and used without their knowledge.
This includes names, addresses, dates of birth, SSNs and employer information.
Fraudsters use the victims' real identities to their advantage, opening accounts and making purchases.
The victims are usually unaware of the fraud until it shows up on their credit file or they are notified by their bank or a collections department.
Synthetic Identity Fraud
Synthetic identity fraud is a type of fraud in which a criminal combines real and fabricated information to create a new identity.
The real information is usually stolen, and in many cases fraudsters use the social security numbers and other sensitive data of individuals who are not yet in the credit system, such as children.
This information is used to open fraudulent accounts and make fraudulent purchases.
Threat actors take the stolen social security numbers and couple them with false names, addresses and even dates of birth.
Because there is no clearly identifiable victim in this kind of fraud, it often goes unnoticed and is not necessarily monetized right away: a fraud actor can open accounts and use them responsibly to build up credit over months or years before making a sizable purchase down the road.
Account Farming
Account farming involves creating accounts in bulk and then developing and aging them so that they look established.
Individuals and groups that conduct this type of activity are not often categorized as fraudsters, but may be considered account "abusers."
While the most common reason for account farming is financial gain, farmed accounts could potentially be used for a variety of other purposes, including running disinformation campaigns or conducting social engineering.
Strategies account abusers typically undertake include the following:
- Using automated tools for bulk account creation
- Using teams of humans for creating and raising hundreds of accounts
- Account renting or selling
- Single or bulk purchase of accounts
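The first two strategies above (automated bulk creation and teams registering hundreds of accounts) leave a registration-time footprint that is cheap to look for. The following is an added example, not Nisos tooling: it collapses sub-addressed and dot-variant email addresses back to one mailbox, which is how a single operator registers many "different" accounts against one inbox, and flags source addresses that create several accounts inside a short window. The signup records and field layout are constructed for the example.

```python
"""Detecting bulk account creation at registration time (added example, not Nisos tooling).

Signup records are (timestamp, email, source_ip) tuples constructed inline;
the layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(addr: str) -> str:
    """Collapse sub-addressing and Gmail dot variants to one mailbox.

    Only Gmail ignores dots in the local part; for other domains the dots are
    significant and are kept.  '+tag' suffixes are dropped for every domain
    because most providers route them to the base mailbox.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def collapsed_mailboxes(signups, min_size=2):
    """Return {normalized_email: [raw emails]} for mailboxes registered more than once."""
    groups = defaultdict(list)
    for _, email, _ in signups:
        groups[normalize_email(email)].append(email)
    return {key: raw for key, raw in groups.items() if len(raw) >= min_size}


def burst_sources(signups, window=timedelta(hours=1), min_size=5):
    """Return the source IPs that created >= min_size accounts inside any `window`."""
    by_ip = defaultdict(list)
    for ts, _, ip in signups:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_size:
                flagged.add(ip)
                break
    return flagged


# Constructed sample registrations: one farmer behind 203.0.113.50 registering
# six aliases of the same Gmail mailbox in 25 minutes, plus organic signups,
# including a NAT address that produces three signups spread over a day.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SIGNUPS = [
    (T0 + timedelta(minutes=0), "j.doe@gmail.com", "203.0.113.50"),
    (T0 + timedelta(minutes=3), "jdoe+1@gmail.com", "203.0.113.50"),
    (T0 + timedelta(minutes=7), "j.d.o.e+2@googlemail.com", "203.0.113.50"),
    (T0 + timedelta(minutes=12), "JDoe+shop@Gmail.com", "203.0.113.50"),
    (T0 + timedelta(minutes=18), "jd.oe@gmail.com", "203.0.113.50"),
    (T0 + timedelta(minutes=25), "j.doe+promo@googlemail.com", "203.0.113.50"),
    (T0 + timedelta(hours=2), "maria.lopez@example.org", "192.0.2.10"),
    (T0 + timedelta(hours=0), "sam@example.net", "198.51.100.4"),
    (T0 + timedelta(hours=2), "kim@example.net", "198.51.100.4"),
    (T0 + timedelta(hours=5), "lee@example.net", "198.51.100.4"),
]

if __name__ == "__main__":
    for mailbox, raw in collapsed_mailboxes(SIGNUPS).items():
        print(f"{mailbox}: {len(raw)} registrations -> {raw}")
    print("burst sources:", burst_sources(SIGNUPS))
```

Both signals are easy for a determined farmer to evade (fresh domains, proxy pools), so they work best as inputs to a risk score that delays or reviews the account rather than as hard blocks; false positives here are real customers on shared NAT or corporate egress, which is why the burst threshold is a count inside a window rather than a daily total.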
In our next blog, we will discuss how fraudsters deliver the fraudulent activity and take over accounts.
Later blogs will also discuss how we at Nisos disrupt such activity with our clients.