How technology changed fraud investigations. Jean-François Legault Senior Manager Analytic & Forensic Technology June 13, 2011

Size: px

Start display at page:

Download "How technology changed fraud investigations. Jean-François Legault Senior Manager Analytic & Forensic Technology June 13, 2011"

Owen Wheeler
5 years ago
Views:

1 How technology changed fraud investigations Jean-François Legault Senior Manager Analytic & Forensic Technology June 13, 2011

2 The Changing Cyberfraud Landscape Underground Economy Malware Authors Organized Crime Money Mule Net 3rd-Party Enablers Corporate Enablers Insiders Command & Control Cyber-Criminal Network Cyber-Criminal Tools & Techniques Spam Phishing Social Engineering Botnets Social Networking Cloud Computing Compromised Websites Compromised Websites Internet Threat Vectors Business Infrastructure Partners Web Remote Access Customers Business Processing Partners No Detective Controls Unencrypted System Rogue Device Insecure Protocole Signature-Based controls Unauthorized USB Devices Vulnerable System or App Corporate Entity Malicious Insider Careless User Vendors & Contractors Rogue Access Guests & Visitors Consequences Data Loss Identity Theft Unauthorized Access Copyright Infringement Unavailable Systems Data Destruction Damage to Brand 1 How technology changed fraud investigations

3 The Underground Economy An entire underground economy has been built for the purpose of stealing, packaging, and reselling electronic information. Compromise Acquire Enrich and Validate Sell Monetize Stolen Data Drop Sites Payment Gateways ecommerce Sites emoney On-Line Gambling Phishing Keyloggers Instant Messaging Bank Wire Transfer Botnet Service Spammer Botnet Owners Data Validation Service Carding Forums Retailers Drop Service Malware Distribution Service Data Acquisition Service Data Mining & Enrichment Data Sales Cashing $ Malware Authors Identity Collectors Credit Card Cashers Cyber Criminals 2 How technology changed fraud investigations

4 Products of Cybercrime Overall Rank Item Percentage 2010 Price Ranges Credit card information 22% 19% $0.07-$ Bank account credentials 16% 19% $10-$ accounts 10% 7% $1-$ Attack tools 7% 2% $5-$ addresses 5% 7% $1/MB-$20/MB 6 7 Credit card dumps 5% 5% $0.50-$ Full identities 5% 5% $0.50-$ Scam hosting 4% 2% $10-$ Shell scripts 4% 6% $2-$ Cash-out services 3% 4% $200-$500 or 50%-70% of total value 3 How technology changed fraud investigations

5 Products of Cybercrime Item Bulk Prices Observed Unit Price 10 credit cards for $17 $1.70 Credit card information 100 credit cards for $100 $ credit cards for $300 $ credit cards for $50 $0.07 Credit card dumps 101 dumps for $50 $0.50 Full identities 30 full identities for $20 $ full identities for $50 $0.50 Source : Symantec Global Internet Security Threat Report 4 How technology changed fraud investigations

6 Let s Not Forget Classic Financial Fraud Corruption Asset Misappropriation Fraudulent Statements Conflict of Interest Bribery Extortion Financial Non-Financial Cash Non-Cash Cash Larceny Skimming Fraudulent Disbursements Inventory Intellectual Property 5 How technology changed fraud investigations

7 From how we investigate it 6 How technology changed fraud investigations

8 Strategize the forensic collection and examination Identify ALL sources of evidence Forensic preservation Identify types of forensic analysis relevant to the case Cull down data review set Conceptual review platform 7 How technology changed fraud investigations

9 The Forensic Acquisition Logical Forensic A forensic image versus a logical image Forensic imaging captures a bit by bit image of the entire drive, including space where deleted material may exist Forensic images leave no finger print suspects cannot tell that the image has been made, no date or time stamps will be changed Turning on a suspect machine and viewing data files and/or making a copy of the data files can immediately compromise evidence 8 How technology changed fraud investigations

10 Forensic Acquisitions Network Acquisitions Straight Hard-Drive Acquisitions Virtual Acquisitions Forensic Acquisitions Cloud Acquisitions Mobile Device Acquisitions 9 How technology changed fraud investigations

11 Cloud Computing Structure Runs ON Runs ON Cloud Layer (Type) When Is It Used? Example Software as a service (SaaS) Platform as a service (PaaS) Infrastructure as a service (IaaS) (there is also HIaaS Hardware Infrastructure as a service) The complete end to end functionality of a software service and all of the underlying services are to be hosted entirely by an external provider A service that is to be developed by an organization, but they want to accelerate development by utilizing external pre-built platforms that run on a pre-built infrastructure A service is to be developed by an organization on their own platforms but hosted externally on a pre-built infrastructure/storage Space Google Applications, Salesforce.com, Online Tax Applications Microsoft Azure (OS, Databases, etc.), Google App Engine Amazon Elastic Compute Cloud, VMware, Citrix Investigation, e-discovery, and incident response can be very difficult as environments are very distributed and heavily abstracted 10 How technology changed fraud investigations

12 The Forensic Acquisition Mobile Acquisition Forensic images can be acquired from many device mobiles, ipads, ipods, BlackBerrys, music and video players, portable game devices, etc. 11 How technology changed fraud investigations

13 Trends in Computer Forensics Growing volumes of data storage More live forensic analysis Merging of computer forensics into e-discovery Hardware and software based encryption Increased pressure to comply to e-discovery and forensics legislation Increased use of powerful handheld devices Volatile memory forensics 12 How technology changed fraud investigations

14 To how we view evidentiary data 13 How technology changed fraud investigations

Self-Organizing Map Makes sense of complex, high dimensional data Considers large volumes of data from disparate sources Six-dimensional view of variables to provide insights as to the potential for

15 Self-Organizing Map Makes sense of complex, high dimensional data Considers large volumes of data from disparate sources Six-dimensional view of variables to provide insights as to the potential for inappropriate activities Makes no assumptions into the inter-relationships A concept based on proximity and similarity Is able to predict future behaviour based on historical insights Clusters (black lines) are determined to optimally group like customers together 14 How technology changed fraud investigations

16 Transaction flow 15 How technology changed fraud investigations

17 Table 2: Account 3 16 How technology changed fraud investigations

18 Contact Jean-François Legault, M. Sc How technology changed fraud investigations

Cybercrime and Information Security for Financial Institutions. AUSA Jared M. Strauss U.S. Attorney s Office So. District of Florida

Cybercrime and Information Security for Financial Institutions AUSA Jared M. Strauss U.S. Attorney s Office So. District of Florida Defining Cybercrime Stealing and Monetizing Financial and Identity Data