The Rise of Cyber Threat Intelligence in the War on Internet Fraud

Stolen digital information accelerates and enables fraud. This simple truth is changing the way organizations think about protecting themselves from fraudsters. A recent example drives the point home. Ridesharing has become part of daily life; Uber and Lyft are ubiquitous across the United States and abroad. Not long ago, someone began ordering rides and then contacting the drivers by phone, which is possible because rideshare applications expose the driver's phone number once a ride is hailed. The fraudster spoofed the calling number so that it appeared to come from the rideshare company's headquarters, then told the driver to cancel the ride with "Mark," the name the driver recognized as the waiting passenger, and pull over. Most drivers, seeing the familiar number and hearing the caller name the passenger they were about to pick up, complied immediately. The fraudster then walked the driver through an exhaustive review of the billing settings, eventually claiming that payments were not being deposited correctly and asking the driver to enter a new account number, which the fraudster supplied. The drivers, assuming they would not be paid otherwise, entered it. All future earnings for those drivers were then funneled to an offshore account.

Intelligence, as a discipline, has existed for thousands of years. Governments and enterprises use it to direct defensive and offensive resources where they are most needed. Cyber intelligence, the gathering of digital intelligence for the defense of networks, brands, and software systems, can be applied the same way to detect or minimize fraud attempts.

Stolen Data, Sold on the Dark Web, Provides Fraudsters Sought-after Credibility

The likelihood of a fraud scheme's success rises sharply when the perpetrator gains credibility. In the rideshare case, that credibility most likely came from institutional knowledge of how the rideshare system works, perhaps because the fraudster had worked at the company or driven for it. The hurdle every successful fraudster must clear is obtaining enough information to appear legitimate. In the past, this required some access to the institution, an insider, or similar (see any bank heist or con-man movie).

Today, fraudsters operate within a much broader and more complex cybercrime landscape, because we live in the age of the breach. Almost daily, companies disclose data breaches, most of which expose Personally Identifiable Information (PII) about the company's constituents, partners, customers, and employees. Leaked corporate documents reveal business processes, intellectual property, and systems information. Breaches also expose credentials, passwords, and digital certificates.

Aside from the direct network-intrusion risks, data breaches pose an even bigger threat through the fraud schemes they enable. Much of the stolen information ends up for sale, or freely available, on underground digital marketplaces. Many of these markets require special network software to reach. The Tor network provides an anonymous vehicle for accessing the "dark web," where marketplaces that buy and sell illicit goods, including PII, for digital currency are numerous. Hundreds of marketplaces on Tor and the dark web advertise billions of PII records for sale. Because the market is largely commoditized and saturated, PII and related corporate data are inexpensive, sometimes costing just a few cents per record.

Tor grew out of onion-routing research at the U.S. Naval Research Laboratory, with the goal of an anonymity network overlaid on the internet that conceals who is communicating with whom. Today, access to Tor and its marketplaces gives a would-be fraudster near-unlimited access to critical data. Much of the data for sale is company-specific and bolsters the fraudster's understanding of the victim organization's assets, systems, and processes. The corresponding PII provides the credibility. Armed with this information, a perpetrator can call the helpdesk at an insurance company with client specifics at hand; credibility with the agent is established easily, and the theft begins. If one client record does not work, it hardly matters, because the perpetrator has thousands more. Perhaps she doesn't need to call at all: she already has the login for the client portal.

Cyber Threat Intelligence: The War on Fraud’s New Front

There are a number of ways to combat this kind of fraud. Aside from good cyber security hygiene, which includes a risk-appropriate defense program, threat hunting, incident response, and digital forensics, Cyber Threat Intelligence can be used as part of a comprehensive cyber fraud risk mitigation program. Cyber threat intelligence and reconnaissance descend from military and nation-state intelligence disciplines: governments use intelligence to tell leadership and the military where to allocate defensive and offensive resources. The same paradigm applies to cyber defense.

As a discipline, threat intelligence has been around for roughly a decade and has matured over time. The first iterations were feeds of known-bad Internet Protocol (IP) addresses and Uniform Resource Locators (URLs). Implemented correctly, and pruned as indicators age (stale entries mostly generate false positives), these feeds saved time and resources by telling defensive systems which traffic to block. The next iteration looked more like traditional government intelligence: analysts logged into criminal forums on the open internet and the dark web, gathered what was said, and reported it back to enterprises and governments in intelligence reports that described comprehensive attack campaigns and Advanced Persistent Threats (APTs) aimed at particular industries. The consumer of the intelligence then positioned defenses and detection capabilities around it. In the era of the daily breach, cyber intelligence has morphed further still.

Today, cyber intelligence providers use software to mine markets, conversations, forums, and other sources for customer-specific data. The moment a post mentions a company, the company is notified and given the supporting forensic data. Detecting the monetization of stolen data benefits the enterprise in several ways. Learning of a potential breach from the intelligence provider, rather than from a customer or the authorities, lets the enterprise triage the situation on its own terms and get ahead of negative publicity. And if the stolen data has intrinsic security value, the company can quickly apply countermeasures, such as locking or reissuing the exposed credentials and certificates.

In fraud prevention or assessment programs, the intelligence data can be correlated with client data to produce a risk score for an individual account. For example, if an insurance provider's call center receives an inbound call about an account whose holder's information is known to be compromised or for sale, the record can be flagged as high risk, triggering additional screening of the caller before any change is made. The same data can be applied at the front end of account provisioning, to determine whether a new account is being created with identifiers linked to a known breach and, if so, to apply further scrutiny before granting access. Two practical points: the match has to be made on normalized identifiers (case, whitespace, and phone formatting vary between a breach dump and a customer record), and the correlation store should hold hashed identifiers rather than the raw PII purchased or recovered from the feed.
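The correlation step described in the last two paragraphs (notification of exposed data, then account-level risk scoring and a provisioning check), as an added example written for this page rather than taken from the article or from either author's firm: identifiers from a constructed intelligence feed are normalized and hashed so the lookup table holds no raw PII and formatting differences do not hide a match, each hit is weighted by how recently it was observed and by whether a credential was exposed, and the result is mapped to the control a call center or onboarding flow would apply. The record layout, the point values, the recency buckets, and the sample records are all assumptions.

```python
"""Correlate threat-intelligence exposure records with customer accounts.

Added illustration, not code from the article, GroupSense or Grant Thornton.
The record layout, the hashing scheme, the point values and the recency
buckets are assumptions; the sample records below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Exposure:
    """One intelligence record: an identifier seen for sale or posted."""
    indicator_hash: str        # SHA-256 of the normalized identifier, never raw PII
    kind: str                  # "email" | "phone" | "account_id"
    source: str                # market, forum or paste site where it was observed
    observed: date             # when the provider saw it
    includes_credential: bool  # a password or session token was exposed as well


def normalize(kind: str, value: str) -> str:
    """Canonicalize so that formatting differences do not hide a match."""
    value = value.strip()
    if kind == "email":
        return value.lower()
    if kind == "phone":
        digits = "".join(ch for ch in value if ch.isdigit())
        return digits[-10:]  # assumption: compare the national significant digits
    return value


def fingerprint(kind: str, value: str) -> str:
    """Hash kind and normalized value so the lookup table holds no raw PII."""
    return hashlib.sha256(f"{kind}:{normalize(kind, value)}".encode()).hexdigest()


class ExposureIndex:
    """Hash-keyed index over the provider's exposure records."""

    def __init__(self, exposures: List[Exposure]) -> None:
        self._by_hash: Dict[str, List[Exposure]] = {}
        for exposure in exposures:
            self._by_hash.setdefault(exposure.indicator_hash, []).append(exposure)

    def lookup(self, kind: str, value: str) -> List[Exposure]:
        return self._by_hash.get(fingerprint(kind, value), [])


def recency_weight(observed: date, today: date) -> float:
    """Fresh exposures weigh most; an old record still counts, but less."""
    age_days = (today - observed).days
    if age_days <= 90:
        return 1.0
    if age_days <= 365:
        return 0.5
    return 0.25


def score_account(account: Dict[str, str], index: ExposureIndex, today: date) -> dict:
    """Score one account (identifier kind -> value) against the exposure index.

    Returns the 0-100 score, a level, the matched evidence and the controls
    a call-center or account-servicing workflow should apply.
    """
    total = 0.0
    reasons: List[str] = []
    credential_exposed = False
    for kind, value in account.items():
        for exposure in index.lookup(kind, value):
            base = 70 if exposure.includes_credential else 30
            total += base * recency_weight(exposure.observed, today)
            credential_exposed = credential_exposed or exposure.includes_credential
            reasons.append(f"{kind} seen on {exposure.source} ({exposure.observed.isoformat()})")
    score = min(int(round(total)), 100)
    level = "high" if score >= 70 else "elevated" if score >= 30 else "low"
    actions: List[str] = []
    if level != "low":
        actions.append("step-up verification before any account change")
    if credential_exposed:
        actions.append("lock credential and force reset")
    return {"score": score, "level": level, "reasons": reasons, "actions": actions}


def screen_new_account(applicant: Dict[str, str], index: ExposureIndex, today: date) -> str:
    """Provisioning check: any link to breach data routes the applicant to manual review."""
    return "manual_review" if score_account(applicant, index, today)["reasons"] else "proceed"


# Constructed sample feed and reference date (not real exposure data).
TODAY = date(2019, 6, 1)
SAMPLE_EXPOSURES = [
    Exposure(fingerprint("email", "j.doe@example.com"), "email", "market-A", date(2019, 5, 20), True),
    Exposure(fingerprint("phone", "+1 (555) 010-0199"), "phone", "forum-B", date(2018, 11, 2), False),
    Exposure(fingerprint("email", "old.lead@example.net"), "email", "paste-C", date(2017, 1, 15), False),
]
INDEX = ExposureIndex(SAMPLE_EXPOSURES)

if __name__ == "__main__":
    caller = {"email": "J.Doe@Example.com", "phone": "555-010-0199"}
    print(score_account(caller, INDEX, TODAY))
    print(screen_new_account({"email": "old.lead@example.net"}, INDEX, TODAY))
```

The two sample outcomes show why the call-center and provisioning checks differ: an inbound caller whose e-mail and password were seen on a market twelve days ago scores high and gets both step-up verification and a forced reset, while an applicant whose address appeared only in a two-year-old paste scores low but is still sent to manual review, because at onboarding any link to breach data is grounds for scrutiny.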

Organizations that proactively manage their fraud risks understand that staying on top of emerging threats requires regular fraud risk assessments and robust anti-fraud controls. Fraudsters adapt their tactics, share lessons, and find new ways to steal. In this evolving landscape, cyber fraud threatens organizations large and small, public and private. Organizations that build cyber threat intelligence into their fraud risk mitigation efforts can stay ahead of the fraudster, preventing loss, protecting their customers, and preserving their reputation.

This article was written collaboratively by Kurtis Minder, CEO at GroupSense and Linda Miller, who leads the Fraud Risk Mitigation Practice at Grant Thornton, LLP.