Don’t be April Fooled by Cyber Fraud

Author: Heather Antoinetti

With losses skyrocketing past $1.4 billion, cyber fraud is no laughing matter. Last year alone, over 300,000 consumers reported cyber fraud and malware attacks to the FBI’s Internet Crime Complaint Center (IC3). In celebration of a fool’s holiday, we thought we’d share a few interesting tools and scenarios we’ve seen recently, so without further ado and in no particular order, here they are.

Free Website Cloner

Phishing just got easier thanks to a free tool called “httphish.” Its feature set includes a keylogger and fast redirection back to the original website once the victim’s credentials have been captured, which lowers the chance that the victim notices anything wrong. This tool promises to be a real crowd pleaser among fraudsters.

The screenshot above shows the listing for the website cloning tool on a darkweb market.

A real example of domain squatting

While conducting regular monitoring for a retail banking client, a GroupSense analyst identified a URL closely resembling the client’s, but registered by an unknown individual. On visiting the site, the analyst was presented with a login screen that looked exactly like the client’s official login screen, prompting users to enter their ATM/debit card number and password. It appears that whoever registered the fake site is using it to collect online banking credentials.

None of this activity results from a failure of the client’s own defensive security practices, yet it still poses a threat to the client’s customers and brand. External threats like this are why organizations should proactively monitor for misuse of their brand.

Fake Apps

Threat actors look to exploit the trust consumers place in popular brands and government agencies, which makes fake applications another popular technique. Fake apps can harvest personal data and credit card information and distribute malware. Mobile users search for and download applications quickly, often without verifying that the app is the genuine one.

One of the many conditions GroupSense monitors for is false or spoofed websites and applications. In one recent case, an analyst identified several Android applications sharing characteristics with our client’s legitimate mobile application. The fake applications contained malware and were built to look like the legitimate app, with the intention of installing spyware on the devices that downloaded them. Tools like the website cloner mentioned above make this sort of activity much easier by reducing the skill a threat actor needs to clone a site, distribute malware, and redirect the unsuspecting user back to the official site before the malicious activity is discovered.

Because these illicit applications never touch the brand’s legitimate properties, they go undetected unless the organization includes proactive brand and dark web monitoring in its security program, and many organizations have not yet done so. Cloning and spoofing are on the rise because they do not require the threat actor to access the target’s network, which lets the scam run without interruption.

Credit card validity checker

GroupSense researchers recently spotted a product called “Anotat” on a popular dark web market. This handy gem of a tool performs two primary functions: verifying the validity of credit card numbers, and receiving verification SMS messages from major service providers, including Google.

Anotat is just the most recent in a slew of similar products showing how fraudsters constantly look for new ways to bypass two-factor authentication (2FA) and endanger millions of users. Once scammers can confirm that a stolen card is live and has value, they sell the card data for profit. Similar tools exist for gift cards.

The screenshot above shows a posting on a popular dark web market advertising a credit card validity checker tool.

Brute force tools

There are troves of brute force tools available. In fact, GroupSense recently published a blog about a brute force tool called Facebom, which specifically targets Facebook.

In this example, a vendor called “CrackerPro” is offering a brute force tool that tests “combo lists” against a particular website login portal. Combo lists of leaked email address and password pairs can be found across the deep and dark web, and on their own they are of limited use, because only a small fraction of the pairs will work against any given site. CrackerPro’s tool addresses this by automatically trying every pair against the target portal, turning readily accessible combo lists into a usable attack. This is why it is so important to practice good password hygiene and to avoid password reuse. Organizations should also consider credential monitoring to gain early warning when an employee’s credentials are compromised.


The screenshot above shows a posting on a darkweb forum advertising a brute force tool.

GroupSense clients have experienced the impact of tools like this firsthand. In one case, the threat actor offered a proof of concept, and our team took them up on it. We watched the tool easily and successfully gain access to one of our customer’s web properties. The maturity of the marketplace and of the tools it traffics in is evident. In this case we were able to obtain a copy of the software and provide supporting data to the client, which allowed them to make the necessary adjustments to the web property to mitigate the threat.
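The combo-list tool in this section and the card checker in the previous one leave the same trace on the defender’s side: a single source making many attempts in a short time, each against a different account or card number, with most of them failing. (The post does not say how Anotat checks a card; testing numbers by attempting authorizations against a merchant is the common approach, and that is the behaviour assumed here.) The following is an added example, not code from the original post or from GroupSense, of detection logic a web or payment team could run over its own logs to surface that pattern. The log formats, IP addresses, field names and thresholds are constructed for illustration.

```python
"""Flag sources cycling through many stolen credentials or card numbers.

Added example, not part of the original post. Log formats, addresses and
thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source: str   # client IP
    target: str   # account name, or a hash of the card number
    ok: bool      # did the attempt succeed?


# Two hypothetical log formats: a web login and a payment authorization.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) AUTH card_hash=(?P<card>[0-9a-f]+) result=(?P<res>APPROVED|DECLINED)$")


def parse_line(line):
    """Normalise one log line into an Attempt, or None if it is not recognised."""
    for rx, success in ((LOGIN_RE, "OK"), (AUTH_RE, "APPROVED")):
        m = rx.match(line.strip())
        if m:
            target = m.groupdict().get("user") or m.group("card")
            return Attempt(datetime.fromisoformat(m.group("ts")), m.group("ip"),
                           target, m.group("res") == success)
    return None


def find_abusive_sources(attempts, window=timedelta(minutes=5), min_attempts=8,
                         min_distinct_targets=6, max_success_ratio=0.25):
    """Return {source: (attempts, distinct_targets, successes)} for every source
    that, inside some `window`, made at least `min_attempts` against at least
    `min_distinct_targets` different targets with a success ratio at or below
    `max_success_ratio`. Real users retry the same account or card a few times;
    stuffing and card-testing tools rotate through many different ones."""
    by_source = defaultdict(list)
    for a in attempts:
        by_source[a.source].append(a)
    flagged = {}
    for source, events in by_source.items():
        events.sort(key=lambda a: a.ts)
        j = 0
        for i in range(len(events)):
            j = max(j, i)
            # Advance j to the first event that falls outside the window opened at i.
            while j < len(events) and events[j].ts - events[i].ts <= window:
                j += 1
            win = events[i:j]
            targets = {a.target for a in win}
            successes = sum(a.ok for a in win)
            if (len(win) >= min_attempts and len(targets) >= min_distinct_targets
                    and successes / len(win) <= max_success_ratio):
                flagged[source] = (len(win), len(targets), successes)
                break
    return flagged


def detect(lines):
    """Parse a list of log lines and return the flagged sources."""
    return find_abusive_sources([a for a in map(parse_line, lines) if a is not None])


# Constructed sample logs (not real traffic). One IP works through ten combo-list
# entries in ten seconds and hits one; a legitimate user mistypes a password twice.
LOGIN_LOG = [
    f"2019-04-01T10:00:{i:02d} 198.51.100.7 POST /login user=user{i}@example.com "
    f"result={'OK' if i == 6 else 'FAIL'}" for i in range(10)
] + [
    "2019-04-01T10:02:10 203.0.113.5 POST /login user=alice@example.com result=FAIL",
    "2019-04-01T10:02:25 203.0.113.5 POST /login user=alice@example.com result=FAIL",
    "2019-04-01T10:02:40 203.0.113.5 POST /login user=alice@example.com result=OK",
]
# One IP tests nine different cards in forty seconds and finds one that is live.
AUTH_LOG = [
    f"2019-04-01T11:00:{i * 5:02d} 192.0.2.9 AUTH card_hash={0xc0de00 + i:06x} "
    f"result={'APPROVED' if i == 3 else 'DECLINED'}" for i in range(9)
] + ["2019-04-01T11:00:20 192.0.2.44 AUTH card_hash=beef01 result=APPROVED"]

if __name__ == "__main__":
    for name, log in (("logins", LOGIN_LOG), ("card authorizations", AUTH_LOG)):
        for src, (n, distinct, ok) in detect(log).items():
            print(f"{name}: {src} made {n} attempts on {distinct} targets, {ok} succeeded")
```

The thresholds are the part a real deployment has to tune: a shared corporate NAT address or a payment gateway will legitimately produce many distinct targets from one source, so in practice the source key is often widened to include device fingerprint or session, and the success ratio is what separates an attacker from a busy but legitimate client.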

You can protect your organization from falling victim to fraudsters

Cyber fraud presents an especially difficult challenge because in many cases it does not require the fraudster to gain access to your network. Monitoring for fraud therefore requires an external view: constant vigilance across the surface, deep and dark web for evidence of your company’s information. It requires monitoring your brand: watching for websites with URLs similar to yours, tracking whether someone is using your brand to collect information or payments, and checking whether information obtained from your organization is being sold or shared for free on dark web markets. Social media can play a big part in how fraudsters conduct their schemes, so monitoring those platforms is critical as well.
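The lookalike URL from the domain squatting case earlier in this post, and the “websites with URLs similar to yours” this section says to watch for, can be triaged automatically before an analyst looks at them. Below is an added example, not code from the original post or from GroupSense, of the scoring a feed of newly observed domain names could be run through. The brand domain acmebank.com, the observed domains and the thresholds are fictional assumptions; the TLD split is deliberately naive, and real code should use the Public Suffix List.

```python
"""Score observed domain names for resemblance to a protected brand domain.

Added example, not part of the original post. The brand, the observed domains
and the thresholds are fictional assumptions.
"""

# Substitutions that make a label look right at a glance: digit-for-letter,
# "rn" for "m", "vv" for "w", and hyphens inserted into the brand name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("-", "")]


def canonical(label):
    """Collapse the confusable substitutions so that visually similar labels compare equal."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Naive split into (subdomain labels, registrable label, tld). This treats the
    last label as the suffix; production code should consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def assess(domain, brand_domain):
    """Classify one observed domain against the brand's real domain.
    Returns (verdict, reason), verdict being 'official', 'lookalike' or 'unrelated'."""
    domain = domain.lower().strip(".")
    if domain == brand_domain.lower():
        return "official", "the brand's own domain"
    _, brand_label, _ = split_domain(brand_domain)
    brand = canonical(brand_label)
    subs, sld, tld = split_domain(domain)
    c = canonical(sld)
    if sld == brand_label:
        return "lookalike", f"brand name under a different TLD (.{tld})"
    if c == brand:
        return "lookalike", "homoglyph or hyphenated spelling of the brand"
    limit = 2 if len(brand) >= 8 else 1          # longer names tolerate a second typo
    d = levenshtein(c, brand)
    if d <= limit:
        return "lookalike", f"edit distance {d} from the brand"
    if brand in c:
        return "lookalike", "brand name embedded with extra words"
    if any(brand in canonical(s) for s in subs):
        return "lookalike", "brand name used as a subdomain"
    return "unrelated", f"edit distance {d}"


def triage(observed, brand_domain):
    """Return only the domains worth an analyst's time, each with its reason."""
    flagged = {}
    for d in observed:
        verdict, reason = assess(d, brand_domain)
        if verdict == "lookalike":
            flagged[d] = reason
    return flagged


BRAND = "acmebank.com"   # fictional brand domain
# Constructed observations, as a registration or certificate feed might deliver them.
OBSERVED = ["acmebank.com", "acmebank.net", "acrnebank.com", "acm3bank.com",
            "acme-bank.com", "acmebnak.com", "acmeblank.com", "acmebank-login.com",
            "acmebank.secure-verify.example", "bank.com", "example.com"]

if __name__ == "__main__":
    for d, why in triage(OBSERVED, BRAND).items():
        print(f"{d:32} {why}")
```

The output is a queue, not a verdict: a flagged domain still needs the step the analyst in the banking case took, visiting it (from an isolated system) to see whether it hosts a cloned login page, and then the takedown or blocklist action that follows.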

It never hurts to talk. If you are concerned your organization would have difficulty spotting fraud, talk to an expert at GroupSense.