One of the commonest ways in which online fraud is carried out is via phishing, the general name given to the process of a fraudster contacting a third party with a view to attempting to acquire confidential information from them. Nearly 450,000 distinct phishing attacks were identified in 2013, resulting in a total estimated financial loss of almost $6 billion[5]. Phishing is frequently carried out via the use of a fraudulent website which copies the 'look-and-feel' of the legitimate website for the brand under attack (with a 2014 study finding that over 22% of all attacks made use of fake banking websites[6]). The website, which is under the control of the fraudster, typically encourages customers to log in, so as to allow the fraudster to collect the user-names and passwords which are entered. In many cases, customers are directed to these phishing sites via embedded links in fraudulent e-mails purporting to originate from the organisation in question. However, in other cases, fraudsters have been found to purchase sponsored-ad space from popular search engines, so that advertisements for their fake sites appear in response to customer searches for the brand name in question. Some of the most convincing phishing attacks occur when the fraudster specifically registers a brand-specific domain name for the purpose of constructing the phishing site; a 2015 study found that over 27,000 domain names had been most probably registered specifically by fraudsters for use in phishing attacks, in the second half of 2014 alone[7].
Figure 1: Example of a fraudulent banking website using a brand-specific domain name (hsbcprivatebank.org.uk)
There are a number of steps which can be taken by businesses to mitigate the risks associated with phishing. A comprehensive brand-protection programme should attempt to identify phishing sites in at least the following three ways:
- Monitoring for the registration of brand-specific domain names which may subsequently be used for the hosting of fraudulent sites.
- General Internet searching and crawling to identify suspicious sites.
- Monitoring (via the use of 'spam traps') for the appearance of e-mails which are directing customers towards phishing sites.
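The first of these three monitoring activities can be illustrated with a small domain-watch script. This is an added example, not part of the original post: it takes a constructed feed of newly registered domain names (the two brand-specific domains quoted in the post plus invented ones), normalises each registrable label, and flags names that contain a watched brand or are a single-character misspelling of it. The brand list and look-alike mapping are assumptions for the example.

```python
import unicodedata

# Constructed watch-list for this example; the two domains named in the post appear in SAMPLE_FEED.
BRANDS = ["hsbc", "cocacola"]

# Digits commonly substituted for letters in typosquats, folded back to letters before matching.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def normalise_label(domain):
    """Lower-case, keep the registrable label (first label of the name), fold accents,
    drop hyphens and map look-alike digits to letters."""
    label = domain.lower().strip().rstrip(".").split(".")[0]
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return label.replace("-", "").translate(LOOKALIKES)

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def matching_brands(domain):
    """Return (brand, reason) pairs explaining why a registration deserves review."""
    label = normalise_label(domain)
    hits = []
    for brand in BRANDS:
        if brand in label:
            hits.append((brand, "contains"))
        elif edit_distance(label, brand) <= 1:
            hits.append((brand, "near-miss"))
    return hits

def flag_registrations(feed):
    """Scan a list of newly registered domains and keep only those that reference a brand."""
    return [(d, matching_brands(d)) for d in feed if matching_brands(d)]

# Constructed sample feed: the first two names are quoted in the post, the rest are invented.
SAMPLE_FEED = ["hsbcprivatebank.org.uk", "cocacolagroup.co.uk", "h5bc-login.example",
               "hsbe.example", "example.com"]

if __name__ == "__main__":
    for domain, reasons in flag_registrations(SAMPLE_FEED):
        print(domain, reasons)
```

A real programme would feed this from zone-file or registrar data and queue each hit for human review before any enforcement notice is sent.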
Following the identification of a phishing site, the priority will be the rapid implementation of a process of enforcement to have the site deactivated. The exact mechanism of enforcement will vary from case to case but, frequently, the submission of a notice to the registrar or hosting provider of the site will result in a successful deactivation, since the use of a website for fraudulent purposes will be in contravention of the Acceptable-Use Policies of most providers.
It is also advisable to educate customers on techniques for avoiding falling victim to phishing scams. The most fundamental is for customers to check the domain name within any link on which they click, but other tips (such as checking for the presence of HTTPS URLs, and the use of an up-to-date security product on their computer) can also be helpful.
A second familiar type of scam is the advance-fee fraud, or '419' scam (named after the article of the Nigerian Criminal Code covering this type of fraud). Most usually, this is perpetrated via the use of an e-mail, often purporting to originate from a trusted organisation, and promising the recipient a sum of money, a lottery prize, or an offer of employment. Following a subsequent period of correspondence with the sender, the recipient is asked to send a 'fee', which is then ultimately just retained by the fraudster. As with phishing scams, many of the most convincing 419s make use of brand-specific domain names, either for use in the production of an associated fake site, or to allow the construction of plausible originating e-mail addresses ('from' addresses) for the scam mails. In these cases, many of the available monitoring and enforcement techniques will be similar to those available for phishing sites. For instances which do not make use of specially-registered domain names (e.g. those using webmail addresses for making contact with victims), and which do not use associated fake websites, it is generally the case that the only means of detection is via the use of spam traps to identify the e-mails in question. The process of enforcement will then generally involve deactivation of the e-mail addresses (or telephone numbers) being used by the fraudsters; many providers of webmail or telephone services will shut down an address or number, providing it is possible to supply them with evidence of the use of that address/number for fraudulent purposes (e.g. a copy of the original scam e-mail).
Figure 2: Example of a scam e-mail comprising an advance-fee ('419') fraud and making use of the e-mail functionality of a non-legitimate, brand-specific domain name (cocacolagroup.co.uk)
In other cases, fraudsters may make use of malicious software ('malware'), which can be spread to users' computers by convincing them to open an infected attachment in a malicious e-mail, or by visiting a site (and usually also clicking a hyperlink) which is infected. Two common types of malware which are relevant to the perpetration of online fraud include:
- Keyloggers, which record sequences of keypresses (such as entered passwords) on a user's computer, and then transmit this information back to the fraudster.
- DNS-poisoning malware, which affects the technical configuration of a user's computer in such a way that the user can be directed to a fraudulent site even if the correct (legitimate) domain name is entered into their browser.
Protection against malware generally falls under the responsibility of individual Internet users, through the use of an effective Internet-security product. However, brand owners can also:
- Monitor for the online appearance of brand-specific material in conjunction with malicious content, and instruct the hosting providers of any such sites to deactivate them.
- Educate their customers to avoid opening attachments in unsolicited e-mails or visiting unfamiliar websites.
- Make use of additional technical 'work-arounds', such as the use of 'virtual keyboards' (on which text can be entered via a series of mouse clicks) on log-in pages, to circumvent keyloggers.
Once log-in details (or other associated contact details and/or financial information) have been stolen by criminals, they are in many cases then 'traded' online as a commodity. This trade may take place in totally private forums (such as password-protected chat channels), but can also occur in other environments which can be monitored to some degree (e.g. social media, website-based forums or 'carder' websites on the regular Internet, 'Deep' or 'Dark' Web). In many cases, it may not be possible to have these websites deactivated (for example, in cases where the sites are hosted in geographies where enforcement is difficult, or where the domain-name registrars or hosting providers are non-compliant with takedown requests). However, it is still advantageous to monitor for the online appearance of compromised customer details (e.g. by searching for credit-card numbers in the format known to relate to a particular financial-service provider), so that compromised accounts can be identified and 'locked' as quickly as possible.
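The monitoring step described above can be shown in code. This is an added example, not part of the original post: it scans a constructed block of pasted text for card-number-like digit runs, discards anything that fails the Luhn checksum, keeps only numbers whose issuer prefix (BIN) belongs to the provider being protected, and returns them masked so the alert itself does not carry a usable number. The BIN list is a placeholder and the card numbers are standard test values, not real accounts.

```python
import re

# Placeholder BIN (issuer-prefix) list for the provider whose customers we protect.
# A real programme would load the provider's own BIN ranges; this value is constructed.
OWN_BINS = ("411111",)

# Candidate 13-19 digit runs, allowing single spaces or hyphens between groups as pasted in dumps.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Luhn (mod 10) checksum: rejects most random or mistyped digit strings."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        n = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def mask(pan):
    """Keep the BIN and last four digits only, for use in an account-lock alert."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_own_cards(text):
    """Return masked PANs in `text` that pass Luhn and start with one of OWN_BINS."""
    seen, found = set(), []
    for m in CANDIDATE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if pan in seen or not luhn_valid(pan) or not pan.startswith(OWN_BINS):
            continue
        seen.add(pan)
        found.append(mask(pan))
    return found

# Constructed sample of pasted text using well-known test card numbers, not real accounts.
SAMPLE_POST = """fresh batch, all checked
4111 1111 1111 1111 | 12/26
5555-5555-5555-4444 | 01/27
4111111111111112 | 09/25
order ref 20150214123457
"""

if __name__ == "__main__":
    print(find_own_cards(SAMPLE_POST))
```

Only the first line survives all three filters: the second carries another issuer's prefix, the third fails the Luhn check, and the reference number fails both.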
Figure 3: Example of a 'carder' website on the Dark Web
In addition to 'classic' brand-protection techniques, however, businesses may also find it beneficial to employ other strategies to protect their customers, such as offering them free anti-virus and malware-protection products, and insuring them against being personally liable for financial losses arising from fraudulent activity.
[6] http://media.kaspersky.com/en/Kaspersky-Lab-KSN-report-Financial-cyber-threats-in-2013-eng-final.pdf