Leveraging External Threat Intelligence to Reduce the Impact of Cyber Fraud
May 20th, 2019
Financial cyber fraud is on the rise around the world. Earlier this year, IntSights recorded a 212 percent year-over-year increase in credit card data posted on dark web forums and black markets. This significant uptick in exposed credit cards causes headaches for consumers and the financial institutions that issue the cards alike. We recently hosted a webinar, How to Reduce the Cost of Financial Fraud Using External Intelligence, to arm you with the knowledge and tools you need to use cybercriminal activity to your advantage and mitigate the risk of compromised credit cards before they are leaked.
This blog will break down some of the common types of financial cyber fraud, sources you can use to monitor hacker activity, new hacker strategies for stealing credit card or bank account information, and best practices for automating discovery and mitigation to reduce fraud costs.
The Most Common Types of Financial Cyber Fraud
Stolen credit cards are among the most commonly found goods available for purchase in dark web black markets and other hacker hangouts. The primary motivation for stealing or acquiring credit card information is clear: They can be used – or stolen – almost everywhere on Earth, and have relatively few risks with high rewards for cybercriminals.
Recycling old credit cards is a common practice among hackers and other threat actors. It makes monitoring for new card numbers difficult because you need to sort through a lot of outdated or irrelevant data. IntSights recently broke down the fraud theft, identification, and mitigation process with our partners Riskified, a fraud security vendor. We took leaked credit cards discovered on the dark web and tracked how they were used and recycled over the course of several years.
Cybercriminals also use compromised bank account information to steal money with relative ease. They do this by acquiring account and routing numbers to initiate withdrawal requests, logging into customer accounts using leaked credentials or password guessing tools, or brute force password spraying campaigns. Regardless of the tactic used, it typically results in easy fraud, and banks and other financial institutions are often on the hook for the financial repercussions.
Hacker Tactics, Techniques, and Procedures (TTPs)
Speaking of tactics hackers use, IntSights identified a handful of common and emerging attack vectors and TTPs:
- SS7 Vulnerabilities: Cybercriminals have recently exploited flaws in SS7 – a protocol used by telecommunication companies to coordinate how they route SMS around the world – to intercept messages that authorize payments from accounts. This type of scheme enables hackers to empty customer bank accounts.
- SWIFT Codes: The SWIFT system is supposed to be a secure protocol for verifying international wire transfers, but hackers have found various ways to use this protocol to validate fraudulent transactions.
- Malicious Applications: Most banks and financial institutions have mobile applications to let customers access their assets remotely. Cybercriminals often create fake versions of these apps that spread malware, or are able to penetrate legitimate apps that have vulnerabilities due to lackluster security.
- Hacker Automation Tools: Hacker automation tools allow cybercriminals to run campaigns at a higher velocity and lower the barrier to entry for non-technical hackers to run their own campaigns without having to code or build their own tools. Some examples of these tools are credit card checkers and phishing kits.
- Social Media: Cybercriminals use fake social media accounts to exploit unknowing consumers, tricking them into giving away their credentials or financial data on platforms they are comfortable using.
- ATM Hacking: ATMs offer an opportunity for physical fraud. Threat actors target ATMs with malware that can extract money or with credit card skimmers that gather credit card information when users dip their cards.
- Insider Recruitment: While more rare than credit card theft or bank account fraud, insider recruitment can have far more drastic consequences when executed successfully. Cybercriminals recruit employees or others with access to financial systems to leak data, give them entry into the network, or share credentials and information on internal procedures.
Where to Find Hacker Activity
Cybercriminals orchestrate attacks and exchange goods across a variety of sources on the clear, deep, and dark web. The following are just a few of the notable hubs you can (and should) monitor to identify hacker chatter and activity that may be indicative of an attack brewing:
Dark Web Sources
- Credit card shops like J-Stash and Genesis Store
- Black markets – these tend to emerge and go down frequently and at random
- Hacker forums and chat rooms – both open and private
What to Look For
- Bank Identification Numbers (BINs)
- Leaked credit cards
- SWIFT codes
- Brand mentions
- Customer accounts
- Leaked credentials
Clear and Deep Web Sources
- Social media
- App stores – both mobile and desktop
- Domain registrars
- Paste sites
What to Look For
- Brand impersonation
- Phishing websites and domain impersonations
- Leaked customer data
- Malicious applications
How to Use External Threat Intelligence to Detect and Mitigate Fraud
Once a fraud campaign is successful, it can be difficult to mitigate its effects. Banks and financial institutions are often on the hook for their customers’ stolen assets, which can cost them millions of dollars each year. The best approach to mitigation is to go on the offensive to identify and shut down fraud campaigns before they actually occur. If you can prove a fake domain or social media account has malicious intent, you can approach the registrar, social media site or app store to get fraud campaigns taken down directly.
This is why it’s important to focus on validation of posts and data dumps, and not just identification. There’s a lot of harmless junk circulating online, especially when it comes to financial data. Someone can claim to have a fresh new batch of active credit cards, but you can’t always take their word for it. Sometimes you need to engage with a threat actor and collect data samples to validate if their claims are real or not.
The best way to identify and validate threats is to use an automated solution that filters through the chatter and pinpoints threats that are specific to your organization. IntSights provides tailored intelligence to our users, enabling them to quickly remediate threats targeting their organizations before they become attacks.
To learn more about the different methods and access points cybercriminals use to steal sensitive data and information, download our Banking & Financial Services Cyber Threat Landscape Report (April 2019).
Kevin Diffily is a Content Marketing Manager at IntSights. He strives to educate and engage with cybersecurity professionals, enabling them to make informed decisions to bolster their defense systems and protect their organizations. Kevin has a background in journalism, brand development, copywriting, and social media management. He received his B.A. in Communication from Curry College and his M.A. in Integrated Marketing Communication from Emerson College. He is a staunch proponent of gratuitous Oxford comma use.
Stay up to Date!
Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.