The Rise and Rise of Web Fraud
Guest talk on Web Fraud to Network Security, Elect Eng Sydney University.
Web 1.0 generated revenue from advertising. Web 2.0 sought new monetization models. Good stuff, but eventually all these eCommerce sites wake up to discover that the fraudsters have moved in.
Limited only by their imagination and the monetization model, fraudsters will do things like login hijacks, false signups, purchases with stolen credit cards, money laundering, Nigerian/419 scams, etc.
This talk covers a few of these problems, how they get done and what solutions/responses exist.

Upload Details

Uploaded via Microsoft PowerPoint
© All Rights Reserved

  • I modified this slide from a Verisign presentation – it shows how only a few ‘fronts’ of the identity theft/fraud ecosystem
  • ThreatMetrix Device Identification is used for three principal applications: i) new account sign-up, broadly applicable to the financial services industry, social networking, alternative payments, credit card applications and so forth; ii) account takeover, broadly applicable to the same set of industries; and iii) card-not-present (“CNP”) purchases, applicable to the retail community. ThreatMetrix is a rules-based application, so the same product can be deployed across multiple industry types with a minimum of effort.
  • 05/17/10

The Rise and Rise of Web Fraud Presentation Transcript

  • 1. The Rise and Rise of Web Fraud – What happens when web businesses shift away from advertising revenues. USYD Electrical Engineering, Network Security Guest Lecture. David Jones – Founder/CTO ThreatMetrix, @djinoz
  • 2. Speaker brief history
    • 1985 – received my first letter from a Nigerian prince wishing to send me $
    • 1999 - Founder & CEO – EmU Tech (email filtering for enterprise)
    • 2000 – Lovebug/Melissa virus – nobody guesses what is to come…
    • 2001 – acquired by SurfControl
    • 2002/2003 – VP Research, SurfControl (now WebSENSE)
    • 2003 – MigMaf trojan arrives – “it’s a bad boy” – no-one cares…
    • 2004 – SpamMATTERS
      • forensic collection/correlation system for Federal Gov (ACMA)
      • Spam/Phish/Zombie/Bot tracking
      • ACMA still use it today
    • mid 2004 – presented to OECD on “forget spam – worry about Bots” – no-one cares..
    • 2005/6 – ThreatMetrix starts (botnet/compromised host tracking)
    • 2008 – first Web Fraud product
    • 2010 ….
  • 3. ThreatMetrix Facts
    • Founded 2005 in Sydney
    • Headquartered
      • Los Altos, CA
      • R&D Sydney, Australia
      • Beijing, China
    • 36 People
    • Venture Financed
    • 150+ Customers
    • CNP, Gaming, Social Networking, Alternative Payments, Financial Services
    • SaaS Model
      • Fast Implementation and ROI
    • Typical Implementation
      • 1 to 5 Days
    • Average Contract Value
      • $2K - $20K per Month SaaS
  • 4. Anonymity used to be cute… Credit: New Yorker Magazine July 1993 http://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you're_a_dog
  • 5. Security/Fraud always morphs from FAME to $$$: Exploit discovered → Disclosure/Notoriety (defacements, spam spoofing etc.) → Spam, affiliate fraud etc. → $ Phishing, credit card fraud, botnets etc. → $$$ Organised crime, botnet hire, kits
  • 6. Stolen Identities + Location/Device Anonymity = Perfect Storm for Fraud
  • 7. “Fraud as a Service” food-chain. Credit: Verisign
  • 8. Common Internet Fraud types
    • Platforms:
      • Kit creation (exploits)
      • Infection/Bot creation
      • Bot hiring
      • Scareware sales
    • Identities:
      • Phishing
      • Keylogging
      • Spear-phishing
      • Card and ID theft (penetration)
    • Economic Fraud:
      • Account hijack (bank)
      • Stolen credit card shopping
      • Nigerian 419/Advance Fee (BMWs, holiday rentals, dating…)
      • Social: “Kidnapped in London..”
      • Alternative payments/remittance
      • Virtual goods hijack/laundering
      • Ganking (auction, ticketing)
      • Affiliate/click fraud
  • 9. This maps to the following business needs
  • 10. Botnets and Proxies have changed Fraud forever
    [Diagram labels: Fraudster – Miami/Philippines/Ukraine; Bill, Mary, Susan, Frank; San Francisco, Milwaukee, Kalispell, New York; Store 1, Store 2, Store…]
    • Legacy/outdated solutions fail to detect new fraud techniques: IP Geo – Good, IP Velocity – Good, IP History – Good, yet the fraud is not detected
    • Real-time fraud solutions must have:
      • Botnet/Proxy detection
      • Antifraud Network
      • Traditional fraud rulesets for transactional data
    • 2-factor fails with MITB Trojans
  • 11. “Fraud as a Service” (bad guy implementation of “Software as a Service”) means the problem is growing fast: no need to be an expert to be a fraudster. Botnets are rented to other fraudsters – millions of compromised hosts today, +100,000 new each day. [Diagram labels: Los Angeles, New York, Kalispell; Frank, Bill, Susan]
  • 12. On April 30 2010 TMX systems mapped 106,000 active* compromised hosts in Australian IP address space** (~2%)
    * Last 7 days. This is just a subset – there is a good chance ACMA or AusCERT would be detecting larger amounts
    ** Around 10 million globally
  • 13. Stolen Credit Cards/Password + Botnets and Proxies = PERFECT FRAUD
  • 14. Control – Payments Case Study. With ThreatMetrix: fraud stopped the 1st time. Without ThreatMetrix: fraud stopped on the 5th try. Stop fraud the first time by detecting and piercing proxies to discover the true location of the device. (ThreatMetrix Confidential)
  • 15. Control – New Accounts Case Study
    One month, same device, 23 user names: in China, pretending to be in…
    Every row carries the same ThreatMetrix Device ID (cf3fad94727611dd800000167e5d5632) and Browser Lang. zh-cn; the Account Email column is masked as [email_address] on the slide.
    Transaction Time | Masked IP Add. | Masked IP City
    8/25/2008 17:24 | 66.79.172.10 | New York
    8/25/2008 18:17 | 208.77.47.109 | New York
    8/27/2008 12:57 | 78.129.235.30 | Brussels
    8/28/2008 12:25 | 208.77.43.80 | New York
    8/28/2008 19:09 | 204.16.192.197 | Los Angeles
    9/3/2008 13:33 | 64.32.7.84 | Kalispell
    9/5/2008 12:24 | 66.79.172.10 | New York
    9/12/2008 13:08 | 78.129.235.35 | Brussels
    9/12/2008 13:20 | 205.209.175.5 | Los Angeles
    9/12/2008 16:48 | 66.79.172.100 | New York
    9/16/2008 14:33 | 204.16.195.71 | New York
    9/17/2008 14:19 | 75.126.8.13 | New York
    9/18/2008 11:59 | 75.126.8.13 | New York
    9/18/2008 12:56 | 208.101.53.226 | New York
    9/18/2008 15:02 | 75.126.8.10 | New York
    9/19/2008 12:38 | 208.101.53.230 | New York
    9/19/2008 13:25 | 78.129.235.34 | Brussels
    9/19/2008 18:40 | 208.98.30.90 | Kalispell
    9/22/2008 16:51 | 208.101.53.227 | New York
    9/22/2008 17:35 | 75.126.8.13 | New York
    9/22/2008 19:13 | 75.126.8.13 | New York
    9/24/2008 17:29 | 66.2228.113.2 | New York
    9/25/2008 12:45 | 64.32.7.97 | Kalispell
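The table above only becomes damning once the rows are joined on the device ID: each row on its own is a fresh account with a plausible US or European IP, so the per-account IP geo and IP velocity checks that slide 10 scores as “Good” all pass. The following is an added example, not ThreatMetrix code (the page shows nothing of how the device ID itself is computed), that runs both views over a constructed log in the slide's layout. The account names, the benign second device, and the locale-to-region and city-to-region lookups are assumptions made for the example.

```python
"""Device-linkage detection over a slide-15 style event log (added example,
not ThreatMetrix code).  Assumptions: the device ID is an opaque string
supplied by some client-side device-identification step, and the
language-to-region and city-to-region tables below are toy lookups."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log in the layout of the slide-15 table:
# time | device id | account | browser language | IP | IP city.
# Account names are placeholders (the slide masks them); the "alice"
# device is a constructed benign device added for contrast.
SAMPLE_LOG = """\
8/25/2008 17:24|cf3fad94727611dd800000167e5d5632|acct01@example.invalid|zh-cn|66.79.172.10|New York
8/25/2008 18:17|cf3fad94727611dd800000167e5d5632|acct02@example.invalid|zh-cn|208.77.47.109|New York
8/27/2008 12:57|cf3fad94727611dd800000167e5d5632|acct03@example.invalid|zh-cn|78.129.235.30|Brussels
8/28/2008 19:09|cf3fad94727611dd800000167e5d5632|acct04@example.invalid|zh-cn|204.16.192.197|Los Angeles
9/3/2008 13:33|cf3fad94727611dd800000167e5d5632|acct05@example.invalid|zh-cn|64.32.7.84|Kalispell
9/12/2008 13:08|cf3fad94727611dd800000167e5d5632|acct06@example.invalid|zh-cn|78.129.235.35|Brussels
9/19/2008 18:40|cf3fad94727611dd800000167e5d5632|acct07@example.invalid|zh-cn|208.98.30.90|Kalispell
9/25/2008 12:45|cf3fad94727611dd800000167e5d5632|acct08@example.invalid|zh-cn|64.32.7.97|Kalispell
9/1/2008 09:10|1d2e3f4a5b6c7d8e9f0011223344aabb|alice@example.invalid|en-us|192.0.2.10|New York
9/8/2008 09:12|1d2e3f4a5b6c7d8e9f0011223344aabb|alice@example.invalid|en-us|192.0.2.10|New York
9/15/2008 18:40|1d2e3f4a5b6c7d8e9f0011223344aabb|alice@example.invalid|en-us|192.0.2.11|New York
"""

# Toy lookups (assumptions): the region a browser locale usually comes
# from, and the region each IP city geolocates to.
LANG_REGION = {"zh-cn": "CN", "en-us": "US", "en-gb": "GB"}
CITY_REGION = {"New York": "US", "Los Angeles": "US", "Kalispell": "US", "Brussels": "BE"}


@dataclass
class Event:
    ts: datetime
    device_id: str
    account: str
    lang: str
    ip: str
    city: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, acct, lang, ip, city = line.split("|")
        events.append(Event(datetime.strptime(ts, "%m/%d/%Y %H:%M"), dev, acct, lang.lower(), ip, city))
    return events


def legacy_ip_checks_pass(events):
    """Per-account checks of the kind slide 10 scores as 'Good': IP geo
    (one city per account) and IP velocity (at most 5 logins per account
    per day).  Every fraudulent signup is a brand-new account with a single
    login, so each one passes on its own."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    for acct_events in by_account.values():
        per_day = defaultdict(int)
        for e in acct_events:
            per_day[e.ts.date()] += 1
        if len({e.city for e in acct_events}) > 1 or max(per_day.values()) > 5:
            return False
    return True


@dataclass
class DeviceProfile:
    device_id: str
    first_seen: datetime
    last_seen: datetime
    accounts: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    cities: set = field(default_factory=set)
    langs: set = field(default_factory=set)


def profile_devices(events):
    """Pivot the log on device ID: the join the per-account checks never do."""
    profiles = {}
    for e in events:
        p = profiles.get(e.device_id)
        if p is None:
            p = profiles[e.device_id] = DeviceProfile(e.device_id, e.ts, e.ts)
        p.first_seen, p.last_seen = min(p.first_seen, e.ts), max(p.last_seen, e.ts)
        p.accounts.add(e.account); p.ips.add(e.ip); p.cities.add(e.city); p.langs.add(e.lang)
    return profiles


def assess(p, max_accounts=3, hop_window_days=31):
    """Return the reasons (possibly none) a device profile looks like the slide-15 case."""
    reasons = []
    if len(p.accounts) > max_accounts:
        reasons.append(f"{len(p.accounts)} accounts created from one device")
    expected = {LANG_REGION.get(l) for l in p.langs} - {None}
    observed = {CITY_REGION.get(c) for c in p.cities} - {None}
    if expected and observed and not (expected & observed):
        reasons.append(f"browser locale {sorted(p.langs)} never matches IP region {sorted(observed)}")
    if len(p.cities) >= 3 and (p.last_seen - p.first_seen).days <= hop_window_days:
        reasons.append(f"{len(p.ips)} IPs in {len(p.cities)} cities within {hop_window_days} days (proxy hopping)")
    return reasons


def find_suspicious_devices(text, **thresholds):
    flagged = {}
    for dev, p in profile_devices(parse_log(text)).items():
        reasons = assess(p, **thresholds)
        if reasons:
            flagged[dev] = reasons
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("legacy per-account IP checks pass:", legacy_ip_checks_pass(evts))
    for dev, reasons in find_suspicious_devices(SAMPLE_LOG).items():
        print(dev, "->", "; ".join(reasons))
```

The thresholds are deliberately loose: a shared family PC legitimately carries two or three accounts, so the account count alone goes to review rather than reject, and it is the combination with a locale that never matches any IP region and a month of hopping between cities that makes the device worth blocking outright.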
  • 16. Control – Account Login Case Study: restrict permissions of accounts based on detection of a compromised computer (botnet). [Diagram labels: Risk; Hidden Threat Detection]
  • 17. Generalized MITB “proxying” attacks (current generation of malware, e.g. SilentBanker, Zeus)
  • 18. No silver bullet – different customers have different goals: average order value, margins, virtual or physical goods, real-time needs, chargeback rates. [Funnel labels: Orders; Accept; Auto Screen; Review; Reject (Fraud); percentages shown: ~9%, 5.1%, 2.6%, 1.3%]
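Slides 16 and 18 describe the response side of the same signals: a rules engine whose accept/review/reject thresholds differ per customer, and, for a login from a compromised computer, a restricted session rather than a yes/no (the case where 2-factor does not help against a MITB trojan). The following added example, not ThreatMetrix code, sketches that. The signal names, rule weights, the two merchant policies and the permission sets are all assumptions chosen for illustration.

```python
"""Rules-based disposition of a transaction or login from device and network
signals (added example, not ThreatMetrix code).  Signal names, weights,
thresholds and permission sets are illustrative assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signals:
    device_on_botnet: bool = False     # device/host seen in the compromised-host feed
    proxy_detected: bool = False       # anonymising proxy pierced in front of the device
    accounts_on_device_30d: int = 1    # distinct accounts sharing this device ID in 30 days
    ip_locale_mismatch: bool = False   # IP geo disagrees with browser locale / billing country
    order_value: float = 0.0


# (name, predicate, weight).  Weights are illustrative.
RULES = (
    ("device is a botnet host",      lambda s: s.device_on_botnet,           60),
    ("anonymising proxy",            lambda s: s.proxy_detected,             40),
    ("device shared by >3 accounts", lambda s: s.accounts_on_device_30d > 3, 50),
    ("IP/locale mismatch",           lambda s: s.ip_locale_mismatch,         25),
    ("high-value order",             lambda s: s.order_value >= 500,         15),
)


def score(signals):
    """Total risk score plus the names of the rules that fired (for the review queue)."""
    hits = [(name, w) for name, pred, w in RULES if pred(signals)]
    return sum(w for _, w in hits), [name for name, _ in hits]


@dataclass(frozen=True)
class Policy:
    """Per-customer thresholds: the same rules, different goals."""
    name: str
    review_at: int   # score at or above this goes to manual review
    reject_at: int   # score at or above this is auto-rejected


# Virtual goods are delivered instantly, so there is no time for review:
# reject early and accept losing a few good orders.
VIRTUAL_GOODS = Policy("virtual goods, real-time", review_at=40, reject_at=60)
# High-margin physical goods ship next day: a review queue is cheaper than lost sales.
PHYSICAL_GOODS = Policy("physical goods, manual review", review_at=30, reject_at=80)


def disposition(signals, policy):
    """Map a score onto the accept / review / reject funnel of slide 18."""
    total, reasons = score(signals)
    if total >= policy.reject_at:
        return "reject", total, reasons
    if total >= policy.review_at:
        return "review", total, reasons
    return "accept", total, reasons


FULL_PERMISSIONS = frozenset({"view_balance", "transfer", "add_payee", "change_contact_details"})


def session_permissions(signals):
    """Slide-16 response for logins.  A correct password (even with 2-factor)
    from a botnet host may be a MITB trojan, so money movement is withheld
    until the customer is reached out of band.  Behind a proxy or on a device
    shared by many accounts, keep transfers to existing payees but block the
    changes a fraudster needs to add new ones or to lock the owner out."""
    if signals.device_on_botnet:
        return frozenset({"view_balance"})
    if signals.proxy_detected or signals.accounts_on_device_30d > 3:
        return FULL_PERMISSIONS - {"add_payee", "change_contact_details"}
    return FULL_PERMISSIONS


if __name__ == "__main__":
    proxied = Signals(proxy_detected=True, ip_locale_mismatch=True, order_value=120)
    for pol in (VIRTUAL_GOODS, PHYSICAL_GOODS):
        print(pol.name, "->", disposition(proxied, pol))
    print("login from botnet host may:", sorted(session_permissions(Signals(device_on_botnet=True))))
```

The same proxied, locale-mismatched order is rejected by the virtual-goods policy and queued for review by the physical-goods one; that difference, not the rules, is what the per-customer tuning on slide 18 is about.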
  • 19. Questions?