The Social Media Bait - Fraud & Cybercrime
Presentation at the 2nd Annual Conference of ACFE Bangalore Chapter, 13 July 2012
Transcript

  • 1. Social Media Bait: Fraud and Cybercrime. Parag Deodhar, CA, CISA, CFE, Chief Risk Officer – Bharti AXA General Insurance. ACFE Bangalore, 13 July 2012. Note: All opinions are personal. All logos and trademarks belong to their respective companies.
  • 2. AGENDA
    • How spam, application vulnerabilities and malware are being used to infiltrate social networking sites
    • Weighing the value of social networking with its risks
    • The ease of phishing and what to do about it
    • Specific vulnerabilities to watch out for with social networking
    • User education, policies and enforcement
    ACFE Bangalore Conference 2012 ‐ Parag Deodhar – The Social Media Bait: Frauds and Cybercrime
  • 3. Value @ Risk. Investigation officers said she found out from FB that her boyfriend had dumped her. Police said the couple had had an argument, which resulted in the breakup. Later, her boyfriend had left a post on FB saying, "Feeling super cool today. Dumped my new ex-girlfriend. Happy independence day."
  • 4. Evolution of communication on the internet: Bulletin Boards → Web based e-mails → Instant Messaging → P2P → Blogs & Forums → Social Networking → Instant Status Updates → Status Updates with Geo Tagging. Social networking is something that is in absolute harmony with the principles of the internet – Connecting People.
  • 5. Only way to communicate
  • 6. Status update: Social Networks. Whether you like it or not, social networks have taken over our lives – both professional and personal.
    • Corporates use it for marketing and communication
    • Schools and Colleges use it to communicate with students and parents
    • Individuals use it for professional networking
    • Personal use – sharing photos and videos, opinions, status updates, games, chat…
    On 22 Jan 2010, Astronaut T. J. Creamer posted the first unassisted update to his Twitter account from the International Space Station, marking the extension of the Internet into space.
  • 7. Weighing the value of social networking with its risks
    BENEFITS:
    • Always connected
    • Great way to find new contacts
    • Database of prospective clients
    • Accessibility to a wide range of information
    • Service industry – means to connect with customers
    RISKS:
    • Spam / Scams
    • Application flaws leading to loss of your information
    • Inappropriate usage – posting objectionable content
    • Hate Crime
    • Identity Theft
  • 8. Hacking Trends: Targets (chart, percentage of attacks by target sector): Education 5%, Finance 5%, Entertainment 7%, Social Media / Web 2.0 19%, Government 12%, Media 16%, Internet 12%, Retail 12%, Technology 12%. Social media / Web 2.0 sites are the biggest targets for the hackers. Source: Web Application Security Consortium (WASC)
  • 9. Trends: Threat Vectors (chart on a 0–20% scale; vectors shown: Worm, DNS Hijacking, Cross-site Request Forgery, Cross-site Scripting, Configuration error, Other, DoS / Brute Force, Content Spoofing, Unknown, Insufficient Authentication, SQL Injection). SQL injection is the most common threat vector used against web pages; content spoofing and XSS are also prominent. Social networks act as good fodder for all three. Source: Web Application Security Consortium (WASC)
  • 10. Trends. Facebook now allows you to add your unborn baby to your list of family members via the “Expected: Child” option on Facebook profiles. Apparently too many parents were creating “illegal” fake profiles for their yet unhatched offspring — setting their fake babies’ ages to 13 instead of negative.
  • 13. Trends: Hobby / showing off → Organized crime
  • 14. UNDERGROUND MARKETPLACE. The cyber underground is a pervasive market governed by rules and logic that closely mimic those of the legitimate business world. It is on these forums that cyber criminals buy and sell login credentials (such as those for e-mail, social networking sites, or financial accounts); where they buy and sell phishing kits, malicious software, access to botnets; and victim social security numbers, credit cards, and other sensitive information. These criminals are increasingly professionalized, organized, and have unique or specialized skills.
  • 15. CaaS - CRIMEWARE AS A SERVICE. CaaS is similar to Software as a Service (SaaS). Criminals using online cybercrime services instead of running their own servers and software is the latest development in internet crime. To criminals, as the number of users in social network sites increases, the market value of personal information in social networks also increases.
  • 16. Corporates @ Risk
    • Data Leakage – Malware, Spyware, Phishing
    • External Attacks – Spam, Virus bringing down network, servers
    • Inappropriate usage – objectionable material
    • System overload from the heavy use of blogging and social networking sites, with implications for service availability and non-productive activities
    • Reputation loss – Employees, Customers can easily post complaints over social media
    • Legal liabilities from defamatory blog postings by employees leading to reputational damage
  • 17. MALWARE. The Koobface worm and its associated botnet - known for its longevity and history of targeting social networking sites. First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users. The message directs users to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. In a new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social network sites, including Facebook and MySpace. Koobface ultimately attempts, upon successful infection, to gather sensitive information from the victims such as credit card numbers.
  • 18. MALWARE EXAMPLE
  • 19. Zeus P2P Trojan example
  • 20. Shortened URLs. The very concept of shortened URLs is a problem, as we don’t know the actual link. It takes you to a page that can use malware to infect your PC. Can be used as a phishing bait. Spam filters or malware scanners can be easily bypassed by using the shortened URLs as camouflage.
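A defender's check for the shortened-link problem described on this slide, added here as an example and not part of the original presentation: it follows the redirect chain using an injected lookup function (standing in for HEAD requests, so it runs offline) and flags shortener hosts, redirect loops, long chains and a plain-http final destination. The shortener list, the redirect table and the hostnames are constructed assumptions.

```python
"""Expand shortened URLs by walking their redirect chain without
fetching or rendering any page content, then report what a user would
otherwise not see.  The resolver is injected so this runs offline."""
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of link-shortener hosts (assumption).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}
MAX_HOPS = 5


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def expand_url(url, resolve, max_hops=MAX_HOPS):
    """Follow redirects starting at `url`.

    `resolve(u)` returns the Location a HEAD request to `u` would yield,
    or None when `u` is not a redirect.  Returns (chain, status) where
    status is 'resolved', 'loop' or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain, "resolved"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def assess_link(url, resolve):
    """Return the final destination plus human-readable findings."""
    chain, status = expand_url(url, resolve)
    findings = []
    if host_of(url) in SHORTENER_HOSTS:
        findings.append("shortened link: destination hidden from the reader")
    if status != "resolved":
        findings.append("redirect chain did not terminate (%s)" % status)
    if len(chain) > 2:
        findings.append("chained redirects (%d hops)" % (len(chain) - 1))
    if status == "resolved" and urlsplit(chain[-1]).scheme == "http":
        findings.append("final destination is plain http")
    return {"final": chain[-1], "chain": chain, "findings": findings}


# Constructed redirect table standing in for live HEAD responses.
FAKE_REDIRECTS = {
    "https://bit.ly/2abcXYZ": "https://t.co/redir1",
    "https://t.co/redir1": "http://free-gift-cards.example/claim",
    "https://bit.ly/loop": "https://ow.ly/loop2",
    "https://ow.ly/loop2": "https://bit.ly/loop",
}


def fake_resolve(url):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for link in ("https://bit.ly/2abcXYZ", "https://bit.ly/loop",
                 "https://example.com/page"):
        result = assess_link(link, fake_resolve)
        print(link, "->", result["final"])
        for finding in result["findings"]:
            print("  !", finding)
```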
  • 21. You @ Risk
    • Privacy
    • Steal your money / assets - Malware, Spyware, Phishing, Geo-tagging
    • Trick your friends and family into supplying personal data, money - Nigerian scam
    • Identity theft
    • Use your accounts to spread spam, malware etc.
    • Blackmail – information / photographs, Divorce lawyers
    • Time!!!
  • 22. PASSWORDS. The problem is not only that people use the same password for many sites; the reason these are able to be decrypted by cybercriminals is often the fact that they are weak.
  • 23. Data Mining. Cyber thieves use data mining on social networking sites to extract sensitive information about victims. In large-scale data mining, a cyber criminal sends out a "getting to know you quiz" to a large list of social networking site users. While the questions do not appear to be malicious on the surface, they often mimic the same questions that are asked by financial institutions or e-mail account providers when an individual has forgotten their password. Small-scale data mining may also be easy for cyber criminals if social networking site users have not properly guarded their profile or access to sensitive information. Indeed, some networking applications encourage users to post whether or not they are on vacation, simultaneously letting burglars know when nobody is home.
  • 24. You @ Risk
    What you share directly:
    • Your email address (as your login credentials)
    • Likes/dislikes
    • Regular updates about your day to day doings
    • Pictures
    • Your trips and plans
    • Your relationship status
    • Personal details with third party applications like Farmville, Mafia Wars
    What you share indirectly:
    • Answers to the secret questions of your other accounts (emails etc.)
    • Your whereabouts
    • People related / linked to you (via photo tagging and links)
    • Travel likes
    • Your pictures show your possessions
    • Home address
    • Your attitude and way of thinking
  • 25. You @ Risk: www.theregister.co.uk/2010/09/13/social_network_burglary_gang/
  • 26. You @ Risk: PHISHING. Banks are not the only companies to fall prey to phishing attacks. It is not uncommon to have websites that mimic the original. Can be a huge threat, as the number of users keeps increasing day by day. Very simple modus operandi - sends you a bogus link, asks you to click on the same; once clicked, it asks you to enter your credentials and you are compromised.
  • 27. PHISHING EXAMPLES
  • 28. “Pinterest” the latest target. Scammers and cyber criminals are now pinning things that are leading to spam, phishing sites and other malicious things. A simple eye-catching photo is all it takes to lure someone in and have an Internet scam succeed in stealing your information or your identity. One advertises an “amazing weight loss product,” where posts include a variety of enticing thumbnail pictures. The captions to these pictures read that the product is sponsored by Pinterest (it’s not), and that it really works. Another scam involves reaching out to people through a Facebook ad, advertising a way people can make money on Pinterest. The link goes to a website that offers a Visa gift card, where all the person has to do is fill out a form to get it.
  • 29. Whaling. While normal “phishing” efforts depend on reaching the greatest number of people with one email, “whaling” targets top level executives at organizations with a personalized email. Emails appear to be sent from a legitimate business authority (Banks, Tax Department). Links embedded in these emails will ultimately install malware on your computer. Bottom line – never open an email or forward it to a staff member unless you are sure of the identity of the sender.
  • 30. 3rd Party Applications
    • Games, quizzes, cutesie stuff
    • Untested by the social network – anyone can write one
    • No Terms and Conditions – you either allow or you don’t
    • Installation gives the developers rights to look at your profile and overrides your privacy settings!
  • 31. Mobile Social Networking: SIDEJACKING
  • 32. CLICKJACKING. A technique used by attackers to trick users into clicking on links or buttons that are hidden from view. It relies on a security weakness in web browsers that allows web pages to be layered and hidden from view. You think you are clicking on a standard button, like the PLAY button on an enticing video, but you are really clicking on a hidden link. Since you can’t see the clickjacker’s hidden link, you have no idea what you’re really doing. You could be downloading malware or giving away information without realizing it. One form of clickjacking is to hide a LIKE button underneath a dummy button – “Likejacking”.
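Added example, not from the presentation: a check of a site's HTTP response headers for the anti-framing controls that defeat the page-layering trick this slide describes, namely CSP frame-ancestors and X-Frame-Options. The sample endpoint names and header values are constructed.

```python
"""Check whether an HTTP response forbids being framed, which is the
server-side defence against clickjacking and likejacking.  Header
values below are constructed, not taken from any real site."""


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_protection(headers):
    """Return (protected, reason) for a dict of HTTP response headers.

    Header names are matched case-insensitively.  Browsers that support
    CSP frame-ancestors ignore X-Frame-Options when both are present, so
    frame-ancestors is evaluated first; ALLOW-FROM counts as no protection
    because current browsers do not honour it."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if not ancestors or ancestors == ["'none'"]:
                return True, "CSP frame-ancestors 'none': framing blocked"
            if "*" in ancestors:
                return False, "CSP frame-ancestors *: any site may frame this page"
            return True, "CSP frame-ancestors limited to: " + " ".join(ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    return False, "no anti-framing header: page can be overlaid inside a hidden frame"


# Constructed responses for a hypothetical social site's endpoints.
SAMPLES = {
    "like button endpoint (weak)": {"Content-Type": "text/html"},
    "like button endpoint (hardened)": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "legacy header only": {"X-Frame-Options": "SAMEORIGIN"},
    "contradictory headers": {"Content-Security-Policy": "frame-ancestors *",
                              "X-Frame-Options": "DENY"},
}


def audit(samples):
    """Map each sample name to its (protected, reason) verdict."""
    return {name: framing_protection(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLES).items():
        print("%-34s %s  (%s)" % (name, "OK  " if ok else "RISK", why))
```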
  • 33. Comment-Jacking. This attack baits the user into supposedly typing characters to complete the captcha test. The text is added as a comment instead.
  • 34. Facebook dislike button scam. The scam appears as a link on your wall saying "Facebook now has a dislike button! Click Enable Dislike Button to turn on the new feature." If you click on the link it will immediately post itself to your profile - thereby spreading it to your friends. In addition it will run Malware on your computer. It essentially means you are giving criminals permission to access your profile, post spam and get you to complete online surveys to give them yet more information about you.
  • 35. NIGERIAN SCAM. At about 8 p.m. Bryan Rutberg's daughter ran into his bedroom and asked why he'd changed his status to: "BRYAN IS IN URGENT NEED OF HELP!!!" He realized his Facebook account had been hacked. Within minutes, his cell phone was ringing non-stop, with concerned friends calling to offer help. Many had received an e-mail with the story that Rutberg had been robbed at gunpoint while traveling in the United Kingdom, and needed money to get home. One even sent $1,200 to a Western Union branch in London. He was locked out of his own account - criminals had changed his login credentials so he couldn't access his own Facebook page. That meant he couldn't remove the dire status message. He tried to use his wife's account to put a message on his "wall" indicating he was fine, but the scammer had "de-friended" his wife, so that didn't work.
  • 36. New Playground for SCAM Artists. Someone set up a Facebook account under the woman's name, used a real picture of her, and added her actual friends. Then, the imposter claimed that she took part in a poverty program and by giving $250 she got $40,000 in return. Some of the woman’s friends fell for it. They stated initial disbelief about the program, but the imposter replied “it did really work” and that she had just received the money. Because her friends know her to be a trustworthy person, some of the people, as a result, have fallen for this scam.
  • 37. Some More Scams
    • Facebook Cashback scam: Scammers told users they could link their debit card to their Facebook account and earn 20% cashback whenever they spent any money. They use this as bait to gather debit card information and spread it further to their friends.
    • See who has been viewing your profile: Offers a link to an app that supposedly lets you see who has been accessing your profile. If you click on it and let it access your account, it messages your friends with the same scam. It then has access to your account, and the ability to download malicious code onto your computer.
  • 38. Children @ Risk
    • Disturbing Content: If kids explore unsupervised, they could stumble upon images or information you may not want them exposed to.
    • Cyber bullies: Both children and adults may use the Internet to harass or intimidate other children.
    • File-share Abuse: Unauthorized sharing of music, video, and other files may be illegal, and download malicious software.
    • Predators: These people use the Internet to trick children into meeting with them in person.
    • Invasion of Privacy: If kids fill out online forms, they may share information you don’t want strangers to have about them or your family.
  • 39. HOW TO BE SOCIALLY CORRECT
  • 40. Controls @ Corporates
    • Deploying technology to control and block, monitor usage
    • Revising and updating organisational policies to include acceptable use of social networking and blogging sites
    • Managing the risk of marketing initiatives that are using blogging and social networking in order to prevent brand damage
    • Brand protection services to prevent brand damage
    • Educating end users about blogging and social networking to reduce business impact.
  • 41. CONTROLS @ CORPORATES… (Risk → Control)
    • Malware, Phishing, Spyware, Keyloggers etc. → Anti-Virus / Anti-Malware / Endpoint Protection
    • Dynamic Content → Real time Content Filtering
    • SSL Threats → SSL Decryption
    • Productivity loss → URL / Web filtering
    • Mobile access → Enterprise policies
  • 42. Controls @ Corporates – Pen test. Fake employee profile created of a very attractive 28 year old female based on social reconnaissance of 1402 employees, 906 of which used facebook. Target employees were males between the ages of 20 and 40. Populated the profile with information about experiences at work by using combined stories collected from real employee facebook profiles. Joined target co’s facebook group. Made 100s of friends easily - began chatting - conversations were based on work related issues collected from legitimate employee profiles. Posted our specially crafted link on the facebook profile - "Omigawd have you seen this I think we got hacked!" The fake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided. People started clicking on the link and verifying their credentials. Credentials were used to access the web-vpn which in turn gave us access to the network. Credentials also allowed access to the majority of systems on the network including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc.
  • 43. Control yourself
    • KNOW THE RULES - check your organization’s policy on social networking
    • USE SECURE PASSWORDS – NOT THE SAME EVERYWHERE
    • CHECK THE DEFAULT PRIVACY & SECURITY SETTINGS - don’t provide personal information by default
    • BE PICTURE PRUDENT - think before posting images that might cause embarrassment
    • YOU NEVER KNOW WHO’S WATCHING - assume everyone can read your posts, including hackers!
    • SECURE YOUR COMPUTERS - use up-to-date security software and firewalls
    • THINK BEFORE YOU CLICK - if the email looks dodgy it probably is
    • STRANGER DANGER - beware of unsolicited invitations from spammers
    • SUPERVISE – Monitor kids' access
    Remember the fundamental theory – Nothing comes for free and nobody likes you that much!!!
  • 44. Cybercrime, in all its forms, is a lucrative business, which doesn’t just steal from big companies who ‘can afford it’; it affects us all. If not in terms of cash, then of inconvenience. THINK BEFORE YOU CLICK!!! CREDITS: Various websites and online, print media; Various security technology product and services companies; Social Media websites; Users and addicts of social media.