The Rise and Rise of Web Fraud


Guest talk on web fraud, given to the Network Security course in Electrical Engineering at Sydney University.
Web 1.0 generated revenue from advertising. In Web 2.0 new monetization models were sought. Good stuff, but eventually all these eCommerce sites wake up to discover that the fraudsters have moved in.
Limited only by their imagination and the monetization model, fraudsters will do things like login hijacks, false signups, purchases with stolen credit cards, money laundering, Nigerian/419 scams, etc.
This talk covers a few of these problems, how they are carried out and what solutions and responses exist.


  1. The Rise and Rise of Web Fraud: what happens when web businesses shift away from advertising revenues
     USYD Electrical Engineering, Network Security Guest Lecture
     David Jones, Founder/CTO ThreatMetrix, @djinoz
  2. Speaker brief history
     - 1985: received my first letter from a Nigerian prince wishing to send me $
     - 1999: Founder & CEO, EmU Tech (email filtering for enterprise)
     - 2000: Lovebug/Melissa virus; nobody guesses what is to come…
     - 2001: acquired by SurfControl
     - 2002/2003: VP Research, SurfControl (now WebSENSE)
     - 2003: MigMaf trojan arrives ("it's a bad boy"); no-one cares…
     - 2004: SpamMATTERS, a forensic collection/correlation system for the Federal Government (ACMA); spam/phish/zombie/bot tracking; ACMA still use it today
     - mid 2004: present to the OECD on "forget spam, worry about bots"; no-one cares…
     - 2005/6: ThreatMetrix starts (botnet/compromised host tracking)
     - 2008: first Web Fraud product
     - 2010: …
  3. ThreatMetrix facts
     - Founded 2005 in Sydney
     - Headquartered in Los Altos, CA; R&D in Sydney, Australia; office in Beijing, China
     - 36 people
     - Venture financed
     - 150+ customers: CNP, gaming, social networking, alternative payments, financial services
     - SaaS model: fast implementation and ROI
     - Typical implementation: 1 to 5 days
     - Average contract value: $2K - $20K per month SaaS
  4. Anonymity used to be cute… (Credit: New Yorker Magazine, July 1993: "On the Internet, nobody knows you're a dog")
  5. Security/Fraud always morphs from FAME to $$$. Stages: exploit discovered -> disclosure/notoriety (defacements, spam spoofing etc) -> spam, affiliate fraud etc -> phishing, credit card fraud, botnets etc -> organised crime, botnet hire, kits; the money involved rises from $ to $$$ along the way.
  6. Stolen Identities + Location/Device Anonymity = Perfect Storm for Fraud
  7. "Fraud as a Service" food-chain (Credit: Verisign)
  8. Common Internet fraud types
     Platforms:
     - Kit creation (exploits)
     - Infection/bot creation
     - Bot hiring
     - Scareware sales
     Identities:
     - Phishing
     - Keylogging
     - Spear-phishing
     - Card and ID theft (penetration)
     Economic fraud:
     - Account hijack (bank)
     - Stolen credit card shopping
     - Nigerian 419/advance fee (BMWs, holiday rentals, dating…)
     - Social: "Kidnapped in London..."
     - Alternative payments/remittance
     - Virtual goods hijack/laundering
     - Ganking (auction, ticketing)
     - Affiliate/click fraud
  9. This maps to the following business needs
  10. Botnets and Proxies have changed Fraud forever
     Diagram: a fraudster in Miami/Philippines/Ukraine reaches Store 1 and Store 2 through the compromised machines of Bill, Mary, Susan and Frank, so each purchase appears to come from San Francisco, Milwaukee, Kalispell, New York…
     Legacy/outdated solutions fail to detect new fraud techniques: for each such purchase IP geo looks good, IP velocity looks good and IP history looks good, and the fraud is not detected.
     Real-time fraud solutions must have:
     - Botnet/proxy detection
     - Antifraud network
     - Traditional fraud rulesets for transactional data
     Note: 2-factor authentication fails against MITB trojans.
  11. "Fraud as a Service" (the bad guys' implementation of "Software as a Service") means the problem is growing fast: no need to be an expert to be a fraudster.
     Diagram: botnets (Frank, Bill, Susan in Los Angeles, New York, Kalispell) rented to other fraudsters; millions of bots today, +100,000 new each day.
  12. On April 30 2010 TMX systems mapped 106,000 active* compromised hosts in Australian IP address space** (~2%).
     * Active in the last 7 days. This is just a subset; there is a good chance ACMA or AusCERT are detecting larger numbers.
     ** Around 10 million globally.
  13. Stolen Credit Cards/Passwords + Botnets and Proxies = PERFECT FRAUD
  14. Control: Payments Case Study (ThreatMetrix Confidential)
     With ThreatMetrix: fraud stopped the first time. Without ThreatMetrix: fraud stopped on the 5th try.
     Stop fraud the first time by detecting and piercing proxies to discover the true location of the device.
  15. Control: New Accounts Case Study. One month, same device, 23 user names; in China (browser language zh-cn) pretending to be in…

     | Transaction Time | ThreatMetrix Device ID | Account Email | Browser Lang. | Masked IP Add. | Masked IP City |
     |---|---|---|---|---|---|
     | 8/25/2008 17:24 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 8/25/2008 18:17 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 8/27/2008 12:57 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | Brussels |
     | 8/28/2008 12:25 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 8/28/2008 19:09 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | Los Angeles |
     | 9/3/2008 13:33 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | Kalispell |
     | 9/5/2008 12:24 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/12/2008 13:08 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | Brussels |
     | 9/12/2008 13:20 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | Los Angeles |
     | 9/12/2008 16:48 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/16/2008 14:33 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/17/2008 14:19 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/18/2008 11:59 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/18/2008 12:56 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/18/2008 15:02 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/19/2008 12:38 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/19/2008 13:25 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | Brussels |
     | 9/19/2008 18:40 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | Kalispell |
     | 9/22/2008 16:51 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/22/2008 17:35 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/22/2008 19:13 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | New York |
     | 9/24/2008 17:29 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | 66.2228.113.2 | New York |
     | 9/25/2008 12:45 | cf3fad94727611dd800000167e5d5632 | [email_address] | zh-cn | | Kalispell |
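The point of the case study above, and of slide 10, is that per-IP controls (geo, velocity, history) see one clean-looking signup per proxy hop, while keying on the device ID ties all 23 signups together. The following is an added example, not ThreatMetrix code, that runs both kinds of check over the table: the device ID, dates, cities and zh-cn language are taken from the slide; the account names, the source IPs (from the 203.0.113.0/24 documentation range) and the approximate city coordinates are constructed assumptions, since the slide masks the first two.

```python
"""Device-keyed velocity and impossible-travel checks over the new-accounts case
study. Added example; account names, IPs and coordinates are constructed."""
import csv
import io
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log, one line per signup from the slide table.
# Columns: time, device_id, account, browser_lang, source_ip, geo_city
SAMPLE_LOG = """\
8/25/2008 17:24,cf3fad94727611dd800000167e5d5632,acct01,zh-cn,203.0.113.1,New York
8/25/2008 18:17,cf3fad94727611dd800000167e5d5632,acct02,zh-cn,203.0.113.2,New York
8/27/2008 12:57,cf3fad94727611dd800000167e5d5632,acct03,zh-cn,203.0.113.3,Brussels
8/28/2008 12:25,cf3fad94727611dd800000167e5d5632,acct04,zh-cn,203.0.113.4,New York
8/28/2008 19:09,cf3fad94727611dd800000167e5d5632,acct05,zh-cn,203.0.113.5,Los Angeles
9/3/2008 13:33,cf3fad94727611dd800000167e5d5632,acct06,zh-cn,203.0.113.6,Kalispell
9/5/2008 12:24,cf3fad94727611dd800000167e5d5632,acct07,zh-cn,203.0.113.7,New York
9/12/2008 13:08,cf3fad94727611dd800000167e5d5632,acct08,zh-cn,203.0.113.8,Brussels
9/12/2008 13:20,cf3fad94727611dd800000167e5d5632,acct09,zh-cn,203.0.113.9,Los Angeles
9/12/2008 16:48,cf3fad94727611dd800000167e5d5632,acct10,zh-cn,203.0.113.10,New York
9/16/2008 14:33,cf3fad94727611dd800000167e5d5632,acct11,zh-cn,203.0.113.11,New York
9/17/2008 14:19,cf3fad94727611dd800000167e5d5632,acct12,zh-cn,203.0.113.12,New York
9/18/2008 11:59,cf3fad94727611dd800000167e5d5632,acct13,zh-cn,203.0.113.13,New York
9/18/2008 12:56,cf3fad94727611dd800000167e5d5632,acct14,zh-cn,203.0.113.14,New York
9/18/2008 15:02,cf3fad94727611dd800000167e5d5632,acct15,zh-cn,203.0.113.15,New York
9/19/2008 12:38,cf3fad94727611dd800000167e5d5632,acct16,zh-cn,203.0.113.16,New York
9/19/2008 13:25,cf3fad94727611dd800000167e5d5632,acct17,zh-cn,203.0.113.17,Brussels
9/19/2008 18:40,cf3fad94727611dd800000167e5d5632,acct18,zh-cn,203.0.113.18,Kalispell
9/22/2008 16:51,cf3fad94727611dd800000167e5d5632,acct19,zh-cn,203.0.113.19,New York
9/22/2008 17:35,cf3fad94727611dd800000167e5d5632,acct20,zh-cn,203.0.113.20,New York
9/22/2008 19:13,cf3fad94727611dd800000167e5d5632,acct21,zh-cn,203.0.113.21,New York
9/24/2008 17:29,cf3fad94727611dd800000167e5d5632,acct22,zh-cn,203.0.113.22,New York
9/25/2008 12:45,cf3fad94727611dd800000167e5d5632,acct23,zh-cn,203.0.113.23,Kalispell
"""

# Approximate (lat, lon) in degrees for the cities in the log; assumed values.
CITY_COORDS = {
    "New York": (40.71, -74.01), "Brussels": (50.85, 4.35),
    "Los Angeles": (34.05, -118.24), "Kalispell": (48.20, -114.31),
}

def parse_log(text):
    """Parse the CSV log into dicts, sorted by time."""
    events = []
    for t, dev, acct, lang, ip, city in csv.reader(io.StringIO(text)):
        events.append({"time": datetime.strptime(t, "%m/%d/%Y %H:%M"),
                       "device": dev, "account": acct, "lang": lang,
                       "ip": ip, "city": city})
    return sorted(events, key=lambda e: e["time"])

def ip_velocity_alerts(events, window=timedelta(hours=24), max_signups=3):
    """Legacy IP-keyed check: IPs with max_signups or more signups in any window."""
    times = defaultdict(list)
    for e in events:
        times[e["ip"]].append(e["time"])
    return sorted(ip for ip, ts in times.items()
                  if any(sum(1 for u in ts if t <= u <= t + window) >= max_signups
                         for t in ts))

def device_velocity_alerts(events, max_accounts=3):
    """Device-keyed check: device IDs tied to max_accounts or more distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        accounts[e["device"]].add(e["account"])
    return {d: len(a) for d, a in accounts.items() if len(a) >= max_accounts}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(events, max_speed_kmh=1000.0):
    """Consecutive signups from one device whose implied speed beats an airliner."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    flagged = []
    for evs in by_device.values():
        for prev, cur in zip(evs, evs[1:]):
            if prev["city"] == cur["city"]:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = haversine_km(CITY_COORDS[prev["city"]], CITY_COORDS[cur["city"]])
            if km > max_speed_kmh * hours:  # also true when hours == 0
                flagged.append((prev["city"], cur["city"],
                                round(km / hours) if hours else math.inf))
    return flagged

EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("IP velocity alerts:", ip_velocity_alerts(EVENTS))          # []
    print("device velocity alerts:", device_velocity_alerts(EVENTS))  # {...: 23}
    for hop in impossible_travel(EVENTS):
        print("impossible travel:", hop)
```

Every source IP appears once, so the IP-keyed velocity rule never fires; the device-keyed rule ties all 23 accounts to one device, and the travel check flags the hops that no human could make (Brussels to Los Angeles in twelve minutes, New York to Brussels in under an hour). In production the device ID would come from a fingerprinting or cookie-based identifier and the city from the geo lookup of the piercing result, not from the proxy's own address.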
  16. Control: Account Login Case Study. Restrict the permissions of accounts based on detection of a compromised computer (botnet). Diagram labels: Risk; Hidden Threat Detection.
  17. Generalized MITB "proxying" attacks (current generation of malware, e.g. SilentBanker, Zeus)
  18. No silver bullet: different customers have different goals (average order value, margins, virtual or physical goods, real-time needs, chargeback rates). Funnel diagram: Orders -> Auto Screen (~9% of orders), split into Accept, Review and Reject (Fraud), with 5.1%, 2.6% and 1.3% shown against the three outcomes.
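Slide 18 says the accept/review/reject split depends on the merchant's economics. The following added example (not ThreatMetrix code) makes that concrete by choosing, for a fraud score p, whichever decision has the lowest expected cost. Everything in it is an assumption for illustration: that the screening system emits p as a probability, that a manual review always resolves correctly at a fixed cost, and the two constructed merchant profiles and sample score list.

```python
"""Expected-cost triage thresholds for the accept / review / reject funnel.
Added example; the fraud-score model, profile numbers and scores are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MerchantProfile:
    name: str
    order_value: float     # average order value
    margin: float          # gross margin as a fraction of order value
    chargeback_fee: float  # processor fee on top of the refunded amount
    review_cost: float     # cost of one manual review, assumed to resolve correctly

    def expected_costs(self, p):
        """Expected cost of each decision when the order is fraud with probability p."""
        profit = self.order_value * self.margin
        cogs = self.order_value - profit  # what is really lost when fraud ships
        return {
            "accept": p * (cogs + self.chargeback_fee),  # fraud ships, fee follows
            "review": self.review_cost,                  # analyst time, right answer
            "reject": (1 - p) * profit,                  # a good sale is turned away
        }

    def decide(self, p):
        costs = self.expected_costs(p)
        # min() keeps the first minimum, so ties resolve accept < review < reject
        return min(costs, key=costs.get)

    def thresholds(self, steps=1000):
        """Scan p in [0, 1]; return where accept turns to review and review to reject."""
        review_start = reject_start = None
        for i in range(steps + 1):
            p = i / steps
            d = self.decide(p)
            if review_start is None and d != "accept":
                review_start = p
            if reject_start is None and d == "reject":
                reject_start = p
        return review_start, reject_start


# Constructed profiles: a thin-margin physical shop and a fat-margin virtual-goods site.
PHYSICAL_GOODS = MerchantProfile("low-margin physical goods", 200.0, 0.10, 25.0, 5.0)
VIRTUAL_GOODS = MerchantProfile("high-margin virtual goods", 50.0, 0.80, 25.0, 5.0)

# Constructed score distribution: 100 orders, mostly clean, a few suspicious.
SAMPLE_SCORES = [0.01] * 90 + [0.05] * 5 + [0.30] * 3 + [0.95] * 2


def funnel(profile, scores):
    """Share of orders landing in each bucket for a list of fraud scores."""
    counts = {"accept": 0, "review": 0, "reject": 0}
    for p in scores:
        counts[profile.decide(p)] += 1
    return {k: v / len(scores) for k, v in counts.items()}


if __name__ == "__main__":
    for prof in (PHYSICAL_GOODS, VIRTUAL_GOODS):
        print(prof.name, "review from / reject from:", prof.thresholds())
        print("  funnel:", funnel(prof, SAMPLE_SCORES))
```

With the same scores the physical-goods merchant starts reviewing at p = 0.025 because a shipped fraud costs it the goods plus the chargeback fee, whereas the virtual-goods site accepts up to p = 0.143 and keeps reviewing until 0.876 since rejecting a legitimate high-margin sale is what hurts it. The review band, and therefore the analyst headcount, is a direct function of the profile inputs, which is the "no silver bullet" point.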
  19. Questions?