Saturday, January 26, 2013

Fraud: Part 1 - Who commits fraud and how do they do it?

Fraud: Part 1 - Who and how?

This post will delve into the world of fraud and internet crime.  I could probably type a hundred pages on the subject; however I realize that’s not the best way to get readers.  I hope to provide you with enough information to spark your interest and the resources to find out more should you feel inclined.  This particular post will discuss internet crime trends and types of attacks.  My next post will discuss the various types of fraud and what you can do to protect yourself from the “bad guys”.  

Who? - Cybercriminals

Unless you've been living under a rock, then you have probably heard the terms cybercrime and cybercriminal.  But how much do you really know about the business of fraud?  Crime, particularly cybercrime, is a BIG business.  It is estimated that the cost of cybercrime in 2012 was $110 billion worldwide and $21 billion in the United States1.   In fact, cybercrime is the new organized crime that involves a complex business model and many intelligent players.  In Russia, magazine publications on how to commit fraud are sold in gas stations!  And they, the Russians, even hold seminars and classes on how to commit bank and card fraud.  The fraudster, or cybercriminal, will steal the identity and/or financial information of an innocent person and then use that identity and/or financial information to illegally obtain funds.  Cybercriminals steal information from large institutions by hacking into their networks or they steal information directly from the victim’s computer.  Stealing directly from the victim is usually the preferred way because it is often easier and less protected.    

A recent investigation by RSA, discovered that cybercriminals are using advanced web analytics tools and marketing techniques to refine their attacks.  By obtaining statistics on their attacks, they are able to identify the most effective attacks and the best time to conduct attacks.  For example, using web analytics and A/B testing, a cybercriminal can determine which phishing email got the highest open rates and most click-throughs2

Often, what is most surprising to people, is how difficult these criminals are to prosecute.  Many of the crimes are committed on computers in other countries, making prosecution next to impossible (and that’s if you ever find the bad guy).  To help law enforcement and regulatory agencies organize their investigations, the Internet Crime Complaint Center, or IC3, was established as a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.  I won’t go into detail about what they do, but in a nutshell, they enable consumers and businesses to report cybercrime to a centralized place.  Below is a chart that shows the number of complaints the IC3 has received by year3:

Click here to view the 2012 Norton Cybercrime Report for more facts about cybercrime.

How? - Types of Attacks

As I mentioned above, the first step in committing cybercrime is to steal personal information.  There is an extensive black market that exists where cybercriminals buy and sell stolen personal information over the internet.  These online Fraud Forums are used to exchange goods and services and are a way for fraudsters to collaborate and offer up their skills and expertise4.  If you've never googled “credit card dump”, give it a try!  There is a high-demand for stolen information and the market is lucrative and pays well to those that can obtain it.  Cybercriminals use extensive resources to obtain everything from card numbers, email addresses, bank login information, to whole identities.  Once they have it, they sell the information to other cybercriminals who then use it to steal money!  It’s all very exciting really.

Below I have described the most common attack techniques5 and 6:

·    Malware – Software that collects personal information from a computer undetected.  Spyware, botnet, viruses, worms, keyloggers, Trojan horses, adware, and more are all types of malware.
·    Phishing – An email, instant message, or other communication that appears to be from a trustworthy source.  The purpose of these fraudulent communications is to obtain usernames, passwords, and card numbers.
·    SQL Injections – A technique often used to attack data driven applications. This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed SQL command to the database (e.g., dump the database contents to the attacker).
·    Denial-of-Service – Flooding a network or server with traffic in order to make it unavailable to its users.  This enables the fraudsters to redirect victims to a spoofed website in order to intercept their personal information. 
·    Skimming – Devices that steal credit card information when the card is swiped through them. The stolen credit card information is then sold online through an online action to carders who use the numbers to make counterfeit cards.

For more information on the types of attacks cybercriminals use, click here.

I have included some resources below if you are interested in reading more about cybercrime.  My next post, “Fraud: Part 2 – Why and what?” will discuss the other half of the fraud business model.  What do fraudsters do with your personal information and what can you do to protect yourself from them?

References and Resources



  1. Great info! This post goes along with many realting to social media in the many dangers of revealing too much info online. Many people reveal their date of birth on social networking sites and have no idea how dangerous that is (for financial crimes/ identity theft).

  2. We just talked about some of this stuff in the Networking and Servers class but analytics tools weren't mentioned at all. It's interesting how creative these people can be and how useful tools for improving your business can become useful for criminals as well.

  3. In addition to people revealing too much personal information online, many software vendors are collecting more and more personal data for authentication purposes. Some social websites require cell phone number to authenticate the user before log in. We can only hope security effectiveness stay proportionate to the threats.