Financial Fraud Through the Lens of Cybersecurity

What is Financial Fraud/Crime?

Financial fraud/crime is a type of cybercrime that uses illegal means to obtain money or assets owned or held by financial institutions and individuals. A growing number of cybercrimes are now driven purely by financial motivation.

With today’s complex economic system and the tremendous increase in the use of Internet banking, mobile banking/wallets, e-commerce, and online share trading, there has been a corresponding growth in financial fraud. It takes many forms, including Credit Card fraud, Internet banking fraud, mobile banking fraud, computer manipulation, accounting scams and money laundering.

Types of Financial Frauds

Financial fraud can occur in almost any consumer or business transaction. Here is a detailed overview of the common financial crimes.

Identity Theft

  • PII dump: A Personal Identification Information (PII) dump is the process of making an unauthorized digital copy of an individual’s personal information for malpractice. The following are some of the personal details required for a successful financial fraud:
    • Date of Birth (DOB): This is one of the most important pieces of information required for financial fraud, because with key PII such as the name, DOB and address it is easy to find an individual’s Social Security Number (SSN). These are also the details a bank requires for the successful verification of its customers.
    • SSN: The Social Security Number is a nine-digit number issued to US citizens, permanent residents, and temporary (working) residents in the United States. Although its primary purpose is to track individuals for Social Security purposes, the SSN has become the national identification number for taxation and other purposes.

The SSN is frequently used by those involved in identity theft because it is interconnected with many other forms of identification. The SSN has been integral to the identity infrastructure of the US, as financial institutions use it as a key identifier for setting up bank accounts, Credit Cards, and loans. Presently, the SSN is one of the primary factors making an individual extremely vulnerable to identity theft.

    • Mother’s Maiden Name (MMN): This is the name of someone’s mother BEFORE she got married, i.e., her name with her original family name (or “surname”). Simply put, this is the name she used as a girl and a young woman. “Maiden” here means “unmarried woman”, so “maiden name” refers to a woman’s name while she was still unmarried.

Certain websites require the user to enter a security question and an answer for it. The list of questions is standard, and one of them is usually “What is your mother’s maiden name?”. This form of knowledge-based authentication is one of the most important aspects of conducting successful online transactions for high-value products, as most banks ask this security question before allowing any changes to the account.

The figure below shows PII dumps found in underground marketplaces.

Credit/Debit Card Frauds

  • Card dumps:

A Credit Card dump is the process of making an unauthorized digital copy of the information contained in the magnetic stripe of an active Credit Card with the intention of using it for illegal financial transactions.

Credit Card dumps are used by fraudsters to capture valuable card data such as the card number and expiration date. These can be obtained in a number of ways. The most popular method nowadays is “skimming”, a process in which an illegal card reader is used to copy the data from a Credit Card. Other methods include hacking into a retailer’s network, or a malware-infected point-of-sale device that, unknown to the retailer, sends card information to cybercriminals.

The following are a few examples of Credit Card dumps available on the darkweb and deepweb:

  • CVV dump:

The Card Verification Value (CVV) is a security code on the card that is required for completing online financial transactions.

Cybercriminals acquire an unauthorized digital copy of the Credit Card’s CVV with the intention of making illegal financial transactions. It is difficult to dump CVV data, since e-commerce and online payment systems are not supposed to store it; instead, hackers install skimmers on ATM machines or PoS terminals to scrape card data, besides collecting the information through phishing attacks.

The following is an example of a Credit Card CVV dump available on the darkweb and deepweb:

  • TRACK1 & TRACK2 data:

There are up to three tracks on magnetic cards known as tracks 1, 2, and 3. Track 3 is virtually unused by the major worldwide networks. Point-of-sale card readers almost always read track 1 or track 2, and sometimes both.

The minimum cardholder account information needed to complete a transaction is present on both tracks. Track 1 has a higher bit density and is the only track that may contain alphabetic text, and hence is the only track that contains the cardholder’s name. The information on track 1 of financial cards starts with a single-letter format code. “A” is reserved for use by the issuing bank itself. “B” is the format in which the holder’s financial information is stored, the most important section of the magnetic stripe. “C” to “M” are reserved for ANSI Subcommittee X3B10, and “N” to “Z” are available for use by individual card issuers.

The following image depicts Track 2 data for sale in one of the darkweb marketplaces.

  • BIN Dump:

The Bank Identification Number (BIN) is the first six digits that appear on a Credit Card, and it uniquely identifies the institution issuing the card. The BIN is key in the process of matching transactions to the issuer of the charge card. This numbering system also applies to charge cards, gift cards, prepaid cards and even electronic benefit cards. It helps detect identity theft or potential security breaches by comparing data, such as the address of the institution issuing the card and the address of the cardholder.

The first digit of the BIN specifies the Major Industry Identifier, such as airline, banking or travel, and the next five digits specify the issuing institution or bank. For example, the MII for a Visa credit card starts with a 4. The BIN helps merchants evaluate and assess their payment card transactions. After submitting the first four to six digits of the card, the online retailer can detect which institution issued the customer’s card, the card brand (such as Visa or MasterCard), the card level (such as corporate or platinum), the card type (such as debit card or a credit card), and the issuing bank country.
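As an added example (not code from the original post), the following Python parser decodes the Track 1 and Track 2 layouts described above, extracts the BIN and the Major Industry Identifier from the first digit, and runs the Luhn check; a defender might use it in a DLP rule or a PoS memory-scan detection to confirm that a matched string really is stripe data before raising an alert. The MII table follows ISO/IEC 7812, and the sample track strings are constructed around the public Visa test number 4111111111111111 (not a real card).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Track 1 layout: %<format code><PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%([A-Z])(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{1,19})=(\d{4})(\d{3})([^?]*)\?")

# Major Industry Identifier: meaning of the first PAN digit (ISO/IEC 7812).
MII = {"1": "airlines", "2": "airlines", "3": "travel and entertainment",
       "4": "banking and financial", "5": "banking and financial",
       "6": "merchandising and banking", "7": "petroleum",
       "8": "healthcare and telecommunications", "9": "national assignment"}


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check digit validation; rules out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TrackData:
    track: int
    format_code: Optional[str]  # Track 1 only: 'B' = financial (bank) card
    pan: str
    bin: str                    # first six digits, identifies the issuer
    mii: str
    name: Optional[str]         # Track 1 only
    expiry: str                 # YYMM
    service_code: str
    chip_card: bool             # service code 2xx/6xx: card carries a chip
    luhn_ok: bool


def _build(track, fmt, pan, name, exp, svc) -> TrackData:
    return TrackData(track, fmt, pan, pan[:6], MII.get(pan[0], "unknown"), name,
                     exp, svc, svc[0] in "26", luhn_valid(pan))


def parse_track(raw: str) -> Optional[TrackData]:
    """Return structured data if raw contains a Track 1 or Track 2 record, else None."""
    m = TRACK1_RE.search(raw)
    if m:
        fmt, pan, name, exp, svc, _ = m.groups()
        return _build(1, fmt, pan, name.strip(), exp, svc)
    m = TRACK2_RE.search(raw)
    if m:
        pan, exp, svc, _ = m.groups()
        return _build(2, None, pan, None, exp, svc)
    return None


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep BIN and last four digits, never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # Constructed samples (Visa test PAN 4111111111111111; the second has a bad check digit).
    for sample in ("%B4111111111111111^DOE/JANE^25121011234567890?",
                   ";4111111111111112=25121011234567890?", "no card data here"):
        rec = parse_track(sample)
        print(rec and f"track {rec.track} {mask_pan(rec.pan)} {rec.mii} "
                      f"luhn={rec.luhn_ok} chip={rec.chip_card}")
```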

The following snapshot provides BIN information available with banking details and card information for fraudsters over different marketplaces.

  • Counterfeit cards/cloned cards:

Cloned cards are made by fraudsters using Credit/Debit card information stolen from victims or bought in underground marketplaces. It is difficult to identify fraudulent transactions made with cloned Credit Cards because the real card is still in the cardholder’s possession. The image below showcases an instance of cloned or counterfeit cards available for sale on a darkweb forum.

Internet Banking and Mobile Banking Frauds

  • Financial Phishing:

Phishing is a fraudulent attempt to obtain the victim’s sensitive information such as username, password, DOB, etc., by posing as a trustworthy entity; these details are then used for fraudulent financial transactions from the victim’s bank account. Often, Internet banking users receive emails that trick them into entering their account information on a fake website that masquerades as a legitimate banking website.

The following figures show some of the recent Phishing attacks live in the wild, and targeting ING, Lloyds Bank, SMBC Bank and HALIFAX.

Phishing email attacks vary from simple ones like fund transfer scams, lottery scams, 419 scams and dating scams to the most destructive spear phishing or whaling that targets executives of larger companies through Business Email Compromise (BEC).

  • Fake Prize Scam:

In this scam, users are informed through an email that they have received a payment into their bank account from a prize scheme (that is non-existent) and they are requested to pay for the shipping and handling charges in order to receive the prize amount. The example below depicts one such case of fraud masquerading as an email from the FBI Director and with the subject FEDERAL DIPLOMATIC DELIVERY.

The image below shows a spam email that pretends to be from “Shopia Thomas” with a message related to a fake cash prize award of USD $5,550,000.

  • 419 Scam or International Lottery Fraud:

The 419 scam is a type of fraud dominated by criminals from Nigeria and other countries in Africa. Victims of the scam are promised a large amount of money through a lottery prize or inheritance. While victims never receive the non-existent fortune, they are tricked into sending their money to the criminals. Recent incidents of such frauds include subject lines COMPENSATION FUND PAYMENT, GOOD NEWS ON YOUR FUND, Donation Information!!, Congratulation Heineken Lottery Winner, and masquerade as information from the FBI or UBA (United Bank of Africa).

  • Financial Funding Scam:

This type of financial crime lures money away from the victim on the premise of fundraising for a project.

  • Fake Banking Apps:

This fraud takes the form of fake mobile applications that look like a real banking application, with the functionality of displaying bogus login screens and harvesting the entered data. Fake banking apps are usually spread through app stores such as Google Play or other unofficial app stores, where they pose as legitimate banking or other finance applications.

Fake banking apps typically use the following steps:

  1. Tricking victims into installing malware by posing as a legitimate banking app and obtaining the permissions needed.
  2. Upon launching, they display a phishing screen mimicking a legitimate banking app and request for login credentials or Credit/Debit card details.
  3. Once details are submitted by users, they harvest the credentials entered in the bogus form.
  4. They display an error/thank-you message, besides offering no further functionality.
  5. The last step includes the fraudulent transactions carried out using the victim’s account or selling the credentials on the black market.

Payment Gateway Attacks:

  • Payment Gateways: Payment Gateways are a merchant service provided by an e-commerce website that authorizes Credit Card or direct payments processing for e-businesses, online retailers, or traditional brick and mortar stores. The payment gateway may be provided by a bank to its customers and can also be provided by a specialized financial service provider as a separate service. It facilitates a payment transaction by the transfer of information between a payment portal (such as a website, mobile phone or interactive voice response service) and the front-end processor or acquiring bank.

Payment gateways are another vulnerable area that is being targeted by cybercriminals. These e-commerce websites are directly connected both to the Internet and to a bank’s back-end systems for data processing and supply management, making the website a prime attack point for gaining access to crucial information assets within the organization.

  • ATM Skimmer:

This is a device designed to be affixed to the card slot of an ATM to secretly collect Credit and Debit card information when bank customers insert their cards. Skimmers have been around for years and fraudsters are constantly improving them. Studies show that card skimming accounts for more than 80 per cent of ATM fraud. Some sophisticated skimmers are even able to transmit the stolen data via text message.

In November 2020, an incident of ATM skimming included a skimmer belonging to a local co-operative bank, installed in an ATM of the bank located near the Lashkar court.

  • Web/Digital Skimmer:

Web skimming is a form of Internet or carding fraud in which a payment page on a website is compromised by injecting malware onto the page, typically by compromising a third-party script service, in order to steal payment information.

Web/Digital skimming attacks steal Credit Card information or payment card data from visitors to an online store. This is the online counterpart of the physical skimming that retailers and banks have experienced, where attackers install stealthy Credit Card skimmer devices on ATM machines.

Magecart is a style of digital skimming attack on web and mobile applications and a major cybersecurity threat to e-commerce sites. This targets e-commerce platforms such as Magento to steal credit card payment data.
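One mitigation for the third-party script compromise described above is Subresource Integrity (SRI): the checkout page pins each third-party script to a known-good hash, so a script that has been tampered with on the CDN fails the browser’s check and never executes. The following is an added example (not code from the original post or from any of the vendors mentioned) that computes and verifies SRI values and audits a constructed checkout page for third-party scripts that are not pinned; the sample HTML and script bodies are constructed, and the integrity value in the sample page is a placeholder.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests SRI permits


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute the integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI allows only sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser: accept if any listed hash token matches the content."""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in SRI_ALGOS and sri_hash(content, algo) == token:
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Emit a pinned <script> tag; crossorigin is needed for SRI on cross-origin URLs."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


class _ScriptAudit(HTMLParser):
    """Collect cross-origin <script src> tags that carry no integrity attribute."""

    def __init__(self, own_host: str):
        super().__init__()
        self.own_host = own_host
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = urlparse(src).netloc  # empty for same-origin relative paths
        if host and host != self.own_host and not a.get("integrity"):
            self.unpinned.append(src)


def unpinned_third_party_scripts(page_html: str, own_host: str) -> list:
    """Audit a checkout page: every third-party script should be pinned with SRI."""
    audit = _ScriptAudit(own_host)
    audit.feed(page_html)
    return audit.unpinned


# Constructed checkout page: first-party script, a pinned third-party script
# (placeholder integrity value) and an unpinned third-party script.
SAMPLE_CHECKOUT_HTML = """
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.net/widget.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://tags.example.org/analytics.js"></script>
"""
```

SRI only protects scripts whose content is static; a skimmer that is dynamically loaded from a script you already trust, as in the Baka case, additionally needs a Content Security Policy that restricts where scripts and outbound connections may go.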

The following are some of the recent, major payment gateway attacks.

In August 2020, security firms warned of a cybercriminal gang called “UltraRank” that was using malicious code to skim payment card data and then selling that information to others on its own underground site. Unlike other gangs under the Magecart umbrella, which sell stolen information on third-party carding sites, UltraRank created its own carding shop called ValidCC that sells the stolen Credit Card data to other fraudsters.

  • The skimmer uses malicious JavaScript code that is injected into online e-commerce sites and is used to steal payment card data. UltraRank has used similar methods to hide server locations, dynamically change the IP address, and store the JavaScript code at multiple locations using various domain names. They successfully intercept customer bank card data on all online stores infected by the malicious script.

In September 2020, researchers warned Visa merchants and customers about a recently uncovered digital skimmer called “Baka” that stole payment card data from e-commerce sites while hiding from security tools.

  • The Baka skimmer has functionality similar to other JavaScript skimmers but with added capabilities, such as loading dynamically into e-commerce sites and then hiding from security tools using obfuscation techniques. This skimmer has been found on several merchant websites across multiple global regions, and it uses the same command-and-control infrastructure that previously hosted the ImageID skimmer. The skimmer collects payment and other customer data from various form fields and sends the information to the fraudsters’ command-and-control server.

Financial Institution and Bank Compromise:

  • Attacks on Banking Infrastructure:

Hackers/cybercriminals are well versed in targeting banking organizations through zero-day or unpatched vulnerabilities in order to gain access to the bank’s infrastructure.

Even though direct attacks on banking infrastructure are uncommon, hackers use techniques such as the watering hole attack, in which they implant exploit code on websites that employees of the targeted organization frequently visit.

This may lead to a major breach of banking data. In the recent past, there were multiple discussions about one such incident involving a Brazilian bank, in which a threat actor was selling a remote code execution (RCE) vulnerability on different forums, as shown in the image below.

  • Point-Of-Sale (PoS) Attacks:

Cybercriminals also target network infrastructure. A great number of banking system components, such as PoS interfaces, are often left exposed on the Internet, making them a potential target for attackers.

The following are the major Point-Of-Sale attacks that happened in the past.

In May 2020, researchers observed a targeted phishing email campaign that deployed PoS malware called TinyPOS on a healthcare firm’s network and devices.

  • The TinyPOS malware attempts to collect the cardholder’s names, account numbers, card expiration dates, and other information.

In June 2020, three PoS malware variants designed to scrape payment card data were found on a targeted firm’s network and devices. These were identified as RtPOS, MMon and PwnPOS, according to the Visa report. These campaigns employed various RAT tools and credential dumpers to gain initial access and then laterally deployed the malware on the Point-Of-Sale (PoS) machines.

  • The RtPOS malware uses a specialized algorithm to check for payment card data before bundling the information into a file that the fraudsters later exfiltrate through a command-and-control server.
  • The MMon malware, on the other hand, deploys a command-line memory scraping technique that collects payment card data from a PoS device’s memory.
  • The PwnPOS malware creates persistence within PoS devices and attempts to scrape payment card data from memory.

Financial Supply Chain Compromise

  • Banks’ Third Parties Being Attacked:

Hackers/cybercriminals use supply chain attacks to gain access to sensitive data and critical systems of the targeted financial organization. Attackers need to learn about the targeted organization’s employees, such as their positions and topics of interest, in order to perform successful Business Email Compromise (BEC) or spear phishing attempts. The easiest way to gather employee information is to compromise third-party vendors that serve the target companies, such as vendors of ATM equipment, outsourced marketing, and loan services.

In the past, there have been multiple instances of third-party compromise that led to major banking data leaks, some examples of which are presented below.

In December 2018, cybercriminals attacked the European Central Bank’s website hosted by a third-party provider. The attack remained unnoticed for several months. According to official statements, there was a huge risk of data leaks due to malware injected by the attackers.

In January 2019, several US banks and financial firms suffered a serious data leak due to an error on the part of a third-party vendor. A server in which Ascension stored digital versions of paper financial documents was misconfigured. As a result, anyone could access a database of over 24 million credit reports containing sensitive customer information.

In 2020, P&N Bank, located in Australia, experienced a cyberattack while it was performing a server upgrade, and the data was stolen through a third-party hosting provider. As a result, customer information such as names, addresses, email addresses, account numbers, and balances was compromised. The bank sent an email to 96,000 members informing them of the breach.

Recently, hackers/cybercriminals were selling a data dump from a developer of banking management systems on underground darkweb markets, as shown below.

  • Ransomware Groups Leaking Banks’ Data:

Ransomware groups typically target organizations, infecting them with file-encrypting malware and holding the victim’s files for ransom. If victims fail to pay the ransom demanded by the threat actor, the stolen data is sold in underground markets. The information for sale is used by fraudsters in activities such as carding and making counterfeit cards.

The following is a recent incident of a ransomware leak of banking data, leading to further financial fraud.

In June 2020, Cyble research team warned about an alleged data leak of the IndiaBulls Group by the CLOP ransomware operators. This data includes various personal information as well as highly sensitive bank-related documents of the company such as account transaction details, vouchers, letters sent to bank managers, and much more.

How to Secure Yourself from Financial Fraud:

  • Secure all links to payment system engines with a certificate-based mechanism such as mutual transport layer security, for all external or internal traffic to the organization.
  • Limit the number of certificates used on the production server and restrict access to those certificates.
  • Require two-factor authentication before any user can access the switch application server.
  • Verify that perimeter security controls prevent Internet hosts from accessing the private network infrastructure servicing your payment switch application server.
  • Ensure that perimeter security controls prevent all hosts outside of the authorized endpoints from accessing your system.
  • Validate your third parties and make sure they have the necessary level of cybersecurity and financial stability to provide your organization with the required services or products.

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io. 
