Fraud as a Service
In working with various clients on the topic of security, a common theme has emerged. Management and employees still labor under the perception that fraud is the purview of unorganized individuals with an axe to grind against a specific company. Another popular opinion is that the company or individuals experiencing fraud are unfortunate victims caught in the blast of some hacker's scattershot attempt to make money. While this can sometimes be the case, the more likely explanation is far more disturbing and organized.
Fraud as a Service, or FaaS for the acronym collectors, has been a topic of concern for security professionals since 2008. RSA and others showcased this new trend emerging from the underground economy around November of that year. The acronym itself was coined from the Software as a Service (SaaS) term.
Before we delve into the various facets of FaaS, let us lay aside some of the assumptions that we have about the hacker/phisher crowd. Gone are the days when the primary theft was perpetrated by the sociopathic lone wolf in the basement. The major player is now organized crime, responsible for 70 percent of online fraud and billions in ill-gotten gains. Organized crime generates more revenue from fraud than from narcotics. For many not closely involved or interested in the security industry, these are surprising facts. Even more surprising are the business models that organized crime employs to maximize its profits. For the businessperson, the fraudster is your competitor: one who is not hindered by ethics and who has highly talented people working for them. They also function as a dark mirror image of corporate culture, complete with ROI studies and the whiteboarding of ideas.
With the backdrop properly set, we can now focus on the components of FaaS. Fraudulent activity is rapidly becoming based on Supply Chain Management (SCM). Reviewing the SCM framework, this includes outsourcing/partnerships, development, procurement, manufacturing flow management/support, distribution, performance management and customer support. In the underground economy this translates into fraud hosting services sold on a subscription or flat-rate fee. Once purchased, a fraud customer can review monthly status reports within a customer "dashboard" to check a current scheme's profitability. The services can include "All in One" Trojan suites, which provide the subscriber custom command and control tools over thousands of infected computers in a botnet, from which a custom fraud campaign can be directed. Another is a Pay-Per-Infection service, or Centralized Trojan Infection, where a subscriber (typically a criminal group) uses the fraud provider's resources to target specific computers and then pays only for those computers that are successfully infected with the preferred Trojan. HTML Injection (XSS) kits are commonly created and sold by the fraud service provider, either as a means to soften targeted computers for Trojan infection by using exploitable HTML code or as another method of gathering target data. Customer support is also available to answer subscribers' issues with their purchased package, and Service Level Agreements (SLAs) are negotiated to ensure those perpetrating the fraud receive the service for which they paid.
More specialized services are also offered. One is Phone Channel Fraud (Vishing), where the fraud service provider can spoof the Caller ID numbers (ANI spoofing) of financial institutions, provide native-language speakers for the target market, and give the fraudster the ability to "cash out" their ill-gotten gains. Another is Money Muling, or Mule Herding. Here the fraud service provider ropes innocent people into laundering money via wire services so criminals can move their profits from one compromised bank account to another and cash out. The mules are then paid a percentage of the money transacted. These muling jobs are sometimes advertised as "Regional Manager" or "Money Transfer Agent" positions, a growth market due to the economic downturn and the subsequent high unemployment.
Law enforcement is in a bind when it comes to tracking down and prosecuting fraudsters, due to their dispersed geographical locations and various legal issues with local governments. Most fraudsters operate out of former Eastern Bloc countries where the laws on cybercrime are lax or non-existent. The regional police have too few resources to prevent and solve local criminal activity, let alone keep a lid on online fraudsters who may have set up shop in their country. Also, the tool makers who enable fraud are rarely targeted, since international law is very vague and weak on that front. Law enforcement would rather go after those who have actively stolen data or funds than the people who support them.
Much remains to be discussed regarding FaaS, and security in general within the corporate environment, that cannot begin to be covered in one short blog post. The intent here, however, was to provide a brief overview and hopefully chip away at the outdated concepts that surround online fraud and its ramifications for online and offline business.