Behind the scenes of online fraud

RSA security expert tells of blogs that review Trojans, IRC chat room marketplaces for online fraud tools, and new types of Web attacks designed to steal sensitive data.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

I sat down on Thursday with someone who watches the underground criminals who are trying to break into people's bank accounts and steal their money. And the picture isn't pretty.

Online fraudsters are coming up with more types of dangerous attacks and more sophisticated methods, says Uri Rivner, head of new technologies for RSA Consumer Solutions, which is owned by EMC.

I've already written about how the cybercriminals are borrowing organizational structures from the mafia and even legitimate businesses, and have further explored the threats from identity fraud. Rivner filled in some details with his assessment of how the fraudsters are operating. He talked about the "Fraud Supply Chain" in which harvesters steal the data and then sell it to people who are expert at turning the data into cash by emptying out the bank accounts.

The two sides of this e-commerce underground communicate via informal marketplaces on IRC chat channels. They also share information on sites like "Carder's Market," where you can read industry blogs and even reviews of Trojans and other malware.

Fraudsters aren't just targeting bank customers. They are also luring victims off social networks, where they harvest sensitive private information, and online gaming sites, where they steal accomplished avatars and accounts and sell them for money, Rivner says.

Another recent trend is the blending of phishing and malware on spoof Web sites that look legitimate but prompt visitors to run an executable in order to see a video, for instance. Instead, the executable is a Trojan that can grab the sensitive data on the computer. The recent "Obama sex video" spam is an example of this.

An example of a blended phishing/malware attack that lures victims to a trusted Web site and then prompts them to download malware. CNET News

Online fraud tools have price tags just like any other software. For example, the Mpack Infection Kit costs $700, a Dream BotBuilder costs $500, and at just $350, the Limbo Trojan is practically a steal, according to Rivner.

The Limbo Trojan hijacks a session between a computer user and a site they want to visit. Say you want to visit the site of your bank. You type in the URL and the site comes up, but there is something different about it, like it asks not just for your username and password, but also your ATM PIN. It's the real bank site, but the Limbo Trojan has exploited the Browser Helper Object in the browser to change the page display, Rivner says.

For people who don't have the skills to install, run, and manage their own Trojans and other tools, fraudsters are offering fraud software as a service for $299 a month, "which means anyone can do it," he says.

But don't freak out just yet. The financial institutions, aided by technology from companies like RSA, are taking steps to detect fraud and protect customers, Rivner says. The banks are monitoring transactions, and when they see irregular or suspicious activity they phone customers or ask for additional secret information to prove that the transaction is legitimate. They also take action when they don't recognize the IP address, device, or ISP a Web visitor is using.
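The bank-side screening Rivner describes (unrecognized IP address, device or ISP, irregular amounts, then a challenge or a phone call) can be sketched as a small risk scorer. This is an added example, not RSA's or any bank's code; the customer profile, thresholds and transactions are constructed sample data.

```python
"""Risk-based transaction screening in the style described above.
Added illustration; profiles, weights and transactions are made up."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Profile:
    known_ips: set
    known_devices: set
    known_isps: set
    past_amounts: list  # recent transactions the customer confirmed as genuine


@dataclass
class Transaction:
    customer: str
    amount: float
    ip: str
    device: str
    isp: str


def assess(tx, profile):
    """Return (action, reasons). Each unfamiliar attribute adds risk; an amount
    far above the customer's usual pattern adds more. Low risk is allowed,
    medium risk triggers a request for additional secret information, and
    high risk holds the transfer until the customer is phoned."""
    reasons, score = [], 0
    if tx.ip not in profile.known_ips:
        reasons.append("unrecognized IP address"); score += 1
    if tx.device not in profile.known_devices:
        reasons.append("unrecognized device"); score += 2
    if tx.isp not in profile.known_isps:
        reasons.append("unrecognized ISP"); score += 1
    if profile.past_amounts and tx.amount > 3 * mean(profile.past_amounts):
        reasons.append("amount far above customer's usual"); score += 2
    if score == 0:
        return "allow", reasons
    if score <= 2:
        return "challenge", reasons      # ask for extra secret information
    return "call_customer", reasons      # hold and phone the customer


# Constructed sample data using documentation IP ranges (RFC 5737).
PROFILES = {"alice": Profile({"203.0.113.5"}, {"dev-a1"}, {"ExampleNet"}, [40, 60, 50])}
SAMPLE = [
    Transaction("alice", 45, "203.0.113.5", "dev-a1", "ExampleNet"),    # routine
    Transaction("alice", 120, "198.51.100.7", "dev-a1", "ExampleNet"),  # new IP only
    Transaction("alice", 900, "198.51.100.9", "dev-zz", "OtherISP"),    # everything new
]


def screen_all(txs=SAMPLE, profiles=PROFILES):
    """Screen each transaction against its customer's profile."""
    return [(t.customer, assess(t, profiles[t.customer])[0]) for t in txs]
```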

While online attacks get the headlines, a bigger risk is from skimmers, fake faceplates for ATMs that steal card data from the magnetic stripe. The data is then used to make forged cards.

One fraudster, whose alias is "Chao," specialized in selling skimmers and provided customers with support and road maps for future product features on his site. It appears that electrical power switches from Ikea were used as one of the components of his ATM skimmers, Rivner says. Chao even had a video in which a cartoon character provides tips on installing skimmers, such as targeting ATMs near stores that only accept cash, but avoiding small towns where people might recognize that the ATM credit card slot looks different.

A screenshot from Chao's video with tips for how best to use credit card skimmers. CNET News

Chao was recently arrested by Turkish police after an informer turned him in, but there are plenty of other people out there willing to share their products and advice with would-be criminals.

Here are some of Rivner's suggestions that consumers can follow to protect themselves from identity fraud:

• Do not put sensitive information on social networks, and beware of phishing attempts on those and on game sites.

• Be careful about downloading files from unknown sites and clicking on links, and don't provide unnecessary or uncommon information to sites you trust without first checking with the company.

• Beware of "vishing" (voice-over-IP phishing) attacks, in which an e-mail provides a phone number to call and the caller is then prompted to provide personal information.

• Shield your hand when typing your PIN at ATMs, both from anyone standing nearby and from hidden video cameras.

• And, of course, update the antivirus and firewall software and install the latest security updates for the operating system.