Personal Mag

Borrowing from a model that has achieved popularity in the software world, online criminals are now offering Fraud as a Service, hawking their wares in Internet chat rooms. Among their offerings: data-harvesting Trojans, patching and upgrades to help Trojans evade detection, stolen credentials, and hosting and money-laundering services.

Newly organized methods of online criminal activity are threatening to democratize fraud and undermine banks and online traders, according to security experts at this year's RSA Conference Europe
Speaking to vnunet.com, security vendor RSA's Head of New Technologies Uri Rivner shared new data and trends spotted by the firm's Anti Fraud Command Center, which has now shut down over 100,000 phishing attacks.

Rivner warned of a new trend where criminals offer fraud services in a Software as a Service (SaaS) model, which can be purchased from Internet chat rooms and forums. This "Fraud as a Service" could feature information-stealing Trojans, together with bulletproof hosting Rackspace is the expert when it comes to delivering Windows and Linux hosting solutions. Click here to learn more. to ensure zero downtime, and a fully integrated infection service to provide patching and upgrades so the Trojan escapes detection by security software.
Online Hubs of Criminal Activity

"You can then sit back and watch how many computers are infected with the Trojan and how many user credentials come rolling in," Rivner said. "Anyone can do fraud these days -- you just need to go to the right place to get user credentials."

Rivner explained that roughly half of phishing attacks are now carried out by individuals or small groups who meet, exchange information and trade each other's services in Internet chat rooms. He added that most online fraudsters can be broken down into two groups: harvesting fraudsters, who specialize in stealing user credentials; and cash-out operators, who focus on laundering the money from stolen accounts or fraudulently purchased goods.

While the former can now easily buy Fraud as a Service packages to help them harvest account details, the latter work on the operational side, transferring money from these accounts into a network of so-called mule accounts. The money is then sent via Western Union from these accounts to someone else, who will take a cut and pass on the funds to the cash-out fraudster. At the end of the chain the cash-out operator and harvester will share their gains.
Industry Response

Banking e-crime experts echoed Rivner's evaluation of the current threat landscape.

Marc Cramer, information security consultant at insurance group ING, warned that hacking and phishing tools are now "very customer-friendly," while Mark Stanhope, senior e-crime manager at Lloyds TSB, argued that fraudsters are "a lot more agile than we are."

"They are a lot smaller than we are and will always evolve faster than us," Stanhope added. "We have to make it as difficult as possible for them to target mass attacks."

To mitigate the risk of being defrauded, Rivner advised firms to employ several key strategies. They involve limiting credit harvesting by detecting, blocking and shutting down attacks and then rolling out two-factor and adaptive authentication to customers, and finally transaction monitoring.

"It's not all doom and gloom. The most effective method of defense is a multilayered approach," Rivner said. "The threats are becoming more mass market and scalable, but the industry is developing an arsenal of tools to fight them."

Xavier Serrano Cossio of Spanish bank Banco Sabadell explained that his firm has had success using SMS messages to alert customers of unusual account activity, as well as using one-time password generators integrated into their mobile phones with which to log on to online banking.

"We have also had a good experience of transaction monitoring -- we use a lot of parameters and have grown very comfortable with it," Cossio said