1. How to (not to) become an Internet Fraudster
Boris Mutina
2. Disclaimer
There are so many kinds of Internet fraud. It is possible to use
almost everything possible and impossible... even the things
you've just discovered.
But don't try this at home. I've warned you.
btw1: everything mentioned in this presentation is real
btw2: I am sorry if you've expected any new hacks against the banks;
there are no such things here
btw3: you can ask questions during the presentation
3. I want to become rich!
1. legal ways are not always so boring, and I recommend them
- quite a big choice
2. also a big choice of illegal ways
- the consequences can hurt
vaseline costs almost nothing, but paying taxes hurts less
4. Who is the victim?
Two approaches observed:
1. victims are profiled thoroughly: their social status, position, age, possible knowledge
of IT technologies, profession etc., their colleagues, business partners, friends...
The financial crisis is also a considerable factor these days, as there is a problem getting funds
2. randomly selected victims: less sophistication observed when the fraud amount is too
high or too low
5. Accounts! Or?
It is important to understand which accounts the person uses
- emails, FB, whatever!
- Maltego Community is powerful enough to dig quite deep
- various online tools offer quite a comprehensive analysis
of the online "existence"
- understanding the habits, skills and other details turned out
to be a crucial success factor
Fraudsters love FUD, NSA, MH370,
but for the financial sector this is too obvious and recognized.
What about something LESS sophisticated?
6. Dump. Because the future is uncertain
But also quite effective
Yes, agree, pretty lame!
Fraudsters are sending phishing emails
to any email address they can get.
It makes them happy to find
new passwords again.
Btw0: consider that the recipients
are not often IT skilled
Btw1: password reuse
is a real issue here!
Btw2: what about the credential
leaks?
8. I want your money!
Btw1: never reuse the money mules
Now the easier part. After analyzing the emails, send a few
to the bank, business partner or someone who can send
the money.
Money transfer to Singapore, China or even Austria, just
be inspired by the money mule location.
9. Social engineering tricks?
Oh yes, we love them very much; don't forget, we own all the
emails, we even know the grandma's birthday.
Fraudsters often request the SWIFT messages, use words like
"urgent", claim to be on a business trip and unable to pick up
the phone (but respond to emails...).
In some cases they even call the bank!
Btw1: vacation and Xmas time are the peaks
Btw2: there's no plan B; the success rate is
higher than the Nigerian scam
10. Aftermath
After the money arrives at the beneficiary (BNF) bank, it becomes untraceable:
the money mule takes it out and sends it to another destination
while taking a small fee (can be up to 30% - nice job for the
money mules?)
11. Other scams?
Of course, this is not the only scenario that works.
I can give you a couple of others, but we're
out of time and actually...
... don't try this! Remember?
But there are nice forms of advance fee fraud...
12. Hypothetical thoughts
Research techniques in terms of OSINT, or crossing the border?
How deeply is spear phishing involved? Other sources?
How deep is the target profiling?
Does anybody collect the data and analyze it deeply?
If so, what do they know about me, my family, my company?
What are the protective measures?
And what about the security guys sometimes being too high?