Financial fraud has existed as long as financial institutions. The online world is rapidly changing how age-old financial crimes, from Ponzi schemes to identity theft, are approached—but it is also creating entirely new types of financial fraud.
The threat landscape is rapidly evolving as fraud perpetrators discover vulnerabilities and attack strategies faster than institutions adapt security processes. The dark web and other hidden online networks are critical for locating financial fraud in action—but many institutions face barriers to accessing this information. Finding this data quickly and easily enables banks to prevent and mitigate relevant fraud schemes.
What do these threats look like, and how can security analysts discover financial fraud intelligence more safely and efficiently?
The Financial Fraud Landscape
Finance and insurance are the most targeted industries by cybercriminals today, covering 19% of online criminal activity according to a 2019 IBM report. Most financial institutions are aware of their appeal to fraudsters (breached account data is easily and quickly monetized) and are actively preparing for attacks and investing in cybersecurity.
Banks are moving more of their services online and utilizing cloud services. These changes streamline the customer experience and internal processes, but also expose more attack surfaces. Third-party cloud services are also often governed by external security protocols, giving institutions less control over how this data is protected.
Like most industries, financial cybersecurity teams are burdened with processing an overwhelming and varied amount of threat data, separating noise from real threats, and contextualizing data into actionable intelligence. Mastercard security reported as many as 460,000 attack attempts on a “typical day” in 2019.
With this level of risk, it’s no wonder that banks focus their efforts more on finding and responding to threats than preventing them: a 2019 Ponemon Institute study on financial security software found that only 31% of surveyed institutions claim to effectively prevent attacks, compared to detecting (56%) or containing (53%) them.
Prevention is clearly the ideal solution, considering breach costs. In the United States, a single breach costs organizations USD $7.91 million on average, and a “mega” breach of 1 million records can cost upwards of USD $40 million. Attacks also immeasurably cost financial institutions their global brand reputation and customer and stakeholder trust.
7 Financial Fraud Threats
Understanding current financial fraud tactics is one of the best ways for banks to prevent and detect attacks. The “hidden internet,” which includes the deep and dark webs, contains thousands of sites either selling financial data and fraud services or discussing financial fraud strategies. Some of the most common forms of financial fraud include:
Exploiting Breached Data
Breached financial data has a huge presence on the dark web, often in the form of “fullz” for sale on dark web marketplaces. “Fullz,” a complete set of financial PII, can include an individual’s full name, address, SSN, DOB, bank name/number, account numbers and balances, and credit card information.
Listing for bank “fullz” on Empire Market, a dark web marketplace—discovered using Beacon
Breached data can also be found on paste sites, such as Pastebin (open web) or DeepPaste (dark web), which are used for publicly sharing blocks of plain text. These leaks can appear innocuous (e.g. public dumps of bank employee emails) because they can’t be monetized as easily as fullz. However, this information is often an early indicator of a more extensive data breach. Access to employee or executive names, emails, and phone numbers could be all an attacker needs to execute a phishing campaign or strengthen a social engineering strategy.
Email dump on Pastebin.com—discovered using Beacon
Breached financial and other personal data can also be published as a dox. Doxxing is an extensive PII breach targeted at a specific individual, usually on paste bins or anonymous doxxing sites on the deep and dark webs. Individuals are doxxed for a variety of reasons, but executives and other VIPs are often targeted as a form of anti-capitalist hacktivism or harassment.
Exposed executive information also gives attackers more leverage when impersonating bank executives in a phishing campaign. This can leave financial institutions more susceptible to business email compromise (BEC) scams, where attackers request employees to conduct financial transactions or other actions on behalf of an executive. BECs are recognized as the most costly type of fraud in the US by the FBI.
Scampages are fraudulent webpages used to obtain personally identifying information. In the financial industry, scampage links are commonly sent via phishing email requesting the customer to login and/or verify account information.
An online banking scampage for sale on the Canadian Headquarters dark web marketplace—discovered using Beacon
Attackers can purchase and sell scampages and templates on the dark web specifically designed to impersonate most major financial institutions. Scampage designs can be quite convincing, especially if targets do not evaluate their emails for suspicious links and content.
Bank drops are illegal bank accounts that enable money laundering. Drops are created using stolen financial information, typically from individuals or businesses with sound credit scores who are unlikely to be flagged. Fraudsters commonly use drops to hold stolen funds or order cards to commit ATM fraud.
Bank drop guide for sale on Apollon market (dark web)—discovered using Beacon
Skilled fraudsters are careful with bank drop activity to avoid being flagged, so they can be difficult to detect. Searching for the term “bank drop” using Beacon, a dark web discovery tool, discovered over 17,000 results across the deep and dark webs. Many of these are vendors offering bank drops or bank drop services, and individuals discussing bank drop strategies (e.g. how to avoid being flagged).
Dark web marketplaces offer a variety of fraudulent documents, including bank statements, cheques, fake debit or credit cards, and counterfeit currencies. Some of these are created by the vendor, while some of them are PSD templates that individuals can purchase and customize in Photoshop.
Customized counterfeit bank statement for sale on the Berlusconi dark web marketplace—discovered using Beacon
The screenshot above shows an example of a vendor offering counterfeit bank statements that users can “print … out with any regular printer.” This document can be used to illegally validate activities supported by bank statements—such as proving fake address, opening a fake PO box, or generating a fake net worth to commit mortgage fraud, for example.
Perhaps the most powerful intelligence for financial institutions on the hidden internet is criminal discussions. Public deep and dark web discussion forums give banks access to current hacking strategies, many of which are adapted to circumvent physical or digital bank security measures. Financial security teams can use this information to make system changes or inform customers and personnel about up-to-date risks.
For example, Beacon discovered financial fraud how-to discussions on the dark web about:
- Setting up bank drops and preventing them from being flagged by institutions
- Social engineering strategies
- ATM fraud
- Trojan how-to’s
Bank drop strategy discussion on DreamMarket Forum (dark web) as viewed in Beacon
There is also a dark web market for hacker-published guides explaining how to carry out common financial fraud tactics, which institutions could potentially purchase and evaluate.
Cloud Service Attacks
Cloud services offer financial institutions efficient, scalable, cost-effective data storage solutions. They also make internal data more prone to attack, and their vulnerabilities are rapidly increasing. Financial cloud services are expected to grow 33% by 2024, pointing to a greater need for more robust cloud security. In July 2019, an Amazon Web Services breach compromised 106 million Capital One credit card holder accounts—one of the largest financial breaches to-date.
Dark web users continuously share up-to-date information about cloud service exploits. Any data leaked from these exploits can also be posted on pastebins and dark websites. Finding this information as soon as possible is critical for a financial security team’s ability to mitigate cloud breaches in their early stages.
User on Dread (the dark web’s Reddit) seeking “API keys of … cloud services” in addition to other private data, as viewed in Beacon
Internal Vulnerabilities & Human Error
The 2019 Capital One breach was caused by a misconfigured firewall protecting the Amazon Web Services cloud. Human error is often to blame for misconfiguration, which is considered “the single-biggest risk to cloud security” by a 2019 IBM report.
In fact, human error is much easier for attackers to exploit than computer vulnerabilities. IBM reports that almost a third of attacks analyzed by its Incident Response and Intelligence Services team in 2018 involved phishing email compromises. Attackers often use social engineering to gain access to internal data or funds through employee-targeted phishing, business email compromises (BEC), or by phone. BEC scams have cost organizations more than USD $3 billion since 2016.
Neglecting security best practices, such as reusing passwords or failing to scrutinize email requests, is a significant vulnerability caused by human error. Cross-industry studies show that employees are likely to reuse passwords, sometimes across work and personal accounts.
Accessing threat intelligence on the deep and dark webs keeps financial security teams up-to-date on security risks and what to watch out for. Educating bank personnel and employees about these risks, as well as cybersecurity best practices and fraud detection, helps institutions prevent breaches and other forms of financial fraud caused by human error.
Accessing Financial Threat Intelligence Online
Most financial institutions are aware that these threats are publicly accessible on the deep and dark webs, but face barriers to accessing it. For one, content on the deep and dark webs are unindexed, so finding relevant information by manually searching is a time-consuming and laborious process. Navigating the dark web can also be dangerous, potentially exposing investigator identities and subjecting their organizations to further risk. Many financial institutions prohibit internal teams from directly accessing networks like Tor to avoid adding further risk to an already vulnerable industry.
These challenges point to a need for specialized tools that enable financial security teams to access threat data from the safety of their usual browser. Beacon, an Echosec Systems platform tool, enables financial security analysts to quickly access relevant, specific threat intelligence on unindexed open websites and the dark web.
Beacon’s UI allows users to view text-based content within the platform to avoid risks associated with navigating blindly on Tor. The platform also provides users with direct content links so that users know exactly where they’re going and what they can expect to see if they wish to access Tor sites directly.
Train, Adapt, Inform, & Monitor
What do financial security teams do with this information once they have the tools to access it?
The dark web gives users total anonymity—so accessing threat data isn’t necessarily an effective way of locating criminals, unless banks are working with law enforcement. Financial fraud strategies evolve quickly, so accessing current threat data is more about staying informed to prevent attacks and taking action as soon as they surface.
Here are a few actions that financial institutions can take with the data they find on pastebins, marketplaces, and forums on the deep and dark webs:
- Adapt security features and processes to patch vulnerabilities and hacking tactics discussed by threat actors. For example, financial institutions could introduce more security processes to prevent or flag bank drops, counterfeit documents, or ATM fraud, and reinforce vulnerable systems (e.g. cloud services) discussed on the dark web.
- Inform and educate executives, employees, and customers. Enforcing security best practices is one of the best preventative measures against financial fraud. Accessing financial threats on the dark web also enables institutions to keep executives, employees, and customers up-to-date about what potential attacks look like and how to deal with them if and when they happen. Searching for risks facing the financial industry as a whole also keeps institutions more prepared for what is likely to come, even if it isn’t directly targeting their brand.
- Detect data breaches in the early stages and respond more quickly to active threats, such as malware campaigns. Banks can use this information to freeze compromised accounts or bank drops, notify affected individuals, contain compromises more effectively, and prepare for any PR fallout of a breach.
Most bank managers and fraud analysts are aware of how aggressively their institutions are attacked by cybercriminals. The fact that most cybercrime is targeted towards financial institutions is not news as much as how these attacks are strategized over time and how this information can be accessed.
Because of the risks associated with navigating the deep and dark webs, banks typically outsource threat analysts or require specialized tools to filter critical data safely. Specialized search tools utilizing machine learning technology are becoming crucial to financial threat analyst teams overwhelmed by the amount of processable threat data.
Data discovery tools like Beacon are specifically designed for financial security teams to quickly and safely find and filter relevant online threat intelligence without having to directly access networks like I2P and Tor. Knowledge is power: staying up-to-date on financial fraud tactics, from BEC scams to cloud service exploits, puts institutions in a better position to prevent attacks and retain the trust of their customers, employees, and stakeholders.
Is your customers’ financial data being sold on the dark web? Schedule a demo with us to find out.