Online Fraud When Justin Bieber was 5!
This was an article that I hit upon a month ago that I thought was kind of interesting: Bank Systems & Technology, “Though Hairstyles May Change, Online Banking Fraud Remains the Same.”
To be honest, I was initially drawn to the reference to hair styles, since many of my friends and colleagues regularly tease me about my tendency to flick my hair – not unlike the Emo Skype Emoticon! So linking hair styles and fraud was intriguing. But as you can see, it was less about the hair (sigh!) than connecting the type of attacks that occurred ten years ago to those today.
That’s the thing with online fraud – it’s not so important that we’re inventing new categories: as the author of this article states, it’s still about trojans, keyloggers, malicious account takeover, and malware. But contrary to the article, there is a huge difference between online fraud in 1999 and what’s occurring today. Ten years ago it was the script kiddies that were wreaking havoc on the Internets. Today it is sophisticated crime groups. And the tools they’re using, ZeuS, SpyEye and the like, are available to virtually anyone with a credit card. . . SpyEye can actually be purchased for as little as $500 for a base bundle! This is sophisticated malware. As this author for eWeek.com described it in an article published when the ZeuS and SpyEye botnets merged late last year, “SpyEye works in stealth mode, is invisible from the task manager and other user-mode applications, hides the files from the regular explorer searches, and also hides its registry keys”.
Have a look here for some of the features that you’d be buying: SpyEye (v1.0.75).
Granted, the process of getting malware onto desktops today is not unlike it was ten years – typical phishing attacks, getting people to click on links in emails etc… But today, the target is less the consumer than the corporate banking user – where the money is! And while attacks on consumers occur, it’s as much about hijacking their computer and absorbing it as part of a botnet to be used in much larger, more malicious attacks.
And as the fraudsters have become more sophisticated, their attacks have become more sophisticated: Man-in-the-Browser attacks that launch after a user has authenticated to a site has been the focus of a number of corporate banking attacks over the past 24 months. And as we move increasingly into the mobile space, the attacks are moving there as well (man-in-the-browser has become man-in-the-mobile) – and instead of just targeting the desktop with malware, they’re targeting the desktop and the mobile device; and to gain control of the mobile device they’re coming from multiple vectors – email, web, SMS and voice. Have a look at this Whitepaper for a read on these threats: Addressing Advanced Fraud Threats in Today’s Mobile Environment.
So yes, we still talk about trojans, keyloggers, malicious account takeover, and malware – and we’ll probably be talking about these in 5 years time when they’ve consumed the mobile environment – but the threats and consequences are much more alarming than they were a decade ago.
And my hair style ten years ago? Well, I pretty much looked the way I do today – it’s just that my friends couldn’t compare me then to Justin Bieber!