The Dark Net’s Fraud as a Service (FaaS)

Over the past three decades cybercrime has evolved from being a pimple faced teenager, to organized crime selling Fraud as a Service, feeding the underground economy.

hercules hydra
Luis García (Creative Commons BY or BY-SA)

One of the biggest public relations nightmares a company can face is the theft of customer data for the purposes of fraud. This is especially true when the company is operating in a heavily regulated industry such as healthcare, insurance, or finance.

We have seen what widely publicized incidents can do to a company’s reputation, shareholder value, and customer confidence. These incidents can also generate additional regulatory scrutiny. All of these impacts can and have shortened the careers of CEOs; Sony and Target are good examples.

FaaS has matured to the level of diversification and specialization. In the arena of cybercrime, groups have emerged into areas of specialization, with the top of the food chain acting as general contractors. According to Daniel Cohen, of the Online Threats Managed Services group at RSA:

As with any free market, suppliers and vendors must innovate to keep up with the needs of their customers. The dark market is no different. “Fraud-as-a-service” based offerings have become so commonplace, with everything from DDoS attacks and botnet rentals to stolen payment cards healthcare records, and social media accounts for sale in just a single click. And with the increasing demand and competition in the deep web, some cybercriminals are making customer service guarantees a key differentiator for their services with try-before-you-buy options and returns for "faulty" merchandise such as bad payment cards.

The demise of Carder Planet, Dark Market, and Silk Road I and II only represented a bump in the road, momentarily influencing the underground economy, but not stopping it. Like the mythical hydra, when the head is cut off, two grow to replace it. More recently an 18-month long investigation dubbed Operation Shrouded Horizon, led by the FBI, took down a site called Darkode. Members were accused of money laundering, conspiring to commit computer fraud, and wire fraud. A new iteration of the site was launched two weeks after the announcement of the arrests and indictments. Raj Samani, chief technology officer, EMEA, Intel Security believes:

The as a service nature of cybercrime tools products and services is one the main drivers behind the exponential rise in attacks, combining this with a perverse set of incentives where returns are high, and the risk is lower than physical crime it represents a major challenge for society in stemming the tide. What has been particularly noticeable is how fluid this economy has become, whilst the introduction of new services is no surprise, the sheer breadth of available data for sale is simply remarkable. With everything from PII, but also criminals selling direct access into compromised organisations.

Dark Net add

A recent advertisement from the Dark Net for “uniquely high quality American identities” with “Name, SSN, DOB, Address, Phone number and Medical Insurance Policy Numbers."

Cybercriminals have even developed a lucrative technique for using the identities of people with low or no credit. Healthcare records, specifically medical IDs, can be used to purchase narcotics and pharmaceuticals with a high street value. They have also implemented sophisticated scams where they use the identities of deceased doctors to bill insurance companies for fake procedures against the identities of legitimate patients. This technique alone can net fraudsters over $100,000 per incident.

The value of fraud transactions RSA

The graph demonstrates the prevalence of fraud in online prescription services by showing the average value of legitimate transactions vs. fraudulent transactions across different vertical markets.

The inherent value of Protected Health Information (PHI) to criminals is these types of records can be recycled over and over again. Changing a credit card account is as easy as calling your bank or filling out a form online. You can’t dial into a call center and ask them to change your identity.

Cybersecurity is the arms race of this and future generations. Unlike modern warfare which has thousands of years of history on which to build rules of engagement, we are in the position of developing many of these rules as the technology and resulting threats develop rapidly. As the information age continues to grow, mature, and innovate so will its criminal class. We, as corporations and nations, need to begin taking the fight to the enemy. I am not talking about preventative or detective controls, processes, or even hack backs. I am talking about putting people in jail. Steve Santorelli, former Scotland Yard cybercrime detective, now director of analysis and outreach at Team Cymru, sums it up nicely:

Couple our industries traditional propensity to hide incidents wherever possible, for fear of bad publicity, with the relatively recent trend towards mandatory breach reporting in several of these key areas, and you have a group of victims that are reeling from the impact. The offenders here are really thriving and we’re helping them with our antiquated systems that will take aeons to evolve.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)