Hacking Exposed

by Aaron Philipp


  While most consumer frauds typically involve amounts of under $100, certain types of fraud (mainly investment and mortgage fraud) can cost consumers, as well as other parties impacted by the frauds, significantly more. Many victims may have lost millions of dollars. When frauds of this nature are exposed, they quickly garner the attention of investigative and regulatory agencies that will engage to expose the fraud, recover funds for those damaged, and punish the parties responsible. As with various types of corporate fraud discussed, the agencies may include the FBI, Department of Justice, SEC, US Attorneys, and others, and may lead to various civil lawsuits by the injured parties. When investigations and lawsuits of this nature occur, the computer forensics specialist plays a significant role in uncovering the specifics of the fraudulent scheme, identifying the use and potential whereabouts of the money received during the scheme, and developing evidence to support the actions of various individuals and entities in perpetrating the scheme.

  TYPES OF CONSUMER FRAUD

  There are many types of consumer fraud, and the types of fraud are constantly changing. Consumer fraud varies in size and the scope of the people affected. The more significant consumer frauds involve the theft of an individual’s identity, access to some form of credit or monetary accounts, and frauds involving the investment process and the mortgage loan origination and underwriting process. In this chapter, we focus on three areas of consumer fraud that have been, and continue to be, more prevalent in today’s business environment: identity theft, investment fraud, and mortgage fraud.

  Identity Theft

  Identity theft has become the most widespread and prevalent form of consumer fraud in recent years. The schemes used to victimize consumers are ever-changing. Most forms of identity theft involve the theft of credit card data, while others involve the unauthorized receipt of utilities or other services in someone else’s name. Others still may involve someone receiving loans or other forms of monetary gain using someone else’s identity. However, while identity theft is widespread, the frauds are typically concentrated on one individual at a time and fairly limited to certain transactions. While identity theft typically doesn’t rise to the level at which an individual’s savings are completely wiped out, it can be costly to consumers in terms of monetary losses and damage to the individual’s credit rating, which often can be difficult and time-consuming to correct.

  What to Understand

  When identity theft is suspected, you must first determine the potential sources of the stolen information. Identity theft often results not from the unauthorized access to private financial and other information resident on personal computers or computer networks and databases, but from the interception of credit card offers or other information in snail mail. Many schemes rely on using personal information gleaned from stolen or improperly discarded personal information that is later used to gain access to credit cards, bank accounts, or other services that provide value to the perpetrator at the potential cost of the consumer. In these instances, computer forensics may have only a limited role, if any. However, it is not uncommon for the source of the illicitly obtained information to be computer based, which may require an evaluation of how access to the information in question was achieved.

  Identity theft can also begin with the theft of customer data, as described in Chapter 16. As with customer data, when identity theft is confirmed or even suspected, standard protocols are recommended for identifying, reviewing, and evaluating personal consumer information to determine whether any of the information has been put at risk, and if so, to determine how the information was accessed and by whom. As with the potential theft of information in electronic format, what to look for will depend on the type and format of information suspected to have been stolen and how that information was maintained and secured.

  Important information in relation to a person’s “identity” (such as name, address, date of birth, Social Security number, driver’s license number, bank account numbers, and so on) is maintained by numerous organizations with which an individual may have dealings over the years. In addition to an individual’s employer, banks, hospitals, insurance agencies, universities, and even the local video rental establishment may keep records unique to a person’s identity. In reality, the source of the theft of an individual’s identity may not be easily determinable and may have resulted from something as simple as someone gaining access to an individual’s Social Security number and receiving a credit card in that person’s name. So much information about an individual’s identity is dispersed throughout multiple organizations and entities that trying to source the potential theft may be a fruitless task. However, the information stolen may be more specific, such as access to particular bank and/or investment accounts.

  When specific information is suspected to have been stolen, and the potential sources of that information are reasonably narrow in scope, you need to understand what security procedures exist to protect the information and how that protection may have been circumvented. This lets you evaluate the relative risk of a perpetrator gaining access to the information and narrow the potential source of the theft. As a general preventive measure, users should be cautious when providing personal information to insecure Internet and bill pay sites, when keeping important passwords and account access information in insecure formats and locations, and when responding to requests for personal information on applications to join Internet sites, clubs, or other types of services (such as video rental stores).

  Unfortunately, the list of potential suspects and access points for identity theft may be significantly greater than you might realize. In reality, finding the source of the identity theft and tracing it to a potential suspect may be practically impossible. Still, where the information is highly specific to one account or one unique type of information, the exercise may be warranted, if only to understand what precautions and preventive measures should be put in place to avoid subsequent occurrences. Ultimately, preventing identity theft through the safe and secure management of both hard-copy and electronic personal information is the best bet, together with periodic monitoring of one’s credit report to identify suspicious credit transactions and stop identity theft before the damage becomes too great.

  What to Look For

  What to look for depends on the circumstances surrounding the personal information in question. However, several areas of information are typical sources of identity theft that warrant more careful inspection.

  Detecting Spam Attacks

  Take a look at a victim’s inbox. Then look at the number of spam e-mails that are in the junk mail folders. Think about how you could best determine which of those hundreds of e-mails was accessed by the victim when their identity was stolen. Finding out whether a spam message was the vector of attack could be an extremely difficult task due to the sheer volume you must deal with.

  How to Find the Spam Message

  Your best bet is to start elsewhere and see if you can link it back to an e-mail, but if your only lead is an e-mail, following are some tips on what to look for.

  How Many People Were Involved? If more than one person was the victim of identity theft and it is believed that the method used was a spam message, look for commonalities between the users. We are starting to see a lot more custom-crafted and targeted messages in these types of crimes. It is not uncommon for an entire organization to receive the same malicious e-mail in hopes that a few people will believe that it is pertinent to their business operations and follow through. If multiple people have been compromised in the same fashion and have uploaded to the same server around the same time, chances are they were all victims. Identifying the general timeframe can help as well. Use near–de-duplication technologies and tools such as Equivio or Trident to assist with this process. While it will take some time to get to a single e-mail using this methodology, it can at least give you a place to start.
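The near-de-duplication step described above can be approximated without a commercial tool. The following is an added example, not code from the book or from Equivio or Trident: it groups messages whose bodies are near-identical (word-trigram shingles compared with the Jaccard index) and then reports the groups that reached more than one confirmed victim within a short window. The messages, recipients and timestamps are constructed for the example; the similarity threshold and window are assumptions to be tuned for the case.

```python
# Added example (not from the book): near-duplicate grouping of e-mails
# received by several identity-theft victims. All sample data is constructed.
import re
from datetime import datetime, timedelta
from itertools import combinations


def shingles(text, k=3):
    """Word k-grams of a normalised message body; numbers and casing are
    flattened so 'Invoice #4471' and 'Invoice #4482' differ in few shingles."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty bodies count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_messages(messages, threshold=0.6):
    """Union-find grouping: any pair of messages whose body similarity meets
    the threshold ends up in the same cluster (returned as index lists)."""
    parent = list(range(len(messages)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    sh = [shingles(m["body"]) for m in messages]
    for i, j in combinations(range(len(messages)), 2):
        if jaccard(sh[i], sh[j]) >= threshold:
            parent[find(i)] = find(j)
    clusters = {}
    for i in range(len(messages)):
        clusters.setdefault(find(i), []).append(i)
    return list(clusters.values())


def suspicious_clusters(messages, victims, threshold=0.6, window=timedelta(days=3)):
    """Clusters that reached at least two confirmed victims within `window`
    are the first candidates for the attack vector."""
    out = []
    for idxs in cluster_messages(messages, threshold):
        hit = [messages[i] for i in idxs if messages[i]["recipient"] in victims]
        recipients = sorted({m["recipient"] for m in hit})
        if len(recipients) < 2:
            continue
        times = sorted(m["received"] for m in hit)
        if times[-1] - times[0] <= window:
            out.append({"recipients": recipients,
                        "subject": messages[idxs[0]]["subject"],
                        "first_seen": times[0], "last_seen": times[-1]})
    return out


# Constructed sample: three victims received the same templated message,
# differing only in the invoice number; two unrelated messages act as noise.
T = datetime(2009, 3, 2, 9, 0)
TEMPLATE = ("Dear customer, your account invoice {n} is overdue. Please verify "
            "your payment details at the link below to avoid service interruption.")
MESSAGES = [
    {"recipient": "alice", "subject": "Invoice #4471 overdue", "received": T,
     "body": TEMPLATE.format(n=4471)},
    {"recipient": "bob", "subject": "Invoice #4482 overdue",
     "received": T + timedelta(hours=2), "body": TEMPLATE.format(n=4482)},
    {"recipient": "carol", "subject": "Invoice #4490 overdue",
     "received": T + timedelta(days=1), "body": TEMPLATE.format(n=4490)},
    {"recipient": "alice", "subject": "Team lunch Friday", "received": T + timedelta(days=1),
     "body": "Hi all, lunch is at noon on Friday at the usual place, let me know if you are coming."},
    {"recipient": "dave", "subject": "Quarterly numbers", "received": T + timedelta(days=2),
     "body": "Attached are the quarterly numbers for review before the board meeting next week."},
]
VICTIMS = {"alice", "bob", "carol"}

if __name__ == "__main__":
    for c in suspicious_clusters(MESSAGES, VICTIMS):
        print(c["recipients"], c["subject"], c["first_seen"], c["last_seen"])
```

On a real mailbox export you would feed `cluster_messages` the bodies of read messages only (see the is_read discussion below) and lower the threshold if the crafted messages are personalised more heavily than a single number.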

  What Did the User Look At? Another thing that can help in identifying a specific spam message is to look at what e-mails the user opened and read. This can significantly reduce the number of e-mails that you have to review. Depending on what e-mail client the individual used, this can be dealt with in several different ways. If the e-mail was received using a tool such as Outlook, look in the message store metadata for the is_read flag. This flag is used by the tool to identify which e-mails should be marked as unread to assist the user. From a forensics standpoint, you can use this flag to help determine what e-mails the user opened and read. If the e-mail was believed to come in via webmail, perform the standard webmail retrieval and review the cache for the likely culprit.

  Interview the Victim This isn’t exactly a technical solution, but in these types of situations it can be extremely helpful. If you know the general timeframe when the theft occurred, talk to the victim about what she read and accessed during that time period. Ask general questions like “Did anything jump out at you as being off?” or “Do you remember any of your services contacting you about a bill around those days?” You’d be amazed how much the right question can replace hours and hours of forensic analysis.

  Phishing Web Sites

  Phishing is the act of getting an individual to give up personal information under the premise that it is needed for some official reason (such as a request supposedly from a bank asking for a person’s SSN). Generally, the net result of a spam e-mail is directing the user to a phishing Web site. These sites are designed to appear as though they were affiliated with a large financial institution or utility company, and they require some form of payment. The user thinks she is paying a PayPal or cable bill and dutifully enters private information into an online form. Unfortunately, the information isn’t going where it is represented to be going. In fact, it’s going to a hacker Web site located in Eastern Europe or China, for bundling and selling on the black market. These phishing Web sites can be extremely difficult to detect after the fact due to their perceived similarity to the sites they purport to be affiliated with. The user may not even realize she went to a malicious site.

  Detecting and Finding Phishing Access

  The good news for the forensic examiner is that phishing generally takes place over the Web and as such, you can use the standard Web site review process to find the phishing sites. Perform the standard history and cache extraction, just as with any other web activity review.

  Looking at the Internet History and Cache From here, you can start looking for URLs that are designed to look as though they came from a popular site but in fact reside on a third-party site. For instance, it is not uncommon to see URLs that look similar to this: http://80.84.121.35/.www.eBay.com/. This URL is clearly designed to look like a legitimate eBay site, when in fact it leads to a Web site located at 80.84.121.35. As shown in Figure 21-1, the page is designed to look like the eBay login page. The unsuspecting user then enters her username and password for her eBay account and the criminals enter the information into a database that they will later use to conduct auction fraud.

  Understanding this process and what to look for is vital when you’re performing a web activity review looking for phishing sites. Be aware that the URL is going to be intentionally designed to look like something it isn’t. In addition, an incredible amount of resources are out there to help you identify phishing sites. One such resource, www.phishtank.com, actually keeps a list of all known or suspected phishing sites on the Net. If you run across a suspicious site in your review that is no longer in operation, PhishTank offers search capabilities that let you determine whether the site had been identified as a phishing Web site.

  Figure 21-1 A phishing Web site; looks real, doesn’t it?
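The URL pattern quoted above (a bare IP address as the host with the brand name tucked into the path) can be screened for mechanically during a history review. The following is an added example, not code from the book: it parses each URL with the standard library, flags IP-literal hosts, and flags a brand name that appears in the path or in a hostname whose registrable domain is not one of the brand's own. The brand table is a constructed assumption, and the "last two labels" approximation of the registrable domain is a deliberate simplification (a real review would use a public-suffix list). It generalises slightly beyond the book's single example by also catching the brand embedded as a subdomain of an unrelated host.

```python
# Added example (not from the book): heuristics for URLs that imitate a known
# site. BRANDS is a constructed table; extend it for the case at hand.
from ipaddress import ip_address
from urllib.parse import urlsplit

BRANDS = {
    "ebay": {"ebay.com"},
    "paypal": {"paypal.com"},
}


def registrable_domain(host):
    """Last two labels of the host ('signin.ebay.com' -> 'ebay.com').
    Simplification: no public-suffix list, so 'example.co.uk' style hosts
    would need a real suffix list in practice."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True if the host is an IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return the list of reasons the URL looks deceptive (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if is_ip_literal(host):
        reasons.append(f"host is a bare IP address ({host})")
    path_and_query = (parts.path + "?" + parts.query).lower()
    for brand, legit_domains in BRANDS.items():
        on_brand_domain = registrable_domain(host) in legit_domains
        if on_brand_domain:
            continue  # e.g. signin.ebay.com/... is eBay's own host
        if brand in path_and_query:
            reasons.append(f"'{brand}' in path/query but host is not a {brand} domain")
        if brand in host:
            reasons.append(f"'{brand}' in hostname but registrable domain is "
                           f"{registrable_domain(host)}")
    return reasons


def screen_history(urls):
    """Apply classify_url to a list of history/cache URLs; keep only the flagged ones."""
    return [(u, classify_url(u)) for u in urls if classify_url(u)]


if __name__ == "__main__":
    # Constructed history entries; the first is the book's own example URL.
    sample = [
        "http://80.84.121.35/.www.eBay.com/",
        "https://signin.ebay.com/ws/eBayISAPI.dll",
        "http://www.ebay.com.account-verify.example/login",
        "https://www.paypal.com/signin",
    ]
    for url, why in screen_history(sample):
        print(url, "->", "; ".join(why))
```

Treat a hit as a lead, not a verdict: legitimate sites sometimes sit on bare IP addresses, and the next step is still to check the host against a list such as PhishTank's and to look at what the user submitted to it.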

  Looking at the Network Logs If you are dealing with an organization that has centralized logging of web traffic, these logs can be a real asset in these types of investigations. If you find a site through the analysis of the web history on a single computer, you can use the central logs to determine whether anyone else visited the same Web site and may have fallen victim to the same type of crime. Alternatively, if you can’t find anything in the web history but you believe phishing occurred, use the logs to find the malicious site. Compile a list of all sites visited during the suspected time period and compare them to a phishing black list to see what bubbles up. These logs can also tell you how much interaction the victim had with the site, as it is common for these proxies to log the data size and duration of the interactions.

  Match Up the Timeline with E-mails One thing that can be very helpful in these types of reviews is to correlate data between the e-mails and the web history. If you see that a spam e-mail purporting to come from eBay was read on a certain day, look for web traffic around that time to see if any Web sites could have been accessed from that e-mail. Look at the URLs contained in the e-mail to get at least a starting point for the web history review.

  Going the other direction can also be helpful. Study the suspicious URL metadata and try to determine what caused the user to access the site. Do you notice similarities among e-mails that were opened around that time? If so, did anyone else in the organization receive the same e-mail and visit the same site? Put together a timeline of activity not only on the user’s computer, but across the entire organization.
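The two log-driven steps above, checking centralized web logs against a phishing block list (including how much data moved and whether the victim submitted anything) and correlating read e-mails with the web traffic that followed, can be done in one pass over the proxy log. The following is an added example, not code from the book: the proxy log lines, the block list, the e-mail read records and the log field layout (time, user, client IP, method, URL, status, bytes, duration) are all constructed for the example, as is the 30-minute correlation window. It also serves the timeline suggestion in the paragraph above by reporting hits for every user in the log, not only the first victim.

```python
# Added example (not from the book): block-list matching and e-mail/web
# correlation over a constructed proxy log.
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log in a simple whitespace format:
# time user client_ip method url status bytes duration_ms
PROXY_LOG = """\
2009-03-02T09:14:02 alice 10.0.0.12 GET http://mail.example.com/inbox 200 5120 210
2009-03-02T09:16:40 alice 10.0.0.12 GET http://80.84.121.35/.www.eBay.com/ 200 18230 1450
2009-03-02T09:17:05 alice 10.0.0.12 POST http://80.84.121.35/.www.eBay.com/login.php 302 640 380
2009-03-02T11:03:11 bob 10.0.0.31 GET http://80.84.121.35/.www.eBay.com/ 200 18230 1320
2009-03-02T14:20:00 carol 10.0.0.44 GET https://www.ebay.com/ 200 40211 900
2009-03-03T08:05:30 dave 10.0.0.50 GET http://intranet.example.com/ 200 2048 90
"""

# Constructed block list; in practice this comes from a feed such as PhishTank.
BLOCKLIST = {"80.84.121.35"}

# Constructed: e-mails with is_read set, when they were read, and URLs in the body.
EMAILS_READ = [
    {"user": "alice", "read_at": datetime(2009, 3, 2, 9, 15),
     "urls": ["http://80.84.121.35/.www.eBay.com/"]},
    {"user": "bob", "read_at": datetime(2009, 3, 2, 11, 0),
     "urls": ["http://80.84.121.35/.www.eBay.com/"]},
]


def parse_log(text):
    """Parse the constructed log format into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, user, ip, method, url, status, nbytes, dur = line.split()
        rows.append({"time": datetime.fromisoformat(t), "user": user, "client_ip": ip,
                     "method": method, "url": url, "host": urlsplit(url).hostname,
                     "status": int(status), "bytes": int(nbytes), "duration_ms": int(dur)})
    return rows


def hosts_visited(rows, start, end):
    """Distinct hosts seen in the window: the list to compare against a block list."""
    return sorted({r["host"] for r in rows if start <= r["time"] <= end})


def blocklist_hits(rows, blocklist):
    """Per blocked host: who reached it, how many requests, bytes moved,
    and whether any POSTs (form submissions) went to it."""
    summary = {}
    for r in rows:
        if r["host"] not in blocklist:
            continue
        s = summary.setdefault(r["host"], {"users": set(), "requests": 0, "bytes": 0, "posts": 0})
        s["users"].add(r["user"])
        s["requests"] += 1
        s["bytes"] += r["bytes"]
        if r["method"] == "POST":
            s["posts"] += 1
    return summary


def correlate(rows, emails, window=timedelta(minutes=30)):
    """Requests by the same user to a host linked from a read e-mail,
    within `window` after the read time: (user, time, url) tuples."""
    hits = []
    for e in emails:
        link_hosts = {urlsplit(u).hostname for u in e["urls"]}
        for r in rows:
            if (r["user"] == e["user"] and r["host"] in link_hosts
                    and e["read_at"] <= r["time"] <= e["read_at"] + window):
                hits.append((e["user"], r["time"], r["url"]))
    return hits


if __name__ == "__main__":
    rows = parse_log(PROXY_LOG)
    for host, s in blocklist_hits(rows, BLOCKLIST).items():
        print(host, sorted(s["users"]), s["requests"], "requests", s["bytes"], "bytes", s["posts"], "POSTs")
    for hit in correlate(rows, EMAILS_READ):
        print(*hit)
```

The POST count is the detail worth chasing: a GET of the fake login page shows exposure, while a POST to it is the moment credentials may have left the organization.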

  Identity Theft Malware

  We discussed malware at length in Chapter 20, but it bears a bit more discussion in the specific context of identity theft. Malware is placed on a machine with the explicit purpose of stealing personal information and uploading it to a central server. While we discussed a couple of entry vectors in Chapter 20, some others are worthy of your attention in the context of identity theft. We have encountered manually installed malware on public machines (in coffee shops, copy stores, libraries, and so on) to steal people’s passwords and other personal information. This is a much different infection vector than the traditional “visiting a shady Web site” or “clicking on the wrong link” and requires some additional techniques.

  Finding the Source of Manually Installed Malware

  If you are tasked with finding how a public terminal was infected, you should start by asking several preliminary questions:

  • Did the machine have Internet access? If it didn’t, then you narrow down what you have to look at initially. If it did, your first step is to perform a traditional malware analysis, like that discussed in Chapter 20.

  • Who had access to the physical box? Depending on how the terminal was set up, the public may or may not have been able to plug USB drives or other external storage devices into it. If the public had access, you need to start by looking at the records of external device usage. If not, look to the network and Internet to see if a device could have been attached from another computer or over the Internet.

  • Where was the data going? Depending on the malware, the data may have been uploaded onto the Internet, or it could have been stored on the computer, for the hacker to pick up at a later point in time.

  Locally Installed Malware If you suspect the malware did come from a USB drive, you can take a few additional steps to close the loop on the malware analysis. Perform the steps discussed in Chapter 20 to find out when the malware was installed. Then use the USB drive techniques discussed throughout the book to see what drives were plugged into the computer when the malware was installed. This can be extremely important in these matters, as the USB drive can be used to get information off the system as well. (In one case, a hacker periodically returned to the computers and downloaded stolen information from the computer to a thumb drive and then reset the data repository on the compromised computer.)

  If you have performed the standard network analysis and it doesn’t appear that the malware is transmitting information out to an external server, or the computer isn’t connected to the Internet in that way, look for the repeated accesses by way of thumb drive or CD-ROM. The information has to be getting off the computer in some form or fashion; otherwise the malware is all for naught.

  Theft of Personal Records by an Insider

  We covered how to identify theft of customer data in Chapter 16, and those principles apply here as well. The data is usually stored in some type of a centralized location, such as a database, mainframe, or customer relationship management (CRM) system where it can be managed uniformly. The one twist between IP theft and identity theft is that, in our experience, there is more of a remote access component in insider identity theft. This can change the way you conduct your investigation, as you will want to check a few extra nooks and crannies in addition to the standard places we discuss in Chapter 16.

  Detecting Remote Transfer of Personal Data

  In addition to looking for the standard methods of getting data off a computer used in IP theft, you should look for remote connections into the databases or data repositories. For instance, if the data is stored in an SQL server, look at the access and firewall logs to see if any long-duration connections to the database were made. Also, since the database stores personal information, regulations may mandate that logging and auditing are kept at a higher level than for general databases. Consult with counsel about this and work with them to determine what additional audit logs may exist that can help you find the stolen information.
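One way to triage database access records for the long-duration remote connections mentioned above, as an added example that is not from the book: each session record (account, source address, login and logout times, rows read) is scored against three constructed thresholds, a remote (non-internal) source, a session longer than a set duration, and a bulk read by an account not expected to read whole tables. The session records, the internal network ranges, the exempt service accounts and the thresholds are all assumptions constructed for the example; a real audit log's layout depends on the database product and on the logging level counsel confirms was in place.

```python
# Added example (not from the book): triage of constructed database session
# audit records for remote, long-running, or bulk reads of personal data.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed audit records, one per session on the customer-records database.
SESSIONS = [
    {"id": 1, "account": "crm_app", "source": "10.0.5.20",
     "login": "2009-03-02T08:00:00", "logout": "2009-03-02T08:00:04", "rows_read": 120},
    {"id": 2, "account": "jsmith", "source": "10.0.7.33",
     "login": "2009-03-02T10:12:00", "logout": "2009-03-02T10:14:30", "rows_read": 45},
    {"id": 3, "account": "jsmith", "source": "198.51.100.77",
     "login": "2009-03-02T22:41:00", "logout": "2009-03-03T01:05:00", "rows_read": 250000},
    {"id": 4, "account": "backup", "source": "10.0.5.21",
     "login": "2009-03-03T02:00:00", "logout": "2009-03-03T03:10:00", "rows_read": 900000},
]

INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]     # constructed assumption
KNOWN_BULK_ACCOUNTS = {"backup"}                    # constructed: expected to read whole tables


def is_internal(ip):
    """True if the source address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def session_duration(s):
    return datetime.fromisoformat(s["logout"]) - datetime.fromisoformat(s["login"])


def session_flags(s, max_duration=timedelta(minutes=30), max_rows=10000):
    """Reasons a session deserves a closer look; empty list if none."""
    flags = []
    if not is_internal(s["source"]):
        flags.append("remote source")
    if session_duration(s) > max_duration:
        flags.append("long duration")
    if s["rows_read"] > max_rows and s["account"] not in KNOWN_BULK_ACCOUNTS:
        flags.append("bulk read")
    return flags


def suspicious_sessions(sessions, **thresholds):
    """(session id, flags) for every session with at least one flag."""
    result = []
    for s in sessions:
        flags = session_flags(s, **thresholds)
        if flags:
            result.append((s["id"], flags))
    return result


if __name__ == "__main__":
    for sid, flags in suspicious_sessions(SESSIONS):
        print(f"session {sid}: {', '.join(flags)}")
```

Session 4 is flagged only for its length and belongs to an account expected to pull whole tables, which is the kind of hit you clear quickly with the DBA; session 3 (remote, overnight, a quarter of a million rows under a named user's account) is the one to pull the firewall logs for.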
