
El auge del cibercrimen / The rise of cyber crime

Date post: 12-May-2015
Upload: centro-de-investigacion-para-la-gestion-tecnologica-del-riesgo-cigtr
Description:
Presentation by Richard Stiennon, Chief Research Analyst, IT Harvest. Summer Course CIGTR/URJC 2011
Transcript
Page 1: El auge del cibercrimen / The rise of cyber crime

Cyber Crime Prepare for the next wave: Business Process Hacking

Richard Stiennon – Chief Research Analyst, IT-Harvest

Friday, July 1, 2011

Page 2

IT-Harvest 2011

The Rise of Cybercrime

Ubiquitous Internet

New vulnerabilities

Market for identities

Success (profits)

30 million bots

Insider recruitment

Organization

International cooperation (or not)

Better security

DRIVERS

INHIBITORS

Page 3

Historical Criminal Societies

Page 4

The first wave: the adware economy

E-commerce Sites

Hit Stats
Fake “Top Ten”
Brokers
Webrings

Affiliate Web Sites
Software parasites
Worms
Viruses
Spam
Infected Desktops
ADware

Page 5

The Adware economy

E-commerce Sites

Hit Stats
Popularity-Stats
Brokers
Webrings

Affiliate Web Sites
Software parasites
Worms
Viruses
Spam
Infected Desktops
ADware

Page 6

IP theft as a service in Israel

Page 7

Physical presence targets “where the money is” - Willie Sutton
• Sumitomo Mitsui Bank Branch

Page 8

Cyber Defense :-) Sumitomo Best Practice

Page 9

Stop&Shop

Page 10

Stop&Shop cyber defense

Page 11

TJX: targeting data repositories
TJ MAXX, Marshall’s
45 Million Credit cards
@ $80/card
= $3.6 Billion in costs!

Pringle’s can or…?

Page 12

Business Process Hacking
• Step one: identify the business process
• Step two: identify key vulnerabilities and trust relationships
   Insiders
   Customers
   Partners
• Step three: steal something
• Step four: monetization

Page 13

An insider’s perspective
• Major railroad in US
• Major computer manufacturer in US

Page 14

Pump and dump
• Break into online trading account
• Sell off owner’s portfolio
• Purchase penny stocks
• Dump attacker’s holdings when stock price jumps
• Leave account holder with worthless portfolio
• Canadian attacks thwarted $11 million frozen in Lithuanian bank.

Page 15

E-ticketing fraud
• Indian railway reservations. Scalpers use software to corner the market for tickets and resell them at a markup.
• Concert tickets. Scammers snipe tickets when they go on sale using elaborate hacks to avoid fraud detection schemes. They resell them immediately on sites such as StubHub.com or TicketsNow.com ($1,000)
• Even better: scammers buy seats and block others from getting seats.

Page 16

Carbon credits
• 2010 Phishing attack against dozens of companies
• Seven out of 2,000 German companies fall for it
• Carbon credits transferred to two accounts owned by attackers
• $4 million stolen
• 2011 1.6 million carbon credits stolen from the Romanian branch of Swiss cement company Holcim. $36 million.

Page 17

Vulnerable business processes
• Treasury functions
• Logistics
• Payroll
• Trading platforms for energy, natural resources, commodities, securities
• Voting platforms
• Gaming sites
• Foreign Exchange
• “Deal rooms”
• Central banks

Page 18

Beyond theft

• Commerce relies on trust. Break that trust and commerce fails.

Page 19

[email protected]/stiennon
