17 December 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch

78Posts 364,813Views 36Comments
Innovation in Financial Services

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

First Bullet Fired in a Virtual War

21 January 2010  |  4873 views  |  0

I’m interrupting my series of 2009 mega-trends and 2010 projections to discuss the current situation in cybercrime.

What a crazy week. First Google says it is prepared to pull its business out of China after cybercriminals used Trojans to hack into Gmail accounts of anti-Chinese government human rights activists. Then it becomes clear over 30 corporations from the Internet, Media, Finance and Technology, as well as defense contractors were also attacked last month. The hackers were reportedly looking for intellectual property and source code. Yikes.

In the aftermath of all of this, the governments of France and Germany warned the public not to use Microsoft Internet Explorer, to move instead to using Firefox or Chrome. I don’t speak French, but “Le CERTA recommande l'utilisation d'un navigateur alternative” seems quite clear.

As I said, crazy week. No wonder security executives call this a watershed moment. I’d even go further and say it’s a dawn of a new era in information security: the era of high-profile Corporate Cybercrime.

In my Curse of the Were Laptop blog I suggested that the next big threat on corporate networks will not come from insiders or from direct attacks; it will come from employees infected with Trojans.

Which is what happened here. On January 12th, Google posted a blog titled “a new approach to China”. In the blog Google shared that multiple corporations were attacked by taking over employee PCs, and that there’s evidence the perpetrators attacking Google tried to access the gmail accounts of human rights activists that oppose the Chinese regime. Google alleged that the source of the attack was in China.

As a result, Google said it would stop censoring search results in google.cn and review its entire operation in China, pulling off completely if need be. Later on Google announced it had stopped plans to launch its new Android phone in China. Without going to the political ramifications of Google’s statement, this blog post started a virtual war between the red giant and the search giant. The US secretary of state Hillary Clinton called China to seriously investigate the allegations, raising the issue to a national foreign policy level.

The full scale of the highly coordinated attack on multiple corporate targets was revealed by McAfee, who named it Operation Aurora. According to the anti virus company, a zero-day vulnerability in Internet Explorer combined with a known vulnerability in PDF allowed cybercriminals access into employee PCs in multiple corporations.

The employees opened a Spear Phishing email containing a poisoned PDF file, and triggering a chain of exploits that ended up with the cybercriminals taking over their machine. This RSA Online Fraud Report describes what Spear Phishing and Whaling (spear phishing for senior executives) look like. For those seeking a more technical description of the attacks, you can try here.

Once the PC was compromised a Trojan was then downloaded to the machine and following that the corporate network was accessed from the hijacked end-point. Google, Adobe and 32 other companies are said to be the targets of the attack.

Note that the attacks were not directed at the network. They were directed at corporate employees, and their objective was reportedly to steal intellectual property by first taking over the end-points, and from there continue to breach the corporate network. This methodology is made possible by the combination – almost a celestial alignment – of two major trends that ripened in 2009: high-grade Trojans and unprecedented infection capabilities.

Who was behind the attack? The fact that the attack was well coordinated and combined tried and true techniques such as spear phishing and PDF poisoning with a rare zero day exploit and various pieces of advanced malware suggests a certain degree of sophistication, but not something beyond the capability of talented, knowledgeable hackers wishing to get their hands on intellectual property. It could also be a foreign-power-backed industrial espionage effort as suggested by USA Today, the Wall Street Journal and Krebs on Security. One has to wonder, though: in such situations you want to have a silent excursion and get away with a lot of assets without leaving incriminating traces. This wasn’t the case with Operation Aurora. It was quite noisy.

In any event, the first bullet in a virtual war was fired. Google vs. China; Cybercriminals against 34 giant corporations; France and Germany vs. Internet Explorer (due to the new zero day vulnerability); there are a lot of interests at stake.

It will also be an interesting decade from a cybercrime perspective. Employees are one of the weakest links in corporate security; cybercriminals and cyber warfare specialists now fully understand that. The current defenses cannot suffice, and the industry must think of a new defense doctrine.

As general advice I’d say: go and talk to the security folks in the financial sector. They’ve been fighting an almost identical problem for years: rather than rob the bank, the fraudster penetrates the user accounts. The same thing is happening now in the enterprise. Here’s what worked well in the financial struggle against the Dark Cloud of cybercrime: multiple layers of visible and invisible defenses; behavioral profiling of user activities; collaborative threat mitigation; cybercrime intelligence and pro-active countermeasures. In the enterprise space you can add advanced Data Leak Prevention technologies, Virtual Desktops complete with embedded controls, and desktop hardening to the mix. But essentially the same principals can work in the corporate fight against these emerging cyber threats.


Flowers were put on Google China HQ sign TagsSecurity

Comments: (0)

Comment on this story (membership required)

Latest posts from Uri

Brazil vs. Germany: A Surprising Find

12 July 2014  |  3805 views  |  1 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Sweetheart Scams: When Fraudsters Turn to Romance

30 June 2014  |  3107 views  |  0 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

BitCoin Explained: How to Become a BitCoin Thief - part 1

04 December 2013  |  22291 views  |  1 comments | recomends Recommends 1 TagsMobile & onlinePaymentsGroupInformation Security

A Message from Hell

01 October 2013  |  3774 views  |  0 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Uri's profile

job title Head of Cyber Strategy
location Tel Aviv
member since 2008
Summary profile See full profile »
Internet. The perfect fraud frontier. These are the thoughts of Uri Rivner, head of Cyber Strategy at BioCatch and formerly Head of new technologies, identity protection, at RSA, the security division...

Uri's expertise

Member since 2008
78 posts36 comments
What Uri reads

Who's commenting on Uri's posts