In 1992, when the Internet domain was established and the World Wide Web released by Conseil Européen pour la Recherche Nucléaire (CERN), the world truly became a global village. The Internet started linking individuals and businesses, and there was no question that cross-border communication had entered a new era. Today, virtually no organization can run without the use of the Internet, and increasingly more companies are seeing the benefits of leveraging the public cloud and Web 2.0, conducting their business transactions online as a result.
However, nothing is perfect. While the Internet has enabled countless businesses since its inception, it has also become a hotbed for organized crime. Online fraud has affected millions worldwide, and hackers are getting better at breaching security perimeters and duping users. Scarily enough, this form of attack knows no boundaries.
Gartner believes security measures such as one-time passwords and phone-based user authentication, previously considered the most robust forms of security, are no longer enough to protect online transactions. In October 2009, the FBI's Internet Crime Complaint Centre reported that cybercrooks had attempted to embezzle approximately US $100 million from US banks with stolen log-in credentials.
A decade into the new millennium and the problem still exists. Firewalls, anti-virus software and a vigilant eye can keep the problem somewhat at bay, but solving it will take an even greater effort -- from both organizations and individuals -- to keep the online realm safe and beneficial for everyone.
There are some predictions on the online fraud techniques that we should be aware of and concerned about in 2010:
Expansion of the 'dark cloud'
Enterprises should expect malware infection and Trojan attacks to intensify as fraudsters hone their ability to quickly exploit newly discovered vulnerabilities in websites and desktops. Companies will seek to gain better visibility into the 'dark cloud' of cybercrime infrastructure and feed information such as stolen credentials and mule accounts directly into their back-end monitoring systems.
Tipping point for enterprise fraud
At the moment, thousands of Fortune 500 and government employees' computers are infected with Trojans that targeted them as consumers. A large number of these computers are laptops that go home or on the road and use secure access through a VPN. In 2010, it will not be a surprise if fraudsters develop ways to monetize these infected resources, which can lead them straight into the affected organizations' networks. Bank employees will be a primary focus for these cybercriminals.
The malware crystal ball
The economic downturn in 2009 means that legitimate programmers are available, making the cost to build malware cheaper -- so expect more of it. With formerly 'legitimate' programmers working on code, enterprises should expect an influx of 'benefits' into malware packages, or of malware disguised as 'performance optimization' or even 'PC enhancement' software.
Mobile banking fraud
More customers will be enrolled in mobile banking, and more services will be offered via mobile channels. Banks in Asia and Europe are already experiencing mobile Trojans and SMS redirection attacks. We can expect the US to experience the first wave of attacks towards the middle of 2010. Banks will start funding the extension of their online banking protection to the mobile channel.
Web 2.0-based social engineering attacks
Companies are developing Web 2.0 functionality in order to support a growing consumer demand, but this makes them an easier target for social engineering attacks that are combined with malware. We predict that fraudsters will use fake chat programs to collect quality data from Trojan victims, fake social network-based bank applications, and direct attacks on Web 2.0 banking capabilities.
Return to telephony fraud
Armed with data stolen via Trojans and phishing attacks -- including 'vishing' (voice phishing), 'smishing' (SMS phishing) and spear phishing variants -- fraudsters around the world can call customer service departments to commit a fraud known as account takeover. These fraudsters often outsource the actual phone call to a multi-lingual third-party service provider operating 24/7 out of Russia, since the fraudsters do not speak the language of the target bank. Caller ID spoofing is also prevalent. On a related note, expect to see an increase in new account fraud as the wealth of personal information becomes available after massive data breaches. Technologies such as knowledge-based authentication are widely deployed to defend against this growing trend.
Wildfire infection will increase exponentially
The rate of malware infection of personal computers was 10 times higher during 2009 as compared to 2008. Leading the infection methods are drive-by-download (taking over legitimate websites and routing visitors to an infection server) and social network infections (spamming a victim's entire social network 'friend list' with links to infection servers).
Massive mule recruitment
The poor economy serves as the perfect breeding ground for 'work from home, make lots of money' scams designed to lure unsuspecting and innocent people to become 'mules' in money laundering, online fraud and re-shipping scams involving stolen e-commerce goods (a US-centric activity). Mitigation includes intercepting databases full of information on 'muling' schemes, as well as sharing known mules in real time between banks in order to leverage a network effect.
Like a deadly disease, online fraud is here to stay. But with vigilance and proper information risk management strategies in place, the Internet is a place where opportunities are limitless for individuals and businesses alike for many generations to come.
Saturday, July 17, 2010