If you really want to understand the security and fraud threats to the digital economy, you need to visit a darknet. Although they sound like some shadowy society in a science fiction movie, darknets are very real.
Co-existing with the public Internet, darknets are essentially private networks where connections are made between trusted peers using non-standard protocols and ports. Unlike other distributed peer-to-peer networks, darknets keep IP addresses hidden so that users can communicate anonymously with less risk of being traced by governments or law enforcement agencies.
Although darknets are sometimes associated with dissident political groups, they are also widely used by organized crime and fraudsters. Our research has uncovered numerous closed forums or chat rooms, protected by passwords and vetting processes, where criminals and would-be criminals exchange information about how to attack and defraud telecoms companies, banks and other enterprises.
It seems likely that a recent attack on the U.S. bank JPMorgan Chase, which compromised the accounts of 76 million households and seven million small businesses, involved the trade of information on darknets. According to a report in the New York Times, the hackers appear to have obtained a list of the applications and programs that run on JPMorgan’s computers, which they could cross-check against known vulnerabilities in each program and web application. The hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, according to the report, indicating they had in-depth knowledge of the bank’s IT architecture.
In the past a hacker would have taken a trial-and-error approach to breaking into a specific company’s systems, giving the target organization time to detect the attack and take countermeasures. Today, the exchange of information on illicit forums means hackers may already know exactly which security systems they have to deal with before making an attack.
Informed and subtle attacks
Brian Rexroad, Executive Director, Technology Security at AT&T, recently warned that attackers are getting savvy to specific protections. “They will test against specific intrusion detection systems,” he said in a video interview filmed for a Light Reading conference in London in May. “They are looking for subtle ways to subvert security policies [...] tunneling things over HTTP, for example.”
Darknets facilitate such attacks by acting as marketplaces in which knowledge of specific vulnerabilities is bought and sold. In darknet forums, hackers might offer to retrieve data on a particular company’s customers and/or employees with a view to hijacking certain accounts. Some posts explain, for example, how to dupe a telco’s call center agents into providing information on a customer that can then be used to hack into their account.
Other posts detail how to get free WiFi tethering from a certain telco, while some offer a Python script that scrapes call and text history from a particular telco. Fraudsters also outline PBX hacking and other fraudulent techniques. Criminals use darknets to enable underground trade in anonymous SIM cards, and in tools and methods for changing the International Mobile Station Equipment Identity (IMEI) numbers the industry uses to blacklist stolen handsets. There are also posts explaining how to get multiple local country numbers on a SIM card, allowing the user to make long-distance calls at local rates.
As darknets enable more fraudsters and hackers to join forces, telcos’ fraud and security departments need to work closely together. And telcos may need to recruit additional expertise. Several chief security officers have told us they are beginning to hire specialists from law enforcement agencies to help them address the threat from organized crime.
The predictive power of big data
A range of techniques and tools can be used to monitor and infiltrate the shadowy forums on darknets and identify potential threats. With the right solutions, analysts can conduct a passive or an active search, scouring underground forums and boards for discussions relating to specific companies. Advanced Fraud Management solutions can be used to collect and analyze this information, combine it with other data, and generate dedicated alerts and cases that a fraud analyst can investigate in order to prevent the attack.
Identifying which companies are being targeted for attack and through which vulnerabilities in a timely fashion requires a combination of manual detective work and data analytics. As Mr. Rexroad told the Light Reading conference, security experts need to make much greater use of big data if they are to anticipate future attacks on their networks and systems. “There is still a tendency to look for very specific indicators of something that is indicative of a security event, as opposed to looking for properties or behaviors that are indicative of some type of security problem,” he said.
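The correlation described above, in the simplest form that a fraud or security team could run in-house: forum posts collected from monitoring are matched against the company's own brand names and, as in the JPMorgan case, against an internal application inventory, so that a post naming both the company and an application it actually runs is raised as a high-severity case with the affected hosts attached. This is an added illustration, not code from the article or from any vendor product; the posts, brand names, application names and host names are all constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed forum-style posts standing in for monitored darknet chatter.
FORUM_POSTS = [
    "selling app inventory for ExampleBank - runs LegacyCMS 2.1 and OldPortal 4.0 on 90+ servers",
    "anyone have tips on ExampleTelco call center, need account info",
    "free wifi tethering trick for OtherTelco, works on prepaid",
    "ExampleBank and ExampleTelco both quiet this week",
]

# Constructed internal asset inventory: application -> hosts running it (hypothetical).
ASSET_INVENTORY = {
    "LegacyCMS 2.1": ["web-01", "web-02"],
    "OldPortal 4.0": ["portal-01"],
    "NewAPI 7.3": ["api-01"],
}

WATCHED_ORGS = {"ExampleBank", "ExampleTelco"}  # our own brands (constructed)

@dataclass
class Alert:
    org: str
    post: str
    matched_apps: list
    exposed_hosts: list
    severity: str

def score_post(post: str) -> list[Alert]:
    """Return one Alert per watched organisation named in the post.
    Severity is 'high' when the post also names an application from our own
    inventory (attacker knows what we run), otherwise 'low' (brand mention only)."""
    alerts = []
    for org in WATCHED_ORGS:
        if not re.search(rf"\b{re.escape(org)}\b", post, re.IGNORECASE):
            continue
        apps = [a for a in ASSET_INVENTORY if a.lower() in post.lower()]
        hosts = [h for a in apps for h in ASSET_INVENTORY[a]]
        alerts.append(Alert(org, post, apps, hosts, "high" if apps else "low"))
    return alerts

def triage(posts) -> list[Alert]:
    """Collect alerts across all posts, high severity first, then by organisation."""
    alerts = [a for p in posts for a in score_post(p)]
    return sorted(alerts, key=lambda a: (a.severity != "high", a.org))

if __name__ == "__main__":
    for a in triage(FORUM_POSTS):
        print(a.severity.upper(), a.org, a.matched_apps, a.exposed_hosts)
```

In practice the inventory lookup would be fed from a CMDB and the posts from a collection platform; the ranking logic is the part worth keeping.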
Analysts say enterprises are beginning to see the value of applying data analytics to security challenges, as well as commercial opportunities. Research firm Gartner predicts 25% of large global companies will have adopted big data analytics for at least one security or fraud detection use case by 2016, up from 8% today.
Earlier this year, Avivah Litan, vice president and distinguished analyst at Gartner, outlined how the game of cat and mouse between hackers and their targets is now being played at a different pace. “A year or two ago, hackers would look around, conduct extensive cyberespionage on their targets, and then go in for the theft — whether it was for money or information,” she said. “Now, hackers — aware of more-effective security and fraud prevention measures erected by their target victim enterprises — simply go directly to the theft without a drawn-out reconnaissance phase.”
In summary, darknets are enabling the rapid exchange of information and expertise across the criminal world. To respond effectively, security and fraud specialists need to correlate both internal and external information to anticipate future attacks. Moreover, that analysis needs to be ongoing and relentless.