Channel: CodeSection,代码区,网络安全 - CodeSec

Fraud as a Service (FaaS): Everything You Need to Know


The 2017 LexisNexis True Cost of Fraud report makes for sobering reading. After surveying nearly 1,200 risk and fraud executives, the report concluded that fraud in retail, commerce, lending and financial sectors cost these industries more than 2.5 times the dollar amount of the actual fraud. Up to 31 percent to 43 percent of monthly transactions involved fraud attempts.

It gets worse. According to PwC’s 2018 Global Economic Crime and Fraud Survey, 49 percent of organizations globally said they had been a victim of fraud and economic crime.

What is FaaS?

In CSO Online, Daniel Cohen of the Online Threats Managed Services group at RSA says that FaaS offerings range from: “DDoS attacks and botnet rentals to stolen payment cards, healthcare records, and social media accounts for sale in just a single click. And with the increasing demand and competition in the deep web, some cybercriminals are making customer service guarantees a key differentiator for their services with try-before-you-buy options and returns for ‘faulty’ merchandise such as bad payment cards.”

However, FaaS is not just a blanket definition for digital fraud. While it does utilize techniques like phishing, whaling, insider fraud, SQL injection, and ATM-skimming, the concept more accurately refers to an insidious invasion of cyber criminals in an organized manner by:

- Utilizing a global network of criminals for international fraudulent collaboration through underground forums
- Creating a Dark Web platform from which FaaS activities take place
- Making fraud a profitable product that can be sold on
- Developing a network of services to aid fraudsters in committing digital crimes and converting stolen goods into cash

The FaaS model will gain traction in 2019 as it provides would-be cybercriminals with the means and opportunity to develop their own fraud businesses, at low cost and with little knowledge. The product itself can be acquired on the Dark Web; supporting services can be bought or rented; and the underground platform provides a supportive network of like-minded criminal collaborators.

FaaS as a Global Network

FaaS organizations operate in a similar manner to any other organization: there are menial workers, money mules, researchers, contractors, Dark Web hackers, technical specialists, managers and team leaders. While undoubtedly not quite so lavishly opulent, one might nevertheless imagine the Deep Web of organized cybercrime as the equivalent digital location of a James Bond movie. In fact, the Bond movie SPECTRE presented a global terrorist organization that could well have been a precursor to criminal syndicates in the Dark Web.

FaaS as a Dark Web Platform

More prosaically, FaaS is likely the criminal heir to cloud services that have enabled fraudsters to take underhanded advantage of the same services people use in their private lives and online businesses every day. Once simply a way to share everyday life with friends and family, Facebook is now one of many popular hunting grounds for criminals hoping to snare victims and steal their personal information.

It was bound to happen, opined The Weekly Geek as far back as 2010: “… on-demand, web-based fraud that mirrors the efficiency, sophistication, and universality of Software-as-a-Service (SaaS).” The Geek extracts some interesting takeaways from a whitepaper presented by Rick Van Luvender, Director of First Data’s InfoSec Incident Response Center:

- Today’s criminals are not operating out of seedy boiler rooms. They are sophisticated and smart
- Even though it is “underground,” the fraud-based economy is subject to the same supply-and-demand pressures of any other economy
- The most popular items for sale on the underground are credit cards, inexpensive to buy with a high profit potential
- At the center of FaaS are online fraud forums that operate in a very similar manner to legitimate online marketplaces. These forums utilize specialists to brainstorm new ideas to harvest data

The result: “Just as corporate IT managers have come to rely on the Internet to satisfy on-demand software needs in the form of Software as a Service (SaaS), so has the underground economy developed a similar infrastructure for delivering Fraud as a Service (FaaS).”

FaaS as a Profitable Product

FaaS is not just about instituting attacks to defraud large organizations. Indeed, it has become a profitable product to sell to other fraudsters. According to Hacker News, underground forums sell malicious code, hacking services and bullet-proof hosting at reasonable prices and even rent out entire botnets. The Zeus malware, freely available on the Internet, was improved and upgraded by developers who designed a commercial demo website for would-be buyers and, without blushing, published a dedicated Facebook page to the toolkit’s latest version (the page has since been shut down).

FaaS as a Network of Services

It’s not just raw code that is being distributed by fraudsters. Says Eric Geier at eSecurity Planet: “There are also numerous other associated services out there that are required to carry out a large successful attack such as malware quality assurance (QA) (yes, it’s true), distribution, and search engine optimization (SEO). All these goods and services can come together to make a cookie-cutter process for the attack originator while also making it nearly impossible to catch them due to all the third-party providers involved.”

Other services available to criminals include money laundering, money mules, making friends with bent insiders at large corporations, pay-as-you-go infection and exploitation services, and virtual criminal markets.

If you wanted to start your own digital crime outfit, why do all (or any) of the work yourself when you could harness FaaS?

Ideally, such a hacker would operate through the Dark Web, but you can also find criminal compatriots on the surface web via forums and word of mouth. However, doing so is dangerous and illegal. Often, white hats pose as black hats on these sites.

How much will it cost you? Prices vary and you have to balance the risk; criminals are not known for their ethics. An article by Business Insider describing the prices you can expect to pay for hacking activities includes an interesting offering by one hacker to boost Yelp ratings ― interesting because some online job boards on the surface web have been known to advertise for similar services, seeking freelancers to give their business a good rating. But using the Dark Web is no doubt more lucrative, more anonymous and more cost-effective, although much, much more risky.

Cybercrime as a Service (CaaS)

As is often the case on the Internet, the different trending terms are sometimes confusing, even contradictory. Relevant to this article is that the FaaS and Cybercrime as a Service (CaaS) acronyms are sometimes used interchangeably. FaaS is perhaps better described as an independent, specialized (and lucrative) segment in the CaaS business model. Strictly speaking, FaaS attacks are aimed primarily at financial industries and related service in
