How a 'Refund Fraud' Gang Stole $700,000 From Amazon
In the October edition of the Fraud Intelligence Report (FIRe), we discuss topics like the top 10 ATO challenges for merchants, with a strong warning about new fraud techniques and the countermeasures that will strengthen your business.
From emerging scams to new trends in fraud, we keep you informed:
Fraudulent activities
How a 'Refund Fraud' Gang Stole $700,000 From Amazon
Artemis Refund Group (ARG) is alleged to have committed refund fraud on a massive scale, using insiders at Walmart and online tricks to convince retailers to refund high-end items, which the group would then sell for profit. The group provided "Refund-as-a-Service" scamming services, with charges of 15-20% of the purchase price, and also used "malicious insider" tactics to gain insights into customer retail accounts.
Read more
New millionaires, new music: How cybercrime was codified into Afrobeats
The article explores the connection between cybercrime and the Afrobeats music genre in Nigeria. It discusses how a popular song called "Yahooze" by Olu Maintain became a hit despite being associated with internet fraud. The article highlights the rise of "Yahoo Boys," the term for internet fraudsters in Nigeria, who have become patrons of the arts, financing music projects and boosting the careers of upcoming artists.
Read more
Nearly 5,000 Okta employees affected by third-party data breach
A third-party data breach incident has impacted nearly 5,000 Okta employees and dependents. The breach occurred after Rightway Healthcare, a third-party provider used by Okta for healthcare services, experienced a cyberattack on September 23. Names, Social Security numbers, and health or medical insurance plan numbers were leaked during the attack. Although Okta clarified that the incident does not relate to the use of Okta services and that Okta services remain secure, the incident raises concerns about how third-party attacks can impact even those companies with robust security measures.
Read more
BBTok Banking Trojan Impersonates 40+ Banks to Hijack Victim Accounts
The article warns of a new variant of the BBTok banking Trojan targeting banking customers in Latin America, specifically in Mexico and Brazil. The campaign utilizes phishing techniques to trick victims into unknowingly divulging their two-factor authentication (2FA) codes and payment card details, allowing attackers to take control of their bank accounts. What sets this campaign apart is the use of fake interfaces for over 40 banks, which are convincing enough that unsuspecting users disclose personal and financial information. The malware's capabilities include process enumeration, mouse and keyboard control, clipboard manipulation, and traditional banking Trojan features. The campaign demonstrates the attackers' evolving tactics and highlights the need for users to be vigilant in detecting and avoiding phishing scams.
Read more
GoldDigger drains your bank account: new Trojan uncovered by Group-IB targets 50+ Vietnamese banks
The article discusses the discovery of a new Trojan malware called GoldDigger, specifically targeting more than 50 banks in Vietnam. The Trojan is designed to steal user credentials and transfer money from victims' bank accounts to multiple mule accounts, draining their funds.
Read more
Blockchain engineers’ Macs are targets of North Korea-linked malware
Hackers associated with North Korea have been found targeting the Apple devices of blockchain engineers with advanced malware. The tactics used in this campaign are similar to those of the Lazarus state-sponsored hacker group. The ultimate goal of these attacks is to steal cryptocurrency as part of North Korea's efforts to evade international sanctions. The engineers targeted worked for a cryptocurrency exchange.
Read more
Cybercrime Exposed Podcast: The Phisherman
The podcast episode focuses on Bex Nitert, an incident response and forensics professional in Australia who specializes in investigating phishing attacks. Bex reveals her discovery of a threat actor known as "The Phisherman", who conducts credential theft on an industrial scale.
Listen to the podcast
Fraud Prevention
10 common challenges with account takeover and how to deal with them
The article emphasizes the importance of maintaining a low ATO rate and highlights the metrics that can be used to measure the performance of an ATO solution. It also discusses the challenges of manual review and suggests leveraging machine learning models or implementing automated rules-based systems to reduce false positives and prioritize high-risk ATO cases. The article further explores challenges such as device fingerprint spoofing, account recovery, guest checkout fraud, balancing security with friction, lack of knowledge to improve ATO rules, false positives, and setting key performance indicators for ATO fraud. Behavioural biometrics, device fingerprinting, and effective communication with affected users are key strategies to overcome these challenges.
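The rules-based triage and the performance metrics the summary mentions, as an added example (not code from the article). The event fields, rule weights, thresholds and the five labelled login events are all constructed for illustration; a production system would feed real session, device and label data into the same shape.

```python
"""Rules-based account-takeover (ATO) triage with catch-rate and
false-positive metrics over a constructed set of login events.

Added example, not code from the article. Event fields, rule weights,
thresholds and the labelled logins are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class LoginEvent:
    event_id: str
    user: str
    device_id: str
    country: str
    password_reset: bool = False       # reset requested in this session
    failed_attempts_1h: int = 0        # failed logins on this account, last hour


@dataclass
class UserProfile:
    known_devices: frozenset
    known_countries: frozenset


# (name, weight, predicate). Weights are assumed values, not from the article.
RULES = [
    ("new_device", 30, lambda e, p: e.device_id not in p.known_devices),
    ("new_country", 25, lambda e, p: e.country not in p.known_countries),
    ("password_reset", 25, lambda e, p: e.password_reset),
    ("credential_stuffing", 30, lambda e, p: e.failed_attempts_1h >= 5),
]
REVIEW_THRESHOLD = 40   # queue for manual review
BLOCK_THRESHOLD = 70    # step-up authentication or block automatically


def score_event(event, profile):
    """Apply every rule; return (score, action, names of rules that fired)."""
    fired = [name for name, _, pred in RULES if pred(event, profile)]
    score = sum(w for name, w, _ in RULES if name in fired)
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= REVIEW_THRESHOLD:
        action = "review"
    else:
        action = "allow"
    return score, action, fired


def triage(events, profiles, labels):
    """Score each event and compute the two metrics a fraud team watches:
    catch rate (share of confirmed ATOs flagged) and the false-positive share
    of everything flagged. labels[event_id] is True for confirmed ATO."""
    decisions = {}
    flagged = true_pos = false_pos = 0
    for ev in events:
        decisions[ev.event_id] = score_event(ev, profiles[ev.user])
        if decisions[ev.event_id][1] != "allow":
            flagged += 1
            if labels[ev.event_id]:
                true_pos += 1
            else:
                false_pos += 1
    actual = sum(labels.values())
    metrics = {
        "flagged": flagged,
        "catch_rate": true_pos / actual if actual else 0.0,
        "false_positive_share": false_pos / flagged if flagged else 0.0,
    }
    return decisions, metrics


# Constructed sample: five logins, two of them confirmed takeovers.
PROFILES = {
    "alice": UserProfile(frozenset({"dev-a1"}), frozenset({"GB"})),
    "bob": UserProfile(frozenset({"dev-b1"}), frozenset({"DE"})),
    "carol": UserProfile(frozenset({"dev-c1"}), frozenset({"US"})),
    "dave": UserProfile(frozenset({"dev-d1"}), frozenset({"FR"})),
    "erin": UserProfile(frozenset({"dev-e1"}), frozenset({"ES"})),
}
EVENTS = [
    LoginEvent("e1", "alice", "dev-a1", "GB"),
    LoginEvent("e2", "bob", "dev-x9", "NG", password_reset=True),
    LoginEvent("e3", "carol", "dev-c2", "US"),                      # new phone, legitimate
    LoginEvent("e4", "dave", "dev-z3", "FR", failed_attempts_1h=6),
    LoginEvent("e5", "erin", "dev-e1", "PT", password_reset=True),  # travelling user
]
LABELS = {"e1": False, "e2": True, "e3": False, "e4": True, "e5": False}

if __name__ == "__main__":
    decisions, metrics = triage(EVENTS, PROFILES, LABELS)
    for eid, (score, action, fired) in decisions.items():
        print(eid, score, action, fired)
    print(metrics)
```

On this sample the travelling user (e5) is the one false positive: new country plus a password reset reaches the review threshold, which is exactly the friction-versus-security trade-off the article describes. Tuning that is done by adjusting weights or adding a rule that whitelists a reset confirmed through a known device.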
Read more
SupplyChain Object Deep Dive
The article explores the adoption and compliance of the SupplyChain Object standard four years after its release. The standard, developed by the IAB Tech Lab, aims to enhance transparency in the supply chain and detect fraudulent activities. The article highlights the challenges in validating schains (supply chain objects) and reveals that only a portion of bid requests include schains, with app inventory showing a lower adoption rate. Furthermore, most of the provided schains fail validation, indicating inconsistencies in authorization, transparency, and consistency.
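To make the validation problems concrete, here is an added example (not code from the article or the IAB Tech Lab) that checks a schain object structurally and then cross-checks each node against sellers.json for the authorization and consistency properties the summary names. The sellers.json excerpts and the schain objects are constructed; the field rules follow the SupplyChain 1.0 object (ver, complete, and per-node asi, sid and hp).

```python
"""Validate SupplyChain (schain) objects and cross-check them against sellers.json.

Added example; not code from the article or the IAB Tech Lab. The sellers.json
excerpts and schain objects below are constructed. Field rules follow the
SupplyChain 1.0 object (ver, complete, nodes[].asi / sid / hp).
"""

# Constructed sellers.json excerpts, keyed by advertising system domain (asi):
# seller_id -> seller domain.
SELLERS_JSON = {
    "exchange-a.example": {"1001": "publisher-one.example",
                           "2002": "reseller-x.example"},
    "reseller-x.example": {"77": "publisher-one.example"},
}


def validate_structure(schain):
    """Structural checks; returns a list of problems (empty = well-formed)."""
    problems = []
    if schain.get("ver") != "1.0":
        problems.append("ver must be '1.0'")
    if schain.get("complete") not in (0, 1):
        problems.append("complete must be 0 or 1")
    nodes = schain.get("nodes")
    if not isinstance(nodes, list) or not nodes:
        problems.append("nodes must be a non-empty list")
        return problems
    for i, node in enumerate(nodes):
        for key in ("asi", "sid", "hp"):
            if key not in node:
                problems.append(f"node {i}: missing {key}")
        if len(str(node.get("sid", ""))) > 64:
            problems.append(f"node {i}: sid exceeds 64 characters")
        if node.get("hp") != 1:
            problems.append(f"node {i}: hp must be 1 in version 1.0")
    return problems


def check_chain(schain, publisher_domain, sellers=SELLERS_JSON):
    """Authorization and consistency: every (asi, sid) must be listed in that
    system's sellers.json; node 0 must resolve to the publisher, and node n
    must resolve to the asi of node n-1 (the hop that sold the inventory to it)."""
    problems = []
    nodes = schain.get("nodes", [])
    for i, node in enumerate(nodes):
        asi, sid = node.get("asi"), str(node.get("sid"))
        seller = sellers.get(asi, {}).get(sid)
        if seller is None:
            problems.append(f"node {i}: sid {sid} not listed in {asi} sellers.json")
            continue
        expected = publisher_domain if i == 0 else nodes[i - 1]["asi"]
        if seller != expected:
            problems.append(f"node {i}: {asi} lists sid {sid} as {seller}, expected {expected}")
    return problems


def validate(schain, publisher_domain):
    """Full check: structure first, then the sellers.json cross-check."""
    problems = validate_structure(schain)
    if not problems:
        problems = check_chain(schain, publisher_domain)
    return problems


# Constructed chains as they might arrive in bid requests.
GOOD = {"ver": "1.0", "complete": 1, "nodes": [
    {"asi": "reseller-x.example", "sid": "77", "hp": 1},
    {"asi": "exchange-a.example", "sid": "2002", "hp": 1}]}
# A reseller's seat presented as if the publisher sold directly.
SPOOFED = {"ver": "1.0", "complete": 1, "nodes": [
    {"asi": "exchange-a.example", "sid": "2002", "hp": 1}]}
UNLISTED = {"ver": "1.0", "complete": 1, "nodes": [
    {"asi": "exchange-a.example", "sid": "9999", "hp": 1}]}
MALFORMED = {"ver": "2.0", "complete": 1, "nodes": [
    {"asi": "exchange-a.example", "sid": "1001"}]}

if __name__ == "__main__":
    for name, chain in (("GOOD", GOOD), ("SPOOFED", SPOOFED),
                        ("UNLISTED", UNLISTED), ("MALFORMED", MALFORMED)):
        print(name, validate(chain, "publisher-one.example"))
```

The consistency rule is the part most validators skip: a chain can be perfectly well-formed and every node individually authorized, yet still misrepresent who sold to whom. Comparing what sellers.json says about each seat with the previous hop's asi catches that case.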
Read more
The Privacy Shift and What it Means for Fraud Prevention
The article discusses the evolving digital landscape and its impact on user privacy, particularly fraud prevention. With the decline of third-party cookies and increased crackdown on cross-site tracking, digital marketing will see a shift towards privacy-first innovation. However, the article highlights the emerging concern around IP privacy and its implications for fraud detection and digital security.
Read more
Automating Your Phishing Playbook
The article is the second instalment in a blog series on security automation. It emphasizes the importance of automating the response playbook for phishing attacks. The article provides practical strategies for automating three critical phases: containment, investigation, and remediation. It suggests automated actions for swift response and damage control during the containment phase, automated queries for gaining insight during the investigation phase, and automated actions for recovery and prevention during the remediation phase.
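The three phases as one runnable playbook, added here as an example (not the article's or any vendor's code). The mailbox store, web-proxy log and identity directory are constructed in-memory stand-ins for the mail API, SIEM and identity provider a real playbook would call; the actions are the same ones the summary lists, applied to that data.

```python
"""Automated phishing playbook in three phases: containment, investigation,
remediation, run over constructed data.

Added example, not the article's or any vendor's code. MAILBOXES, PROXY_LOG and
DIRECTORY are constructed stand-ins for the mail API, SIEM and identity provider.
"""
import copy
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed data: three mailboxes, a proxy log and an identity directory.
MAILBOXES = {
    "alice": [
        {"id": "m1", "from": "billing@invoice-update.example",
         "body": "Overdue invoice, pay at https://invoice-update.example/pay"},
        {"id": "m2", "from": "hr@corp.example", "body": "Benefits enrolment opens Monday"},
    ],
    "bob": [{"id": "m3", "from": "accounts@invoice-update.example",
             "body": "Reminder: https://invoice-update.example/pay?u=bob"}],
    "carol": [{"id": "m4", "from": "news@vendor.example",
               "body": "https://vendor.example/newsletter"}],
}
PROXY_LOG = [
    {"user": "alice", "url": "https://invoice-update.example/pay"},
    {"user": "carol", "url": "https://vendor.example/newsletter"},
    {"user": "bob", "url": "https://intranet.corp.example/"},
]
DIRECTORY = {u: {"active_sessions": 2, "must_reset_password": False}
             for u in ("alice", "bob", "carol")}


def extract_indicators(reported):
    """Pull sender and URL/domain indicators from the reported message."""
    urls = URL_RE.findall(reported["body"])
    domains = sorted({urlparse(u).hostname for u in urls})
    return {"sender": reported["from"], "urls": urls, "domains": domains}


def contain(indicators, mailboxes):
    """Phase 1: quarantine every copy of the campaign across all mailboxes
    (same sender, or any link pointing at the phishing domains)."""
    quarantined = []
    for user, msgs in mailboxes.items():
        keep = []
        for m in msgs:
            links = {urlparse(u).hostname for u in URL_RE.findall(m["body"])}
            if m["from"] == indicators["sender"] or links & set(indicators["domains"]):
                quarantined.append((user, m["id"]))
            else:
                keep.append(m)
        mailboxes[user] = keep
    return quarantined


def investigate(indicators, proxy_log):
    """Phase 2: query the proxy log for users who actually visited the domains."""
    return sorted({e["user"] for e in proxy_log
                   if urlparse(e["url"]).hostname in indicators["domains"]})


def remediate(clicked, indicators, directory, blocklist):
    """Phase 3: revoke sessions and force resets for clickers; block the domains."""
    for user in clicked:
        directory[user]["active_sessions"] = 0
        directory[user]["must_reset_password"] = True
    blocklist.update(indicators["domains"])
    return directory, blocklist


def run_playbook(reported, mailboxes, proxy_log, directory):
    """Chain the three phases for one reported message and return the outcome."""
    indicators = extract_indicators(reported)
    quarantined = contain(indicators, mailboxes)
    clicked = investigate(indicators, proxy_log)
    directory, blocklist = remediate(clicked, indicators, directory, set())
    return {"indicators": indicators, "quarantined": quarantined,
            "clicked": clicked, "directory": directory, "blocklist": blocklist}


def demo():
    """Alice reports m1; run the playbook on copies of the constructed stores."""
    return run_playbook(MAILBOXES["alice"][0], copy.deepcopy(MAILBOXES),
                        PROXY_LOG, copy.deepcopy(DIRECTORY))


if __name__ == "__main__":
    print(demo())
```

Note that bob's copy used a different sender address; matching on the link domain as well as the sender is what lets containment catch it. Investigation keys off the proxy log rather than the mailbox, so only the user who actually visited the page gets the heavier remediation.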
Read more
Detecting and Stopping Malicious Traffic
The article emphasizes detecting and stopping malicious traffic as a crucial aspect of security operations. It discusses the growth of cybercrime-as-a-service and the need to track threat actors, their infrastructure, and their offerings to identify likely malicious traffic. The article highlights various methods used to detect and investigate threats, including network detection and response, endpoint detection and response, and security information and event management.
Read more
Fraud Tools
BADBOX, PEACHPIT, and the Fraudulent Device in Your Delivery Box
BADBOX sold off-brand mobile and Connected TV devices preloaded with malware called Triada, which, after being turned on or plugged in, were remotely installed with several fraudulent modules, including the PEACHPIT ad fraud module. The article explains how the botnet used these infected devices to perpetrate ad fraud, make money from fake ad impressions, and drain device batteries.
Read more
Phishing Emails Abusing QR Codes Surge
The article discusses the surge in phishing emails that are abusing QR codes as a technique. This increase in attacks using QR codes as a method is driven by cybercriminals' desire to improve their return on investment. QR codes offer advantages to attackers as they add an extra layer of abstraction, making it harder for security software to detect malicious links.
Read more
How BPF-Enabled Malware Works. Bracing for Emerging Threats.
BPF is a technology that allows programs to execute code in the kernel of modern operating systems for network packet filtering and more general purposes. Because BPF can support rootkits and other types of malware, it is seen as a new threat vector that needs to be addressed by security measures. Cybercriminals have already started using BPF as an attack vector, and several groups have been targeting specific industries with BPF-enabled malware.
Read more
Vulnerability recognition
Mining Through Mountains of Information and Risk: Containers and Exposed Container Registries
The authors highlight the role of APIs in pulling container images from registries and discuss their findings from investigating open registries. They discovered a significant amount of data stored in these registries, including multiple versions of the same image and sensitive information such as authentication credentials and keys.
Read more
Critical Confluence Vulnerability – CVE-2023-22518
The article discusses a critical vulnerability, CVE-2023-22518, discovered in Atlassian's Confluence Data Center and Confluence Server software. This vulnerability, rated with a severity score of 9.1, can potentially lead to substantial data loss if exploited. The article highlights the widespread adoption of Confluence in various industries and the risk it poses. While no real-world attacks have been observed yet, indications of forthcoming proof-of-concept (PoC) exploits have been detected.
Read more
The Discovery of F5 BIG-IP Vulnerability CVE-2023-46747
A critical vulnerability, CVE-2023-46747, has been discovered in the widely used F5 BIG-IP Configuration Utility. This vulnerability allows unauthenticated attackers to execute arbitrary commands, potentially compromising the system. F5 has released security patches to address the issue. Organisations that have not applied the patches and have left the Traffic Management User Interface (TMUI) exposed to the internet are at risk.
Read more
Q3 Reports
External Threat Intelligence Service Providers, Q3 2023
The Forrester Wave™ report on External Threat Intelligence Services evaluates the offerings, strategies, and market presence of 12 significant service providers in this field. Recorded Future has been named as a Leader in the report, with their Intelligence Cloud platform being highlighted as best suited for customers who need comprehensive threat intelligence in an intuitive and user-friendly platform.
Top Cyber-Threat Techniques in Q3 2023: What We’re Seeing
The article highlights the prevalence of spearphishing and malware as the most commonly observed attack methods, accounting for almost 65% of all true-positive incidents in Q3 2023. As well as providing context around the significance of these threats, the article offers practical steps organisations can take to reduce their risk of falling victim to cyber-attacks.
Read more
If you are interested in first-hand and real-time Darknet insights to help you spot if you are on a fraudster’s radar, go to nethone.com