Criminal efficiencies: Fraud-as-a-Service
Software-as-a-service (SaaS) has grown in popularity as a way to minimize complexity and maximize efficiencies. Why host your own software when that means you will have to maintain it and buy hardware for it? The growing trend is that companies are willing to host their software for you. Companies are seeing that the economies around this make a lot of sense.
As I’ve said before, internet fraud seems to be run very much like a legitimate business would be run. The bad actors try to optimize return on investment (ROI) and conversion rates in the same way legitimate businesses try to optimize them. For example, just like an e-commerce company will attempt to tweak the text, images, etc. in an email to be sure that it is not caught by spam filters and customers open it, bad actors do exactly the same things with their phishing or 419 scam emails. Just like a legitimate business, the bad actors want their emails to avoid spam filters and they want their potential “customers” to be intrigued enough to both open and respond to the email.
Phil Muncaster posted an article about how the bad actors are starting to take advantage of the same philosophies behind SaaS. Phil calls this “Fraud-as-a-service” (FaaS?) and I see this as a continuation of how the bad actors mirror legitimate businesses in perpetrating their fraud. The bad actors want to make their money as efficiently and economically as possible. To do this, they have imitated the way legitimate businesses are optimizing their operations.
The examples I’ve seen of FaaS include where one bad actor will host a phish site for another bad actor, for a fee. The data collected is sent to the “customer” (and likely kept by the service as well). I’ve also seen cases where one group would collect passwords for a site and determine which are the most valuable. The less valuable userID/password pairs would be sold to other groups.
All of this is just a way to make the business of fraud more efficient. I’m sure there are other examples of bad actor efficiency. If you have some, let me know.
About
Silver Tail is leading the fight against business logic abuse with 3rd generation fraud prevention.
Hackers are no longer high school kids trying to one-up their friends or criminals trying to just break-in to sites. Instead, today’s sophisticated hacker is organized crime, strategically targeting websites, stealing billions of dollars from companies and their customers. Vendors providing web application security and intrusion prevention have forced hackers to become much more innovative in their means of attacking websites. These hackers now target the legitimate business logic of websites to perpetrate their fraud, including hijack threats, velocity attacks and gaming schemes. Silver Tail is using the deep domain expertise of its team to provide software that combat business logic abuse in real-time.
Silver Tail was founded by a team of fraud prevention experts who built anti-fraud and anti-phishing tools at eBay and PayPal. Through their experience and proprietary algorithms, they have built a system that is scalable, minimizes false positive rates, and is extremely flexible to adapt to changing attack vectors.
Feedburner
RSS Feed
-
Archives
- December 2009 (5)
- November 2009 (7)
- October 2009 (8)
- September 2009 (7)
- August 2009 (8)
- July 2009 (7)
- June 2009 (6)
- May 2009 (6)
- April 2009 (14)
- March 2009 (8)
- February 2009 (5)
- January 2009 (8)
-
Categories
- behavior analysis
- business logic abuse
- Business Logic Flaw
- Business Process Abuse
- Compliance
- Cost of fraud
- Data Loss
- Detection
- education
- Fraud
- Gaming
- General
- information security
- Investigation
- Man-in-the-Browser
- Online Fraud
- Payment
- Phishing
- Prevention
- risk management
- Social engineering
- Social Networks
- Trust
- Uncategorized
- web logic abuse
- Zeus
-
RSS
Entries RSS
Comments RSS
