Data Dive, Criminality Edition: Fingerprints And Wire Fraud And Money Laundering (Oh My!)

Data Dive: Fraud And Financial Crime Edition

Not every innovation is a good innovation. Some, like the pet rock, are merely fads. Others, like the iPhone, are change-the-world impactful. Then there are others that are clever but ill-applied – as in malicious and destructive.

We saw a bunch of that last week.

Fingerprints for Sale 

The problem with a password, everyone knows, is that it can be stolen and used by anyone. That’s not the case with a fingerprint. Even if a criminal were to take a finger, it wouldn’t work, since most fingerprint ID scanners also scan for a pulse.

Security solved.

Or not.

As it turns out, security researchers at Kaspersky Lab have found a darknet marketplace in which hackers are selling digital fingerprints.

According to Kaspersky, criminals are selling the digital fingerprints of more than 60,000 individuals on a marketplace called Genesis.

The site first emerged in fall of last year, when the creators started advertising it on forums where hackers sell stolen payment card details. The site offers up a rich trove of information on consumers, including their fingerprints. The marketplace operators sell the data to cybercriminals who use it for identity theft, online fraud and other crimes – and the data is worth anywhere from $5 to $200.

Using the data, however, is a bit complex for thieves, as it is only possible via a Chrome extension created by the Genesis market makers. The extension is free and allows users to import the data they bought from Genesis. The buyer’s browser then becomes almost an identical clone of the user’s actual browser. The Genesis site also offers guidance to banking and payment systems sites (283 of them) and claims to provide insight into the exact tracking detection systems the stolen fingerprints have to get through.

Phishing for Paychecks

HR departments need to be on the alert for a new type of phishing scam that asks for reroutes on direct deposit accounts, CNBC reported. The goal? To move employee paychecks directly into a criminal’s account.

The scam has already been effective against KVC Health Systems, which reports the fraudulent emails look legitimate and appear to come directly from the firm’s CEO.

“They might just say, ‘I need to update my direct deposit information,’” Erik Nyberg, director of information technology at KVC, told CNBC. “Or they start with, ‘Hey, do you have a second?’ and if that target person responds, then they go from there.”

Unlike the normal spam mail, these notes aren’t full of misspellings and bad grammar. They tend to be cordial and short, like any other business email. Additionally, according to reports, scammers will say things that portray urgency but also dissuade communication, such as “I’m going into a meeting, I can’t talk.”

Last year, the Internal Revenue Service warned that scams like this were on the rise. The fraud is fairly easy to pull off because it bypasses many existing controls for capturing it. Also, because the amount of money stolen is relatively small, companies might just attribute it to the cost of doing business.

Most companies “have put processes in place to validate big wire transfers, so now [criminals] want to stay under the radar. It’s a new approach, and every day we have more customers reporting it,” noted Adrien Gendre, chief solutions architect with email security company Vade Secure.

The best way to fight it, KVC’s Nyberg said, is by training. “The CEO is never going to email you out of the blue and ask you for any deposit changes. And if you have any sliver of a doubt, call the person who is making the request.”
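The cues described in this section (a message that appears to come from the CEO, a direct deposit request, a casual opener, and wording that discourages a call) can be checked mechanically before a payroll change is processed. The Python below is an added example, not code from the article or from any company named in it; the company domain, executive name and phrase lists are assumptions, and both messages are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): company domain and executive names.
COMPANY_DOMAIN = "example.org"
EXECUTIVES = {"jordan avery"}
# Phrase groups modelled on the wording quoted in the article.
CUES = {
    "payroll_change_request": re.compile(r"direct deposit|payroll|bank account", re.I),
    "conversation_opener": re.compile(r"do you have a (second|minute|moment)", re.I),
    "discourages_callback": re.compile(r"going into a meeting|can.?t talk", re.I),
}
# Constructed sample messages, not real mail.
SUSPECT = """From: Jordan Avery <j.avery.ceo@mailbox.example.net>
To: hr@example.org
Subject: Quick request

Do you have a second? I need to update my direct deposit information
before the next pay run. I'm going into a meeting, I can't talk.
"""
BENIGN = """From: Jordan Avery <jordan.avery@example.org>
To: hr@example.org
Subject: Payroll calendar

The direct deposit schedule for next quarter is attached.
"""

def body_text(msg):
    """Plain-text body of a single-part or multipart message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)

def payroll_diversion_signals(raw):
    """List the payroll-diversion indicators present in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    signals = [label for label, rx in CUES.items() if rx.search(text)]
    # An executive's display name on an outside address is the core of the lure.
    if name.strip().lower() in EXECUTIVES and not addr.lower().endswith("@" + COMPANY_DOMAIN):
        signals.insert(0, "exec_name_external_sender")
    return signals

def needs_hold(raw):
    """Hold for a phone check: impersonation plus at least one content cue."""
    s = payroll_diversion_signals(raw)
    return "exec_name_external_sender" in s and len(s) >= 2
```

A message that forges the company's own address in the From header passes the sender check here and has to be caught by SPF, DKIM and DMARC enforcement instead.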

Crime and Punishment: Money Laundering

If there’s an upside to the crime-heavy news week, it’s that at least some of the headlines were about people actually getting busted for their illegal activities.

Last week, a federal jury convicted two Romanian cybercriminals of infecting computers with malware in order to steal credit card details and other information. That data was sold for millions on the dark web, according to a Department of Justice announcement by Assistant Attorney General Brian A. Benczkowski of the Justice Department’s criminal division and U.S. Attorney Justin E. Herdman of the Northern District of Ohio.

According to court documents, the pair, along with an unnamed co-conspirator, in 2007 began using malware to steal email addresses from 400,000 computers, mainly located in the U.S. The defendants were then able to take personal information, such as credit card details, user names and passwords, as well as mine cryptocurrency.

The scammers were enterprising and surprisingly Silicon Valley-like, in that most of the funds they stole were re-invested directly back into their business. Unfortunately, that business was crime, and the funds were invested in renting server space, registering domain names and paying for virtual private networks (VPNs).

“The defendants also used stolen email credentials to copy a victim’s email contacts. They also activated files that forced infected computers to register email accounts with AOL,” the announcement explained. “The defendants registered more than 100,000 email accounts using this method. They then sent malicious emails from these addresses to the compromised contact lists. Through this method, they sent tens of millions of malicious emails.”

Bogdan Nicolescu and Radu Miclaus were convicted of conspiracy to commit wire fraud, conspiracy to traffic in counterfeit service marks, aggravated identity theft, conspiracy to commit money laundering and 12 counts each of wire fraud. They are both scheduled to be sentenced on August 14.

So, what did we learn this week? Crime pays, no matter what you’ve been told – until it doesn’t. And we’re getting better at catching the bad guys, or spoiling their plans. Just ask the ones who are spending the next decade behind bars.

See you next Monday.