The Green Sheet Online Edition
June 25, 2012 • Issue 12:06:02
Combating faceless fraud
Recently, a variation on an old type of fraud surfaced: a social engineering scheme. This type of fraud can be described as the art of manipulating people into performing actions or divulging confidential information. And one such scheme recently exposed 500,000 credit card numbers.
Social engineering techniques
Social engineering schemes rely on a handful of recurring techniques, including pretexting, phishing and diversion, which are defined below:
- Pretexting is the act of creating a false scenario to engage a targeted victim and increase the chance that the victim will divulge information or perform actions that would normally not take place. This technique is mostly used to fool businesses into disclosing customer information.
- Phishing is done through emails that appear to come from a legitimate business, bank or credit card company. These emails typically request verification of information and always contain links to fraudulent web pages requesting more confidential information.
- Diversion is a type of "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the people responsible for legitimate delivery that the consignment is requested elsewhere than initially indicated.
A case in point
WHMCS is an all-in-one client management, billing and support solution for online businesses that was recently hit with a social engineering scheme. According to The Register, a U.K.-based technology news and opinion website, 500,000 credit cards were compromised as a result. Experts believe the incident highlights the persistent security risks third parties pose when it comes to protecting cardholder data.
A group called UGNazi claimed responsibility for this attack and the temporary takedown of WHMCS. UGNazi fooled customer service representatives at HostGator, WHMCS' web hosting firm, into handing over the administrative credentials for WHMCS' servers. Once the attackers had access to the servers, they copied the company's billing database and left WHMCS' services unavailable. UGNazi also temporarily took over the WHMCS Twitter account.
This was a clever third-party hack. It targeted WHMCS' hosting provider rather than WHMCS itself because a support technician is unlikely to recognize a customer by email or over the telephone, and a password change is one of the most common requests such technicians handle.
WHMCS followed up this incident with a May 23, 2012, post on its blog. Matt Pugh, the founder and lead software developer of WHMCS, wrote, "The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.
"This means that there was no actual hacking of our server. They were ultimately given the access details. This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software."
Once access was gained, the company's main server was hit by a distributed denial of service (DDoS) attack. A DDoS attack is an attempt to make a machine or network unavailable to its users by saturating the target machine with external communication requests. The attack rendered WHMCS temporarily unable to deliver its web hosting control panel and client management, billing and support services to its customers.
"Further investigations have shown that the social engineering attack did not involve the compromising of any email account," Pugh added. "This was only done after access to the server had been gained. ... We've been working very hard with our web hosting provider to restore and secure services. The DDoS mitigation continues to be ongoing, and we are doing everything we can to limit the impact of this."
The role of payment pros
What can you, as payment professionals, do to help prevent this from happening to you and your merchants? Educate. As simple as it sounds, it really is the truth. There are organizations whose goal is to educate the end user and reduce fraud. One such company is Florida-based KnowBe4, an Internet security awareness training provider. Among other fraud prevention efforts, KnowBe4 strives to enable businesses to quickly solve the urgent security problem of social engineering.
Japan's Consumer Credit Association recently released information stating that the country's online credit card fraud increased to 5.2 billion yen ($65 million) in 2011, up from 2 billion yen ($25 million) in 2010. Japan's CCA put out a warning stating that a credit card number and its expiration date are not enough to obstruct fraud on the Internet, and that online merchants need to change their verification guidelines in order to reduce the rate of crime.
Online fraud is faceless and occurs worldwide every second of every day. Fraudsters and hacktivists will find new ways to infiltrate systems. Advanced solutions and training are needed to protect ISOs, merchant level salespeople (MLSs), and merchants from this constantly evolving threat.
Services to provide
What can payment professionals provide to assist merchants with bolstering system security? Keep it simple. Help merchants set up their fraud monitoring systems. Small or large, all merchants should use some type of fraud scrubbing software. Monitoring should include the following:
- Customizable filters: Set these filters based on the merchant's processing trends.
- Pending reviews: Review and decline transactions prior to authorization if a transaction is flagged.
- Email notifications: Receive emails each time a transaction triggers an alert based on preset filters.
- Controlled responses: Set customer responses or create your own response for transactions that have been triggered and are awaiting review.
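The four monitoring features above, as an added illustration written for this article (not code from NMI or any gateway product): a small pre-authorization fraud-scrubbing engine with merchant-tunable filters, a pending-review decision, an alert record standing in for the email notification, and canned customer responses. The thresholds, field names and sample transactions are constructed for the example.

```python
"""Minimal fraud-scrub rule engine: customizable filters, pending review before
authorization, alert records (email stand-ins) and controlled customer responses.
Constructed illustration only; thresholds below are placeholders a merchant would tune."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Transaction:
    txn_id: str
    card_last4: str
    amount: float
    ip_country: str   # country of the shopper's IP address
    bin_country: str  # issuing country from the card's BIN


@dataclass
class FraudScrubber:
    # Customizable filters: set per the merchant's processing trends (constructed defaults)
    max_amount: float = 500.0
    max_attempts_per_card: int = 3
    review_on_country_mismatch: bool = True
    # Controlled responses: canned text shown while a transaction is held or declined
    responses: dict = field(default_factory=lambda: {
        "review": "Your order is being reviewed; we will email you shortly.",
        "decline": "We were unable to process this transaction."})
    _attempts: dict = field(default_factory=lambda: defaultdict(int), init=False)
    alerts: list = field(default_factory=list, init=False)

    def screen(self, txn: Transaction) -> dict:
        """Run every filter BEFORE authorization; return decision, reasons and response."""
        self._attempts[txn.card_last4] += 1
        reasons = []
        if txn.amount > self.max_amount:
            reasons.append(f"amount {txn.amount:.2f} exceeds {self.max_amount:.2f}")
        if self._attempts[txn.card_last4] > self.max_attempts_per_card:
            reasons.append("card velocity exceeded")
        if self.review_on_country_mismatch and txn.ip_country != txn.bin_country:
            reasons.append(f"IP country {txn.ip_country} != BIN country {txn.bin_country}")
        # Pending review: velocity abuse is declined outright, any other hit is held
        if "card velocity exceeded" in reasons:
            decision = "decline"
        elif reasons:
            decision = "review"
        else:
            decision = "approve"
        if decision != "approve":
            # Email notification stand-in: one alert record per triggered transaction
            self.alerts.append({"txn_id": txn.txn_id, "decision": decision, "reasons": reasons})
        return {"decision": decision, "reasons": reasons,
                "customer_response": self.responses.get(decision, "")}
```

In a real gateway the `alerts` list would be wired to the merchant's notification channel and the `review` queue surfaced in the gateway console for a human decision.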
Providing assistance of this kind will help ensure that your merchant customers' systems are safe from intrusion while also adding tremendous value to your services as an ISO or MLS.
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.