Fraud is only one of several online threats sharing digital dark space with a diverse range of harms – from terrorist propaganda and human trafficking to election interference, and of course, hacking.
For many years, fraud has been seen as the less urgent of those harms. Consequently, it has flourished, with the UK’s Public Accounts Committee reporting that fraud now accounts for 41% of all crimes committed in England and Wales. That same report also featured a Home Office estimate which puts the cost of fraud against individuals at £4.7 billion.
While a significant amount, it is likely to be an underestimate with a recent Global Anti-Scam Alliance (GASA) survey, conducted in association with Cifas, arriving at a figure of £7.5 billion. And that is only in the UK.
Now apply that to the more than 190 other nations around the world, and you begin to see the potential size of this global “scampocalypse.” Despite intense efforts on the part of the financial services industry to curb the fraud epidemic, the forecast is not improving, and a new approach is needed.
Enter kill chains.
What Are Kill Chains?
Kill chains are nothing new, having been adopted widely by those who seek to tackle a multitude of online threats. The online operations kill chain, proposed by Ben Nimmo and Eric Hutchins, is designed to address two key gaps in other frameworks by providing an analytical framework that offers a common taxonomy and vocabulary and avoiding the pitfalls associated with approaches that focus on a single threat activity.
Using the Online Operations Kill Chain to Tackle Fraud
Financial institutions recognise that much of their fraud risk doesn’t start in the online spaces they directly control. Adopting a kill chain approach to manage fraud reinforces that reality by providing a common means by which the entire online ecosystem can analyse, describe, compare, and collaborate to disrupt fraud threats.
The online operations kill chain starts with a single premise – an online operation must be able to get online. Focusing on the commonalities between different online threats provides a starting point that works regardless of whether the threat actor is seeking to defraud an individual or distort an election.
Nimmo and Hutchins’ model divides an online operation into ten distinct phases. For the sake of argument, let us test this approach by aligning it to a familiar fraud type: Remote Access Tool (RAT) attacks.
Imagine that you’re working in a cyber fraud fusion centre of a bank and want to alert colleagues and partners to the tactics, techniques, and procedures (TTPs) used by RAT attackers using the ten phases of the online operations kill chain. Here is an example of what it might look like.
Phase One: Acquiring Assets, anything the threat actor controls
- Office Space
- High-speed Internet
- Hardware & Software
- Remote Access Software Licenses
- Telephony services
Phase Two: Disguising Assets
- Mixing of legitimate and illegitimate business through multiple shifts
- Bribery of local officials
Phase Three: Gathering Information
- Sucker lists comprised of prior victims of tech support fraud
Phase Four: Coordinating and Planning
- Crime as a Service (CaaS), money laundering, cloud-based call centres, hijacked remote access licenses
Phase Five: Testing Defences
- In-country origination for calls, avoiding the active blocking done by telcos
- Identifying how many calls they can make before being blocked
Phase Six: Evading Detection
- Relying on the reputation of the customer's device
- Limiting control of the device once the banking session is active
Phase Seven: Indiscriminate Engagement
- Using fake support accounts on X (Twitter) to create an inbound flow of calls
Phase Eight: Targeted Engagement
- Using Search Engine Optimisation (SEO) to trap customers who are looking for computer support.
- Taking over legitimate advertisers' accounts to place targeted ads
Phase Nine: Compromising Assets
- Socially engineering customers to onboard with crypto exchanges, enabling payments to be represented as going to the customer's account
- Locking the customer out of those crypto accounts using hijacked two-factor authentication
Phase Ten: Enabling Longevity
- Continually changing the numbers they call from and receive calls on
- Evading device blocking by rebuilding machines and using new RAT accounts
Breaking the Kill Chain
Whilst I’ve chosen to represent this summary as the work of a single person, having a unified taxonomy enables different teams to describe the operations they have uncovered and allows collaboration within and across organisations and industries without the sharing of personal data.
Crucially, it also provides a basis on which collaborating partners can identify ways of breaking the chain. For instance, phase five identifies the need to originate calls “in-country”, providing scope for telco partners to identify how this is being done and work together to counter the actions of bad actors within their industry. Another example is phase six, which suggests that the threat actors are aware of attempts to detect them. Here, fraud prevention vendors could partner with providers of remote access software to confirm the session status of a client associated with a specific IP address, improving detection of remote access scams.
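The phase-six check described above, as an added example that is not part of the original article or any remote-access vendor's product: a bank login is flagged when the same client IP had a remote-access session active at the time, or one that ended shortly before (the "limit control once the banking session is active" behaviour). The record formats and the sample data are constructed assumptions.

```python
"""Correlate bank logins with remote-access (RA) provider session records.
Added example; record formats are assumed, not any vendor's API, and the
data below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed RA provider records: public IP of the controlled client and
# the session's start/end timestamps (ISO 8601).
RA_SESSIONS = [
    {"ip": "203.0.113.10", "start": "2024-05-01T09:00:00", "end": "2024-05-01T09:45:00"},
    {"ip": "198.51.100.7", "start": "2024-05-01T11:00:00", "end": "2024-05-01T11:05:00"},
]

# Constructed bank login events.
BANK_LOGINS = [
    {"session_id": "b1", "ip": "203.0.113.10", "at": "2024-05-01T09:10:00"},  # during RA session
    {"session_id": "b2", "ip": "198.51.100.7", "at": "2024-05-01T12:00:00"},  # RA ended 55 min earlier
    {"session_id": "b3", "ip": "192.0.2.5", "at": "2024-05-01T09:10:00"},     # no RA session at all
]


def _ts(value):
    return datetime.fromisoformat(value)


def flag_remote_controlled_logins(logins, ra_sessions, grace=timedelta(minutes=10)):
    """Return session_ids of logins that happened while an RA session to the
    same IP was active, or within `grace` after it ended (the actor may hand
    control back to the customer just before the banking session starts).
    Treat hits as a risk signal, not a block: shared IPs (CGNAT, corporate
    egress) can match a legitimate customer with an unrelated RA session."""
    windows = {}
    for s in ra_sessions:
        windows.setdefault(s["ip"], []).append((_ts(s["start"]), _ts(s["end"]) + grace))
    flagged = []
    for login in logins:
        t = _ts(login["at"])
        if any(start <= t <= end for start, end in windows.get(login["ip"], [])):
            flagged.append(login["session_id"])
    return flagged


if __name__ == "__main__":
    print(flag_remote_controlled_logins(BANK_LOGINS, RA_SESSIONS))
```

Widening `grace` trades missed hand-backs for more false positives from shared IPs, so the window is a tuning decision for the fusion centre rather than a fixed value.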
These are only two examples of an endless world of possibilities that could really move the needle in the fight against fraud, which brings me to my key point. A common approach to describing a problem is a great starting point, but it only becomes effective when observations turn into action.