Episode 2: Facing Account Take Over Fraud

Episode Description

The second episode of Digital Tells: A BioCatch Podcast looks at how sophisticated cybercrime networks perpetrate mass account takeover fraud. Former U.S. federal prosecutor and consumer identity expert Tom O’Malley shares an overview of the GozNym cybercrime network, from which three members were prosecuted in 2019. We also talk with Jonathan Barnes, a retired attorney who discovered while on vacation that his personal bank account was being drained by cybercriminals. Finally, we speak with Tim Dalgleish and Ayelet Biger-Levin, both of BioCatch, to discuss the tactics of cybercriminals and the ‘Digital Tells’ that may help to identify account takeover fraud.

Tom O’Malley founded a website, FrozenPII.org, which helps consumers protect their identity. Check it out!

The concept of technology that can use the ‘Digital Tells’ of online behavior (mouse movements, typing habits, etc.) to validate users or determine fraudulent intent may seem like the stuff of science fiction. In fact, it initially did to some of the leaders of BioCatch. But today, it’s real, preventing over 6 million fraud incidents per year and protecting hundreds of millions of people.


Peter Beardmore

Cybercriminal – if you drew a picture in your mind of a cybercriminal – what would it look like? A highly skilled knowledge worker, probably working from home, but networked and highly organized? Or a pimply-faced kid in a hoodie, working from their parents’ basement?

It turns out that today – the cybercriminals we need to worry most about are no longer kids in hoodies. Today's cybercriminals are professional, organized, and effective.

Tom O’Malley is a recently retired federal prosecutor. He worked in financial and online crimes during his 30-year career with the US Department of Justice. We’ve been chatting about financial crime, and the international crime syndicates that victimize people of all ages and businesses alike. In 2020 alone there were over 790K complaints of suspected internet crime reported to the FBI’s Internet Crime Complaint Center, with losses exceeding $4.2B.

Tom is telling me about the GozNym case, an account takeover story that made headlines in 2019. Here’s Tom.

Tom O'Malley 

On December 16th, 2019, Krasimir Nikolov, 47, of Bulgaria, was sentenced to 39 months in prison following his conviction on charges of criminal conspiracy, computer fraud and bank fraud for his role as a member of the GozNym malware cybercrime network.

I think they identified approximately $100 million was the loss figure, and the victims were often small businesses and small merchants. 


Peter Beardmore

Losses in the hundreds of millions of dollars in cases like these are not unusual. What is unusual is that some of these people were actually indicted, prosecuted, and brought to justice. That guy, Krasimir Nikolov, was arrested in Bulgaria and extradited to the Western District of Pennsylvania in the U.S.

Why is it unusual? Well, these complex networks are recruited through the dark web. Members are frequently geographically dispersed and reside in countries without extradition authority. In the GozNym case, the conspirators were located in various countries around the world including, but not limited to, Russia, Georgia, Ukraine, Bulgaria and Kazakhstan. And these members are experts in their individual fields… fields with high degrees of specialization… all crucial for campaigns devised with sophistication and scale. Here’s Tom O’Malley again.

Tom O'Malley 

In the case of GozNym, they basically created malware and they had a group of people. The malware developers, and their role in the conspiracy was to create, develop, manage and lease out malware. Then you had the crypters, and their job in the conspiracy was to encrypt malware in a way to avoid detection systems by banks and victims. And it included ways to defeat antivirus tools. And so this is mostly on the victims’ computers, that being somebody in a business. And then you had another group in the conspiracy. These are the spammers, and it was the spammers’ job in the conspiracy to mass distribute the malware through phishing emails. And people may be familiar with the phishing emails where, you know, you’re enticed to think it’s one thing and you click on something thinking it’s something legitimate. And what it does is it downloads malware on your computer and you’ve got no idea. And the other part, an essential part of this type of conspiracy, is a group of conspirators known as the bulletproof hosters, and they host the malware campaigns on a very intricate network of servers. And it’s designed to thwart detection by law enforcement and cybersecurity researchers and enables the malware-related criminal activity to continue without disruption. Then you’ve got the two final important parts, and that is the cashers or account takeover specialists, and it was the conspirators’ role for those people to use the victims’ stolen login credentials, in this case, as we mentioned, obtained through the GozNym malware infections, to access the victims’ online bank accounts and steal or attempt to steal the victims’ funds through a lot of talk track funds transfer. And then finally, and this is the most important part of any crime, right? It’s payday. It’s cash out. It’s money laundering. So it was the job of the cash-out people. They are also sometimes called the drop masters.
Their role in the conspiracy was to support the account takeover specialists and cashers, and to provide those members of the conspiracy who had access to the bank accounts the means to receive the stolen funds in the form of electronic funds transfers from the victim’s online bank account to another bank account, often through the use of money mules, and to open up accounts through the money mules for the purpose of withdrawing the funds, transferring funds and getting those funds outside to banks.

Peter Beardmore

So, where the GozNym group went wrong was that several members were operating in countries with cooperative law enforcement agencies, such as Ukraine and Bulgaria. But the blueprint they used, that Tom just described, is textbook cybercrime syndicate. Malware developers, crypters, spammers, bulletproof hosters, account takeover specialists, mules… all experts, anonymous, and usually beyond the reach of law enforcement… all of them focused on stealing account credentials… stealthily gaining access to bank accounts… transferring money out into a network of accounts they control… and then cashing out. They are precise in their execution and extremely organized.

Now, imagine finding yourself on the losing side of a sophisticated theft like this.

When my producer Doug and I started working on this episode, he mentioned to me that a couple of years ago, while vacationing on Block Island with another couple, his friend Jon Barnes was hit with a serious account takeover. I asked to speak with Jon – who, by the way, is also an attorney.

Here’s Jon Barnes:

Jonathan Barnes

So this was back in 2018. And we had gone to Block Island. My mom had passed away in 2013, and I had inherited a fairly small beneficial IRA from her, which I had to withdraw from the account by that particular date. So just before we headed to Block Island, I withdrew the beneficial IRA, which was somewhere in the vicinity of $20,000, and I just quickly dumped it in my checking account. So we headed off to Block Island, and then somewhere in the middle of the trip, three or four days into Block Island, my wife Anna mentioned to me that she saw an email. We have an overdraft protection built in which will kick in if the checking account is overdrawn. They sent us an email indicating that it was, in fact, overdrawn. Not sure that they indicated how much, but that was a surprise since we were on an island 12 miles off the coast of Rhode Island and hadn’t accessed the account since long before. And I immediately called the 1-800 number, and found out that, yes, in fact, the overdraft protection had been utilized because somebody unknown, through the Internet, had been slowly and steadily withdrawing the $20,000. So the overdraft protection kicked in. I immediately froze that account.

Peter Beardmore

And so what did you do? What were your next… And you were on vacation as this was happening.

Jonathan Barnes

Right? Yeah, we were in the house on Block Island, which doesn’t have… It does have an ATM and a bank, but it doesn’t have my bank. So, yeah, I was freaked out about it. Both of us were freaked out about it because I knew I had just put this 20-some-odd thousand dollars into the account. And I realized that I was now out twenty-seven thousand dollars. So I freaked out, quite frankly.

Peter Beardmore

Jon went on to share a subsequent conversation he had a week or two later with his branch manager, who, having initiated an investigation and reimbursed his losses, explained what had happened. He learned that in the days prior to that overdraft notice kicking in, the criminals logged in a few times just to check things out, then a week or two later began making daily transfers of just under $5K, apparently in an attempt to stay below the radar.

So, what are law-abiding account holders, ordinary folks like you and me, businesses, or even our financial institutions to do to have a fighting chance against this menacing threat?

In this episode of Digital Tells, sponsored by BioCatch, we’re talking about account takeover fraud, and how behavioral biometrics can help root out fraudsters.

Now there are certainly conditions in every online banking session that financial institutions can monitor. Let’s take, for example, a typical login with a username and password. Banks may be monitoring to see if the login is coming from the same machine and IP address… but with malware and other ingenious methods, it could still be a cybercriminal in disguise. The bank might add some friction, such as sending an SMS code to the user’s cell phone… again, there are techniques to overcome that bit of friction too.

Tim Dalgleish is a global advisory leader at BioCatch… he leads the team of data scientists and engineers who help financial institutions implement behavioral biometrics. Here’s Tim.

Tim Dalgleish

Yeah. So if we think about log-in, traditionally, we might look at people logging in from their normal device, from their normal home network, normal IP address, and it’s a very small number of data points for you to make an assessment. Right. It’s basically saying that if you’re at home on your device, fraud can’t happen, which we know from scams and all the variants of malware, the sophistication of the attacks, now that no longer plays true. And the same thing if you think about payments: if you’re looking at how much you’re paying, who you’re paying, time of day, things like that, it’s really quite a small number of fields that you’re making an assessment on. What BioCatch does is look at the how, not just the what. You know, lots of people pay someone they’ve never paid before. Lots of people make payments of large amounts. Doesn’t mean it’s risky. Right. But if you know how someone is doing that, it makes a big difference to the context. So in my mind, that’s the difference.

Peter Beardmore

Ok, so what is the difference… the difference in how someone behaves in the context of one of these attacks? Let’s start with just a normal log-in. 

Tim Dalgleish

Imagine I’ve stolen your login credentials, and I’m the criminal. And I’m going to log in and start making a payment. Now, I don’t know how you behave. I don’t know whether you’re left-handed or right-handed. I don’t know how quickly you type. I don’t know how you navigate, how you choose to navigate. Do you point and click with a mouse, or do you use shortcut keys, do you use a scrollbar, things like that. So I don’t know how you behave. I’ve got your log-in credentials. So the way BioCatch helps is that we can tell if there’s different behaviour in all of those things. That means a criminal doesn’t know about your behaviour, but the bank does, via BioCatch. So we can see, just at the very start of the journey when the criminal’s starting the attack, that something’s not right. The behaviour is different from what we normally see.

Peter Beardmore

OK, so, then what… is the log-in just denied, or… let’s say there’s a stepped-up authentication. The bank sends an SMS code… but the cybercriminal might be spoofing the phone, or doing some kind of social engineering scam where they’ve got the legit user on the phone, maybe they are pretending to be the bank, and they get the user to read back the SMS code.

Tim Dalgleish

So, you know, when we recall a number over the phone, you go, one, two, three, four, five, six. And we see similar behaviours in terms of entering. So we’ll see three digits, three digits, which is different to how someone would typically do it if it was on the phone in front of them. You know, they’ll talk the whole thing straight out. These little, what I would call breadcrumbs, behavioural breadcrumbs, help you make better decisions. It gives you an idea of how it works.

Peter Beardmore

OK, so with these Digital Tells… behavioral biometrics is able to identify, say, differences in behavior between a normal user… someone who, by the way, we’re also able to observe over a long period of time… and a criminal who may have just gotten access to the account. What about the presence of malware?

Tim Dalgleish

Some of the most sophisticated malware will have features like remote access. And what that is, is that it allows the criminal to take control of your phone or your computer remotely, in an automated or even in a manual way where the criminal can remote control your phone. So they do this so, you know, the bank thinks it’s low risk. You know, you’re looking to do your banking from your typical device, a typical phone. But again, from a behavior perspective, we can see if your phone’s being operated but there’s no one actually physically interacting with your phone. There’s no touch event on the screen. It’s not moving. We’re not seeing presence of physical interaction with the device. It’s very clear from a behavioral perspective that something’s not right here and there are red flags going on.

Peter Beardmore

OK, we’ll talk more about malware, and the cybercrime ecosystem, and scams in future episodes… but I hope we’re at least beginning to make the point that behavior, in the digital realm, is well… telling.

But it occurred to me while talking about detecting and comparing behavior in account take over scenarios that some may be thinking… yes, this makes sense people behave differently… but how does this stuff actually work? Or are digital tells and behavioral biometrics still the realm of science fiction?

Ayelet Biger-Levin is Vice President of Market Strategy at BioCatch. She’s another industry veteran with a couple of decades of IT, fraud, and identity management experience. We chatted recently about how behavioral biometrics actually works, starting from collecting the data:

Ayelet Biger-Levin

BioCatch collects the user’s digital interactions with the application. So if it’s a mobile device or a laptop, we’ll collect the mouse clicks, the keystrokes, the timing. If it’s a mobile device, we’ll collect the touch activity, the swipes, the movement, the accelerometer, all of those physical events of interaction with the device, and the way that is collected is via SDK. So if it’s via Web, then it’s a JavaScript SDK. If it’s on a mobile device, there’s an embedded SDK that collects all of these events. And the analysis layer then takes all that data and analyzes it through machine learning to determine anomalies, to determine patterns that we’ve seen, and provide a risk assessment.

Peter Beardmore

And this assessment is done in the cloud, in real time… like actually during the session… which is amazing in and of itself. Can you talk about the analysis that’s actually occurring?

Ayelet Biger-Levin

So there are three levels, actually, of analysis that we perform, leveraging machine learning. One level is the user-level analysis. So comparing the current user behavior to their historical profile, in the sense that we look at the press size and cadence, and do they use their left hand or right hand, and what are the physical and cognitive choices that they make and that they’ve made when they interacted with the application throughout their journey in the past? And then we ask, what are they doing today, and does it compare, or is it anomalous to what they’ve done in the past? And that can raise flags if there are anomalies. The second layer is a population-level analysis, as you said earlier. And so the population-level analysis is really comparing the population-level activity against indications of good and bad, or if we have confirmed fraud cases and confirmed genuine cases, we learn from those cases at the population level. That’s particularly important and helpful when we don’t have user history, when we don’t have any information about the user, either it’s a new user or it’s an account opening situation where we haven’t seen this user before. But the combination of those two is very, very powerful to protect the account lifecycle. The third layer is the combined analysis. And we’re saying, even if it’s the legitimate user, in other words, we look at the user profile and everything looks great, are there signs on a population level that show us that there are anomalies? And that level really combines the two and is able to detect things like the scams: yes, it is the legitimate user, but something is off.

Peter Beardmore

And can you talk about how that information is fed back to the financial institution and what they do with that?

Ayelet Biger-Levin

Once the data is analyzed, BioCatch then provides the risk assessment. That risk assessment ranges in scores between zero and one thousand, where one thousand is a very high risk and zero is a very low risk, or a high degree of confidence. And the output that is provided to customers is the score and a set of risk and genuine indicators.

Peter Beardmore

Those scores and indicators, once shared with financial institutions, drive decisions ranging from no action taken… all the way to denied transactions in the event that the risk score is too high… the data can also be presented as evidence when investigating fraud reports. That part is really up to the institution itself, but BioCatch works with the institutions to figure out and implement the right procedures for each scenario.

So yes, while this may all still seem a little science-fictiony, it’s happening today. In fact, BioCatch protects over 2 billion sessions per month, protecting over 200 million people around the world, and stopping over 6 million fraud incidents annually!

So suffice to say, while account takeover fraud remains a gigantic problem, we’re chipping away at it.

Digital Tells is written and narrated by me, Peter Beardmore, in partnership with my producer Doug Stevens of Creative Audio and Music, and with the unwavering support and sponsorship of my employer, BioCatch.

Special thanks to Jonathan Barnes, Tim Dalgleish, and Ayelet Biger-Levin. We opened this episode with Tom O’Malley. Since Tom retired from the US Department of Justice, he’s started a website called FrozenPII.org. Pie is spelled PII (as in Personally Identifiable Information). The site helps consumers protect their identity. You can find a link in our show notes, check it out!

For more information about this episode, behavioral biometrics, or to share a comment or idea, visit biocatch.com/podcast.

Join us for episode 3, in which we’ll explore Account Opening Fraud. How do you detect an account application with fraudulent credentials like stolen or synthetic identities?

Until then, take care.
