New Episode Alert EP105

Dark Web Fraud and Cybercrime! 🔥

January 27, 2020

Weekly Blaze PodcastEpisode 105January 27 2020

Dark Web Fraud and Cybercrimewith Emily Wilson from Terbium Labs

Business travel can be tough on our privacy as airports, airplanes, hotels, Uber's and even other travelers can put our personal data at risk. That's why when I travel I use a Silent Pocket faraday bag for my laptop and smartphone so I can stay completely off the grid. Silent Pocket's line of patented faraday bags are built to protect your digital privacy. Not only that, their products are well made and stylish too. You can receive 15% off your order right now at

. Use discount code "sharedsecurity" at checkout to take advantage of this exclusive offer just for listeners of this podcast.

Below is the transcript from Tom Eston's interview with Emily Wilson, VP of Research at Terbium Labs. Emily speaks with us about the latest fraud and cybercrimes on the Dark Web. Enjoy!

00:00 Tom Eston:

Joining me today to talk about fraud and cyber crime is Emily Wilson, VP of Research at Terbium Labs. Welcome to the show, Emily.

00:08 Emily Wilson

: Thank you for having me.

00:09 Tom Eston:

So tell us a little bit about your background and how you got into researching fraud and cyber crime.

00:15 Emily Wilson

: Sure, definitely. I'm not sure if there's a traditional path to becoming a dark web researcher.

00:21 Tom Eston:

I don't think so (laughing).

00:23 Emily Wilson

: But in my case at least, my background is actually in international relations, so not computer science, not technology strictly speaking. Actually, a lot of my earlier research was on war crimes, primarily in Eastern Europe, and that sort of after school led me to a few different projects. I ended up working as an independent consultant for several years with some international clients trying to solve technology problems, trying to solve communication problems and kind of the overlap of those two. And then I ended up joining Terbium about almost five years ago now as one of the first hires trying to solve this, what ends up being a technology problem and a communications problem, which is we have this community online of criminals who are broadcasting to us how they're thinking about data, how they value data, how they're developing fraud, because they have to broadcast that information to each other, right? This is an economy. This is a cyber crime economy. And so for me, it was just shifting from analysis of one type of community to another type of community and of course ended up getting back a little bit closer to Eastern Europe than I was anticipating.

01:31 Tom Eston:

Do you see a lot of cyber crime now? I mean I've known this for years and I used to work at a bank in their fraud and IT security department, and we always knew that Eastern Europe was the hotbed of criminal activity. I assume it's still the same.

01:47 Emily Wilson

: There's certainly a prolific operation based in Eastern Europe and not just Russia, but a lot of former Soviet Bloc countries as well, and then, of course, there's activity in the Middle East and Gulf states. There's interesting stuff coming out of East Asia. There's a lot of really interesting developing activity in South America. So I think we are seeing the growth of some of these global hotbeds. But certainly when it comes to fraud and things like payment cards, it's really hard to beat something like Eastern Europe.

02:21 Tom Eston:

Now you recently wrote

. So how will criminals be leveraging this data and why do you think this is more valuable to criminals than ever before?

02:36 Emily Wilson:

There's a few different pieces here, one which may sound obvious, but I think can't be overstated is, the more marketing data, and when I say marketing data, the things I'm thinking about here are social media profiles or purchasing histories or preferences that we set on certain sites, all of the things that are really useful for a given retailer or organization or tech giant to really tailor what they deliver to you, whether it's ads or content. In the hands of criminals, that kind of information is really good for targeted phishing, right, for going after whether groups of individuals or specific individuals. If you have a little bit more information about how they operate, or if you know that, for example, sending them a phishing email based on dogs instead of cats is more likely to get them to click, then being able to do that is going to be helpful for phishing.

03:28 Emily Wilson:

Aside from that, I think this same information in the hands of not just traditional kind of average cyber criminals but also more sophisticated actors, obviously when we think about things like OPM data, that packs a little bit more of a punch, whether we're thinking about putting pressure on people, some sort of blackmail or some sort of more government-based operation, the more information that you have on a target, the better, whether you are looking to get information on them. If you're trying to groom someone for corporate espionage, there's a lot of potential there. The third piece is we're heading into an election year. I suppose we are in an election year now. It's 2020. This kind of information can be very useful for micro-targeting groups of individuals, whether that's for misinformation or disinformation campaigns or even under certain regimes where particular groups of people might be targeted for ethnic reasons or for their gender or sexual orientation. You can imagine the more information you have on a person, if you give that over to people who have a lot of resources at their disposal and can play around with this, you can imagine the fraud and cyber crime could scale up quite quickly.

04:42 Tom Eston:

You had also talked about something called account access as a service and you also talk about dark web operators offering booking services for travel and hospitality brands. Can you talk a little bit about this new form of fraud, and is this something that we should all be concerned with?

04:57 Emily Wilson:

Sure. I think this is really interesting. One of the things in my community analysis approach to dark web research is, what are the new goods and services, how are things developing, how are they changing, how are they being marketed or remarketed, and with something like access as a service, what this looks like in practice is there's a couple of different ways that manifests. Either people can pay to fraudulently have their legitimate accounts upgraded. So if you have a standard airline account and you want to be super gold, platinum, premium, you can opt in to have someone make that change for you so that you can then benefit from the access to that particular level or group or ranking, or you can have someone book you similar luxury travel using their own third-party resources. And so in this case, perhaps you would pay someone 25% or 30% of the retail value of a flight or a hotel booking, and they offer to take care of that for you, whether that's through a booking service that they're connected to, or perhaps they are integrated with the travel brands themselves.

06:12 Emily Wilson:

But this is being pitched as you want that luxury, but you don't want to go through the hassle and the risk of committing the fraud yourself, so pay me a little bit extra. It'll still be less than you would pay to book it directly and I'll take care of it for you. Vendors are actually marketing this as a safer alternative than using a stolen credit card because based on their marketing tactics, they think that that's going to appeal to this fraud by our audience.

06:37 Tom Eston:

Wow, that's fascinating. So have you seen a lot of instances just recently? Like when do you think the shift happened? Is it just like last year?

06:46 Emily Wilson:

Being able to opt into status of some kind has been around for a while. It's popular in beauty brands, for example. I saw this begin to pop up a little bit more for travel brands over the last couple of years and last year in particular, and I think it's interesting. It's something that I'm watching. I think similar to the expansion of something like child data or some shifts in the way that phishing is handled online. I think it's really interesting to watch how this develops and how it might spread across different brands and what that means for those companies, for those travel or hospitality brands that are being targeted. I saw a similar thing with phishing where it used to be that perhaps you would buy email addresses, big email lists to go off and kind of dragnet, attempt to phish, or maybe you would buy a guide on how to do phishing and you would take that information and then take this guide and go execute your strategy.

07:38 Emily Wilson:

And now, we see more developed goods and services where you can buy preformatted phishing pages with all of the malicious code already incorporated, all of the branding already incorporated for your financial institution or your tech company. It's much more plug and play. And so I think it's interesting to see how dark web vendors are developing these new goods and services and these new offerings to remove some of the technical requirements and make it a little bit... You lower that barrier to entry for fraudsters who want to start to play around.

08:10 Tom Eston:

Yeah, and I think one of the most concerning topics you had mentioned is your research that you've done on child identity theft. What's being done about this issue and what should those of us with kids do to combat this threat?

08:21 Emily Wilson:

So the first in combating the threat, the best thing and really the only thing that we as individuals can do is if you have children or you know someone who has children, you can freeze children's credit. We as adults can also freeze our credit, but what a credit freeze does, which is a little bit different from some of the identity monitoring services that brands tend to favor after they've had a security incident. Identity monitoring services will let you know, or credit monitoring services will let you know once a new account has been opened with your information. Freezing your credit, on the other hand, stops criminals from opening those accounts in the first place. It puts a block on the account and says this account is not looking to open anything new. If you receive any requests, you should deny them immediately. And that's important, right? Because as adults, at least we can keep an eye on our accounts.

09:07 Emily Wilson:

If we see something unusual, we can go and investigate it, but how many of us are thinking about the credit status of a three-month-old? Criminals rely on that confusion and they are using information on children or perhaps even social security numbers that haven't been issued yet, people who haven't been born yet, haven't been identified yet, to go and open these credit accounts, and they're able to exploit them for decades, right? When's the first time that you check your credit status? You're buying your first car maybe or you're going to school? And so, one piece of this is just raising awareness and encouraging people to understand that children are appealing targets for cyber criminals, right? We think about physical safety for children, but we need to be thinking about their digital safety as well.

09:52 Emily Wilson:

The other thing to keep in mind, and this is coming around this year now, is that previously there was no system in place for financial institutions or credit agencies to check social security numbers against the Social Security Administration database and confirm that, one, the social has been issued and that, two, that the social security number matches the contact information that's assigned to it. That is something that we would think would already exist, but it doesn't, but it's going to starting this year. They're going to be piloting that program this year. And so, I for one, am very curious to see how many of these synthetic identity accounts we see appearing once banks are actually able to go and check on this information and then how they handle it in the aftermath.

10:35 Tom Eston:

Yeah, and good to see that they're doing that because I can just imagine how big of a problem this is going to become.

10:42 Emily Wilson:

It's a big issue and it's a hard thing to deal with because these credit profiles are tied to our social security numbers. And so the process of getting a new social issued is, it's difficult at best and near impossible in many cases. There's one story that I talk about a lot with folks in the industry about a six-year-old who had her information stolen and the parents did everything they could to try and get her a new social including changing her name, which was required by the Social Security Administration that you get a new social security number issued. And how do you explain to a child that you have to change their name because someone got a hold of their information and used it to open a credit card at JC Penny or something? How do you begin to have that conversation? And then how do you scale that kind of resolution as a financial institution or as the government agency? What do you do when you realize that there are millions of people who haven't even learned to write their names yet who have had their information compromised? How do we deal with that?

11:44 Tom Eston:

Tough stuff for sure, but glad to see that you and others are helping to do something about it. So where can our listeners find out more about you and Terbium Labs?

11:54 Emily Wilson:

Sure. So you can find out more about Terbium Labs by visiting and surprisingly

. We work with customers to monitor their sensitive information online on the dark web and as its criminals are beginning to spread across the open web and social media now. So we track data and alert companies when their information shows up so they can take action before, for example, that complex marketing data as used to phish their employees. And

or you can find me on Twitter

if you're interested to see me ranting about child data exposure and lack of regulation in the financial industry.

12:32 Tom Eston:

Awesome, and we'll have all those links in our show notes. So thank you once again, Emily, for being on the show. We really appreciate it.

12:40 Emily Wilson:

Great. Thank you so much for having me.

DecemberMonthly ShowEpisode 95In episode 95 of our monthly show we're joined by special guest Rebecca Herold, the "Privacy Professor". Rebecca is a well known expert in the privacy and cybersecurity community and gives us an update on what she's been working on, what her thoughts are on the current state of privacy regulations (CCPA, GLBA, etc), and what we may see in 2020 from a privacy perspective. We also talk about Rebecca's favorite books and her encounter with famed author Cliff Stoll who wrote "The Cuckoo's Egg".

Watch this episode on our YouTube Channel!

Top 10 Episodesin 2019We've had a fantastic year bringing you the latest cybersecurity and privacy topics and news. Thank you for being a listener and supporting the show!If you haven't listened to our most downloaded episodes from the year, here's your chance. Click the link below to listen to each episode and share with your friends!

Shared Security is now on GetVokl!

We live stream our monthly show on a new interactive video chat and streaming service called GetVokl!

to get notified when we will be live and to watch previous episodes!

Thank you to our sponsor

Silent Pocket!

Take advantage of this exclusive offer and help support this podcast!

Visit

to shop Silent Pocket's great line of privacy focused products.