Cyber Fraud Landscape- Jordan Powell

everyone so welcome to my talk uh I'm going to do it on Cyber fraud landscape so go through the boring stuff who am I um I'm a cyber fraud intelligence Analyst at cjax so I'm on I'm a placement student um I focus on sockman which is a subsection of oen where essentially I focus on um social media sites with the use of sock puppets um I'm studying cyber security digal forensic to Le Becket University and St in September I'm going to be president of the lead Becket fical hacking Society my main interests are CTI You' H with my job would you uh oing and offensive security um I'm top 5% of try hat me and I've done way too many

free Sears I need a life um and then Hobbies gym art so my first question is to you lot what stereotypes do you think of when I say fraud so to shout them out I don't mind so do you think fraud Act FR for actors what do you think of yeah yeah cat out that's the best one yeah any others yeah call centers that type of stuff credit card fraud credit card fraud there you go so there's there you go I'm liking this is good keep you going um but yeah there's loads of different types of fraud there's loads of different stereotypes but a few you might be missing drill rappers so a lot of drill

rappers nowadays they're actually frauders um does anyone know the names of these two lovely gentlemen at all so Bill yeah CL enough yeah uh so they got an onos masy called tanks and the other one's called punch made Dev um they haven't really helped themselves with a robse sec um literally punch M dev has a YouTube video how to write a dump so not incriminating at all um which again this typ has influence on youngsters um the threat actors the major like how it operates um with the cyber crime on forums and then just the spam accounts on Instagram so those are two accounts I monitor so you see like cryptocurrency um and just a targeting

of like you know elderly people and then child frauders which is um a huge thing that not a lot of people are aware of so fraud there some of the terminology I best go through so a lot of these frauds has use term FS which refers to full information so that's credit card information for full names that type of stuff so for ACT might say I have FS of X bank so they'll sell that information methods so it's a way to commit um fraud against a certain organization so it could be against a retail brand how to get an item for free how to get a domain for free that type of stuff chops and SL chopping essentially buying

or selling information for quick cash so they might have a bulk of fs and they'll say right let's get rid of it this chopp it carding is a practice of sing credit card information to become on white card so you might see it on Instagram we have like the White cards and they'll have like the pin on it and the amount so they'll sell that to like other FR actors to use mainstream size High Street so it's the most popular Banks and the on SE on High Street so an example of a main um a main stream could be like Lloyds Barkley and then ones that could be like revolute and Monza so a lot of factors

say I'm looking for mainstreams so they're looking for big Banks and then loading cards which have pre-loaded cash ready for use and then proof so that's just a way of showing legitimacy of a fraud action so it could be like proving that a loaded car has so much information proving that a method works that type of thing so different types of scams so you have the phone call scams so you know a block Rings up and says I can get your latest iPhone limited Wi-Fi for 2250 in a Fredo a month seems legit um romance scams so at my work with seen a significant increase with African based TI um targeting 30 to 55 year olds so

essentially a threat actor will build for a PA with a victim they'll quickly prend them and say oh I'm in love with you um but I mean I need money please send me money and they'll eventually do that you have email scam such as the classic Nigerian prints um so again again I think most people are aware of that deep F scams which is seen in significant rise so they're using like Joe Rogan for example they watch is Jo podcast um they'll use his face to promote Brands which it's not legit just because he's big we have pig butcher him so Pig Buton is a type of scam where eventually a fractor will build up a ra

of a victim um and it'll eventually s get into a vestin so they'll say build up a report and they'll say we have this this uh platform um put him into it and they'll basically lead them dry and pig butchering um and typically you see these type of actors operating from Southeast Asia I believe Pig butchering started in China I might be incorrect with that uh retail scams so retail scams typically is just like how to get an it for free um so a lot of them rely on social engineering so as a customer service you you know you want to build a rapport of customer you want to keep them happy a lot of these FR actors

they'll abuse that so they'll say I'm not happy with this band I'm going to kick off um you know leave a report and then no other the brands will go don't worry about we'll leave it it's not worth it and then Hein so eh- horing is a type of way of fraud that's seen a lot of increase past few years so a FR actor Will pretend to be an attractive female um what they'll do is they'll get imagery of the like a only fans model one that's not typically known and they'll build up a PA with a victim and they'll say hey why don't you appear for my private ear fans I'll send these images it's not real you know they using

someone else's images um which is seen again significant rise so this is an example of U ER and so FR actors will sell packs of like nudes healthies stories that type of stuff and then they'll also have like voice AI they'll use that technology and they'll even provide like guides on how to do it um eh- horing can turn quite dark unfortunately I've seen with some of the Frat actors they actually use blackmail so they'll essentially like you know sell them the the imagery um and then use that information they'll find out who the like the the the daughter is who the the wife is and they'll black them and say hey we're going to expose this to him unless you

give his money which is you know just horrible market so this is just some of the markets that could hear all day and it's just some of the places where you know a lot of fraud operates so you have good old telegram uh Snapchat wwh club which is a I believe it's on T um it's a Russian Forum which focuses on Carden fraud you have xss which is pro predominantly Russian cyber crime but they do have card in on it uh WhatsApp signal and then good old Discord so recruitment so this covers this is more focused on like the under a frauders so I'll go through the process so child frauders get um recruited during secondary school and

they'll operate under a more established for actor um and then later the child will build up their own operation expand it to their own classmates um motives why kids might do this is you know financial gain lack of identity to attract relationships clout and cling so a lot of these unfortunate kids they're vulnerable um children so it's very similar to the process of county lines where like a fractor will identify a vulnerable child and say hey look you need some money let me buy you some clothes here let me buy some food and then they'll eventually say hey look I'm making all this money why don't you come work for me and then they'll eventually

just use them and abuse them and yeah um all demographics can fall victim to this U regardless age background everything I've seen factors who are female male upper class lower class it's a huge vary so what happens to court frauders underage frauders they tend to get just social support and the the school tends to get involved so obviously this depends on scale so like if a 15-year-old is doing like millions of pounds and it might be different but a lot of the time they'll just get support from the school um cuz they identified them more as a victim the difficulty is with a lot of these is they're vulnerable adults and they get groomed vulnerable sorry

underage adults underage kids but they words um so Social Services will try and help them change um but it's a lot of difficulty because how how can they relate to them cuz they're having like an adult speak to them and try and understand them um but you know they struggle with it um adult ta if they get caught it's usually fines community service really rarely it's jail um why such amount the issue is is in the UK in particular we have way too many CT cases there's a lot of going on and it's really hard to prove um a lot of these cases unfortunately um and there's a lack of knowledge of Legal Professional so

there's very few solicitors who focus on S crime and they understand it well um so yeah so victim def fraud so I think I was covered earlier fishing victims they're targeted um and Ed for their sensitive information so fral fish of victims they'll use the credit card information saved and they might sell that on forums such as xss um and other places Asians and Eastern Europeans actually typically less targeted because of biases from Banks so say if I was John Powell and I was Liv in a posh area of um London and I bought a 10 a 10 grand game in PC if I put that payment through the bank's probably going to go yep seems legit um if I was an Eastern

European name and I paid a 10 grand gaming PC it's much more likely to be picked up as fraud uh unfortunately so a lot of these factors Bally ones I monitor they'll say I'm looking for FS white names only because I know that's not going to be detected and picked up as quickly um unfortunately elderly assers better targets more money they don't understand the landscape they don't understand like the easily tricked unfortunately um so a lot of them they will go out the way to Target elderly people um everyone can be victims fraud um even us even us working professionals um if you ever fall victim to fraud don't give up please chase after the money cuz a lot of these

frauds they do not want to be chased after if you have an issue with fraud P it to your bank get it chased up go after it so fall victim to fraud first things first Contact your bank ASAP sooner you report it to your bank the better it can be sorted you can contact action frauds they'll provide some support and if you're up Scotland call 111 they'll also help you um if you're struggling mentally please contact Samaritans um they'll always be there to talk to you and help you and if you say for example fell victim to Pig butchering there's loads of support groups out there um which have you know previous victims and they

all help each other um which is a really wonderful thing to see so the impact of fraud on victims so the psy psy psychological effects um anxiety depression um lot of mistrust you know particularly with like a lot of the um romance scams you know you fallen in love with this individual you f the real and they just completely robbed your money social damages relationships like it might damage your Rel it will damage your relationships with other people um you w a lot of these people struggle with trust again which is you know unfortunately understandable physical health deterioration a lot of people struggle to leave the house after suffering and being frauded um and the long-term

Financial damage um you know a lot of these frauds is they'll use your account for like max out learned it might be sorted with a bank but it's still going to damage your credit store um which obviously has a longterm effect and then suicide so if you ever fall victim to fraud or you know someone please reach out um a thing of what a lot of these frauds say I've personally moled they see fraud as a victimless crime which is completely [ __ ] untrue um it's it's horrible they do not care so probably thinking why is there a fraud talk at um besid leads um the sophistication with factors I monitor at work is insane a lot of them

are using the same tactics as you know typical cyber crime forums so has anyone one seen us in the news no recognize it I believe so yes yeah um so Financial Officer pays up 25 million after a physical we deep fake Financial chief officer you know this is this is really new stuff this is stuff that's ongoing and developing and there's not enough knowledge out there of training organizations to recognize you know this person's de fake it's incredibly hard so this is from one of the telegram groups I monitor at work I see this stuff getting pumped out every day you know they focusing on defect technology they're selling that bypassing apps and web browsers um they're focusing a lot

on it which I see a lot uh family warns after about a new AI family scam so I think someone covered it earlier in the talk but essentially a actor will use the voice of Someone Like You Love Ring you up and say oh my god I've been in a car crash in Spain I need health bills or whatever and because you're hearing that voice of your loved one if like wife your sister or whatever you obviously emotionally react go I need to help this person um which is you know it's you seen in a significant increase and there's a lot of guid on it on YouTube it's getting easy to do every single day and the sophistication again this is

from telegram groups I'm monitor you got hacking tutorials you got how to build rats got carding higher hacker all this stuff uh got proxies and then we got Redline Steeler I've seen Redline Steeler getting pumped out quite a lot that is a common tool use among cyber crime threat actors um an example I can give actually there was a threat actor I was monitoring at work um he was providing Services of how to set up Redline Steeler proxies um Sim swapping all sorts and I thought oh this this is sophisticated this frat actor was 14 I later found out after identifying him it was mental is sophistication um and again this is stuff is just small example there's

loads more I see every day and then you seeing the rise of worm GPT and fraud GPT I remember when I started actually at SX I wrote the report for worm GPT for the client and I was amazed by it so worm GPT can help you do fishing emails uh business email compromises and there's no limitations it'll help you with whatever there's no you don't have to bypass chat CHP T safety regulations with this you'll just do it it's fine um it's crazy it's crazy um and as well like I see the thing is with with ger G GPT as well it can help fraud frat actors make emails in select languages so it doesn't matter if you're a FR

operate in India and you don't speak English this thing will make you perfect English emails to pump out you know that's stuff that's in the past we could pick up on and say hey the grammar in this isn't right it's clearly fraud it's getting way mental so what can we do about it unfortunately I don't have a magic wand I don't think any of us do in here um I wish we could wish away you know fraud um but what I personally believe is its knowledge and awareness of the landscape of fraud um the sophistication is increasing and um it's not talked about enough I feel um so I feel sharing awareness amongst organizations and like

who the loved ones to say hey look if you get a call from me saying I'm in in Spain and I need Healthcare ask me questions on the call say hey where was you last week ask me stuff that only I would know if he was on a deep fake call with your CEO and he says hey I need you to transfer some money into my account ask him what when did I get recruited ask him questions that he wouldn't he would only know if it was actually him because they cat bypass at the moment um but yeah I just say increase awareness of the threat landscape um so yeah um just before I get on questions I just want to give a

massive shout out to AIS here at my work my so manager it's helped me a lot with a St so Legend thank you uh is there any questions yeah so could you repeat that again

mate um I personally haven't seen it but I can certainly imagine so that's a thing um worm GPT came out around summerish time I believe I might be in r with that um but yeah it wouldn't surprise me if there's some type of technology for that um be developed yes mate is that a

I believe it's its own model it uses the large language model but it's its own thing and there's like no limits so you can get it to make whatever um you can even ask it like I saw on the form advertisement like the M example of with a normal chat GPT if you ask it for it like political opinions it won't give you it you can ask worm and it'll just go yeah that seems right yeah I agree with this um just a small thing to know uh but yeah yeah it's its own thing is that is that hosted in the do yes yes I believe so you have to pay a membership I don't remember the form I've talking

yet but yeah there's a membership I believe to access it this is a thing though like when I started doing sock Min cuz I got essentially got moved over because they needed help on the team I honestly thought like oh I'm just be deal with some emails you know just be someone who got tricked with a call you know no I started and I was like wow this is not what I expect is like the sophistication amongst the fractor is insane like again that 14-year-old I made example of compared to stuff I was doing when I was 14 I like wow I was playing Minecraft and playing Call of Duty that's about it um this kid's doing Sim swapping and

setting up malware mental um but yeah yeah yes so how do we validate identities when it comes to these threat actors you know I mean you can't CU what you see you can't believe anymore The Fakes can't use a password spoken over teams because as soon as it turns into a digital footprint somebody's going to be there man in the middling it and stealing that password can't use your Biometrics because it's probably going to be the same thing it's going to go digital and somebody can steal that and replicate it what's what's kind of out there that we could utilize to to validate the authenticity of the person at the other side realistic I'm I don't have full

knowledge in this era so I can't give it a fancy answer but at the moment I would say just ask questions like oh you know like ask questions that only that individual will know like the CEO like oh um who do I work with or like that's actually bad example but like as something like it would the CEO would only know what what's my favorite video game that we talked about the other day some something silly like that um I would say say stuff like that unless the Frat actor has done some amazing social engineering and O and has discovered everything about you it's going to be very hard to bypass um but again as well like it comes back to if

you get a weird like you get a weird call like that verify it with the ceso verify it with a financial officer Say Hey I just had my CEO ring me and he's asked me to transfer some money is this legit has he done this too um just verify just check cuz no organizer is going to have a go with you for double cheing transferring money um

yeah yeah yeah exactly

yeah yeah exactly yeah and it's like um you know if you have the personal number just ring them on another number like contact them um elsewhere just verify it just cuz this is something thing let's say you did get into a call CEO and he says I need 50 million right now just go right one minute let me and let me double check this give me a minute if the pressure if he's saying I need it right now right now rise red flags like question it um I understand that might be tricky because it's an authority figure but think things through before you start sending stuff and stuff like that just verify Check and Go hey is is

is this correct with this individual has this person said yeah it's okay to send money is that all right yes sorry another go on is it is it is it maybe the ownest uh is on an organization to make their user awareness training a little bit more robust in and have US policies in housee as well that states verify validate we you know a lot of companies out there have had an attack of some kind yeah whether they've been Incorporated that into some kind of policy procedural or user awareness training should the owners then be on the companies rather than the staff members I believe so yeah it should be company policy and there should be training around it like I

can't speak for other organization but a jack say if I got an email a link through from one of my colleagues I'd verify and check that with three other people before I open anything just to double check is that you're parano I'm very paranoid myself to be honest mate but but yeah um yeah I would say company training and policy just have become a regular thing of if you get questioned why is another member of Staff asking me to send money can you just double check this is right you shouldn't be having to go and that employee you should go I have an intelligent employee here who's looking after the security of the company and go yes this if it ends up

being legit for some reason I highly doubt it fair enough but you've checked with multiple people not just one other people who might have been compromised that were account check and check off like if you have a personal number of your team leag like I do I'd ring them up say hey are you ring messaging me on teams to send me this money as well so as the CEO just a just a double check like double check verify that's but yeah definitely I'd agree company training it's something that old companies should do for new change back details it's something when I work with companies is it's a free thing that can do which mitigates a lot of risk and makes stuff

makes it more secure and save so much money as well as well because think about all the fines and then losing the money as well it's like it's mental yeah the verify does make sense on person level but looking from an organizational point of it doesn't seem like a formal process that that can be that is robust that Mak sense um I I guess we don't have an answer for this at the moment but there needs to be some kind of formal process which someone can follow and not just yeah yeah yeah yeah yeah that was a bit of a bad example to I was spit on the spot um but yeah just yeah I

definitely agree that like you could have it as I won wait I wouldn't say like in the policy layout and go hey ask this question just in case the fractor gains access to that but have it as P like say hey I don't know's your favorite video again what's your favorite video again yeah just do you know what I mean you know what I mean but yeah yeah no 100% I think there should be like some official training and policy that comes around it but obviously it's such a new area the industry is trying to learn it yes

mology that's the thing as well like again like a lot of these teenage frers I I monitor they're not just teenagers starting out with nothing they have an established ta who's been doing it for God knows how long teaching them how to do everything with the methods and everything they develop very fast sisc particularly social engineering um so

yeah we seen that Chang threat intelligence sharing that information fre across organizations because I work in the fin certain Banks inform yeah

yeah yeah exactly yeah um are I I personally can't comment because I only work with One bank I don't know the foot again I'm just a n um but I definitely believe that more knowledge should be shared so for example like I found a bunch of methods for um ehh horing for example I shared that with a bank um and I know that they're passing that around the the Departments and they're understanding it sharing the threat intelligence of frauders is so important because understanding the method so how do they operate when it comes to Blackmail how do they operate when they comes to deep fake technology the quicker we can pick up these methods and alert the bank they

can go right I'm not just having a person who's trying to scam get a free item no they've actually been frauded cuz it matches you know these methods yes just to add to that maybe AI is the answer you know co-pilot stuff like that where the co-pilot's been injected into into all these different organizations not to pull the information about what's in the banking their pii and all that kind of stuff but how the fraud are getting in and sharing that information across all the banks the AIS can monitor that stuff

yeah

yeah yeah yeah 100% And this is the thing like the sophistication of the methods I see like I personally monitor they change all the day they they they adapt very quickly cuz they'll realize that something is isn't working anymore and they'll go oh that's fine I'll just shift to this um as well with the targeting they know like not to Target you know Asian and Eastern European names because they know that gets flagged very quickly with banks unfortunately um so target white names you know um yeah yes you're liking his subjects aren't you M for the good reasons um I going to say I'm not giving you any methods it's not happening how much are you seeing AI an increase

in the use of AI rather than it being the usual standard threat actors that are training somebody else how much are you seeing an uplifting AI being presented as the go-to for threat just to go I don't need to train several people I can just create an do I from what I've personally seen in my opinion I wouldn't say the fraud is particularly going straight to AI technology all this so far there's there certainly a change to adopt it and use it but I would definitely say they're more relying on The Grooming process of younger T um because again they can just basically use them they'll know they get lighter sentences and they'll just use them up

there's um I I a got long there was a um I'm not going to name the individual but there was um a Tik Tok video of a lad who was speaking basically he went through this process he got groomed by in all the TA and he used his account max out all his credit and the lad is now de Banks from major Banks he can't get a bank account he's now suffering with mental health issues um and I monitored one of the threat the telegram groups and the FR actors were laughing about it and doxing them um yeah these people are not nice they're not your friends they do not care about they're earning it for the money um so yeah yeah

I definitely say that it's definitely shifting towards AI there's more AI coming into it but they're still using you know vable uh teenagers essentially

move yeah um I would say some of the individuals are considering that some of them are consider but a lot of them they they're not too bothered to be honest it depends on the fror cuz the thing is with the fraud landscape it's so SC like you can have like the standard just eat fishing emails and then it goes all the way up to malware deployment fishing emails and data dumps on like the T Network you know um but I definitely say they do consider some fret actors do consider that where where they're posting their data where they're sharing it with like Ai and that type stuff any other questions one time perfect thank you very much