OSINT Fighting Fraud: Going Beyond Validation

Tazz
January 12, 2018

Audience: fraud prevention teams, sales departments, intelligence analysts, and security operations center (SOC) analysts.

Presents critical thinking and investigation techniques.

The presenter is available upon request; send a direct message (DM) on Twitter.


Transcript

  1. FIGHTING FRAUD: BEYOND VALIDATION By: Tazz @GRC_ninja https://osint.fail

  2. OVERVIEW
     • Verification vs Validation
     • What does legitimate look like?
     • Is Stripe Legit?
     • Research Techniques
     • Summary & Questions

  3. VERIFICATION VS VALIDATION
     • Validation: have we investigated the correct customer information?
       • Name appears in Google
       • Address exists per the post office database
       • Phone has been issued
       • Email passes a regex check and automated validator
     • Verification: have we investigated the customer information correctly?
       • Name belongs to a “real person”
       • Address is for a place where the business operates
       • Phone number is a land line or mobile that matches on name/address
       • Email is not from a pwned dataset

  4. VERIFICATION VS VALIDATION
     • Valid information != Legitimate Business
     • Bad Guy Rule #1: Use valid data to pass automated validation (ex: Angler exploit kit domain registrations, poor winery)
     • Valid email = stolen in data breach
     • Valid address = scraped from a site
     • Valid phone = sales guy business card
     • Valid name = Twitter pic of a driver’s license

  5. VERIFICATION VS VALIDATION
     Verification
     • Integrity
     • Data points viewed collectively
     • Data considered holistically, w/ context
     • “We have verified the customer’s eligibility status, and validated the information provided in their application.”
     Validation
     • Accuracy
     • Data points checked individually
     • No context
     • “We have validated the applicant’s information, however we are unable to verify the customer is eligible for our services.”

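The validation/verification split from slides 3 to 5, and Bad Guy Rule #1 from slide 4, as an added worked example that is not part of the presentation. The lookup tables stand in for the external sources an analyst would pivot through, and every name, number, address and domain in them is constructed and fictional; the application built from scraped-but-valid data passes every per-field validation check and fails verification only when the fields are cross-checked against each other.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the sources an analyst pivots through (postal
# database, carrier/caller-ID lookup, breach corpus, business registry).
# Every name, number and address below is fictional.
POSTAL_ADDRESSES = {"1 Example Plaza, Springfield, CA 90000",
                    "PO Box 99, Springfield, CA 90000"}   # exists, but only receives mail
PHONE_LOOKUP = {  # number -> (line type, caller-ID name)
    "+1-555-010-0001": ("landline", "Acme Widgets LLC"),
    "+1-555-010-0002": ("mobile", "Bob Salesguy"),       # lifted from a business card
}
BREACHED_EMAILS = {"bob@acme-widgets.example"}            # appears in a pwned dataset
BUSINESS_REGISTRY = {"Acme Widgets LLC": "1 Example Plaza, Springfield, CA 90000"}

@dataclass(frozen=True)
class Application:
    name: str
    address: str
    phone: str
    email: str

def validate(app: Application) -> dict:
    """Validation: each data point checked on its own, with no context."""
    return {
        "name": bool(app.name.strip()),              # stands in for "appears in Google"
        "address": app.address in POSTAL_ADDRESSES,  # exists per the post office
        "phone": app.phone in PHONE_LOOKUP,          # number has been issued
        "email": re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", app.email) is not None,
    }

def verify(app: Application) -> dict:
    """Verification: the same points cross-checked against each other."""
    line_type, caller_id = PHONE_LOOKUP.get(app.phone, (None, None))
    return {
        "name": app.name in BUSINESS_REGISTRY,                      # a real registered entity
        "address": BUSINESS_REGISTRY.get(app.name) == app.address,  # where it operates
        "phone": line_type in ("landline", "mobile") and caller_id == app.name,
        "email": app.email not in BREACHED_EMAILS,
    }

def is_legitimate(app: Application) -> bool:
    return all(validate(app).values()) and all(verify(app).values())

# Bad Guy Rule #1: every field is valid data, assembled from scraped sources.
FRAUD = Application("Acme Widgets LLC", "PO Box 99, Springfield, CA 90000",
                    "+1-555-010-0002", "bob@acme-widgets.example")
GENUINE = Application("Acme Widgets LLC", "1 Example Plaza, Springfield, CA 90000",
                      "+1-555-010-0001", "ops@acme-widgets.example")
```

Run `validate(FRAUD)` and `verify(FRAUD)` side by side: the first returns True for every field, the second flags the mail-drop address, the mismatched caller-ID name and the breached email.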
  6. WHAT DOES LEGITIMATE LOOK LIKE?
     • Registered: city, county, state, country
     • Pays taxes
     • Not owned by extraterrestrials
     • Credible Website
     • Phone number, address, email
     • Not a digital gypsy

  7. IS STRIPE LEGIT?
     • Do they have a website?
       • What is its credibility?
       • Ownership history
       • Registration with stolen information
     • Is the business registered?
       • Foreign Stock?!
     • Do they have a physical office?
       • California: Palo Alto, San Francisco, San Diego
       • Australia +61 ?!
       • Switzerland +41 ?!

  8. DOES STRIPE HAVE A WEBSITE?
     • Yes https://stripe.com/
     • Is it owned by aliens?
       • 1995 goodeye@*****.com Robert Cooley (858)###-##41 (LL) Stripe Software Solutions
       • 2007 Ben Haylock (760)###-##07 QuickSource, Inc. San Diego, CA +61 4######16
       • 2010-12-23 Patrick Collison, HGSC, Palo Alto, CA +41 5#####39
       • 2010-12-25 Name, Address, Phone change (650) ### - ##76

  9. IS STRIPE REGISTERED? There’s that Patrick guy again

  10. IS STRIPE REGISTERED?

  11. DOES STRIPE HAVE A PHYSICAL OFFICE?

  12. POP QUIZ: PHYSICAL OFFICE?
     • 660 4th St., Ste 502, San Francisco, CA 94107
     • 460 Brannan St, Ste 1703, San Francisco, CA 94107
     • Have you validated the customer addresses?
     • Have you verified the customer correctly?

  13. RESEARCH TECHNIQUES
     • DOCUMENT – DOCUMENT – DOCUMENT – DOCUMENT
     • Xmind.net: AMAZING MINDMAPS
     • Pivot phone -> type -> caller ID name -> carrier -> domains
     • Pivot email -> other domains -> names -> phones -> addresses
     • Pivot domain -> email -> name -> org
     • Pivot org -> address -> registration
     • Pivot domain -> DNS SOA email
     • Pivot address -> property owner info
     • Pivot name -> voter registration

  14. WHAT DOES LEGITIMATE LOOK LIKE?
     • Registered
     • Pays taxes
     • Not owned by extraterrestrials
     • Credible Website
     • Phone number, address, email that haven’t been stolen/scraped
     • Address is a location where the business operates, not just receives mail
     • Not a digital gypsy

  15. QUESTIONS • Tazz • @GRC_ninja • https://osint.fail