OSINT Fighting Fraud: Going Beyond Validation

Transcript

1. FIGHTING FRAUD: BEYOND VALIDATION By: Tazz @GRC_ninja https://osint.fail

2. OVERVIEW • Verification vs Validation • What does legitimate look

   like? • Is Stripe Legit? • Research Techniques • Summary & Questions

3. VERIFICATION VS VALIDATION • Validation: • have we investigated the

   correct customer information? • Name appears in Google • Address exists per the post office database • Phone has been issued • Email passes a regex check and automated validator • Verification: • have we investigated the customer information correctly? • Name belongs to a “real person” • Address is for a place where the business operates • Phone number is a land line or mobile that matches on name/address • Email is not from pwned dataset

4. VERIFICATION VS VALIDATION • Valid information != Legitimate Business •

   Bad Guy Rule #1 Use valid data to pass automated validation (ex: Angler exploit kit domain registrations, poor winery) • Valid email = stolen in data breach • Valid address = scraped from a site • Valid phone = sales guy business card • Valid name = Twitter pic of a driver’s license

5. VERIFICATION VS VALIDATION Verification • Integrity • Data points viewed

   collectively • Data considered holistically, w/ context • “We have verified the customer’s eligibility status, and validated the information provided in their application.” Validation • Accuracy • Data points checked individually • No context • “We have validated the applicant’s information, however we are unable to verify the customer is eligible for our services.”

6. WHAT DOES LEGITIMATE LOOK LIKE? • Registered: city, county, state,

   country • Pays taxes • Not owned by extraterrestrials • Credible Website • Phone number, address, email • Not a digital gypsy

7. IS STRIPE LEGIT? • Do they have a website? •

   What is its credibility? • Ownership history • Registration with stolen information • Is the business registered? • Foreign Stock?! • Do they have a physical office? • California: Palo Alto, San Francisco, San Diego, • Australia +61 ?! • Switzerland +41 ?!

8. DOES STRIPE HAVE A WEBISTE? • Yes https://stripe.com/ • Is

   it owned by aliens? • 1995 goodeye@*****.com Robert Cooley (858)###-##41 (LL) Stripe Software Solutions • 2007 Ben Haylock (760)###-##07 QuickSource, Inc. San Diego, CA +61 4######16 • 2010-12-23 Patrick Collison, HGSC, Palo Alto, CA +41 5#####39 • 2010-12-25 Name, Address, Phone change (650) ### - ##76

9. IS STRIPE REGISTERED? There’s that Patrick guy again

10. IS STRIPE REGISTERED?

11. DOES STRIPE HAVE A PHYSICAL OFFICE?

12. POP QUIZ: PHYSICAL OFFICE? • 660 4th St., Ste 502,

    San Francisco, CA 94107 • 460 Brannan St, Ste 1703, San Francisco, CA 94107 • Have you validated the customer addresses? • Have you verified the customer correctly?

13. RESEARCH TECHNIQUES • DOCUMENT – DOCUMENT – DOCUMENT – DOCUMENT

    • Xmind.net  AMAZING MINDMAPS • Pivot phone -> type -> caller ID name -> carrier -> domains • Pivot email -> other domains -> names -> phones -> addresses • Pivot domain -> email -> name -> org • Pivot org -> address -> registration • Pivot domain -> dns SOA email • Pivot address -> property owner info • Pivot name -> voter registration

14. WHAT DOES LEGITIMATE LOOK LIKE? • Registered • Pays taxes

    • Not owned by extraterrestrials • Credible Website • Phone number, address, email  that haven’t been stolen/scraped • Address is a location where the business operates, not just receives mail • Not a digital gypsy

15. QUESTIONS • Tazz • @GRC_ninja • https://osint.fail