Author: Bryan Fite
May 2007
Editor’s Note: This is the first of a two part series.
The advent of the World Wide Web has provided many new and innovative ways for organizations to conduct business. It has also exposed organizations to new and innovative forms of trademark & brand abuse.
Corporate Identity Fraud can be defined as the abuse of traditional and non-traditional identity assets with the intent to divert, deceive or defraud consumers.
Trademarks and brands are traditional corporate identity assets. Trademark enforcement and brand protection programs are governed by legal precedent and legacy business procedures. These mature practices rest on very narrow criteria; the litmus test is simply whether a given abuse is “actionable”. That approach is no longer adequate because it is steeped in the “brick and mortar” world of the recent past. In the new marketplace, many assets are not kept in bank vaults or protected by fences and guards, and standards of conduct and laws are not universally defined or enforced.
Organizations have created new non-traditional corporate identity assets by embracing the Internet. Websites, domain names, email addresses and subscribers are just a few of these new assets. It is imperative that they be afforded protection commensurate with their value. Any comprehensive trademark and brand protection program must address these evolving threats.
Threats
Trademarks, brands, logos, mascots, registered domains, email addresses and even key personnel can all be classified as Corporate Identity Assets. Once viewed as an asset, we can use traditional risk assessment techniques to identify our exposure and formulate an appropriate response.
In order to determine the residual risk within an existing program, or to define the requirements for a new one, it is important to understand the threat landscape: all of the known “bad things” that COULD happen to a corporate identity asset.
Spoofing is the electronic impersonation of an IP address, email address or other electronic identity asset. Its purpose is to deceive, so its use is almost always malicious.
Example: A forged email, apparently from the recipient’s boss’s boss, asks the recipient to take some action. If the victim carries out the action, the fraud attempt has succeeded. This type of fraud is not new and can also be executed over fax, telephone, paging and other channels. It is highly effective and, because the From header of an email is trivially forged, requires little skill to execute.
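As an added illustration (not part of the original article), the following Python check flags the forged “boss’s boss” message described above by comparing the header From address against the envelope sender recorded in Return-Path, the Reply-To address and a list of executive display names. The organisation domain, the executive list and the three sample messages are constructed for this example.

```python
"""Added example: detect a forged executive email from its headers.
Not from the original article; the domain, executive names and sample
messages below are constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation mail domain and the executives an attacker is most
# likely to impersonate (display name -> their real address).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"Pat Chief": "pat.chief@example.com"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> list:
    """Return the reasons the message looks spoofed; an empty list means
    none of the three checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reasons = []

    # 1. A known executive's display name paired with an address that is
    #    not theirs: the classic look-alike From header.
    if display in EXECUTIVES and from_addr.lower() != EXECUTIVES[display]:
        reasons.append(f"display name '{display}' with foreign address {from_addr}")

    # 2. Header From claims our domain, but the envelope sender (stamped into
    #    Return-Path by the receiving mail server) is somewhere else.
    if _domain(from_addr) == ORG_DOMAIN and envelope and _domain(envelope) != ORG_DOMAIN:
        reasons.append(f"From domain {ORG_DOMAIN} but envelope sender {envelope}")

    # 3. Reply-To quietly steers the victim's answer to a third party.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        reasons.append(f"Reply-To {reply_to} differs from From domain")
    return reasons


# Constructed sample messages.
LEGITIMATE = """\
From: Pat Chief <pat.chief@example.com>
Return-Path: <pat.chief@example.com>
To: staff@example.com
Subject: Q2 numbers

Thanks for the report.
"""

LOOKALIKE_ADDRESS = """\
From: Pat Chief <pat.chief@examp1e-mail.com>
Return-Path: <bounce@examp1e-mail.com>
To: staff@example.com
Subject: Urgent wire transfer

Please process the attached wire before close of business today.
"""

FORGED_FROM = """\
From: Pat Chief <pat.chief@example.com>
Return-Path: <bounce@mailer.attacker.invalid>
Reply-To: pat.chief.office@webmail.invalid
To: staff@example.com
Subject: Need your help with something confidential

Reply to this address only.
"""

if __name__ == "__main__":
    for name, sample in [("legitimate", LEGITIMATE),
                         ("lookalike", LOOKALIKE_ADDRESS),
                         ("forged", FORGED_FROM)]:
        print(name, analyze(sample) or "clean")
```

Return-Path is written by the receiving mail server, so the envelope comparison is only meaningful when the check runs at the mail gateway rather than on a message the user has forwarded. SPF (RFC 4408) is the standardized form of check 2; check 1 catches the look-alike domains that SPF, which only vets the sending domain's own policy, cannot.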
Phishing is the indiscriminate distribution of forged messages designed to lure recipients to a fraudulent site or into revealing information. Criminals also run highly targeted campaigns that do not send email to unrelated targets; this variant is called “Spear Phishing”. These scams sometimes use malicious software, called “Crimeware”, to capture privileged information or to take command and control of a victim’s computer. Keyboard loggers are a favorite piece of Crimeware: by recording each keystroke, the criminal obtains passwords and other privileged information.
Pharming is the practice of creating a forged website or other online forum designed to deceive the potential victim. Strictly, the term denotes diverting victims to such a site by tampering with name resolution (the hosts file or DNS) rather than luring them with a message, but the forged site is the common element. By impersonating a trusted partner, criminals trick victims into revealing privileged information: social security numbers, addresses, birth dates, passwords, bank account numbers and/or credit card numbers.
Example: An attacker registers a dot com domain name that is a variation or misspelling of a trusted Corporate Identity Asset; in this case, a home banking service is impersonated. Legitimate users of the service are duped into believing that the bogus site is genuine, and the usernames and passwords they enter are captured at the bogus site.
This is a highly effective attack because the bogus website can be an exact duplicate of the real one. It can even broker transactions between the victim and the legitimate website, so the attacker compromises sensitive information without the victim becoming suspicious and reporting the problem to the trusted partner’s help desk. This technique is commonly referred to as a “Man-in-the-Middle” attack. The only reliable tell is the address bar: the domain, and any certificate presented for it, belong to the attacker rather than to the bank.
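Brand owners counter the misspelled-domain attack above by enumerating the look-alike names an attacker could register and either registering them first or watching for them to appear. The following Python generator is an added example, not part of the original article; the brand domain “homebank.com” is a constructed placeholder, and it goes slightly beyond the text by covering several misspelling classes (omission, doubling, transposition, hyphenation, homoglyph substitution and alternative TLDs) rather than a single variation.

```python
"""Added example: enumerate look-alike domains of the kind used in the
home-banking example, so a brand owner can register or monitor them.
Not from the original article; the brand domain is a constructed example."""
import socket

# Characters an attacker swaps because they look alike in common fonts.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}
ALT_TLDS = ("com", "net", "org", "biz", "info")


def typosquat_variants(domain: str) -> set:
    """Return candidate look-alike registrations for a brand domain."""
    name, _, tld = domain.lower().rpartition(".")
    labels = set()
    for i in range(len(name)):
        labels.add(name[:i] + name[i + 1:])                # omission: hmebank
        labels.add(name[:i] + name[i] * 2 + name[i + 1:])  # doubling: hommebank
        if name[i] in HOMOGLYPHS:                          # homoglyph: h0mebank
            labels.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
        if i:                                              # hyphenation: home-bank
            labels.add(name[:i] + "-" + name[i:])
        if i < len(name) - 1:                              # transposition: hoembank
            labels.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    labels.discard(name)                                   # never list the real name
    out = {f"{label}.{tld}" for label in labels if label}
    out |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}   # wrong TLD: homebank.net
    return out


def resolves(domain: str) -> bool:
    """True if the candidate currently has an address record. This is a
    network call; a look-alike that resolves is the one to investigate first."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for cand in sorted(typosquat_variants("homebank.com")):
        print(cand)
```

The output is a watch list, not an action list: many of these names will be unregistered or held by unrelated, legitimate parties. A simple daily loop over the candidates with resolves() turns the list into an alert when a previously dead name starts answering.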
In addition, criminals use Spyware and malicious Adware to modify the victim’s hosts file or to tamper with DNS queries or responses. This lets them divert victims from the legitimate partner site to a compromised site under the criminal’s control. According to scans performed by AOL/NCSA in support of their recent study, 61% of all respondents had some form of Spyware or Adware installed on their computer.
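The hosts-file and DNS diversion just described leaves a checkable trace: the address a brand name resolves to either lies in the brand’s published address space or it does not. The following Python script is an added example (not from the original article) that parses a hosts file for entries hijacking a monitored brand domain and vets any resolved address against the brand’s known ranges. The domain “homebank.example”, its 198.51.100.0/24 range and the hosts-file contents are constructed for illustration.

```python
"""Added example: find hosts-file entries that hijack a monitored brand
domain, and vet a DNS answer against the brand's known address space.
Not from the original article; domains, ranges and hosts-file contents are
constructed for illustration."""
import ipaddress

# Assumed: the brand's domain and the address ranges its sites legitimately
# use (documentation prefixes here). Anything else is a diversion.
MONITORED = {
    "homebank.example": [ipaddress.ip_network("198.51.100.0/24")],
}


def monitored_parent(host: str):
    """Return the monitored domain that covers host (or a subdomain), else None."""
    host = host.lower().rstrip(".")
    for dom in MONITORED:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def answer_is_legitimate(host: str, address: str) -> bool:
    """Vet a resolved address (from a hosts file or a DNS reply) for host.
    Hosts outside the monitored set are not judged and return True."""
    dom = monitored_parent(host)
    if dom is None:
        return True
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in MONITORED[dom])


def parse_hosts(text: str):
    """Yield (line number, address, hostname) for each mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split fields
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line; not a mapping
        for host in fields[1:]:
            yield lineno, str(addr), host


def find_hijacks(text: str) -> list:
    """Return (line, host, address) for every hosts entry that points a
    monitored domain somewhere other than its legitimate address space."""
    return [(lineno, host, addr)
            for lineno, addr, host in parse_hosts(text)
            if not answer_is_legitimate(host, addr)]


# Constructed hosts file: line 4 is the kind of entry spyware injects.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# standard entries above, suspicious entries below
::1 localhost
203.0.113.7 www.homebank.example homebank.example  # injected by adware
198.51.100.10 login.homebank.example
192.0.2.5 update.antivirus.example
"""

if __name__ == "__main__":
    for lineno, host, addr in find_hijacks(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {host} -> {addr} (not in legitimate range)")
```

To run it against a real machine, read /etc/hosts (Unix) or %SystemRoot%\System32\drivers\etc\hosts (Windows) and pass the contents to find_hijacks(); answer_is_legitimate() serves the same purpose for an address obtained from a DNS query. Note that a hosts entry pointing a brand name at a legitimate address is still unusual, since nothing normally pins a bank's name locally, and a stricter deployment would flag any entry for a monitored domain.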
