Category Archives: Investigating on the internet

Industrialized Theft

In at least one way you have to hand it to Ethically Challenged, Inc.;  it sure knows how to innovate, and the recent spate of ransomware attacks proves they also know how to make what’s old new again. Although society’s criminal opponents engage in constant business process improvement, they’ve proven again and again that they’re not just limited to committing new crimes from scratch every time. In the age of Moore’s law, these tasks have been readily automated and can run in the background at scale without the need for significant human intervention. Crime automations like the WannaCry virus allow transnational organized crime groups to gain the same efficiencies and cost savings that multinational corporations obtained by leveraging technology to carry out their core business functions. That’s why today it’s possible for hackers to rob not just one person at a time but 100 million or more, as the world saw with the Sony PlayStation and Target data breaches and now with the WannaCry worm.

As covered in our Chapter’s training event of last year, ‘Investigating on the Internet’, exploit tool kits like Blackhole and SpyEye commit crime “automagically” by minimizing the need for human labor, thereby dramatically reducing criminal costs. They also allow hackers to pursue the “long tail” of opportunity, committing millions of thefts in small amounts so that (in many cases) victims don’t report them and law enforcement has no way to track them. While high-value targets (companies, nations, celebrities, high-net-worth individuals) are specifically and individually targeted, the way the majority of the public is hacked is by automated scripted computer malware, one large digital fishing net that scoops up anything and everything online with a vulnerability that can be exploited. Given these obvious advantages, as of 2016 an estimated 61 percent of all online attacks were launched by fully automated crime tool kits, returning phenomenal profits for the Dark Web overlords who expertly orchestrated them. Modern crime has become reduced and distilled to a software program that anybody can run at tremendous profit.

Not only can botnets and other tools be used over and over to attack and offend, but they’re now enabling the commission of much more sophisticated crimes such as extortion, blackmail, and shakedown rackets. In an updated version of the old $500 million Ukrainian Innovative Marketing solutions “virus detected” scam, fraudsters have unleashed a new torrent of malware that hold the victim’s computer hostage until a ransom is paid and an unlock code is provided by the scammer to regain access to the victim’s own files. Ransomware attack tools are included in a variety of Dark Net tool kits, such as WannaCry and Gameover Zeus. According to the ACFE, there are several varieties of this scam, including one that purports to come from law enforcement. Around the world, users who become infected with the Reveton Trojan suddenly have their computers lock up and their full screens covered with a notice, allegedly from the FBI. The message, bearing an official-looking large, full-color FBI logo, states that the user’s computer has been locked for reasons such as “violation of the federal copyright law against illegally downloaded material” or because “you have been viewing or distributing prohibited pornographic content.”

In the case of the Reveton Trojan, to unlock their computers, users are informed that they must pay a fine ranging from $200 to $400, only accepted using a prepaid voucher from Green Dot’s MoneyPak, which victims are instructed they can buy at their local Walmart or CVS; victims of WannaCry are required to pay in BitCoin. To further intimidate victims and drive home the fact that this is a serious police matter, the Reveton scammers prominently display the alleged violator’s IP address on their screen as well as snippets of video footage previously captured from the victim’s Webcam. As with the current WannaCry exploit, the Reveton scam has successfully targeted tens of thousands of victims around the world, with the attack localized by country, language, and police agency. Thus, users in the U.K. see a notice from Scotland Yard, other Europeans get a warning from Europol, and victims in the United Arab Emirates see the threat, translated into Arabic, purportedly from the Abu Dhabi Police HQ.

WannaCry is even more pernicious than Reveton though in that it actually encrypts all the files on a victim’s computer so that they can no longer be read or accessed. Alarmingly, variants of this type of malware often present a ticking-bomb-type countdown clock advising users that they only have forty-eight hours to pay $300 or all of their files will be permanently destroyed. Akin to threatening “if you ever want to see your files alive again,” these ransomware programs gladly accept payment in Bitcoin. The message to these victims is no idle threat. Whereas previous ransomware might trick users by temporarily hiding their files, newer variants use strong 256-bit Advanced Encryption Standard cryptography to lock user files so that they become irrecoverable. These types of exploits earn scores of millions of dollars for the criminal programmers who develop and sell them on-line to other criminals.

Automated ransomware tools have even migrated to mobile phones, affecting Android handset users in certain countries. Not only have individuals been harmed by the ransomware scourge, so too have companies, nonprofits, and even government agencies, the most infamous of which was the Swansea Police Department in Massachusetts some years back, which became infected when an employee opened a malicious e-mail attachment. Rather than losing its irreplaceable police case files to the scammers, the agency was forced to open a Bitcoin account and pay a $750 ransom to get its files back. The police lieutenant told the press he had no idea what a Bitcoin was or how the malware functioned until his department was struck in the attack.

As the ACFE and other professional organizations have told us, within its world, cybercrime has evolved highly sophisticated methods of operation to sell everything from methamphetamine to child sexual abuse live streamed online. It has rapidly adopted existing tools of anonymity such as the Tor browser to establish Dark Net shopping malls, and criminal consulting services such as hacking and murder for hire are all available at the click of a mouse. Untraceable and anonymous digital currencies, such as Bitcoin, are breathing new life into the underground economy and allowing for the rapid exchange of goods and services. With these additional revenues, cyber criminals are becoming more disciplined and organized, significantly increasing the sophistication of their operations. Business models are being automated wherever possible to maximize profits and botnets can threaten legitimate global commerce, easily trained on any target of the scammer’s choosing. Fundamentally, it’s been done. As WannaCry demonstrates, the computing and Internet based crime machine has been built. With these systems in place, the depth and global reach of cybercrime, mean that crime now scales, and it scales exponentially. Yet, as bad as this threat is today, it is about to become much worse, as we hand such scammers billions of more targets for them to attack as we enter the age of ubiquitous computing and the Internet of Things.

RVACFES May Event Sold Out!

Liseli_2

On behalf of the Central Virginia Chapter and our partners the Virginia State Police and national ACFE, our Chapter officers would like to thank each of you, all our Chapter members and training attendees who made our May Event such a resounding success!  Taught by Liseli Pennings, Deputy Training Director for the ACFE, ‘Investigating on the Internet – Research Tools for Fraud Examiners’ presented a treasure trove of information for the effective utilization of hundreds of readily available on-line resources and tools to support every step of even the most complex fraud investigation and subsequent prosecution.

Liseli_1As the course makes clear, investigations today can be undertaken solely through the investigative resources a computer offers. But there are so many tools available to a fraud examiner beginning an online investigation that it can be difficult to sort out the applicable resources. By better understanding computer and Internet media, examiners can more efficiently conduct investigations and save valuable time and money. While fraud examiners can easily begin searching the Internet without a plan, they will benefit if they develop a strategy prior to conducting a search. Employing a focused search strategy can save time, maintain direction, and make better use of resources.

Liseli presented two analytical techniques designed to analyze the following in an investigative scenario:

SWOT Analysis

— Strengths
— Weaknesses
— Opportunities
— Threats

The SWOT methodology can help professionals achieve the goals of a due diligence investigation or when evaluating a company or person. SWOT is also suited for investigating a product, market, organization, or business venture. Additionally, investigations that entail comparing financial aspects to other companies or markets, such as analyzing one small business or cost in relation to the competition, can benefit from this type of analysis. If an investigator is conducting a search on an individual, it provides analysis into life aspects and characteristics of the person. This method can also be used to conduct a risk assessment that details what an organization can and cannot do, as well as alert the examiner to potential threats and opportunities.

CARA Analysis

Commonly used by law enforcement and private investigators to develop information on a subject, the CARA method analyzes:

— Characteristics
— Associations
— Reputation
–Affiliations

This type of analysis can be used to gain an understanding of an individual rather than a company.

Electronic evidence can change with usage and be altered by improper or purposeful mishandling and storage. Electronic evidence such as social media pages and blog posts can be deliberately removed or altered. Examiners should never assume that a website or post that was available one day will be there the next. Capturing information as it is found is essential because the subjects of an investigation often delete websites and social media profiles. Web pages can be preserved by selecting print screen and pasting the screen capture into a document. When possible, examiners should capture the time, date, time zone, or any other information that can prove when or where data was captured. Not doing so could lead to timeline inconsistencies and contradict alibis when used as evidence and could result in evidence being dismissed due to inaccuracies. It could also affect the examiner’s credibility and negatively impact the case if brought to trial.

When using public and paid-access databases to conduct research, it is important to determine the age of the information. If the date that the information was aggregated is not listed, examiners should look for other sources of information that do include dates.  Examiners must recognize that there are often delays in the reporting and dissemination of information from the sources used by these types of databases.

Some state or local databases might only compile information from certain cities or counties. Examiners who do not find the information they are looking for on a particular site might believe that the information does not exist or that the subject does not have an arrest record when in fact the jurisdiction in question is not included on that site or database. For this reason, it’s important to gain an understanding of exactly which jurisdictions a database covers and what type of information it provides. Determining how long the website or database retains information is also important. Some only retain information for a certain period of time (e.g., five, ten, or twenty years). Furthermore, many databases archive their records after a set number of years to allow faster searches on current information. In such cases, the examiners should search the archived database for information, try another source, or hire a service to conduct a manual record search at the local level. Examiners should avoid the assumption that a lack of records means that an incident did not occur when in fact the database simply might not have the records the examiners need.

Most websites and databases have disclaimers and disclosure statements that users should thoroughly review. Some public and paid databases contain disclosure statements informing users that the subject is notified when someone searches for their information. One such example is when credit header or certain background information is accessed online. The person to whom the information belongs is usually notified when searches pertaining to credit information are conducted with permission by an employer, but notifications can also be enacted when searching other databases for basic information. This could have a significant impact on an investigation. Disclosure practices vary from company to company and across various jurisdictions. It is crucial that examiners review all disclaimers as they will often indicate when the database was last updated or caution that information is not always current or accurate. As such, all information found online should be corroborated for accuracy and all disclaimers should be read thoroughly. Another important legal aspect to consider regarding public and private databases is the dissemination clause-if one exists. Finally, there can be legal ramifications for disseminating third-party information to attorneys or courts, or for using information compiled from certain sources. Sometimes permission is required before disclosing information. Therefore, it is important to read all legal notices and consult an attorney if unsure how to proceed.

Again, our thanks go out to all for making this May event one of our most informative and successful ever!

Before It Happens

tone-at-the-topRegister Today for Investigating on the Internet May 18-19 2016 RVACFES Seminar!

An attendee at our summer seminar on fraud prevention last year, reported that she had become quite discouraged by the amount of in-house fraud her auditors were detecting among the employees of the overseas subsidiary of her non-profit organization.  She asked our speaker, Chris Rosetti, what he would recommend to head off what seemed like a growing number of defalcations that were costing her firm large amounts of time and money to investigate and, in some case to prosecute.   Chris told her it was always motivation that drives employees to commit fraud, and that motivation can take many forms, ranging from family needs or a desire to keep up with a colleague’s lifestyle. Often, employees’ motivation to commit fraud depends on how they perceive they’re being treated by their employers. Nevertheless, there are many ways any management can minimize employees’ motivation to commit fraud. Some common methods include increasing morale, implementing employee support programs, creating a culture of high ethical standards, rewarding loyalty, establishing an open-door policy,  and reducing pressures to make the numbers.

Fraud occurs less frequently when individuals feel positively about their employers than when they feel abused, threatened, or ignored. Negative workplace environments diminish morale and can affect employees’ attitudes about committing fraud. Employees who consider themselves to be unfairly treated are more prone to commit fraud. Accordingly, increasing employee morale can be a powerful tool in decreasing employees’ motivation to commit fraud.  Chris recommended that our questioner’s management might consider steps like the following, relatively low cost ways to boost employee morale in the overseas subsidiary …

–Provide organization-sponsored social events;
–Routinely recognize employees for good work and make the recognition a big deal, taking time to really celebrate accomplishments;
–Offer flexible work arrangements to the greatest extent possible;
–Exhibit a strong ethical tone at the top;
–Engage individual contributors in the decision-making process;
–Listen closely to employee grievances and settle them as soon as possible;
–Tune into employees’ emotional needs;
–Offer competitive compensation and benefits;
–Show employees the results of their work.

Chris went on to emphasize that competitive compensation and benefits are especially important for increasing employee morale. Perceived inequities between a home office and a subsidiary in compensation and benefits policies can contribute to fraud, and less-than competitive compensation is always a negative factor that can increase the risk of fraud. The ACFE reports that employees who feel adequately compensated for their work are less likely to commit fraud against their employers. Management should compare its organization’s compensation structure with those of their competitors to ensure that their employees are not underpaid.

On the flip side management should reduce the following factors, which the ACFE has identified as detracting from a positive work environment:

–Top management who do not seem to care about or reward appropriate behavior;
–Negative feedback and lack of recognition for job performance;
–Perceived inequities in the organization;
–Autocratic rather than participative management;
–Low organizational loyalty or feelings of ownership;
–Unreasonable budget expectations or other financial targets;
–Fear of delivering bad news to supervisors or management;
–Less-than-competitive compensation;
–Poor training and promotion opportunities;
–Lack of clear organizational responsibilities;
–Poor communication practices or methods within the organization.

Chris went on to say that many organizations have begun to realize the benefit of employee support programs. Support programs are designed to help employees cope with personal problems that might motivate them to commit fraud or adversely affect their work performance, health, and well-being. These programs generally include assessment, short-term counseling, and referral services for employees or their family members.

These programs can provide support for a range of issues, including:

–Substance abuse;
–Emotional distress;
–Major life events, including births, accidents, and deaths;
–Health care concerns;
–Financial or legal concerns.

If organizations can offer employees a means to address such issues, they might be able to prevent fraud by those who are suffering. Providing safe outlets for coping can reduce an employee’s motivation to commit fraud.
Creating a culture of high ethical standards is a necessary component to any fraud prevention program. That is, management must be committed to preventing fraud, and it must build an ethical environment. The tone at the top, which is created by the organization’s leadership, refers to the ethical (or unethical) atmosphere in the workplace. According to Chris, whatever tone top management sets will have a trickle-down effect on employees. If the tone set by managers upholds ethics and integrity, employees will be more inclined to follow those same values. But if management appears unconcerned with integrity and focuses solely on the bottom line, employees will be more prone to engage in corrupt activities because they feel that ethical conduct is not a focus or priority within the organization.

Organizations that cultivate ethical cultures frequently encompass strong governance practices, such as:

–Free information flow;
–Employee access to multiple layers of management and effective control of a whistleblower hotline;
–Effective senior management team (including chief executive officer, chief financial officer, and chief operating officer) evaluations, performance management, compensation, and succession planning;
–An employee code of conduct that is clear, concise, and communicated;
–A code of conduct specific for senior management.

An ethical organization culture also includes management assurance of ethical considerations in hiring, evaluating, promoting, and earning policies for employees, as well as ethical considerations in all aspects of the entity’s relationships with customers, vendors, and other stakeholders. Ethical organizations will also address issues of ethics and the impact of ethical behavior on their strategies, operations, and long term survival. The level of management’s commitment to these areas varies widely and directly affects the fraud risk profile of an organization.

Rewarding employees for their loyalty might reduce the likelihood of fraud, but this type of morale boosting activity, according to Chris, can be successful only if the organization has an ethical culture. From a fraud prevention point of view, it’s probably more important that management establish an open-door policy to minimize employee pressures. Having an open door policy gives employees an opportunity to voice their concerns and feel heard. Employees who feel empowered and valued as a member of a team might feel a sense of loyalty to their organization and will be less inclined to commit fraud against their employer. Likewise, if employees can speak freely, managers will understand the pressures facing their employees and might be able to eliminate or reduce them.

Finally, Chris recommended reducing the pressures on employees to “make the numbers at any cost”. This alone can reduce the likelihood of fraud. One way to reduce pressures is to provide performance-based compensation rather than profit based or revenue-based compensation. When compared to profit or revenue-based compensation, performance-based compensation-such as bonuses calculated as a function of clearly set performance indicators-can reduce the motivation to cut corners, cheat, or fraudulently make the numbers. In some industries, it’s possible to tie compensation only to sales or profits. When this is done, it’s important to monitor staff performance closely, and management must encourage ethical behavior on a regular basis.

Investigating on the Internet

online-investigationThis May our Chapter, along with our partners the Virginia State Police and national ACFE will be hosting a two day seminar – ‘Investigating on the Internet – Research Tools for Fraud Examiners’.  This in-depth session will be taught by Liseli Pennings, Deputy Training Director for the ACFE.  We’ll begin enrolling students in mid-March, so pencil in the dates, May 18th and 19th!

Fraud examiners now have the ability to gain insights from, and test correlations with, a vast array of investigative relevant information on the Internet, which can be as diverse as suspect competitor information, regulatory filings, and conversations on social media.  Such analytics can provide CFE investigators with a variety of capabilities from investigative planning and risk assessment to fieldwork. They also enable fraud examination practitioners to provide clients with more compelling information about every experienced fraud.

Internet based investigation tools can be classified into three broad categories:

–Retrospective statistical analysis, used to gain deeper insight into important sub-processes in financial and operational areas related to the investigation subject.

–Forward-looking models, built to predict which areas of the business are riskier or simply require a greater level of fraud prevention focus.

–Advanced visualization analytics, used to help transform the investigation by providing deep analytical insights and actionable information through visual tools like interactive charts and dynamic graphics. In short, investigation on the internet has rapidly evolved from simply allowing CFE’s the ability to provide perspective in hindsight to helping them assemble rich digital views of the present investigative situation. Investigative, internet based analytics provide investigators with the potential to dramatically increase the value of the insights they can provide clients at every level of the examination from evaluation of business risks, to suspect analysis, and on to prosecutorial issues and challenges.

The first step in deploying internet based investigative tools effectively is determining the exact fraud scenario that needs to be addressed – what are the features constituting the scenario under review? Once specific fraud features have been identified, on-line analytical capabilities can be used to source facts, drive understanding, and generate knowledge by addressing three general questions:

–What data can be leveraged to enhance understanding of the exact fraud scenario and improve the performance of its investigation? It’s important to understand the source of the on-line data available and the systems and processes that produce it. Effective data evaluation by the examiner supports the accuracy, completeness, and reliability of the data used in her investigation.

–What is known about the general type of business processes related to the fraud?

–Exactly what fraud scenario is suspected to have transpired and why? What steps should be taken by the client immediately?

Canny use of the internet by the trained investigator can play an important role in answering these questions with a view to optimizing immediate investigative performance. The knowledgeable examiner can frequently look at on-line data from within the organization and outside it, with a focus on patterns, data mining and optimization, data visualization, advanced algorithms, neural analysis, and social networks.

These data can provide powerful insight into every aspect of our cases under investigation. In addition to examination field-work one of the most important uses of internet based investigative tools is to enhance fraud risk management. Analytics available on-line from the ACFE and others help provide a clearer understanding of risks and furnish insights as to how they can be mitigated. Ultimately, the objective is to develop and implement an analytical capability that provides the individual CFE with greater insight into the control failures associated with each major category of fraud. A second important use for internet analytics is to develop a deeper understanding of common fraud related issues. Once a potential issue has been identified, analytics can source the facts (e.g., what does the data tell us about the issue?), drive understanding of the facts (e.g., what has happened?), and generate knowledge (e.g., why did it happen?) to ultimately build a more complete presentation of fraud report findings. A third area for CFE’s to consider is how to leverage the use of the analytics performed for the fraud examination for use by the client throughout their organization. In this regard, the CFE’s report can become an important change agent, driving fraud prevention insights throughout the organization. Business managers and leaders of other organizational risk functions have a need to understand fraud risks and the correlations between data. In many cases, fraud investigative tools developed for use during a fraud examination can evolve into valuable fraud prevention tools and ownership can be transferred to business or functional leaders for ongoing use.

Consider keeping the following in mind when using internet based investigative tools in your investigation:

–Establish a clear understanding of what you’re trying to achieve in your investigation and ensure a linkage to examination planning. This should translate into defined objectives that drive the strategy and long-term vision for the use of the tools as well as surface near-term opportunities.

–Know the data.  It’s important for examiners to understand both the data they have and the data they don’t have when determining how and where to begin using the internet as an investigative tool. This knowledge also prioritizes efforts to collect what’s missing for future analyses and for enhancements to the data driven investigative program.

–Start with a targeted, ad hoc program which will likely yield greater benefits in terms of speeding insights, learning, and long term value. Take the time to learn first and then deploy necessary capabilities across your tool kit.

–Lever existing cumulative insights. These ever building insights may provide clues related to the risks and related fraud scenarios to start with, jump-starting the investigative program and build consistency with prior initiatives.

–Take steps to develop a written plan early on in every examination to take action and measure results accurately. Don’t forget that the client organization, systems, and processes that support fraud response and control remediation must be able to take action working with the insights that your final report provides.

Fraud examiners stand at the beginning of a new era in the use of internet based data to enhance the entire fraud examination life cycle. Taking the steps outlined above can help individual practitioners realize gains in effectiveness and efficiency while providing enhanced investigative services.

Please make plans to join your fellow RVACFE Chapter members and guests for an outstanding learning experience on May 18th and 19th.  You won’t be disappointed!