Without a Trace - High Desert Bank

Without a Trace
June 2013
Fraudsters have found a way to use a well-intended service to divert banking-related confirmation emails while also covering their tracks. As part of financial fraud schemes, they are using “disposable email addresses” to redirect emails without having to compromise the victims’ email accounts.

Case Background

Disposable email addresses (DEAs) increasingly are being used by consumers to avoid unwanted email and spam. Consumers use DEAs when registering for an online service or purchasing a product so they can get the confirmation email without receiving any additional emails that may follow. DEA mailboxes are created automatically when mail is received, without any registration or additional information about the person creating the address. All that’s needed to retrieve email is the email address itself. And fraudsters, as is their nature, have found a way to turn this service to their advantage.

Fraud Incident Details

Fraudsters use DEAs to divert email alerts in a way that makes it harder for financial institutions and law enforcement to track them. DEAs are an alternative to compromising the victim’s legitimate email account for fraud schemes that require the fraudster to have control over email alerts. Here’s a typical attack that would use such an email address. The fraudster:

1. Researches a financial institution’s policies and procedures to learn the types of transactions that are confirmed via email.
2. Compromises an online account through any one of a number of schemes designed to capture login credentials.
3. Changes the email associated with the victim’s account to a disposable address that they have created, typically one that would not look suspicious, such as changing <victim_name>@yahoo.com to <victim_name>@mailinator.com.
4. Initiates a transaction, such as a wire transfer, that generates a confirmation email.
5. Receives and responds to the confirmation email, causing the financial institution to process the fraudulent payment.

While the above is typical for how fraudsters use DEAs, it is not the only possible scenario. We have observed cases where fraudsters use DEAs any time they want to intercept an alert email, such as when a new payee is added or there’s a change to the phone number or other profile information. After some period of inactivity, the service provider automatically erases the DEA, removing all traces of the email activity.

www.GuardianAnalytics.com
© 2013 Guardian Analytics
Observations and Trends:

There are hundreds of service providers offering such email addresses. While all of these are legitimate businesses, the ones that we have observed that are most often used by fraudsters are listed here, any of which can use multiple extensions, such as .com, .net, .org, .us, and others:

• gmx
• teleworm
• mailinator
• yopmail

As an indicator of the growing popularity of DEAs, we analyzed all confirmed fraud cases that involved a changed email address. Of these, 30% used a disposable email address (based on Guardian Analytics Fraud Intelligence data). So, in nearly 1/3 of all fraud cases where there was a change to the email address, the fraudster used a DEA, which is a significant new fraud trend.

Prevention Tips

• Pay close attention to any changes to email addresses, which account holders typically change very infrequently.
• When you do notice email changes, look for other suspicious activity that could be part of pre-attack reconnaissance or setting up a fraudulent transaction.
• In particular, watch for any disposable email address. It is highly unlikely, therefore highly suspicious, for account holders to use disposable email addresses for their online banking accounts. (list of DEA service providers)

To learn more about DEAs in general (not just as a tool for cyber crime), there’s a good overview on Wikipedia.

Published by: About Guardian Analytics – Guardian Analytics is the leading provider of behavior-based anomaly detection solutions for preventing online, mobile, ACH and wire fraud. Hundreds of financial institutions and millions of account holders are protected by FraudMAP and benefit from our Fraud Intelligence research and expertise.
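The three prevention tips above can be combined into one review rule over account activity. The following is an added example, not Guardian Analytics or FraudMAP code; the event field names, score weights and 72-hour window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Provider names listed on this page, matched under any extension (.com, .net, ...).
DEA_PROVIDERS = {"gmx", "teleworm", "mailinator", "yopmail"}
# Alert-generating activity the page associates with a diverted address.
FOLLOW_UP = {"wire_transfer", "add_payee", "phone_change"}
WINDOW = timedelta(hours=72)  # assumption: correlation window

def is_disposable(address):
    """True if any domain label before the extension is a listed DEA provider."""
    labels = address.rsplit("@", 1)[-1].lower().split(".")
    return any(label in DEA_PROVIDERS for label in labels[:-1])

def review_account(events):
    """Score each email change in one account's time-sorted event list."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "email_change":
            continue
        reasons, score = ["email address changed"], 1  # weights are assumptions
        if is_disposable(ev["new"]):
            reasons.append("new address is at a disposable provider")
            score += 2
            if ev["old"].split("@")[0].lower() == ev["new"].split("@")[0].lower():
                reasons.append("local part kept, only the domain changed")
                score += 1
        later = [e["type"] for e in events[i + 1:]
                 if e["type"] in FOLLOW_UP and e["time"] - ev["time"] <= WINDOW]
        if later:
            reasons.append("followed by " + ", ".join(later))
            score += 2
        findings.append({"account": ev["account"], "score": score, "reasons": reasons})
    return findings

T0 = datetime(2013, 6, 3, 9, 0)
SAMPLE_EVENTS = [  # constructed events, not real account data
    {"account": "A-1001", "time": T0, "type": "login"},
    {"account": "A-1001", "time": T0 + timedelta(minutes=4), "type": "email_change",
     "old": "jdoe@yahoo.com", "new": "jdoe@mailinator.com"},
    {"account": "A-1001", "time": T0 + timedelta(minutes=9), "type": "wire_transfer"},
]
BENIGN_EVENTS = [  # constructed: an ordinary address change with no follow-up
    {"account": "A-2002", "time": T0, "type": "email_change",
     "old": "asmith@yahoo.com", "new": "a.smith@example.org"},
]

if __name__ == "__main__":
    for f in review_account(SAMPLE_EVENTS) + review_account(BENIGN_EVENTS):
        print(f["account"], f["score"], "; ".join(f["reasons"]))
```

Because the listed providers are legitimate businesses, a high score is a reason to hold the transaction for review and contact the account holder through a previously known channel, not proof of fraud.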