Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

By
Services for Real Estate Pros with IDTheftSecurity.com Inc

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

FraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware's Workstation for Windows or VMware Fusion on OSX. It's for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristics can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell, the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?

    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology.

    Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.

     
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?

    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there's really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers.

    Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

     
  3. Is it possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?

    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more.

    FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
     
  4. Any other thoughts?

    It's certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.

Robert is a guest contributor to Stories. He is a Bostonian dedicated to keeping people safe online. Robert speaks and writes extensively about personal security and identity theft. His work has appeared in The New York Times, USA Today, Forbes and Business Week to name just a few. When he's not speaking or writing he enjoys long-distance running and motorcycles, particularly his 1987 Harley-Davidson Low Rider.

Rainmaker
47,214
Youree Lundy
Keller Williams Advantage III Realty - Orlando, FL
Your Realtor For Life

It is naive for any of us to think that any corporation is completely safe, and for us with our internet security programs, even less so.  It is just the world that we are in right now.  Be vigilant about our own accounts as the earlier the detection, the less damage we may have done to us.

Jan 21, 2015 09:31 PM #1
Ambassador
2,752,418
Lenn Harley
Lenn Harley, Homefinders.com, MD & VA Homes and Real Estate - Leesburg, VA
Real Estate Broker - Virginia & Maryland

This is quite above my pay grade.  However, I suspect that each individual Internet user must use normal security precautions for passwords, etc.

A few years back, I ran across a fellow ActiveRain's real estate web site that had been hacked and was full of serious pornography.  She was appalled and got it fixed immediately.

Jan 21, 2015 09:58 PM #2
Robert Siciliano

Realty Security and Identity Theft Expert Speaker