As organizations tighten their online security against hacking, cybercriminals are constantly finding new ways to commit fraud. Ethical hacker and cybercrime investigator Inti De Ceukelaire explains the growing phenomenon of abuseware – and offers some advice to help avoid falling victim.
Until recently, it was relatively cheap and easy to conduct successful large-scale spam email campaigns to defraud the unwary. But by using AI, email providers have raised the bar in terms of being able to differentiate between a legitimate email and a scam. Always in search of the path of least resistance, fraudsters are therefore turning to other means to separate the unsuspecting from their money.
In this context, the misuse and weaponization of legitimate apps and tools for fraudulent or illegal purposes is on the rise. Instead of messaging targets directly with a scam like the classic ‘Nigerian Prince’ email, fraudsters exploit a brand's identity and legitimate features to pass through spam filters and interact with their potential victims. This is abuseware in a nutshell.
An underestimated problem
As the Chief Hacker Officer at bug bounty and vulnerability disclosure platform Intigriti – and a founding member of the Hacking Policy Council – Inti De Ceukelaire is in a prime position to witness what cybercriminals are getting up to. He sees abuseware as the most underestimated issue in online fraud.
“Of course, people are always finding actual vulnerabilities, software bugs that, for example, allow you to talk to a computer and convince it to give you all the data records it has. But then there are also scenarios in which something wouldn't really be classified as a vulnerability. It's a behavior of a system, or you can maybe tweak a behavior in a certain way, but it doesn't really affect the integrity or the confidentiality of that system. However, if you put on the hat of a fraudster or somebody with bad intentions, you can actually do something malicious with it.”
We’ve got a file on you
Perhaps the best-known example of abuseware currently out there is the misuse of file uploads. Many enterprises have some sort of file upload functionality as part of their online presence. Sometimes it is just for uploading a personal photo to a profile; in other cases, users can actually host files. Either way, a fraudster can sometimes find a way to bypass the file size limits and upload larger files than the feature was designed for.
“Now you might say, okay, other than just maybe taking some extra space, why would we care?” comments Inti. “But then a lot of people started abusing that for, for example, hosting malicious phishing sites or content that, if you’re hosting it as a company, could really get you in trouble. So, even though it's an intended functionality, if people are able to abuse it, it can cause a lot of harm to your company.”
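The two controls that close off this kind of abuse are enforcing the size limit on the bytes actually received (not on a client-supplied Content-Length) and serving whatever is stored with a server-determined content type that browsers are not allowed to reinterpret. The following is an added example written for this article, not code from Intigriti or from any company mentioned; the 2 MiB limit, the accepted image formats and the sample bodies are constructed for illustration.

```python
import io

# Constructed limit for this example; a real service sets it per upload feature.
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # 2 MiB

# Leading bytes of the image formats a profile-photo upload should accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


class UploadRejected(ValueError):
    """Raised for any upload the service must refuse to store."""


def read_bounded(stream, max_bytes, chunk_size=64 * 1024):
    """Read the body in chunks and fail the moment it exceeds max_bytes.

    The limit is enforced on the bytes actually received, not on a
    client-supplied Content-Length, so a body that keeps going past its
    declared length cannot slip a larger file through.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return bytes(buf)
        if len(buf) + len(chunk) > max_bytes:
            raise UploadRejected(f"body exceeds {max_bytes} bytes")
        buf.extend(chunk)


def sniff_image_type(data):
    """Return the MIME type implied by the file's own leading bytes, or None."""
    for signature, mime in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def accept_avatar(stream, declared_length=None, max_bytes=MAX_AVATAR_BYTES):
    """Validate an uploaded profile photo; return (bytes, headers to serve it with)."""
    # Cheap early rejection of an honestly oversized upload. Advisory only:
    # the body is still bounded below, because this header can lie.
    if declared_length is not None and declared_length > max_bytes:
        raise UploadRejected("declared length exceeds limit")
    data = read_bounded(stream, max_bytes)
    mime = sniff_image_type(data)
    if mime is None:
        raise UploadRejected("content is not a recognised image format")
    # Serve the file with the type we determined, never the one the client
    # declared, and forbid browsers from sniffing it into something else.
    # A 'photo' whose bytes are really an HTML page is then delivered as a
    # broken image instead of as a phishing page hosted on your domain.
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
        "Content-Disposition": 'inline; filename="avatar"',
    }
    return data, headers


def classify_upload_bytes(body, declared_length=None, max_bytes=MAX_AVATAR_BYTES):
    """Run accept_avatar on in-memory bytes and report the outcome as a dict."""
    try:
        _, headers = accept_avatar(io.BytesIO(body), declared_length, max_bytes)
    except UploadRejected as exc:
        return {"accepted": False, "reason": str(exc), "headers": None}
    return {"accepted": True, "reason": None, "headers": headers}


if __name__ == "__main__":
    # Constructed sample bodies for the example.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
    html = b"<html><script>document.title = 'Sign in'</script></html>"
    oversize = b"\x89PNG\r\n\x1a\n" + b"\x00" * MAX_AVATAR_BYTES
    print(classify_upload_bytes(png))
    print(classify_upload_bytes(html))
    # Declares 100 bytes but sends over 2 MiB: the bounded read catches it.
    print(classify_upload_bytes(oversize, declared_length=100))
```

Note that a JPEG with HTML appended after its signature still passes the sniff check; that is acceptable only because the response headers force the browser to treat it as an image. Serving user-uploaded content from a separate origin (a dedicated domain or bucket) adds a further layer, since anything that does render there cannot borrow your main site's cookies or reputation.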
Taking Uber for a ride
Another use of legitimate apps for nefarious purposes is money laundering. A well-known example exploited the ride-sharing app Uber. The scam involved spoofing GPS signals to two separate phones (one representing the driver, the other the passenger) so that the app believed they were travelling together along legitimate, albeit very long, routes. In fact, both phones were sitting on the fraudster's desk. The perpetrator would then pay the ‘fare’ via Uber with a stolen credit card, and the money would arrive in the ‘driver’s’ account.
“Of course, Uber have since implemented very good measures to prevent this, and it's something that any company can encounter,” says Inti. “But it's just another example of how legitimate companies get involved in fraud. And it's not easy to put in something like a risk assessment matrix or a vulnerability severity scoring system.”
Double booking.com
A third common example, which has recently taken on a new form, is the exploitation of online marketplaces. You probably know someone who has purchased something online that never arrived. However, Inti highlights a growing phenomenon whereby scammers obtain the login credentials of a hotel's account on a site such as booking.com and impersonate that legitimate business for illegal gain. For example, fraudsters send a message via the hotel’s account to guests who have booked a stay at the property, explaining that they need to pay a tourism tax – and helpfully providing a QR code to do so!
“It's something that for most companies wasn't really on the radar. They know that user accounts can get hacked, and they think about the individual impact,” comments Inti. “But they rarely think about the broader ecosystem, where the interaction between your users is essentially being leveraged to conduct a phishing scheme. That is certainly something that we've seen an uptick in over the last few years.”
Inti’s top tips
As someone in daily contact with the behavior and vulnerabilities of both individuals and enterprises online, Inti has some sage advice that goes beyond the more common tips out there.
Separate your professional and personal profile online: Many of us now operate in a hybrid remote working environment where it can be difficult to maintain the dividing line between your professional and private lives. It may seem like a natural extension of having a photo of your kids on your desk to add one as a screensaver on your work laptop. You may even feel comfortable accessing a whole range of personal files through your work computer. However, if your company falls victim to a ransomware attack, your family pictures or personal financial information can also be ransomed, and the company’s problem becomes your personal problem.
Dispose of legacy email addresses properly: Most people change jobs over time, while companies often change their names or merge with other businesses. As a result, company email addresses often become redundant, but they are not always properly retired or deleted. Often these addresses were used to register for third-party services such as Dropbox or Jira, with no two-factor authentication protecting those accounts. In time, the old email domain lapses and becomes available for anyone to register, allowing a fraudster to recreate your address on it, request a password reset from each service, and take over whatever was set up with that email account. CISOs in particular need to be aware of this issue and ensure the necessary procedures are in place to prevent redundant email addresses being exploited in this way: keep ownership of domains that are no longer in active use, and inventory and close the third-party accounts tied to retired addresses.