Digital forensics: how the banks know when you’ve been phished



South African banks – ABSA, in particular – have taken a beating in the press over the last few months. At the centre of the most recent outrage was the SIM-swap scam, in which customers had their accounts drained, some to the tune of hundreds of thousands of rands. The epidemic seemed unstoppable, and neither of the two parties involved, ABSA and MTN, could give a clear answer about the cause.

Now that it’s all but behind us, we know what was involved and who was to blame. But what about the victims?

For those who lost money there was often no recourse. The banks have policies in place that protect them, simply because it’s impossible to insure the billions of rands kept in all those accounts. Those policies – part of the internet banking terms and conditions – stipulate that users must secure their login details, their data transmission and any other factors under their control. Basically, if you’ve been reckless with your internet banking credentials, you are the only one to blame.

And it’s easy to find out, too.

When the SIM-swap cases at ABSA and the other financial institutions reached critical mass, the highly technical nature of the attacks meant that an external forensics firm, Cyanre, was asked to help investigate.

With expertise in digital crime and forensics, its team of computer experts was bound to find answers. Some banking customers were certain their computers were free of malware; others insisted they had never once clicked on a link in a phishing email.

To get the real answers, the banks sent the computers of those affected to Cyanre’s data forensics analysts, so that an independent body working to international standards could review the evidence without bias. The drives were imaged in a clean environment, with the source drives left unmodified, and the images were scanned for deleted files and traces of malware.

Cyanre’s managing director, Danny Myburgh, says that in 15 to 20% of cases it’s possible to run up to four different virus and malware scanners over a hard drive without finding anything – far more checking than the average computer user ever does. Even then, the analysts dug deeper and found malware that had gone undetected: malware that sat quietly logging activity as users typed in their passwords and details for internet banking.

In some of those cases the banks could reimburse clients for the money they’d lost, though it is still up to the banks to determine whether negligence was a factor, and whose.

Other cases required more extensive sleuthing. Technicians can recover deleted information from email archives and internet browsing histories, and through this, and many hours of joining the dots, they can pinpoint the exact moment a user clicked on a phishing link in an email.
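What “pinpointing the exact moment” looks like in practice, as an added example that is not Cyanre’s tooling or method: the script below builds a Chrome-style History database (the `urls` and `visits` tables, with WebKit timestamps in microseconds since 1601) from constructed rows, then walks the visit chain to find when a lookalike banking site was reached from a webmail page. All hostnames and times are hypothetical. On a real image the analyst would open the history file recovered from the drive instead, and rows the browser has already deleted would have to be carved from the SQLite freelist pages, which this example does not do.

```python
"""Pinpointing the phishing click in a recovered browser history.

Added example, not Cyanre's method: it builds a Chrome-style History
database (tables `urls` and `visits`, WebKit microsecond timestamps) from
constructed rows, then walks the visit chain to find the moment a
lookalike banking site was reached from a webmail page.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TRANSITION_LINK = 0  # Chrome core transition types: 0 = LINK, 1 = TYPED


def webkit_to_utc(us: int) -> datetime:
    """WebKit time is microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt: datetime) -> int:
    d = dt - WEBKIT_EPOCH
    # integer arithmetic: the value exceeds 2**53, so float math would round
    return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds


def build_constructed_history() -> sqlite3.Connection:
    """Constructed history (hypothetical hosts): inbox, then a lookalike 'bank'
    reached by clicking a link from the inbox 47 s later, then the real bank
    hours afterwards."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER NOT NULL,
                            visit_time INTEGER NOT NULL, from_visit INTEGER,
                            transition INTEGER);
    """)
    t0 = datetime(2013, 6, 12, 9, 41, 5, tzinfo=timezone.utc)
    rows = [  # (url id, url, title, when, from_visit, transition)
        (1, "https://mail.example/inbox", "Inbox", t0, None, 1),
        (2, "http://absa-online-verify.example/login.php", "Absa Online",
         t0 + timedelta(seconds=47), 1, TRANSITION_LINK),
        (3, "https://www.absa.co.za/", "Absa", t0 + timedelta(hours=3), None, 1),
    ]
    for uid, url, title, when, from_visit, transition in rows:
        wk = utc_to_webkit(when)
        con.execute("INSERT INTO urls VALUES (?,?,?,?,?)", (uid, url, title, 1, wk))
        con.execute(
            "INSERT INTO visits(url, visit_time, from_visit, transition) VALUES (?,?,?,?)",
            (uid, wk, from_visit, transition))
    con.commit()
    return con


def flag_lookalike_visits(con, brand: str, legit_hosts: set) -> list:
    """Return visits to hosts that mention the bank's brand but are not the
    bank, with the page each was reached from and whether a link was followed."""
    q = """
        SELECT u.url, v.visit_time, v.transition, ru.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits rv ON rv.id = v.from_visit
        LEFT JOIN urls ru ON ru.id = rv.url
        ORDER BY v.visit_time
    """
    hits = []
    for url, vt, transition, referrer in con.execute(q):
        host = (urlsplit(url).hostname or "").lower()
        if brand in host and host not in legit_hosts:
            hits.append({
                "when_utc": webkit_to_utc(vt).isoformat(),
                "url": url,
                "referrer": referrer,
                # the low byte of Chrome's transition field is the core type
                "via_link": (transition & 0xFF) == TRANSITION_LINK,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_lookalike_visits(build_constructed_history(), "absa", {"www.absa.co.za"}):
        print(hit)
```

The `from_visit` join is the part that matters in a dispute: it shows the lookalike page was reached by following a link from the webmail session, not typed in, and the WebKit timestamp gives the moment to the microsecond.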

Myburgh says that when users are presented with this information they often recall the circumstances under which they clicked the link and entered their details – honest mistakes, from having a busy day to being distracted while working. In those cases the banks won’t reimburse the money, since it’s classified as a user being careless with their login credentials.

In either case, firms like Cyanre can pull up the digital records, however hidden or obscure, that solve the mystery. The findings of each investigation are put out for peer review by qualified experts – individuals experienced in presenting evidence in the high courts. Any evidence gathered and analysed still has to comply with the ECT Act (the Electronic Communications and Transactions Act), which makes provision for the admissibility of electronic evidence. Ultimately, clients can also get a copy of the report.

Myburgh points out that while banks aren’t obliged to, they’re still assisting clients tremendously by paying for external forensics firms to investigate cases of fraud.

A small consolation for those unfortunate victims who’ve learned a hard lesson, and paid dearly.


SIM-swap fraud explained

The scam starts with a traditional phishing email: the victim clicks a link in the email and enters their banking details on a fraudulent website. With those details in hand, the fraudsters have a target.

With the victim’s details captured, it was then a matter of exploiting a (now-plugged) loophole in MTN’s SIM-swap procedure, which allowed a third party to apply for a SIM swap without the owner of the phone number being present, or even giving consent.

In turn, this gave fraudsters control of the victim’s phone line – the same number that receives a one-time password (OTP) when logging in to internet banking.

With both the banking credentials and the phone number in hand, scammers could log in, receive the OTP and transfer money – all without the account holder being aware.


Cyanre: even your deleted secrets aren’t safe

Located in Centurion, the Cyanre offices are all but hidden in a small office park. Remaining out of sight is perhaps best for the electronic sleuths who work there. Managing Director Danny Myburgh explains his company’s curious name, saying that it’s short for Cyber Analysis and Recovery (pronounced sigh-an-ray). And that is exactly what the company specialises in: digital forensics, often the kind requiring the recovery of data.

Myburgh, who has a police background and once served as commanding officer of the national cybercrime unit, doesn’t look like the policemen you’d encounter on the street or at a police station. Wearing a suit and a pair of glasses, he’s most affable, and comfortably chats about the cases he’s worked, including investigations into child pornography, commercial espionage and even political cases.

After a stint at auditing firm Deloitte & Touche, where he headed up the cyber forensics programme, he started Cyanre – which this year celebrates its 8th birthday.

Now the company has computer emergency response teams (CERTs) it can send to the scenes of crimes where technology is involved. The lead investigator, a forensics expert, gathers untarnished evidence and information. Thereafter, experts in mobile technology, network security and data recovery either consult clients on securing their facilities, or go to the lab and analyse the evidence.

Cyanre also does fraud trend analysis – investigating a number of systems to find clues that link them to one another. For example, a company could have its employee database checked to see whether any workers have interests in, or a history at, competing firms.

The forensics experts employed by Cyanre are usually best-in-field, and the company actively recruits university students and former Hawks investigators, as well as data recovery and networking specialists.

With a staff of just 33, he says they’re always busy – often on very high-profile cases, the details of which he’s reluctant to talk about, or is simply bound by law not to share.

“We assist in child porn investigations – but we don’t get involved unless the police ask us,” he says. In the last year Cyanre has also dealt with four teen suicides where the deceased left no notes. The only evidence in these cases lies in communications with friends, often using Facebook or mobile phones.

“Otherwise, anything where a computer is involved, we’ll investigate,” he says.

“The only cases we don’t get involved in are divorce cases. It gets ugly”.


Tools of the trade

Marius, one of the forensic analysts at Cyanre, walked us through some of the tools used in digital forensics investigations. Their general workstations are used for analysing deleted and recovered data, as well as for running virtual machines.

Cyanre can completely mirror the hard drive of a client’s computer that’s being investigated, to ensure forensic consistency. The image is analysed to find deleted files, internet histories, received emails and password-protected files. It’s even possible to boot the operating system from the image in a virtual machine. This way they can scan for viruses, use the applications on the computer and sift through data as they would on the actual machine – without influencing the evidence.

Mobile phones are increasingly involved in digital crimes, and the mobile toolkit comes with everything needed to rescue (or search for) data on them. Almost all phones can have their memory read by this machine, save for iPhones, which have high-end hardware encryption.

A write-blocker aids in the mirroring of hard drives without manipulating any data on the source drive: it sits between the source drive and the imaging hardware, passing read commands through and blocking writes. Plug in the source drive, with the data that needs to be analysed, and the duplicator copies that drive in its entirety to a new hard drive. The new drive can then be treated as normal while investigators search for digital footprints of deleted files and password-stealing viruses.
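The write-blocker-plus-duplicator workflow above, and the cloning described earlier in the article, reduced to software as an added example (not Cyanre’s tooling): the source is opened read-only, every byte is copied to an image file, and the source and image are hashed with SHA-256 so the examiner can record that the copy is exact, which is the check that makes the image defensible later. A crude string carve over the raw image then shows why “deleted” traces such as a phishing URL still turn up. The drive contents, the file names and the URL are constructed for the example.

```python
"""Forensic imaging with integrity verification and raw URL carving.

Added example, not Cyanre's tooling: a software stand-in for the
write-blocker-plus-duplicator workflow described in the article, run
over a small constructed 'drive' file so it works offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # image in 1 MiB blocks

# Constructed sample: a live file, then remnants of a deleted file that still
# sit in unallocated space. Hypothetical URL, not a real phishing domain.
LIVE_SAMPLE = b"LIVE:statement-2013-06.pdf" + b"\x00" * 64
DELETED_SAMPLE = b"DELETED:https://onlinebanking-verify.example/login.php\r\n" + b"\x00" * 128


def make_constructed_drive(path: Path, copies: int = 16) -> None:
    """Write the constructed drive contents to `path`."""
    path.write_bytes((LIVE_SAMPLE + DELETED_SAMPLE) * copies)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source: Path, image: Path) -> dict:
    """Copy every byte of `source` to `image`, hashing the source while it is
    read and the image after it is written. Opening the source O_RDONLY is the
    software analogue of a write-blocker; unlike the hardware version it cannot
    stop the OS from touching a mounted device, which is why labs use hardware."""
    h_src = hashlib.sha256()
    fd = os.open(source, os.O_RDONLY)
    try:
        with open(image, "wb") as out:
            while block := os.read(fd, CHUNK):
                h_src.update(block)
                out.write(block)
    finally:
        os.close(fd)
    src_hash = h_src.hexdigest()
    img_hash = sha256_of(image)
    return {
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "verified": src_hash == img_hash,  # the check an examiner records
        "bytes": image.stat().st_size,
    }


def carve_urls(image: Path, prefix: bytes = b"http") -> list:
    """Find URL-looking byte runs anywhere in the raw image, whether or not a
    filesystem still references them: the principle behind recovering
    'deleted' browsing traces, reduced to its simplest form."""
    data = image.read_bytes()
    found, pos = set(), 0
    while (pos := data.find(prefix, pos)) != -1:
        end = pos
        while end < len(data) and 0x21 <= data[end] <= 0x7E:  # printable, non-space
            end += 1
        found.add(data[pos:end].decode("ascii"))
        pos = end
    return sorted(found)


def run_demo() -> dict:
    """Image a constructed drive in a temporary directory and return the
    verification record plus any carved URLs."""
    with tempfile.TemporaryDirectory() as d:
        source, image = Path(d) / "source.raw", Path(d) / "evidence.dd"
        make_constructed_drive(source)
        record = image_device(source, image)
        record["carved_urls"] = carve_urls(image)
        return record


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Hashing the source as it is read, rather than re-reading it afterwards, matters on real hardware: a second pass over a failing drive may return different bytes, and the hash taken at acquisition is the one that goes into the report.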


Christo van Gemert

Eleven years ago Christo started writing about technology for one of South Africa's (then) leading computer magazines. His first review? A Samsung LCD monitor. Hey, it was hot news, back then. Nowadays he gets more excited about photography, cars, game consoles, and faster internet connections. He's sort of an Apple fan, but will take any opportunity to remind you about his Windows-powered home theatre PC and desire to own a vanilla Android tablet.   Currently uses: Apple 13-inch Macbook Pro with Retina Display, Apple iPhone 5, Microsoft Laser Mouse 6000, Audiofly AF78 Earphones, Xbox 360, Nikon D50.