Insider Threat Profile Case Study: [Frontline Fraudster] Real-World Cases In Action

By Tyler Lalicker, Principal Detection Engineer, Data Science

Introduction

By their very nature, insider threats are difficult to detect and prevent as the culprits are authorized users with access to sensitive information. Frontline Fraudsters represent a unique breed of insider threats who exploit their access to financial accounts, customer information, or other valuable data for personal gain. Their privileged access to systems and information allows them to cover their tracks and avoid detection, making them a formidable adversary. In this blog post, we analyze real-life cases of Frontline Fraudsters and the damage they inflicted upon their organizations.

The Frontline Fraudster threat profile

To carry out their attacks, Frontline Fraudsters follow a calculated plan of action, including rehearsing their actions, exploring systems and resources, escalating their access privileges, collecting and staging data, and then executing the fraud. These stages can take place over a period of time, providing them with ample opportunity to strike. Frontline Fraudsters are usually motivated by financial gain or personal enrichment, and may justify their actions to themselves as an entitlement, believing that their organization owes them something. External pressures, such as debt or family problems, can make them more susceptible to committing fraud. Moreover, fraudsters may experience stress related to their job or living situation, and may see committing fraud as a way to alleviate that stress. All these factors, in combination with a lack of financial literacy, make them even more vulnerable to being lured into fraudulent activities.

Case 1: insider sells customer data to spam company

In one real-life case, the insider had a severe impact on the privacy and security of 68,000 customers whose data was sold to a malicious third party that used it to perpetrate scam calls. The stages of the attack involved the perpetrator gaining unauthorized access to a customer-support database and unlawfully exporting the data to the attacker. While the motivation behind the attack remains unclear, the insider was in a position of trust and had access to sensitive information such as customer names, email addresses, support ticket numbers, and in some instances, telephone numbers. Although no technical indicators to signal the attack were detected, this real-life case exemplifies the importance of detecting and preventing insider threats before they can cause serious damage to an organization and its customers by monitoring critical assets and access events.

Case 2: call center employee leaks customer data

In another case study, hundreds of thousands of sensitive customer records including names, phone numbers, and some social security numbers were leaked by a call center employee. Unfortunately, this was detrimental to the customers affected, as they are now at higher risk of identity theft and fraud. The attack involved outsiders recruiting call center employees and paying them to provide sensitive customer information. What followed was the theft and leak of customer records by the employees at the victim organization’s foreign call centers in Mexico, Colombia, and the Philippines. In this case the insider was motivated by financial gain and bribes by outsiders. This case study highlights the importance of monitoring vendor and employee access to sensitive information, as well as the need to have proper controls in place to prevent insider threats from exploiting company vulnerabilities.

Case 3: Twitter data exposed

In a recent case involving a global social media company, personal information about Saudi Arabia’s dissidents and critics was exposed, putting them at risk of persecution. While employed as a media partnerships manager at the victim organization from 2013-2015, the insider utilized his access to gather identifying information and gave it to the Kingdom of Saudi Arabia in exchange for compensation. He then laundered $100,000 of the payment and sold a luxury watch obtained as part of the compensation. The motivations behind the insider’s behavior were financial gain and loyalty to the Kingdom of Saudi Arabia. This case highlights how critical it is for organizations to closely monitor employee access to sensitive data, including personal information, in order to prevent insider threats from causing significant harm.

Conclusion

Being aware of the Frontline Fraudster threat profile is necessary to prevent malicious activities from causing significant damage. Knowing their methods of attack and the factors that motivate them is a key part of protecting your organization and its customers. The cases highlighted in this story showcase the reality of this insider threat profile, its many forms in different businesses and the risks it poses to organizations and individuals. The key takeaway is the urgent need for better access monitoring and control within organizations. Identifying and managing insider threats must be a top priority for security professionals. With enhanced security measures in place, organizations can minimize the risk of data breaches and protect their sensitive information from falling into the wrong hands.