Overview of OSINT use for KYC/AML and Crime Investigations
by Oussama Louhaïdia
This article is part of a free preview, which can be downloaded here: https://pentestmag.com/download/preview-fintech-security/
Keywords: OSINT, open-source intelligence, online investigation, search behaviour, domain-specific search, investigative process, automation
Money, and its dynamics, are central to financing, investing in, and ultimately profiting from criminal activities. With the rise of internet, mobile and API-centric banking, the majority of fraud incidents are now cyber-related and carried out by cyber criminals.
Cybercrime is a broad term that encapsulates a wide range of deceptive activities to which financial services companies are relentlessly subjected, either through their customers or directly through their services. For those financial institutions, the battle against fraudsters is an eternal, ever-evolving and complex one, with the latest reports confirming an increasing trend of fraud in both the number of reported cases and the overall cost incurred by financial institutions from such activities.
Banks, as central actors in the world of financial crime, spend thousands of days and billions of dollars through their compliance teams searching for and detecting fraudulent activities, in order to work with the authorities on detecting, stopping and limiting its impact.
On the other side, regulators and watchdogs keep an eye on any type of "consensual fraud" that some financial institutions might take part in, which places the burden of fraud prevention not just on the financial institutions but even more on the regulators.
International financial systems are becoming more and more complex and intertwined. The increased speed of transacting, the increased ease of opening a bank account to drive aggressive growth strategies, the development of sophisticated services and the creation of very demanding regulations have been followed by demands for elaborate security, surveillance and reporting.
The 4th EU Directive against money laundering and the financing of terrorism increases the regulatory burden on the financial services sector and requires training for internal teams in how to make the best use of new techniques to recognise and investigate fraud cases. Obliged entities are also required to carry out enhanced due diligence on higher risk customers.
Very recently, Swedbank and Danske Bank, two of the largest Nordic banks, were involved in widely publicised scandals in which, through their Baltic branches, they took part in schemes to move hundreds of billions of euros in capital from sanctioned countries into Europe, with even the Russian central bank itself warning Danske Bank about the laundering operations.
The numbers are quite scary: 5% of global GDP is laundered each year, which is equivalent to about $2 trillion (UN Office on Drugs and Crime). In the UK, banks spend £5bn each year fighting financial crime, with only 1% detected by law enforcement agencies. This creates a huge challenge for smaller/challenger banks and financial institutions.
Regulatory compliance requires financial service institutions, law and accounting firms and similar organisations to conduct due diligence checks and compliance screening on all prospective clients. These regulatory requirements include Know Your Customer (KYC), Anti-Money Laundering (AML), Politically Exposed Persons (PEP) and Countering the Financing of Terrorism (CFT).
In this article, we are looking at innovative approaches to address those requirements, where new technologies, public and private datasets from the open, deep and dark webs can be leveraged to spot criminal behaviour.
OSINT for KYC and AML
Today, the lives of many modern individuals are intertwined with online services they rely on. The times of Frank Abagnale Jr. are far behind and have been so for decades. The Internet has transformed many facets of modern society, radically changing how we communicate and share information. Social media platforms, blogging sites and messaging services allow individuals to broadcast their thoughts or otherwise express themselves online.
There is a large amount of publicly and privately available data that, when correlated and analysed in context, allows the detection and eventually the prevention of fraudulent financial activities.
Intelligence is a must in building both an effective defence and an effective attack, for both the financial institutions and eventually the fraudsters. OSINT becomes a key aspect in understanding the cybersecurity and the cybercrime trends that rule the Internet these days.
OSINT becomes a key skill-set for analysts and investigators.
Open Web Intelligence
More and more people share biographical information online, and it is becoming less and less likely for an actual living person in modern, banked society not to have an up-to-date online presence (social media, email, etc.).
Social media presence plays an important role in this ecosystem: information about people's lives, interests, activities and personal details is willingly exposed in public, in ways not available by traditional means. Social media users openly share sensitive and compromising information.
Studies of web search patterns show around 10% of web search requests contain the name of a person, and some search engines are specialising in searching for people, focusing on low profiles, not celebrities.
Information discovered from these sources, which includes publicly available social media information, may be utilised for a variety of purposes, in some cases illegitimately (e.g. Cambridge Analytica, stalking, ID theft, terrorism, etc.).
Other valid and legitimate use cases include vetting, anti-crime and fraud detection. The latter is what we discuss here, mainly the collection of publicly available data on high-risk individuals in order to make risk-based fraud prevention decisions. Security intelligence analysts are charged with the task of looking into different data streams in order to quickly identify risks related to people.
Some of the tools that can be used to cover this:
• Google dorks: "Person/Entity Name" AND marijuana OR embezzlement OR corruption OR bribery OR arrest OR bankruptcy OR BSA OR conviction OR criminal OR fraud OR lawsuit OR laundering OR OFAC OR Ponzi OR terrorist OR violation OR "Honorary Consul" OR "Panama Papers"
A Google search string that covers some of the basics: if the entity name has any obvious or reported links to financial crimes, including bribery, drug trafficking, fraud, etc., this will return that information.
• Shodan.io - The most obvious tool for searching exposed services and devices. And yes, ATMs running old versions of Windows XP (nearly 95% ran on XP in 2014) can be found on Shodan (very likely with a good number of honeypots among them).
Openly reachable websites like cvv.me hold a million card details (with or without CVV), with prices ranging from $2 to $20 for premium credit cards. Similar carding websites include YoHoHo, Buceohalus, BuyCC and many others. These websites can be crawled regularly to identify the personal risks an entity or an individual is exposed to.
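The adverse-media search string above is easy to get wrong by hand (unbalanced quotes, a multi-word phrase that loses its quoting), and the raw result list still has to be triaged. The following helper is an added example, not code from the article: it builds the same query from an entity name and the article's list of risk terms, then scores result snippets by the risk terms that co-occur with the entity name. The entity name, the snippets and the one-hit threshold are constructed for illustration.

```python
"""Adverse-media screening helper (added example; not from the original article).

Builds the Google-style query string from an entity name plus the article's
risk terms, and scores constructed search-result snippets by the risk terms
they contain so an analyst can triage hits. Names and snippets are constructed.
"""
import re

# Risk terms from the article's search string; multi-word phrases are kept intact.
RISK_TERMS = [
    "marijuana", "embezzlement", "corruption", "bribery", "arrest", "bankruptcy",
    "BSA", "conviction", "criminal", "fraud", "lawsuit", "laundering", "OFAC",
    "Ponzi", "terrorist", "violation", "Honorary Consul", "Panama Papers",
]


def quote(term: str) -> str:
    """Wrap multi-word terms in double quotes so the engine treats them as one phrase."""
    return f'"{term}"' if " " in term else term


def build_query(entity: str, terms=RISK_TERMS) -> str:
    """Return the search string: the exact-phrase entity name AND any risk term."""
    entity = entity.strip().replace('"', "")  # stray quotes would break the phrase
    return f'"{entity}" AND ' + " OR ".join(quote(t) for t in terms)


def score_snippet(entity: str, snippet: str, terms=RISK_TERMS):
    """Count which risk terms co-occur with the entity name in one result snippet.

    Returns (hit_terms, score). Score is zero when the entity name itself is
    absent: a page that mentions 'fraud' but not the subject is not a hit.
    """
    text = snippet.lower()
    if entity.lower() not in text:
        return [], 0
    hits = [t for t in terms if re.search(r"\b" + re.escape(t.lower()) + r"\b", text)]
    return hits, len(hits)


def triage(entity: str, snippets, threshold: int = 1):
    """Rank snippets by score; only those with at least `threshold` hits are kept."""
    ranked = []
    for s in snippets:
        hits, score = score_snippet(entity, s)
        if score >= threshold:
            ranked.append({"snippet": s, "hits": hits, "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    # Constructed sample results for a fictitious entity.
    SAMPLE = [
        "Acme Trading Ltd named in lawsuit over alleged embezzlement and fraud.",
        "Local bakery wins award for best bread; no mention of the subject.",
        "Acme Trading Ltd opens new office in Riga.",
    ]
    print(build_query("Acme Trading Ltd"))
    for r in triage("Acme Trading Ltd", SAMPLE):
        print(r["score"], r["hits"], "->", r["snippet"])
```

The score is deliberately a plain count of distinct terms; a hit still needs an analyst to read the page, since "fraud" next to a company name is as often a victim report as an allegation.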
Dark Web Intelligence
Moving away from Google, Bing, and Yahoo indexed pages, we find the deep web, which is estimated to hold 96% of the data accessible through the internet (believe it or not). Within this deep web, and looking towards the dark side/wild west part of it, criminals and data thieves showcase their products and services to a large number of customers.
The dark web came to the attention of the media and the general public with the rise of Bitcoin and, more specifically, in 2013, when one of its biggest markets, the notorious Silk Road, was shut down by the FBI.
The FBI’s deep knowledge of the platform and OSINT techniques were crucial for the success of that operation. This makes the dark web a very valuable place for open source intelligence gathering. This intelligence can only be accessed using dark web tools, especially forums and communities that are sharing sensitive information. More and more investigations are being conducted on Tor and many of them can also include investigating Bitcoin transactions.
In 2016, a known British political aide to a famous Brexit campaigner was convicted for several criminal activities on the dark web, including wire fraud, blackmail and money laundering. He was offering his money laundering service on the darknet, guaranteeing $150,000 of laundering per month, when he came to the FBI’s attention. Another individual was operating Darknet sites (Agora, Evolution, etc.), providing money laundering services, which includes cashing out for vendors, buyers and market administrators using stolen identities to create bank accounts.
Discovering, collecting and monitoring information are the most significant processes for OSINT. Several different techniques (i.e., advanced search engine querying and crawling, social media mining and monitoring, restricted content access via cached results, etc.) are applied to the surface web for retrieving content of interest from the intelligence perspective. On the other hand, the distinctive nature of the dark web, which requires a special technical configuration for access and also changes how network traffic is propagated for the sake of anonymity, dictates that traditional OSINT techniques be adapted to the rules that govern the dark web.
Some of the open source tools that can be used to harvest dark web data in a financial investigation case, or in an automated and continuous way, include:
• OnionScan - https://github.com/s-rah/onionscan
Advocating a free and anonymous web, this open source tool lets you investigate onion sites for legitimacy and reputation while promoting anonymity technologies. At a high level you need to:
1. Set up a server somewhere to host the scanner 24/7, because the scanning work takes some time, and get Tor running on the server.
2. Get OnionScan set up.
3. Write some Python to run the scans and manage the scan results.
4. Finally, analyse and correlate the results.
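Steps 3 and 4 above are where most of the work is: invoking OnionScan per address, keeping its JSON reports, and correlating them. The block below is an added example written for this article, not code from the OnionScan project. It assumes that `onionscan` is on the scan host's PATH, that the `--jsonReport`, `--webport` and `--torProxyAddress` flags behave as in OnionScan's documentation, and that the report fields it reads (`hiddenService`, `sshKey`, `identifierReport.bitcoinAddresses`, `emailAddresses`, `analyticsIDs`) follow OnionScan's JSON layout; none of these are verified here, and the sample reports are constructed, not real scans.

```python
"""OnionScan result management (added example; not the OnionScan project's code).

Builds the scan command, ingests the JSON report each run produces, and
correlates services that expose the same identifier. Flag names and report
field names are ASSUMED to match OnionScan; sample reports are constructed.
"""
import json
import subprocess
from collections import defaultdict

ONIONSCAN_BIN = "onionscan"  # assumed to be on PATH on the scan host


def scan_command(onion: str, tor_proxy: str = "127.0.0.1:9050"):
    """Argument list for one scan; --webport=0 disables the built-in web UI (assumed flags)."""
    return [ONIONSCAN_BIN, "--jsonReport", "--webport=0",
            f"--torProxyAddress={tor_proxy}", onion]


def run_scan(onion: str, timeout: int = 900):
    """Run one scan and parse its JSON report. Needs Tor and onionscan installed."""
    proc = subprocess.run(scan_command(onion), capture_output=True, text=True,
                          timeout=timeout)
    return json.loads(proc.stdout)


def extract_identifiers(report: dict):
    """Pull the identifiers worth correlating out of one report (assumed field names)."""
    ids = set()
    ident = report.get("identifierReport") or {}
    if report.get("sshKey"):
        ids.add(("ssh_key", report["sshKey"]))
    for addr in ident.get("bitcoinAddresses") or []:
        ids.add(("bitcoin", addr))
    for mail in ident.get("emailAddresses") or []:
        ids.add(("email", mail.lower()))
    for aid in ident.get("analyticsIDs") or []:
        ids.add(("analytics", aid))
    return ids


def correlate(reports):
    """Map each identifier to the sorted list of hidden services that expose it.

    Only identifiers seen on two or more services are returned: a key shared
    across sites is the signal a case analyst wants, a unique one is noise.
    """
    seen = defaultdict(set)
    for r in reports:
        for ident in extract_identifiers(r):
            seen[ident].add(r["hiddenService"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def sample_reports():
    """Constructed reports in the assumed OnionScan JSON shape (not real scans)."""
    return [
        {"hiddenService": "aaaaexample1.onion", "sshKey": "SHA256:abc123",
         "identifierReport": {"bitcoinAddresses": ["1ExampleBtcAddr"],
                              "emailAddresses": ["ops@example.invalid"]}},
        {"hiddenService": "bbbbexample2.onion", "sshKey": "SHA256:abc123",
         "identifierReport": {"bitcoinAddresses": [], "analyticsIDs": ["UA-0000-1"]}},
        {"hiddenService": "ccccexample3.onion", "sshKey": "SHA256:zzz999",
         "identifierReport": {"emailAddresses": ["OPS@example.invalid"]}},
    ]


if __name__ == "__main__":
    # Offline demo on the constructed reports; replace with run_scan() output on a Tor host.
    for ident, services in correlate(sample_reports()).items():
        print(ident, "->", services)
```

On a real deployment, `run_scan` is called from a queue that re-scans each address on a schedule and appends every report to storage; `correlate` is then run over the full history, so an identifier that a site removes later is still linked to it.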
There are thousands of websites like cvv.me on the dark web, providing millions of full card details, including CVVs.
Scraping those websites continuously gives an idea of which potential customer identities or cards are compromised and susceptible to fraudulent use. Many open source projects have been developed for a scraping agent that operates and crawls anonymously. To get started:
1. Set up a server somewhere to host the crawler 24/7, as the crawling will be done continuously, slowly and without interruption.
2. Set up a backend database with an ELK stack integration.
3. Write some Python to add results to the database continuously.
4. Use the ELK stack to query and analyse!
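Steps 3 and 4 are the part a fraud team actually owns: what to store from each crawled listing and how to tell whether one of the institution's own cards is in it. The block below is an added example, not code from the article or from any crawler project. It takes records the crawler has already collected (constructed here), keeps only BIN, last four digits and a keyed hash of the card number so the index never holds a full PAN, emits the NDJSON body that Elasticsearch's `_bulk` endpoint accepts, and matches the stored hashes against the institution's card list. The index name `darkweb-cards`, the HMAC key placeholder and the sample listings are all assumptions.

```python
"""Crawl-result store for the ELK step (added example; not from the article).

Normalises scraped card listings, tokenises the PAN with a keyed hash, builds
an Elasticsearch _bulk body, and flags the institution's own exposed cards.
Index name, key and sample records are constructed placeholders.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

INDEX = "darkweb-cards"                       # assumed index name
PAN_KEY = b"replace-with-kms-managed-key"     # placeholder; keep the real key out of code


def pan_token(pan: str) -> str:
    """Keyed hash of the PAN; lets two datasets be joined without storing PANs."""
    return hmac.new(PAN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def luhn_ok(pan: str) -> bool:
    """Reject scraped junk that cannot be a card number."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def normalise(raw: dict):
    """Turn one scraped listing into an index document, or None if unusable."""
    pan = "".join(ch for ch in str(raw.get("card", "")) if ch.isdigit())
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        return None
    return {
        "source": raw.get("source"),
        "seen_at": raw.get("seen_at") or datetime.now(timezone.utc).isoformat(),
        "bin": pan[:6],
        "last4": pan[-4:],
        "pan_token": pan_token(pan),
        "has_cvv": bool(raw.get("cvv")),
        "price_usd": float(raw.get("price", 0) or 0),
    }


def bulk_body(raws) -> str:
    """NDJSON for POST /_bulk: one action line then one document line per record."""
    lines = []
    for raw in raws:
        doc = normalise(raw)
        if doc is None:
            continue
        doc_id = f'{doc["source"]}:{doc["pan_token"][:16]}'   # stable id: re-crawls overwrite
        lines.append(json.dumps({"index": {"_index": INDEX, "_id": doc_id}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n" if lines else ""


def flag_exposed(docs, our_pans):
    """Return the institution's cards that appear in the crawl, matched on PAN token."""
    ours = {pan_token(p) for p in our_pans}
    hits = []
    for d in docs:
        if d and d["pan_token"] in ours:
            hits.append({"bin": d["bin"], "last4": d["last4"],
                         "source": d["source"], "has_cvv": d["has_cvv"]})
    return hits


if __name__ == "__main__":
    # Constructed listings using standard test card numbers; the second one fails Luhn.
    SAMPLE = [
        {"source": "cvv.me", "card": "4111 1111 1111 1111", "cvv": "123", "price": "2"},
        {"source": "cvv.me", "card": "1234567890123456", "price": "5"},
        {"source": "other", "card": "5555-5555-5555-4444", "price": "20"},
    ]
    print(bulk_body(SAMPLE))
    docs = [normalise(r) for r in SAMPLE]
    print(flag_exposed(docs, ["4111111111111111", "378282246310005"]))
```

Because the index only holds tokens, the same HMAC key has to be used when the institution's own card list is tokenised for `flag_exposed`; rotating the key means re-tokenising both sides, which is the price of never writing a PAN into Elasticsearch.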
With the exploding amount of data available on the internet, and with the evolving cyber-crime economy ($1.5T in 2018), financial institutions and regulators are pushed to tackle cyber crime threats. Crawling and extracting open and valuable intelligence from public records to automate the profiling of entities and individuals is becoming an important mechanism for cyber intelligence professionals.