CyFin

The CyFin initiative is dedicated to identifying, mitigating, and neutralizing cyber threats targeting the financial services industry. As a predecessor to the initiative, the Stock-Aid initiative was started in February 2007 in an effort to provide a collaborative forum in combating online stock manipulation schemes. The “account compromise” aspect of this initiative stemmed from phishing and identity theft scenarios and via the use of key loggers loaded on victim computers through a variety of social engineering schemes. This initiative grew to more than 75 members and convened 12 joint conferences to further develop/refine common objectives. Numerous noteworthy investigations were developed and advanced via NCFTA partnerships with domestic and international law enforcement, and millions of dollars in compromised accounts were secured before significant financial losses could occur. Several examples include:

• In Feb. 2009, six search warrants at five subject locations throughout the US were executed by federal agents regarding a scheme in which approximately 290 stock symbols were manipulated, a plan which resulted in millions of dollars in estimated losses. As a direct result of these investigative efforts, several brokerage firms reported close to 100% decrease in stock manipulations for an extended period following these events.

• One Ukrainian subject was identified/neutralized as having more than $48 million in compromised brokerage accounts.

• One additional subject was identified for selling, from one single financial institution, brokerage credentials valued at more than $10 million, which law enforcement recovered.

• Through additional intelligence developed via online criminal forums and from other NCFTA initiatives, $29 million in compromised brokerage account credentials was recovered as well as an additional $40 million+ in other compromised payment instruments. This number continues to rise as additional compromised accounts continue to be identified through NCFTA analysis in support of these initiatives.

Cyber threats to the brokerage industry, as with other financial services or e-commerce stakeholders, are increasing in complexity and scope. In recognition of this, Stock-Aid and other overlapping initiatives involving phishing, identity theft and credential fraud, must be able to adapt and change in order to effectively mitigate and neutralize these current and emerging threats.

Beyond stock manipulation, other cyber-facilitated schemes impacting many public and private organizations have evolved to include: Electronic Funds Transfer (EFT) fraud, ACH-related scams, increased use of sophisticated money mule networks, and the use and abuse of a growing number of telecommunication (mobile banking, SMS, VOIP) and other utilities. Recent initiative-specific focus group meetings have also confirmed the need to evolve each project to incorporate additional SMEs (stakeholder companies) relative to this expanding threat.

To address this ever-changing landscape, and to ensure that timely intelligence regarding emerging schemes is received and shared in a timely manner, the NCFTA has combined several ongoing and increasingly overlapping initiatives into one broader “umbrella” initiative named CyFin. This name was chosen to reflect the broader topic of “Financial Crimes over the Internet” and, in part, to reflect increased tendency of international organized cyber-criminals to rapidly “siphon” victim accounts via a variety of social engineering techniques as well as the use of malware and keystroke loggers.

In moving this initiative forward, refined information sharing and triage tools have been developed, and teams of dedicated analysts and investigators have been assigned to this endeavor. Partners in this effort include a growing list of financial services organizations, on-line merchants, anti-virus companies, payment/payroll processors, and telecommunications providers. Similarly, a growing team of federal and international law enforcement is regularly enlisted in support of this cause.