Keith Furst

TREND ROUNDUP: CRIMINALS TURNING TO ONLINE RENTALS TO LAUNDER MONEY, SOCIAL MEDIA TO ENLIST YOUTH

In the last month, organized criminal groups, fraudsters and identity thieves have shown their creativity to launder money and monetize stolen credit card data, in some cases using online rental services to cleanse funds, while in others duping millennials into becoming “money mules” through sham social media job posts.

Early last month, in the aftermath of the Paul Manafort indictment, more than two dozen New York city and state lawmakers sent a letter to online home rental site Airbnb, pressuring the company to identify and remove illegal listings on its site that could be used by thieves and criminals to launder money, according to the New York Daily News.

Editor's Note: This article originally appeared on The Association of Certified Financial Crimes Specialists (ACFCS) website on December 1, 2017.

Written by: Brian Monroe


This week, The Daily Beast reported that illicit groups are using Russian crime forums to look for colluding hosts on Airbnb to launder cash from stolen credit cards, according to posts on underground forums and cybersecurity researchers. This adds a new wrinkle in the broader trend of using high end real estate in hot markets to legitimize sullied funds.

At the same time, United Kingdom fraud prevention group, Cifas, reported this week it is seeing a massive increase in criminal organizations attempting to use younger people, often referred to as millennials, to unwittingly move money on their behalf.

The analysis revealed a 75 percent increase in the “misuse of bank accounts involving 18 to 24-year-olds during the first nine months of 2017, compared to the same period last year,” according to the group.

The most common example of the increasing trend is when a person acts as a “money mule,” meaning they “allow their bank account to be used to facilitate the movement of criminal funds. Young people and students are particularly vulnerable as fraudsters know they are often short of cash.”

Criminals may approach them with what looks like a genuine job offer, asking them to receive money into their bank account and transfer it onto someone else, keeping some of the cash for themselves.

They can approach them through social media and online job postings.

Overall, there were 8,652 “misuse of facility” cases amongst 18 to 24-year-olds between January and the end of September this year, according to the report. The 2017 figures also demonstrate a dramatic rise in money mule fraud over the last five years, with cases involving 18-24-year-olds more than doubling since 2013.

“Our new figures show that money muling amongst young people is on the rise,” said Simon Dukes, Chief Executive of Cifas, in a statement. “This is a serious issue that not only has consequences for the money mule, but for society as a whole. The criminals behind money mules often use the cash to fund major crime, like terrorism and people trafficking.” 

Airbnb’s Russian money laundering problem

The Daily Beast stated in its story it “found a number of recent posts on several Russian-language crime forums, in which users were looking for people to collaborate with to abuse Airbnb’s service.”

These operations typically work by relying on an individual or group using “legitimate or stolen Airbnb accounts to request bookings and make payments to their collaborating Airbnb host. The host then sends back a percentage of the profits, despite no one staying in the property,” or in some cases double books the property to make even more money.  

“The money is 50/50,” one apparent scammer wrote on a Russian crime forum in August, according to the Daily Beast. “You receive the money within two days after the booking date,” it continues, and adds that there are “story-telling hosts” ready, likely referring to hosts who are proactively participating in the money laundering scheme.

The issue of Airbnb money laundering came up in the Manafort indictment as part of his alleged strategies to launder tens of millions of dollars he made from overseas activities. Prosecutors say he funneled nearly $3 million to buy a Manhattan apartment he said would be for personal use, but later rented on Airbnb.

For the many entities involved in a transaction for Airbnb – the company itself, a credit card company, merchant acquirer, payment processor and bank – it’s likely that the rental company is in the best position to see potentially fraudulent transactions that could be tied to money laundering, said Keith Furst, Founder of Data Derivatives, a boutique consulting firm focused on financial crimes technology.

The company “is the one accepting the credit card payments, so they should be the ones doing the screening,” he said, adding that they would be able to see what is happening with the host, such as if rental revenues are rising in a seasonally slow time, if an address is double booked, or if there are cards tied to the same IP address or even an IP address in Russia.
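The platform-side signals Furst lists (a double-booked address, several cards tied to one IP address, revenue rising in a seasonally slow period) can be expressed as screening rules over booking records. The sketch below is an added example, not code from the article or from Airbnb; the record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import date

Booking = namedtuple("Booking", "host listing check_in check_out card ip amount")

# Constructed sample bookings (not real data); IPs are documentation ranges.
BOOKINGS = [
    Booking("host-A", "L1", date(2017, 2, 3), date(2017, 2, 6), "card-01", "198.51.100.7", 900),
    Booking("host-A", "L1", date(2017, 2, 5), date(2017, 2, 9), "card-02", "198.51.100.7", 1200),
    Booking("host-A", "L1", date(2017, 2, 12), date(2017, 2, 15), "card-03", "198.51.100.7", 950),
    Booking("host-B", "L2", date(2017, 2, 3), date(2017, 2, 6), "card-10", "203.0.113.20", 400),
    Booking("host-B", "L2", date(2017, 2, 6), date(2017, 2, 8), "card-11", "203.0.113.45", 300),
]
# Constructed baseline: each host's revenue for the same month one year earlier.
SAME_MONTH_LAST_YEAR = {"host-A": 600, "host-B": 650}


def double_bookings(bookings):
    """Pairs of stays at one listing whose date ranges overlap."""
    by_listing = defaultdict(list)
    for b in bookings:
        by_listing[b.listing].append(b)
    hits = []
    for stays in by_listing.values():
        stays.sort(key=lambda b: b.check_in)
        for i, first in enumerate(stays):
            for second in stays[i + 1:]:
                if second.check_in >= first.check_out:
                    break  # sorted by check-in, so no later stay overlaps either
                hits.append((first.host, first.listing, first.card, second.card))
    return hits


def cards_per_ip(bookings, min_cards=3):
    """(host, ip) pairs where several distinct cards paid from one address."""
    cards = defaultdict(set)
    for b in bookings:
        cards[(b.host, b.ip)].add(b.card)
    return {k: sorted(v) for k, v in cards.items() if len(v) >= min_cards}


def revenue_spikes(bookings, baseline, factor=3.0):
    """Hosts earning more than `factor` times the same month last year."""
    revenue = defaultdict(int)
    for b in bookings:
        revenue[b.host] += b.amount
    return {h: r for h, r in revenue.items()
            if h in baseline and r > factor * baseline[h]}


def screen_hosts(bookings, baseline):
    """Collect every triggered signal per host for an analyst to review."""
    flags = defaultdict(set)
    for host, _, _, _ in double_bookings(bookings):
        flags[host].add("double booking")
    for host, _ in cards_per_ip(bookings):
        flags[host].add("many cards from one IP")
    for host in revenue_spikes(bookings, baseline):
        flags[host].add("off-season revenue spike")
    return {h: sorted(f) for h, f in flags.items()}
```

A back-to-back stay (check-in on the previous guest's checkout day) is not counted as a double booking, which keeps ordinary turnover from raising the flag.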

On the bank, credit card or merchant acquirer side, those entities would likely be the ones getting calls from irate customers saying that Airbnb has charged their credit cards, but they had never used the service or approved the charge, Furst said, adding that these groups should be looking for a higher rate of “charge backs” involving Airbnb.

“With a stolen credit card, there is a small window, a certain timeline the criminals have to act before the customer or bank shuts it down,” he said, adding that one of the reasons fraudsters would pick Airbnb is that it’s a large company used a lot by people across the world and would quickly accept and process the stolen credit card details.

That makes it harder for the company, banks or credit card companies to immediately realize something is amiss – putting the onus on the customers to better monitor themselves.

More information sharing needed

The scenario also illustrates gaps in information sharing across different entities, Furst said.

Although banks have Patriot Act Section 314(b) safe harbors to share information on customers suspected of money laundering and terrorism, it’s not as clear if, when and how banks, credit card companies and a private company like Airbnb, can share data to put all of the various puzzle pieces of a fraud like this together.

On the banking side, sniffing out that side of the fraud is a challenge, particularly if the institution didn’t know a customer was an Airbnb host.

If they did at least know that, they could get a hint of criminal wrongdoing when, say, a person receives a batch of credit card transactions in larger amounts, and then immediately wires the money back to Russia or to anonymous shell companies in offshore secrecy havens, Furst said.

“The bank would only see the money going into the person’s account, but wouldn’t know it was from fraudulent credit cards” as it would probably just look like funds from Airbnb to a host.

“Online marketplaces such as Airbnb are attractive to money launderers for several reasons,” said Alison Jimenez, President of Tampa, Fl.-based Dynamic Securities Analytics, a consulting firm specializing in AML and financial services litigation issues.

“One factor money launderers look for is the ability to conduct cross-border transactions,” she said. “Many online marketplaces facilitate legitimate cross-border transactions such as vacation home rentals that can be used as a cover for a criminal trying to remit illicit proceeds across borders.”

For instance, a criminal gang could smuggle fentanyl into the USA and then remit the proceeds back home via a fake “IT consulting gig” or via multiple fake home rentals run through a legitimate online marketplace, Jimenez said.

“Money launderers also look for the ability to launder large sums of dollars at once,” she said. “Home rentals can cost several thousand dollars and serve as a quick way to cash out a stolen credit card if you have a corrupt or hacked host account on the other end.”

She agrees with Furst that banks could be hard pressed to uncover the schemes, potentially having to be exceedingly creative.

“A financial institution that ultimately holds the account where the illicit proceeds land would need to follow KYC best practices,” Jimenez said. “One red flag could be a host that only receives payments but does not have normally associated costs like paying a cleaning service.”

Keith Furst

Cyber Fraud on the Rise in Southeast Asia

A series of cyber fraud attacks targeting financial institutions through the SWIFT global messaging system has prompted an industry wide review of IT security measures and has highlighted the rising risk of cyber fraud against financial institutions in Southeast Asia and beyond. SWIFT has responded with a five-part customer security program to reinforce the security of the global banking platform, yet its CEO has warned “there will be more attacks.”

Editor's Note: This article originally appeared on the Corporate Compliance Insights on June 23, 2016.


Cyber fraud risk is heightened in developing countries that often lack the technological resources to detect and thwart such attacks, while geopolitical dynamics also play into the risk equation. In light of these factors, Access Asia views Southeast Asia as a region of heightened risk for cyber fraud targeting financial institutions due to socioeconomic conditions, proximity to suspected centers of cyber fraud operations in North Korea and China and the existence of strong transnational criminal networks.

Indeed, one of the most recent cases to come to light involves an attempted attack on Vietnam’s Tien Phong Bank (TP Bank), while the money trail of an $81 million cyber heist from the State Bank of Bangladesh’s account at the New York Federal Reserve in February has been traced to the Philippines. Hong Kong (which lies on the periphery of Southeast Asia) is the reported end of the money trail for a US$2 million cyber theft on an Ecuadorian bank in early 2015, while the Philippines was also the target of an earlier attack in October 2015.

Access Asia views Cambodia, Myanmar, Indonesia and the Philippines as the countries most at risk in Southeast Asia for future cyber fraud attacks targeting financial institutions due to a perception of lax IT security measures, weak governance and law enforcement, high levels of corruption that could facilitate inside collusion and the existence of well-established transnational criminal networks.

North Korean involvement?

Many cybersecurity experts believe these SWIFT attacks have been conducted by the same group of hackers due to the similarities of the malware used and link the same group with the 2014 hacking attack on Sony Pictures Entertainment. The FBI concluded the 2014 attack was perpetrated by North Korea, which makes the rogue nation a key suspect in these SWIFT attacks. However, many security experts outside the IT realm refute direct North Korean involvement in these SWIFT attacks, questioning why a nation-state would engage in cyber theft, particularly given the relatively small amount of money involved in them (with the exception of the attack on Bangladesh Bank.) Moreover, these attacks would have required a number of agents operating in numerous countries to coordinate both the attacks and retrieval of the money, likely with the cooperation of other international criminal networks – a modus operandi not fitting with North Korea in Southeast Asia. The North Koreans tend to be tightly nationalistic and unwilling to trust other ethnic groups – especially criminals – and are most unlikely to be dealing with international crime groups in Southeast Asia.

“DPRK is usually vilified given their ‘last rogue nation standing’ status; however, there are some underlying changes at work that most outside do not realize due to the media’s lack of positive coverage,” noted one of Access Asia’s China-based security partners who recently co-authored a report on the internal political dynamics of North Korea.  “I’m hearing that it’s more likely Russian or Chinese hackers,” the source added.

A recent investigative report in the Epoch Times, which cited an insider with reportedly direct knowledge of the recent attacks, puts the blame on former Chinese state hackers who identified the initial vulnerability and then sold the information to cyber crime groups.

No matter who is responsible for these recent attacks, greater emphasis should be placed on enhancing security defenses to protect against future attacks. In Vietnam, the country’s leading network security firm BKAV believes 30 percent of Vietnamese commercial banks’ websites have vulnerabilities, two-thirds of which are at medium or high risk for cyber attacks. This figure is likely much higher in lesser developed Southeast Asian countries, such as Cambodia and Myanmar.

New fraud detection models needed

“The recent SWIFT attacks definitely point to the need for tighter cybersecurity protocols, but even such tighter measures may not be enough,” explained Keith Furst, founder and a financial crimes technology consultant at Data Derivatives. “There are other ways to initiate payments through social engineering or even by holding a key employee’s family hostage in an extreme example – so when the security measures fail, what else can be done?”

Furst suggests developing a model in which banks could detect fraudulent activity to the SWIFT payment traffic before the messages leave the bank’s network. Using the example of detecting credit card fraud through historical profiling and blocking transactions that are deemed to be a deviation from that profile, Furst believes similar fraud detection models could potentially be applied to SWIFT traffic before the messages leave the bank’s network.  Furst explained:

“Think of it kind of like an expected range of values where the currency, amount, banks and countries involved in the payment activity all contribute to the historical profile. So, in the case of Bangladesh Bank, if they had these type of models running for all SWIFT messages, then they may have detected that something was off when $951 million worth of instructions were requested.  The final beneficiaries of the transfers could also be a strong indication of fraud, because why would the Bangladesh Bank send such high-value transfers to beneficiaries they don’t normally deal with on a regular basis?  In essence, it is taking what financial institutions have learned from anomaly detection and fraud models and applying it to SWIFT traffic before the transfers leave the bank’s network.”

As heightened security measures are being debated and developed, financial institutions should remain vigilant and aware that the group or groups responsible for these recent bank attacks will likely strike again. Security software company Symantec warns that these attacks are part of a “wide campaign against financial targets in the region” and that recent publicity of the attacks “may prompt other attack groups to launch similar attacks.”

“The recent SWIFT attacks may be only the beginning of a larger scale campaign where cyber criminal organizations systemically target weak banks and exploit known vulnerabilities,” said Data Derivatives’ Furst. “Recent events may accelerate discussions surrounding groundbreaking technological innovations, such as using a blockchain ecosystem as an alternative for high-value, cross-border money transfer,” he added.

Meanwhile, SWIFT officials are warning all banks to review their security controls and to take special care with PDFs.

Keith Furst

Recent attacks highlight the rising risk of cyber fraud for SE Asian banks

A series of cyber fraud attacks targeting financial institutions through the SWIFT global messaging system has prompted an industry-wide review of IT security measures and has highlighted the rising risk of cyber fraud against financial institutions in Southeast Asia and beyond. SWIFT has responded with a five-part Customer Security Programme to reinforce the security of the global banking platform, yet its CEO has warned “there will be more attacks.”

Editor's Note: This article originally appeared on the Access Asia Consulting blog on June 6, 2016.


Cyber fraud risk is heightened in developing countries that often lack the technological resources to detect and thwart such attacks. In addition, geo-political dynamics and the presence of sophisticated transnational criminal networks also play into the risk equation, all making certain areas of the world more vulnerable than others. In light of these factors, Access Asia views Southeast Asia as a region of heightened risk for cyber fraud targeting financial institutions due to socio-economic conditions, proximity to suspected centers of cyber fraud operations in North Korea and China, and the existence of strong transnational criminal networks.

Indeed, the most recent case to come to light involves an attempted attack on Vietnam’s Tien Phong Bank (‘TP Bank’), while the money trail of an $81-million cyber heist from the State Bank of Bangladesh’s account at the New York Federal Reserve in February has been traced to the Philippines. Hong Kong (which lies on the periphery of Southeast Asia) is the reported end of the money trail for a US$2 million cyber theft on an Ecuadorian bank in early 2015, while the Philippines was also the target of an earlier attack in October 2015.

North Korean involvement?

Many cyber security experts believe these SWIFT attacks have been conducted by the same group of hackers due to the similarities of the malware used and link the same group with the 2014 hacking attack on Sony Pictures Entertainment. The FBI concluded the 2014 attack was perpetrated by North Korea, which makes the rogue nation a key suspect in these SWIFT attacks. However, many security experts outside the IT realm refute direct North Korean involvement in these SWIFT attacks, questioning why a nation-state would engage in cyber theft, particularly given the relatively small amount of money involved in them (with the exception of the attack on Bangladesh Bank.) “DPRK is usually vilified given their ‘last rogue nation standing’ status, however there are some underlying changes at work that most outside do not realize due to the media’s lack of positive coverage,” noted one of Access Asia’s China-based security partners who recently co-authored a report on the internal political dynamics of North Korea. “I’m hearing that it’s more likely Russian or Chinese hackers,” the source added.

Still, Access Asia believes the possibility of North Korean involvement should not be ruled out, yet greater emphasis should be placed on enhancing security defenses to protect against future attacks.

New fraud detection models needed:

“The recent SWIFT attacks definitely point to the need for tighter cyber-security protocols, but even such tighter measures may not be enough,” explained Keith Furst, founder and financial crimes technology consultant at Data Derivatives. “There are other ways to initiate payments through social engineering or even by holding a key employee’s family hostage in an extreme example – so when the security measures fail what else can be done?”

Furst suggests developing a model in which banks could detect fraudulent activity to the SWIFT payment traffic before the messages leave the bank’s network. Using the example of detecting credit card fraud through historical profiling and blocking transactions that are deemed to be a deviation from that profile, Furst believes similar fraud detection models could potentially be applied to SWIFT traffic before the messages leave the bank’s network. Furst explained:

“Think of it kind of like an expected range of values where the currency, amount, banks and countries involved in the payment activity all contribute to the historical profile. So, in the case of Bangladesh Bank, if they had these type of models running for all SWIFT messages then they may have detected that something was off when $951 million worth of instructions were requested. The final beneficiaries of the transfers could also be a strong indication of fraud because why would the Bangladesh Bank send such high value transfers to beneficiaries they don’t normally deal with on a regular basis? In essence, it is taking what financial institutions have learned from anomaly detection and fraud models and applying it to SWIFT traffic before the transfers leave the bank’s network.”
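The historical-profile check Furst describes in both versions of this article (currency, amount, beneficiary and country compared against an expected range before release) can be sketched as follows. This is an added example, not code from the article, Furst or SWIFT; the record layout, the median-plus-MAD ceiling with k=5, and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed history of one bank's outgoing payment instructions (not real
# data): business day, currency, amount, beneficiary id, beneficiary country.
HISTORY = [
    (1, "USD", 2_000_000, "BENE-US-01", "US"),
    (1, "USD", 1_500_000, "BENE-GB-01", "GB"),
    (2, "USD", 2_500_000, "BENE-US-01", "US"),
    (3, "USD", 1_800_000, "BENE-GB-01", "GB"),
    (3, "USD", 2_200_000, "BENE-US-01", "US"),
    (4, "USD", 3_000_000, "BENE-US-01", "US"),
    (5, "USD", 2_000_000, "BENE-GB-01", "GB"),
]
# Constructed batch awaiting release: currency, amount, beneficiary, country.
BATCH = [
    ("USD", 2_100_000, "BENE-US-01", "US"),
    ("USD", 20_000_000, "BENE-ZZ-09", "ZZ"),
    ("USD", 3_000_000, "BENE-YY-02", "YY"),
]


def upper_bound(values, k=5.0):
    """Robust ceiling: median plus k scaled median absolute deviations."""
    values = list(values)
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * 1.4826 * mad


def build_profile(history):
    """Summarise past traffic into known values and expected ceilings."""
    amounts, daily = defaultdict(list), defaultdict(int)
    for day, currency, amount, _, _ in history:
        amounts[currency].append(amount)
        daily[day] += amount  # assumes amounts share one reporting currency
    return {
        "beneficiaries": {h[3] for h in history},
        "countries": {h[4] for h in history},
        "max_amount": {c: upper_bound(v) for c, v in amounts.items()},
        "max_daily_total": upper_bound(daily.values()),
    }


def deviations(profile, msg):
    """Reasons one outgoing instruction departs from the historical profile."""
    currency, amount, beneficiary, country = msg
    reasons = []
    ceiling = profile["max_amount"].get(currency)
    if ceiling is None:
        reasons.append("unseen currency")
    elif amount > ceiling:
        reasons.append("amount above expected range")
    if beneficiary not in profile["beneficiaries"]:
        reasons.append("unseen beneficiary")
    if country not in profile["countries"]:
        reasons.append("unseen country")
    return reasons


def review_batch(profile, batch):
    """Check a batch before it leaves the network; held items need review."""
    held = {}
    for i, msg in enumerate(batch):
        reasons = deviations(profile, msg)
        if reasons:
            held[i] = reasons
    return {
        "held": held,
        "no_deviation": [i for i in range(len(batch)) if i not in held],
        "batch_total_exceeded": sum(m[1] for m in batch) > profile["max_daily_total"],
    }
```

The batch-level total is checked separately from the per-message rules because a burst of instructions can exceed the expected daily range even when some individual amounts look ordinary.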

As heightened security measures are being debated and developed, financial institutions should remain vigilant and aware that the group or groups responsible for these recent bank attacks will likely strike again. Security software company Symantec warns that these attacks are part of a “wide campaign against financial targets in the region” and that recent publicity of the attacks “may prompt other attack groups to launch similar attacks.”

Access Asia views Cambodia, Myanmar, Indonesia and the Philippines as the countries most at risk in Southeast Asia for future cyber fraud attacks targeting financial institutions due to a perception of lax IT security measures, weak governance and law enforcement, high levels of corruption that could facilitate inside collusion, and the existence of well-established transnational criminal networks.

SWIFT officials are warning all banks to review their security controls and to take special care with PDFs.
