Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Insider threat: The snapnames case

Published: 2009-11-05
Last Updated: 2009-11-05 15:32:05 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

Insider jobs are not often made public. So, when one does come around it's very interesting to try to learn from those we can talk about. Even inside a company often there is not much said about it to other employees, making learning from it extra difficult unless you were involved somehow.

Snapnames is the company fessing up. Snapnames is in the "domain name after market": they grab domains that are expired and sell it in auctions to people they have in their customer base. There are more such companies.

Like any auction driving up the price is supposed to be the interest in the domain. And unlike a regular auction, the seller is the auction house itself - they grabbed it expired, it costs them the absolute minimum to get it, if they sell it for thousands: that's thousands of profit for them.

A shill is "a person who poses as a customer in order to decoy others into participating, as at a gambling house, auction, confidence game, etc." according to the dictionary. It's used in this context as a person who drives up the price artificially.

So what happened ?

  • A snapnames employee participated in 5% of auctions since March 2005.
  • Snapnames has a fessed up in email to some affected customers about it and is offering financial restitution to those affected by it. They do have a FAQ entry on that available at http://www.snapnames.com/faq.html
  • There are rumors that seem to get confirmations that the employee was a VP of engineering using the username of "halvares", and it seems to have been confirmed by the company.
    [I'm not going to republish his real name, there's plenty of places to find it for those interested]
  • Forum threads dating back to 2006 have customers of snapnames find the user "halvares" suspicious: http://www.dnforum.com/f205/important-message-snapnames-thread-197282.html
  • People who knew said person describe him as "the kind of guy that you wanted working on the other end of the phone; fast, courteous and intelligent.  To find out now that he was lying and betraying not only me, but everyone that he worked with leaves me speechless.  It left a fellow employee I spoke with at SnapNames speechless as well.  With such a small organization, I can only imagine the feeling of betrayal." [From http://www.domainnamenews.com/editorial/snapnames-insider-bidding-aftermath-editorial/6491]
  • Namejet -a competitor of snapnames- sent out the following to their customers:

Dear Valued NameJet Customer,

As you may have already heard, another company in our same line of business, SnapNames, was the victim of an internal security breach. We wanted to address any concerns you may have and assure you that at NameJet we have the necessary security protocols in place to prevent this kind of incident.

What Happened at SnapNames:

According to SnapNames, an employee set up an account on SnapNames under a false name. Under this account, the employee bid in SnapNames auctions. In many instances the bidding by this employee caused the ultimate auction winner to pay more for a name than had the employee not participated in the auction. In addition, on certain occasions, when the employee won an auction, the employee secretly arranged for a refund from SnapNames. This was in violation of SnapNames internal policy, and once discovered the company immediately closed the account in question and the employee was dismissed.

We commend SnapNames for taking quick and decisive action once it discovered its security breach.

NameJet has Strict Security to Prevent Anything Similar:

You should have full confidence nothing similar has occurred on NameJet. We have security procedures and policies in place that monitor all activities to ensure that “shill” bidding does not occur. Further, employees are strictly barred from bidding on auctions and NameJet has both internal and external monitoring to ensure all security procedures are enforced. These procedures were developed and are maintained by two of the world’s largest and most trusted registrars.

Thank you for your business and for your ongoing trust in NameJet.

If you have any questions regarding this issue, please contact us at customers@namejet.com.

Sincerely,

Steve Brown
General Manager
NameJet.com  

  •  Snapnames is said to have fired the employee and is working with an external party to settle it financially with those they think are affected.

What can we learn ?

  • That insider threats can be extremey damaging to your reputation, as evidenced by your competitors jumping all over it.
  • That the insider -in order to fly under the radar ?- is perceived as an excellent team member :"[the one] that you wanted working on the other end of the phone; fast, courteous and intelligent.
  • Those directly involved will feel betrayed because they trusted too much.
  • Polices alone might not be enough, we need to enforce them. And we need to actively detect breaches of our policies.
  • Detecting it is difficult. This went on for 4.5 years.
  • Suspicions had been raised by their customers after half a year, yet it seems to not have triggered whatever was needed for snapnames to catch him.

What can one implement in the form of controls to detect fraud ?

  • A policy prohibiting unwanted behavior. Make sure it passes the "speed limit test":  If -out on the road- it says 50 max and there is no consequence to going faster, who'll bother with it ? Even if there is a fine or other consequence, as long as there is no police officer wielding a radar, who'll care about the fine ?
  • Limit access to information using a role based model.
  • Use a need to have model for granting access rights.
  • Prevent accumulation of rights in any single employee.
  • Monitor what people who have broad access permissions to dangerous data do in real life (within limits of the law and regulations regarding privacy etc.), even if you trust them.
  • Rotate roles: don't let anybody get a position where they are the only ones doing the same thing every time it needs to be done. Hiding it becomes too easy if nobody else does that task for a long enough period.
  • Monitor for indicators changing when you rotate peoples responsibility. Seek the explanation for those changes.
  • Monitor for fraud: 5% of your transaction having the same account involved might be enough to dig a bit deeper
  • Automatically seek for fraudulent patterns in your transactions. This is the needle int he haystack, but computer are good at searching, as long as we can define the needle good enough.So you need to figure out how fraud could happen and what is unwanted behavior etc. and then find that. E.g. a sales person in your company might have read/write access to the directory where you keep the offers your company creates. But if you find a sales person copying (even slowly) every single offer, you might have a big problem.
  • As you learn more ways to commit fraud make sure you monitor for them.
  • Monitor for customers expressing suspicions on your users/employees/company outside of your involvement on e.g. forums where the professionals among your customers hang out and feel free to talk. They might not always need to be the type wearing tin foil beanies, sometimes they might have a point that could take years to grow if you don't follow it up..

 Got more lessons to learn or controls to implement, we love to hear about them!

--
Swa Frantzen -- Section 66

0 comment(s)
Diary Archives