Applying the Online Operations 'Kill Chain' to Combat the Global Scam Epidemic

Fraud is a growing threat in the digital space, alongside terrorist propaganda, human trafficking, election interference, and hacking. Despite its prevalence, fraud has often been underestimated, allowing it to flourish. The UK’s Public Accounts Committee reports that fraud constitutes 41% of all crimes in England and Wales, with an estimated annual cost of £4.7 billion. However, a survey by the Global Anti-Scam Alliance (GASA) and Cifas suggests this figure might be as high as £7.5 billion. When considered globally, the scale of the problem is enormous.

The Kill Chain Approach

Kill chains, derived from military strategy, are effective tools for addressing various online threats. Ben Nimmo and Eric Hutchins proposed an online operations kill chain that offers a common taxonomy and vocabulary to tackle these threats comprehensively.

Online Operations Kill Chain Framework

Financial institutions recognize that much of their fraud risk originates outside their direct control. Adopting a kill chain approach allows the entire online ecosystem to analyze, describe, compare, and collaborate to disrupt fraud threats systematically.

The kill chain framework rests on the premise that an online operation must establish an online presence. The model divides an online operation into ten phases, which can be applied to common fraud scenarios, such as Remote Access Tool (RAT) attacks:

Phase One: Acquiring Assets

  • Office Space, High-speed Internet, Hardware & Software, Remote Access Software Licenses, Telephony services

Phase Two: Disguising Assets

  • Mixing legitimate and illegitimate business, Bribery of local officials

Phase Three: Gathering Information

  • Compiling lists of prior victims

Phase Four: Coordinating and Planning

  • Utilizing Crime as a Service (CaaS), money laundering, cloud-based call centers, hijacked remote access licenses

Phase Five: Testing Defenses

  • In-country call origination, call volume testing

Phase Six: Evading Detection

  • Exploiting device reputation, limiting control during banking sessions

Phase Seven: Indiscriminate Engagement

  • Using fake support accounts on social media

Phase Eight: Targeted Engagement

  • Search Engine Optimization (SEO), hijacking legitimate advertisers' accounts

Phase Nine: Compromising Assets

  • Social engineering for crypto exchanges, hijacking two-factor authentication

Phase Ten: Enabling Longevity

  • Rotating contact numbers, rebuilding devices, and using new RAT accounts

Breaking the Kill Chain

A unified taxonomy enables teams to describe and share their findings consistently, facilitating collaboration across organizations without compromising personal data. This framework also helps identify and disrupt specific stages of the kill chain.

For example:

  • Phase Five: Telco partners can develop strategies to detect and block in-country call origination by fraudsters.
  • Phase Six: Fraud prevention vendors can collaborate with remote access software providers to verify session statuses, enhancing the detection of remote access scams.
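
As an added illustration of the shared taxonomy described above (not code from the article or from the Nimmo and Hutchins framework), the sketch below tags each partner's findings with one of the ten phases, keeps only allowlisted fields so no personal data leaves the organization, and merges the results to show which partners see which phase. The field names, organization names and sample findings are assumptions constructed for the example.

```python
from collections import defaultdict

# The ten phases exactly as this page lists them.
PHASES = {
    1: "Acquiring Assets", 2: "Disguising Assets", 3: "Gathering Information",
    4: "Coordinating and Planning", 5: "Testing Defenses", 6: "Evading Detection",
    7: "Indiscriminate Engagement", 8: "Targeted Engagement",
    9: "Compromising Assets", 10: "Enabling Longevity",
}

# Assumed schema: an allowlist, so a new internal field is never shared by accident.
SHAREABLE_FIELDS = ("phase", "behavior")

def to_shared_record(org, finding):
    """Validate the phase tag and keep only allowlisted fields."""
    if finding["phase"] not in PHASES:
        raise ValueError(f"unknown kill chain phase: {finding['phase']!r}")
    record = {key: finding[key] for key in SHAREABLE_FIELDS}
    record["phase_name"] = PHASES[finding["phase"]]
    record["reported_by"] = org
    return record

def coverage_by_phase(records):
    """Map each observed phase to the organizations that reported it."""
    seen = defaultdict(set)
    for record in records:
        seen[record["phase"]].add(record["reported_by"])
    return {phase: sorted(orgs) for phase, orgs in sorted(seen.items())}

def unobserved_phases(records):
    """Phases nobody has reported: gaps in the partners' combined visibility."""
    covered = {record["phase"] for record in records}
    return [phase for phase in PHASES if phase not in covered]

# Constructed sample findings; every name and value here is made up.
FINDINGS = {
    "bank-A": [
        {"phase": 6, "behavior": "remote access session during banking", "customer": "A. Example"},
        {"phase": 9, "behavior": "two-factor authentication hijacked", "customer": "B. Example"},
    ],
    "telco-B": [
        {"phase": 5, "behavior": "in-country call origination", "caller": "+00 0000 0000"},
        {"phase": 10, "behavior": "contact number rotated", "caller": "+00 0000 0001"},
    ],
    "remote-access-vendor-C": [
        {"phase": 6, "behavior": "remote access session during banking", "license": "LIC-0000"}],
}

def build_shared_view():
    """Flatten every partner's findings into shareable, phase-tagged records."""
    return [to_shared_record(org, f) for org, items in FINDINGS.items() for f in items]
```

In this constructed data, Phase Six is reported by both the bank and the remote access vendor, which is the kind of overlap the Phase Six collaboration above relies on, while the unobserved phases show where no partner yet has visibility.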

Implementing the Kill Chain in Practice

To effectively use the kill chain framework, financial institutions and partners should:

  1. Adopt a Unified Taxonomy: Standardize terminology across the industry.
  2. Develop Inter-organizational Partnerships: Share intelligence and coordinate responses.
  3. Invest in Advanced Analytics: Use data analytics and machine learning to identify fraud patterns.
  4. Enhance Real-time Monitoring: Implement systems to detect and respond to fraud swiftly.
  5. Educate and Train Personnel: Keep employees updated on the latest fraud tactics.
  6. Engage in Continuous Improvement: Regularly refine strategies based on evolving threats.

The global scam epidemic demands innovative and collaborative approaches. The online operations kill chain provides a comprehensive framework to understand, describe, and disrupt fraud operations. By adopting this model, stakeholders can enhance their ability to detect and prevent fraud, protecting individuals and the economy.

Unified terminology, strategic partnerships, advanced analytics, real-time monitoring, continuous education, and iterative improvement are crucial. The kill chain framework transforms observations into decisive actions, offering a coordinated response to the global fraud epidemic and fostering a safer digital environment for all.

CA Kush Tapas

Empowering Businesses with Financial Expertise, Forensic Insights, and a Passion for Innovation

9 months

Robust antidote is the need of every opportunity. Thank you Ram Sir for sharing.

Bharati Rane

Strategic Operations & Business Head in Fintech & E-commerce, Expertise in Risk, Compliance, Chbk, Acquiring | MBC | Data Analytics | PBI | Let's Connect for Your Business's Success.

9 months

Ram Rastogi Sir, Thank you for shedding light on the pervasive and growing threat of fraud in our digital age. The statistics are indeed alarming, but they underscore the urgent need for innovative and collaborative approaches. The online operations kill chain offers a promising framework to systematically combat fraud, and it's heartening to see financial institutions and their partners stepping up their efforts. By leveraging advanced analytics, real-time monitoring, and strategic partnerships, we can move from mere observation to decisive action. It's only through such unified and proactive measures that we can hope to mitigate the devastating impact of fraud on individuals and the global economy. Collaboration and innovation are indeed paramount, and I am optimistic that with the right strategies, we can foster a safer digital environment for all.

Venkatesh Hegde

Career Banker with domain expertise in Corporate/International Finance, Retail Banking, Branch Banking, Empanelled Independent Director with IICA, Strategic Advisor and Freelance faculty

9 months

Very good ideation. It has ignited the grey cells and the process of thinking out of the box.

Hitesh Thakkar

Technology Evangelist

9 months

Dear Ram Rastogi sir, thanks for bringing up a very constructive aspect, to collaborate among payment processing players for fraud prevention and detection. Telecom companies in Australia are reporting SPAM numbers as alerts, which is helping banks in Australia. EBA Clearing in Europe has come up with pan-European Fraud Pattern and Anomaly Detection (FPAD) functionality involving banks from six countries (ING, my ex-employer, is part of it, so I was able to know :)). Sandbox and API are published with a developer portal. Once FPAD is operational, Name and IBAN checks will help PSPs. In India, an SRO can bring a similar or better platform for collaboration; hope it will find some takers.
