WEBVTT

00:00:00.396 --> 00:00:03.984
One of the things I noticed in the last two very public breaches that

00:00:03.984 --> 00:00:09.570
have worked this way was that the criminals had actually registered a

00:00:09.570 --> 00:00:14.836
reasonably good-sounding domain that looked sort of almost credible and

00:00:14.836 --> 00:00:18.348
bought a TLS cert for it as well.

00:00:18.348 --> 00:00:21.493
So if you were just glancing through the code,

00:00:21.493 --> 00:00:23.635
it would look sensible,

00:00:23.635 --> 00:00:24.148
wouldn't it?

00:00:24.148 --> 00:00:24.483
Yeah.

00:00:24.483 --> 00:00:26.679
We've actually seen those before where they

00:00:26.679 --> 00:00:28.738
registered a domain name that's just really,

00:00:28.738 --> 00:00:32.486
really close to the merchant's, probably one letter off,

00:00:32.486 --> 00:00:35.458
they substitute an I for an L or something like that,

00:00:35.459 --> 00:00:37.667
and reading through the code, oh, that's just going to them,

00:00:37.667 --> 00:00:44.105
that's going to them, and it looks all legitimate.

00:00:44.106 --> 00:00:47.086
And so that's the type of social engineering attack

00:00:47.086 --> 00:00:49.625
really that attackers just use.

00:00:49.625 --> 00:00:53.138
They use in a phishing tool where they'll send emails from a very similar

00:00:53.138 --> 00:00:56.371
domain so people think they're getting a message from HR,

00:00:56.371 --> 00:00:58.281
and they get right in.

00:00:58.281 --> 00:01:01.000
So forensically, this is changing the way you do forensics?

00:01:01.000 --> 00:01:03.298
You're not imaging systems in the same way.

00:01:03.298 --> 00:01:06.291
You're looking at what's sent to the consumer's browser and

00:01:06.291 --> 00:01:08.837
working out how that's got corrupted.

00:01:08.837 --> 00:01:15.486
A lot of times with an e-commerce attack, we're not going onsite as much.

00:01:15.486 --> 00:01:20.732
A lot of times, these websites are hosted in giant data centers.

00:01:20.732 --> 00:01:23.746
Sometimes the merchant doesn't even know where their website really is,

00:01:23.746 --> 00:01:28.092
and it can be spread across cloud servers.

00:01:28.092 --> 00:01:31.387
Every single data operating center has their own policies.

00:01:31.387 --> 00:01:33.260
Some let a forensic analyst in.

00:01:33.260 --> 00:01:36.968
Some say, if you want in here, go get a court order; otherwise,

00:01:36.968 --> 00:01:37.949
we're not letting you in.

00:01:37.949 --> 00:01:44.409
Yeah, so talk to me about how you do forensics for cloud-based e-comm systems.
