francesca bosco, cybercrimes - bicocca 31.03.2011

Cybercrime: from hacking to the Underground Economy. Francesca Bosco, Project Officer, Interregional Crime and Justice Research Institute (UNICRI). 31 March 2011, Università degli Studi di Milano Bicocca.


Page 1: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Cybercrime: from hacking to the Underground Economy

Francesca Bosco
Project Officer

Interregional Crime and Justice Research Institute (UNICRI)

31 March 2011
Università degli Studi di Milano Bicocca

Page 2: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Agenda

• Definitions, Trends & Statistics: why the topic is relevant
• The Underground Economy and Cybercrime
• Business models applied to Cybercrime
• Social Network and How to Protect Yourself
• Who are the criminals: Two case studies

Page 3: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Every new technology opens the doors to new criminal approaches


Page 4: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Cybercrime: What do you know?

Page 5: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Cybercrime: What do you want to know?

Page 6: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

What is cybercrime?

Many possible definitions - no widely accepted definition

Any conduct proscribed by legislation and/or jurisprudence that
(a) is directed at computing and communications technologies themselves;
(b) involves the use of digital technologies in the commission of the offence; or
(c) involves the incidental use of computers with respect to the commission of other crimes

Forms
• crimes against the confidentiality, integrity or availability of computer systems (e.g. theft of computer services)
• crimes associated with the modification of data (e.g. theft of data)
• content-related crimes (e.g. dissemination of illegal and harmful material, child pornography)
• relation between terrorism and the Internet (e.g. terrorist propaganda, recruitment for terrorist organizations)

Page 7: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

What is cybercrime?

The Convention on Cybercrime (Budapest, 23.XI.2001) defines cybercrime in Articles 2-10 on substantive criminal law in four different categories:
(1) offences against the confidentiality, integrity and availability of computer data and systems;
(2) computer-related offences;
(3) content-related offences;
(4) offences related to infringements of copyright and related rights.

Page 8: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Definition

According to the European Convention on Cybercrime, cybercrimes are defined as “offences against the confidentiality, integrity and availability of computer data and systems”, thus considering as offences:

• “Illegal access” (art. 2)
• “Illegal interception” (art. 3)
• “Data & System Interference” (artt. 4-5)
• “Misuse of devices” (art. 6)
• “Computer-related fraud and forgery” (artt. 7-8)
• “Offences related to child pornography” (art. 9)
• “Offences related to infringements of copyright and related rights” (art. 10)

Page 9: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Types of cybercrime

Attempt to categorize:

• Financial - crimes which abuse businesses' ability to conduct 'e-commerce' (or electronic commerce).
• Piracy - the act of copying copyrighted material. The personal computer and the Internet both offer new mediums for committing an 'old' crime. Online theft is defined as any type of 'piracy' that involves the use of the Internet to market or distribute creative works protected by copyright.
• Hacking - the act of gaining unauthorized access to a computer system or network and in some cases making unauthorized use of this access. Hacking is also the act by which other forms of cyber-crime (e.g., fraud, terrorism, etc.) are committed.
• Cyber-terrorism - the effect of acts of hacking designed to cause terror. Like conventional terrorism, 'e-terrorism' is classified as such if the result of hacking is to cause violence against persons or property, or at least cause enough harm to generate fear.
• Online Pornography - There are laws against possessing or distributing child pornography. Distributing pornography of any form to a minor is illegal. The Internet is merely a new medium for this 'old' crime, but how best to regulate this global medium of communication across international boundaries and age groups has sparked a great deal of controversy and debate.

Financial

Public confidence in the security of information processed and stored on computer networks and a predictable environment of strong deterrence for computer crime are critical to the development of e-commerce, or commercial transactions online. Companies' ability to participate in e-commerce depends heavily on their ability to minimize e-risk.

Risks in the world of electronic transactions online include viruses, cyber attacks (distributed denial of service (DDoS) attacks) such as those which were able to bring Yahoo, eBay and other websites to a halt in February 2000, and e-forgery. There also have been other highly publicized problems of 'e-fraud' and theft of proprietary information and in some cases even for ransom ('e-extortion').

Page 10: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

VIDEO

Is there any difference between Hackers and Cybercriminals?

Page 11: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

What is Hacking?

• The act of gaining unauthorized access to computer systems for the purpose of stealing and corrupting data.

Types of Hackers:
• Black Hats - Malicious hackers
• White Hats - Ethical hackers
• Grey Hats - Ambiguous

Page 12: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Hackers types

• Low level hackers “script-kiddies”

• Phishing, Remote low-level social engineering attacks

• Insiders

• Disgruntled Employees

• High-level, sophisticated hackers, organized crime - medium/high level

• Hobbyist Hackers

• Unethical security guys (Telecom Italia and Vodafone Greece Scandals)

• Structured/Unstructured Attacks

• Industrial Espionage - Terrorism

• Foreign Espionage

• Hacktivists

• Terrorist Groups

• State Sponsored Attacks

Page 13: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

What is interesting for cybercriminals?

Data is more valuable than money. Once spent, money is gone, but data can be used and reused to produce more money or for further leverage.

The ability to reuse data to access on-line banking applications, authorize and activate credit cards, or access organization networks has enabled cyber criminals to create an extensive archive of data for ongoing illicit activities.

Intellectual property: keep in mind that a database of credit cards is easy to monetize, a database of PII is more difficult, and monetizing stolen IP is much harder and also much more lucrative if done correctly.

Outcomes of cyberattacks and reactions

Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal.

A central issue, in both public and private sectors, is whether or not we are devoting enough resources to information security.

Part of the answer must come from economic analysis. Investigations into the stock price impact of cyber-attacks show that identified target firms suffer losses of 1%-5% in the days after an attack. Organizations of all sizes and industries have suffered losses at the hands of cybercriminals, though only a low percentage report such incidents. Concomitantly, cybercrimes offer high financial yields and can often be performed in a manner that incurs only modest risks because of the anonymity they present. The lack of incident reporting and the ease of access to electronically stored data have led experts to predict that cybercrime will continue to increase in the years to come. Accurate and statistically comprehensive data on the incidence and costs of cyber-attacks are critical to the analysis of information security.

Page 14: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

The Underground Economy

• “Underground Economy” has historically been used to denote business that occurs outside of regulatory channels. Around the turn of the 21st century, Team Cymru adapted the term to the cyber locations and individuals who buy, sell, and trade criminal goods and services.

• Today the Underground Economy can be found in IRC(6) networks, HTTP forums (web boards), various Instant Messaging services, and any other communications platform that lends itself to anonymous collaboration.

• The Underground Economy is comprised of criminals who typically specialize in a specific criminal commodity. A few of the more common commodities include credit/debit cards, personal identities, hacked servers, hacked network equipment, malware (malicious code), Internet vulnerability scanners, e-mail spam lists, fictitious identification documents, and fraudulent money movement services

• The higher levels of the Underground Economy involve technically talented actors who work with other criminals through private communication methods often involving encryption. The public criminal market place is contracting, but the criminal activity itself is increasing in both volume and sophistication

The State of Cybercrimes - FreedomFromFear, March 28, 2011

Page 15: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

The day money became the focus of malware is the day the Internet changed.

Graham Ingram, AusCERT GM

Page 16: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Major Threats and Countries Subjected to Attacks

Major threats:
• Malware (Malicious Code)
• Botnets
• Phishing
• Spam
• SQL-Injection

Countries shown: Brazil, United States, China, Germany, India, Italy, Taiwan, Russia, Poland, United Kingdom

Per-country panels (share of malicious activity and threat rank per category; the country label of each panel is not preserved in this transcript):

Malicious Activity   Malware   Spam   Phishing   Botnets   SQL-injection
18 %                 1         10     1          1         2
7 %                  8         1      9          3         6
7 %                  3         9      4          5         1
6 %                  15        7      3          6         5
5 %                  2         2      18         19        n/a
4 %                  13        12     12         4         n/a
3 %                  22        20     16         2         7
3 %                  11        4      7          13        n/a
3 %                  19        5      10         7         n/a
3 %                  4         22     6          15        4

Page 17: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Top Malware Source Countries

Source: Symantec, Kaspersky, McAfee, Sophos

New Malware Statistics

Top Attack Sectors

• Malware: Hostile, intrusive, or annoying software or program code designed to infiltrate a computer system (virus/worms/Trojans/rootkit/backdoors/spyware).
• Botnets: Software agents/bots that run autonomously and automatically under a common command-and-control structure and perform malicious activities.
• Phishing: Fraudulent process of attempting to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication.
• Spamming: Abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately in the form of e-mail, instant messaging etc.
• SQL injection: Code injection technique that exploits a vulnerability in the database of an application, resulting in unexpected execution of code.

Page 18: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Top 20 countries with the highest rate of cybercrime attacks

Page 19: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Source: Anti-Phishing Working Group, 2nd Quarter 2010 Trends Report

Statistics


Page 20: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Damages, fraud, crime estimates

• Worldwide direct damage due to malware in 2006: $13.2 bn (Computer Economics)
  – Decline from $17.5 bn in 2004
  – Effects of anti-malware efforts and shift from direct to indirect costs
• U.S. Federal Bureau of Investigation estimated cost of computer crime to U.S. economy in 2005 at $67.2 bn (upper ceiling, not all malware-related)
• Global cost of spam in 2007: $100 bn, of which $35 bn U.S. (Ferris Research)
• Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)
• Direct costs to U.S. consumers in 2007: $7.1 bn (Consumer Reports)
• Range of estimates on online consumer fraud
  – $240-340 million for U.S.
  – £33.6 for financial fraud in UK
• Cost of click fraud in 2007: $1 bn (Click Forensics)

Page 21: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Complaints of online crime, 2010 at the Internet Crime Complaint Center (USA)

YEAR   COMPLAINTS RECEIVED   US$ LOSS
2010   303,809               - million
2009   336,655               560 million
2008   275,284               265 million
2007   206,884               239 million
2006   207,492               198 million

Page 22: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

OC activities shift

Original Activity → Modern Version

• Local numbers gambling → Internet gambling (international sites)
• Heroin, cocaine trafficking → Synthetic drugs (less vulnerable to supply problem)
• Street prostitution → Internet prostitution and trafficking in human beings
• Extortion of local businesses for protection → Extortion of corporations, kidnappings
• Loansharking → Money laundering, precious stones, commodities
• Fencing stolen property → Theft of intellectual property

Page 23: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Trends of organized crime: Transnational, Adaptive, Multifaceted

A. Drug trafficking
B. Illicit arms trade
C. Trafficking and smuggling of human beings
D. Traffic of human organs
E. Counterfeiting
F. Environmental-related crimes
G. Maritime piracy
H. Cyber crime
I. Financial crimes: corruption, money laundering.

Page 24: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Why has Cybercrime become so pervasive?

– Extremely profitable

– Very low infrastructure cost and readily available attack tools

– Barriers to prosecution combined with weak laws and sentencing

– Anonymity and financial lure have made cyber-crime more attractive

– Separation between the physical and virtual world

– Organized cybercrime groups can conduct operations without ever making physical contact with each other

Page 25: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

VIDEO

Underground update

Page 26: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Cybercrime today

Page 27: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011
Page 28: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

How the black market works

Page 29: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

UE Business Model

Organised crime borrows and copies business models from the legitimate economy sector. Cyber-criminals employ models similar to the B2B (business-to-business) for their operations, such as the highly sophisticated C2C (criminal-to-criminal) models, which use very effective crime tools available through digital networks.

Page 30: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Let’s go shopping...how much do they cost?

Credit card number with PIN

Change of billing data, including account number, billing address, SSN, name, address and birth date

Driver's license number

Birth certificate

Social security card

Credit card number with security code and expiration date

Paypal account ID and password

Page 31: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Items for sale

A sampling of items for sale in typical cybercrime forums:

$1000 – 5000 Trojan program to steal online account information

$500 Credit card number with PIN

$80-300 Change of billing data, including account number, billing address, SSN, name, address and birth date

$150 Driver's license number

$150 Birth certificate

$100 Social security card

$7-25 Credit card number with security code and expiration date

Page 32: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

The black market: what they offer

Page 33: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

• In 2009, 60 percent of identities exposed were compromised by hacking attacks.
• 75 percent of enterprises surveyed experienced some form of cyber attack in 2009 (from Symantec State of the Enterprise Report 2010).
• The top Web-based attacks observed in 2009 primarily targeted vulnerabilities in Internet Explorer and applications that process PDF files.
• Mozilla Firefox had the most reported vulnerabilities in 2009, with 169, while Internet Explorer had just 45, yet Internet Explorer was still the most attacked browser.
• The United States was the top country of origin for Web-based attacks in 2009, accounting for 34 percent of the worldwide total.
• In 2009, botnets were responsible for sending approximately 85 percent of all spam email.
• There were 321 browser plug-in vulnerabilities identified in 2009, fewer than the 410 identified in 2008.
• ActiveX technologies still constituted the majority of new browser plug-in vulnerabilities, with 134; however, this is a 53 percent decrease from the 287 ActiveX vulnerabilities identified in 2008.

Page 34: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

TRENDING COMMODITIES IN UNDERGROUND MARKETS

• In 2009 the black market shifted: email accounts became the third most available virtual good for sale.
• Online credentials are username/password combinations used to gain access to different Internet applications:
  – Online banking service: the credentials allow the attacker to transfer funds from the victim’s account to accounts controlled by the criminal.
  – Health-care providers: stolen accounts may be used for prescription drug trading or for health information compromise.
  – Webmail applications: a hacked webmail account allows the hacker to scrape the victim’s address book and use those addresses in spam lists. The criminal can then send the phishing messages from the compromised account, making the message all the more credible.
  – Social networks: the inherent viral nature of social networks, together with real-time updates in search engines, makes stolen social network accounts most valuable.
• The price of these credentials varies according to the popularity of the application.

Page 35: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

CRIMES & TECHNIQUES FOCUS

Page 36: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Malware/spam and the underground economy

• Players in the underground economy include (see slide 19):
  – Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
  – Spammers, botnet owners, drops
  – Various middlemen
• Emergence of institutional arrangements to enhance “trust” in the underground economy
  – Service level agreements, warranties, etc.
• Steady stream of new attacks
  – E.g.: spear-phishing, chained exploits, exploitation of social media.

Page 37: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Example of some of the possible financial flows

[Diagram. Actors: Hardware, software; Security service providers; Fraudsters, criminals; ISPs; Individual users; Business users; Government; Society at large. Numbered arrows 1-14 connect the actors; line styles distinguish legal financial flows from potentially illegal financial flows.]

Legend:
1: Extortion payments, click fraud, compensated costs of ID theft and phishing
2: Uncompensated costs of ID theft and phishing, click through, pump and dump schemes, Nigerian 419 scams, and other forms of consumer fraud
3, 4, 5, 6: Hardware purchases by criminals, corporate and individual users
7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs
11, 12, 13: ISP services purchased by corporate and individual users, criminals
14: Payments to compensate consumers for damages from ID theft (if provided)

Page 38: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Financial aspects of malware and spam

[Diagram. Boxes: Benefits of cybercrime; Costs of cybercrime; Malware economy; Indirect cost to society; Cost of law enforcement; Damage done, fraud, crime; Cost of prevention, adaptation; Total, direct and indirect cost. Arrows between the boxes are marked + or -.]

Page 39: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Data Theft (what data are we talking about?)

Personally Identifiable Information (PII): Identifying information means any name or number that may be used alone or with other information to identify a specific person:

Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, biometric data, etc.

Likely one of the most valuable assets that we have and one that businesses need to protect. Why? Information is exponential and reusable. Information can be sold to multiple buyers and can be used in many profitable ways.

Page 40: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011


Credit card thefts, 2009

Source: Kaspersky Lab

Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, Moscow, January 28-31, 2010

Page 41: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

ID Theft is the fastest growing crime in the world.

• Over 9 million victims a year on average worldwide

• Only Top consumer complain to Police or the Federal Trade Commission

• Studies on the total cost of identity theft vary. One study indicates that identity theft cost U.S. businesses and consumers $50 to $60 billion dollars a year

• Individual victims lose an average of $1,500.00 each in out of pocket expenses and require tens or hundreds of hours to recover – some never do.

Page 42: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

• Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.

• Types of identity theft include, among others:

• Account take over

• Financial fraud – credit card or bank account (most common)

• New account

• Social Security Number (SSN) identity theft. Someone steals your SSN and obtains employment in your name. The thief's employer reports wages earned to the IRS under your SSN leaving you to pay income taxes on these earnings.

• Medical identity theft. Someone steals your identity and either obtains medical insurance in your name or uses your current medical insurance policy to obtain treatment or prescriptions.

• Driver's license identity theft. Someone commits traffic related offenses in your name. When the identity thief fails to appear in court, warrants are issued in your name.

ID Theft

Page 43: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Phishing

• Use of email to trick someone into providing information or into going to a malicious Web site by falsely claiming to be from a known entity. These attacks are becoming more and more sophisticated. Use of social networking sites will become an issue.

Page 44: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

"At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week" (Damballa Report 2010).

Of the top 10 largest botnets in 2010, six did not exist in 2009. Only one (Monkif) was present, ranked among the 10 largest botnets of 2009. The top 10 largest botnets in 2010 accounted for approximately 47% of all botnet compromised victims, down from 2009, when the top 10 botnets accounted for 81% of all victims.

Botnets

Page 45: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Botnet Definition

A Botnet is a network of compromised machines (bots) remotely controlled by an attacker.

[Diagram. Key: B = Bot, U = Uncompromised Host. Labels: Attacker, Commands, Attacks.]

Page 46: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Botnet C&C locations (all types):

Page 47: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Lifecycle of Botnet Infection

Page 48: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

VIDEO

Social networking

Page 49: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Email and social networking accounts

Page 50: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Facebook offers

Page 51: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011


Social network malware: distribution 2009

Source: Kaspersky Lab

Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, Moscow, January 28-31, 2010

Page 52: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Cost depends on how many followers you have and how commercial your name is

Page 53: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Who are the criminals? Three case-studies

• Are financially-motivated cyber-criminals actively working with traditional organized crime groups? Or are they opportunistically organizing among themselves? Or, still, are they simply passively working with O.C. groups for support tasks, e.g. money laundering?

• Three case studies

Page 54: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Case Study: Innovative Marketing Ukraine

• Formed circa 2002.
• 2008 revenue estimated at $180 million.
• Estimated to employ 200-500 staff (HR, call center operators to dissuade victims and avoid credit complaints, malware & scareware developers, etc.) in Ukraine, India, and the United States.
• Criminal activities: Scareware (or “Ransomware”, meant to frighten users into providing their credit card data in order not to lose their data), Adware, Credit Card Fraud (reselling of the credit cards “customers” were ransomed into providing to IMU). Early activities included the selling of pirated media (music, pornography) and software as well as pharmaceuticals such as Viagra.
• 2010: F.T.C. persuades a U.S. federal judge to fine IMU and two associated individuals $163 million USD.

Page 55: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Case Study: GlavMed

• Registered in 2006
• Revenue estimated at $150 million
• Glavmed is the public-facing affiliate program which sponsors spammers to promote what are generally known to be illegal pharmacy websites. It appears to be a cover for the real sponsor organization behind all of these sites: Spamit. These include Canadian Pharmacy, one of the most-spammed properties (2006-2008).
• In September 2010, Russian authorities announced a criminal investigation. Around that same time, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other partner networks. Meanwhile, Glavmed remains open for business, and is still paying affiliates to promote pharma sites.

Page 56: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Case Study: Russian Business Network

• Based in St-Petersburg (RU). Operated as a host or Internet Service Provider for illicit services such as child pornography, malware distribution, etc.
• Domain names registered in 2006.
• 2006-2007 revenue estimated at $150 million.
• Criminal activities: Spam (estimated to have been actively involved with up to 50% of worldwide spam distribution at their height), malware, phishing scams (estimated to have been behind up to 50% of phishing spams throughout 2007), all the while providing hosting services for other criminal activities such as the dissemination of child pornography, identity theft, credit card fraud, etc.
• Alleged to have dispersed (but not suspended) its activities as of 2008, due to increasing attention from international security vendors, media, and law enforcement.

Page 57: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

RBN

Page 58: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

© 2008 Craig A Schiller

RBN Operations

11/21/07
Ref: Bizeul.org -

• Services: Some external services are used by RBN and affiliates. Those services can be MX relay or NS hosting.
• RBN: This is the core business of RBN. It is used to offer hosting for cybercrime. Inside this part, we can identify the direct subsidiaries from RBN: Nevacon and Akimon.
• Hosting: This is the part used to host most of RBN public websites, to register RBN domain names… Hosting and registration is a really strong partner for RBN. Incidentally, it could be possible that those two blocks are under the same company.
• Telecom: This is the entity which aims at providing the Internet access. It seems that SBTel has obtained from Silvernet access to the Saint Petersburg Internet Exchange Point (SPBIX).

Page 59: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

What we can do: 10 golden rules

• Use a modern browser with anti-phishing protection
• Isolate and regularly change key passwords
• Use regularly updated anti-virus
• Use a firewall
• Update your operating system regularly
• Check your bank statements regularly
• Subscribe to a Credit Protection service
• Use 2 factor authentication when you can
• Be highly suspicious of anyone asking for personal info via email or any web 2.0 medium, even folks you know, as they may have had their own account compromised.
• Be highly suspicious of anything that you receive electronically that is unsolicited.

Page 60: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Protect Yourself at Public Wi-Fi Hotspots

• Any data transferred between a user and a Website using an HTTPS address and SSL encryption, such as online banking sites, is just as secure on a hotspot as it would be on a private secured network. Wi-Fi hackers or eavesdroppers sitting around the hotspot cannot capture a user’s login credentials or see any information from these secured sites.

• Your risks increase, however, if you must login to sites that aren’t secured. Even if the site isn't all that sensitive, such as a discussion forum, eavesdroppers can capture your login credentials, which they may also use for other more important sites. That’s why it’s important to use unique usernames and passwords for every site.

• To secure any unencrypted Internet traffic that's sensitive (such as e-mail) on hotspots, the most simple, affordable solution is to implement a Virtual Private Network (VPN). Connecting to a VPN server or service would encrypt all of your Internet traffic, so local Wi-Fi eavesdroppers can’t capture it.

• Practice defensive computing: use a VPN, vary your usernames and passwords, learn how to adjust the sharing and privacy settings on your device, and don’t enter login information if you’re unprotected at a public hotspot.
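The difference between a secured and an unsecured login described on this slide can be checked mechanically. The following Python sketch is an added example, not part of the original slides: it inspects a page's HTML and reports whether each login form would send the password in cleartext, which is what a hotspot eavesdropper could capture. The URLs and HTML snippets are constructed samples, and the verdict names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collect every <form> and record whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open_form = {"action": attrs.get("action") or "",
                               "has_password": False}
            self.forms.append(self._open_form)
        elif tag == "input" and self._open_form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open_form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def audit_login_forms(page_url, html):
    """Return a list of (submit_url, verdict) for each password form.

    Verdicts (names chosen for this example):
      cleartext-submit  the password travels over plain HTTP and is readable
                        by anyone sniffing the hotspot
      insecure-page     the form posts to HTTPS but was itself delivered over
                        HTTP, so it could be altered in transit before display
      ok                page and submission are both HTTPS
    """
    collector = LoginFormCollector()
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    results = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes, newsletter forms, etc.
        # An empty or relative action is resolved against the page URL,
        # exactly as a browser would do on submit.
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme != "https":
            verdict = "cleartext-submit"
        elif not page_is_https:
            verdict = "insecure-page"
        else:
            verdict = "ok"
        results.append((submit_url, verdict))
    return results


# Constructed sample pages (not real sites).
FORUM_URL = "http://forum.example/login"
FORUM_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="/do_login" method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
"""

SHOP_URL = "http://shop.example/"
SHOP_HTML = """
<form action="https://shop.example/login" method="post">
  <input name="email"><input type="password" name="pw"/>
</form>
"""

BANK_URL = "https://bank.example/login"
BANK_HTML = """
<form method="post">
  <input name="id"><input type="password" name="pin">
</form>
"""

if __name__ == "__main__":
    for url, html in ((FORUM_URL, FORUM_HTML),
                      (SHOP_URL, SHOP_HTML),
                      (BANK_URL, BANK_HTML)):
        for submit_url, verdict in audit_login_forms(url, html):
            print(f"{url} -> {submit_url}: {verdict}")
```
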

Page 61: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

BRIGHT

BRIGHT is the first online magazine entirely focused on transnational organized crime and is run by FLARE, an international research network (Fight, Learn, Act, Report, Explore). Get your own, FREE copy of the special issue of BRIGHT on “Digital Mafia: into the Cybercrime World”.

Articles:
• Preface
• Cybercrime: reasons, evolution of the players and an analysis of their modus operandi
• Cybercrime & underground economy: operating and business model
• The power of networking: an insight on the Russian Business Network
• International cybercrime
• Innovative cybercrime: made in Ukraine?
• UNICRI: knowledge and information on emerging threats

Download: http://www.flarenetwork.org/report/enquiries/article/digital_mafia_into_the_cybercrime_world.htm

Page 62: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

FREE copy of “F3” (Freedom from Fear, the UNICRI magazine) issue #7, totally focused on Cybercrimes!

DOWNLOAD: www.FreedomFromFearMagazine.org

Page 63: Francesca Bosco, Cybercrimes  - Bicocca 31.03.2011

Thank you for your attention

www.unicri.it

Ms. Francesca Bosco
Project officer on cybercrime
Emerging Crimes Unit

E-mail: [email protected]