Dissecting unlawful Internet Activities

Fyodor Yarochkin

@fygrave

АГЕНДА

Observations

Case studies

Sampling goods and services

Q & A

MEET THE AUTHORS

Our environment

Honeypots (http, ftp, ssh, smtp, ...)

Sandboxes + proactive internet “browsing”

End points around the globe

Public discussion groups of interest: scrapping and indexing

Overview

What makes the news..

MALWAREBlack SEO

Fake AVMass Injections

CC abuse

MAIN ACTORS

KiddiesProfit Oriented

Crime APT

Range of players!

Kiddies: hit our honeypots daily :)

Still live in IRCBOT age

APT

• Kiddies are not very interesting. Following the APT guys is a bit more fun

APT – advanced persistent threat (made lots of noise after Aurora attacksBut, .. how advanced that is.. really :-))

APT: attack vectors – often plain silly

APT: in taiwan

• Targets: academics, post, rail, ..

APT: main characteristics

• Attacks are planned and methodological

• In many instances – the primary aim of an action is information gathering (i.e. javascript that collects and posts the user environment information)

• Malicious content is well-prepared (digitally signed w/ valid certificates etc etc)

APT Research from xecure-lab guys

Aptdeezer: apt analysis platform from xecure-lab

Businessmen are fun to study:)

Online goods

services

Traffic

How to steal a million?

Effectiveness

• Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America)

• New school: steal a dollar from a million people. It is still a million (and no noise).

So, where is the money?

CC cashing

Banking credentialsAds (PPC)

Mobile scam

Pharm

Pr0n

DIRECT SOURCES:

Extortions“Software”

INDIRECT SOURCES:

TRAFF Credentials Online goods& services

TRAFFIC..

• You need users to start visiting your “milking resource” to start with..

TRAF. COST

• AU - 300-550$

• UK - 220-300$

• IT - 200-350$

• NZ - 200-250$

• ES,DE,FR - 170-250$

• US - 100-150$

• RU, UA, KZ, KG .. 10-40$

Case studies~

Infrastructure compromise: case study

UNDER THE HOOD

Looking into Packet fields

TRACKING THE GHOST

HYPO: ATTACK SCENARIO

RESULTED IN...

http://tools.cisco.com/security/center/viewAlert.x?alertId=17778

Compromised CAs

• How about combining this and compromised CA?

WHAT HAD HAPPENED..

Your taffic is mirrored!!

tunnel source <interface>

tunnel destination <badIP>

How were they 0wn3d?

AND MORE..

LESSON LEARNT

• The whole city compromised

• Users infected on the fly. Visiting legimate web sites

• Tricky to investigate

• Affected parties - complete denial

Other varieties ;-)

Ad ABUSE: “MALVERTISEMENT”

Introducing ad. Space hell :)

Source: razorfishmedia.com

Ad network dynamic bidding

• Ad network dynamic bidding system is asking for abuse :-)

• Decentralized, small players feed data to bigger guys (doubleclick), verification is mostly manual, real-time content tampering is easy, automated target selection, number of mechanisms that prevent click fraud (and makes automated analysis hard!!!)

•

MALVERT. Mechanics

iframe

redirect

iframe

redirect

iframe

Iframe to TDS

Malvertisement (cont)

Malvert: agencies get 0wned

• Pulpomedia incident:

Extortions going international

Also spanish version

Credit: http://xylibox.blogspot.com/

Common characteristics

• Hosting and domain registration

Registration Service Provided By: Bizcn.comWebsite: http://www.cnobin.comWhois Server: whois.bizcn.com

Domain name: bundespol.net

Registrant Contact: Whois Privacy Protection Service Whois Agent gmvjcxkxhs@whoisservices.cn +86.05922577888 fax: +86.05922577111 No. 61 Wanghai Road, Xiamen Software Park xiamen fujian 361008 cn

person: Ionut Triparemarks: SC GoldenIdeas SRL

address: Str. Drumul Sarii, nr. 57Caddress: Sector 6, Bucuresti

phone: +0744885334abuse-mailbox: goldenideas.ionut@yahoo.com

nic-hdl: IT1737-RIPEsource: RIPE # Filtered

mnt-by: GOLDENIDEAS-MNT

person: Ionut Triparemarks: SC GoldenIdeas SRL

address: Str. Drumul Sarii, nr. 57Caddress: Sector 6, Bucuresti

phone: +0744885334abuse-mailbox: goldenideas.ionut@yahoo.com

nic-hdl: IT1737-RIPEsource: RIPE # Filtered

mnt-by: GOLDENIDEAS-MNT

WAS ON THE NEWS

COMMON PATTERNS

Exploits Social tricks

“Social engineering”

Well-operated :)

• Spreads through advertisements (social engineering and exploits)

• Reboots machine until license is purchased (80USD)

• Provides support hotline (hosted in India)• Uses legimate payment gateways (possible

to do refunds)

Another attack: infrastructure

Infrastructure

Speedtest.net

Ads.ookla.com

http://35ksegugsfkfue.cx.cc

TDS systems: TRAFF marketplace

COMMON TDS

TDS + verification srv

SEO:Another option

• Black SEO:

SEO USE and abuse :)

<*bad* word (rus)

SEO SERVICES

Goods and services :Sampling :)

Digital currencies

• Modern day hawalla

Amusing portals

PASSPORT COPIES

.. OR A SET

For money of any state of dirtinessPack includes1. Online bank account access2.ATM card (1000/6000USD per month withdrawal limit)3. online access passwords4. Passport copy of “poor john”5. SIM card

MALWARE Q/A AND HOSTING

Abuse-resistant hosting

CLOUD-cracking

AND CAPTCHA

MOBILESo far - easy to spot with

static analysis tools (android, j2me)

Press the button “stop” as soon as Press the button “stop” as soon as possible!possible!

LEARNING POSSIBILITIES :)

Questions

l