
Post on 30-Nov-2020


A Behind the Scenes Look at Cybercriminals - Their Methods and How To Stay Ahead of Them

Kevin Haley, Dir, PM Security Response
Colin Gibbens, Principal Product Manager

SYMANTEC VISION 2014

2 A Behind the Scenes Look at Cybercriminals

How do you buy or sell ill-gotten gains?


A Storefront


The Cyclosa Gang

• Write malware
• Run botnets in US and UK
• Breach companies to steal information
• Run online store – SSNDOB
  – Sold
    • Credit reports
    • Identity information


The Cyclosa Gang

• DarkMessiah
• JoTalbot
• Tojava
• Armand A. Avakimyan


Armand A. Avakimyan


Cybercriminal Timeline / 2007

• Joined cybercrime forum
• Started selling stolen info
• Sought out help on hijacking chat accounts

“How do I steal people’s data through unsecured WiFi connection?”

“Try Google”


Cybercriminal Timeline / 2008

• Exploring RATs
  – Pinch Trojan
• Targeting US and UK


Sidebar – Zero-day Vulnerabilities


What do Zero-days have to do with toolkits?

Zero-Day Vulnerabilities, Annual Total, 2006 - 2013 (Source: Symantec)

Year   2006  2007  2008  2009  2010  2011  2012  2013
Total    13    15     9    12    14     8    14    23


Sidebar – Toolkits


Zero-Day Lifecycle


Chart labels: 4 days, 312 days, 30 days


Cybercriminal Timeline / 2009

• Partners with DarkMessiah, Tojava, JoTalbot
• Malware-based SEO
• Pay-per-click fraud
• Sold hijacked chat accounts, botnet traffic, personal & financial info


Sidebar - Cybercriminal Tradecraft


What do General Petraeus and Cybercriminals have in common?


Draft


Cybercriminal Timeline / 2010


SSNDOB Opens

Registers domain with real name


Cybercriminal Timeline / 2012

• Stocking the Store
  – Breaches
    • US-based credit union
    • California bank
    • Georgian government agency
    • Nigerian financial institution


Busted?


Demo


Other Events of Interest


Cons, Frauds and Flimflam - An Examination of Social Media and Mobile Application Scams
May 14, 10 AM PT/1 PM ET
Register at: www.symantec.com/webcasts

1484 - The Evolving Threat Landscape 2014: Postmortem and Lessons Learned from Simple and Advanced Threats Discovered in 2013
Tuesday 4:00PM, PALACE 2

Thank you!


Kevin Haley khaley@symantec.com @kphaley


Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
