Cybercrime: Defining cybercrime - University of Tulsa
Cybercrime, Part I
Tyler Moore
Computer Science & Engineering Department, SMU, Dallas, TX
Lecture 11
Section: Characteristics of cybercrime (Defining cybercrime; How is cybercrime different?; Primary vs. infrastructure cybercrimes)
Defining cybercrime
We (mainly) adopt the European Commission’s proposed definition:
1. traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems;
2. the publication of illegal content over electronic media (e.g., child sexual abuse material or incitement to racial hatred);
3. crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.
For this part of the course, we are mainly concerned with cybercrimes that are profit-motivated, not so much crimes fitting the second component of the definition.
The boundary between traditional and cybercrimes is fluid.
Distinguishing between types of cybercrime
‘Genuine’ cybercrime: online banking fraud; fake antivirus; ‘stranded traveler’ scams; ‘fake escrow’ scams; advanced fee fraud; infringing pharmaceuticals; copyright-infringing software; copyright-infringing music and video
Transitional cybercrime: online payment card fraud; in-person payment card fraud; PABX fraud; industrial cyber-espionage and extortion
Traditional crime becoming ‘cyber’: welfare fraud; tax and tax filing fraud
How does cybercrime differ from traditional crime?
1. Scale – a single attack can make little money and be unsuccessful most of the time, yet still be hugely profitable if it is replicated easily for almost no cost
2. Global addressability – the pool of available targets remains practically infinite
3. Distributed control – stakeholders have competing interests and limited visibility across networks, which hampers the ability to defend against attacks
4. International nature – makes law enforcement more difficult
Distinguishing between ‘primary’ cybercrimes and infrastructure crimes
‘Primary’ cybercrimes perpetrate a particular scam (e.g., phishing steals bank credentials, illicit pharmaceutical programs sell prescription drugs without prescription).
Yet these primary cybercrimes rely on a criminal infrastructure common to most scams:
1. Exploits: offer a way to compromise computers so that unauthorized software can be executed
2. Botnets: provide anonymity to criminals and a resource for exploitation
3. Email spam: advertises scams to unsuspecting victims
4. Search-engine poisoning: exposes unsuspecting victims to scams
Section: Cybercrime supply chains (The underground economy; Sample cybercrimes; Strategies for integrating criminal supply chains)
Supply chains and the division of labor
Adam Smith on pin production (1776):
One man draws out the wire, another straights it, a third cuts it, a fourth points it, a fifth grinds it at the top for receiving the head: to make the head requires two or three distinct operations: to put it on is a particular business, to whiten the pins is another ... and the important business of making a pin is, in this manner, divided into about eighteen distinct operations, which in some manufactories are all performed by distinct hands, though in others the same man will sometime perform two or three of them.
The underground economy: division of labor in cybercrime
Advertisement:
i have boa wells and barclays bank logins....have hacked hosts, mail lists, php mailer
send to all inbox
i need 1 mastercard i give 1 linux hacked root
i have verified paypal accounts with good balance...
and i can cashout paypals
Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
Credit card #s for sale on underground
Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
Services on offer on underground
Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
Some advertised prices on the underground
Source: http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf
Cybercrime supply chains
traffic → host → hook → monetization → cash out
Phishing supply chain step 1: traffic (email spam)
Phishing supply chain step 2: host (compromise server)
Phishing supply chain step 3: hook (phishing kit)
Phishing supply chain step 4: monetize (bank transfer)
Phishing supply chain step 5: cash out (hire mules)
Illicit online pharmacies
What do illicit online pharmacies have to do with phishing?
Both make use of a similar criminal supply chain:
1. Traffic: hijack web search results (or send email spam)
2. Host: compromise a high-ranking server to redirect to pharmacy
3. Hook: affiliate programs let criminals set up website front-ends to sell drugs
4. Monetize: sell drugs ordered by consumers
5. Cash out: no need to hire mules, just take credit cards!
For more: http://lyle.smu.edu/~tylerm/usenix11.pdf
Abusing dynamic search terms
At best you may encounter ad-filled sites
At worst you may encounter malware
Abusing search-engine results
Once again the criminal supply chain is similar:
1. Traffic: hijack unrelated web search results
2. Host: compromise a high-ranking server
3. Hook: install an exploit (for fake AV), or fill with auto-generated content (for ad sites)
4. Monetize: peddle fake AV or load page with ads
5. Cash out: credit cards or hire mules (fake AV), or get paid by ad platforms
For more: http://lyle.smu.edu/~tylerm/ccs11.pdf
Cybercrime supply chains: common mode of operation

Cybercrime | Traffic | Host | Hook | Monetization | Cash out
--- | --- | --- | --- | --- | ---
Phishing (bank) | email spam | hacked server | website kit | ACH transfer | money mule
Phishing (email acct.) | email spam | hacked server | website kit | ‘stranded traveler’ | -
Phishing (email acct.) | email spam | hacked server | website kit | malware | -
Phishing (social net.) | email spam | hacked server | website kit | ‘stranded traveler’ | -
Phishing (social net.) | email spam | hacked server | website kit | malware | -
Illicit pharma | email spam | hacked server | website frontend | payments | -
Illicit pharma | web poisoning | hacked server | website frontend | payments | -
Fake antivirus | web poisoning | hacked server | exploit install | payments | -
Fake antivirus | web poisoning | hacked server | exploit install | e-currency | money mules
Ad-laden sites | web poisoning | own server | - | PPC ads | ad platform
Typosquatting | user error | own server | - | PPC ads | ad platform
‘Stranded traveler’ | social net. takeover | - | deceptive msg. | wire transfer | -
‘Fake escrow’ scams | auction buyers | own server | deceptive msg. | wire transfer | -
Industrial espionage | email spam | own server | exploit install | exfiltrate data | -
Market for crimeware
Stages: traffic → host → hook → monetization → cash out (the diagram places a different actor, Alice, Bob, Charlie or David, at each successive stage)
Option 1: underground market as pin factory. The attacker buys each stage from a different seller, sells the output, and hires mules to cash out.
Phisherman: buys spam, buys a compromised server, buys a kit, sells credentials, hires mules.
Counterfeit drugs salesman: buys spam, hires a server, becomes an affiliate, completes the sale.
Option 2: traffic brokers. The attacker buys traffic and monetizes it (advertising fraud, infecting with malware). More info: http://iseclab.org/papers/weis2010.pdf
Option 3: exploit-as-a-service. The attacker provides traffic, buys EaaS, and installs malware. More info: http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
Option 4: pay-per-install. The attacker orders PPI and uses the compromised machines (e.g., show fake AV, steal credentials, launch DoS). More info: http://www.usenix.org/events/sec11/tech/full_papers/Caballero.pdf
Vertical integration of supply chains
traffic → host → hook → monetization → cash out
While underground forums, pay-per-install and exploit-as-a-service attract the most attention, some criminals vertically integrate.
Why? Better defense against ‘rippers’ (see http://research.microsoft.com/pubs/80034/nobodysellsgoldforthepriceofsilver.pdf)
Some EaaS and PPI suites are not for sale, but instead used exclusively by particular gangs (e.g., Carberp)
Vertical integration in phishing: rock-phish gang
The ‘rock-phish’ gang used vertical integration to carry out phishing attacks.
At its 2007-08 peak, it accounted for half of phishing attacks.
1. Purchase several innocuous-sounding domains (e.g., lof80.info)
2. Send out phishing email with URL http://www.volksbank.de.netw.oid3614061.lof80.info/vr
3. Gang-hosted DNS server resolves domain to IP address of one of several compromised machines
4. Compromised machines run a proxy to a back-end server
5. Server loaded with many fake websites (around 20), all of which can be accessed from any domain or compromised machine
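As an added defender-side example (not part of the lecture), the Python below flags URLs built the way the rock-phish gang's were: a protected brand appearing as subdomain labels of an unrelated registrable domain, and the same hook path served from several registrable domains, which points at one shared back-end. The brand list, the suffix table and every sample URL other than the deck's own are constructed for this example.

```python
from urllib.parse import urlsplit

# Brands to protect and a minimal public-suffix table: both are constructed for
# this example (a deployment would use its own brand list and the Public Suffix List).
PROTECTED_BRANDS = {"volksbank.de", "paypal.com", "barclays.co.uk"}
PUBLIC_SUFFIXES = {"info", "com", "de", "net", "org", "co.uk"}

# Constructed sample: the deck's rock-phish URL, a second throwaway domain serving the
# same hook path (example.net is a reserved example domain), and a legitimate bank URL.
SAMPLE_URLS = [
    "http://www.volksbank.de.netw.oid3614061.lof80.info/vr",
    "http://www.volksbank.de.netw.oid0000001.example.net/vr",
    "https://www.volksbank.de/login",
]


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname. For www.volksbank.de.netw.oid3614061.lof80.info this is
    lof80.info; every label left of it is chosen by whoever registered lof80.info."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer suffix first so co.uk beats uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def brand_outside_registrable_domain(url: str) -> list[str]:
    """Protected brand domains that appear as whole labels of the host *outside*
    the registrable domain, the rock-phish pattern (volksbank.de under lof80.info)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED_BRANDS:
        return []  # the brand itself owns this registrable domain
    prefix = "." + host[: len(host) - len(reg)].strip(".") + "."
    return sorted(b for b in PROTECTED_BRANDS if "." + b + "." in prefix)


def shared_backend_groups(urls: list[str]) -> dict[tuple[str, str], list[str]]:
    """Group flagged URLs by (impersonated brand, path). Several registrable domains
    serving one brand+path is the signature of one back-end behind many domains."""
    groups: dict[tuple[str, str], set[str]] = {}
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
        for brand in brand_outside_registrable_domain(url):
            groups.setdefault((brand, parts.path), set()).add(registrable_domain(host))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", brand_outside_registrable_domain(url) or "ok")
    print(shared_backend_groups(SAMPLE_URLS))
```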