How to Investigate SPAM (posted 20-Dec-2015, category: Documents)

How to Investigate SPAM

“WhoIs” behind the scam?

Who are the individuals who own that Web Site … ?

Introduction

The cost of spam

This section is taken from http://www.cs.uml.edu/~pkrolak/91-113/DarkSideOfInternet.ppt

Spam

• Spam is electronic junk mail that clogs our internet like the fatty canned meat of the same name clogs our arteries.

• Communication lines back up at an alarming rate,
• Storage is gobbled up,
• Servers and processors thrash, and
• Users are irritated at best – incapacitated at worst.

• Spam costs the ISPs and others a fortune to prevent and/or to remove.
• At its worst spam is used by scammers, hackers, and others to market and prey on literally millions of users at a very low cost.

Source: http://www.unt.edu/benchmarks/archives/2005/february05/spamandcookiescolor.gif

Spam

• What is Spam?
  Junk email – unwanted, resource robbing, and often contains viruses, worms, and scams.

• Why is it an increasing problem?
  Spam is the fastest growing component of messages on the Internet; it consumes bandwidth and storage, and angers the user. ISPs and some consumer groups are attempting to shut down the worst offenders.
  – Spam as harassment.
  – Spam as DoS (Denial of Service) attack.
  – Spam as Phishing (an attempt to obtain a person’s ID, password, etc., by pretending to be a legitimate request).

• What can be done about it? (Discussion questions)
  – Closing down ISPs that permit email relaying (Is this too draconian?).
  – Apply filters and tools to remove it (Can they be by-passed?).
  – Lobby for federal legislation to create civil and criminal penalties for those who send Spam. (Does this interfere with free speech?)
  – A recently passed law to prosecute commercial spammers. (When is Internet advertising legitimate and when is it Spam?)

Why Estimate the Cost of Spam?

• Important for policy reasons to know the severity of the problem – helps in assigning priority to the issue;

• To determine which economic actors have to bear the costs – also important in focusing on solutions;

• Spam imposes a negative externality on society (similar to pollution in the manufacturing economy): economic damage and cost borne by third parties, resulting in an overall loss of welfare for society;

• If the costs of spam are unacceptable then mechanisms have to be put in place to change the behavior of the producers of spam;

• Provides a metric to “let the punishment fit the crime.”

• The market itself does not provide a mechanism to correct for the costs inflicted by spam. If economic solutions are used to combat spam, cost data can help determine the prices applied to reduce or eliminate spam;

http://www.oecd.org/dataoecd/47/5/26618988.pdf

Spam Impact on Consumers

• E-mail has a value to the recipient which varies with the content and should at least equal the processing cost;

• Each e-mail entails the same receiving/processing cost for the consumer. For spam the value of the e-mail content is negative, and to this must be added the processing cost;

• If the amount of spam received is extremely high it could conceivably outweigh the positive value of receiving e-mail;

• Costs to consumers for processing mail are declining as consumers switch to broadband from dial-up (where time-based Internet access charges exist) and because of quicker download times;

• But the increase in the volume of spam is likely to result in a net increase in costs – if you can go fast but you produce crap, all you get is more crap;

http://www.oecd.org/dataoecd/47/5/26618988.pdf

Overall Cost: Some Estimates

• Reduced use of an efficient and cheap means of communication among economic actors – slows down the growth of e-commerce and the development of the digital economy.

Total economic impact of spam – estimates vary:

• Global cost “conservatively” estimated at €10 Billion (European Commission Study 2001);

• Ferris Research (Jan. 2003) estimated that spam cost US companies $8.9 billion in 2002. The same study estimated the cost of spam in Europe as US$2.5 billion.

• UNCTAD (2003): $20 billion;

• Cost to the Hong Kong economy $1.3 billion (HKISPA 2004);

• $2 - $20 Billion per year and growing.

http://www.oecd.org/dataoecd/47/5/26618988.pdf

CAN-SPAM Law of 2003

CAN-SPAM Act of 2003 (Pub. L. 108-187, S. 877)

• The Controlling the Assault of Non-Solicited Pornography and Marketing Act requires unsolicited commercial e-mail messages to be labeled (though not by a standard method) and to include opt-out instructions and the sender's physical address. It prohibits the use of deceptive subject lines and false headers in such messages. The FTC is authorized (but not required) to establish a "do-not-email" registry. State laws that require labels on unsolicited commercial e-mail or prohibit such messages entirely are pre-empted, although provisions merely addressing falsity and deception would remain in place. The CAN-SPAM Act took effect on January 1, 2004.

Crimes of Persuasion

Crimes of persuasion are scams that appeal to people’s greed, goodwill, or other emotions in order to use the victim to provide access and assistance to the information, money or other resources that are the target of the criminal.

In other words – A Con Game

Internet Scams

• Scams over the Internet, unlike fraud and similar crimes offline, can be difficult to detect, prosecute, and prevent – and easy to perpetrate.

• Email can be used to reach 250 million people with a simple program and a CD-ROM with the email addresses.

• Example - The African businessman who offers to split a large sum of money (like, $20M) if he can only electronically wire it to your checking account. He also requires a (small) fee ($250.) wired to his account to bribe fellow country men. Your fee and your bank account are immediately seen to vanish.

• See: http://www.cnn.com/2000/TECH/computing/10/31/ftc.web.scams/

Internet Pyramid schemes

What is a Pyramid Scheme?

• Pyramid schemes, also referred to as "chain referral", "binary compensation" or "matrix marketing" schemes, are marketing and investment frauds which reward participants for inducing other people to join the program. Ponzi schemes, by contrast, operate strictly by paying earlier investors with money deposited by later investors, without the emphasis on recruitment or awareness of the participation structure.

• Pyramid schemes focus on the exchange of money and recruitment.  At the heart of each pyramid scheme there is typically a representation that new participants can recoup their original investments by inducing two or more prospects to make the same investment.  

• For each person you bring in you are promised future monetary rewards or bonuses based on your advancement up the structure.  Over time, the hierarchy of participants resembles a pyramid as newer, larger layers of participants join the established structure at the bottom.

Source: http://www.crimes-of-persuasion.com/Crimes/Delivered/pyramids.htm

Internet Pyramid schemes (more)

• They say you will have to do "little or no work because the people below you will".  You should be aware that the actual business of sales and supervision is hard work. So if everyone is doing little or no work, how successful can a venture be? Too good to be true!

• The marketing of a product or service, if done at all,  is only of secondary importance in an attempt to evade prosecution or to provide a corporate substance.  Often there is not even an established market for the products so the "sale" of such merchandise, newsletters or services is used as a front for transactions which occur only among and between the operation's distributors. 

• Therefore, your earning potential depends primarily on how many people you sign up, not how much merchandise is sold.

• When the Pyramid gets too big, the whole scheme collapses and the people who lose are the people at the bottom.

Internet Pyramid schemes (more)

• Pyramid schemes are not the same as Ponzi schemes which operate under false pretences about how your money is being invested and normally benefit only a central company or person along with possibly a few early participants who become unwitting shills.

• Pyramid schemes involve a hierarchy of investors who participate in the growth of the structure with profits distributed according to one's position within the promotional hierarchy based on active recruitment of additional participants.

• Both are fraudulent, because they induce an investment with no intention of using the funds as stated to the investor.

Email Fraud

Fraud has existed perhaps as long as or longer than money. Any new sociological change can engender new forms of fraud, or other crime.

Source: http://en.wikipedia.org/wiki/Email_fraud

Email Fraud

• Almost as soon as e-mail became widely used, it began to be used to defraud people via E-mail fraud.

• E-mail fraud can take the form of a "con game" or scam.

• Confidence tricks tend to exploit the inherent greed and dishonesty of their victims: the prospect of a 'bargain' or 'something for nothing' can be very tempting.

• E-mail fraud, as with other 'bunco schemes' relies on naive individuals who put their confidence in get-rich-quick schemes such as 'too good to be true' investments or offers to sell popular items at 'impossibly low' prices. Many people have lost their life savings due to fraud. (Including E-Mail fraud!)

Avoiding e-mail fraud

E-mail fraud may be avoided by:

• Keeping one's e-mail address as secret as possible,

• Ignoring unsolicited e-mails of all types, simply deleting them,

• Not giving in to greed, since greed is the element that allows one to be 'hooked', and

• If you have been defrauded, report it to law enforcement authorities -- many frauds go unreported, due to shame, guilty feelings or embarrassment.

Source: http://en.wikipedia.org/wiki/Email_fraud

Identity Theft on the Internet

Identity theft involves finding out the user’s personal information and then using it to commit fraud and other crimes.

Identity Theft

“But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed."  - Shakespeare, Othello, Act III, Scene III.

What is Identity Theft?

• A Federal crime where someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.

• In 2004, almost 250,000 claims of Identity Theft within the US alone (1:1000)

• More than $500 million in reported losses

Source: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf

Categories of Identity Theft

According to the non-profit Identity Theft Resource Center, identity theft is "sub-divided into four categories:

1. Financial Identity Theft (using another's name and SSN to obtain goods and services),

2. Criminal Identity Theft (posing as another when apprehended for a crime),

3. Identity Cloning (using another's information to assume his or her identity in daily life) and

4. Business/Commercial Identity Theft (using another's business name to obtain credit)."

Source: http://en.wikipedia.org/wiki/Identity_theft

Tiger Woods

“A man who used Tiger Woods' identity to steal $17,000 worth of goods was sentenced to 200 years-to-life in prison.

Anthony Lemar Taylor was convicted of falsely obtaining a driver's license using the name Eldrick T. Woods, Woods' Social Security number and his birth date.

Though he looks nothing like golf's best player, the 30-year-old Taylor then used the false identification and credit cards to buy a 70-inch TV, stereos and a used luxury car between August 1998 and August 1999.

Judge Michael Virga gave Taylor the maximum sentence under California's three-strikes law...”

Identity Theft by Age

[Bar chart: Claims by Age in 2004 – vertical axis “% of Claims” (0 to 30), age groups Under 18, 18-29, 30-39, 40-49, 50-59, 60+]

Source: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf

Identity Theft

• Identity Theft – the acquiring of personal and financial information about a person for criminal purposes.

• Your Social Security Number, credit card numbers, and passwords on your machine can be used to gain information about you from the web sources.

• Once the information is gained it is used to charge large amounts for plane tickets, etc.

• The criminal can also assume your identity for fraud and terrorism.

• Some rings communicate data gathered to accomplices in other countries where the fraudulent charges are actually made.

• It can take up to 18 months and thousands of dollars to restore your credit.

See http://www.newsfactor.com/perl/story/15965.html

The role of private industry and government in identity theft

Techniques for obtaining information

Low Tech – Social Engineering

• Stealing (snail) mail or rummaging through rubbish (dumpster diving)
• Eavesdropping on public transactions to obtain personal data (shoulder surfing)
• Obtaining castings of fingers for falsifying fingerprint identification

High Tech – Internet Approaches

• Stealing personal information in computer databases [Trojan horses, hacking] – including theft of laptops with personal data loaded.
• The infiltration of organizations that store large amounts of personal information
• Impersonating a trusted organization in an electronic communication (phishing).
• Spam (electronic): some, if not all, spam entices you to respond to alleged contests, enter into "Good Deals", etc.
• Browsing social network sites (MySpace, Facebook, Bebo etc.) online for personal details that have been posted by users in public domains.

Source: http://en.wikipedia.org/wiki/Identity_theft

What is Pharming?

Pharming is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect traffic from that website to another web site.

DNS servers are the machines responsible for resolving internet names into their real Internet Protocol (IP) addresses - the "signposts" of the internet (e.g., Good_Stuff.com will translate to an address like 152.145.72.30 – i.e. four groups of base 8 (octal) numbers in IP version 4 (IPv4), or eight groups in base 16 (hex) in IP version 6 (IPv6)). The Internet has thousands of DNS servers – each one a target for determined hackers.

Phishing

What is Phishing?

– Using email or web sites that look like authentic corporate communications and web sites to trick people into giving personal and financial information.

– The FBI sees this as a fast-growing form of fraud that can lead to identity theft.

See http://www.crimes-of-persuasion.com/Crimes/Delivered/internet.htm

What is Phishing?

phishing (also known as carding and spoofing) n.

1. The act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message).

Source: http://en.wikipedia.org/wiki/Phishing

Phishing Example

Register for eBay Dear valued customer Need Help?

We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.

For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.

Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.

Regards, Safeharbor Department eBay, Inc The eBay team.

This is an automatic message. Please do not reply.

From: eBay Billing Department <[email protected]>  To: [email protected]  Subject: Important Notification

Source: http://en.wikipedia.org/wiki/Phishing

This link points to a bogus site that often will infect and attempt to corrupt or steal data from your computer, or coerce you into divulging private information when you access it.

Spoofing

• E-mail sent from someone pretending to be someone else is known as spoofing. Spoofing may take place in a number of ways. Common to all of them is that the actual sender's name and the origin of the message are concealed or masked from the recipient. Many, if not most, instances of e-mail fraud use at least minimal spoofing, as most frauds are clearly criminal acts. Criminals typically try to avoid easy traceability.

Source: http://en.wikipedia.org/wiki/Email_fraud

Methods to Steal an Identity

• TCP Spoofing
  – Establish a fake session and act towards the user like the real application the user thought they were connected to.
  – Can be done by substituting valid access software with “hacked” software after compromising a host or server machine

• DNS Spoofing
  – Mentioned previously
  – Substitutes a fake IP address for the real one in the DNS table

• Typo Squatting (e.g. www.goolge.com)
  – Set up a real web site with a URL that represents a common typo. Make the site look enough like the real one and try to get passwords, IDs, etc.
  – Similar to phishing, but the “phish” catches himself!

Your Goal

Identify the people who are behind the Spam.

You want NAMES and civic addresses, but be ready for the sad reality: the chances are very small that you will ever find them. You will, however, bring to light all the tools they are using to hide their real identity,

and this is INFORMATION, because it tells you that the SPAM is a SCAM, and that these people are criminals.

Their Goals

At the end of the investigation you will discover the goals pursued by the spammers

#1 – Get you to send them money (Nigerian scam / buy their cloned products / medicine)

(maybe they will never ship anything, but they will get your money)

#2 – Steal your personal information by making you believe that you must enter your information to win something

#3 – Enroll your computer as a zombie: your computer is infected by a Trojan when you visit their website and is then used to spam other people to do #1 or #2

What to do at the end of your investigation

This is explained at the end of this presentation (part 5)

PART 1

List of steps to follow

for a SPAM investigation

Typical List of Steps to investigate a SPAM Case

1) You need the email (body) AND the header of the email.

How to see the email header depends on the email client you are using

2) You divide your research into 2 parts:

- Finding information about the sender (spammer)

- Finding the information about the target

(the website where the spammer wants you to go)

List of Steps

3) For researching “Who is the Spammer” and for researching “Who is behind the target web site”,

You follow pretty much the same series of steps

4) Use “nslookup” to find the IP address of a domain name

5) Use the IP address to find who owns this address.

Most of the time you will see that the address is in a block of addresses that have been assigned to an ISP or to a Web Hosting Company

List of Steps

6) ISPs have large blocks of addresses, typically:

N × 256 × 256

If it is an ISP, then the spammer has a fixed IP address (no need to run DHCP), and it should be relatively easy to identify who is leasing this IP address:

Google the IP address, the domain name, and part of the message

List of Steps

7) Web Hosting Companies have smaller blocks of addresses, typically:

N × 256 × 256 and N = 1, 2 or 3

The WhoIs queries tell you the name of the company that owns the block of addresses

List of Steps

8) Google for the domain name of the spammer and the name of the web hosting company.

You should find the name of the registrant: the individual or the company WHO has registered the domain name that is attached to that IP address.

Sometimes the name of the registrant is a small company that is itself a Registrar, and operates as an intermediary (front) between the real customer (here, the spammer) and the big registrars

Note that some of these intermediate companies do not really check the validity of the information provided by the customer: fake telephone numbers, no civic address, or a postal box, are all OK!

Additional Note: Registries and Registrars

A Registry is an organization that assigns IP addresses (typically to ISPs):

There are 5, each for one continent (AFRINIC, ARIN, LACNIC, APNIC and RIPE)

See part 2 of this presentation

You use WhoIs to query the registries

A Registrar is a company that attaches a domain name to an IP address (www.uml.edu = 129.63.176.200)

Read on the web to learn more about Registries and Registrars

List of Steps

Google then for the missing information, using anything you already know:

– Track the names of the small fish

– The telephone numbers (sometimes the company is officially in one country and the tel. no. in another country)

– Parts of the body of the message

PART 2

Understanding how the Registries work

Every computer needs an IP address to be accessible from other hosts on the Internet

An IP address is a unique identifier of a computer

You buy an IP address from your ISP, and your ISP buys blocks of addresses from a Registry

There are 5 Registries managing each one region of the world

The search is based on the IP address

When should you use the information maintained by registries?

Every time you want to know more about a website, especially when you suspect that the site is a rogue web site

e.g. you have received an unsolicited email asking you to go to a web site you have never heard of before

When you want to know who owns a website

you query the databases of these Registries

Enter the IP address

The databases of these registries are based on the IP addresses that they have assigned

If you do not know the IP Address of a domain, first you need to run “nslookup”

Registries maintain Databases that can be searched using

a web browser

The search box is always on the home page of the Registry

AFRINIC

http://www.afrinic.net/

AfriNIC is a non-government, not-for-profit, membership based organization, based in Mauritius that serves the African Internet Community.

AfriNIC is the Regional Registry for Internet Number Resources for Africa. Membership is open to anybody.

APNIC

The Asia-Pacific Network Information Centre maintains the public Whois Database for the Asia Pacific region

The Whois search box is in the upper right corner

http://www.apnic.net/

Headquarters in Brisbane, Australia

ARIN

The American Registry for Internet Numbers is the Regional Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United States.

ARIN manages the distribution of Internet number resources.

Headquarters in Fairfax County (VA), USA.

https://www.arin.net/

The Whois Search Box is in the right upper corner

LACNIC

The Latin America and Caribbean Network Information Centre is the Regional Internet Registry for the Latin American and Caribbean regions.

LACNIC provides number resource allocation and registration services that support the global operation of the Internet. It is a not-for-profit, membership-based organization whose members include Internet Service Providers, and similar organizations.

Headquarters in Montevideo, Uruguay

http://www.lacnic.net/en/

The Whois Search Box is in the right upper corner

RIPE

http://www.ripe.net/

Enter the IP address in the database search box (in the middle of the page, on the right).

This is a different search box from the search engine that searches the RIPE web site.

Regional Internet Registry for Europe, the Middle East and parts of Central Asia.

Headquarters in Amsterdam, the Netherlands.

Five Registries?

When you want to know who owns an IP address,

- You clearly do not know where in the world this IP Address is

- You do not know which of these 5 registries you should search

OK, just get “IP2C”, a portable freeware tool that will query the 5 registries for you using a nice GUI

http://web.newsguy.com/lmgava/code/Download.php?a=ip2c&f=ip2c_1.0.12.zip

Unzip, run, enter the IP address
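Added example, not part of the original deck and not IP2C's code: a Python script that does the registry search programmatically, and so also covers steps 5 to 7 of Part 1 (who owns the block an address belongs to). It sends the query over the WHOIS protocol (one line on TCP port 43, RFC 3912) and reduces the "key: value" answer to the fields an investigator needs. Asking IANA's server (whois.iana.org) first returns a "refer:" line naming the registry that holds the block, which answers the "which of the five registries do I search?" question without a GUI. The lookup_ip function needs network access; the parsing is shown on constructed sample answers (the server names and field names are real; the addresses, organisations and handles in the samples are invented).

```python
"""Query a registry's WHOIS service directly (RFC 3912: one query line over
TCP port 43) and reduce the answer to the fields an investigator needs."""
import socket


def whois_query(server: str, query: str, port: int = 43, timeout: float = 10.0) -> str:
    """Send one query line and return the whole text response (needs network)."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_fields(text: str) -> dict:
    """'key: value' lines -> {lowercased key: first value seen}. Comment lines
    ('%' at RIPE/APNIC/AfriNIC/LACNIC, '#' at ARIN) are skipped."""
    fields = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("%", "#")):
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if value and key not in fields:
            fields[key] = value
    return fields


def referral_server(iana_text: str):
    """The 'refer:' line of an IANA answer names the registry to query next."""
    return parse_fields(iana_text).get("refer")


def summarize(rir_text: str) -> dict:
    """Normalise ARIN's NetRange/OrgName style and the RPSL inetnum/netname/descr
    style used by the other four registries into one small record."""
    f = parse_fields(rir_text)
    return {
        "range": f.get("netrange") or f.get("inetnum") or f.get("inet6num"),
        "name": f.get("netname"),
        "org": f.get("orgname") or f.get("org-name") or f.get("owner") or f.get("descr"),
        "country": f.get("country"),
    }


def lookup_ip(ip: str):
    """Ask IANA which registry holds the block, then ask that registry who the
    block is assigned to (needs network)."""
    server = referral_server(whois_query("whois.iana.org", ip))
    if not server:
        return None
    return summarize(whois_query(server, ip))


# Constructed sample answers in the two formats (not real registry records;
# 203.0.113.0/24 is a documentation range, the organisations are invented).
IANA_SAMPLE = """\
% IANA WHOIS server (constructed sample)
refer:        whois.ripe.net

inetnum:      203.0.0.0 - 203.255.255.255
organisation: Example Registry
"""

RIPE_SAMPLE = """\
% Information related to '203.0.113.0 - 203.0.113.255' (constructed sample)
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-HOSTING-NET
descr:          Example Hosting Ltd
country:        NL
status:         ASSIGNED PA
source:         RIPE
"""

ARIN_SAMPLE = """\
# ARIN WHOIS data (constructed sample)
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-ISP-BLOCK
NetType:        Direct Allocation
OrgName:        Example ISP Inc
OrgId:          EXISP
Country:        US
"""

if __name__ == "__main__":
    print("registry to query:", referral_server(IANA_SAMPLE))
    print("RPSL record:", summarize(RIPE_SAMPLE))
    print("ARIN record:", summarize(ARIN_SAMPLE))
```

The summary deliberately keeps only the range, network name, organisation and country: that is what steps 5 to 7 use, and it reads the same whichever registry answered. Keep the raw text as well, since the handles and "remarks:" lines are what you Google for in step 8.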

Additional Resources

WhoIs for TLD *.ru

http://whois7.ru (Russia Region - English)

http://whois.twnic.net for Taiwan

One website listing blacklisted websites

http://www.joewein.de/sw/dbl-update/2011-03-28.htm

Additional WhoIs Resources

PART 3

Searching the registrars

Input: IP address / Domain Name

Information on who has registered a domain

http://whois.domaintools.com

Example:

http://whois.domaintools.com/businessdevelopmentregistry.com

PART 4

SCAM / SPAM tracking Forums

The Spam Fighters

http://www.joewein.de/sw/dbl-update/

SPAMCOP

http://en.wikipedia.org/wiki/SpamCop

http://www.spamcop.net/

The SPAMHAUS Project

http://en.wikipedia.org/wiki/Spamhaus

http://www.spamhaus.org/

SPAM TRACKERS

• http://rbls.org/ – Lists where a website is blacklisted

• http://dnstree.com/ – Lists the domains related to a specific domain

• http://www.robtex.com/ – Offers many services

SPAM TRACKERS

http://www.scamomatic.com/

For the Lottery-type scam

http://www.419scam.org/

List of Web Tools

http://www.dmoz.org/Computers/Internet/Protocols/DNS/Web_Tools/

TRACK web sites infected with malware

http://support.clean-mx.de/clean-mx/viruses.php

http://malwaredomainlist.com

Read More

http://scamoftheday.com/

http://www.419scam.org/

Also Research the Telephone Numbers

http://www.callwiki.com

http://www.numberinvestigator.com/phone

PART 5

You are now at the end of your investigation. Probably you cannot put a name to the email address that sent that spam email, but you now have a clear understanding that these people are criminals trying to steal the money, identity and computing resources of innocent people!

What can you do next?

How to Report SPAM

Report SPAM to

The Spammer’s ISP

Forums that track spam

http://email.about.com/od/spamandgettingridofit/a/report_spam.htm

Happy WhoIsing !

Appendix - 1

When you read the email header, you should know the following:

Bigfish, Forefront and Postini are software applications used to filter spam emails.

They sometimes run on a different machine (not the email server): this explains addresses such as 10.x.x.x (private RFC 1918 space) in the Received lines.
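Added example, not from the original deck: a Python script for steps 1 to 5 of Part 1 and for the appendix note above. It reads the raw message, walks the Received chain from the bottom (the hop nearest the sender) upwards, skips the private 10.x / 172.16.x / 192.168.x addresses where filtering hosts such as the ones named above live, and reports the first routable address as the candidate origin; it then pulls the link hostnames out of the body as the "target web sites" of step 2 and lists the nslookup/whois queries to run next. The message, hosts and addresses are constructed for the demonstration (203.0.113.45 is a documentation-range address standing in for a public one).

```python
"""Extract the starting points of a spam investigation from a raw message:
the originating public IP (from the Received chain) and the target web
sites (from the links in the body)."""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlsplit

# Constructed sample message (not a real spam); every host and address is
# invented. 10.20.30.40 plays the filtering appliance, 192.168.1.77 the
# sender's LAN address, 203.0.113.45 the sender's public address.
SAMPLE_SPAM = """\
Received: from mailfilter01.example-corp.test (10.20.30.40)
 by mx.example-corp.test; Mon, 14 Dec 2015 09:12:01 +0000
Received: from smtp.example-isp.test (smtp.example-isp.test [203.0.113.45])
 by mailfilter01.example-corp.test; Mon, 14 Dec 2015 09:11:58 +0000
Received: from [192.168.1.77] (unknown [192.168.1.77])
 by smtp.example-isp.test; Mon, 14 Dec 2015 09:11:55 +0000
From: "Lottery Department" <prize@win-big-now.example>
To: victim@example-corp.test
Subject: You have won!

Claim your prize at http://win-big-now.example/claim?id=42
Rules: https://www.win-big-now.example/rules
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Ranges that can never be the spammer's public origin: RFC 1918 private
# space (where the 10.x filter hosts live), loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address is in private, loopback or link-local space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_ips(msg: Message) -> list:
    """First IPv4 address of each Received header, top of message first."""
    ips = []
    for header in msg.get_all("Received", []):
        match = IPV4_RE.search(header)
        if match:
            ips.append(match.group(0))
    return ips


def originating_ip(raw: str):
    """Walk the Received chain from the bottom (closest to the sender) upwards
    and return the first address outside internal space; None if none."""
    msg = message_from_string(raw)
    for ip in reversed(received_ips(msg)):
        try:
            if not is_internal(ip):
                return ip
        except ValueError:  # malformed dotted quad: skip it
            continue
    return None


def message_text(msg: Message) -> str:
    """Body text of a plain or multipart message."""
    if not msg.is_multipart():
        return msg.get_payload(decode=True).decode(errors="replace")
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(parts)


def target_hosts(raw: str) -> list:
    """Unique hostnames of the links in the body, in order of appearance:
    the 'target web sites' of step 2."""
    hosts = []
    for url in URL_RE.findall(message_text(message_from_string(raw))):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def lookup_commands(raw: str) -> list:
    """The nslookup / whois queries of steps 4 and 5 for this message."""
    cmds = [f"nslookup {host}" for host in target_hosts(raw)]
    origin = originating_ip(raw)
    if origin:
        cmds.append(f"whois {origin}")
    return cmds


if __name__ == "__main__":
    print("originating IP:", originating_ip(SAMPLE_SPAM))
    print("target hosts:", target_hosts(SAMPLE_SPAM))
    print("\n".join(lookup_commands(SAMPLE_SPAM)))
```

Only the Received lines written by your own mail servers (the top of the chain) can be trusted; the sender can forge anything below them, which is one of the tools for hiding a real identity that the deck says you should expect to find.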

Reference

• http://email.about.com/cs/spamgeneral/a/spam_headers.htm

• http://email.about.com/od/spamandgettingridofit/a/report_spam.htm