Identity Theft - Australian Response - OECD · 2016-03-29


Copyright © 2005 AusCERT

Identity Theft - Australian Response

Jamie Gillespie

Senior Security Analyst, AusCERT


Overview

• Scope of Identity Theft in Australia
• AusCERT’s Role
  – Local IR
  – International IR
  – Analysis
• Response Procedures
• Trends (Present and Future)


Scope of Australian ID theft

• Primary instances:
  – Target: Financial Institutions
  – Methods: Phishing web sites and Trojan malware
  – Perpetrators: evidence to suggest non-Australian based organised crime
• Other (incl. Government) systems have been “collateral damage” in attacks targeting financial institutions
• Smaller local incidents of identity theft
• Evidence of more targeted attacks against Australian (and other) government sites


Scope of Australian ID Theft

[Chart: ID Theft Incidents Handled by AusCERT, 1 April 2004 to 23 August 2005. Monthly incident counts from Apr 2004 to Aug 2005 for three series: Trojans, Phishes, Mules.]


Scope of Australian ID Theft

• Not just the banks…

• centrelink.gov.au
  – Government social services
• ebay.com.au
• etradeaustralia.com.au
• gu.edu.au
  – University
• iinet.net.au
  – ISP
• melbourneit.com.au
• myob.com.au
• optusnet.com.au
• qantas.com.au
  – Airline
• sa.gov.au
• thrifty.com.au
  – Car rental company

• .gov.au
• .gov.uk
• .gov
• .mil

• “Question for seller”
• 8.7 MB of text
• Bitmap screenshots
• 1652 unique IP addresses
• 1130 domains


Scope of Australian ID Theft

[Chart: Tsunami Trojan: Infections and Logging. X axis: date / time, 19/11/2004 to 19/12/2004. Y axis: logging site hits, 0 to 12000. Series: Data logged, Trojan infections.]


AusCERT’s Role: Local

• Local response arrangements
  – Strong co-operation with the Australian High Tech Crime Centre (AHTCC)
  – Banking and Financial Sector information sharing and threat/incident analysis
  – AusCERT members and the general public
  – Australian ISPs
  – Local law enforcement mailing lists (local forensics groups)


AusCERT’s Role: International

• APCERT teams – excellent assistance in the rapid closure of sites within their constituencies

• CERTs, AV vendors and other security researchers providing reverse engineering and analysis

• CERT.br (Brazil) – future trends due to advanced local ID theft

• Other national CERTs assisting with site closure


AusCERT’s Role: International

• APACS and BFK – sharing incident response with AusCERT enabling (limited) 24 hour coverage

• Closed mailing lists: APWG, FIRST, APCERT, AVIEN, others

• ISPs and registrars (e.g. YesNIC)


AusCERT’s Role: Analysis

• Analysis
  – Mailing lists to share information and intelligence between banks and AusCERT
  – Crime survey
  – Threat analysis
  – Monitoring vulnerabilities, PoCs and exploit activity


Response Procedures

[Diagram. Labels: Evil Scammer; Scam Reporter (Aus Bank, UK Bank, All Bank); Banking Reporter (Phishing Report Form, Trojan Report Form); Trawlinator; Troj-O-Matic; Web Report; Scanner; AusCERT CC Team; Incident Created!]


Response Procedures

[Diagram. Labels: Incident; AHTCC Template; APACS Template; Local CERT Template; ISP/Registrant Template; Virus-Submit Template; Scamalizer; APACS; Virus-Submit; Local CERT; ISP/Registrant; Offending Website; DNS/Whois and Contacts; AusCERT CC Team]


Questions

Questions or comments?