Investigating Large-Scale Internet Crimes


Transcript of Investigating Large-Scale Internet Crimes

Page 1: Investigating Large-Scale Internet Crimes

Computer Crime and Intellectual Property Section

June 2010

Large-Scale Internet Crimes: Global Reach, Vast Numbers, and Anonymity

Albert Rees, Computer Crime and Intellectual Property Section (CCIPS)

Criminal Division, United States Department of Justice

Page 2: Investigating Large-Scale Internet Crimes


REMJA Working Group on Cybercrime: www.oas.org/juridico/spanish/ and www.oas.org/juridico/english/

[email protected], +1 (202) 514-1026

Computer Crime and Intellectual Property Section: www.cybercrime.gov

Page 3: Investigating Large-Scale Internet Crimes

USDOJ-CCIPS / OEA-REMJA

Agenda

Globalization of crime

Some vexing problems

Anonymity

Botnets

Carding

Digital currency


Page 4: Investigating Large-Scale Internet Crimes


Globalization of Crime


Page 5: Investigating Large-Scale Internet Crimes


Globalization of Crime

The Internet knows no borders

Criminals exploit the Internet

Global reach

Anonymity

Safe havens

Mass targets

Page 6: Investigating Large-Scale Internet Crimes


Global Cybercrime Snapshots – 2009

Botnets*

6.8 million bot-infected computers

47,000 active each day

17,000 new command and control servers

*Symantec Internet Security Threat Report, Vol. XV, April 2010

Page 7: Investigating Large-Scale Internet Crimes


Geographic distribution of infected computers in a single ZeuS botnet.

Page 8: Investigating Large-Scale Internet Crimes


Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010

Page 9: Investigating Large-Scale Internet Crimes


Global Cybercrime Snapshots – 2009

2.9 million new malicious code threats*

Data breaches from hacking – examples**

160,000 health insurance and medical records – university

530,000 social security numbers – government agency

570,000 credit card records – business

750,000 customer records – mobile telephone service provider

130,000,000 credit card numbers – credit card processor

*Symantec Internet Security Threat Report, Vol. XV, April 2010

**Open Security Foundation, Dataloss Database, 2009

Page 10: Investigating Large-Scale Internet Crimes


Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010

Page 11: Investigating Large-Scale Internet Crimes


Online Underground Economy


Symantec Internet Security Threat Report, Vol. XV, April 2010

Page 12: Investigating Large-Scale Internet Crimes


The Players

Cyber-economy crime organizations

Traditional organized crime – drugs, guns, goods, people

Gangs

Extremists – terrorist organizations

Professional hackers

Spammers

Cybercrime organizations


Page 13: Investigating Large-Scale Internet Crimes


Page 14: Investigating Large-Scale Internet Crimes


Some Vexing Problems

Anonymity

Botnets

Carding Forums

Digital Currency


Page 15: Investigating Large-Scale Internet Crimes


Anonymity


Page 16: Investigating Large-Scale Internet Crimes


Attribution is Difficult…Impossible?

Savvy online criminals know how to hide

False identification

Domain name registration

Stolen credit cards

Services that do not verify user information

Online tools

Proxies

Anonymizing network

Peer-to-peer


Decentralized – Segmented – Redundant – Resilient

Page 17: Investigating Large-Scale Internet Crimes


Web Proxy

Sits between ISP and web server

ISP and web server no longer talk to each other directly

Result: user anonymity from web server

[Diagram: USER → ISP → WEB PROXY → WEB SERVER]


Page 18: Investigating Large-Scale Internet Crimes


Web Proxies

Type in the site you want


Page 19: Investigating Large-Scale Internet Crimes


Web-Based Proxies

The proxy gets the site and passes it to you

You are still communicating with the proxy


Page 20: Investigating Large-Scale Internet Crimes


Peer-to-Peer file sharing (P2P)

Sharing files, using servers as little as possible


Page 21: Investigating Large-Scale Internet Crimes


Old style P2P

Relied on a server to keep track of the peers

[Diagram: a peer asks the server "Who has KIDDIE.MPG?"; the server answers "Second computer from the right."]

Page 22: Investigating Large-Scale Internet Crimes


Newer style P2P

Uses “supernodes” instead of central servers

[Diagram: a supernode receives "Who has KIDDIE.MPG?", replies "I'll ask the other supernodes," and another supernode answers "One of my nodes has it."]


Page 23: Investigating Large-Scale Internet Crimes


P2P today: Gigatribe and Darknets

Small, private communities sharing files


Difficult to find and enter


Page 24: Investigating Large-Scale Internet Crimes


P2P today: BitTorrent

Efficient technology for a huge number of people to share huge files


Tracker: knows which computer has which pieces of the file

Leecher: peer still downloading

Seeder: peer offering all pieces

To join, get a .torrent file that identifies the tracker.


Page 25: Investigating Large-Scale Internet Crimes


Anonymizing Network: Tor

Client = computer using Tor for anonymity

Onion Router (OR) = computer that forwards data and anonymizes it (currently about 1200)

Circuit = path taken by data through ORs

[Diagram: Client → OR → OR → OR → Web Server]

Tor = The Onion Router, an anonymity network that routes communication through multiple proxies, each with an independent layer of encryption (like an onion)
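To make the "layer per proxy" idea concrete, here is an added walk-through that is not part of the original slides: a client wraps one message in one encryption layer per Onion Router in its circuit, and each OR can strip only its own layer, so it learns the next hop and nothing else. The OR names and pre-shared keys are constructed for the demo, and the cipher is a standard-library keystream toy chosen so the example runs offline; it is not Tor's actual protocol or key exchange.

```python
# Added onion-routing illustration (not from the slides). Each OR shares a key
# with the client; the client encrypts innermost-first so that stripping layers
# in circuit order reveals only the next hop at each OR. Toy cipher, not Tor's.
import hashlib
import hmac
import json

def keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Each key wraps one layer only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream is its own inverse: one function encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build_onion(circuit, destination: str, payload: str) -> bytes:
    # circuit: [(or_name, key_shared_with_that_or), ...] ordered entry -> exit.
    # Innermost layer (exit OR's key) holds the real destination and payload;
    # each outer layer names only the next OR and carries the rest as opaque bytes.
    onion = xor_crypt(circuit[-1][1], json.dumps({"next": destination, "payload": payload}).encode())
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        onion = xor_crypt(key, json.dumps({"next": next_name, "inner": onion.hex()}).encode())
    return onion

def peel_layer(key: bytes, onion: bytes):
    # What one OR sees after removing its own layer: (next hop, remaining blob, payload).
    # Only the exit OR obtains a payload; intermediate ORs get bytes they cannot decrypt.
    cell = json.loads(xor_crypt(key, onion))
    if "inner" in cell:
        return cell["next"], bytes.fromhex(cell["inner"]), None
    return cell["next"], b"", cell["payload"]

def walk_circuit(circuit, destination: str, payload: str):
    # Pass the onion through every OR in turn and record what each one learned.
    onion, learned = build_onion(circuit, destination, payload), []
    for name, key in circuit:
        next_hop, onion, delivered = peel_layer(key, onion)
        learned.append((name, next_hop, delivered))
    return learned

# Constructed three-OR circuit with hypothetical names and pre-shared keys.
CIRCUIT = [("entry-OR", b"k-entry"), ("middle-OR", b"k-middle"), ("exit-OR", b"k-exit")]

if __name__ == "__main__":
    for name, next_hop, delivered in walk_circuit(CIRCUIT, "web-server.example", "GET /"):
        print(f"{name}: next hop = {next_hop}, payload seen = {delivered!r}")
```

The printed log shows the property the slide relies on: the entry OR knows the client and the middle OR, the middle OR knows only its two neighbours, and only the exit OR sees the destination and payload.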


Page 26: Investigating Large-Scale Internet Crimes


Botnets


Page 27: Investigating Large-Scale Internet Crimes


What is a Botnet?

A network of robots (bots)

Robot: an automatic machine that can be programmed to perform specific tasks

Also known as ‘Zombies’

Thousands of computers controlled

A powerful network at “no cost”


Page 28: Investigating Large-Scale Internet Crimes


Purpose of a Botnet

Distributed denial of service attacks

Advertising – spamming

Sniffing traffic

Keylogging

Spreading new malware

Installing advertisements

Attacking IRC networks

Manipulating online polls or games

Mass identity theft


Page 29: Investigating Large-Scale Internet Crimes


IRC Botnets

Earlier Botnets controlled by Command and Control (C2) server

[Diagram: botnet user issuing commands to the bots through a single C2 server]


Page 30: Investigating Large-Scale Internet Crimes


IRC Botnets

Newer Botnets distribute and have redundant C2 servers

[Diagram: botnet user issuing commands to the bots through several redundant C2 servers]


Page 31: Investigating Large-Scale Internet Crimes


P2P Botnets

Distributed control


Page 32: Investigating Large-Scale Internet Crimes


P2P Botnets

Hard to Disable


Page 33: Investigating Large-Scale Internet Crimes


Carding


Page 34: Investigating Large-Scale Internet Crimes


What is Carding?

Carding: large-scale fraudulent use of stolen credit or debit card information

Carding forums: websites and bulletin boards dedicated to carding

Data usually comes from phishing/spamming or data breaches, rather than “real world” thefts

Bulk transactions (“dumps”) are the norm

Credit card data can be encoded on plastic cards for card-present transactions


Page 35: Investigating Large-Scale Internet Crimes


What do Carding Forums Offer?

Identity documents

Stolen financial information

User names and passwords

“Full info” – package of data on victim

Card-making equipment and blanks

Tutorials on how to be a carder or hacker


Page 36: Investigating Large-Scale Internet Crimes


Page 37: Investigating Large-Scale Internet Crimes


Digital Currency


Page 38: Investigating Large-Scale Internet Crimes


Page 39: Investigating Large-Scale Internet Crimes


Characteristics of Digital Currency

Often “backed” by a precious metal such as gold

May involve both an issuer and an exchanger

Can be transferred to other digital currency

Popular with cyber-criminals


Page 40: Investigating Large-Scale Internet Crimes


Example: WebMoney Transfer (www.wmtransfer.com)

Based in Russia

Open account by downloading WebMoney client and providing name, address, and e-mail address

Accepts bank transfers, credit cards, money orders, and cash

Can transfer funds from one account to another


Page 41: Investigating Large-Scale Internet Crimes


Summary

Globalization of crime

Some vexing problems

Anonymity

Botnets

Carding

Digital currency


Page 42: Investigating Large-Scale Internet Crimes
