Investigating Large-Scale Internet Crimes
Transcript of Investigating Large-Scale Internet Crimes
Computer Crime and Intellectual Property Section
June 2010
Large-Scale Internet Crimes: Global Reach, Vast Numbers, and Anonymity
Albert Rees, Computer Crime and Intellectual Property Section (CCIPS)
Criminal Division, United States Department of Justice
REMJA Working Group on Cybercrime: www.oas.org/juridico/spanish/ and www.oas.org/juridico/english/
[email protected], +1 (202) 514-1026
Computer Crime and Intellectual Property Section: www.cybercrime.gov
USDOJ-CCIPS / OEA-REMJA
Agenda
Globalization of crime
Some vexing problems
Anonymity
Botnets
Carding
Digital currency
Globalization of Crime
Globalization of Crime
The Internet knows no borders
Criminals exploit the Internet
Global reach
Anonymity
Safe havens
Mass targets
Global Cybercrime Snapshots – 2009
Botnets*
6.8 million bot-infected computers
47,000 active each day
17,000 new command and control servers
*Symantec Internet Security Threat Report, Vol. XV, April 2010
Geographic distribution of infected computers in a single ZeuS botnet.
Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010
Global Cybercrime Snapshots – 2009
2.9 million new malicious code threats*
Data breaches from hacking – examples**
160,000 health insurance and medical records – university
530,000 social security numbers – government agency
570,000 credit card records – business
750,000 customer records – mobile telephone service provider
130,000,000 credit card numbers – credit card processor
*Symantec Internet Security Threat Report, Vol. XV, April 2010
**Open Security Foundation, Dataloss Database, 2009
Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010
Online Underground Economy
Symantec Internet Security Threat Report, Vol. XV, April 2010
The Players
Cyber-economy crime organizations
Traditional organized crime – drugs, guns, goods, people
Gangs
Extremists – terrorist organizations
Professional hackers
Spammers
Cybercrime organizations
Some Vexing Problems
Anonymity
Botnets
Carding Forums
Digital Currency
Anonymity
Attribution is Difficult… Impossible?
Savvy online criminals know how to hide
False identification
Domain name registration
Stolen credit cards
Services that do not verify user information
Online tools
Proxies
Anonymizing network
Peer-to-peer
Decentralized – Segmented – Redundant – Resilient
Web Proxy
Sits between ISP and web server
ISP and web server no longer talk to each other directly
Result: user anonymity from web server
(Diagram: USER – ISP – WEB PROXY – WEB SERVER)
Web Proxies
Type in the site you want
Web-Based Proxies
The proxy gets the site and passes it to you
You are still communicating with the proxy
Peer-to-Peer file sharing (P2P)
Sharing files, using servers as little as possible
Old style P2P
Relied on a server to keep track of the peers
Who has KIDDIE.MPG?
Second computer from the right.
Newer style P2P
Uses “supernodes” instead of central servers
Who has KIDDIE.MPG? I’ll ask the other supernodes.
One of my nodes has it.
P2P today: Gigatribe and Darknets
Small, private communities sharing files
Difficult to find and enter
P2P today: BitTorrent
Efficient technology for a huge number of people to share huge files
Tracker: knows which computer has which pieces of the file
Leecher: peer still downloading
Seeder: peer offering all pieces
To join, get a .torrent file that identifies the tracker.
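As an added illustration (not part of the slides), a minimal parser for the bencoded .torrent format that pulls out the tracker URL, the file name and the piece count an investigator would record; the sample torrent bytes are constructed here, not taken from any real file.

```python
def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                            # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                            # list: l<items>e
        i, items = i + 1, []
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                            # dict: d<key><value>...e (keys are strings)
        i, out = i + 1, {}
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            out[k] = v
        return out, i + 1
    colon = data.index(b":", i)              # byte string: <length>:<bytes>
    length = int(data[i:colon])
    start = colon + 1
    return data[start:start + length], start + length


def torrent_summary(raw: bytes) -> dict:
    """Extract the fields that identify the tracker and the shared file."""
    meta, _ = bdecode(raw)
    info = meta[b"info"]
    return {
        "tracker": meta[b"announce"].decode(),       # the tracker the slide refers to
        "name": info[b"name"].decode(),
        "length": info[b"length"],
        "piece_length": info[b"piece length"],
        "pieces": len(info[b"pieces"]) // 20,        # one 20-byte SHA-1 hash per piece
    }


# Constructed sample: a single-file torrent with two pieces and one tracker.
SAMPLE_TORRENT = (
    b"d8:announce30:http://tracker.example.org/ann"
    b"4:infod6:lengthi1048576e4:name9:video.mpg12:piece lengthi524288e"
    b"6:pieces40:" + b"\x00" * 40 + b"ee"
)

if __name__ == "__main__":
    print(torrent_summary(SAMPLE_TORRENT))
```

Real .torrent files often also carry an announce-list key with backup trackers, which the same decoder returns as a nested list.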
Anonymizing Network: Tor
Client = computer using Tor for anonymity
Onion Router (OR) = computer that forwards data and anonymizes it (currently about 1200)
Circuit = path taken by data through ORs
(Diagram: Client – OR – OR – OR – Web Server)
Tor = The Onion Router, an anonymity network that routes communication through multiple proxies, each with an independent layer of encryption (like an onion)
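An added illustration (not from the slides, and not Tor's real protocol) of why a circuit defeats attribution: the client wraps its request in one encryption layer per OR, and each OR can remove only its own layer, so it learns its neighbours but never both the client and the destination. The XOR stream cipher, the three ORs and their keys are constructed stand-ins for Tor's per-hop ciphers.

```python
import hashlib

def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256-derived keystream. A toy stand-in for Tor's real
    per-hop cipher; used only so each layer is unreadable without its key."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed circuit: three ORs, each holding a key shared only with the client.
CIRCUIT = ["OR1", "OR2", "OR3"]
OR_KEYS = {"OR1": b"key-or1", "OR2": b"key-or2", "OR3": b"key-or3"}

def build_onion(payload: bytes, circuit, keys, destination=b"WEB") -> bytes:
    """Client side: one encryption layer per hop, innermost for the exit OR.
    Each layer names only the next hop, so no single layer reveals the path."""
    next_hop, cell = destination, payload
    for hop in reversed(circuit):
        cell = toy_stream_cipher(keys[hop], next_hop + b"|" + cell)
        next_hop = hop.encode()
    return cell                     # this is what the client sends to the first OR

def peel(hop: str, cell: bytes, keys):
    """OR side: remove one layer, learn the next hop, forward the remainder."""
    plain = toy_stream_cipher(keys[hop], cell)
    next_hop, inner = plain.split(b"|", 1)
    return next_hop.decode(), inner

def run_circuit(onion: bytes, circuit, keys):
    """Pass the onion hop by hop and record what each OR was able to see."""
    observed, prev, cell = [], "client", onion
    for hop in circuit:
        next_hop, cell = peel(hop, cell, keys)
        observed.append((hop, prev, next_hop))   # an OR knows its neighbours only
        prev = hop
    return observed, cell                        # exit OR hands plaintext to WEB

if __name__ == "__main__":
    onion = build_onion(b"GET /index.html", CIRCUIT, OR_KEYS)
    for entry in run_circuit(onion, CIRCUIT, OR_KEYS)[0]:
        print("%s sees previous=%s next=%s" % entry)
```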
Computer Crime andIntellectual Property Section
Botnets
What is a Botnet?
A network of robots (bots)
Robot: an automatic machine that can be programmed to perform specific tasks
Also known as ‘Zombies’
Thousands of computers controlled
A powerful network at “no cost”
Purpose of a Botnet
Distributed denial of service attacks
Advertising – spamming
Sniffing traffic
Keylogging
Spreading new malware
Installing advertisements
Attacking IRC networks
Manipulating online polls or games
Mass identity theft
IRC Botnets
Earlier Botnets controlled by Command and Control (C2) server
(Diagram label: Botnet user)
IRC Botnets
Newer Botnets distribute and have redundant C2 servers
(Diagram label: Botnet user)
P2P Botnets
Distributed control
P2P Botnets
Hard to Disable
Carding
What is Carding?
Carding: large-scale fraudulent use of stolen credit or debit card information
Carding forums: websites and bulletin boards dedicated to carding
Data usually comes from phishing/spamming or data breaches, rather than “real world” thefts
Bulk transactions (“dumps”) are the norm
Credit card data can be encoded on plastic cards for card-present transactions
What do Carding Forums Offer?
Identity documents
Stolen financial information
User names and passwords
“Full info” – package of data on victim
Card-making equipment and blanks
Tutorials on how to be a carder or hacker
Digital Currency
Characteristics of Digital Currency
Often “backed” by a precious metal such as gold
May involve both an issuer and an exchanger
Can be transferred to other digital currency
Popular with cyber-criminals
Example: WebMoney Transfer (www.wmtransfer.com)
Based in Russia
Open account by downloading WebMoney client and providing name, address, and e-mail address
Accepts bank transfers, credit cards, money orders, and cash
Can transfer funds from one account to another
Summary
Globalization of crime
Some vexing problems
Anonymity
Botnets
Carding
Digital currency