Large-Scale Internet Crimes: Global Reach, Vast Numbers, and Anonymity

Anthony V. Teelucksingh
Computer Crime and Intellectual Property Section (CCIPS)
Criminal Division, United States Department of Justice

August 2010

REMJA Working Group on Cybercrime
www.oas.org/juridico/spanish/
www.oas.org/juridico/english/

[email protected]
+1 (202) 514-1026

Computer Crime and Intellectual Property Section
www.cybercrime.gov

USDOJ-CCIPS, OEA-REMJA

Agenda

Globalization of crime

Some vexing problems

- Anonymity
- Botnets
- Carding
- Digital currency

Globalization of Crime

The Internet knows no borders

Criminals exploit the Internet

- Global reach
- Anonymity
- Safe havens
- Mass targets

Global Cybercrime Snapshots – 2009

Botnets*

- 6.8 million bot-infected computers
- 47,000 active each day
- 17,000 new command and control servers

*Symantec Internet Security Threat Report, Vol. XV, April 2010

[Figure: Geographic distribution of infected computers in a single ZeuS botnet.]

Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010

Global Cybercrime Snapshots – 2009

2.9 million new malicious code threats*

Data breaches from hacking – examples**

- 160,000 health insurance and medical records – university
- 530,000 social security numbers – government agency
- 570,000 credit card records – business
- 750,000 customer records – mobile telephone service provider
- 130,000,000 credit card numbers – credit card processor

*Symantec Internet Security Threat Report, Vol. XV, April 2010
**Open Security Foundation, Dataloss Database, 2009

Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010

Online Underground Economy

Symantec Internet Security Threat Report, Vol. XV, April 2010

The Players

- Cyber-economy crime organizations
- Traditional organized crime – drugs, guns, goods, people
- Gangs
- Extremists – terrorist organizations

- Professional hackers
- Spammers
- Cybercrime organizations

Some Vexing Problems

Anonymity

Botnets

Carding Forums

Digital Currency

Anonymity

Attribution is Difficult… Impossible?

Savvy online criminals know how to hide

False identification

- Domain name registration
- Stolen credit cards
- Services that do not verify user information

Online tools

- Proxies
- Anonymizing network
- Peer-to-peer

Decentralized – Segmented – Redundant – Resilient

Web Proxy

- Sits between ISP and web server
- ISP and web server no longer talk to each other directly
- Result: user anonymity from web server

[Diagram: USER, ISP, WEB PROXY, WEB SERVER]

Web Proxies

Type in the site you want

Web-Based Proxies

The proxy gets the site and passes it to you

You are still communicating with the proxy

Peer-to-Peer file sharing (P2P)

Sharing files, using servers as little as possible

Old style P2P

Relied on a server to keep track of the peers

Who has KIDDIE.MPG?

Second computer from the right.

Newer style P2P

Uses “supernodes” instead of central servers

Who has KIDDIE.MPG?

I’ll ask the other supernodes.

One of my nodes has it.

P2P today: Gigatribe and Darknets

Small, private communities sharing files

Difficult to find and enter

P2P today: BitTorrent

Efficient technology for a huge number of people to share huge files

Tracker: knows which computer has which pieces of the file

Leecher: peer still downloading

Seeder: peer offering all pieces

To join, get a .torrent file that identifies the tracker.

Anonymizing Network: Tor

- Client = computer using Tor for anonymity
- Onion Router (OR) = computer that forwards data and anonymizes it (currently about 1200)
- Circuit = path taken by data through ORs

[Diagram: Client, OR, OR, OR, Web Server]

Tor = The Onion Router, an anonymity network that routes communication through multiple proxies, each with an independent layer of encryption (like an onion)

Botnets

What is a Botnet?

A network of robots (bots)

- Robot: an automatic machine that can be programmed to perform specific tasks

Also known as ‘Zombies’

Thousands of computers controlled

A powerful network at “no cost”

Purpose of a Botnet

- Distributed denial of service attacks
- Advertising – spamming
- Sniffing traffic
- Keylogging
- Spreading new malware
- Installing advertisements
- Attacking IRC networks
- Manipulating online polls or games
- Mass identity theft

IRC Botnets

Earlier Botnets controlled by Command and Control (C2) server

[Diagram: Botnet user]

Newer Botnets distribute and have redundant C2 servers

[Diagram: Botnet user]

P2P Botnets

Distributed control

Hard to Disable

Carding

What is Carding?

Carding: large-scale fraudulent use of stolen credit or debit card information

Carding forums: websites and bulletin boards dedicated to carding

Data usually comes from phishing/spamming or data breaches, rather than “real world” thefts

Bulk transactions (“dumps”) are the norm

Credit card data can be encoded on plastic cards for card-present transactions

What do Carding Forums Offer?

Identity documents

Stolen financial information

User names and passwords

“Full info” – package of data on victim

Card-making equipment and blanks

Tutorials on how to be a carder or hacker

Digital Currency

Characteristics of Digital Currency

- Often “backed” by a precious metal such as gold
- May involve both an issuer and an exchanger
- Can be transferred to other digital currency
- Popular with cyber-criminals

Example:

WebMoney Transfer (www.wmtransfer.com)

Based in Russia

Open account by downloading WebMoney client and providing name, address, and e-mail address

Accepts bank transfers, credit cards, money orders, and cash

Can transfer funds from one account to another

Summary

Globalization of crime

Some vexing problems

- Anonymity
- Botnets
- Carding
- Digital currency
