Computer Crime and Intellectual Property Section
August 2010

Large-Scale Internet Crimes: Global Reach, Vast Numbers, and Anonymity
Anthony V. Teelucksingh, Computer Crime and Intellectual Property Section (CCIPS)
Criminal Division, United States Department of Justice
REMJA Working Group on Cybercrime
www.oas.org/juridico/spanish/
www.oas.org/juridico/english/
[email protected]
+1 (202) 514-1026
Computer Crime and Intellectual Property Section
www.cybercrime.gov
Agenda
Globalization of crime
Some vexing problems
  Anonymity
  Botnets
  Carding
  Digital currency
Globalization of Crime
The Internet knows no borders
Criminals exploit the Internet
Global reach
Anonymity
Safe havens
Mass targets
Global Cybercrime Snapshots – 2009
Botnets*
6.8 million bot-infected computers
47,000 active each day
17,000 new command and control servers
*Symantec Internet Security Threat Report, Vol. XV, April 2010
Geographic distribution of infected computers in a single ZeuS botnet.
Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010
Global Cybercrime Snapshots – 2009
2.9 million new malicious code threats*
Data breaches from hacking – examples**
160,000 health insurance and medical records – university
530,000 social security numbers – government agency
570,000 credit card records – business
750,000 customer records – mobile telephone service provider
130,000,000 credit card numbers – credit card processor
*Symantec Internet Security Threat Report, Vol. XV, April 2010
**Open Security Foundation, Dataloss Database, 2009
Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010
Online Underground Economy
Symantec Internet Security Threat Report, Vol. XV, April 2010
The Players
Cyber-economy crime organizations
Traditional organized crime – drugs, guns, goods, people
Gangs
Extremists – terrorist organizations
Professional hackers
Spammers
Cybercrime organizations
Some Vexing Problems
Anonymity
Botnets
Carding Forums
Digital Currency
Anonymity
Attribution is Difficult… Impossible?
Savvy online criminals know how to hide
False identification
  Domain name registration
  Stolen credit cards
  Services that do not verify user information
Online tools
  Proxies
  Anonymizing network
  Peer-to-peer
Decentralized – Segmented – Redundant – Resilient
Web Proxy
Sits between ISP and web server
ISP and web server no longer talk to each other directly
Result: user anonymity from web server
[Diagram: USER – ISP – WEB PROXY – WEB SERVER]
Web Proxies
Type in the site you want
Web-Based Proxies
The proxy gets the site and passes it to you
You are still communicating with the proxy
Peer-to-Peer file sharing (P2P)
Sharing files, using servers as little as possible
Old style P2P
Relied on a server to keep track of the peers
[Diagram: a peer asks the server "Who has KIDDIE.MPG?"; the server answers "Second computer from the right."]
Newer style P2P
Uses “supernodes” instead of central servers
[Diagram: a peer asks its supernode "Who has KIDDIE.MPG?"; the supernode says "I'll ask the other supernodes."; another supernode answers "One of my nodes has it."]
P2P today: Gigatribe and Darknets
Small, private communities sharing files
Difficult to find and enter
P2P today: BitTorrent
Efficient technology for a huge number of people to share huge files
Tracker: knows which computer has which pieces of the file
Leecher: peer still downloading
Seeder: peer offering all pieces
To join, get a .torrent file that identifies the tracker.
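An added example, not from the presentation: a minimal decoder for the bencode format that .torrent files use, which reads the tracker URL the slide refers to and computes the SHA-1 "info hash" that identifies a swarm to the tracker. The sample .torrent bytes, tracker address and file name are constructed for the example.

```python
import hashlib

def _decode(data: bytes, i: int = 0, spans=None):
    """Decode one bencoded value at offset i; return (value, offset after it).
    If spans is given (top-level dict only), record the raw byte range of each value."""
    c = data[i:i + 1]
    if c == b"i":                       # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                       # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                       # dict: d<key><value>...e, keys are byte strings
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            start = i
            value, i = _decode(data, i)
            result[key] = value
            if spans is not None:
                spans[key] = (start, i)
        return result, i + 1
    if c.isdigit():                     # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        return data[colon + 1:colon + 1 + length], colon + 1 + length
    raise ValueError(f"bad bencode at offset {i}")

def parse_torrent(data: bytes) -> dict:
    """Extract the tracker and the info hash (SHA-1 over the raw bencoded 'info' dict)."""
    spans = {}
    meta, _ = _decode(data, 0, spans)
    start, end = spans[b"info"]
    return {
        "tracker": meta[b"announce"].decode(),
        "name": meta[b"info"][b"name"].decode(),
        "info_hash": hashlib.sha1(data[start:end]).hexdigest(),
        "size": meta[b"info"][b"length"],
    }

# Constructed single-file .torrent: announce URL plus an info dict with 20 zero bytes of piece hashes.
SAMPLE_TORRENT = (
    b"d8:announce31:http://tracker.example/announce"
    b"4:infod6:lengthi12345e4:name10:sample.bin12:piece lengthi16384e6:pieces20:"
    + b"\x00" * 20 + b"ee"
)
```

Running parse_torrent(SAMPLE_TORRENT) yields the tracker URL, file name, size and a 40-hex-digit info hash; an investigator would query the tracker with that hash to learn which peers are in the swarm.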
Anonymizing Network: Tor
Client = computer using Tor for anonymity
Onion Router (OR) = computer that forwards data and anonymizes it (currently about 1200)
Circuit = path taken by data through ORs
[Diagram: Client – OR – OR – OR – Web Server]
Tor = The Onion Router, an anonymity network that routes communication through multiple proxies, each with an independent layer of encryption (like an onion)
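As an added illustration, not part of the presentation, of why a circuit defeats attribution: this Python script wraps a request in one encryption layer per Onion Router, then forwards it hop by hop and records what each OR can observe. The relay names, session keys and request are constructed, and the SHA-256 counter keystream stands in for Tor's real ciphers and key exchange.

```python
import hashlib
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream: a stand-in for Tor's AES-CTR, symmetric."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (off // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: nonce || Enc_key(len(next_hop) || next_hop || inner)."""
    nonce, hop = os.urandom(8), next_hop.encode()
    return nonce + keystream_xor(key, nonce, bytes([len(hop)]) + hop + inner)

def peel_layer(key: bytes, cell: bytes):
    """What one OR does: remove its layer, learning only the next hop and an opaque inner blob."""
    body = keystream_xor(key, cell[:8], cell[8:])
    n = body[0]
    return body[1:1 + n].decode(), body[1 + n:]

def build_circuit_cell(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the exit layer first so each OR, entry to exit, removes exactly one.
    circuit = ordered list of (or_name, session_key); the OR after each hop is its next_hop."""
    hops = [name for name, _ in circuit[1:]] + [destination]
    cell = payload
    for (_, key), next_hop in reversed(list(zip(circuit, hops))):
        cell = wrap_layer(key, next_hop, cell)
    return cell

def trace_circuit(circuit, cell: bytes):
    """Forward the cell through the ORs and record what each one can observe."""
    views = []
    for name, key in circuit:
        next_hop, cell = peel_layer(key, cell)
        views.append({"or": name, "next_hop": next_hop, "inner": cell})
    return views

# Constructed circuit; in Tor the per-hop keys come from the circuit-building key exchange.
CIRCUIT = [("entry-OR", os.urandom(32)), ("middle-OR", os.urandom(32)), ("exit-OR", os.urandom(32))]
REQUEST = b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n"  # constructed request

def demo():
    """Returns one view per OR: only the exit learns the destination and sees the request."""
    return trace_circuit(CIRCUIT, build_circuit_cell(CIRCUIT, "example.com:80", REQUEST))
```

The entry OR knows the client and the middle OR but not the destination; the exit knows the destination but not the client, which is the attribution gap the slide describes.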
Botnets
What is a Botnet?
A network of robots (bots)
Robot: an automatic machine that can be programmed to perform specific tasks
Also known as ‘Zombies’
Thousands of computers controlled
A powerful network at “no cost”
Purpose of a Botnet
Distributed denial of service attacks
Advertising – spamming
Sniffing traffic
Keylogging
Spreading new malware
Installing advertisements
Attacking IRC networks
Manipulating online polls or games
Mass identity theft
IRC Botnets
Earlier botnets were controlled by a Command and Control (C2) server
[Diagram: botnet user, C2 server, bots]
IRC Botnets
Newer botnets distribute control across redundant C2 servers
[Diagram: botnet user, redundant C2 servers, bots]
P2P Botnets
Distributed control
P2P Botnets
Hard to Disable
Carding
What is Carding?
Carding: large-scale fraudulent use of stolen credit or debit card information
Carding forums: websites and bulletin boards dedicated to carding
Data usually comes from phishing/spamming or data breaches, rather than “real world” thefts
Bulk transactions (“dumps”) are the norm
Credit card data can be encoded on plastic cards for card-present transactions
What do Carding Forums Offer?
Identity documents
Stolen financial information
User names and passwords
“Full info” – package of data on victim
Card-making equipment and blanks
Tutorials on how to be a carder or hacker
Digital Currency
Characteristics of Digital Currency
Often “backed” by a precious metal such as gold
May involve both an issuer and an exchanger
Can be transferred to other digital currency
Popular with cyber-criminals
Example: WebMoney Transfer (www.wmtransfer.com)
Based in Russia
Open account by downloading WebMoney client and providing name, address, and e-mail address
Accepts bank transfers, credit cards, money orders, and cash
Can transfer funds from one account to another
Summary
Globalization of crime
Some vexing problems
  Anonymity
  Botnets
  Carding
  Digital currency