© 2007 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialSession IDPresentation_ID 1
Internet Criminals
Why? How to fight them
Henrik Davidsson
Nordic Territory Manager
IronPort, A Cisco Business Unit
Pop quiz
1978: First spam
(A digital marketing rep sends an email to every ARPANET address)
Why?
Spam Trends Through October, 2007
[Chart: Average Daily Volume (billions) by date, Oct-05 through Oct-07]
Spam volumes up 108% in last four months
PDF spam
In top 10 largest outbreaks of 2007
Outbreak represented 9% of all email traffic, or over 5B messages
The outbreak was distributed by over 75K zombies
Recipients of the attack were heavily focused in Europe.
Excel Spam, July 21st, 2007
• Spam sent as text inside an Excel file
• First appeared July 21st, 2007
• Within hours, represented 17% of total spam volumes
Outbreak Description
Excel Spam Example
[Chart: Spam Volumes by Type, % of total spam for image, PDF and Excel spam, 1-Jun to 13-Jul]
MP3 Spam Outbreak, October 17th, 2007
• Spam sent as MP3 audio files
• files named after popular songs / musicians to fool recipients
• files randomized by changing audio speed and content
• represented 1% of spam volumes on day of outbreak
Outbreak Description
IronPort Protection
MP3 Spam Example
Volume & Catch Rate
Stopped MP3 spam within minutes through a combination of several technologies
Reputation Filters: proactively blocked majority of MP3 spam by identifying bots sending spam
IronPort Anti-Spam: issued rules based on file type, file content, message size and other information to catch remaining spam
[Chart: Volume (thousands) and IronPort Catch Rate (80-100%) over time (GMT), 21:00 to 22:00]
Storm worm
~30% of spam 3 weeks ago
Responsible for one of the largest Web-based malware attacks
Storm worm every 30 minutes
Est. ~10-50 million infections worldwide
Botnet Command & Control Page
IPs of infected computers connected to the C&C node (real-time list)
What’s stored on the C&C node?
211 MB file…
Excerpt from 211 MB file
Malware uploads logged keystrokes to the C&C node
Website passwords
Crimeware
What is Phishing?
“Use of 'spoofed' e-mails to lead consumers to counterfeit websites
designed to trick recipients into divulging financial data such as credit card numbers, account
usernames, passwords and social security numbers.”
- Anti-Phishing Working Group (apwg.org)
Facts & Trends
97% of phish attacks target financial sector brands
33% of phish sites host malware
Phish sites stay online for an average of 3.8 days
US businesses estimate losses at $2bn per year
[Chart: New Phishing Sites (thousands), May '06 to May '07: May 12.0, Jun 10.0, Jul 14.2, Aug 10.1, Sep 24.6, Oct 37.4, Nov 37.4, Dec 28.5, Jan 27.2, Feb 16.5, Mar 20.9, Apr 55.6, May 37.4]
211% Increase: May '06 - May '07
Source: APWG
Typical Phishing attack
SMTP Port 25: MAIL FROM [email protected] TO [email protected]
SMTP Port 25: MAIL FROM [email protected] TO [email protected]
"Bot-net"
1 Obtain mailing list (hack/buy)
2 Build website & register domain
3 Send millions of phish mails to list
4 Wait for account/password details & remove money
IKEA
Targeted & Blended Attack #1
Purported email from US IRS
Scam Phishing Trojan
BBB Phishing Trojan: highly-targeted attack aimed at specific executive-level company managers
Steals all interactive data sent from the victim's IE browser to remote websites
Uses a browser helper object to access form data before it is SSL-encrypted
One stolen data repository located. As of Friday, May 25, there were 1,500 victims and >150 MB of data in the repository. Approx. 70 megabytes of data is being collected daily
Blended Threat #2
Spam emails with URL links to Malware Sites
Blended Threat #3: Social networking
Profiles attract requests
Social engineering: "go to my site to contact me"
Page shows personal details to contact
Site contains malware
2 weeks later
Phishing
Large rise in phishing attacks in 2007
1/3 of phish sites now host a malware cocktail
"Single use" Phishing URLs. Redirect after first page visit.
"Rock Phish" Kit
Fast flux DNS
Rock Phish Example
Host mqsul.cd configured for phishing attack. (CD is the Congo TLD, server in China).
Single server hosts 10 attacks:
Key Bank: http://accounts.key.com.startsession.mqsul.cd/sc/info.asp/
Bank of America: http://ba-ca.onlinebanking.com.de.mqsul.cd/i/a/index.html
E*Trade: http://global.etrade.com.memberdirectory.mqsul.cd/member.do/
National Bank: http://ib.national.com.au.confirmationpage.mqsul.cd/sc/isap/custcare/index.asp.htm
German Bank: http://meine.deutsche-bank.de.webxobjects.mqsul.cd/dbpbc.woa/
German Bank: http://sparkasse.de.redirector.webservices.mqsul.cd/do.asp/
German Bank: http://www.berliner-volksbank.de.navigation.mqsul.cd/i/s
Barclays: http://ww4.barclays.co.uk.brccontrol.taskstart.custbase.mqsul.cd/detailsconfirm/
Fifth/Third: http://www.53.com.bankingportal.session.mqsul.cd/sbcbconfirm
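Every hostname above ends in the same registered domain (mqsul.cd); the bank's real domain only appears as subdomain labels to the left of it. The script below, an added example rather than IronPort or Cisco code, turns that observation into a detection heuristic a defender can run over URL feeds: it derives the registrable domain with a deliberately tiny stand-in for the Public Suffix List (an assumption; real code would use the full list), flags brand domains that occur contiguously in the subdomain labels, and reports registered domains that serve several such hostnames. The brand watch list is constructed for the example; the URLs are the ones listed on this slide.

```python
"""Brand-in-subdomain phishing heuristic over the Rock Phish URLs above.
Added example, not IronPort/Cisco code; the brand list and suffix table are
assumptions constructed for the demonstration."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed watch list of brand domains a defender wants to protect.
BRAND_DOMAINS = {
    "key.com", "etrade.com", "national.com.au", "deutsche-bank.de",
    "sparkasse.de", "berliner-volksbank.de", "barclays.co.uk", "53.com",
}

# Tiny stand-in for the Public Suffix List so the example runs offline.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# The nine URLs from the slide (the slide text says ten attacks; nine are listed).
ROCK_PHISH_URLS = [
    "http://accounts.key.com.startsession.mqsul.cd/sc/info.asp/",
    "http://ba-ca.onlinebanking.com.de.mqsul.cd/i/a/index.html",
    "http://global.etrade.com.memberdirectory.mqsul.cd/member.do/",
    "http://ib.national.com.au.confirmationpage.mqsul.cd/sc/isap/custcare/index.asp.htm",
    "http://meine.deutsche-bank.de.webxobjects.mqsul.cd/dbpbc.woa/",
    "http://sparkasse.de.redirector.webservices.mqsul.cd/do.asp/",
    "http://www.berliner-volksbank.de.navigation.mqsul.cd/i/s",
    "http://ww4.barclays.co.uk.brccontrol.taskstart.custbase.mqsul.cd/detailsconfirm/",
    "http://www.53.com.bankingportal.session.mqsul.cd/sbcbconfirm",
]


def registered_domain(host):
    """Registrable domain: public suffix plus one label ('barclays.co.uk', 'mqsul.cd')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoofed_brands(host):
    """Brand domains whose labels appear, in order, left of a different registered domain."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in BRAND_DOMAINS:
        return []  # the brand's own site: nothing to flag
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    found = []
    for brand in BRAND_DOMAINS:
        blabels = brand.split(".")
        for i in range(len(sub_labels) - len(blabels) + 1):
            if sub_labels[i:i + len(blabels)] == blabels:
                found.append(brand)
                break
    return sorted(found)


def suspicious_domains(urls, min_hosts=2):
    """Registered domains serving several distinct hostnames that impersonate brands."""
    hosts_by_reg = defaultdict(set)
    brands_by_reg = defaultdict(set)
    for url in urls:
        host = urlsplit(url).hostname or ""
        reg = registered_domain(host)
        hosts_by_reg[reg].add(host)
        brands_by_reg[reg].update(spoofed_brands(host))
    return {
        reg: {"hosts": len(hosts), "brands": sorted(brands_by_reg[reg])}
        for reg, hosts in hosts_by_reg.items()
        if len(hosts) >= min_hosts and brands_by_reg[reg]
    }


if __name__ == "__main__":
    for reg, info in suspicious_domains(ROCK_PHISH_URLS).items():
        print(f"{reg}: {info['hosts']} hostnames impersonating {', '.join(info['brands'])}")
```

The Bank of America URL is not matched by the brand list (its lure label is "onlinebanking.com", not the bank's real domain), which is why the host count matters as a second signal: a freshly registered domain fronting many unrelated brand-shaped hostnames is a stronger indicator than any single lookalike label, and it survives the single-use URL paths and fast-flux IP changes the slide mentions because the registered domain stays constant.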
Web site attacks
Legitimate websites hacked
Superbowl site hacked earlier this year
Bank Of India
The Bill…
Even Irish Vasectomies
Current technologies can't address these attacks in real time
Web site providers may not be up to date with patches: an easy attack vector
Cyberterrorism
Phishing/spam for harvesting credit card details
37,00 cards / $3.5m in fraudulent charges
Launder money through gambling sites
Trio used stolen credit card accounts to set up a network of communication forums on the net
Sites hosted with tutorials on computer hacking, bomb-making, videos of beheadings and suicide bombings in Iraq
Legal team: "The trouble is I don't understand the language. I don't really understand what a Web site is"
The Amateur
$60K from Adware on 400K PCs
Loudcash (now ZangoCash)
– $0.40 per install
“Every day, 7,500-10,000 ZangoCash affiliates distribute our software to users who are then connected with
more than 6,000 MetricsDirect advertisers.”
Jeanson James Ancheta
The Professional Criminal
Smartbot.Net Malware
Opened CD-ROM tray
"If your cd-rom drive's open . . . You DESPERATELY NEED to rid your system of spyware pop-ups IMMEDIATELY! Download Spy Wiper NOW!"
Spy Wiper and Spy Deleter sold for $30
$4M FTC judgment
Sanford Wallace
What is the tool you need?
The IronPort Vision
Internet
Email Security Appliance
Web Security Appliance
Security Management Appliance
IronPort SenderBase
Reactive Security
SenderBase® / Threat Operations Center
SenderBase
E-Mail Reputation Filters (Reputation Score from more than 90 parameters):
• Data Volume
• Message Structure
• Complaints
• Blacklists, whitelists
• Off-line data
Web Reputation Filters (Reputation Score from more than 45 parameters):
• URL blacklists & whitelists
• HTML Content
• Domain Info
• Known "bad" URLs
• Website history…
Threat Operations Center (TOC)
• Expert team of skilled analysts
• Staffed 24 x 7 x 365
• 32 languages spoken
• Documented & verified processes
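The MP3 outbreak slide earlier in the deck describes two layers working together (reputation filters that block known bot senders before any content is read, then content rules on file type, file content and message size), and the SenderBase slide above lists the kind of parameters a reputation score is built from. The Python sketch below, an added example that is not IronPort's code or rules, wires those two layers together over constructed sample messages: the per-IP parameter table, the weighting, the block threshold, the lure words and the messages themselves are all assumptions made up for the demonstration.

```python
"""Two-layer mail filtering sketch: sender reputation first, content rules second.
Added example, not IronPort's rules or data; the reputation table, weights,
thresholds, watch words and sample messages are all constructed."""
from email import policy
from email.message import EmailMessage

# Constructed per-IP parameters of the kind the SenderBase slide lists:
# change in sending volume (multiple of baseline), blacklist hits, complaint rate.
SENDER_DATA = {
    "203.0.113.7": {"volume_change": 40.0, "blacklist_hits": 3, "complaint_rate": 0.05},
    "198.51.100.2": {"volume_change": 1.1, "blacklist_hits": 0, "complaint_rate": 0.0001},
}
UNKNOWN_SENDER = {"volume_change": 1.0, "blacklist_hits": 0, "complaint_rate": 0.0}
BLOCK_THRESHOLD = -5.0

# Constructed lure words standing in for "files named after popular songs / musicians".
SONG_WORDS = ("umbrella", "hit_single", "top40", "remix")


def reputation_score(params):
    """Constructed weighting that maps the parameters to a score in [-10, 10]."""
    score = 10.0
    score -= min(params["volume_change"], 50.0) * 0.2  # sudden volume spike looks bot-like
    score -= params["blacklist_hits"] * 3.0
    score -= min(params["complaint_rate"] * 100.0, 5.0)
    return max(-10.0, min(10.0, score))


def content_rule_hits(msg):
    """Content rules in the spirit of 'file type, file content, message size'."""
    hits = []
    attachments = list(msg.iter_attachments())
    for part in attachments:
        if part.get_content_type() != "audio/mpeg":
            continue
        hits.append("mp3_attachment")
        name = (part.get_filename() or "").lower()
        if any(word in name for word in SONG_WORDS):
            hits.append("song_name_lure")
        if len(part.get_payload(decode=True)) < 100_000:
            hits.append("tiny_audio_file")  # a real song is megabytes, not kilobytes
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if attachments and len(text) < 20:
        hits.append("bare_attachment")  # attachment with no real message text
    return hits


def verdict(msg, sender_ip):
    """Reputation is checked at connection time, before any content is scanned."""
    score = reputation_score(SENDER_DATA.get(sender_ip, UNKNOWN_SENDER))
    if score <= BLOCK_THRESHOLD:
        return "blocked_by_reputation", []
    hits = content_rule_hits(msg)
    return ("spam" if len(hits) >= 2 else "deliver"), hits


def build_message(sender, subject, text, attachment=None):
    """Constructed sample message; attachment is (filename, bytes) sent as audio/mpeg."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = "[email protected]"
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="audio", subtype="mpeg", filename=name)
    return msg


if __name__ == "__main__":
    lure = build_message("[email protected]", "new track!", "",
                         ("umbrella_remix.mp3", b"\xff\xfb" + bytes(2000)))
    print(verdict(lure, "203.0.113.7"))   # blocked before content scanning
    print(verdict(lure, "198.51.100.2"))  # reputation fine, content rules catch it
```

The ordering is the point of the slide: rejecting a low-reputation connection costs almost nothing, so the content rules only have to handle the remainder, and the file-size and bare-body checks still fire when the attacker randomizes audio speed and content to defeat simple hashing.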
Network and Content Security: Better Together
Cisco offers a broad suite of highly integrated network & endpoint security solutions across all points in the network
Firewall
Site-to-Site and Remote Access VPN
IDS/IPS
Network Admission Control
Security Management
IronPort expands that end-to-end solution with messaging and web content security services
Internet
Endpoint: Cisco Security Agent, Network Admission Control
Network & Perimeter: Firewall, IPS, SSL VPN, Anti-X
Branch Office: FW, IPS, VPN
Wireless Security: Rogue AP, IPS
IPC Security: Infrastructure, Call Management, Applications, Endpoints
Data Center
Content Security: Email Security Appliance, Web Security Appliance, SenderBase
Conclusion
The Criminal Ecosystem is Real
This analysis is one spam attack over two weeks, a small portion of the real criminal enterprise
The Criminal Ecosystem is Profitable
Zombies are the enabler to the attack
Extraordinarily sophisticated and successful spam techniques
A large, mature business operation supports the spam
Profits feed the beast
A multi-faceted effort is required to solve this problem.
Thank you
Henrik Davidsson
+46 701 90 11 00
Please Complete Your Session Evaluation!