					              Cyber Crime
• Special Thanks to
  – Special Agent Martin McBride
    for sharing most of this information
    in his talk at Siena last semester
Criminal Activity Today has shifted to the Internet
     Canadian Lottery Scam
• A call from Canada:
  – You’ve won the Canadian Lotto
  – We’ll protect your winnings from US capital gains
    taxes (i.e., Canadian Bank)
  – Just pay the Canadian Lotto tax 0.5% and we’ll set
    everything up
• You say:
  – You mean I just have to pay you $5000 and you’ll
    put $1,000,000 in my own Canadian Bank Account.
    Sounds great!
     Canadian Lottery Scam
• It's estimated that over $10,000,000 has been
  scammed from people in the US alone.
• The scammers are so sophisticated that they
  get Direct Mailing/Marketing Lists and target
  specific demographics (homeowners over 65).
• http://www.experian.com/products/listlink_express.html
• Thank you Experian!
     Canadian Lottery Scam
• The scammers use cloned cell phones
• Checks sent to "Mailboxes Etc."
  – set up using a stolen identity
• The FBI and RCMP have developed counter-
  measures
• Thus, the Scammers have retreated to the
  Internet, where they have greater reach and
  less risk.
       Criminal Activity Today
•   Phishing
•   Nigerian Letters Fraud
•   Internet Sales Fraud
•   Carding
•   Intrusions
•   Viruses & Worms
       Criminal Activity Today
            -continued-
•   Distributed Denial of Service (DDOS)
•   Spam Attack/DDOS
•   Intellectual Property Theft
•   Sabotage
                 Phishing
• uses spam, spoofed e-mails and fraudulent
  websites to
• deceive consumers into disclosing credit card
  numbers, bank account information, Social
  Security numbers, passwords, and other
  sensitive information
• by hijacking the trusted brands of well-known
  banks, online retailers and credit card
  companies
Sample phishing e-mail (PayPal impersonation):

  We are currently performing regular maintenance of our security measures.
  Your account has been randomly selected for this maintenance, and you now
  be taken through a verification process.

  Protecting the security of your PayPal account is our primary concern, and
  we apologize for any inconvenience this may cause.

  Please click here and fill in the correct information to verify your identity.
  (link target of "click here":
  http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html)

  NOTE: Failure to complete the verification process or providing wrong
  information will lead to account suspension or even termination.
       Nigerian Letter Fraud
• Claiming to be
  – Nigerian officials,
  – business people or
  – the surviving spouses of former government
    honchos,
• con artists offer to transfer millions of
  dollars into your bank account in
  exchange for a small fee.
      Nigerian Letter Fraud
– If you respond, you may receive "official
  looking" documents.
– Typically, you're then asked to provide
  •   blank letterhead,
  •   your bank account numbers, and
  •   some money to cover transaction and
      transfer costs and attorney's fees.
     Nigerian Letter Fraud
– You may even be encouraged to travel to Nigeria or
  a border country to complete the transaction.
– Sometimes, the fraudsters will produce trunks of
  dyed or stamped money to verify their claims.
– Inevitably, though, emergencies come up, requiring
  more of your money and delaying the "transfer" of
  funds to your account;
– in the end, there aren't any profits for you to share,
  and the scam artist has vanished with your money.
          Internet Sales Fraud
• Overpayment scheme (E-bay)
  – A buyer accidentally overpays you
     • $1000 check rather than $100 check
  – Buyer says, "My mistake, but you owe me $900 if
    you cash that check."
  – Buyer says, "Dude man! I need that $900 bucks,
    since this was my mistake, if you wire me $800
    bucks, the check is yours."
  – You get an additional $100 for your trouble, cool!
           Internet Sales Fraud
• Did you know that if you deposit a check worth
  $10,000 or more at HSBC, it can take over 5 business
  days for it to clear or for the bank to realize it's fraud?
• A week gives a scammer a long time to put pressure
  on you to return the over payment.
• Perhaps the overpayment is $9000.
• Guess what? If you send a wire transfer or a money
  order out of your account, your account balance is
  immediately reduced (instantaneous at the time the
  order or wire is entered into their system).
• Thank you HSBC for making it easy to scam me!
         Internet Sales Fraud
• Alexey Ivanov and others
   – auctioned non-existent items on eBay
   – bid on own items using stolen credit cards
   – as high bidder, paid himself through Paypal
                 Carding
• "Carding": the illegal use of credit card
  numbers. Carders:
  – Acquire valid credit card numbers
    (not their own)
  – Use them to make purchases
  – Sell them to others
  – Trade them over the Internet
                        Carding
• Maxus, a Russian, stole 300,000 credit card numbers
  from CDUniverse.com
• Maxus’ scheme was broken into 4 basic parts:
   • Wholesaling Cards — Cards were distributed to trusted
     partners, mainly in lots of 1,000, for $1 each.
   • Re-selling Cards — Cards were then sold by Maxus'
     partners. These "re-sellers" sold card numbers mainly in
     blocks of 50. The price to the "end consumer" was around
     $500.
   • Pure Liquidation — Maxus set himself up as an online
     retailer, and used the stolen numbers as if they belonged to
     his customers
   • End Users — Individuals would use the cards bought from
     Maxus to conduct their own fraud.
                  Intrusions
• Unauthorized access into a computer
• Different types of intruders
  – Hackers – create code to exploit vulnerabilities
  – Script-kiddies – use code readily available over the
    Internet to exploit vulnerabilities
  – Insiders - former employees whose accounts were
    not disabled upon termination
                     Intrusions
• Example
  – Bob leaves Experian for Equifax
  – Equifax is a competitor to Experian
  – Bob uses same password at Equifax that he had used while at
    Experian
  – Equifax has to crack Bob’s password because no one can get
    into his account to retrieve the work he left behind
  – Experian decides to try Bob’s password on Equifax ’s e-mail
    system
     • It worked!
  – Experian attempts to steal customers from Equifax by
    intercepting e-mail sent to Bob’s account at Equifax.
   Viruses, Worms, & Trojans
• Viruses are computer code written to degrade
  the health of a computer or computer network
• Worms are viruses that are written such that
  they can spread themselves to other
  computers
• Trojans are viruses that remain dormant or
  hidden until a certain action is taken or a
  specified period of time has elapsed
    Denial of Service (DOS)
• An attack in which a large network of
  compromised computers is used to
  attack a target computer
• Examples
  – Mafiaboy - Feb 2000
     • Yahoo!, eBay, CNN.com, eTrade, and others
  – DDOS attack against 9 of 13 root servers –
    Oct 2002
   Intellectual Property Theft
• The unauthorized acquisition and/or
  distribution of proprietary computer
  software or data files
   Intellectual Property Theft
• Example
  – Online warez pirates
    • Buy or steal copies of software programs such
      as video games or operating systems
    • Illegally share the programs through FTP
      servers located throughout the world
    • Hundreds and perhaps thousands of organized
      groups exist
       – Many groups contain hundreds of members
               Sabotage
• Deliberate destruction of the functionality
  of a computer or computer network
               Insiders
• Greatest threat to computer networks
  – Know the system
  – Have access via user accounts
  – Security lapses
    • Easy-to-guess passwords
    • Share accounts/passwords
  – Hostile terminations/revenge
Criminal Cyber Crime Techniques
• Casing the establishment
  – Footprinting
  – Scanning
  – Enumeration



                             Hacking Exposed, Second Edition
    Casing the Establishment
• Footprinting
  – Locate a potential target
  – Learn everything about target network
     •   Map the network
     •   Domain names in use
     •   Routable IP address range
     •   Services running and versions used
     •   Firewalls and Intrusion Detection Systems
    Casing the Establishment
• Scanning
  – Turning door knobs and seeing if windows are locked
  – Search for vulnerabilities
     • Ping sweep
         – Determine what systems are up and running
     • Trace route
     • Port scan
         – ID operating system
         – ID applications running
     • Cheops (does it all)
   Casing the Establishment
• Enumeration
  – Open the door and look inside (cross the line)
  – Active connection to target is established to
     • ID valid user accounts
     • ID poorly protected resource shares
  – Social Engineering
     • Gain access to inside human resources
     • "Dumpster diving" – go through the trash
           Hacking the Target
• Directly connect to shared resources
  – Use that access to dig deeper
• Install backdoors/Trojans
• Crack passwords for administrator accounts
  – Dictionary and Brute Force
     •   L0phtcrack
     •   John the Ripper
     •   Crack
          Hacking the Target
• Privilege escalation
   – When you have password for non-admin account
• Use Trojans to give yourself an admin account
   – e.g. change Dir command so that it adds new user
• Install and run sniffers
   – Keystroke loggers

            Hiding the Trail
• Proxy Servers
  – Make Web queries on behalf of inquiring
    computer
    • Query traces to proxy rather than point of origin
• Anonymizers
  – E-mail spoofing
  – IP spoofing
[Diagram: Bad Guy → Proxy 1 → Proxy 2 → Destination]
Cyber Crime Investigations

    Big Brother is Watching
         Following the Trail
•   Server logs
•   E-mail headers
•   Whois databases
•   Human resources
     Critical Concept
• Internet Protocol (IP) addressing
  – Every computer connected to the
    Internet has a unique IP address
    assigned while it is connected
     • #.#.#.# (e.g. 192.168.1.100)
         – Each # is 0 to 255
             » 256 possibilities
             » 2^8 (binary math)
             » 255 = 1111 1111
    Critical Concept
• Static addresses
  – Like telephone numbers
     • Don’t change
     • Easy to find day after day
• Dynamic addresses
  – Different each time you connect
  – Difficult to find from one use to the
    next
             Server Logs
• Domain Controllers
  – Access logs
• Web Servers
• FTP Servers
• E-mail Servers
        Tracking via Server Logs
192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102
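The log above is Apache Common Log Format, and every field an investigator needs (client address, timestamp, the webmail login path with its session token, and the `form`/`pos` query parameters) is machine-readable. This added example (not from the slides) parses those five lines and rebuilds the per-client session timeline; the values are copied from the slide, re-joined onto one line each.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# The five requests from the slide, same client address, login path and
# session token; only re-joined onto one line each.
BASE = ("/webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/"
        "FAE810691B0001A0D294054EB5B832ED/1032302396")
LOG_LINES = [
    f'192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET {BASE}?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627',
    f'192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET {BASE}?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020',
    f'192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST {BASE} HTTP/1.0" 302 426',
    f'192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET {BASE}?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721',
    f'192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET {BASE}?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102',
]

# Common Log Format: client ident user [time] "method path protocol" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')


def parse_line(line):
    """Fields an investigator cares about, or None for a line that is not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    query = parse_qs(url.query)
    segments = url.path.split("/")
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "status": int(m["status"]),
        # path layout seen in the log: /webmail/cgi-bin/sqwebmail/login/<login>/<session>/<stamp>
        "login": segments[5] if len(segments) > 6 else None,
        "session": segments[6] if len(segments) > 6 else None,
        # webmail action (readmsg / newmsg) from the query; the bare POST has none
        "action": query.get("form", [m["method"].lower()])[0],
        "pos": query.get("pos", [None])[0],
    }


def session_timeline(lines):
    """Parsed requests grouped by client address, each group in time order."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    for recs in by_ip.values():
        recs.sort(key=lambda r: r["time"])
    return dict(by_ip)


def span_seconds(records):
    """Seconds between a client's first and last request."""
    return (records[-1]["time"] - records[0]["time"]).total_seconds()
```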
           E-mail Headers
• Normal Headers
  – To:, From:, Date:, and Subj:
• Full Headers
  – Record of path an e-mail takes from its
    origin to its destination
Return-Path: <ebreimer@siena.edu>
Delivered-To: mmcbride@leo.gov
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101])
             by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B
             for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost [127.0.0.1])
             by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641
             for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61
      via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126])
             by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF
             for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov
      via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
             charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Radio Interview
Date: Thu, 15 Apr 2004 14:01:35 -0400
Message-ID: <8DEC59405C543C4D88AF28B7AAB0F87302A47CC4@EXCHANGE2.siena.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Radio Interview
Thread-Index: AcQjE7E0Ke2vVSlaR5mlEdbMSjmvMw==
From: "Breimer, Eric" <ebreimer@siena.edu>
To: <mmcbride@leo.gov>
Cc: <grimmcom@nycap.rr.com>
X-UIDL: 'B?!!L^)#!ce^"!Hf_"!
            Whois Databases
• Contain registration information for the
  Domain Name System and IP addresses
  – Examples
     •   www.dnsstuff.com
     •   www.arin.net
     •   www.samspade.org
     •   www.networksolutions.com
         Human Resources
• Easiest way to find a criminal
  – Find someone that knows what happened
    and is willing to tell what they know
  – Find someone that has inside access to the
    type of hacking you are investigating and
    enlist their assistance
InfraGard
            What Is InfraGard?
• A Cooperative Undertaking/Partnership
  – U.S. Government (led by the FBI)
  – Association of
     •   Businesses
     •   Academic institutions
     •   State and local law enforcement agencies
     •   Other participants
• Dedicated to increasing the security of United
  States’ critical infrastructures
What Is A Critical Infrastructure?
 Services so vital that their
 incapacity or destruction would
 have a debilitating impact on the
 defense or economic security of
 the United States.

         Executive Order 13010
                 Why Partner?
• Our businesses, our country, and our world
  depend on functional infrastructures
  – Industries and infrastructures are interdependent
  – More than 80 percent of U.S. infrastructures are owned
    and operated by the private sector
  – Government has resources that are critical to successfully
    protecting all infrastructures
• Only by working together can the Nation’s
  infrastructures be properly protected
  – InfraGard is a critical entity in bringing all the right players
    to the same table
How Did InfraGard Get Started?
• National InfraGard Program
  – Pilot project in 1996
     • Cleveland FBI Field Office asked local computer
       professionals to assist the FBI in determining
       how to better protect critical information systems
       in the public and private sectors
     • First InfraGard Chapter was formed
         What is the Cost?
• InfraGard is a not-for-profit membership
  organization
  – There are no dues
  – Cost is your time & energy
Who Should Join InfraGard?
• Infrastructure stakeholders
   – Infrastructure providers
   – Infrastructure end users (everyone?)
• Individuals with organizational skills
   –   Accountants
   –   Lawyers
   –   Managers
   –   Marketing Experts
   –   Etc.
    Infrastructure Protection
• Infrastructure protection is
  everyone’s problem.
• Don’t get complacent! Get
  involved!