An overview of cyber-crime
2003
Cyber-crime in 2003
Overview objectives
To assess the emergence of new risks and determine current trends in existing risks.
To put into perspective those incidents which have gained a certain degree of notoriety.
To look on hi-tech crime in the same light as more traditional felonies.
Selection made by a mixed workgroup (insurance agent, lawyer, consultant, journalist, law-enforcement officers, information security officer).
clusif@clusif.asso.fr 01/13/2004 2
Choice of media events
Illustration
of an emergence,
of a trend,
of a volume of incidents.
Individual case
Impact or stakes,
Textbook example.
All photographs are copyrighted.
All information used herein has come from open sources. A list of URL references can be found after each section.
Some companies are cited out of concern for accuracy and because their names have already appeared in the media.
Recap of the 2002 overview
- Electronic voting
  - Hacking into specialized corporate networks (e-voting)
  - www.cnn.com/2003/TECH/biztech/12/29/voting.hack.ap/index.html
  - http://www.msnbc.msn.com/id/3825143/
- Personal data: identity theft, fraud
  - Large-scale theft of files
  - http://news.bbc.co.uk/1/hi/uk/3228040.stm
  - http://news.zdnet.co.uk/internet/0,39020369,2137915,00.htm
  - http://news.zdnet.co.uk/internet/0,39020369,2131593,00.htm
- Blackmail and extortion
  - Extortion and arrest, South Pole Station
  - http://www.southpolestation.com/news/news.html
  - http://www.thepoles.com/story/HackAttackontheSouthPoleStationOct192003.shtml
  - http://www.mail-archive.com/isn@attrition.org/msg01811.html
- The dangers of wireless networks
  - Intrusion via hot spots
  - http://cryptome.org/att-spam.htm
  - http://www.theregister.com/content/69/34144.html
- Yescard 2G
  - Use of a bearer’s Signature Value
  - AFP, 06/11/03, Créteil
  - AFP, 2/12/03, Mulhouse
Bank card fraud has taken on a new international and technological dimension: a fake slot to read the card’s magnetic strip, a camera to record the keying in of the PIN code…
Some references
AFP, 17/02/03, Nîmes
AFP, 09/04/03, Nice
AFP, 19/12/03, Meaux
2003 overview
Free Software : Just how secure is it?
Illicit downloads : the risks for the company
Viruses : professionalization and a search for gain
Legal responses : a strategy of deterrence
The fight against spam gains momentum
Phishing : Three deceptions in one
New hi-tech spying opportunities
Free Software : Just how secure is it?
The Facts
Several events in 2003 seem to have undermined the
reputed security of Open-Source operating systems:
- Vulnerability of the CVS manager server.
- Trojan horse on an FTP GNU server.
- Debian server vulnerabilities.
- Identification of vulnerabilities in different kernels
during Defcon11 (hackers conference in Las Vegas).
- Attempt to corrupt the new version 2.6 of Linux.
Timeline and details
01/21/2003 : discovery of vulnerabilities in CVS (Concurrent Versions System), the version manager used by the majority of Open-Source projects. Such a flaw in the CVS server enables a hacker to obtain privileges (root privileges depending on the state of the server). The hacker can then alter data (and thus the source versions) stored on the server.

Late July 2003 : a Trojan horse is discovered on an FTP root server of the GNU project. The attack exploited a vulnerability in the ptrace system call (which enables a parent process to control the execution of a child process, used notably for debugging). The Trojan horse had been introduced at the end of March 2003. The project managers advise that the integrity of all downloaded sources be systematically verified.
01 to 03 August 2003 : during the Defcon 11 hackers’ conference in Las Vegas, a code audit conducted on numerous Open-Source operating systems (Linux, FreeBSD, NetBSD, OpenBSD) highlighted the presence of several vulnerabilities. The presentation indicated that a 3-month audit was able to identify over a hundred vulnerabilities and integer overflows affecting the drivers and the system calls in the OS sources. According to the author, these vulnerabilities may be exploited without too much difficulty, something which runs contrary to what is generally perceived for this type of system.
11/06/2003 : an attempt is made to corrupt the new version of the Linux kernel (version 2.6). By usurping the identity of a developer, a hacker was able to access the platform managing the source versions of the future kernel and install a Trojan horse. The objective was to give the hacker root access on all the machines which would have run the kernel! The problem was quickly detected and eradicated during an audit to verify the integrity of the data.

November 2003 : the DEBIAN project falls victim to an intrusion (compromising 4 servers). The attack exploited a vulnerability in the kernel (version 2.4.22) discovered in September 2003 : an integer overflow in the do_brk() function which enabled a local user to gain elevated (or root) privileges.
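As an added illustration (not from the page and not the kernel’s own code), a 32-bit user-space model of the bug class named by the Defcon audit and by the do_brk() flaw above: a range check that forms start + len first, so that a large length wraps the sum and the request is accepted, beside a check written so that no wrapping sum is ever computed. REGION_LIMIT and the sample requests are assumed values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration, not kernel code: a 32-bit model of a "may the region
 * [start, start+len) be mapped?" check. The assumed limit below plays the
 * role of the boundary between the user region and the privileged one. */
#define REGION_LIMIT 0xC0000000u   /* assumed upper bound of the user region */

/* Naive check: the sum is computed first. When start + len exceeds 2^32 the
 * 32-bit result wraps to a small value, the comparison succeeds, and a region
 * reaching far past the limit is accepted. This is the overflow class the
 * page describes: an integer overflow inside a range check. */
bool range_ok_naive(uint32_t start, uint32_t len)
{
    uint32_t end = (uint32_t)(start + len);   /* wraps modulo 2^32 */
    return end <= REGION_LIMIT;
}

/* Hardened check: never form a sum that can wrap. Reject a length larger
 * than the whole region, then compare start against the remaining room
 * (after that test REGION_LIMIT - len cannot underflow). */
bool range_ok_hardened(uint32_t start, uint32_t len)
{
    if (len > REGION_LIMIT)
        return false;
    if (start > REGION_LIMIT - len)
        return false;
    return true;
}

/* Compare both checks on one request.
 *   0 : both reject
 *   1 : both accept
 *   2 : naive accepts, hardened rejects (a wrap-around slipped through) */
int classify_request(uint32_t start, uint32_t len)
{
    bool naive = range_ok_naive(start, len);
    bool hard  = range_ok_hardened(start, len);
    if (naive && !hard)
        return 2;
    return naive ? 1 : 0;
}

/* Constructed sample requests exercised by main() */
static const struct { uint32_t start, len; const char *what; } samples[] = {
    { 0x08000000u, 0x00001000u, "ordinary 4 KiB request inside the region" },
    { 0xBFFFF000u, 0x00001000u, "request ending exactly at the limit" },
    { 0xBFFFF000u, 0x00002000u, "request crossing the limit" },
    { 0x08000000u, 0xF8001000u, "length chosen so start+len wraps past 2^32" },
    { 0xB0000000u, 0x60000000u, "moderate length that still wraps the sum" },
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int c = classify_request(samples[i].start, samples[i].len);
        printf("%-45s naive=%d hardened=%d%s\n", samples[i].what,
               range_ok_naive(samples[i].start, samples[i].len),
               range_ok_hardened(samples[i].start, samples[i].len),
               c == 2 ? "  <-- wrap-around accepted by naive check" : "");
    }
    return 0;
}
```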
Stakes and consequences
The issue of security vis-à-vis Open-Source projects has never been more important, bearing in mind the increasing success of Open-Source operating systems, notably in the professional sector: servers, embedded systems…
- The potential problem of seeing an intentional vulnerability introduced into the OS sources: either from the outside by a hacker with no direct links to the project, or from within by a malevolent developer participating in the project. Someone wishing to exploit this vulnerability would be able to take control of the machine on which the operating system runs.
Could the increase in the number of projects and the growing interest in Open Source in itself undermine the security of the systems?
- The arguments that were often used to explain why the Open-Source OS was more secure now seem less convincing : Open-Source operating systems are not necessarily written by security experts. Indeed, they contain vulnerabilities (often related to integer overflow) which may be exploited relatively easily(?), thus allowing a hacker to take control of the machines running the OS.
Is there a tendency to overestimate the security of the Open-Source OS?
The task of managing vulnerabilities and the patches to correct them is becoming increasingly difficult for a company’s administrative teams to handle. Such a task has become a major issue for the security of information systems. The Open-Source operating systems cannot escape such logic.
Can the task of managing the corrective patches become a key factor in the spread of free OS?
References
- http://www.cert.org/advisories/CA-2003-02.html
- http://www.cert.org/advisories/CA-2003-21.html
- http://computerworld.com/securitytopics/security/hacking/story/0,10801,87516,00.html
- http://www.kb.cert.org/vuls/id/301156
- http://www.defcon.org/html/links/defcon-media-archives.html#defcon-11
- http://www.newsfactor.com/perl/story/22748.html
- http://www.zdnet.fr/actualites/technologie/0,39020809,39129006,00.htm
Illicit downloads : the risks for the company
The facts
The misuse of a company’s IT capabilities for illegal ends and the legal responsibilities of companies in relation to their employees continued to make news throughout 2003 : the prosecution of Lucent Technologies ; the French Council of State’s decision following the abusive use of a professional e-mail address ; and an appeals court verdict in a case involving the use of diskettes to justify an employee’s dismissal.
Timeline and details
Marseille High Court verdict, 06/11/03 : an employee of Lucent Technologies created his own web site denouncing (what he perceived as) the abuses of the company Escota. He put the site online from his work computer. The Marseille High Court found not just the creator of the site guilty but also his company, given that the misdemeanor was committed while he was at work (French civil code, article 1384).

Council of State decision, 10/15/03 : France’s Council of State upheld the suspension of a technical research assistant. The employee in question had used the e-mail address of his laboratory director to communicate on the web site of a religious cult. The company learned of the problem through another employee, without having taken into consideration the content of the emails.
Bordeaux Appeals Court verdict, 10/29/03 : a company dismissed an employee for gross misconduct by using the contents of several diskettes to prove that the employee had been engaged in parallel activities during working hours. The court deemed the evidence to be admissible and rejected the employee’s argument that his privacy had been violated, since there was nothing to indicate the personal nature of the diskettes in question.
Context
- Employees become criminally responsible when they illicitly use the company’s IT systems : responsible vis-à-vis royalties and trademarks for downloading pirated software, audio files or films (MP3, DIVX…) ; responsible in terms of the Godfrain Law (French penal code: 323.1, 323.2 and 323.3) for attempting to intrude into and impair a system.
- The civil responsibility of a company may also be established if the courts consider that the employee at fault was in the process “of exercising his functions” in the company. See article 1384 of the French civil code (responsibility of the principal for the acts of a subordinate).
Stakes and consequences
- Employee surveillance : companies are caught between the desire to exert control over the use of the IT systems they make available to employees and the need to respect employee privacy (as confirmed by a French Appeals Court in its 10/02/2001 ruling in the NIKON case). What means (charters) can be used to protect the company?
- Civil responsibility of the company : in the event of an employee using a company’s IT systems for illicit purposes, at what point does the company become responsible?
- Could such trends lead to a situation in which employees have reduced access to IT system resources?
References
- www.legalis.net/jnet/2003/actualite_07_2003.htm
Viruses : professionalization
and the search for gain
Technological objectives
• Ability to update itself:
  • W95/Babylonia@M (1999)
  • W32/Hybris@MM (2000)
  • W32/Sobig@MM (2003)
• Breaking free from the user to become faster, smaller:
  • W32/CodeRed.worm (2001)
  • W32/SQLSlammer.worm (2003)
• Adopting multiple techniques of propagation, targeting the individual and the company:
  • W32/Nimda@MM (2001)
  • W32/Cayam.worm!p2p (2003)
• Remaining anonymous, appealing to the user or breaking free:
  • W32/BugBear@MM (2003)
  • W32/Sobig@MM (2003)
• Taking advantage of the many vulnerabilities found:
  • W32/Lovsan.A.worm (2003)
• Pragmatic, targeted and functional objectives:
  • To open the way for other forms of attack :
    • W32/Sobig@MM (2003)
  • To set up a back door :
    • W32/Bugbear.B@MM (2003)
  • To undermine confidentiality :
    • W32/Sircam@MM (2001)
    • W32/Klez.H@MM (2002)
  • To amass passwords and information :
    • W32/Bugbear@MM (2003)
    • W32/Mimail.I@MM (2003)
  • To set up proxy servers to facilitate the sending of spam :
    • W32/Sobig@MM (2003)
W32/BUGBEAR.B@MM
• The virus contains an EXTENSIVE list of banking domain names (France, Britain, Germany, Australia, Italy, Greece, Denmark, New Zealand, Spain, Brazil, Romania, Poland, Argentina, Switzerland, Finland, Taiwan, Turkey, Iceland, Slovakia, South Korea, United States, South Africa, the Baltic Republics, Austria, Hungary, Norway, the Czech Republic).
• When the machine boots up, if it belongs to one of the target domains, the registry key responsible for the automatic telephone dialing process is deactivated.
• The virus looks for passwords in the cache memory and sends them to a pre-defined address chosen at random from a list.
• Once the task has been completed, the virus restores the registry key.
W32/BUGBEAR.B@MM (list of banking domain names carried in the worm’s code)
The W32/SOBIG@MM family
• Different events which don’t interfere with each other.
• Through a series of complex mechanisms, Sobig installs
itself on the target machines with keystroke loggers, back
doors and mini proxy servers.
Variant | Date of discovery | Programmed end of life | Comments
(none) | August 2002 | | Discovery of the existence of strange proxy servers.
W32/Sobig.A | 9 January 2003 | Automatic once the Trojan horse is installed |
B | 18 May 2003 | 31 May 2003 | linked to the PC’s internal clock
C | 31 May 2003 | 8 June 2003 | linked to the NTP servers
D | 18 June 2003 | 2 July 2003 | End of the Geocities dependence. The hidden servers are behind the cable modems. Even if the IP address is not fixed, it is retained long enough to do what is intended.
E | 25 June 2003 | 14 July 2003 | before the date via the Trojan horse
F | 18 August 2003 | 10 September 2003 |
The “SOBIG strategy” was a failure before it was updated. The author will have to change tactics.
How W32/SOBIG@MM helped develop spam
• Before :
  • The throwaway dial-up account opened on the Friday and abandoned by Monday. Drawback : it left a trail with the ISP (credit card).
  • Use of open SMTP relay servers. Drawback : it left a trail, meaning a spammer could end up being blacklisted.
  • The technique of tunnelling SMTP connections through HTTP/SOCKS proxies. Drawback : the TCP or UDP ports could be blacklisted.
• Sobig arrives on the scene :
  • Distribution of hidden proxy servers using non-standard ports (Wingate: a legitimate -- albeit diverted -- proxy server).
  • The configuration changes with each new version (ports used).
  • Currently, 2/3 of all spam is passed on through proxy servers created by the virus (source : MessageLabs).
W32/SOBIG@MM targets the banking sector
• If specific character strings are detected in Internet Explorer, a keystroke logger is activated :
  • W32/Sobig.A@MM (Lala.A) : PayPal, paypal, iFriend, E-Bullion, EZCardinc, gold, Gold, Account Access, orders, Nettler, Chase, Evocash, Intimate Friends Network, Bank, My eBay, WebMoney, Washington Mutual, LloydsTSB online, My Online Accounts, Web Money, Rekeningnummer, rekeningnumber, bank
  • W32/Sobig.E@MM (Lala.E) : E-gold Account Access, Account Access, Bank, My eBay, Online Service, bank, E*TRADE Financial, PayPal – Log In
• The corresponding cookies are captured.
• The captured data is sent to the virus writer.
The W32/SOBIG@MM strategy (diagram from the LURHQ report, showing the author, the spam proxy network, Internet users, the hidden Trojan servers and the web server)
Step 1: The author pushes out the initial infected e-mail using the existing proxy network.
Step 2: Unwitting users click on the attachment and infect themselves, spreading to all e-mail addresses found in .TXT and .HTML files.
Stage 3: When the time comes (trigger set to the NTP servers), the infected computers contact the hidden IP addresses and download the second-stage Trojan and the list of Trojan web servers. Outside the specific time window and if interrogated, the servers send back erroneous information.
Stage 4: If the user tries to log on to a banking site, the Trojan is activated, sending the user’s data back to the Trojan web server and the author.
Stage 5: The infected systems are now fully assimilated into the network of hidden proxy servers. The author and other spammers can now utilize them to send their spam. At the appointed time, a new version of Sobig is released and the process is repeated.
W32/MIMAIL.I@MM and W32/MIMAIL.J@MM : the recreation of secure authorization windows and the subsequent transfer of the collected data to third parties.
W32/CAYAM.worm!p2p : the recreation of secure authorization windows and the subsequent transfer of the collected data to third parties.
Lure e-mail:
Subject: Verify your eBay account information
Message text:
Dear Ebay user,
Dear valued eBay member, It has come to our attention that your eBay Billing Information records are out of date. That requires you to update the Billing Information If you could please take 5-10 minutes out of your online experience and update your billing records, you will not run into any future problems with eBay's online service. However, failure to update your records will result in account termination. Please update your records in maximum 24 hours. Once you have updated your account records, your eBay session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.
Please open attachment to update your billing records.
Thank you for your time!
Marry Kimmel,
Attachment: eBayVerify.exe
Recent events seem to suggest a new future for the virus
• The goal of the virus is no longer the gratuitous and massive destruction of data; its aim is far more intelligent.
• The virus carries the necessary tools to perform dishonest
and fraudulent tasks.
• Links have been established between virus writers and
computer criminals.
• It is no longer out of the question to imagine that in the
medium term some viruses will be used for criminal ends in
association with a totalitarian ideology or organized white-
collar crime.
• Bugbear, Sobig, Mimail and Cayam all target the financial
sectors.
• Certain countries no longer hide their desire to develop and
use new technologies in a hostile context.
References
• Mail proxies / Open proxies:
http://www.easynet.fr/support/netiquette/relais.asp
• The details on Sobig :
http://www.lurhq.com/sobig.html
http://www.lurhq.com/sobig-e.html
http://www.lurhq.com/sobig-f.html
• Spam and Viruses Hit All Time Highs in 2003
http://www.messagelabs.com/news/virusnews/detail/default.asp?contentItemId=613&region=emea
• Banking domain names linked to W32/Bugbear.B@MM
http://vil.nai.com/vil/content/v_100358.htm
http://www.f-secure.com/v-descs/bugbear_b.shtml
• The W32/Mimail@MM virus (variants I and J)
http://vil.nai.com/vil/content/v_100822.htm
http://vil.nai.com/vil/content/v_100825.htm
• The W32/Cayam.worm!p2p virus
http://vil.nai.com/vil/content/v_100903.htm
Virus 2003 : Will the Internet worm
usurp the “mass-mailer”?
W32/SQLSlammer.worm
• 25th January 2003
• The lessons learned were never digested. The necessary
patch to block the vulnerability was known in July 2002 but
it was never applied.
• “The fastest spreading worm in history.“
• In 3 minutes, the worm attained its maximum level of activity. It carried out 55 million scans per second. In less than 10 minutes, 90% of the vulnerable hosts were affected.
• The speed at which it propagated was also a crucial element. The propagation rate of the Slammer worm doubled every 8.5 seconds. In July 2001, CodeRed’s propagation rate doubled every 37 minutes and the majority of its potential targets were affected in 20 hours (Slammer took just 10 minutes).
• This can be explained by the different ways in which they worked:
  • CodeRed transmitted TCP-SYN packets: its propagation was limited by the required idle time prior to the arrival of the targets’ responses.
  • Slammer only transmitted a single UDP packet (with no room for a payload) without requiring anything in return. It was the available bandwidth which limited its speed of propagation.
W32/LOVSAN.A.worm: Another text book example!
Timeline chart (July to August 2003):
1. Discovery by LSD, private distribution “Day Zero”
2. Publication of alerts MS03-026 and patch
3. First public exploit appearance
4. The anti-virus companies fight back
5. Lovsan worm and massive exploitation
6. Application of the patches
Based on an idea by Nicolas Grégoire (Exaprobe)
The vast majority of viruses that have come to our attention
since 2000 have been mass-mailers. A change in the trend in
favor of worms is not yet detectable. Nevertheless, it seems
that it is only a question of time. After CodeRed in 2001,
examples have followed, namely Slammer, Lovsan and Nachi.
Viruses having provoked a major alert, by year (1999 / 2000 / 2001 / 2002 / 2003 Q1-2-3):
Mass-mailers
  Macro-virus : 4 / 1
  Script virus : 1 / 5 / 3
  Virus PRG (W95/W32) : 3 / 3 / 8 / 10 / 14
  .worm : 1 / 2 / 2 / 3
Others (non mass-mailer, non .worm) : 12 / 1 / 4 / 1
References
• CAIDA Analysis of Code-Red
http://www.caida.org/analysis/security/code-red/
• Analysis of the Sapphire Worm - A joint effort of CAIDA, ICSI,
Silicon Defense, UC Berkeley EECS and UC San Diego CSE
http://www.caida.org/analysis/security/sapphire/
• Will the Internet worm usurp the mass-mailer?
Table compiled from those viruses that provoked a “medium” or
“High” level of alert at Network Associates
Legal responses : a strategy of deterrence
2003 was marked by several high-profile court cases
which at least showed a willingness to act.
Such actions have a demonstrative value :
They send a strong signal to criminals, delinquents and
fraudsters on the Net, be they companies or
individuals.
In addition, new legislation is being signed into law
but...
Legislation
2003 : France continued to examine proposed laws to
regulate the digital economy.
France’s National Assembly and Senate have both
agreed on the need for stiffer sentences and a doubling
of the fines for pirating.
July 2003 : California passes an anti-spam law.
October 2003 : The EU Directive on individual privacy
and electronic communications takes effect. All the
EU’s member states are obliged to adopt it.
December 2003 : State anti-spam laws are expanded
to cover the entire United States.
Actions against virus propagators
January 2003 : 23-year-old Simon Vallor, a.k.a. “Gobo”, creator of the GOKAR, REDESI and ADMIRER worms, is given a 2-year jail term in Great Britain.
June 2003 : The FBI opens an investigation into the
BUGBEAR.B worm. In its code, the worm carries a list
of over a thousand banks.
August 2003 : 18-year-old Jeffrey Lee Parson is
arrested in Minneapolis, Minnesota (USA). He is
charged with having encoded and propagated a variant
of the BLASTER worm : BLASTER.B.
September 2003 : second arrest in connection with the
spread of a BLASTER variant : RPCSDBOT. The individual
in question is a minor (under the age of 18). The FBI has
declined to release his name or the place of his arrest.
September 2003 : a young man of 24 is suspected by Romanian police of being the author of another variant of the BLASTER worm : BLASTER.F. Clues left in the worm’s code, namely the man’s pseudonym "Enbiei" and a message in Romanian about one of his former teachers, tipped off investigators.
November 2003 : Microsoft announces that it will offer a
reward to anyone who can provide information leading to the
arrest and conviction of any virus writer. The company sets
aside five million dollars for the international program :
250,000 dollars for the arrest of the author of BLASTER.A (alias
LOVESAN), and 250,000 dollars for the author of SOBIG.
The FBI, the Secret Service and INTERPOL are all involved with
the program.
November 2003 : The presumed author of the RALEKA worm is
arrested in Spain. The 23-year-old man with the pseudonym
“900K” is also suspected of being the leader of the AKELARRE
“phreakers” group.
Internet fraud : major operations
With consumer complaints against Internet fraud steadily
increasing, the authorities are beginning to act.
Anti-fraud swoop to protect online auction sites :
April 30th 2003 – A vast operation is launched across
several US States at the request of the Federal Trade
Commission following a flood of complaints from
consumers who fell prey to fraud while visiting an online
auction site. The FTC received over 51,000 complaints
prior to the sweep.
Operation E-Con
16th May 2003 – 130 people are arrested and 17 million dollars seized in a vast operation conducted by the FBI in several US states against a variety of frauds, scams and other Internet-based crimes : the defrauding of internet auction sites, fake dating sites, pirating of software, etc.
Operation Cyber-Sweep
1st October 2003 : Operation “Cyber-Sweep,” billed as
the largest FBI operation ever undertaken against
Internet fraud is launched. The operation targets credit
card scams and the sale of counterfeit products, etc.
According to figures provided by the Internet Fraud Complaint Center (an autonomous offshoot of the FBI and the National White-Collar Crime Center), in the first nine months of 2003, before the start of Operation Cyber Sweep, there were 53,392 complaints against Internet fraud (compared with a total of 48,000 for the twelve months of 2002).
The fight against spam
December 2003 : Jeremy Jaynes, No. 8 on the list of the world’s most prolific spammers, is arrested and charged with fraud in the US State of Virginia for sending unsolicited e-mails.
Major actions undertaken at the request
of professional organizations
Corporations, the representative organizations of
music, film, and broadcasting producers as well as
artists’ associations have filed suit to defend
intellectual property rights and copyrights.
The suits are targeting professional software-publishing
companies, commercial sites, and ordinary individuals.
Music: the RIAA files suit against individuals
On September 8th 2003, the Recording Industry Association of America announced that it was suing 261 individuals for sharing an average of 1,000 music files each over peer-to-peer networks, in flagrant violation of the rights of the record labels and the artists.
It was the first time the record industry had targeted individuals directly to defend those rights.
Films, CDs and DVDs: arrests and prosecutions in Spain, Britain and France
On January 18th 2003, in a raid billed as the largest operation of its type in Europe, 40 people were arrested in Madrid, Spain. Police seized 250,000 CDs and equipment capable of reproducing over 60 million DVDs and CDs a year.
Great Britain, January 2003: the cybercafé chain EasyInternet Café is found liable for copyright infringement for allowing its customers to download music files and burn them onto CDs.
France, February 2003: a young man from the Paris area is arrested following a complaint from the Film Distributors' Federation. He is accused of selling 630 pirated films over the Internet, some of them not yet released.
Spain, July 2003: a law firm announces it will initiate legal proceedings against 4,000 web surfers for swapping copyright-protected films, music and software.
France, November 2003: some 15 people are arrested following a complaint by SACEM, France's music copyright organization. At issue: a series of dummy companies selling CDs and DVDs from Asia over the Internet at bargain-basement prices without paying the royalties legally due to SACEM.
In December 2003, ALPA, the French anti-piracy association, announced the closure of the STPBEAM web site. Three people were taken in for questioning in Rennes, Strasbourg and Mulhouse.
The site offered a constantly updated list of some 2,000 recent films available for download over peer-to-peer networks. Over 600 films on CD-R were also seized at the homes of those questioned.
Peer-to-peer file-sharing software
Late April 2003: a joint suit filed by several major film and music companies is dismissed by the US District Court for the Central District of California. The court rules that the distributors of the Grokster and Morpheus (StreamCast Networks) peer-to-peer software cannot be held liable for the acts of their users.
DVD protection
December 2003: the Motion Picture Association of America loses its legal battle against Jon Lech Johansen in the Norwegian Court of Appeals. Johansen had been prosecuted for creating DeCSS, a program that removes the CSS scrambling from DVDs so that they can be played on Linux. Separately, he also published a tool to bypass the protection on Apple's iTunes music files.
The fight against spam gains momentum
Spam does not just concern e-mail; it affects SMS text messages too.
2003 was marked by:
- A significant rise in the volume of spam and in the costs associated with it,
- A growing SPAM + PHISHING + WORM convergence,
- A running battle between spammers (and their virus-writing allies) and anti-spammers,
- The enacting of legislative measures in the United States and Europe,
- The arrest and conviction of spammers.
The use of spam to promote products and services: Viagra, Zyban, Xanax... "Improve your sex life...", "Get out of debt...", "Earn your degree online...", "Work at home...", "XXX...", "porn...".
Since most spam does not come from reputable companies, spammers forge the sender address and use misleading subject lines to catch unwitting users off guard.
Then there are the messages with innocuous subjects like "Did you see my mother?" or "new cartoons" which, when opened, display highly explicit pornographic images.
Using spam for malicious ends
December 2003: in Britain, numerous people received an e-mail from a company called Huntington Mail Order informing them that £399 had just been debited from their credit card for the purchase of an iPod. The message gave a telephone number to call if the recipient wished to contest the purchase.
In reality there was no such company, and the telephone number was that of a police station. The station's switchboard was inundated with calls, at one point 500 calls per hour. A few hours later, a 21-year-old man was arrested in connection with the incident.
November 2003: a Frenchman is given a 10-month suspended sentence and ordered to pay more than 34,000 euros in damages for having sent 700,000 messages to the directors and employees of the medical products group Smith & Nephew (S&N).
For more than two years, his disparaging messages claimed that the company's products were defective or lethal and its directors corrupt.
To send so many e-mails he used a particular technique: the messages went out through a multitude of web sites offering a "send this article to a friend" feature. By entering forged sender addresses in those forms he was able to send up to 10,000 messages per hour.
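The abuse described above works because a "tell a friend" form lets any visitor dictate the sender, subject and body of mail that the site's own servers then deliver. The following added example (it is not part of the CLUSIF report and describes no real site) contrasts such a handler with a hardened one: the site fixes the sender and the text, limits the visitor to choosing a catalogue article and a recipient, refuses line breaks that could inject headers, and rate-limits each source address. The site name news.example, the article catalogue, the limit of five messages per hour and the sample requests are all assumptions.

```python
"""Hardening a "send this article to a friend" form.

Added example, not from the CLUSIF report: the site name, article
catalogue, limits and sample requests are all constructed for illustration.
"""
import re
import time
from email.message import EmailMessage
from typing import Dict, List, Optional

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Hypothetical catalogue of articles the site is willing to recommend.
ARTICLES = {"1234": "https://news.example/articles/1234"}
SITE_SENDER = "no-reply@news.example"


def build_vulnerable(form: dict) -> EmailMessage:
    """The weak design: the visitor controls From, Subject and body, so the
    site becomes an anonymous relay for any text under any sender name."""
    msg = EmailMessage()
    msg["From"] = form["from"]        # attacker-chosen, forged at will
    msg["To"] = form["to"]
    msg["Subject"] = form["subject"]
    msg.set_content(form["message"])  # arbitrary text, no length limit
    return msg


class RateLimiter:
    """Sliding-window counter per source key (here the client IP)."""

    def __init__(self, limit: int, window_s: int):
        self.limit, self.window_s = limit, window_s
        self.hits: Dict[str, List[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self.hits.get(key, []) if now - t < self.window_s]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


LIMITER = RateLimiter(limit=5, window_s=3600)   # assumed policy: 5 per hour


def build_hardened(form: dict, source_ip: str,
                   now: Optional[float] = None) -> EmailMessage:
    """The fixed design: the visitor may only pick a catalogue article and a
    recipient; sender, subject and body text are fixed by the site, header
    injection via line breaks is refused, and each source is rate-limited."""
    now = time.time() if now is None else now
    to = form.get("to", "")
    if not EMAIL_RE.match(to):
        raise ValueError("invalid recipient address")
    article = ARTICLES.get(form.get("article_id", ""))
    if article is None:
        raise ValueError("unknown article")
    note = form.get("note", "")[:200]           # optional, tightly bounded
    if "\r" in note or "\n" in note:
        raise ValueError("line breaks not allowed in note")
    if not LIMITER.allow(source_ip, now):
        raise PermissionError("rate limit exceeded for " + source_ip)
    msg = EmailMessage()
    msg["From"] = SITE_SENDER                   # never the visitor's choice
    msg["To"] = to
    msg["Subject"] = "A reader recommends an article on news.example"
    body = f"A visitor to news.example recommends this article:\n{article}\n"
    if note:
        body += f"\nTheir note: {note}\n"
    body += "\nSent automatically; the recommending visitor is not identified."
    msg.set_content(body)
    return msg


def handle_request(form: dict, source_ip: str, now: float) -> str:
    """Wrapper that turns refusals into a status string suitable for logging."""
    try:
        build_hardened(form, source_ip, now)
        return "sent"
    except (ValueError, PermissionError) as exc:
        return "rejected: " + str(exc)
```

The hardened handler still sends mail on behalf of an anonymous visitor, which is why the body says so and why the rate limit matters: at five messages an hour per address, the 10,000-an-hour campaign in the text would have needed thousands of source addresses rather than a script and a list of sites.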
Spam as a prelude to fraud (phishing)
The sending of unsolicited e-mails for the sole purpose of committing fraud.
(See below, Overview of Cyber-crime: Phishing.)
Spam relayed by computer worms, which turn infected machines into relays and/or attack anti-spam sites
2003: spam + phishing + worm convergence.
(See below, Overview of Cyber-crime: Viruses.)
Spam for commercial ends
- October 2003: the company PW Marketing and its two directors were ordered by a California court to pay a two-million-dollar fine for having sent millions of advertising e-mails under fictitious names. The spam promoted a guide to spamming...
- December 2003: in the US state of Virginia, Jeremy Jaynes, No. 8 on the list of the world's most prolific spammers, is arrested and charged with fraud for sending unsolicited e-mails.
Spam: the stakes and the costs
- Spam has become a serious problem (inconvenience, nuisance, added costs, vehicle for malicious acts).
- AOL says it filtered 500 billion spam messages in 2003.
- Spam costs businesses a lot of money: according to Ferris Research, spam in 2003 cost European businesses an estimated 2.5 billion dollars and American businesses 8.9 billion dollars. To that must be added the 500 million dollars invested by service providers in trying to block it.
Security
- Prevention of virus-carrying spam, raising public awareness of the risks, etc.
- Invasion of privacy (harvesting and using e-mail addresses), risk of fraud.
- Illicit content.
- Protection of minors (pornography, etc.).
- Collateral effects, i.e. harm to third parties: spammers abuse other people's domain names by forging their e-mail addresses as the sender of the spam. The forged sender address ends up on a blacklist, and the legitimate owners of that address can no longer send their own messages.
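The collateral damage just described is what sender-authentication records are meant to stop: with SPF (first drafted in 2003, now RFC 7208) a domain owner publishes which hosts may send mail in its name, so a receiving server can reject the forgery instead of blacklisting the innocent domain. The following added example, which is not from the report, is a minimal SPF evaluator run against a constructed in-memory table of TXT records for hypothetical domains (bank.example, _spf.mailer.example, nospf.example); a real check would query DNS, and the "a", "mx" and "exists" mechanisms are deliberately left unsupported.

```python
"""Checking a claimed sender domain against its SPF record.

Added example, not from the CLUSIF report. The DNS records are a
constructed in-memory table so the code runs offline; a real check would
look up the domain's TXT records instead.
"""
import ipaddress

# Constructed TXT records for hypothetical domains.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 ~all",
    "nospf.example": "",                  # domain publishes no policy at all
}

MAX_LOOKUPS = 10   # RFC 7208 caps DNS-triggering mechanisms at 10

VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    rec = DNS_TXT.get(domain, "")
    return rec if rec.startswith("v=spf1") else None


def spf_check(client_ip, sender_domain, _depth=0):
    """Evaluate the SPF policy of sender_domain for a connection from
    client_ip. Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or
    'permerror'."""
    if _depth > MAX_LOOKUPS:
        return "permerror"
    record = _lookup(sender_domain)
    if record is None:
        return "none"          # nothing to check against: forgery goes unnoticed
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in VERDICT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return VERDICT[qualifier]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # A bare address becomes a /32 or /128 network; a v4 address is
            # never inside a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return VERDICT[qualifier]
        elif name == "include":
            if spf_check(client_ip, arg, _depth + 1) == "pass":
                return VERDICT[qualifier]
        else:
            # 'a', 'mx', 'exists', 'redirect=' ... would need live DNS here
            return "permerror"
    return "neutral"           # no mechanism matched and no 'all' term
```

With bank.example ending in "-all", a message from 192.0.2.77 claiming to be from that domain fails outright and can be rejected at SMTP time, so the bank's address never reaches a spam trap. A domain with no record gets "none", which is exactly the state in which the abuse in the text succeeds.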
Spammers
- The recipients of spam bear the greatest costs, since spam costs the spammer relatively little.
- For those who send it, spam is big business: out of the hundreds of thousands of messages dispatched, even a tiny percentage of orders can prove highly profitable.
- For spammers, the investment is practically zero. E-mail address lists are cheap to come by: 25 million addresses for 25 euros, or a CD of over 100 million addresses for less than 100 euros.
Spam has its professionals
Some 200 people are responsible for 90% of all spam.
It can come from individuals or companies who have found a way to make large profits quickly.
For some, operating under false names opens up all the resources of the Internet while they remain hard to trace.
Nevertheless, it is not impossible for the authorities to identify them and act.
The anti-spam backlash
- Individual initiatives:
Russia, July 2003: Andrei Korotkov, Russia's Deputy Communications Minister, endorses a government initiative to persuade the public to use the Internet and becomes the target of about forty spam messages a day from the American Language Center in Moscow. His requests that the messages stop went unheeded, so he decided to retaliate by spamming the spammer: using an automated telephone dialler, he called the school 1,000 times in one morning and played a pre-recorded message asking it to desist. In return he received an e-mail saying that the school's telephone lines were down but that it could be reached via ICQ.
- User associations fight back:
The anti-spam site Caspam publishes a blacklist of spammer e-mail addresses.
In late December 2003, the anti-spam organization Spamhaus published on its web site a list of the world's most prolific spammers: the No. 1 on the list holds the record of sending 70 million e-mails in a single day. Spamhaus also publishes a list of the worst spam-supporting ISPs and the countries where they are located, and documents the technical means used by spammers.
[Two chart slides reproducing Spamhaus statistics. Source : spamhaus.org]
Resorting to legal action
Companies are beginning to seek recourse in the courts.
Several Internet service providers, including AOL and EarthLink, have filed suit against spammers.
United States, May 2003: Howard Carmack, the "Buffalo spammer", is ordered to pay $16.4 million in damages to EarthLink for having sent 825 million unsolicited e-mails.
December 2003: Microsoft Corp. files suit against several companies and individuals for sending billions of spam messages. Among them are the companies Synergy6 and OptInRealBig, which alone are accused of sending 250 million spam messages a day.
The authorities tighten the law
- Europe, October 2003: the European Union directive on privacy and electronic communications (2002/58/EC) takes effect. All EU member states must transpose it into national law.
- Spam: apart from messages sent in the limited context of an existing customer-supplier relationship, commercial canvassing by e-mail is henceforth permissible only if the recipient has given prior consent (opt-in). The directive also covers SMS and other electronic messages sent to mobile and fixed-line phones.
The directive also makes it illegal to disguise the identity of the sender or to use an invalid sender address.
Member states are also given the right to prohibit the sending of unsolicited e-mails to businesses.
December 2003: in the United States, the first federal anti-spam law (the CAN-SPAM Act) is signed. It prohibits some types of junk e-mail and provides for prison terms and multi-million-dollar fines for offenders. Some states already had laws of their own; California and Virginia passed anti-spam legislation in 2003.
The federal law still allows companies to send messages to anyone with an e-mail address, as long as they identify themselves clearly and stop soliciting consumers who say they do not wish to be solicited (opt-out system).
References
Magazine Expertises.
Agence France Presse, Reuters, Associated Press, Virus Informatique.
http://spamhaus.org
http://caspam.org
http://pourriel.ca
http://caspam.org/docs/spam_telus.pdf
http://www.caspam.org/cas_blacklist.php
http://europa.eu.int/information_society
http://www.zdnet.fr/actualites/technologie/0,39020809,39115493,00.htm?feed
http://www.zdnet.fr/actualites/technologie/0,39020809,39135585,00.htm
http://www.foruminternet.org/texte/actualites/lire.phtml?id=574&
http://vnunet.com/News/1151399
Phishing : Three deceptions in one
Personal data, particularly an individual's banking data, is exactly the kind of information criminals covet.
Such information can be obtained by bribing company employees or by hacking into a database.
There is, however, another way of gathering the same information: directly from the individual.
That method is called PHISHING.
The incidence of phishing increased greatly in 2003, leaving thousands defrauded.
Phishing: "fishing" written in hacker jargon with a "ph" (as in "phreaking").
Phishing is a scam that casts a net, usually by mass-mailing spam and setting up fake web sites, to fish for personal data.
The aim: to obtain bank account details, credit card numbers and other personal data from web surfers in order to commit identity theft and financial fraud.
The lure: financial gain.
Modus operandi and the strategy used
PHISHING plays on illusion and appearances.
In short, it is three deceptions in one.
First deception : pretending to be something one is not (a
known company) to gather the coveted data from internet
users.
Second deception : presenting fake pages similar to the
original (pretexts, fake links, fake web pages, etc.)
Third deception : using the data to assume the identity of
the defrauded user to procure goods or services (money,
merchandise, identity papers and other administrative
documents).
Casting the net
More often than not, phishing is carried out via spam,
namely, the mass mailing of unsolicited e-mails.
Computer worms are often used too…
As are fake web sites purposely created for the occasion.
Deceiving the victims
Deception as to the sender of the e-mails: Fake or
usurped sender names and the hijacking of known
company names.
Deception as to the sender
Since the primary motive is financial gain, the e-mails are often made to look as though they come from well-known companies, particularly banks: EBAY, YAHOO, MSN, HOTMAIL, EARTHLINK, and financial institutions such as PAYPAL, BARCLAYS, LLOYDS TSB, CITIBANK, VISA, BANK OF ENGLAND, HALIFAX, NATWEST, NATIONWIDE, WESTPAC, etc.
Deception as to the e-mail's subject:
"Security update", "change your password", "user information", "confirm your personal information", "reactivate your account", etc.
Deception in terms of content
Phishing plays on pretexts and appearances to convince unwitting recipients to hand all the necessary information to the fraudsters.
Backed up with forged web pages
Fraudulent e-mails are often combined with fake web pages that take on the appearance of the real sites they emulate: the same graphics, the same logos, the same typography and the same interface.
URL cloaking: the URL shown may look identical to that of the original web site while in reality pointing to a fraudulent one. In December 2003 this was done by exploiting an input-validation flaw in Microsoft Internet Explorer 6: a URL of the form http://www.bank.example%01@attacker.example/ is really a link to attacker.example (everything before the "@" is a user name), but IE6 stopped displaying the address at the %01 character, so the address bar showed only http://www.bank.example.
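To see through such disguises, strip the URL down to the host the browser will actually connect to. The added example below (not part of the report; the domains and addresses in it are constructed inputs, and ebay.com appears only as the brand the message claims) undoes three common tricks: a fake "user@" prefix carrying the bank's name, a percent-encoded control character of the kind the IE6 flaw hid, and a host written as a bare integer. It then compares the result with the domain the e-mail claims to come from.

```python
"""Recovering the real destination of a disguised URL.

Added example, not from the CLUSIF report. Domains and addresses below
are constructed inputs; ebay.com is used only as the 'claimed' brand.
"""
import ipaddress
from urllib.parse import urlsplit, unquote


def real_destination(url: str, claimed_domain: str):
    """Return (host, warnings): the host a link really leads to, and the
    reasons it should be distrusted (empty list if it looks legitimate)."""
    warnings = []
    parts = urlsplit(url.strip())
    netloc = parts.netloc

    # 1. Everything before '@' is userinfo, not the host. Phishers put the
    #    bank's name there so a glance at the link looks right.
    if "@" in netloc:
        userinfo = unquote(netloc.rsplit("@", 1)[0])
        warnings.append(f"userinfo {userinfo!r} precedes the real host")
        if any(ord(c) < 32 for c in userinfo):
            warnings.append("control character in userinfo "
                            "(IE6 address-bar truncation trick)")

    host = unquote(parts.hostname or "")      # userinfo and port removed

    # 2. A host that is a bare integer is an IPv4 address in disguise;
    #    browsers accept http://3221226219/ and connect to 192.0.2.235.
    if host.isdigit():
        host = str(ipaddress.IPv4Address(int(host)))
        warnings.append("numeric host rewritten to dotted form")
    try:
        ipaddress.ip_address(host)
        warnings.append("link goes to a bare IP address, not a domain name")
    except ValueError:
        pass

    # 3. Compare with the brand the message claims to come from. Only the
    #    domain itself or a subdomain of it counts as a match.
    claimed = claimed_domain.lower()
    if host != claimed and not host.endswith("." + claimed):
        if claimed in host:
            warnings.append(f"{claimed!r} appears inside an unrelated host name")
        warnings.append(f"host {host!r} is not {claimed!r}")
    return host, warnings
```

The check is deliberately strict about the last step: www.ebay.com.evil.example contains the brand but is a subdomain of evil.example, which is the other half of the disguise once the userinfo trick has been removed.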
The growing role of worms and Trojans
First seen in 2002 with the FISHLET.A worm, the use of worms and Trojans in spam and phishing operations grew markedly in 2003.
Harvesting e-mail addresses, locating specific targets such as financial institutions, using infected machines as proxies, displaying fake data-collection windows from virus-borne e-mails... taken together, this indicates a convergence between virus writers, phishers and spammers.
Spam as a prelude to fraud (phishing)
The use of fraudulent, unsolicited e-mails that usurp the identity of well-known companies, usually banks or online auction sites, to collect sensitive personal data with the aim of committing fraud.
There were numerous cases of spam being used for phishing in 2003, and numerous victims left in its wake.
(See above, Overview of Cyber-crime 2003: Spam.)
Computer worms used to relay spam and/or attack anti-spam sites
2003: spam + phishing + worm + Trojan convergence.
- The MIMAIL worm sends a message confirming a supposed order for pornographic photos. Recipients are told they can contest the order by e-mailing the customer complaints department; the address given is in fact that of an anti-spam web site, which is paralysed by the resulting flood of messages.
- Other MIMAIL variants, MIMAIL.E and MIMAIL.L, attack and flood several anti-spam sites: Spamhaus.org, SpamCop.net and Spews.org.
(See below, Overview of Cyber-crime: Viruses 2003.)
- SOBIG.F uses infected computers as proxy servers for spam.
- MIMAIL.I and MIMAIL.J display a fake PAYPAL window to collect sensitive data for fraudulent use.
- CAYAM displays a fake EBAY window. The MIGMAF and QHOST Trojans can turn compromised computers into proxies for fraudulent web sites.
(See below, Overview of Cyber-crime: Viruses 2003.)
Organization
The web page displayed to the user may be hosted in the same country or abroad.
The domain names are registered under false names and addresses.
Or the fake web page is served from a server specially hijacked for the occasion.
In February 2003, an attacker used a server belonging to the University of North Carolina to send fraudulent e-mails. The e-mail, purportedly from EBAY, asked users to confirm their personal information. The attacker was able to gather personal data and credit card details for over two hours before the university's technicians noticed something abnormal and shut the server down.
Victims' computers may also be used, without their knowledge, as proxy or reverse-proxy servers, for example if they have previously been compromised by the MIGMAF or QHOST Trojans. A traceroute run to locate the fraudulent web page then leads to one location; a few seconds later the same query leads to a different one, and so on, sending the investigator back and forth through an endless labyrinth.
Such methods enable the fraudsters to evade detection and stymie investigations.
To keep the authorities at bay, the fraudsters also play against time, taking the fake web site down fairly quickly only to bring it back online at another address, and so on.
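The moving-target behaviour described above leaves a signature in DNS: the phishing name resolves to a different address every few seconds, with very short TTLs, across hosting that has nothing in common. The added example below (not from the report; the observation tuples are constructed, standing in for a resolver's or passive-DNS log of one host name) profiles those answers and flags the rotating pattern. It uses /16 prefixes as a crude stand-in for distinct hosting providers, an assumption a real analysis would replace with ASN data.

```python
"""Spotting a phishing host that keeps moving between proxies.

Added example, not from the CLUSIF report. Each observation is
(seconds since first lookup, answer IP, TTL) as a resolver would record
it for one host name; the two sample series are constructed.
"""
import ipaddress
from collections import namedtuple

Obs = namedtuple("Obs", "t ip ttl")

# Constructed sample: a rotating phishing host vs a stable bank host.
ROTATING = [Obs(0, "203.0.113.7", 60), Obs(65, "198.51.100.40", 60),
            Obs(130, "192.0.2.88", 30), Obs(170, "203.0.113.9", 60),
            Obs(240, "198.51.100.41", 60), Obs(300, "192.0.2.90", 30)]
STABLE = [Obs(0, "198.51.100.5", 3600), Obs(3700, "198.51.100.5", 3600),
          Obs(7400, "198.51.100.6", 3600)]


def flux_profile(observations):
    """Summarise how a name's answers change over time."""
    ips = {o.ip for o in observations}
    # /16 networks as a cheap stand-in for distinct hosting providers
    # (assumption for this example; a real analysis would map IPs to ASNs).
    nets = {str(ipaddress.ip_network(o.ip + "/16", strict=False))
            for o in observations}
    changes = sum(1 for a, b in zip(observations, observations[1:])
                  if a.ip != b.ip)
    return {"distinct_ips": len(ips), "distinct_nets": len(nets),
            "changes": changes, "min_ttl": min(o.ttl for o in observations)}


def looks_like_flux(observations, max_ttl=300, min_nets=3, min_changes=2):
    """Heuristic: short TTLs, answers spread over several unrelated networks,
    and the answer actually changing between lookups. Thresholds are
    assumed values to tune against your own resolver logs."""
    p = flux_profile(observations)
    return (p["min_ttl"] <= max_ttl and p["distinct_nets"] >= min_nets
            and p["changes"] >= min_changes)
```

Content-delivery networks also answer with many short-lived addresses, but normally from one provider's ranges; treat the flag as a reason to pull WHOIS or ASN data for the addresses, not as a verdict on its own.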
Throughout 2003, a large number of fraudulent e-mails
pretending to be from EBAY made the rounds : Over sixty
in all.
During some months, a different version was appearing
every two days!
These fraudulent e-mails bore titles like :
ACCOUNT UPDATE
SECURITY UPDATE
SECURITY MEASURES
OFFICIAL NOTICE
USER ACCOUNT PROTECTION
CONTACT INFORMATION VERIFICATION
UPDATE REGISTRATION INFORMATION
YOUR ACCOUNT WILL BE SUSPENDED
YOUR CREDIT CARD HAS BEEN CHARGED
CHANGE YOUR PASSWORD
CONFIRM YOUR REGISTRATION INFORMATION
When the scam is not presented directly in the e-mail itself, a link takes the recipient to a window supposedly run by EBAY, PAYPAL or some other financial institution. A number of e-mails redirected recipients to a forged web page emulating an EBAY authorization form.
One version of this scam surfaced in early October. On the pretext of preventing fraud, the e-mail asked users to log on to an EBAY web page which was in reality a fake. Recipients who did so found a form identical to the real one used by EBAY and were asked to enter their personal data.
In one fraudulent e-mail, the URL which appeared in
the address bar when the forged site was visited did
not belong to EBAY, but rather, it was registered under
the name of a person from Plaquemine, Louisiana and
hosted by YAHOO.COM.
Contrary to what some specialists say, it is not always
easy for people to realize that the URL in question is
fake.
December 2003:
An e-mail, supposedly from Lloyds TSB bank, asked recipients to log in and update their account information because of a recent change in security procedures.
The e-mail carried a hyperlink that redirected users to a forged web page made to look like the bank's site. The server hosting the forged site was in fact located in Japan.
Late October 2003:
A particularly deceitful scam: a "verification" e-mail supposedly from Barclays Bank.
On the pretext of verifying the customer's e-mail address, the message contained a doctored link that led to the real Barclays site. A forged pop-up window then appeared over the bank's legitimate site, requesting the user's membership number and password.
When the unwitting recipient filled in and confirmed the data in the pop-up window, it was sent to the fraudster's e-mail account, hosted on a server in Russia.
In other cases, the data was sent to a server in the United States.
The same method was used in November 2003 for e-mails purporting to come from CITIBANK.
November 2003:
Fraudulent e-mails supposedly from MSN and HOTMAIL:
To prod recipients into giving out their personal data, the e-mail claims that someone has tried to compromise the recipient's account. The user is then asked to re-enter the necessary personal information by filling in a form at a link provided in the e-mail.
The link in question pointed to the following URL: http://beam.to/MSNSecurity
This was a forged MSN page hosted on servers in China. It displays what looks like an MSN form.
Users who do as the message asks give away their name, address, credit card number, social security number, mother's maiden name, driver's licence details, etc.
The collected data is then passed on to the fraudsters via the e-mail service neveru.nl.
Meanwhile, the user is redirected back to an authentic MSN or HOTMAIL page.
December 2003: an e-mail purportedly from VISA INTERNATIONAL Service announces that VISA has set up a new security system "to help prevent fraudulent transactions" and asks users to click on a link to "reactivate" their accounts.
The link appears to point to the official VISA INTERNATIONAL site. In reality, the carefully crafted link opens a page that does not belong to VISA. The fraudulent site has since been shut down, but it is likely to resurface in another guise somewhere else.
PHISHING: an increasingly common form of fraud
Phishing is becoming more and more common, and it is causing major problems.
Identity theft is fast becoming endemic: some sources speak of 17 million cases of identity theft in the United States alone.
The convergence of SPAM + PHISHING + WORMS + TROJANS only increases the potential risks.
The fraudulent e-mails used for phishing look convincing and convey credible messages likely to fool large numbers of people: 40% of the people who received a fake CITIBANK e-mail fell into the trap.
Phishing also raises the issue of responsibility since it is
the user who unwittingly gives out the information and
is defrauded as a result.
In Australia and New Zealand, the WESTPAC bank,
targeted by a phishing operation in December 2003,
issued a communiqué announcing that the victims
were themselves responsible since it was they who had
given out their personal information.
Phishing is costly for its victims, whether individuals or banks.
In October 2003, the HALIFAX Bank had to suspend all activity on its web site because of a phishing operation targeting its customers. HALIFAX reportedly traced the replica page to a web site in Russia.
- Phishing is a profitable business for fraudsters : of
the millions of e-mails sent, only a tiny proportion of
web surfers need to fall into the trap to make the
operation worthwhile.
- Phishing is relatively easy for fraudsters to set up.
They have all the resources of the Internet to operate.
- Phishing is built on deception and it is usually a
prelude to further deceit and fraud.
- Phishing relies on the gullibility of web surfers.
- It exploits the technical possibilities of the internet to
deceive and evade detection.
- In terms of prevention, the most important thing is to raise public awareness of the risks.
- Attempted fraud or theft must be reported as quickly as possible, preferably keeping the hoax e-mails and all the technical information they contain (headers, links).
- Bank of America Corporation, the victim of a phishing operation in May 2003, reacted quickly by informing its customers of the attack: hoax e-mails had asked users to connect to a fake site resembling the original. The fraudulent site was shut down 13 hours after its discovery and only a small number of accounts were affected.
- In July 2003, a 17-year-old was arrested in Washington for conducting a phishing operation in which he was suspected of having obtained other people's personal data. His method of choice: a bogus request from AOL asking its users to update their account information.
- In September 2003, a man was arrested in Romania for fraud after a phishing episode that cost EBAY account holders 500,000 dollars.
- The FBI says it receives 9,000 complaints a month about fraudulent e-mails and fake web sites.
References
Agence France Presse, Reuters.
http://www.millersmiles.co.uk/identitytheft/spoof-email-hoax-scam-archive-1.php
New hi-tech opportunities for espionage
The hard disks of photocopiers
- December 2003: a Norwegian company specializing in data recovery published a report underscoring the vulnerability of the information stored on copiers and multifunction machines. The affair began when a dishonest employee retrieved information from a digital copier's disk and passed it on to a competing company.
Copiers are increasingly exposed. Various solutions are offered, each with its limits: removable disks; deletion of the data after copying or scanning (which is not the same as overwriting it, so the data remains recoverable); proprietary scrambling algorithms (which are not necessarily real encryption); etc.
Extension of the problem: the security of external devices (printers, photocopiers)
- January 2003: an MIT study (Garfinkel and Shelat, "Remembrance of Data Passed") highlights the risks of failing to erase the information on disk drives that are resold second hand. With a budget of 1,000 dollars, the researchers bought second-hand drives on a popular auction site. Of the 158 hard disks they acquired, only 12 had been correctly sanitized. One disk, apparently from an automatic teller machine in Illinois, contained over 5,000 credit card numbers.
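Both the copier incident and the resold-drive study above come down to one question: is there still sensitive data on the disk? The added example below (not from the report) does in miniature what the MIT researchers did: it scans raw bytes for digit runs that pass the Luhn check, as card numbers do, and then overwrites and unlinks a file. The "sector" it scans is a constructed byte string containing two well-known test card numbers; on a real drive you would read the block device, and because overwriting a file is not enough on journaling, copy-on-write or flash media, you would use the drive's own secure-erase or destroy the encryption key instead.

```python
"""Checking raw bytes for leftover card numbers, then overwriting a file.

Added example, not from the CLUSIF report. The 'sector' is a constructed
byte string; the test card numbers in it are the standard ones used by
payment processors and are not live accounts.
"""
import os
import re
import tempfile

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a
# longer digit run.
DIGIT_RUN = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers: double every second digit from
    the right, subtract 9 from results over 9, sum, check modulo 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(data: bytes):
    """Return candidate PANs (13-19 digits, Luhn-valid) found in raw bytes."""
    found = []
    for m in DIGIT_RUN.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite a file's contents in place with random data, sync, unlink.
    Returns the number of bytes overwritten per pass. Caveat: on journaling,
    copy-on-write or wear-levelled (SSD) storage the old blocks may survive
    elsewhere; use the device's secure-erase or full-disk encryption with
    key destruction for real sanitization."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = os.urandom(min(remaining, 1 << 20))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    os.unlink(path)
    return size


def demo():
    """Scan a constructed 'sector', then wipe a temp file holding it."""
    image = (b"\x00\x00txn 4111 1111 1111 1111 ok\x00"     # Luhn-valid test PAN
             b"5500-0000-0000-0004 next\xff"               # Luhn-valid test PAN
             b"1234567890123456 junk")                     # 16 digits, fails Luhn
    hits = find_card_numbers(image)
    fd, path = tempfile.mkstemp()
    os.write(fd, image)
    os.close(fd)
    wiped = overwrite_file(path)
    return hits, wiped, os.path.exists(path)
```

Run against a drive image, the scanner will also report harmless numbers that happen to pass Luhn (about one random 16-digit string in ten does), so the hit count is a reason to look, not proof; the 5,000 on the ATM disk would have stood out either way.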
- Hackers are specializing in attacks on embedded systems. The Phenoelit group regularly gives presentations and demonstrations spotlighting the opportunities for compromising printers and other digital devices: on the one hand for the information accessible on them, on the other for the chance to exploit the TCP/IP resources of a network device.
Several worms, including CodeRed, have used such resources in the course of their propagation.
Portable memory devices (USB key, iPod,
MP3 player):
- February 2002: an adolescent used his iPod to “suck
up” Office software for Mac OS X at a store in Dallas,
Texas. Thanks to FireWire, he was able to
make his copy in just a few minutes.
The transfer speed of a USB key is lower, but the
use of such devices has already been discussed at
hackers’ conferences as a means of installing programs
or retrieving information.
GSM-cameras
- July 2003: the new generation of GSM phones
allows users to take photos and send them
digitally.
- This raises a confidentiality issue both in a
professional context and in terms of individual
privacy (gyms, schools, museums, newsstands,
etc.).
Several countermeasures have been suggested:
banning their use in certain areas (of the company),
even by employees; devices which emit a specific
sound when a photo is taken.
Conclusions
It is normal to want to use a resource (especially a powerful
one). However, without wanting to cry doom, it is always
worthwhile to take into account the specific characteristics of the equipment.
Every new resource can (and will) be used for malevolent
purposes (misuse, side effects)…
Every new resource carries an intrinsic risk.
For example, with electronic mail:
Loss of hierarchy
Risk of bombing (e-mail saturation or denial of service)
Accidental disclosure (CC and reply-to; the M. Lewinsky
affair).
References
http://www.01net.com/article/224701.html
http://www.zdnet.fr/actualites/technologie/0,39020809,39133986,00.htm
http://web.mit.edu/newsoffice/nr/2003/diskdrives.html
http://www.silicon.fr/getaricle.asp?ID=1752
http://www2.canoe.com/techno/nouvelles/archives/2003/12/20031229-095518.html
http://www.defcon.org/html/links/defcon-media-archives.html#defcon-11
And finally
We would also like to mention…
- The new varieties of extortion
- The economic impact of the attacks against NGage
- Cyber-terrorism, and what it means…