Menace 2 the Wires: Advances in the Business Models of Cyber Criminals - Guillaume Lovet
Presentation Transcript
Menace 2 the Wires
Advances in the Business Models of Cyber Criminals
- Guillaume Lovet

Presentation Objectives

  • Recall different Cyber Criminals profiles

  • Recognize new cyber criminal schemes and understand where they originate from

  • Identify and quantify the business models behind

  • Raise public and industry awareness

Agenda

  • Quick reminders:

    • Cyber criminals profiles

    • Cybercrime Marketplace

    • Cybercrime Currency

  • Mass Injections: from harmless defacements to MPack

  • Threats 2.0: from the desktop to online applications

  • Auction Fraud: from your account to your door

Introduction

  • Cybercrime: criminal activity in which computers or networks are involved

  • Cybercrime profits (World): $50 billion to $100 billion per annum

Introduction (II)

  • Awareness increase

  • How do Cyber criminals sustain their profits?

  • Our habits evolve, blurring the online/real life line

  • Cybercrime evolves accordingly

Quick Reminders
Cyber criminals: Profiles, Marketplace, Currencies

Cyber criminals profiles

  • Coders

    the skilled

  • Kids

    the workforce

  • Mob

    the puppet masters?

  • Drops

    the mules

Cybercrime Currency

  • e-gold

    • Anonymity

    • Irreversibility

    • Independence

  • Wired cash

    • Irreversible

    • Crosses borders instantly

    • Fairly anonymous

Mass Injections… from harmless defacements to MPack

A bit of history

  • Defacing: Replacing the victim’s web server index page

  • Mainstream in the early 2000s

  • Moderately destructive

  • Common Characteristics:

    • Custom, usually dark gfx

    • Patriotism

    • Leet speech

    • Admin taunting

    • Linux preaching/ Microsoft bashing

What for?!

  • Mass-defacements highly regarded

  • But motivation was not financial gain

  • Rarely carries a real political message

  • So why?

For that!

  • Based on the common characteristics, defacing expresses a need to:

    • assert one’s belonging to a group

    • assert one’s national identity (wider group)

    • assert one’s competences / capacities

    • do something “forbidden”

    • compete with others

  • In a nutshell: Defacers = Teenagers growing

The Mpack case: Taking over Italy

  • Mpack is a web-application serving malicious content to visitors

  • The malicious content exploits several flaws in various browsers, making it a “drive by install” tool (No user interaction is needed from the victim)

  • Mpack is sold by a gang of Russian “coders” for about $700

Mpack Case: What happened in June 2007?

  • Thousands of Italian websites compromised

  • 90% of those sites were hosted by

    • Possible flaw exploited in the server hosting all those sites

    • Still under investigation

  • A malicious IFrame was injected into each hacked site, silently leading visitors to an Mpack server and infecting thousands of them
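A defender-side check for the injection pattern this slide describes, added here as an example and not code from the presentation: a small Python scanner that parses a page and flags iframes that point off-domain or are sized or styled so the visitor never sees them. The sample pages, the host names (`www.example-host.test`, `exploit-server.invalid`) and the function names are constructed for this example.

```python
"""Heuristic scanner for injected <iframe> tags in HTML pages.

Added example for this slide, not code from the presentation. It looks
for the two signs the mass-injection pattern leaves behind: an iframe
pulling content from a host other than the site itself, and an iframe
sized or styled so that the visitor never sees it.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (a 'px' suffix is tolerated)."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 1


def _is_hidden(attrs):
    """Hidden by inline style, or collapsed to a 1x1 / 0x0 box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", ""))


def find_suspicious_iframes(page_html, site_host):
    """Return [(src, reasons)] for iframes that look injected.

    site_host is the hostname the page is served from; iframes whose src
    resolves to another host are flagged as off-domain. Relative srcs and
    same-host widgets are left alone unless they are also hidden.
    """
    collector = _IframeCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname or ""
        if host and host != site_host.lower():
            reasons.append("off-domain")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, tuple(reasons)))
    return findings


# Constructed sample pages; the host names use reserved .test/.invalid TLDs.
CLEAN_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example-host.test/widgets/weather.html"
        width="300" height="200"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://exploit-server.invalid/in.cgi?3" '
    'width="1" height="1" style="visibility:hidden"></iframe>\n</body>',
)


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_suspicious_iframes(page, "www.example-host.test"))
```

Run over every page a host serves, with the site's own domain as `site_host`, this is one way a hosting company could have noticed the mass IFrame insertion the slide describes. The heuristic also flags legitimately embedded third-party widgets, so findings are a review queue rather than a verdict.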

Mpack Case: the business model behind

  • Costs

    • Mpack software: $700

    • Compromising a host company server hosting thousands of sites: $10,000 (assuming 0day)

    • Script inserting IFrames into each page: little skill, or about $50

Mpack Case: the business model behind

  • Profits

    • Using each one of the 10,000 infected computers as a spam relay (“one shot” operation)

      • Assuming:

        • Sending 100K emails before being blacklisted

        • Advertisers pay 0.03 cents per email:

      10,000 computers x 100K emails x $0.0003 = $300,000

    • Using each one of the 10,000 infected computers for Adware planting: $32,000 (monthly)

Mpack case: the business model behind

  • Total Costs: $10,750

  • Total Profits (first month): $332,000

  • Gain (first month):$321,259

  • Productivity index (Profits/Costs): 31

Threats 2.0… from the desktop to online applications

Web 2.0

  • Detailed inputs about the "Web 2.0" concept -> outside of our scope

  • A quote that puts Web 2.0 in a nutshell:

    “seemingly every aspect of our data [is] moving toward online apps and away from the traditional desktop model”

    (Wired Magazine)

Consequences on the Threat Landscape

  • Rise in online identity theft attacks

  • Impersonating a user on an online app allows for:

    • Retrieving the victim’s personal data

    • Performing actions on the victim’s behalf

  • Arsenal:

    • Phisher Worms

    • XSS / CSRF

    • Plain old client-side trojaning

Phisher Worm outlines

  • Combines Phishing and Automation

  • Malicious code sits on the server, not on the victim’s computer

  • Advanced Phisher Worms exist, resorting to tricky user-provided HTML, redirectors and mind-tricks

  • Spreads exponentially fast: the average user has about 100 friends

XSS / CSRF Worms

  • Cross Site Scripting (XSS) exploits the trust that the client has for the vulnerable website

    • Typically used to steal cookies and hijack sessions on the vulnerable site

  • Cross Site Request Forgery (CSRF) exploits the trust that the vulnerable website has for the user

    • Typically used to execute actions on behalf of the victim on the vulnerable site (eg: send a message, modify some personal settings, etc…)
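An added illustration of the two trust relationships this slide names (example code, not from the presentation): a toy profile-update endpoint shown in its CSRF-prone shape and in a hardened one, plus the output encoding that keeps stored profile text from being interpreted as markup. `Session`, `render_profile`, `update_profile` and the stored `about_me` field are assumptions made for this example; the token is a synchronizer token (an HMAC of the session id under a server secret), one standard mitigation among several.

```python
"""Output encoding and a CSRF token for a toy profile-update endpoint.

Added example for this slide, not code from the presentation. It models
the two trust relationships named above: the browser trusts the HTML the
site serves, so user-supplied profile text is encoded before it is
rendered; the site trusts the browser's session, so a state-changing
request must also carry a token that a page on another origin cannot
obtain. Session, render_profile and update_profile are assumptions made
for this example; the token is a synchronizer token (HMAC of the session
id under a server secret), one standard mitigation among several.
"""
import hmac
import html
import secrets
from hashlib import sha256

# Per-deployment secret; generated here so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


class Session:
    """Minimal stand-in for a server-side session bound to a cookie."""

    def __init__(self):
        self.id = secrets.token_hex(16)


def csrf_token(session):
    """Token embedded in the site's own forms; derived from, not equal to, the session id."""
    return hmac.new(SERVER_SECRET, session.id.encode(), sha256).hexdigest()


def render_profile(about_me):
    """Encode user text so a stored tag or script is shown as text, not interpreted."""
    return '<div class="about">%s</div>' % html.escape(about_me, quote=True)


def update_profile_insecure(session, store, form):
    """CSRF-prone shape: the cookie-backed session alone authorises the change."""
    store[session.id] = form["about_me"]
    return True


def update_profile(session, store, form):
    """Hardened shape: refuse the change unless the form carries the session's token."""
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session)):
        return False
    store[session.id] = form["about_me"]
    return True


if __name__ == "__main__":
    sess, store = Session(), {}
    # A request arriving without the token, as a cross-origin form post would.
    forged = {"about_me": "spam"}
    print("insecure handler accepts forged post:", update_profile_insecure(sess, store, forged))
    print("hardened handler accepts forged post:", update_profile(sess, store, forged))
    update_profile(sess, store, {"about_me": "<b>hi</b>", "csrf_token": csrf_token(sess)})
    print(render_profile(store[sess.id]))
```

The token check closes the "site trusts the user" gap: the session cookie still rides along with a cross-origin request, but the token does not. The encoding closes the "user trusts the site" gap: whatever a profile contains is delivered to other visitors as text. A worm of the kind described on the next slide needs both gaps, one to plant itself and one to act on each viewer's behalf.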

XSS / CSRF Worms (continued)

  • In 2005: Samy’s worm (for fun) => over one million friends within 20 hours

  • In Dec. 2006: Quickspace worm (for profit):

    • viewing = getting infected

    • Being infected = infecting others + having a banner on your profile

  • It did happen and it will likely happen again (XSS/CSRF hard to spot)

  • Main Question: What is the point?!

The Business Logic Behind: Model (Costs)

  • Assuming:

    • Target: Posting an ad every week (so that it is always on the front page) for a month to 60,000 individual profiles

    • Price to pay for each posted ad: Equals 10 times the average price to pay a bot herder for sending out one spam email (~ $0.003)

  • Renting the services of a social networking site phisher:

    60,000 x $0.003 x 4 = $720 per month

The Business Logic Behind: Model (Profits)

  • Assuming:

    • Each ad is viewed on average 30 times per day (equals the average daily page views per profile on MySpace)

    • Posted ads click-through rate: 5%

    • Pay per click rate: $0.05

  • Pay per click affiliate program monthly revenue:

    60,000 ads x 30 daily views x 30 days x 5% x $0.05 = $135,000 per month

The Business Logic Behind: Model (Summary)

  • Summary

    • Total Costs: $720

    • Total Profits: $135,000

    • Gain: $134,280

    • Productivity index (Profits/Costs): 187

  • Bottom line?

    • more or less masqueraded spam is flourishing on social networking sites

    • may seem innocuous at first sight

    • But very organized and yields outstanding profitability figures

Auction Fraud… from your account to your door

eBaying

  • The term “eBaying” has two meanings…

  • eBaying guides sold on IRC

  • As old as eBay itself

  • Evolution over the past two years:

    • Automation

    • Risk taking

Plain Bogus Item

  • One of the easiest and quickest ways to make money on the internet:

    • Choose an item with high buzz factor, or a real bargain

    • Create an account and set up a bogus auction

    • Use low-ball to obtain payment via WU / MG

    • Cash in (possibly via a drop) and vanish

    • GOTO 1

  • Gives rise to amusing situations

Bogus Item with User Feedback

  • Used to work well, but with user awareness increase: difficult selling from accounts with no feedback

  • To sustain productivity: Need to find a way to get a hold of an account with good feedback at will

  • There are really only two solutions:

    • Steal It

    • Craft it

Steal It: Costs

  • Costs (covering the actual Phishing operation)

    • Phishing Kit: Scam letter + scam page: $5

    • Fresh spam list: $8

    • php-mailers to spam out 100K emails for 6 hours: $30

    • Hacked site for hosting scam page for a couple of days: $10

    • Valid cc to register domain name: $10

Steal It: Profits

  • Profits

    • A phishing success rate of 0.0001

    • Half of the hooked accounts suitable for bogus auction

    • An average price of $4,000 for the items sold

    100K emails x 0.0001 x 0.5 x $4,000 = $20,000

Steal It: Summary

  • Summary

    • Total costs: $63

    • Total profits: $20,000

    • Productivity Index (Profits/Costs): 317

  • Notes:

    • Raw profits not impressive, but P.I. is outstanding

    • Selling more valued items may boost P.I. but increase risks and decrease robustness

Craft It: Broker Bots

  • Many "buy it now" items at the price of 1 cent with no delivery cost (usually eBooks, pictures, wallpapers, etc.)

Craft It: Recollection

  • Someone is massively creating randomly named “spider” user accounts

  • Spiders seek & buy 1-cent "buy it now" items

  • The seller script emails the spider the item, and posts its standard feedback on the spider’s profile

  • The spider automatically responds with a standard feedback comment on the seller’s profile

    In a nutshell: two bots are talking – and doing business

Craft It: Model

  • Costs:

    • Building 100 accounts with 15 positive feedback messages each: $0.1 x 100 x 15 = $15

  • Profits:

    • A moderate scam success rate of ¼

    • Moderately priced bogus items (about $100)

    100 accounts x 1/4 x $100 = $2,500

Craft It: Summary

  • Total costs: $15

  • Total profits: $2,500

  • Gain: $2,475

  • Productivity Index (Profits/Costs): 166

The pay-on-delivery scam

  • Pay on delivery (aka Cash on Delivery, or “COD”) earns buyers’ confidence

    => Easier to sell bogus items

  • But then, how can cyber criminals make money with that?

The pay-on-delivery scam (cont)

  • On IRC, a “lead” = someone willing to buy something somewhere, with payment on delivery

  • Leads can be sold on IRC (via e-gold, WU, MG…)

  • Lead buyer:

    • dress as TNT guy

    • show up at the victim’s door

    • deliver a box full of turds

    • cash the payment

    • Leave

  • Is it Cybercrime, plain crime, or a mix of both?

  • Cyber criminals are willing to take more risks to get richer, faster

Conclusion

  • New cyber criminal schemes are still:

    • Highly profitable

    • Relatively easy to implement

    • Involve abnormally low risks, given the odds

  • Thus tremendously tempting

  • Issues

    • The Internet is borderless

    • The police in emerging countries focuses on criminal activity that produces corpses

Questions?
(No, I still do not drive a Mercedes 600SL)