Cyber Crime - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Cyber Crime' - isra
Presentation Transcript
Cyber Crime
  • Special Thanks to
    • Special Agent Martin McBride for sharing most of this information in his talk at Siena last semester
Criminal Activity Today

has shifted to the Internet

Canadian Lottery Scam
  • A call from Canada:
    • You’ve won the Canadian Lotto
    • We’ll protect your winnings from US capital gains taxes (i.e., Canadian Bank)
    • Just pay the Canadian Lotto tax 0.5% and we’ll set everything up
  • You say:
    • You mean I just have to pay you $5000 and you’ll put $1,000,000 in my own Canadian Bank Account. Sounds great!
Canadian Lottery Scam
  • It’s estimated that over $10,000,000 has been scammed off people in the US alone.
  • The scammers are so sophisticated that they get direct mailing/marketing lists and target specific demographics (homeowners over 65).
  • http://www.experian.com/products/listlink_express.html
  • Thank you Experian!
Canadian Lottery Scam
  • The scammers use cloned cell phones
  • Checks sent to “Mailboxes Etc.”
    • set up using a stolen identity
  • The FBI and RCMP have developed counter-measures
  • Thus, the Scammers have retreated to the Internet, where they have greater reach and less risk.
Criminal Activity Today
  • Phishing
  • Nigerian Letters Fraud
  • Internet Sales Fraud
  • Carding
  • Intrusions
  • Viruses & Worms
Criminal Activity Today (continued)
  • Distributed Denial of Service (DDOS)
  • Spam Attack/DDOS
  • Intellectual Property Theft
  • Sabotage
Phishing
  • uses spam, spoofed e-mails and fraudulent websites to
  • deceive consumers into disclosing credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information
  • by hijacking the trusted brands of well-known banks, online retailers and credit card companies
(slide 12: HTML source of a sample PayPal phishing e-mail)

<TABLE cellSpacing=0 cellPadding=0 width=600 align=center>
<TBODY>
<TR>
<TD><FONT style="FONT-WEIGHT: 400; FONT-SIZE: 13px; FONT-FAMILY: verdana,arial,helvetica,sans-serif">We
are currently performing regular maintenance of our security measures.
Your account has been randomly selected for this maintenance, and you now
be taken through a verification process.<BR><BR>Protecting the security of
your PayPal account is our primary concern, and we apologize for any
inconvenience this may cause.<BR><BR>Please <A
href="http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html"><FONT
color=#0033cc>click here</FONT></A> and fill in the correct information to
verify your identity.<BR><BR>NOTE: Failure to complete the verification
process or providing wrong information will lead to account suspension or
even termination.</FONT></TD></TR></TBODY></TABLE><BR><BR>
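Added here as an example (not from the slides or the FBI talk): a standard-library Python checker that pulls the links out of an HTML message like the one above and reports why the "click here" link cannot be PayPal's. The sample HTML is a constructed fragment reproducing the slide's link, and paypal.com as the brand being impersonated is an assumption.

```python
"""Added example, not from the slides: where do the links in a suspect e-mail point?"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed fragment reproducing the link from the PayPal phish on the slide.
SAMPLE_HTML = """<TABLE><TR><TD>Please <A
href="http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html"><FONT
color=#0033cc>click here</FONT></A> and fill in the correct information.</TD></TR></TABLE>"""


class LinkCollector(HTMLParser):
    """Collect href values from <a> tags (HTMLParser lowercases tag/attr names)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)


def registrable_domain(hostname):
    """Last two labels: fine for .com/.net; ccTLDs like .co.uk need a suffix list."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def analyze_link(url, brand_domain):
    """Checks a defender would run on one link that claims to belong to a brand."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    brand = brand_domain.lower()
    findings = []
    if reg != brand:
        findings.append(f"host {host} is registered under {reg}, not {brand}")
        if brand in host:
            findings.append("brand name appears only as a decoy subdomain")
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")
    if parts.scheme == "http":
        findings.append("plain http, no TLS")
    return {"url": url, "host": host, "registrable": reg, "findings": findings}


def analyze_html(html, brand_domain):
    """Run analyze_link over every href in the message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [analyze_link(u, brand_domain) for u in collector.links]


if __name__ == "__main__":
    for report in analyze_html(SAMPLE_HTML, "paypal.com"):
        print(report["url"])
        for finding in report["findings"]:
            print("  -", finding)
```

The slide's link scores on all four checks: the host ends in auth23.net, "paypal.com" is only a decoy label inside it, it uses port 4180, and it is plain http.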

Nigerian Letter Fraud
  • Claiming to be
    • Nigerian officials,
    • business people or
    • the surviving spouses of former government honchos,
  • con artists offer to transfer millions of dollars into your bank account in exchange for a small fee.
Nigerian Letter Fraud
  • If you respond, you may receive "official looking" documents.
    • Typically, you're then asked to
    • provide blank letterhead and
    • your bank account numbers,
    • as well as some money to cover transaction and transfer costs and attorney's fees.
Nigerian Letter Fraud
  • You may even be encouraged to travel to Nigeria or a border country to complete the transaction.
  • Sometimes, the fraudsters will produce trunks of dyed or stamped money to verify their claims.
  • Inevitably, though, emergencies come up, requiring more of your money and delaying the "transfer" of funds to your account;
  • in the end, there aren't any profits for you to share, and the scam artist has vanished with your money.
Internet Sales Fraud
  • Overpayment scheme (eBay)
    • A buyer accidentally overpays you
      • $1000 check rather than $100 check
    • Buyer says, “My mistake, but you owe me $900 if you cash that check.”
    • Buyer says, “Dude man! I need that $900 bucks, since this was my mistake, if you wire me $800 bucks, the check is yours.”
    • You get an additional $100 for your trouble, cool!
Internet Sales Fraud
  • Did you know that if you deposit a check worth $10,000 or more at HSBC, it can take over 5 business days for it to clear or for the bank to realize it’s fraudulent?
  • A week gives a scammer a long time to put pressure on you to return the overpayment.
  • Perhaps the overpayment is $9000.
  • Guess what? If you send a wire transfer or a money order out of your account, your account balance is reduced immediately (at the instant the order or wire is entered into their system).
  • Thank you HSBC for making it easy to scam me!
Internet Sales Fraud
  • Alexey Ivanov and others
    • auctioned non-existent items on eBay
    • bid on own items using stolen credit cards
    • as high bidder, paid himself through Paypal
Carding
  • “Carding” is the illegal use of credit card numbers. Carders:
    • Acquire valid credit card numbers(not their own)
    • Use them to make purchases
    • Sell them to others
    • Trade them over the Internet
Carding
  • Maxus, a Russian, stole 300,000 credit card numbers from CDUniverse.com
  • Maxus’ scheme was broken into 4 basic parts:
    • Wholesaling Cards — Cards were distributed to trusted partners, mainly in lots of 1,000, for $1 each.
    • Re-selling Cards — Cards were then sold by Maxus' partners. These "re-sellers" sold card numbers mainly in blocks of 50. The price to the "end consumer" was around $500.
    • Pure Liquidation — Maxus set himself up as an online retailer, and used the stolen numbers as if they belonged to his customers
    • End Users — Individuals would use the cards bought from Maxus to conduct their own fraud.
Intrusions
  • Unauthorized access into a computer
  • Different types of intruders
    • Hackers – create code to exploit vulnerabilities
    • Script-kiddies – use code readily available over the Internet to exploit vulnerabilities
    • Insiders - former employees whose accounts were not disabled upon termination
Intrusions
  • Example
    • Bob leaves Experian for Equifax
    • Equifax is a competitor to Experian
    • Bob uses the same password at Equifax that he had used while at Experian
    • Equifax has to crack Bob’s password because no one can get into his account to retrieve the work he left behind
    • Experian decides to try Bob’s password on Equifax’s e-mail system
      • It worked!
    • Experian attempts to steal customers from Equifax by intercepting e-mail sent to Bob’s account at Equifax.
Viruses, Worms, & Trojans
  • Viruses are computer code written to degrade the health of a computer or computer network
  • Worms are viruses that are written such that they can spread themselves to other computers
  • Trojans are viruses that remain dormant or hidden until a certain action is taken or a specified period of time has elapsed
Denial of Service (DOS)
  • An attack in which a large network of compromised computers is used to attack a target computer
  • Examples
    • Mafiaboy - Feb 2000
      • Yahoo!, eBay, CNN.com, eTrade, and others
    • DDOS attack against 9 of 13 root servers – Oct 2002
Intellectual Property Theft
  • The unauthorized acquisition and/or distribution of proprietary computer software or data files
Intellectual Property Theft
  • Example
    • Online warez pirates
      • Buy or steal copies of software programs such as video games or operating systems
      • Illegally share the programs through FTP servers located throughout the world
      • Hundreds and perhaps thousands of organized groups exist
        • Many groups contain hundreds of members
Sabotage
  • Deliberate destruction of the functionality of a computer or computer network
Insiders
  • Greatest threat to computer networks
    • Know the system
    • Have access via user accounts
    • Security lapses
      • Easy-to-guess passwords
      • Share accounts/passwords
    • Hostile terminations/revenge
Criminal Cyber Crime Techniques
  • Casing the establishment
    • Footprinting
    • Scanning
    • Enumeration

Hacking Exposed, Second Edition

Casing the Establishment
  • Footprinting
    • Locate a potential target
    • Learn everything about target network
      • Map the network
      • Domain names in use
      • Routable IP address range
      • Services running and versions used
      • Firewalls and Intrusion Detection Systems

Hacking Exposed, Second Edition

Casing the Establishment
  • Scanning
    • Turning door knobs and seeing if windows are locked
    • Search for vulnerabilities
      • Ping sweep
        • Determine what systems are up and running
      • Trace route
      • Port scan
        • ID operating system
        • ID applications running
      • Cheops (does it all)

Hacking Exposed, Second Edition

Casing the Establishment
  • Enumeration
    • Open the door and look inside (cross the line)
    • Active connection to target is established to
      • ID valid user accounts
      • ID poorly protected resource shares
    • Social Engineering
      • Gain access to inside human resources
      • “Dumpster diving” – go through the trash

Hacking Exposed, Second Edition

Hacking the Target
  • Directly connect to shared resources
    • Use that access to dig deeper
  • Install backdoors/Trojans
  • Crack passwords for administrator accounts
    • Dictionary and Brute Force
      • L0phtcrack
      • John the Ripper
      • Crack

Hacking Exposed, Second Edition

Hacking the Target
  • Privilege escalation
    • When you have password for non-admin account
  • Use Trojans to give yourself an admin account
    • e.g. change Dir command so that it adds new user
  • Install and run sniffers
    • Keystroke loggers

Hacking Exposed, Second Edition

Hiding the Trail
  • Proxy Servers
    • Make Web queries on behalf of inquiring computer
      • Query traces to proxy rather than point of origin
  • Anonymizers
    • E-mail spoofing
    • IP spoofing

[Diagram (slide 38): Bad Guy, Proxy 1, Proxy 2, Destination]

Cyber Crime Investigations

Big Brother is Watching

Following the Trail
  • Server logs
  • E-mail headers
  • Whois databases
  • Human resources
Critical Concept
  • Internet Protocol (IP) addressing
    • Every computer connected to the Internet has a unique IP address assigned while it is connected
      • #.#.#.# (e.g. 192.168.1.100)
        • Each # is 0 to 255
          • 256 possibilities
          • 2^8 (binary math)
          • 255 = 1111 1111
Critical Concept
  • Static addresses
    • Like telephone numbers
      • Don’t change
      • Easy to find day after day
  • Dynamic addresses
    • Different each time you connect
    • Difficult to find from one use to the next
Server Logs
  • Domain Controllers
    • Access logs
  • Web Servers
  • FTP Servers
  • E-mail Servers
Tracking via Server Logs

192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102

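The lines above are Apache common log format. As an added example (not part of the slides), the following Python parses them into a per-source-IP timeline of what was done in the Credit@creditsite.net mailbox, which is the reconstruction an investigator wants from such a log. The action labels for sqwebmail's form= parameters (readmsg, and newmsg with reply=1) are my reading of the query strings and are an assumption.

```python
"""Added example, not from the slides: per-IP timeline from the slide's CLF lines."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the five requests shown on the slide.
LOG_LINES = """\
192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102
""".splitlines()

# Common Log Format: ip ident user [timestamp] "method path proto" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)$')
# sqwebmail puts the mailbox in the path as /login/<mailbox>.authvchkpw/<session>/
ACCOUNT = re.compile(r"/login/(?P<account>[^/]+?)\.authvchkpw/")

def describe(method, query):
    """Human-readable action from the request method and query string (assumed labels)."""
    if method == "POST":
        return "POST (form submitted)"
    form, pos = query.get("form"), query.get("pos")
    if form == "readmsg":
        return f"read message {pos}"
    if form == "newmsg" and query.get("reply") == "1":
        return f"compose reply to message {pos}"
    return f"{method} {form or 'page'}"

def parse_line(line):
    """One CLF line -> event dict, or None if the line does not match."""
    m = CLF.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    acct = ACCOUNT.search(url.path)
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "account": acct["account"] if acct else None,
            "action": describe(m["method"], query)}

def timeline(lines):
    """Parsed events in time order; lines that do not parse are skipped."""
    return sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["time"])

def session_summary(events):
    """Per source IP: mailboxes touched, request count and session span in seconds."""
    by_ip = {}
    for e in events:
        s = by_ip.setdefault(e["ip"], {"accounts": set(), "requests": 0,
                                       "first": e["time"], "last": e["time"]})
        s["requests"] += 1
        s["accounts"].add(e["account"])
        s["first"], s["last"] = min(s["first"], e["time"]), max(s["last"], e["time"])
    for s in by_ip.values():
        s["seconds"] = int((s["last"] - s["first"]).total_seconds())
    return by_ip
```

Running timeline(LOG_LINES) gives read 15, reply to 9, POST, read 9, reply to 6 from one address over 222 seconds; the 302 after the POST is the redirect sqwebmail returns once the form is accepted.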
E-mail Headers
  • Normal Headers
    • To:, From:, Date:, and Subj:
  • Full Headers
    • Record of path an e-mail takes from its origin to its destination
(slide 48: full headers of the example e-mail)

Return-Path: <ebreimer@siena.edu>
Delivered-To: mmcbride@leo.gov
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101])
    by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost [127.0.0.1])
    by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61
    via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126])
    by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov
    via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Radio Interview
Date: Thu, 15 Apr 2004 14:01:35 -0400
Message-ID: <8DEC59405C543C4D88AF28B7AAB0F87302A47CC4@EXCHANGE2.siena.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Radio Interview
Thread-Index: AcQjE7E0Ke2vVSlaR5mlEdbMSjmvMw==
From: "Breimer, Eric" <ebreimer@siena.edu>
To: <mmcbride@leo.gov>
Cc: <grimmcom@nycap.rr.com>
X-UIDL: 'B?!!L^)#!ce^"!Hf_"!

E-mail Headers

Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126])
    by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov
    via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0

Whois Databases
  • Contain registration information for the Domain Name System and IP addresses
    • Examples
      • www.dnsstuff.com
      • www.arin.net
      • www.samspade.org
      • www.networksolutions.com
Human Resources
  • Easiest way to find a criminal
    • Find someone that knows what happened and is willing to tell what they know
    • Find someone that has inside access to the type of hacking you are investigating and enlist their assistance
What Is InfraGard?
  • A Cooperative Undertaking/Partnership
    • U.S. Government (led by the FBI)
    • Association of
      • Businesses
      • Academic institutions
      • State and local law enforcement agencies
      • Other participants
  • Dedicated to increasing the security of United States’ critical infrastructures
What Is A Critical Infrastructure?

Services so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.

Executive Order 13010

Why Partner?
  • Our businesses, our country, and our world depend on functional infrastructures
    • Industries and infrastructures are interdependent
    • More than 80 percent of U.S. infrastructures are owned and operated by the private sector
    • Government has resources that are critical to successfully protecting all infrastructures
  • Only by working together can the Nation’s infrastructures be properly protected
    • InfraGard is a critical entity in bringing all the right players to the same table
How Did InfraGard Get Started?
  • National InfraGard Program
    • Pilot project in 1996
      • Cleveland FBI Field Office asked local computer professionals to assist the FBI in determining how to better protect critical information systems in the public and private sectors
      • First InfraGard Chapter was formed
What is the Cost?
  • InfraGard is a not-for-profit membership organization
    • There are no dues
    • Cost is your time & energy
Who Should Join InfraGard?
  • Infrastructure stakeholders
    • Infrastructure providers
    • Infrastructure end users (everyone?)
  • Individuals with organizational skills
    • Accountants
    • Lawyers
    • Managers
    • Marketing Experts
    • Etc.
Infrastructure Protection
  • Infrastructure protection is everyone’s problem.
  • Don’t get complacent! Get involved!