Computer Crime. COEN 1. Classification. Computers as an instrument of crime Check forgery Child pornography e-auction fraud, identity theft Phishing most criminal activity Computers as a target of a crime Intrusion botnets for spamming Identity theft Alteration of websites.
Computer Crime COEN 1
Classification • Computers as an instrument of crime • Check forgery • Child pornography • e-auction fraud, identity theft • Phishing • most criminal activity • Computers as a target of a crime • Intrusion • botnets for spamming • Identity theft • Alteration of websites
Email Investigations: Overview • Email has become a primary means of communication. • Email can easily be forged. • Email can be abused • Spam • Aid in committing a crime … • Threatening email, …
Email Investigations: Overview • Email evidence: • Is in the email itself • Header • Contents • In logs: • Left behind as the email travels from sender to recipient. • Law enforcement uses subpoenas to follow the trace. • System ads have some logs under their control. • Notice: All fakemailing that you will be learning can be easily traced.
Email Fundamentals • Email travels from originating computer to the receiving computer through email servers. • All email servers add to the header. • Use important internet services to interpret and verify data in a header.
Email Fundamentals • Typical path of an email message: Mail Server Client Mail Server Client Mail Server
Email Protocols: • Email program such as outlook or groupwise are a client application. • Needs to interact with an email server: • Post Office Protocol (POP) • Internet Message Access Protocol (IMAP) • Microsoft’s Mail API (MAPI) • Web-based email uses a web-page as an interface with an email server.
Email Protocols: • A mail server stores incoming mail and distributes it to the appropriate mail box. • Behavior afterwards depends on type of protocol. • Accordingly, investigation needs to be done at server or at the workstation.
Email Protocols: SMTP • Neither IMAP or POP are involved relaying messages between servers. • Simple Mail Transfer Protocol: SMTP • Easy. • Has several additions. • Can be spoofed: • By using an unsecured or undersecured email server. • By setting up your own smtp server.
Email Protocols: SMTPHow to spoof email telnet endor.engr.scu.edu 25 220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 - 0800 helo 184.108.40.206 250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [220.127.116.11], please d to meet you mail from: firstname.lastname@example.org 250 2.1.0 email@example.com... Sender ok rcpt to: firstname.lastname@example.org 250 2.1.5 email@example.com... Recipient ok data 354 Enter mail, end with "." on a line by itself This is a spoofed message. . 250 2.0.0 jBSMwnTd023057 Message accepted for delivery quit 221 2.0.0 endor.engr.scu.edu closing connection
Email Protocols: SMTP Return-path: <firstname.lastname@example.org> Received: from MGW2.scu.edu [18.104.22.168] by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800 Received: from endor.engr.scu.edu (unverified [22.214.171.124]) by MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066443608@MGW2.scu.edu> for <email@example.com>; Wed, 28 Dec 2005 15:00:29 -0800 X-Modus-BlackList: 126.96.36.199=OK;firstname.lastname@example.org=OK X-Modus-Trusted: 188.8.131.52=NO Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [184.108.40.206]) by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057 for email@example.com; Wed, 28 Dec 2005 15:00:54 -0800 Date: Wed, 28 Dec 2005 14:58:49 -0800 From: JoAnne Holliday <firstname.lastname@example.org> Message-Id: <200512282300.jBSMwnTd023057@endor.engr.scu.edu> this is a spoofed message. This looks very convincing. Only hint: received line gives the name of my machine. If I were to use a machine without a fixed IP, then you can determine the DHCP address from the DHCP logs.
Email Protocols: SMTPHow to spoof email • Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes. • Subject lines etc. are part of the data segment. However, any misspelling will put them into the body of the message.
Email Protocols: SMTPHow to spoof email telnet endor.engr.scu.edu 25 220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 - 0800 mail from: email@example.com 250 2.1.0 firstname.lastname@example.org... Sender ok rcpt to: email@example.com 250 2.1.5 firstname.lastname@example.org... Recipient ok data 354 Enter mail, end with "." on a line by itself Date: 23 Dec 05 11:22:33 From: email@example.com To: firstname.lastname@example.org Subject: Congrats You are hrby appointed the next president of Santa Clara University, effectively immediately. Best, Paul . 250 2.0.0 jBSNaDlu023813 Message accepted for delivery quit
Email Protocols: SMTP • Things are even easier with Windows XP. • Turn on the SMTP service that each WinXP machine runs. • Create a file that follows the SMTP protocol. • Place the file in Inetpub/mailroot/Pickup
Email Protocols: SMTP To: email@example.com From: HolyFather@vatican.va This is a spoofed message. From HolyFather@vatican.va Tue Dec 23 17:25:50 2003 Return-Path: <HolyFather@vatican.va> Received: from Xavier (dhcp-19-226.engr.scu.edu [220.127.116.11]) by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244 for <firstname.lastname@example.org>; Tue, 23 Dec 2003 17:25:50 -0800 Received: from mail pickup service by Xavier with Microsoft SMTPSVC; Tue, 23 Dec 2003 17:25:33 -0800 To: email@example.com From: HolyFather@vatican.va Message-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier> X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9 BC] Date: 23 Dec 2003 17:25:33 -0800 X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu X-Spam-Level: X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3 This is a spoofed message.
Email Protocols: SMTP • SMTP Headers: • Each mail-server adds to headers. • Additions are being made at the top of the list. • Therefore, read the header from the bottom. • To read headers, you usually have to enable them in your mail client.
URL Obscuring • Internet based criminal activity that subverts web technology: • Phishing (fraud) • Traffic redirection • Hosting of illegal sites • Child pornography
URL Obscuring • Internet based fraud is gaining quickly in importance. • Phishing: The practice of enticing victims with spoofed email to visit a fraudulent webpage. http://www.antiphishing.org/
URL Obscuring • Technical Subterfuge: • Plants crimeware onto PCs. • Example: Vulnerable web browser executes remote script at a criminal website. • Just staying away from porn no longer protects you. • Payload: • Use Trojan keylogger spyware. • Search for financial data and send it to an untraceable email address
URL Obscuring • Social Engineering: • Target receives e-mail pretending to be from an institution inviting to go to the institutions website. • Following the link leads to a spoofed website, which gathers data. • It is possible to establish a web-presence without any links: • Establish website with stolen / gift credit card. • Use email to send harvested information to an untraceable account, etc. • Connect through public networks.
URL Obscuring: Phishing Example Visible Link: https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html Actual Link: http://www.verified-web-us.com/Visa%20USA%20%20Personal%20%20Protect%20Your%20Card.htm Actual website IP: 18.104.22.168 Uses Java program to overwrite the visible address bar in the window:
URL Basics • Phishs can use obscure features of URL. • URL consists of three parts: • Service • Address of server • Location of resource. http://www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html
URL Basics • Scheme, colon double forward slash. • An optional user name and password. • The internet domain name • RCF1037 format • IP address as a set of four decimal digits. • Port number in decimal notation. (Optional) • Path + communication data. http://tschwarz:firstname.lastname@example.org/~tschwarz/coen252_03/Lectures/URLObscuring.html http://www.google.com/search?hl=en&ie=UTF-8&q=phishing
Obscuring URL Addresses • Embed URL in other documents • Use features in those documents to not show complete URL http://email@example.com/~tschwarz/coen252_03/index.html URL rules interpret this as a userid. Hide this portion of the URL.
Obscuring URL Addresses • Use the password field. • www.scu.edu has IP address 22.214.171.124. • Some browsers accept the decimal value 129*256**3 + 210*256**2 + 2*256 + 1 = 2178023937 for the IP address. • http://www.usfca.edu@2178023937 • Works as a link. • Does not work directly in later versions of IE
'Enroll your card with Verified By Visa program' • 2004 Phish sends SPAM consisting of a single image:
'Enroll your card with Verified By Visa program' • The whole text is a single image, linked to the correct citi URL. • If the mouse hovers over the image, it displays the correct citi URL. • But surrounded by an HTML box that leads to the phishing website.
'Enroll your card with Verified By Visa program' • Target webpage has an address bar that is overwritten with a picture with a different URL. • Go to www.antiphishing.org .
Phishing • Phishers now use bogus https techniques. • Exploiting browser flaws to display secure icon. • Hacking legitimate sites or frames from these sites directly. • Purchase and present certificates for sites that are named in resemblance of the target sites. • The SSL lock icon is no longer a guarantee for a legitimate site.
Hiding Hosts • Name Look-Up: • OS checks HOST file first. • Can use HOST file to block out certain sites • adservers • Affects a single machine.
Subverting IP Look-Up • In general, not used for phishing. • Economic Damage • Hillary for Senate campaign attack. • Hiding illegal websites. (Kiddie Porn) • DNS Server Sabotage • IP Forwarding
Subverting IP Look-Up • Port Forwarding • URLs allow port numbers. • Legitimate business at default port number. • Illegitimate at an obscure port number. • Screen clicks • Embed small picture. • Single pixel. • Forward from picture to the illegitimate site. • Easily detected in HTML source code. • Password screens • Depending on access control, access to different sites.
Phisher-Finder • Carefully investigate the message to find the URL. • Do not expect this to be successful unless the phisher is low-tech. • Capture network traffic with Ethereal to find the actual URL / IP address. • Use Sam Spade or similar tools to collect data about the IP address.
Phisher-Finder • Capture network traffic with Ethereal when going to the site. • This could be dangerous. • Disable active webpages. • Do not use IE (too popular). • Look at the http messages actually transmitted. • Expect some cgi etc. script.
Phisher-Finder • Investigation now needs to find the person that has access to the website. • This is were you can expect to loose the trace. • The data entered can be transmitted in various forms, such as anonymous email. • For example, they can be sent to a free email account. • IPS usually has the IP data of the computer from which the account was set up and from which the account was recently accessed. • Perpetrator can use publicly available computers and / or unencrypted wireless access points. • Investigator is usually left with vague geographical data.
Email Investigation • Email investigations derive evidence from: • Internal data; • Headers. • Contents. • External data; • Server logs. • Sending machine itself • As we will see.
Email Investigation • Header Analysis: • Most recent entries are on the top of the header. • Resolve all inconsistencies of information. • Resolve all IP addresses. • Create timeline. • Allow for clock drift between different sites. • Compare entries generated (allegedly) by known servers with previous ones.
Email Investigation • Law Enforcement (LE) can use subpoenas for investigation of log files. • The same is true for private entities through the use of John Doe lawsuits.
Phishing Investigation • Find the true URL to identify the server with which a potential victim interacts. • Difficult since phishers change sites frequently. • Using network tracer when accessing a website can speed things up. • Use subpoena process to obtain • log records of email • Contact infos for web-sites, redirection services, etc. • Try to obtain information amicably as often as possible. • Outside of US. • To guard volatile information
Case Examples:1. A Kornblum, Microsoft • A. Kornblum: Searching for John Doe: Finding Spammers and Phishers • Used John Doe lawsuit to obtain sub-poenas for phisher that became active in September 2003.
Case Examples:1. A Kornblum, Microsoft • Originating emails • Traced ultimately to ISP in India, from where not enough data could be obtained. • Traced websites: • At each round, a subpoena request would yield the IP address of a controlling website. • Hosting company in San Francisco. • Another hosting company in San Francisco. • Redirection Server in Austria. • Owner did not like spammers and handed out record voluntarily. • IP controlled by Quest. • 69 year old quest customer in Davenport, Iowa. • Who had grandson Jayson Harris living with him. • MS involved FBI who raided household and obtained three machines. • MS sued Jayson Harris and obtained a 3M$ default judgment against him. • Criminal charges are pending.
Case Examples:2. Highschool Death Threads • Blog sites allow comments by anonymous friends. • Death threads were made on a high-school related blog anonymously. • XPD (name altered) was informed by principal.
Case Examples:2. Highschool Death Threads • XPD contacted blog site, but owner/operator did not have valid contact data. • However, blog site operator gave out the IP address from which the comment originated. • XPD went to ISP to obtain the address of the computer to which the IP was assigned at the time of the thread. • XPD obtained a search warrant for the premises of the owner of the address. • The owner was a respectable, older community member. • XPD assumed that there was a grandson involved.