menace 2 the wires advances in the business models of cyber criminals guillaume lovet l.
Skip this Video
Loading SlideShow in 5 Seconds..
Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet PowerPoint Presentation
Download Presentation
Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet

Loading in 2 Seconds...

play fullscreen
1 / 56

Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet - PowerPoint PPT Presentation

  • Uploaded on

Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet. Presentation Objectives. Recall different Cyber Criminals profiles Recognize new cyber criminal schemes and understand where they originate from Identify and quantify the business models behind

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet' - victoria

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
presentation objectives
Presentation Objectives
  • Recall different Cyber Criminals profiles
  • Recognize new cyber criminal schemes and understand where they originate from
  • Identify and quantify the business models behind
  • Raise public and industry awareness
  • Quick reminders:
    • Cyber criminals profiles
    • Cybercrime Marketplace
    • Cybercrime Currency
  • Mass Injections: from harmless defacements to MPack
  • Threats 2.0: from the desktop to online applications
  • Auction Fraud: from your account to your door
  • Cybercrime: criminal activity in which computers or networks are involved
  • Cybercrime profits (World): $50 billionto $100 billionper annum
introduction ii
Introduction (II)
  • Awareness increase
  • How do Cyber criminals sustain their profits?
  • Our habits evolve, blurring the online/real life line
  • Cybercrime evolves accordingly
cyber criminals profiles
Cyber criminals profiles
  • Coders

the skilled

  • Kids

the workforce

  • Mob

the puppet masters?

  • Drops

the mules

cybercrime currency
Cybercrime Currency
  • e-gold
    • Anonymity
    • Irreversibility
    • Independence
  • Wired cash
    • Irreversible
    • Crosses borders instantly
    • Fairly anonymous
a bit of history
A bit of history
  • Defacing: Replacing the victim’s web server index page
  • Mainstream in the early 2000s
  • Moderately destructive
  • Common Characteristics:
    • Custom, usually dark gfx
    • Patriotism
    • Leet speech
    • Admin taunting
    • Linux preaching/ Microsoft bashing
what for
What for ?!
  • Mass-defacements highly regarded
  • But motivation was not financial gain
  • Rarely carries a real political message
  • So why?
for that
For that!
  • Based on the common characteristics, defacing expresses a need to:
    • assert one’s belonging to a group
    • assert one’s national identity (wider group)
    • assert one’s competences / capacities
    • do something “forbidden”
    • compete with others
  • In a nutshell: Defacers = Teenagers growing
the mpack case taking over italy
The Mpack case: Taking over Italy
  • Mpack is a web-application serving malicious content to visitors
  • The malicious content exploits several flaws in various browsers, making it a “drive by install” tool (No user interaction is needed from the victim)
  • Mpack is sold by a gang of Russian “coders” for about $700
mpack case what happened in june 2007
Mpack Case: What happened in June 2007?
  • Thousands of Italian websites compromised
  • 90% of those sites were hosted by
    • Possible flaw exploited in the server hosting all those sites
    • Still under investigation
  • A malicious Iframe was injected in each hacked site
  • silently led visitors to a Mpack server, infecting thousands of them
mpack case the business model behind
Mpack Case: the business model behind
  • Costs
    • Mpack software: $700
    • Compromising a host company server hosting thousands of sites: $10,000 (assuming 0day)
    • Script inserting IFrames into each page: little skill, or about $50
mpack case the business model behind24
Mpack Case: the business model behind
  • Profits
    • Using each one of the 10,000 infected computers as a spam relay (“one shot” operation)
      • Assuming:
        • Sending 100K emails before being blacklisted
        • Advertisers pay 0.03 cents per email:


x 100K

x $0.0003

= $300,000

  • Using each one of the 10,000 infected computers for Adware planting:
  • $32,000 (monthly)
mpack case the business model behind25
Mpack case: the business model behind
  • Total Costs: $10,750
  • Total Profits (first month): $332,000
  • Gain (first month):$321,259
  • Productivity index (Profits/Costs): 31
web 2 0
Web 2.0
  • Detailed inputs about the "Web 2.0" concept

-> outside ofour scope

  • A quote that puts Web 2.0 in a nutshell:

“seemingly every aspect of our data [is] moving toward online apps and away from the traditional desktop model“

(Wired Magazine)

consequences on the threat landscape
Consequences on the Threat Landscape
  • Raise in online identity theft attacks
  • Impersonating a user on an online app allows for:
    • Retrieving the victim’s personal data
    • Performing actions on the victim’s behalf
  • Arsenal:
    • Phisher Worms
    • XSS / CSRF
    • Plain old client-side trojaning
phisher worm outlines
Phisher Worm outlines
  • Combines Phishing and Automation
  • Malicious code sits on the server, not on the victim’s computer
  • Advanced Phisher Worms exist, resorting to tricky user-provided HTML, redirectors and mind-tricks
  • Spreads exponentially fast: the average user has about 100 friends
xss csrf worms
XSS / CSRF Worms
  • Cross Site Scripting (XSS) exploits the trust that the client has for the vulnerable website
    • Typically used to steal cookies and hijack sessions on the vulnerable site
  • Cross Site Request Forgery (CSRF) exploits the trust that the vulnerable website has for the user
    • Typically used to execute actions on behalf of the victim on the vulnerable site (eg: send a message, modify some personal settings, etc…)
xss csrf worms continued
XSS / CSRF Worms (continued)
  • In 2005: Sammy’s worm (for fun) => over one million friends within 20 hours
  • In Dec. 2006: Quickspace worm (for profit):
    • viewing = getting infected
    • Being infected = infecting others + having a banner on your profile
  • It did happen and it will likely happen again (XSS/CSRFhard to spot)
  • Main Question: What is the point ?!
the business logic behind model costs
The Business Logic Behind: Model (Costs)


  • Assuming:
    • Target: Posting an ad every week (so that it is always on the front page) for a month to 60,000 individual profiles
    • Price to pay for each posted ad: Equals 10 times the average price to pay a bot herder for sending out one spam email (~ $0.003)
  • Renting the services of a social networking site phisher:

60,000 x $0.003 x 4 = $720 per month

the business logic behind model profits
The Business Logic Behind: Model(Profits)


  • Assuming:
    • Each ad is viewed on average 30 times per day (equals the average daily page views per profile on MySpace)
    • Posted ads click-through rate: 5%
    • Pay per click rate: $0.05
  • Pay per click affiliate program monthly revenue:

60,000 ads

x 30 daily views

x 30 days

x 5%

x $0.05

= $135,000 per month

the business logic behind model summary
The Business Logic Behind: Model(Summary)
  • Summary
    • Total Costs: $720
    • Total Profits: $135,000
    • Gain: $134,280
    • Productivity index (Profits/Costs): 187
  • Bottom line?
    • more or less masqueraded spam is flourishing on social networking sites
    • may seem innocuous at first sight
    • But very organized and yields outstanding profitability figures
  • The term “eBaying” has two meanings…
  • eBaying guides sold on IRC
  • As old as eBay itself
  • Evolution over the past two years:
    • Automation
    • Risk taking
plain bogus item
Plain Bogus Item
  • One of the easiest and quickest way to make money on the internet:
      • Choose an item with high buzz factor, or a real bargain
      • Create an account and set up a bogus auction
      • Use low-ball to obtain payment via WU / MG
      • Cash in (possibly via a drop) and vanish
      • GOTO 1
  • Gives raise to amusing situations
bogus item with user feedback
Bogus Item with User Feedback
  • Used to work well, but with user awareness increase: difficult selling from accounts with no feedback
  • To sustain productivity: Need to find a way to get a hold of an account with good feedback at will
  • There are really only two solutions:
    • Steal It
    • Craft it
steal it costs
Steal It: Costs
  • Costs (covering the actual Phishing operation)
  • Phishing Kit: Scam letter + scam page: $5
  • Fresh spam list: $8
  • php-mailers to spam out 100K emails for 6 hours: $30
  • Hacked site for hosting scam page for a couple of days: $10
  • Valid cc to register domain name: $10
steal it profits
Steal It: Profits
  • Profits


    • A phishing success rate of 0.0001
    • Half of the hooked accounts suitable for bogus auction
    • An average price of $4,000 for the items sold


x 0.5

x $4,000

= $20,000

steal it summary
Steal It: Summary
  • Summary
    • Total costs: $63
    • Total profits: $20,000
    • Productivity Index (Profits/Costs): 317
  • Notes:
    • Raw profits not impressive, but P.I. is outstanding
    • Selling more valued items may boost P.I. but increase risks and decrease robustness
craft it broker bots
Craft It: Broker Bots
  • Many "buy it now" items at the price of 1 cent with no delivery cost (usually eBooks, pictures, wallpapers, etc.)
craft it recollection
Craft It: Recollection
  • Someone is massively creating randomly named, ”spider” user accounts
  • Spiders seek & buy 1-cent "buy it now" items
  • The seller script is emailing the spider with the item, and posts its standard feedback on his profile
  • The spider automatically responds with a standard feedback comment on the seller’s profile

In a nutshell: two bots are talking – and doing business

craft it model
Craft It: Model
  • Costs:
    • Building 100 accounts with 15 positive feedback messages each: $0.1 x 100 x 15 = $15
  • Profits:


    • A moderate scam success rate of ¼
    • Moderately priced bogus items (about $100)


x 1/4

x $100

= $2,500

craft it summary
Craft It: Summary
  • Total costs: $15
  • Total profits: $2,500
  • Gain: $2,475
  • Productivity Index (Profits/Costs): 166
the pay on delivery scam
The pay-on-delivery scam
  • Pay on delivery (aka Cash on Delivery, or “COD”) earns buyers confidence

=> Easier to sell bogus items

  • But then, how can cyber criminals make money with that?
the pay on delivery scam cont
The pay-on-delivery scam (cont)
  • On IRC, a “lead” = someone willing to buy something somewhere, with payment on delivery
  • Leads can be sold on IRC (via e-gold, WU, MG…)
  • Lead buyer:
    • dress as TNT guy
    • show up at the victim’s door
    • deliver a box full of turds
    • cash the payment
    • Leave
  • Is it Cybercrime, plain crime, or a mix of both?
  • Cyber criminals are willing to take more risks to get richer, faster
  • New cyber criminal schemes still:
    • Highly profitable
    • Relatively easy to implement
    • Involve abnormally low risks, given the odds
  • Thus tremendously tempting
  • Issues
    • The Internet is borderless
    • The police in emerging countries focuses on criminal activity that produces corpses