
The Elusive Enemy - Cybercrime




Presentation Transcript


  1. The Elusive Enemy - Cybercrime • Lance Wolrab, CISSP, Senior Security Engineer, SecureWorks

  2. Cyber Criminals - First Generation Motives • Chen Ing-Hau, 24, Taiwan, arrested September 15, 2000: CIH (Chernobyl) virus • Jeffrey Lee Parson, 18, USA, arrested August 29, 2003: Blaster worm ('B' variants only), DDoS • Sven Jaschan, 18, Germany, arrested May 7, 2004: NetSky (Sasser) worm

  3. Cyber Criminals - Second Generation Motives • Farid Essebar, 18, Morocco, arrested August 25, 2005: Mytob and Zotob (Bozori) worms • Atilla Ekici, 21, Turkey, arrested August 25, 2005: operating Mytob and Zotob botnets • Jeanson James Ancheta, 24, USA, arrested November 3, 2005: Rxbot zombie networks for hire (spam and DDoS)

  4. Cyber Gangs – Third Generation • DDoS attacks on UK bookmakers in October 2003 • Extortion ($3 million gross) • Nine arrested on July 20 and 21, 2004 • In October 2006, three were sent to prison • The two gang leaders and masterminds are still at large, on the Wanted List of the Federal Security Service (FSB) of the Russian Federation: Maria Zarubina and Timur Arutchev

  5. Cyber Crime Goes Big Time • London branch of Japan's Sumitomo Mitsui Bank • Worked with insiders through Aharon Abu-Hamra, a 35-year-old Tel Aviv resident • Injected a Trojan to gather credentials to a transfer system • Attempted to transfer £220 million into accounts he controlled around the world, £13.9 million of it to his own business account • Yaron Bolondi, 32, Israel, arrested March 16, 2005

  6. Gozi attack flow (reconstructed from the slide's numbered diagram)
     1. Attacker compromises a website and adds redirect code (81.15.146.42, Mazowieckie, Poland; www.-----.com, Sacramento, CA)
     2. User browses to the site and downloads the redirect code
     3. Browser downloads index.html and counter.html; counter.html has AJAX code to download and run Gozi
     4. Gozi installs an executable with a random name in the user's directory, adds it to the registry to run on startup, installs system drivers to hide the file and registry key, and downloads the drop box IP address
     5. Uploads all client certificates and keys stolen from Windows protected storage
     6. User logs in to a web site while being recorded by Gozi
     7. User login data is posted to the hacker's website
     8. Criminal logs in, purchases accounts and steals identities
     9. Hacker gets paid
     On one drop box: 3.3 GB of stolen data, 5200 infected machines, 10,000 accounts from over 300 organizations
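The chain above starts with redirect code injected into a legitimate site (step 1) that pulls in a hidden counter.html. A defensive counterpart, added here as an example and not code from the presentation or from SecureWorks: a content-integrity check a site owner can run over a fetched copy of their own pages, flagging script or iframe references to hosts outside an allowlist and iframes styled to be invisible. The sample pages, host names and allowlist are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a clean page, and the same page with an injected hidden iframe
# of the kind the Gozi chain used to pull in counter.html.
CLEAN_PAGE = """<html><head><script src="/js/site.js"></script></head>
<body><h1>Welcome</h1><img src="https://cdn.example.com/logo.png"></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://203.0.113.7/counter.html" width="0" height="0" '
    'style="visibility:hidden"></iframe></body>')

# Hosts the site legitimately loads active content from (constructed allowlist).
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}


class ReferenceCollector(HTMLParser):
    """Collects every script/iframe src and records whether an iframe is hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        hidden = False
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
        self.findings.append((tag, src, host, hidden))


def find_suspicious_references(html, allowed_hosts):
    """Return script/iframe references that are off-site or deliberately hidden."""
    parser = ReferenceCollector()
    parser.feed(html)
    suspicious = []
    for tag, src, host, hidden in parser.findings:
        offsite = host is not None and host not in allowed_hosts
        if offsite or hidden:
            suspicious.append({"tag": tag, "src": src,
                               "offsite": offsite, "hidden": hidden})
    return suspicious


if __name__ == "__main__":
    print("clean:", find_suspicious_references(CLEAN_PAGE, ALLOWED_HOSTS))
    print("injected:", find_suspicious_references(INJECTED_PAGE, ALLOWED_HOSTS))
```

Run against a copy fetched from the live server (rather than the deployed source tree), so that a modification made on the web host itself shows up as a difference from what the allowlist permits.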

  7. Criminal-to-Criminal Activity – Fourth Generation • Increase in Criminal-to-Criminal activity • Exploit Auction houses (WabiSabiLabi) • Forums and IRC (#Vxers, cybermafia.cc) • Distribution Service (IFRAMES.BIZ) • Botnet Rental (5Socks.net) • Licensing model (storm worm) • Identity Auctions (76service) • Social Networks (Ranking and Escrow)

  8. Losses due to "Traditional" Crimes

  9. Compare to Cyber Crime Losses from a Single Threat

  10. Identity Theft Market Rates Source: Symantec Corporation

  11. Source of Attacks By Country

  12. Symantec Intelligence Quarterly, April - June 2010 Malicious activity by country/region

  13. Attacks / Layer • Rich Ubiquitous Environments • Javascript • Flash • Silverlight • Server Languages • Infrastructure (.NET/J2EE) • Developers • Concepts • Semantic Web • Social Networking • Applications • Vendors • Mashups • Advertisements • Protocols

  14. Vulnerabilities (chart: 30%, 57%) • Source: SecureWorks Vulnerability Database

  15. Web Application Vulnerabilities (Oct. 2010) Source: SecureWorks’ Counter Threat Unit

  16. Malware attacks 2010 YTD • Source: SecureWorks

  17. Focused Attacks – BBB Attack • Old approach: wide net, shallow data collection; phishing attack against one bank, spammed en masse • New approach: narrow net, deep data collection; BBB phishing attack • Targets selected by high value/role (CxO, VP) • Collected ALL data from interactive web posts: banking data, stock accounts, company intranet logins, webmail accounts (complete with email body), online shopping history and payment info, online prescription refills, all websites visited, social networking sites (LinkedIn, Facebook, etc.)

  18. Multi Factor Authentication Bypass • Many of the proposed defences to phishing attacks are focused on making the authentication phase more secure: on-screen keyboards, tokens, certificates • Criminals are simply skipping the step altogether: hijack the user's browser with malware, wait for them to log in, automate the web browsing interface to transfer money • Win32.Grams, Torpig/HiLoad • Multi-phase authentication needed to verify transactions
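The slide's closing point is that login-time authentication does not help once the browser itself is hijacked; what is needed is verification of each transaction over a channel the malware does not control. The following is an added example, not code from the presentation or from SecureWorks, of one way to do that: a transaction authorization code derived with HMAC from the payee, amount and a per-transaction challenge, so that a code the user's out-of-band device produces for one transfer cannot authorize a different one. The `Bank` class, the simulated device and the account numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets


def derive_tac(device_key: bytes, payee: str, amount_cents: int,
               challenge: str, digits: int = 8) -> str:
    """Transaction authorization code bound to payee, amount and challenge.

    Truncation follows the HOTP scheme (RFC 4226) so the code is typeable.
    """
    msg = f"{payee}|{amount_cents}|{challenge}".encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Bank:
    """Constructed server side: enrolls devices, issues challenges, verifies codes."""

    def __init__(self):
        self._device_keys = {}
        self._pending = {}

    def enroll(self, user: str) -> bytes:
        self._device_keys[user] = secrets.token_bytes(32)
        return self._device_keys[user]

    def start_transfer(self, user, payee, amount_cents):
        # Details exactly as the bank received them from the browser; these are
        # what it would execute, so these are what the user must confirm.
        challenge = secrets.token_hex(8)
        self._pending[challenge] = (user, payee, amount_cents)
        return {"payee": payee, "amount_cents": amount_cents, "challenge": challenge}

    def complete_transfer(self, challenge, tac) -> bool:
        if challenge not in self._pending:
            return False
        user, payee, amount_cents = self._pending.pop(challenge)  # one use only
        if tac is None:
            return False
        expected = derive_tac(self._device_keys[user], payee, amount_cents, challenge)
        return hmac.compare_digest(expected, tac)


def user_device_confirm(device_key, intended, shown):
    """Simulated out-of-band device: the user compares the details the bank
    shows with what they meant to send and only then obtains a code."""
    if (shown["payee"], shown["amount_cents"]) != (intended["payee"], intended["amount_cents"]):
        return None  # mismatch: the user declines
    return derive_tac(device_key, shown["payee"], shown["amount_cents"], shown["challenge"])


def run_scenarios():
    bank = Bank()
    key = bank.enroll("alice")
    intended = {"payee": "ACCT-INTENDED-0001", "amount_cents": 5000}

    # Honest transfer: details at the bank match what the user intended.
    shown = bank.start_transfer("alice", intended["payee"], intended["amount_cents"])
    honest = bank.complete_transfer(shown["challenge"], user_device_confirm(key, intended, shown))

    # Browser malware rewrites the transfer before the bank sees it; the device
    # shows the rewritten details, the user declines, no code is produced.
    shown = bank.start_transfer("alice", "ACCT-MULE-0001", 950000)
    rewritten = bank.complete_transfer(shown["challenge"], user_device_confirm(key, intended, shown))

    # Malware captures a genuine code and replays it for a rewritten transfer;
    # the code is bound to the original payee, amount and challenge, so it fails.
    shown = bank.start_transfer("alice", intended["payee"], intended["amount_cents"])
    genuine_tac = user_device_confirm(key, intended, shown)
    altered = bank.start_transfer("alice", "ACCT-MULE-0001", 950000)
    replayed = bank.complete_transfer(altered["challenge"], genuine_tac)

    return {"honest": honest, "rewritten": rewritten, "replayed": replayed}


if __name__ == "__main__":
    print(run_scenarios())
```

The property that matters is that the code authorizes a specific (payee, amount, challenge) triple as the bank will execute it; an on-screen keyboard or login token, by contrast, protects only the session, which the malware already holds.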

  19. Web Search Index Poisoning

  20. Web Content Providers Delivering Malware

  21. Attack Trends in 2010 • New innovation to displace ZeuS banking Trojan horse • Clod/Sereki, SpyEye, Gozi 2.0, Silon, Bugat... • Telephone DoS to hamper out-of-band verification • Commoditizing of Criminal-to-Criminal (C2C) Activity • Targeted and counterfeiting attacks become more scalable

  22. ZeuS Banking Trojan • One of the most prolific and capable banking trojans • “Crimeware” model – ZeuS trojan kits bought and sold widely • Criminal gangs committing large ACH frauds • Example of the kind of threat we track closely

  23. Attack Trends in 2010 • New innovation to displace ZeuS banking Trojan horse • Clod/Sereki, SpyEye, Gozi 2.0, Silon, Bugat... • Telephone DoS to hamper out-of-band verification • Commoditizing of Criminal-to-Criminal (C2C) Activity • Targeted and counterfeiting attacks become more scalable

  24. Mature Market for Every Niche Job

  25. C2C Services • Exploit development/commissioning • Bulletin boards, chat and IRC (Internet Relay Chat: #Vxers, dark0de.com) • Distribution Services, Pay-per-Install (Dogma Millions) • Botnet rental and proxy services (AllProxies.com) • Social networks with reputational ranking

  26. Full-Service PPI • Offers to help develop content (unique so far) • News for affiliates on EXE FUD-ing • On-staff, live sales support • Will pay for installs in Russia and former Soviet countries

  27. Mature Market for Every Niche Job

  28. Pay-Per-Install.org: Exploiter’s market • Hosts a forum where people come together to talk about the PPI business and how to make money doing it • The site has set up affiliate programs and gets a referral bonus from affiliates • Site provides help guides and tutorials • Discusses which programs are currently paying the best and not “shaving” (crediting fewer installations)

  29. Pay-Per-Install.org

  30. Pay-Per-Install.org

  31. Mature Market for Every Niche Job

  32. Pay-Per-Install (PPI) • Google estimates ~10% of websites host active malicious code • > 50% of websites have over last year • Compromised ad servers contribute

  33. Mature Market for Every Niche Job

  34. MyLoader botnet: Command & Control, Reporting • Oficla downloader trojan • CTU TIPS 4/12/2010 • Managed via MyLoader • C2 interface (below) • Reporting interface (right)

  35. Mature Market for Every Niche Job

  36. Malware Tech Support • Selling malware for “research only” • Manuals, translation • Support / User forums • Language-specific • Bargains on mutation engines and packers • Referrals to hosting companies • Generally not illegal • Operate in countries that shield them from civil actions • Makes it easy to enter the cybercrime market

  37. Economic Case Study: earning4u • One typical affiliate had 2875 installs in 5 days: • 575 a day • 4025 per week • 16100 per month • The site claims they have 1000 affiliates. Other affiliates who are not as productive may get around 200 installs a day, and maybe half don’t even install anything (500 affiliates instead of 1000). • This scenario represents 2,800,000 installs per month (infected PCs from one PPI program). • At least a dozen active programs on-line today.

  38. The New Face of C2C Success • Pay-Per-Install.org is maintained by Harro • HaRRo ICQ 191162790 • HaRRo Skype harrioinc • Dave Harrison • Shamrock Court • Belfast • BT6 8HT  • Phone:+44.2890502612 • Email: • harroinc@gmail.com • makecash@ntlworld.com • cs@harroinc.com  • Other associated sites • blackhatworld.com • makecash.org

  39. BigBoss Check Counterfeiting Investigation SecureWorks Proprietary & Confidential

  40. Russian Check Counterfeiting Ring Uncovered by CTU • Investigation started with unusual ZeuS sample analyzed by CTU • Proxy functionality • PPTP VPN tunneling • Analysis of botnet showed large-scale criminal activity • Credential theft • Hacking of check image repositories • Scraping of job sites for email addresses • Money mule job offer spam via webmail

  41. “BigBoss” Check Counterfeiting Operation

  42. Point-and-Click Check Counterfeiting

  43. BigBoss Group Statistics Since 06/2009 • 2,884 Potential money mules • 3,285 transactions (checks printed) • 1,280 accounts counterfeited • Estimated $9M USD in counterfeit checks printed (face value) • Estimated potential income for counterfeiters: ~$1M

  44. Countermeasures

  45. CTU Strategy • Know the client • Know the enemy • Make a difference – applied research • Innovate in the analysis & classification of security intelligence • Capitalize on our vision across the client base

  46. Advice to FI Customers • Malware can pretend to be you to the bank, and can pretend to be the bank to you • Antivirus is frequently unable to proactively detect the infections • Bottom line – if there is a possibility of your computer being infected, you can’t trust anything you see on screen, and you can’t trust that anything you enter won’t be stolen in real time • Solution – don’t get infected (seriously) • Do not log in to financial portals from any workstation that has been used to casually browse the Internet • Use a dedicated, hardened system (alternative OS if possible) • Disallow all access to the Internet except for specific financial sites and software updates • Isolate it from the rest of the internal network • Disable AutoRun (and Windows LNK icons)

  47. SecureWorks’ Counter Threat Unit℠ (CTU) Facts • 30,000 malware specimens / day • Monitor ~20 botnets • ~40 vulnerabilities / business day • 1,000’s of security events of interest / day • 10,000’s of intelligence artifacts processed / day • 2,300 clients attacked / day • 1,500 attack types / day • ~3,000,000 IP addresses of attackers detected / year

  48. Questions? info@secureworks.com
