Cybercrime has evolved from traditional crimes moving online through Web 1.0 to new tools enabling organized crime and terrorists through Web 2.0. Botnets are now commonly used to send spam, launch denial of service attacks, enable identity theft, and deliver spyware. Investigating cybercrime faces challenges due to issues determining jurisdiction, collecting and sharing evidence internationally, and limited resources. Effectively addressing cybercrime requires adopting adequate legislation, training law enforcement, partnerships with industry, public awareness, and international cooperation on investigations and prosecution.

1. Lessons learned in fighting
cybercrime and cyber
terrorism
Albena Spasova
International Cyber Investigation
Training Academy

3. Evolution of cybercrime
Web 1.0
Web 2.0
Web 3.0
What’s the future?

5. The dark side of Web 1.0
 Traditional crime moved online

6. Web 1.0 - hacking

7. Web 1.0 - viruses

9. The dark side of Web 2.0
 Traditional and dynamic phishing
 Botnets
 New tools for organized crime groups
 New tactics for terrorist groups

11. Cyber tactic
 1. Espionage
 2. Propaganda
 3. Denial of Service (DoS)
 4. Data interference
 5. Infrastructure manipulation

12. Organized crime?
“Old crimes, new
tools and
new crimes, new
tools”

13. Botnets – What are they?
 Traditionally controlled through Internet
Relay Chat (IRC)

14. Botnets – What are they?

15. Botnets – Chasing New Exploits
 Constantly looking for new
exploits
 New infections before patch
released

16. Botnets – Security Bulletin –
08/08/2006

17. Botnets – DHS Warning –
08/09/2006

18. Botnets – Bot in the Wild by
Weekend

19. Botnets – How are they used?
Sending Spam
Denial of Service Attacks
ID Theft
Spyware Delivery

20. Botnets – How are they used?
ID Theft
 DDoS / SPAM attracted attention –
botnets were shut down
 ISPs and Victims would monitor attacks
to find bots
 Badguys discovered that they could make
$$$$ instead

21. Botnets – How are they used?
Spyware
 Spyware / Adware used for
advertisement delivery
 Popups
 Affiliate programs pay per install
 Bot Herders will install the spyware
on their bots in order to get paid

22. Botnets – How are they used?
Spyware

23. Botnets and eCommerce
 Specificuses of botnets targeted
at abusing eCommerce users
 ID theft combined with proxy
 Dynamic Phishing Sites

24. Cases
 Simple case: mule receives money to a
bank account and moves the money to an
other bank account
 Complex case: mule receives money via
online payment system, transfers the
money via bank to an other account to an
other mule; next mule transfers the money
through online payment system to a
different mule – all actions happen in
different states

25. Example of Fraudulent Scheme
•Fraud groups from set up
spoof sites all over the
world
•They convince victims to
send money/goods to
Spain, Italy, France,
Belgium and more
recently the UK
• Runners or Arrows
collect the money/goods
from around the world
and send it back to
Fraudster
Money flows

26. Investigation – challenges for law
enforcement
 Where did the crime happen?
 Is the crime a crime in the jurisdictions
involved?
 Who will investigate it?
 Who is behind it?
 Tracing back…

27. Tracing………
 While its happening - where is the illegal
activity taking place – who are the parties
involved?
 Using information provided by ISPs and
other communications providers – different
legal requirements
 Encrypted communications

28. Tracing…
 Preservation of data
 Information kept must be sufficient to allow
tracing
 Fast sharing of information

29. Tracing scheme…

30. Sharing electronic evidence
internationally
 How long does it take to share information
between two countries?
 What other challenges we have in the
process?

31. Challenges
 Legislation and jurisdiction
 Sufficient resources and personnel
 Localizing and identifying the “bad guys”
 Collect and share evidence internationally

32. Legal Instruments
 CoE Cybercrime Convention - 2001
 Council Framework Decision
2005/222/JHA on attacks against
information systems;
 Council Framework Decision 2004/68/JHA
on combating the sexual exploitation of
children and child pornography.

33. Legal Challenges
 Definition
 Jurisdiction
 Investigation
 International Cooperation
 Public-private Partnerships
 Prevention

34. 1. Definition of cyber-crime
 Technology is rapidly evolving
 Definition – open, flexible, vague
 Balance between open legal requirements
and national constitutional prohibitions
 Technology neutral language

35. Definition
 CoE Convention – technology neutral
language - Art 1
 Computer system
 Computer data
 Service provider

36. Definition
 No universally accepted definition
 Crimes related to cyberspace: no longer
computer and internet crime
 “Information systems” – any device or a
group of interconnected or related devices
 “Data”
 E.g. Personal digital assistant, modern
car, mobile phone

37. Chapter II, Measures to be taken at
the national level - Substantive
criminal law
 Title I – Offences against the confidentiality,
integrity and availability of data – illegal
access, illegal interception, data interference,
system interference, misuse of devices
 Title II – Computer-related offences – forgery,
fraud;
 Title III - Content-related offences - child
pornography/ Protocol – hate speech
 Title IV – Offences related to the
infringements of copyright and related rights
– copyright and related rights

38. Council Framework Decision 2005/222/JHA
on attacks against information systems
 Approximation of criminal law systems:
 Illegal access to information systems
 Illegal system interference
 Illegal data interference

39. Example – cyber terrorism case
 Large scale attack against information
systems – E.g. terrorist would attack information
systems essential for international capital
markets and break them down
 A computer-related offence – E.g. terrorist
would take over an information system
managing a nuclear facility and trigger a nuclear
meltdown
 A content-related offence – E.g. terrorist
disseminate propaganda/blueprints for bombs

40. Example
Criminal Hate speech: Drafted in one place, transmitted
Through other and uploaded on a server in a third,
viewed by
the whole world
State
B
State State
A C

41. 2. Determining Jurisdiction
 CoE Cybercrime Convention:
 Territoriality principle
 Personality principle
 Protection principle
 Council Framework Decision 2005/222/JHA on attacks against
information systems
 Territoriality principle
 Nationality principle
 When several MS have jurisdiction – decide
 Council Framework Decision 2004/68/JHA on combating the sexual
exploitation of children and child pornography
 Territoriality principle
 Active personality principle
 The offence committed for the benefit of a legal person established in
the territory of that MS

42. Problems
 Dual criminality
 Dual illegality
 Legal harmonization – for extraterritorial or
universal jurisdiction

43. Toben Case – dual
criminality/illegality
Site was viewed by
In 1999 Australian national
Neo-Nazis
Created a website in
Australia, in English
Which included a statement
That Shoa never happened
Auschwitz denial is a crime
In Germany
Under territoriality principle

44. Counter example
Advertisement of beer in Germany
Can be accessed in Islamic countries

45. Counter example
German Internet Blog critical of a dictatorship
In the Far East
Blog is accessible in these countries
Conclusion: Degree of legal harmonization is necessary for legitimate
Extraterritorial or even universal jurisdiction

46. 3. Investigation:
CoE Cybercrime Convention provisions
 Title 2 – Expedited preservation of stored
computer data – “quick freeze”
 Title 3 – Production order
 Title 4 – Search and Seizure of stored
computer data
 Title 5 – Real-time collection of computer
data

47. Observations
 Crimes committed “without right”

48. Problems
 The use of remote forensic software to carry
out remote search procedures, record VOIP
communications, log keystrokes and passwords,
identify IP addresses
 Data retention/data privacy
 Data Retention Directive – telecommunication
service providers - anybodies traffic for up to 6
months
 Production order – produce specific data –
passwords, encryption codes
 Proportional measures

49. 4. International Cooperation
 “Loopholes of jurisdiction”
 Cooperation is necessary:
 Extradition – serious crime offenses
 Mutual legal assistance
 Minimum of harmonization on substantive and
procedural laws
 Private-public partnerships

50. 4. International Cooperation – CoE
Convention
 Cooperation:
 Art. 24 Extradition
 Art. 25 Mutual Legal Assistance
 Art. 26 Spontaneous information
 Coordination:
 which state should do what – points of
contact
 Harmonization:
 Substantive
 Procedural

51. Solutions:
 Adopt adequate legislation
 Assure sufficient law enforcement
personnel with adequate training and
resources
 Partnerships with industry
 Public awareness

52. Crime in a virtual world?
 Should we be concerned? Do worlds
collide?

53. Virtual worlds
 In worlds populations:
 Second Life (with over 16 million)
 Warcraft (12 million paid subscribers)
 Disney Club Penquin (expected to attract over 30 million
participants)
 Together the population of these three virtual worlds
alone exceeds the real- world populations of Canada,
Australia and Ireland combined

54. Life in a virtual world:
What can you do?

55. Life in a virtual world:

57. Interesting stats
 567 mil. $ user to user transactions in 2009
 65% jump from 2008
 770.000 unique users made repeat visits to SL
in December 2009
 Residents cashed 55 mil. $ transferring to
PayPal
 Land barons make 12 mil. $ untidily per year
 Users control IPRs of what they build
 Average price per island is 1000 $

58. Virtual money
 Money launderers can now move illicit cash
through the growing number of virtual reality
role-playing games, and convert that cash
into real currency before withdrawing it from
ATMs worldwide.
 One wonders just how many laundrymen
have tumbled to this cyberlaundering
opportunity.
 Compliance officers at financial institutions
please note that their banks may be guilty of
money laundering if it facilitates deposits or
payments in these virtual worlds, for there is
no functional due diligence on players or
recipients.

59. Scenario
LD$

60. Imagine this scenario
All account with counterfeit identification

61. Policing the virtual world: Real
Police

62. In conclusion…
 EU Regulations are coming
 Take a step at a time
 Thank you!

63. Conclusions
 Prevention: Increase Internet culture
 Protection: people and infrastructures
 Cooperation: law enforcement and judiciary
 Responsibility: national, regional, global
 Financing…

64. Albena Spasova
President of the Management Board,
International Cyber Investigation Training Academy
Sofia, Bulgaria
Associate Professor,
Technical University, Lille – 1, France
www.cybersafetyblog.eu
аspasova@cybercrimeacademy.org
albaadvisors@gmail.com
Teл. 0887 30 32 89