Cisco 2010 Annual Security Report


At a turning point for cybercrime, scammers have begun to shift their focus from Windows-based PCs to other operating systems and platforms, including smartphones, tablet PCs and mobile platforms in general, according to the Cisco® 2010 Annual Security Report. The report also reveals that 2010 was the first year in the history of the Internet in which spam declined, that cybercriminals are investing heavily in "money mules," and that users continue to fall prey to many forms of exploitation of trust.

Cisco 2010 Annual Security Report

Highlighting global security threats and trends
The Cisco® Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2010. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2011.
Contents

Introduction 2
  The Exploitation of Trust: Cybercriminals' Most Powerful Weapon
  Announcing the 2010 Winners of the Cisco Cybercrime Showcase

The Cisco Cybercrime Return on Investment (CROI) Matrix 5

Money Mules: The Linchpins of Cybercrime Networks 8
  The Appeal of Automated Clearing House Transactions for Money Mule Operations
  An Offer You Should Refuse

Social Engineering: Taking Advantage of Trust 14
  Spammers Get Social
  How to Educate the "Problem Users"
  Fake Profiles: Enabling Access to Personal Information
  The Evolution of Koobface: Adapting to the Changing Security Landscape
  Social Engineering: The "Seven Deadly Weaknesses" That Criminals Exploit

Risks and Vulnerabilities: The Most Lucrative Targets 20
  Advanced Persistent Threats Take Targeted Approach
  Java and PDFs: Widely in Use, Heavily Exploited
  Criminals Favoring Java Over PDFs
  Spammers Adopt Multivector Strategy
  Building Better Security Into Passwords
  2010 Vulnerability and Threat Analysis

Worldwide Government Trends 26
  United States Government Update
  Getting the Word Out on Cybersecurity: Private-Public Partnership
  European Union Update
  Geopolitical Trends: Cooperate or Separate?
  Global Spam Update: Spam Down Globally, but on the Rise in Europe

The Tipping Point: Cybercriminals Targeting Mobile Platforms 30
  Android and Apple Operating Systems Likely Key Targets in 2011
  Recent Spike in Exploits Targeting Apple Users
  Adapting to an Open-Source World
  The "Apps" of Criminals' Eyes
  Slow Emergence: Cybersecurity Strategy for the Mobile Enterprise
  Mobility and Virtualization Trends Contributing to Renewed Focus on Data Loss Prevention

The Cisco Global ARMS Race Index 36

Cybercriminals in 2011: Compromising Trust, Cashing In, and Carrying Out More Complex Missions

Cisco Security Intelligence Operations 40

All contents are Copyright © 2010–2011 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
"Miscreants are continuing to find new and creative ways to exploit network, system, and even human vulnerabilities to steal information or do damage. The challenge is that we need to block their exploits 100 percent of the time if we are to protect our networks and information. They can be right once; we have to be right all of the time. We need to be ever-vigilant in our efforts to protect our assets, information, and ourselves online."

—John N. Stewart, vice president and chief security officer, Cisco
The Exploitation of Trust: Cybercriminals' Most Powerful Weapon

Whether they're creating malware that can subvert industrial processes or tricking Facebook users into handing over login and password information, today's cybercriminals have a powerful weapon at their disposal: the exploitation of trust. They have become skilled at convincing users that their infected links and URLs are safe to click on, and that they are someone the user knows and trusts. And with stolen security credentials, they can freely interact with legitimate software and systems.

When trust is exploited, more damage can be done with fewer intrusions—the criminal essentially has been given permission to wreak havoc on compromised systems and software. "Miscreants are continuing to find new and creative ways to exploit network, system, and even human vulnerabilities to steal information or do damage," says John N. Stewart, vice president and chief security officer for Cisco. "The challenge is that we need to block their exploits 100 percent of the time if we are to protect our networks and information. They can be right once; we have to be right all of the time. We need to be ever-vigilant in our efforts to protect our assets, information, and ourselves online."

People by nature are inclined to trust others, and criminals use this to their advantage again and again. Take the case of the fake social networking profiles established earlier this year for "Robin Sage," supposedly a young, attractive woman working in the national security arena. A security expert created the fake profiles as a test to see how many security professionals might be fooled by Sage's persona and share information with her. About 300 people within the United States military and government, as well as security companies, connected with "Robin." If even sophisticated security experts fail to think twice before exposing personal and corporate information to strangers, imagine what the average employee might do with your proprietary data. (Read more about the Robin Sage fake profiles on page 17.)

Hackers are also taking advantage of new opportunities to make money. In response to vulnerability exploits in various Windows PC operating systems, Microsoft has improved security in Windows 7 and taken a more aggressive approach to patching vulnerabilities. This makes it tougher for scammers to infiltrate Windows 7 effectively; having reached the Windows vulnerability "tipping point" (see page 30), they have moved on to other operating systems, applications, software services, and devices such as smartphones, iPads, and iPods. Apple and its products, including iPhones, iPads, and the iTunes media service, have all experienced upticks in exploits. Just as important in driving this trend is the embrace of mobile devices and applications by consumers and enterprises.

The worldwide adoption of mobile devices presents even more opportunities for intrusions and theft. While security researchers have identified many focused scams that target mobile devices, a widespread incident is almost certainly on its way. To date, scams have targeted select groups of mobile users, such as customers of a specific bank. The massive and relatively new market for mobile applications also offers new markets for criminals. Researchers have detected exploits in which wallpaper apps for Android Market, the app store for the Android mobile operating system, have been collecting mobile subscriber information and sending it to a website owned by a scammer.

Another type of exploitation involves "money mules"—individuals who help launder money by accepting and transferring funds earned in online scams. Money mules are sometimes criminals; more often, however, they are people in need of money who are tempted into this activity by "work at home" spam. Regardless of whether they are willing participants or unsuspecting victims, money mules are integral to enabling criminals to profit from their campaigns. Users can limit these operations by not becoming unwitting accomplices.

The subject of trust is also in play in the ongoing struggle of governments to work together to combat cybercrime. Governments recognize the need to develop common standards for security solutions, yet they also want autonomy over how technology is deployed within their borders. Some countries and companies are leading efforts to expand the reach of these common standards, since they present the best opportunity for improved security and continued product innovation.
Announcing the 2010 Winners of the Cisco Cybercrime Showcase

As you read the Cisco 2010 Annual Security Report, you'll find many stories about the bad guys whose craftiness and lack of morals have brought them to new heights of criminality this year. At the same time, the security industry is fortunate to have "superheroes" who work ceaselessly to bring down the evildoers and help us understand and combat criminal escapades. This year, Cisco is presenting two awards: one for "Good" and one for "Evil."

"The work of Thorsten Holz and his researchers highlights how vital it is for the academic, corporate, and legal communities to work together to weaken and flatten online criminal enterprises. This type of private-public partnership should be nurtured and supported to gain ground against increasingly sophisticated online criminals."

—Adam Golodner, director of global security and technology policy, Cisco

The Good: Thorsten Holz, Ruhr-University Bochum/LastLine

If it weren't for researchers like Thorsten Holz, an assistant professor at Ruhr-University Bochum in Germany and senior threat analyst for security firm LastLine, we'd all be receiving a lot more spam. Up until mid-2010, a massive spam botnet known as Pushdo or Cutwail was responsible for sending as much as 10 percent of all spam messages worldwide. Then, Holz and his associates at LastLine—professors and graduate students from the technology departments of several leading universities—identified the 30 Internet servers used to control Pushdo/Cutwail, contacted the hosting providers, and urged them to take down the servers.[1] The result: After providers agreed to shut down 20 of the servers, spam dropped from an average weekday volume of 350 billion a day to 300 billion a day.

Just as dramatic was the takedown of the Waledac botnet, which at its peak in 2009 was delivering 1.5 million spam messages daily. In February 2010, Holz and several colleagues from academic and corporate institutions identified the almost 300 web domains controlled by the Waledac perpetrators and convinced a federal judge to grant an order against service providers to shut down these domains and transfer their ownership to Microsoft, thereby crippling the botnet.

The Evil: Stuxnet

The Stuxnet worm, whose earliest versions appear to date to 2009, differs from its malware "cousins" in that it has a specific, damaging goal: to traverse to industrial control systems so it can reprogram the programmable logic controllers (PLCs), possibly disrupting industrial operations. It's not gathering credit card numbers to sell off to the highest bidder, and it's not selling fake pharmaceuticals—it appears to have been created solely to invade public or private infrastructure. (For more on Stuxnet, see page 21.) Stuxnet's cleverness lies in its ability to traverse non-networked systems, which means that even systems unconnected to networks or the Internet are at risk. Federal News Radio's website called Stuxnet "the smartest malware ever."

"Stuxnet bears watching in 2011 because it breaks the malware mold," advises Kurt Grutzmacher, network consulting engineer at Cisco. "Malware that is designed to disrupt industrial control systems in critical infrastructure should be a concern for every government." Fortunately, fixes are already available for the vulnerabilities exploited by Stuxnet—but Stuxnet is likely just the first in an expected long line of "hypertargeted" malware creations.

[1] "Researchers Kneecap 'Pushdo' Spam Botnet," Krebs on Security blog, August 27, 2010.
The Cisco Cybercrime Return on Investment (CROI) Matrix

Where will most cybercriminals channel their resources in 2011? Cisco security experts offer their predictions based on recent and emerging trends in the shadow economy.
The Cisco CROI Matrix made its debut in the Cisco 2009 Annual Security Report and is used to track the performance of cybercrime operations, which increasingly are managed and organized in ways similar to sophisticated, legitimate businesses. Specifically, this matrix highlights the types of aggressive actions Cisco security experts predict cybercriminals are likely to focus most of their resources toward developing, refining, and deploying in the year ahead.

Cash Cows: As predicted in 2009, many cybercriminals were content to sit back and relax during 2010 and let road-tested techniques, such as scareware and spyware, click fraud, advanced-fee fraud, and pharma spam, help them make a profit. Expect to see these "cash cows" maintain their role as workhorses for cybercriminals during 2011—although spammers, particularly those responsible for high volumes of spam traffic, may need to be more cautious. Law enforcement agencies are taking action to address the global spam epidemic by targeting some of the most egregious offenders.

Dogs: As expected, instant messaging scams have dropped off the matrix, but now there's a newcomer among the Dogs: social networking scams, which ranked in 2010 as a wait-and-see moneymaker in the Potentials category. Cisco security experts predict that social networking scams will not be a significant area for cybercriminals to invest their resources in the year ahead. It's not that social networking scams are declining, but they are just a small part of a bigger plan—launching web exploits, such as last year's campaign to lure users of LinkedIn into downloading the Zeus Trojan (see page 15). Thus, less up-front research and development are required for social networking scams. Criminals know they work.

Figure: The Cisco Cybercrime Return on Investment Matrix. Vertical axis: Success/Growth (Low to High). Horizontal axis: Scalability/Revenue (Low to High).
  Potentials (high growth, low scalability): Mobile Devices; VoIP Abuse
  Rising Stars (high growth, high scalability): Web Exploits; Money Laundering (muling); Data Theft Trojans
  Dogs (low growth, low scalability): Social Networking Attacks; Phishing 1.0; DDoS
  Cash Cows (low growth, high scalability): Click/Redirect Fraud; Spyware/Scareware; Advanced Fee Fraud; Pharma Spam
The Cisco CROI Matrix predicts cybercrime techniques that will be "winners" and "losers" in 2011.
Appearing again in the "Dogs" category are phishing 1.0 scams (unsophisticated attempts to steal user credentials and other sensitive information). So, too, are distributed denial of service (DDoS) attacks, despite some notable incidents this year. For instance, in late September 2010, a DDoS attack was launched by hacker website 4Chan against the Motion Picture Association of America's (MPAA) webpage. Dubbed "Operation Payback," the attack was retribution for the MPAA trying to halt the activity of websites that distribute copyrighted content and users who download illegal copies of movies. Film studios had reportedly paid Indian firm Aiplex Software to attack torrent websites in a similar manner.[2] And even in light of the recent spate of DDoS attacks against a number of companies that had cut off services to the nonprofit media organization following its release of confidential U.S. government documents on its website, it is unlikely these types of attacks, which tend to be highly targeted and retaliatory, will be a major investment category for the general cybercrime community looking to make a profit in 2011.

Potentials: According to research firm IDC, the number of mobile devices—from smartphones to tablet PCs—accessing the Internet by 2013 will surpass 1 billion,[3] creating more opportunities for cybercrime (see The Tipping Point, page 30). The massively successful banking Trojan, Zeus—which, according to the U.S. Federal Bureau of Investigation (FBI), has played a key role in the theft of more than US$70 million from 400 U.S. organizations over the past several years—is already being adapted for the mobile platform.[4] In late 2009, SymbOS/Zitmo.Altr appeared; researchers believe it was designed to intercept confirmation SMS messages sent by banks to their customers. (Note: "Zitmo" stands for "Zeus in the Mobile.")[5] It appears the mobile malware, which users download after falling prey to a social engineering ploy, is designed to defeat the SMS-based two-factor authentication most banks use to confirm online funds transfers by customers.

Meanwhile, VoIP abuse has been on the upswing and appears poised for further growth. Criminals use brute-force techniques to hack private branch exchange (PBX) systems to place fraudulent, long-distance calls—usually international. These incidents, often targeting small or midsize businesses, have resulted in significant financial losses for some companies. VoIP systems are being used to support vishing (telephone-based phishing) schemes, which are growing in popularity. In one recent vishing scam targeting the Federal Deposit Insurance Corporation (FDIC), vishers called U.S. consumers via mobile and land-line phones to inform them they were delinquent in loan payments that had been applied for over the Internet or made through a payday lender.[6] Criminals were able to collect personal information, such as Social Security numbers (SSNs), from victims.

Rising Stars: The Zeus Trojan, and the entire field of lucrative, easy-to-deploy web exploits, like those seen in 2009 and 2010, will continue to receive significant investment from cybercriminals in 2011. The aptly named Zeus, which is powerful, pervasive, and targeting everything from bank accounts to government networks, has become extremely sophisticated and is much more customizable; as of October 2010, there were hundreds of different Zeus botnets known to security researchers. (See page 15 to learn about the recent Zeus exploit involving fake LinkedIn spam alerts, and page 23 for details on the Zeus-related fake Apple iTunes spam event.) However, the attention Zeus commands is making it easier for other highly sophisticated but less widespread Trojans such as Bugat, Carberp, and SpyEye to avoid detection. Also of note: In October 2010, Brian Krebs, who was spotlighted as a "Cybercrime Hero" in the Cisco 2009 Cybercrime Showcase, reported in his Krebs on Security blog that malware developers were merging the Zeus codebase with that of the SpyEye Trojan to create an especially potent threat for "a more exclusive and well-heeled breed of cyber crook."[7]

Cisco security experts anticipate that the real focus of cybercriminal investment for 2011, however, will be on improving the success and expanding the number of cash-out services ("money muling" operations). These operations, which have been discussed in previous Cisco security reports, are a vital component of the cybercrime lifecycle and are becoming more elaborate and international in scope. Zeus is often in the mix here, as well: See page 11 to read about its central role in a complex international money muling scheme operated by Eastern European gangs that was recently exposed by United Kingdom and U.S. law enforcement.

[2] "Film studios 'launch cyberattacks on torrent sites,'" by Emma Woollacott, TG Daily, September 9, 2010.
[3] "IDC: 1 Billion Mobile Devices Will Go Online by 2013," by Agam Shah, December 9, 2009.
[4] Graphic depicting global reach of Zeus.
[5] "Zeus Goes Mobile – Targets Online Banking Two-Factor Authentication," by Mike Lennon, SecurityWeek, September 27, 2010.
[6] "Vishing Scam Hits FDIC," September 15, 2010.
[7] "SpyEye vs. Zeus Rivalry Ends in Quiet Merger," by Brian Krebs, Krebs on Security blog, October 24, 2010.
Money Mules: The Linchpins of Cybercrime Networks

Cybercriminals need "hired help" to launder their ill-gotten gains—but rounding up new recruits is a never-ending process, as most money mules have short-lived careers.
While online scammers have no difficulty stealing enough information to use their victims' credit cards and access their online bank accounts, they still need a way to get paid in the physical world, and thus turn to money mules who facilitate money laundering. Money mules are individuals recruited by handlers or "wranglers" to set up bank accounts, or even use their own bank accounts, to assist in the transfer of money from a fraud victim's account to another location—usually overseas—via a wire transfer or automated clearing house (ACH) transaction.

One major hitch with any type of cash-out operation involving money mules is that there simply aren't enough mules in service. Mules typically work only one day before they are either abandoned by their handler or are taken into custody by law enforcement. As the cybercriminal economy continues to expand, it will be increasingly challenging for scammers to maintain an adequate supply of these temporary "employees" to profit fully from their exploits: One money mule expert estimates that the ratio of stolen account credentials to available mule capacity already could be as high as 10,000 to 1.

So, what type of people serve as money mules? They can be lower-level criminals willing to engage in a shady financial transaction to make some quick cash. Someone who is aware of his or her role as a money mule often believes that he or she is somehow "smarter than the average mule"—and therefore will never be caught by authorities. Or they do not believe what they are doing is that serious, and think, perhaps, "Well, what's the worst thing that could happen?" Not surprisingly, many money mules are caught quickly. Often, they face substantial fines—even jail time.

However, mules are quite often individuals seeking legitimate employment who end up being lured by too-good-to-be-true job offers such as "Earn Thousands Working at Home!" Some ads, designed to appeal to people struggling with consumer debt, lure in victims with calls to action like "Get Out of Debt Now!" These offers are often sent via spam, but some operations still advertise in the physical world with posters, flyers, and newspaper ads. People scouring employment ads on legitimate, well-known job search sites also have been duped by these scams. And given the challenging economic environment of the past few years, recruiters for money mules are likely finding their inboxes brimming with job application materials from potential candidates for hire.

Students are often targets for money mule recruiters, as are those simply looking for an "easy" way to make extra cash. A mule may be promised a monthly base salary, as well as a small commission (for example, US$50) per successful transaction. Some mules are told they can keep 5 percent per transaction, minus any wire transfer fees. As most mule handlers aim for mules to withdraw up to US$10,000 per transaction (amounts over that figure trigger a financial institution's anti-money laundering controls), the potential "earnings" are attractive. But even if they do make money in the short term, mules often pay a high price for their involvement in facilitating a crime: When a bank detects fraud, the mule, once identified by authorities, is often held responsible for repaying the money that was illegally transferred.

The more sophisticated cash-out organizations act as legitimate financial services firms. Individuals who come in contact with these operations usually have no idea they are being recruited as money mules, and believe they are dealing with a recruiter for a legitimate company. Quite often, they have responded to an ad on an online employment site for a position with a title such as "regional assistant," "company representative," or "payment processor." The contact the applicant interacts with online or by phone plays the role of human resources specialist, and when the victim inquires about vacation time, the availability of a 401(k) plan, or whether the "company" honors the U.S. Family and Medical Leave Act, they are provided a satisfying answer. As part of the "hiring process," mules are asked to provide sensitive information to the handlers, such as images of their government-issued identification.

Once hired, money mules are expected to work in a short time window—usually from around 9 to 11 a.m.—so that cash can be wired out of their account before a financial institution's security staff are able to respond to an incident of suspected fraud. (Mules also must own a cell phone; in fact, not having one is a deal-breaker. They won't get the job.) Mule operatives instruct mules to open two bank accounts: one for their "salary" and another for "funds." They also tell the mules to provide them with the online banking passwords for those accounts so they are able to check the balances. Mules are then asked to locate their local Western Union and Moneygram branches so that the cash-out process can commence; wire transfers, even though they require a fee to be paid up front by the sender, are typically very fast transactions, and don't require a bank account-to-bank account transfer.
It is not unusual for criminals to recruit dozens of money mules to stage just one large operation, or keep several on hand for repeat check-cashing and wire-transfer assignments. For example, one money mule recruitment and management website managed more than 4100 mules working in the United States during the course of a single year. Experts have noted that criminals, for reasons not entirely clear, prefer to hire East Coast residents when setting up money muling operations in the United States.

The following are examples of common cash-out systems that involve money mules:

Operation 1: Standard money is placed into legitimate in-country accounts via wire transfers (for example, Western Union) or ACH transactions. Mules are recruited to use their own accounts. Criminals move stolen money into these accounts. As an example, a mule conducts transactions at three or four Western Union locations, each time sending approximately US$3,000 by wire transfer to an overseas location. These wire transfers are often redirected after they are posted—using information the mule provided when he or she entered the mule organization, such as bank account information—so the mule doesn't know the true final destination for the funds.

Operation 2: J-1 visa holders who obtain permission to work in the United States for short periods, such as for seasonal work, are recruited by money mule operatives in their country. While in the United States, the J-1 visa holders/money mules set up bank accounts in major metropolitan areas using bogus names and passports provided by their contacts. Information about money muling assignments is spread by word of mouth or through social networking, which is becoming an increasingly important tool for cybercriminals looking to spread their cash-out operations around the globe. An example of a money muling operation that targets J-1 visa holders is the Russian site "Work & Travel USA," which has a Facebook-like page with more than 50,000 "friends."

In September 2010, the U.S. Attorney's Office in Manhattan announced that it had charged 37 individuals from Russia and Eastern European countries—most of them in the United States on J-1 nonimmigrant visas—for their participation in a sophisticated scheme involving the Zeus banking Trojan and a team of money mules who stole funds from dozens of U.S. business accounts. The operation, which primarily targeted the bank accounts of small businesses and small municipalities, was code-named ACHing Mules because it involved unauthorized ACH transactions (see sidebar, "The Appeal of Automated Clearing House Transactions for Money Mule Operations" on page 12).

Earlier that same month, U.K. authorities charged 11 Eastern European citizens in connection with the same scam.[8] According to authorities, at least US$3 million was stolen from U.S. accounts from May to September 2010 through this specific money muling operation. In the United Kingdom, as much as US$9.5 million was siphoned from U.K. bank accounts. Money mules used units of Bank of America Corp. and TD Bank Financial Group to open accounts for laundering the money.[9]

Operation 3: Because banks and credit card companies are becoming more adept at deterring fraud, some cybercriminals are turning to reshipping scams as a way to cash out. A scammer uses stolen or fake credit card or bank account information to purchase merchandise—usually, popular consumer electronics such as MP3 players, laptops, or flat-screen TVs—from e-commerce or auction sites. Since criminals obviously cannot send the goods to their own address, they rely on "shipping mules" to receive and forward the deliveries to foreign locations.

Mules participating in reshipping fraud may or may not be willing conspirators. But criminals have been known to prey on those who are looking for personal relationships online. They lure victims with overtures of friendship or romance communicated via email or instant messages—perhaps even sending nominal gifts as the "relationship" progresses. Over time, as the victim becomes convinced he or she has found a new best friend or a potential soul mate, the criminal begins to ask for favors.

Typically, scammers tell their victims that they cannot ship items they have purchased online directly to their home or business address in a foreign country due to some type of "legal" restriction. They ask the victim's permission to send the goods to his or her home, and offer to handle all of the shipping expenses.

Once the victim agrees to help, he or she quickly receives a flood of parcels containing the illegally purchased goods and is asked to repackage and send them to one or more locations outside the country. This may go on until the scammer's specific mission is complete, or until the victim grows suspicious (or weary of the reshipping process) or is visited by law enforcement and informed that the products being shipped outside the country were paid for with stolen or fraudulent credit cards.

Figure: A Day in the Life of a Money Mule
  1. An individual applies to an employment ad (e.g., "Work from Home!") posted on a job site or sent via spam by a money muling operation.
  2. The money mule recruiter responds to the applicant via email. The charade may include asking for more detail about the applicant's experience, and explaining "employment benefits."
  3. The mule is hired and told to work from 9 to 11 a.m. on the first day (which is usually the last day, too). The mule is instructed to open two bank accounts, one for "funds" and one for "salary," and to provide credentials for accessing the accounts. The mule is also asked to locate local Western Union and Moneygram locations.
  4. Once the money muling operatives transfer money from victims' bank accounts into the "funds" account, the handler contacts the mule to say the money is ready to be withdrawn.
  5. The mule takes the money out of the bank (always less than US$10,000 at a time to help avoid fraud detection) and heads to a Western Union or similar location to make a wire transfer. The money is wired overseas to one or more locations.
  6. The mule reports back to the handler by cell phone or email. The handler tells the mule to await further instruction.
  7. Money mule operators (or other mules) collect the wired money at overseas location(s). The funds may be wired again to conceal the true destination(s) for the funds.
  8. The mule awaits further instruction. From here, the mule is usually abandoned by the handler, and may even be arrested (once fraud is detected) and can go to jail and/or be expected to pay back funds illegally taken from victims' accounts.

[8] "Zeus Trojan bust reveals sophisticated 'money mules' operation in U.S.," by Jaikumar Vijayan, Computerworld, September 30, 2010.
[9] "Accounts Raided in Global Bank Hack," by Chad Bray, Cassell Bryan-Low, and Siobhan Gorman, The Wall Street Journal, October 1, 2010.
The Appeal of Automated Clearing House Transactions for Money Mule Operations

An automated clearing house (ACH) transfer takes more time to complete than a wire transfer (a day or more, versus minutes), but because the process is automated, ACH transactions are less expensive. In addition, larger amounts of cash can be transferred. And unlike a wire transfer, the identities of the sender and recipient are not verified, which makes them an even more attractive tool for criminals.

When an ACH transfer is initiated, all the information is sent in a “batch” to a clearing house, which then handles the transaction. When a financial institution attempts to reverse a transfer—which is not a quick and easy process to initiate—it is “all or nothing.”

For example, suppose a fraudulent US$100,000 transfer is sent via an ACH transaction to a money mule’s account. When the bank tries to reverse the US$100,000 and the account holds less than that amount (perhaps because the mule has already started wiring some of the money overseas), the reversal fails.

The appropriate thing for the bank to do is to keep retrying with progressively smaller amounts until it succeeds in recouping at least a portion of the stolen money. However, many banks are not sophisticated enough to do this, and the money is lost.

That’s not always the end of the story, though. More financial institutions are pursuing money mules after illegal ACH and wire transfers have been detected and holding them liable for funds lost. Mules often use their own bank accounts to help carry out the fraud, which makes them easy for authorities to trace. In addition, in the United States, the federal government is becoming more aggressive about tracking down and prosecuting mules—as well as their handlers.
An Offer You Should Refuse

If a money mule recruitment email arrived in your inbox, would you immediately know it was a scam? Maybe—especially if the email is poorly written and tells an outlandish tale. But if you are someone who is eager to make extra (and supposedly easy) income, and you have difficulty saying no—particularly when the person writing to you for help seems so friendly—then you might be more likely to believe an offer that sounds too good to be true is on the level. And you would not be alone.

In an October 2010 blog post for The Huffington Post, Cisco senior security advisor Christopher Burgess shared an example of a money mule solicitation he recently received in his own email inbox.10 The “work online from home” offer seeking a U.S.-based representative/online bookkeeper for a U.K. fabric company indicates that the supposed employer, Owen Geven, is willing to pay 10 percent for every payment from a client that is processed through the representative (who apparently needs no bookkeeping experience whatsoever to handle this important job).

Emails like the one below that are used to attract money mule candidates feature telltale signs that can help targets recognize a scam is likely afoot. Burgess outlined several of these warning signs in his recent blog post11:

• You are told to “keep this offer secret”
• You are asked to “respond to this offer right now”
• You are informed the company needs protection from taxes associated with international sales remittance
• You are asked to spend your money
• You are requested to open or provide any information associated with your bank account(s)

From: Owen Geven [email address blacked out]
To: Christopher Burgess [email address blacked out]
Subject: Work Online From Home!
__________________________________________________________________________________________________

My name is Owen Geven, a designer and also the Manager of Owen Geven Fabric and Consultant and I live and work here in United Kingdom, Would you like to work online from home and get paid without affecting your present job? Actually I need a representative who can be working for the company as online book-keeper. We make lots of supplies to some of our clients in the EUROPE/USA/CANADA, for which I do come to USA/CANADA to receive payment and have it cashed after I supply them raw materials. It’s always too expensive and stressful for me to come down and receive such payment twice in a month so I therefore decided to contact you. I am willing to pay you 10% for every payment receives by you from our clients who make payment through you. Please note you don’t have to be a book keeper to apply for the job. Kindly get back to me as soon as possible if you are interested in this job offer with you’re:

1. FULL NAMES ..........
2. ADDRESS (not ..........
3. STATE ..........
4. ZIPCODE ..........
5. COUNTRY ..........
6. PHONE NUMBER(S) ..........
7. GENDER ..........
8. AGE ..........
9. OCCUPATION ..........

PLEASE SEND YOUR REPLY ASAP TO: (a web based email)

10 “Use Horse Sense, Don’t Be a Mule,” by Christopher Burgess, The Huffington Post, October 27, 2010.
11 Ibid.
Social Engineering: Taking Advantage of Trust

Criminals continue to take advantage of the high levels of trust that users place in social networking services. They often exploit this trust by masquerading as someone the user knows.
As discussed in the introduction, exploitation of trust is now an essential tool across all sectors of cybercrime. Nowhere is this tactic more widespread than within social networking, where it continues to attract victims who are willing to share information with people they believe are known to them.

One noticeable shift in social engineering is that criminals are spending more time figuring out how to assume someone’s identity, perhaps by generating emails from an individual’s computer or social networking account. A malware-laden email or scam sent by a “trusted person” is more likely to elicit a clickthrough response than the same message sent by a stranger. Koobface malware, which first appeared on Facebook in 2008, uses this tactic, sending messages to friends of an infected Facebook user and convincing them to download the malware. (See the sidebar on page 18 for more about the evolution of the Koobface botnet.) And in October 2010, a freelance web developer created Firesheep, an extension for the Firefox browser that allows someone on an unsecured wireless network to hijack another wireless user’s Facebook or Twitter account.12

As Cisco has discussed in previous security reports, users of social networks continue to place high levels of trust in information they (supposedly) receive from other members of these networks, or what seem to be official messages from these networks. Knowing this weakness, scammers are naturally directing more of their spam messages at social network users, employing social engineering tactics to drive necessary clickthroughs and malware downloads.

In September 2010, spam emails that were purportedly from business social networking service LinkedIn were sent worldwide and contained fake reminders. If the recipient clicked through on any links contained in the message, their computer became infected with Zeus malware.

The scale of this particular spam operation was daunting: On the day the messages were sent, they numbered in the billions and accounted for 24 percent of spam messages worldwide. While this has been the largest outbreak of social networking-related spam to date, it’s not the first: The Cutwail botnet, which was first detected in 2007, routinely sends emails that try to convince recipients that they originate from social networks.

The LinkedIn spam operation is worth noting and watching in the future because of the high volume of messages delivered, as well as the fact that supposedly savvy business users (presumably, higher-value targets) were targeted and that Zeus malware was used to steal personal login data.

“The LinkedIn spam campaign strongly suggests that its perpetrators are most interested in employees with access to financial systems and online commercial bank accounts. According to the FBI’s Internet Crime Complaints Center, in 2009, more than US$100 million was stolen from commercial bank accounts using methods like this,” explains Nilesh Bhandari, product manager at Cisco. “The scammers are targeting the professionals who used LinkedIn, not people who frequent MySpace or Facebook. Organizations should encourage people to be suspicious of any email that purports to be from a legitimate source, but appears slightly different than they might expect.”

[Figure: Fake LinkedIn Messages as a Percent of Total Spam. Vertical axis: Percent of Spam, 0% to 30%. Horizontal axis: Day/Time, September 27 from 10:15 to 16:45 in 15-minute intervals.] In September 2010, spam messages lured recipients into clicking on links in fake LinkedIn notifications that infected their computers with Zeus malware, which captures personal banking information.

12 “Firesheep Firefox extension opens fire on sheep-browsers,” October 26, 2010.