Cybercrime: from hacking to the Underground Economy
Francesca Bosco, Project Officer, Interregional Crime and Justice Research Institute (UNICRI)
31 March 2011, Università degli Studi di Milano Bicocca
Agenda
• Definitions, Trends & Statistics: why the topic is relevant
• The Underground Economy and Cybercrime
• Business models applied to Cybercrime
• Social Networks and How to Protect Yourself
• Who are the criminals: Two case studies
Every new technology opens the doors to new criminal approaches
What is cybercrime?
Many possible definitions - no widely accepted definition.
Any conduct proscribed by legislation and/or jurisprudence that
(a) is directed at computing and communications technologies themselves;
(b) involves the use of digital technologies in the commission of the offence; or
(c) involves the incidental use of computers with respect to the commission of other crimes.
Forms
• crimes against the confidentiality, integrity or availability of computer systems (e.g. theft of computer services)
• crimes associated with the modification of data (e.g. theft of data)
• content-related crimes (e.g. dissemination of illegal and harmful material, child pornography)
• relation between terrorism and the Internet (e.g. terrorist propaganda, recruitment for terrorist organizations)
What is cybercrime?
The Convention on Cybercrime (Budapest, 23.XI.2001) defines cybercrime in Articles 2-10 on substantive criminal law in four different categories:
(1) offences against the confidentiality, integrity and availability of computer data and systems;
(2) computer-related offences;
(3) content-related offences;
(4) offences related to infringements of copyright and related rights.
Definition
According to the European Convention on Cybercrime, cybercrimes are defined as “offences against the confidentiality, integrity and availability of computer data and systems”, thus considering as offences:
“Illegal access” (art. 2), “Illegal interception” (art. 3), “Data & System Interference” (artt. 4-5), “Misuse of devices” (art. 6), “Computer-related fraud and forgery” (artt. 7-8), “Offences related to child pornography” (art. 9), “Offences related to infringements of copyright and related rights” (art. 10).
Attempt to categorize: Types of cybercrime
Financial - crimes which abuse businesses' ability to conduct e-commerce (or electronic commerce).
Piracy - the act of copying copyrighted material. The personal computer and the Internet both offer new mediums for committing an old crime. Online theft is defined as any type of piracy that involves the use of the Internet to market or distribute creative works protected by copyright.
Hacking - the act of gaining unauthorized access to a computer system or network and in some cases making unauthorized use of this access. Hacking is also the act by which other forms of cyber-crime (e.g., fraud, terrorism, etc.) are committed.
Cyber-terrorism - the effect of acts of hacking designed to cause terror. Like conventional terrorism, e-terrorism is classified as such if the result of hacking is to cause violence against persons or property, or at least cause enough harm to generate fear.
Online Pornography - There are laws against possessing or distributing child pornography. Distributing pornography of any form to a minor is illegal. The Internet is merely a new medium for this ‘old’ crime, but how best to regulate this global medium of communication across international boundaries and age groups has sparked a great deal of controversy and debate.
Financial
Public confidence in the security of information processed and stored on computer networks and a predictable environment of strong deterrence for computer crime are critical to the development of e-commerce, or commercial transactions online. Companies' ability to participate in e-commerce depends heavily on their ability to minimize e-risk.
Risks in the world of electronic transactions online include viruses, cyber attacks (distributed denial of service (DDoS) attacks) such as those which were able to bring Yahoo, eBay and other websites to a halt in February 2000, and e-forgery. There have also been other highly publicized problems of e-fraud and theft of proprietary information, and in some cases even ransom demands (e-extortion).
VIDEO: Is there any difference between Hackers and Cybercriminals?
What is Hacking?
• The act of gaining unauthorized access to computer systems for the purpose of stealing and corrupting data.
Types of Hackers:
• Black Hats - Malicious hackers
• White Hats - Ethical hackers
• Grey Hats - Ambiguous
What is interesting for cybercriminals?
Data is more valuable than money. Once spent, money is gone, but data can be used and reused to produce more money or for further leverage.
The ability to reuse data to access on-line banking applications, authorize and activate credit cards, or access organization networks has enabled cybercriminals to create an extensive archive of data for ongoing illicit activities.
Intellectual property: keep in mind that a database of credit cards is easy to monetize, a database of PII is more difficult, and monetizing stolen IP is much harder but also much more lucrative if done correctly.

Outcomes of cyber attacks and reactions
Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal.
A central issue, in both public and private sectors, is whether or not we are devoting enough resources to information security.
Part of the answer must come from economic analysis. Investigations into the stock price impact of cyber-attacks show that identified target firms suffer losses of 1%-5% in the days after an attack.
Organizations of all sizes and industries have suffered losses at the hands of cybercriminals – though only a low percentage report such incidents.
Concomitantly, cybercrimes offer high financial yields and can often be performed in a manner that incurs only modest risks because of the anonymity they present. The lack of incident reporting and the ease of access to electronically stored data have led experts to predict that cybercrime will continue to increase in the years to come. Accurate and statistically comprehensive data on the incidence and costs of cyber-attacks are critical to the analysis of information security.
The Underground Economy
• “Underground Economy” has historically been used to denote business that occurs outside of regulatory channels. Around the turn of the 21st century, Team Cymru adapted the term to the cyber locations and individuals who buy, sell, and trade criminal goods and services.
• Today the Underground Economy can be found in IRC networks, HTTP forums (web boards), various Instant Messaging services, and any other communications platform that lends itself to anonymous collaboration.
• The Underground Economy is made up of criminals who typically specialize in a specific criminal commodity. A few of the more common commodities include credit/debit cards, personal identities, hacked servers, hacked network equipment, malware (malicious code), Internet vulnerability scanners, e-mail spam lists, fictitious identification documents, and fraudulent money movement services.
• The higher levels of the Underground Economy involve technically talented actors who work with other criminals through private communication methods often involving encryption. The public criminal market place is contracting, but the criminal activity itself is increasing in both volume and sophistication.
Source: The State of Cybercrimes, Freedom From Fear, March 28, 2011
“The day money became the focus of malware is the day the Internet changed.” - Graham Ingram, AusCERT GM
New Malware Statistics
[Charts: Top Malware Source Countries; Top Attack Sectors. Source: Symantec, Kaspersky, McAfee, Sophos]
Malware: Hostile, intrusive, or annoying software or program code designed to infiltrate a computer system (virus/worms/Trojans/rootkit/backdoors/spyware).
Botnets: Software agents/bots that run autonomously and automatically under a common command-and-control structure and perform malicious activities.
Phishing: Fraudulent process of attempting to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication.
Spamming: Abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately in the form of e-mail, instant messaging etc.
SQL injection: Code injection technique that exploits a vulnerability in the way an application builds its database queries, so that user-supplied text is unexpectedly executed as part of the SQL code.
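To make the SQL injection definition above concrete, here is an added example (not from the original slides) showing a login check that pastes user input into the query text next to the same check written with a parameterized query. The table, the user record and the inputs are constructed sample data, and Python's bundled sqlite3 module stands in for whatever database a real application would use.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory user table (sample data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Defect on purpose: untrusted input is concatenated into the SQL text,
    so the database cannot tell the data apart from the query structure."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Fix: placeholders keep the query shape fixed; the driver passes the
    values separately, so quote characters in the input stay plain data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both versions with the real password and with the textbook
    tautology input (a quote that closes the string, then an always-true clause)."""
    conn = make_demo_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_correct": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "param_correct": login_parameterized(conn, "alice", "correct-horse"),
        "param_tautology": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The concatenated version accepts the tautology because the WHERE clause it builds reads `password = '' OR '1'='1'`; the parameterized version compares the literal string and rejects it. Parameterized queries (or an ORM that uses them) are the standard defence; input filtering alone is not.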
[Chart] Top 20 countries with the highest rate of cybercrime attacks
Damages, fraud, crime estimates
• Worldwide direct damage due to malware in 2006: $13.2 bn (Computer Economics); decline from $17.5 bn in 2004 (effects of anti-malware efforts and shift from direct to indirect costs)
• U.S. Federal Bureau of Investigation estimated cost of computer crime to the U.S. economy in 2005 at $67.2 bn (upper ceiling, not all malware-related)
• Global cost of spam in 2007: $100 bn, of which $35 bn in the U.S. (Ferris Research)
• Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)
• Direct costs to U.S. consumers in 2007: $7.1 bn (Consumer Reports)
• Range of estimates on online consumer fraud: $240-340 million for the U.S.; £33.6 for financial fraud in the UK
• Cost of click fraud in 2007: $1 bn (Click Forensics)
Complaints of online crime, 2010, at the Internet Crime Complaint Center (USA)
YEAR | COMPLAINTS RECEIVED | US$ LOSS
2010 | 303,809 | -
2009 | 336,655 | 560 million
2008 | 275,284 | 265 million
2007 | 206,884 | 239 million
2006 | 207,492 | 198 million
OC activities shift
Original Activity | Modern Version
Local numbers gambling | Internet gambling (international sites)
Heroin, cocaine trafficking | Synthetic drugs (less vulnerable to supply problems)
Street prostitution | Internet prostitution and trafficking in human beings
Extortion of local businesses | Extortion of corporations for protection, kidnappings
Loansharking | Money laundering, precious stones, commodities
Fencing stolen property | Theft of intellectual property
Trends of organized crime: Transnational, Adaptive, Multifaceted
A. Drug trafficking
B. Illicit arms trade
C. Trafficking and smuggling of human beings
D. Traffic of human organs
E. Counterfeiting
F. Environment-related crimes
G. Maritime piracy
H. Cyber crime
I. Financial crimes: corruption, money laundering
Why has Cybercrime become so pervasive?
– Extremely profitable
– Very low infrastructure cost and readily available attack tools
– Barriers to prosecution combined with weak laws and sentencing
– Anonymity and financial lure have made cyber-crime more attractive
– Separation between the physical and virtual world
– Organized cybercrime groups can conduct operations without ever making physical contact with each other
Underground Economy (UE) Business Model
Organised crime borrows and copies business models from the legitimate economy sector. Cyber-criminals employ models similar to B2B (business-to-business) for their operations, such as the highly sophisticated C2C (criminal-to-criminal) model, which uses very effective crime tools available through digital networks.
Let’s go shopping... how much do they cost?
• Credit card number with PIN
• Change of billing data, including account number, billing address, SSN, name, address and birth date
• Driver's license number
• Birth certificate
• Social security card
• Credit card number with security code and expiration date
• PayPal account ID and password
Items for sale
A sampling of items for sale in typical cybercrime forums:
$1000-5000 | Trojan program to steal online account information
$500 | Credit card number with PIN
$80-300 | Change of billing data, including account number, billing address, SSN, name, address and birth date
$150 | Driver's license number
$150 | Birth certificate
$100 | Social security card
$7-25 | Credit card number with security code and expiration date
• In 2009, 60 percent of identities exposed were compromised by hacking attacks.
• 75 percent of enterprises surveyed experienced some form of cyber attack in 2009 (from Symantec State of the Enterprise Report 2010).
• The top Web-based attacks observed in 2009 primarily targeted vulnerabilities in Internet Explorer and applications that process PDF files.
• Mozilla Firefox had the most reported vulnerabilities in 2009, with 169, while Internet Explorer had just 45, yet Internet Explorer was still the most attacked browser.
• The United States was the top country of origin for Web-based attacks in 2009, accounting for 34 percent of the worldwide total.
• In 2009, botnets were responsible for sending approximately 85 percent of all spam email.
• There were 321 browser plug-in vulnerabilities identified in 2009, fewer than the 410 identified in 2008.
• ActiveX technologies still constituted the majority of new browser plug-in vulnerabilities, with 134; however, this is a 53 percent decrease from the 287 ActiveX vulnerabilities identified in 2008.
TRENDING COMMODITIES IN UNDERGROUND MARKETS
• In 2009 the black market shifted: email accounts were the third most available virtual good for sale.
• Online credentials are composed of username/password combinations used to gain access to different Internet applications:
• Online banking service - the credentials allow the attacker to transfer funds from the victim’s account to accounts controlled by the criminal
• Health-care providers - stolen accounts may be used for prescription drug trading or for health information compromise
• Webmail applications - a hacked webmail account allows the hacker to scrape the victim’s address book and use those addresses in spam lists. The criminal can then send phishing messages from the compromised account, making the message all the more credible.
• Social networks - the inherent viral nature of social networks, together with real-time updates in search engines, makes stolen social network accounts most valuable. The price of these credentials varies according to the popularity of the application.
Malware/spam and the underground economy
Players in the underground economy include (see slide 19):
• Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
• Spammers, botnet owners, drops
• Various middlemen
Emergence of institutional arrangements to enhance “trust” in the underground economy: service level agreements, warranties, etc.
Steady stream of new attacks, e.g.: spear-phishing, chained exploits, exploitation of social media.
Example of some of the possible financial flows
[Diagram of numbered flows between Fraudsters/criminals, Hardware and software vendors, Individual users, Business users, Security service providers, ISPs, Government and Society at large; solid arrows mark legal financial flows, the others potentially illegal financial flows]
1: Extortion payments, click fraud, compensated costs of ID theft and phishing
2: Uncompensated costs of ID theft and phishing, click-through, pump and dump schemes, Nigerian 419 scams, and other forms of consumer fraud
3, 4, 5, 6: Security hardware purchases by criminals, corporate and individual users
7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs
11, 12, 13: ISP services purchased by corporate and individual users, criminals
14: Payments to compensate consumers for damages from ID theft (if provided)
Financial aspects of malware and spam
[Diagram of cost and benefit flows, each link marked + or - for the direction of its effect, between: Cost of prevention and adaptation; Benefits of cybercrime; Damage done, fraud; Malware economy; Cost of law enforcement; Costs of cybercrime; Indirect cost to society; Total crime cost, direct and indirect]
Data Theft (what data are we talking about?)
Personally Identifiable Information (PII): identifying information means any name or number that may be used alone or with other information to identify a specific person: name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, biometric data, etc.
Likely one of the most valuable assets that we have and one that businesses need to protect. Why? Information is exponential and reusable. Information can be sold to multiple buyers and can be used in many profitable ways.
Credit card thefts, 2009
[Chart] Source: Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, June 10th, 2009; Moscow, January 28-31, 2010
ID Theft is the fastest growing crime in the world.
• Over 9 million victims a year on average worldwide
• Top consumer complaint to the Police or the Federal Trade Commission
• Studies on the total cost of identity theft vary. One study indicates that identity theft costs U.S. businesses and consumers $50 to $60 billion a year
• Individual victims lose an average of $1,500.00 each in out-of-pocket expenses and require tens or hundreds of hours to recover – some never do.
ID Theft
• Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.
• Types of identity theft include, among others:
• Account take over
• Financial fraud – credit card or bank account (most common)
• New account
• Social Security Number (SSN) identity theft. Someone steals your SSN and obtains employment in your name. The thief's employer reports wages earned to the IRS under your SSN, leaving you to pay income taxes on these earnings.
• Medical identity theft. Someone steals your identity and either obtains medical insurance in your name or uses your current medical insurance policy to obtain treatment or prescriptions.
• Driver's license identity theft. Someone commits traffic-related offenses in your name. When the identity thief fails to appear in court, warrants are issued in your name.
Phishing
• Use of email to trick someone into providing information or into going to a malicious Web site by falsely claiming to be from a known entity. These attacks are becoming more and more sophisticated. Use of social networking sites will become an issue.
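An added example, not part of the original presentation, showing two mechanical checks a mail filter or a careful reader can apply to the kind of message described above: whether the sender's domain belongs to the organisation the display name claims, and whether the visible text of a link agrees with where the link actually points. The e-mail below is a constructed sample; its domains are placeholders under the reserved .test TLD, and the trusted-domain list is an assumption of the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real e-mail): a lookalike sender domain
# and a link whose visible text differs from its real destination.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
To: customer@example.test
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended. Please verify at
<a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/secure</a>
</p></body></html>
"""

# Assumption of the example: domains the bank in the display name really uses.
TRUSTED_DOMAINS = {"example-bank.test"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _is_trusted(domain, trusted):
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def phishing_indicators(raw_message, trusted_domains):
    """Return a list of human-readable warnings for the message, or [] if none fire."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1: the domain behind the From address versus the name it displays.
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    if not _is_trusted(sender_domain, trusted_domains):
        findings.append("sender domain %s is not a known domain for %r"
                        % (sender_domain, sender.display_name))

    # Check 2: every link's real target versus what the reader sees.
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        if not href.lower().startswith("https://"):
            findings.append("link %s is not HTTPS" % href)
        text_host = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host and text_host != _host(href):
            findings.append("link text shows %s but points to %s" % (text_host, _host(href)))
    return findings


def demo():
    return phishing_indicators(SAMPLE_EMAIL, TRUSTED_DOMAINS)


if __name__ == "__main__":
    for warning in demo():
        print("WARNING:", warning)
```

These checks are deliberately cheap and catch only the crude cases; a phishing message sent from a compromised account of someone you know, as the slides later warn, passes the sender check entirely, which is why user awareness and two-factor authentication still matter.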
Botnets
“At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week” - Damballa Report 2010.
Of the top 10 largest botnets in 2010, six did not exist in 2009. Only one (Monkif) had been ranked among the 10 largest botnets of 2009. The top 10 largest botnets in 2010 accounted for approximately 47% of all botnet-compromised victims, down from 2009, when the top 10 botnets accounted for 81% of all victims.
Botnet Definition
A Botnet is a network of compromised machines (bots) remotely controlled by an attacker.
[Diagram: the Attacker sends Commands to the Bots (B); the Bots launch Attacks against Uncompromised Hosts (U). Key: B = Bot, U = Uncompromised Host]
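The definition above says a bot is remotely controlled by an attacker; on the defender's side that control channel usually shows up as a host contacting the same destination at a regular interval to pick up commands. The following added example (not from the original slides, and going beyond them) flags such regular check-ins in constructed firewall log lines by computing, for each source/destination pair, how evenly spaced its connections are (the coefficient of variation of the gaps between them). The log format, the hosts and the thresholds are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log lines (sample data, not from the slides):
# "<ISO timestamp> <source host> <destination host> <destination port>".
# 10.0.0.5 checks in with 203.0.113.9 about once a minute; 10.0.0.7 browses
# 198.51.100.4 at irregular times.
LOG_LINES = [
    "2011-03-31T10:00:00 10.0.0.5 203.0.113.9 443",
    "2011-03-31T10:01:01 10.0.0.5 203.0.113.9 443",
    "2011-03-31T10:02:00 10.0.0.5 203.0.113.9 443",
    "2011-03-31T10:02:59 10.0.0.5 203.0.113.9 443",
    "2011-03-31T10:04:00 10.0.0.5 203.0.113.9 443",
    "2011-03-31T10:05:01 10.0.0.5 203.0.113.9 443",
    "2011-03-31T10:06:00 10.0.0.5 203.0.113.9 443",
    "2011-03-31T10:07:00 10.0.0.5 203.0.113.9 443",
    "2011-03-31T10:00:12 10.0.0.7 198.51.100.4 443",
    "2011-03-31T10:00:45 10.0.0.7 198.51.100.4 443",
    "2011-03-31T10:03:10 10.0.0.7 198.51.100.4 443",
    "2011-03-31T10:03:20 10.0.0.7 198.51.100.4 443",
    "2011-03-31T10:09:50 10.0.0.7 198.51.100.4 443",
    "2011-03-31T10:10:02 10.0.0.7 198.51.100.4 443",
    "2011-03-31T10:10:03 10.0.0.7 198.51.100.4 443",
    "2011-03-31T10:15:40 10.0.0.7 198.51.100.4 443",
]


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(lines, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for every pair whose
    connection gaps are regular enough to look like a scheduled check-in.

    cv is the population standard deviation of the gaps divided by their
    mean: near 0 for clockwork beacons, well above 0.1 for human browsing.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _port = parse_line(line)
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:      # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((src, dst, round(avg, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, avg, cv in find_beacons(LOG_LINES):
        print("possible beacon: %s -> %s every %.1fs (cv=%.3f)" % (src, dst, avg, cv))
```

On the sample data only the 10.0.0.5 pair is reported (mean gap 60 s, cv about 0.015). Real bots add random jitter and sleep across idle hours, so in production this heuristic is one signal to combine with destination reputation and volume, not a verdict on its own.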
Social network malware: distribution 2009
[Chart] Source: Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, June 10th, 2009; Moscow, January 28-31, 2010
Cost depends on how many followers you have and how commercial your name is
Who are the criminals? Three case studies
• Are financially-motivated cyber-criminals actively working with traditional organized crime groups? Or are they opportunistically organizing among themselves? Or, still, are they simply passively working with O.C. groups for support tasks, e.g. money laundering?
• Three case studies
Case Study: Innovative Marketing Ukraine
• Formed circa 2002.
• 2008 revenue estimated at $180 million.
• Estimated to employ 200-500 staff (HR, call center operators to dissuade victims and avoid credit complaints, malware & scareware developers, etc.) in Ukraine, India, and the United States.
• Criminal activities: Scareware (or “Ransomware”, meant to frighten users into providing their credit card data in order not to lose their data), Adware, Credit Card Fraud (reselling of the credit cards “customers” were ransomed into providing to IMU). Early activities included the selling of pirated media (music, pornography) and software as well as pharmaceuticals such as Viagra.
• 2010: the F.T.C. persuades a U.S. federal judge to fine IMU and two associated individuals $163 million USD.
Case Study: GlavMed
• Registered in 2006
• Revenue estimated at $150 million
• Glavmed is the public-facing affiliate program which sponsors spammers to promote what are generally known to be illegal pharmacy websites. It appears to be a cover for the real sponsor organization behind all of these sites: Spamit. These include Canadian Pharmacy, one of the most-spammed properties (2006-2008).
• In September 2010, Russian authorities announced a criminal investigation. Around that same time, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other partner networks. Meanwhile, Glavmed remains open for business, and is still paying affiliates to promote pharma sites.
Case Study: Russian Business Network
• Based in St. Petersburg (RU). Operated as a host or Internet Service Provider for illicit services such as child pornography, malware distribution, etc.
• Domain names registered in 2006.
• 2006-2007 revenue estimated at $150 million.
• Criminal activities: Spam (estimated to have been actively involved with up to 50% of worldwide spam distribution at their height), malware, phishing scams (estimated to have been behind up to 50% of phishing spams throughout 2007), all the while providing hosting services for other criminal activities such as the dissemination of child pornography, identity theft, credit card fraud, etc.
• Alleged to have dispersed (but not suspended) its activities as of 2008, due to increasing attention from international security vendors, media, and law enforcement.
What we can do: 10 golden rules
• Use a modern browser with anti-phishing protection
• Isolate and regularly change key passwords
• Use regularly updated anti-virus
• Use a firewall
• Update your operating system regularly
• Check your bank statements regularly
• Subscribe to a Credit Protection service
• Use 2-factor authentication when you can
• Be highly suspicious of anyone asking for personal info via email or any web 2.0 medium, even folks you know, as they may have had their own account compromised.
• Be highly suspicious of anything that you receive electronically that is unsolicited.
Protect Yourself at Public Wi-Fi Hotspots
• Any data transferred between a user and a Website using an HTTPS address and SSL encryption, such as online banking sites, is just as secure on a hotspot as it would be on a private secured network. Wi-Fi hackers or eavesdroppers sitting around the hotspot cannot capture a user’s login credentials or see any information from these secured sites.
• Your risks increase, however, if you must log in to sites that aren’t secured. Even if the site isn’t all that sensitive, such as a discussion forum, eavesdroppers can capture your login credentials, which they may also use for other more important sites. That’s why it’s important to use unique usernames and passwords for every site.
• To secure any unencrypted Internet traffic that’s sensitive (such as e-mail) on hotspots, the simplest, most affordable solution is to use a Virtual Private Network (VPN). Connecting to a VPN server or service encrypts all of your Internet traffic, so local Wi-Fi eavesdroppers can’t capture it.
• Practice defensive computing: use a VPN, vary your usernames and passwords, learn how to adjust the sharing and privacy settings on your device, and don’t enter login information if you’re unprotected at a public hotspot.
BRIGHT
BRIGHT is the first online magazine entirely focused on transnational organized crime and is run by FLARE, an international research network (Fight, Learn, Act, Report, Explore).
Get your own, FREE copy of the special issue of BRIGHT on “Digital Mafia: into the Cybercrime World”.
Articles:
• Preface
• Cybercrime: reasons, evolution of the players and an analysis of their modus operandi
• Cybercrime & underground economy: operating and business model
• The power of networking: an insight on the Russian Business Network
• International cybercrime
• Innovative cybercrime: made in Ukraine?
• UNICRI: knowledge and information on emerging threats
Download: http://www.flarenetwork.org/report/enquiries/article/digital_mafia_into_the_cybercrime_world.htm
FREE copy of “F3” (Freedom from Fear, the UNICRI magazine) issue #7, totally focused on Cybercrimes!
DOWNLOAD: www.FreedomFromFearMagazine.org
Ms. Francesca Bosco
Project officer on cybercrime
Emerging Crimes Unit
E-mail: email@example.com
www.unicri.it
Thank you for your attention