How to survive in an era of
hacktivists, cyber espionage and
internet fraudsters?

The need for an integrated approach
to undermine the criminal cyber architecture

                             Brussels, 21 March 2013
                             e-Shop Expo


© 2013 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime
Presentation

 @LucBeirens
 Chief Commissioner
 Head of the Federal Computer Crime Unit
 Belgian Federal Judicial Police
 Direction Economical and financial crime




                   Chairman of the EU Cybercrime Task Force,
                   representing the organization of heads of
                   national high-tech crime units of the EU
Topics - overview

 An analysis of the eSociety situation
 Who is threatening eSociety and how?
  Inside threat / outside threats

 Possible damage to eGov and
  eSociety

 Which response to give to this ?
What is there to protect ?

 Your company / public image

 Your market share (even as public service)

 Your business activity / products

 Your existence as such

            Cybercrime threats © Belgian Federal Computer Crime Unit
What is there to protect ?

 Data (stored or in transmission)
    Personal data of our employees / citizens / customers
    Info on the organisation (policy / functioning / financial)
    Info on your activity and products (price list, patents, source code)
 Our information infrastructure
    Internal / external systems
    Network connections
    Storage and backup systems

 Privacy law requires organisational and technical
  measures to protect personal data
eShop
 Be recognisable to your customers
 Beware of imposters
    Use of certificates / control over your domain

 Keep your customers safe
    Data
    Transactions

 Get paid for your services / products

 Don't unwillingly become a criminal service platform
e-Architecture (diagram): the components shown are an externally managed
infrastructure, a Certification Authority, an externally hosted website, a VPN,
the Internet, DNS, the internal network behind a firewall with a DMZ holding the
own webserver, a backup server and a cloud service center, SCADA / process
control systems, and end users including roaming users.
                                                                               © Luc Beirens
General trends today
 Evolution towards e-society
      replacing persons by e-applications
      Interconnecting all systems (admin, industrial, control)
      Mobile systems / Cloud
      Social networks

 IP is the common platform offered by many ISPs,
  integrating telephony / data / VPN & all new apps
  = opportunities / Achilles heel / scattered traces

 Poor security in legacy applications and protocols
  (userid + password) => identity fraud is easy

 End user is not yet educated to act properly
What do criminals want ?

 Become rich / powerful
  rapidly, easily, with a very big ROI,
  in an illegal way if needed


 Destabilise (e-)society
  by causing trouble
First conclusions ?

 Society is thus very heavily dependent on ICT
 ICT = important vulnerability of modern society
 End user = weakest link => biggest danger

 Need to
    Guarantee continuity of ICT functioning
    Availability and integrity of data

 Data is more and more in the cloud
    Accessible from all over the world
    Outside the jurisdiction of your country
Who is threatening us?
   Script kiddies
   Insider ICT staff in your company
   Loosely organized criminals
   Firmly organized criminal groups
   Terrorists / hacktivists
   Foreign states / economic powers
   Nation-state cyber warfare troops
What are the outside threats ?




Threats in messages
on hacker sites
 Wiping away the websites in your state
 Infiltration of the servers of the Public Treasury,
  disrupting tax collection
 Infiltration of bank accounts
 Attacks on media websites
 Attacks on e-commerce websites
 Distribution of personal data and
  credit card information

 Targeting also in the end-of-year period
Focus

   On individuals
   On webservers
   On your organization
   On your partner's organization
   On your infrastructure
   On cyber infrastructure
Hacking webservers
 Motives of the criminal:
     Perform defacement
     Use as storage platform for illegal content (child porn)
     Use as intermediate platform for criminal activity
     Get sensitive information and extort the victim ("idiot tax")
     Get financial information (credit cards)
 To do:
   Update software, strong admin access, no personal data on the server
   Follow up pastebin.com: a hackers' drop-off site
E-Shop risks

 "Forgotten" test environments
   Use of real data
   No logging of
 Applications with debugging procedures left enabled
 Databases with all user data on the webserver
  instead of inside the LAN
 User profiles unencrypted / passwords unsalted?
 Credit card information in profiles?
 Use of stolen credit cards (new payment systems)
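The "unencrypted / unsalted" question above deserves a concrete illustration. The following Python is an added example (mine, not code from the presentation or from any shop): an unsalted fast hash on the left lets one dictionary pass crack every customer at once, while a random per-user salt with a slow key derivation function (scrypt from the standard library) does not, and the stored record carries its own parameters so they can be raised later. The user names, passwords, the wordlist and the scrypt work factors are all constructed assumptions.

```python
"""Added example, not from the presentation: weak vs hardened password storage
for e-shop user profiles. Standard library only; all user data is constructed."""
import hashlib
import hmac
import os

# --- the weak pattern: unsalted, fast hash -----------------------------------
def weak_hash(password: str) -> str:
    # Same password => same hash for every user, and SHA-1 is cheap to brute force.
    return hashlib.sha1(password.encode()).hexdigest()

def crack_weak(hashes_by_user: dict, wordlist: list) -> dict:
    # One hash per candidate word tests it against *all* users at once.
    table = {weak_hash(w): w for w in wordlist}
    return {u: table[h] for u, h in hashes_by_user.items() if h in table}

# --- hardened: random per-user salt + scrypt, constant-time comparison --------
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1    # assumed work factors (~16 MiB)

def make_record(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Parameters travel with the record so they can be raised later.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# constructed demo data (not real customers)
USERS = {"alice": "secret123", "bob": "secret123", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "secret123", "letmein", "123456"]

def demo() -> dict:
    weak = {u: weak_hash(p) for u, p in USERS.items()}
    strong = {u: make_record(p) for u, p in USERS.items()}
    return {
        "cracked": crack_weak(weak, WORDLIST),               # alice and bob fall together
        "weak_collide": weak["alice"] == weak["bob"],        # True: unsalted
        "strong_collide": strong["alice"] == strong["bob"],  # False: salted
        "login_ok": verify("secret123", strong["alice"]),
        "login_bad": verify("secret124", strong["alice"]),
        "garbage_record": verify("secret123", "md5$deadbeef"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the per-user salt does not stop a criminal who steals the database from attacking one account at a time; it only removes the "crack everyone with one table" shortcut, and the scrypt cost is what makes each attempt expensive.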
Dossier Cybercrime - NVP PNS 2012-2015
Security : encrypted data !

 Infection of workstations and servers in the
  company LAN
   Using targeted e-mails / social media messages
   Malicious encryption of all user data files
   Ransom demanded for the decryption key
 Of those that paid:
  some got the key, some didn't
 Others had a recent off-line backup!
Intrusions in your LAN
 Intrusion in your system to intercept data that allows
  the criminals to take products away from your stock
    WIFI interception from the parking lot
    Infection by trojan (e-mail)
    (unreported) burglary in the company to place
       hardware keyloggers
       a complete small computer system: WIFI intercept, 3G transmit
 With a valid pick-up ticket they go and fetch the cargo
 To Do:
    Encrypt WIFI transmissions
    Patch through only the network ports of active workstations
     (leave unused wall sockets disconnected)
Intrusion in your
trading account
   CO2 emission certificate trading
   Open data: contact persons of companies
   Spear phishing mail + phishing website
   Access to the trading account
   Millions of € sold in a few hours all over the EU
     Sold far under price & immediately resold
 To do: Awareness
Intrusion in your partner’s LAN

 Intrusion in the LAN of a foreign partner (Chinese)
  to get information
  on your business and invoices to pay
 You get mail with
   Slightly different e-mail addresses
   Change of the bank account number to pay to
    (due to an audit ...)
 To do: verify thoroughly any changes
  before paying
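The "slightly different e-mail address" is the part of this fraud a payment desk can check mechanically before anyone looks at the new bank account number. The Python below is an added example (my code, not from the presentation): it compares the sender domain of an invoice mail with the known partner domains and flags homoglyph swaps (rn for m, 0 for o), one-character typos, the partner name embedded in some other domain, and a Reply-To that points elsewhere. The partner list, the edit-distance threshold and the sample headers are constructed for the illustration; a "hold" still has to be followed by the call-back on a known phone number that the slide asks for.

```python
"""Added example, not from the presentation: flag invoice e-mails whose sender
domain only looks like a known partner. Partner list, thresholds and sample
headers are constructed."""
import re
import unicodedata

TRUSTED_PARTNERS = {"example-partner.com"}    # assumed list of known suppliers
MAX_DISTANCE = 2                              # assumed edit-distance threshold

HEADER_RE = re.compile(r"^(From|Reply-To):.*?<?([\w.+-]+)@([\w.-]+)>?\s*$",
                       re.MULTILINE | re.IGNORECASE)

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    # Fold case / Unicode compatibility forms, then common ASCII confusables.
    d = unicodedata.normalize("NFKC", domain).lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d

def classify_domain(domain: str) -> str:
    if domain in TRUSTED_PARTNERS:
        return "trusted"
    norm = normalise(domain)
    for trusted in TRUSTED_PARTNERS:
        if domain.endswith("." + trusted):
            return "trusted-subdomain"
        if norm == normalise(trusted):
            return "lookalike:homoglyph"
        if levenshtein(norm, normalise(trusted)) <= MAX_DISTANCE:
            return "lookalike:typo"
        if trusted.split(".")[0] in domain:
            return "lookalike:embedded-name"
    return "unknown"

def analyse(raw_headers: str) -> dict:
    domains = {m.group(1).lower(): m.group(3).lower()
               for m in HEADER_RE.finditer(raw_headers)}
    from_dom = domains.get("from", "")
    reply_dom = domains.get("reply-to", from_dom)
    verdict = classify_domain(from_dom)
    reasons = []
    if verdict != "trusted":
        reasons.append(f"sender domain {from_dom!r} is {verdict}")
    if reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From")
    # "hold" means: do not pay until verified by phone on a known number
    return {"from": from_dom, "reply_to": reply_dom, "verdict": verdict,
            "hold": bool(reasons), "reasons": reasons}

# constructed sample headers (documentation domains, not real mail)
SAMPLES = {
    "legit":     "From: Accounts <accounts@example-partner.com>\nSubject: Invoice 4711\n",
    "homoglyph": "From: Accounts <accounts@exarnple-partner.com>\nSubject: Invoice 4711 - new bank details\n",
    "typo":      "From: accounts@example-partner.co\nSubject: Invoice 4711\n",
    "embedded":  "From: accounts@example-partner.com.mail-audit.example\nSubject: Invoice 4711\n",
    "reply_to":  "From: accounts@example-partner.com\nReply-To: accounts@mail-audit.example\nSubject: Invoice 4711\n",
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, analyse(hdrs))
```

The From header is trivially forgeable, so a "trusted" verdict here only means the check found nothing wrong with the visible address; it is a filter in front of the phone call, not a substitute for it.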
Attacking infrastructure

 Remote managed infrastructures in your
  buildings
   Central heating
   Elevator
 Creating disruption of this infrastructure
  => leads to high cost
 To do: verify whether this applies to you and
  your infrastructure management company
Hacking into cloud accounts
 SMEs that have all their information
  in cloud accounts
 Hacking into these accounts
    Taking over access control
    Sending SOS e-mails ("robbed, money needed")
    Deleting all contact information in the account
     => preventing warning e-mails
     after the owner gets back access to the account
 To do:
    enforce strong authentication and a second way to access
     the account
    Have backups of these systems
Cyber crime
against cyber infrastructure
 Payment systems
   2010 Wikileaks case : “Anonymous” attack on VISA,
    Paypal, Mastercard,...


 DNS system
  create fraudulent routing or use for DDOS
 Certification authorities (DigiNotar)
 Data centers (blocks all servers in it)
Cybercrime focusing on
 individuals
 Individuals are
   also working in companies / government
   Using social networks / webmail
      Often used to exchange business-related info
      Containing access code information
 Hacking of these profiles / webmails
   Abuse to infect people you know
   Get personal information on you and your contacts
   Commit fraud
 Internet fraud of all kinds
 Interception of webcam sex sessions for extortion
                     Luc Beirens - FCCU -2012
What are the criminals' tech
tools to hack and attack?
 Malware attacks (viruses, worms, trojans, ...)
  fast-spreading zero-day infections
  => no immediate cure => lots of victims
       (especially home PCs, available 24 / 365)

 Abuse of infected computers to create botnets
  (large "armies" of PCs under the control of 1 master)
  => used to make massive attacks on
       webservers or network nodes
  => high risk for your critical ICT infrastructure
Webserver / node (diagram): botnet attack on a webserver / node. The hacker
sends commands to a Command & Control server; each infected PC reports
"My IP is x.y.z.z" and joins the flood over the Internet until the target
computer crashes or its access line is blocked.

Webserver / node (diagram): malware update / knowledge transfer. The hacker
runs a Command & Control server, a knowledge server and a malware update
server; the bots send very frequent malware update requests and report back
on trigger events.
Why ? Making money !
   Sometimes still for fun (script kiddies)
   Spam distribution via zombies
   Click generation on banner advertising
   Dialer installation on zombies to make premium-rate calls
   Spyware installation

 Espionage => banking details / passwords / keylogging

 Ransom bot => encrypts files => money for the password

 Capacity for distributed denial of service attacks (DDOS)
  => disturb the functioning of an internet device (server/router)
How big is the problem ?

   Already criminal cases in several countries
   Botnets detected
     Several hundred botnets worldwide
     Several thousand C&C servers worldwide
     Thousands up to millions of zombie computers
      online
     Generated huge data traffic, up to 40 Gbps


   Dismantling / crippling botnets
e-Crime underground business

  Underground fora and chatrooms
    Restricted access, on invitation
    Secured by encryption
  Botnets for hire
    Control over a bot for spam: 0.04 $ / bot / day
    Small-scale attack, 20 Mbps: 50 - 100 $ / day
    Large-scale attack, 10 Gbps: 1000 $ / day
  Malware development on demand
Important DDOS cases
   UK 2004: gambling website down (+ hoster + ISP)
   NL 2005: 2 botnets: millions of zombies
   BE 2005: DDOS on chat network of media firms
   BE 2005: DDOS on a firm (social conflict)
   US 2006: Blue Security firm stops activity
   SE 2006: government and police websites down
              due to DDOS after police raid on P2P
   EE 2007: widespread DDOS attack on Estonia
              after incidents around the moving of a soldier statue
   Georgia 2008: cyber war during the military conflict
   World 2010: Wikileaks case: Visa, Mastercard, Paypal
   World 2012: CIA, FBI, US DOJ, EU, ArcelorMittal ...
Attacks on
eSociety authentication systems
using malware and botnets




Authentication
Authentication systems (diagram: eService website <-> eService user)
 Classic: userid + password + a code from a printed token list
    user: u123
    password: secret123
    Give token 15: Word15
  Attack: intercepted userid + password; 36 sessions intercepted,
   or a phishing website collecting 3 x 12 tokens
   => consultation & transfers by the criminal
New authentication systems
One-time passwords
 Time based
    Give OT password: time-dependent code
  Attack: wait for the authentication, afterwards perform the
   transaction in the authenticated session => consultation & transfers
 Challenge based
    Calculate OTP with challenge 12345678 => calculated OTP
  Attack: wait for the authentication; to get a valid response for the
   transaction's own challenge the criminal needs the user's cooperation ????
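The difference between the two one-time-password designs on this slide, as an added example (my code, not from the presentation or from any bank): a time-based code captured by a fake site or keylogger is still valid for the rest of its 30-second window, so the criminal can spend it on a transfer to a money mule; a response computed over a challenge derived from the beneficiary and amount is worthless for any other transaction. HOTP and TOTP follow RFC 4226 / RFC 6238; the shared secret, the accounts, the amounts and the way the challenge is derived from the transaction are constructed assumptions, not a specific bank's scheme.

```python
"""Added example, not from the presentation: replay of a captured one-time
password vs. a response bound to the transaction. HOTP per RFC 4226, TOTP per
RFC 6238; secret, accounts and amounts are constructed."""
import hashlib
import hmac
import struct

SECRET = b"constructed-device-secret-0001"   # assumed secret shared by token and bank
STEP = 30                                     # assumed TOTP time step (seconds)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp(secret: bytes, now: int) -> str:
    return hotp(secret, now // STEP)

def transaction_challenge(beneficiary: str, amount_cents: int) -> int:
    # The challenge is derived from the transaction, so the response the user
    # computes on the reader is only valid for this payee and amount.
    h = hashlib.sha256(f"{beneficiary}|{amount_cents}".encode()).digest()
    return int.from_bytes(h[:4], "big") % 10 ** 8

def sign_transaction(secret: bytes, beneficiary: str, amount_cents: int) -> str:
    return hotp(secret, transaction_challenge(beneficiary, amount_cents), digits=8)

class Bank:
    """Server side. mode 'totp': login and transfers take a fresh time-based code.
    mode 'sign': every transfer needs a response to its own challenge."""
    def __init__(self, secret: bytes, mode: str):
        self.secret, self.mode = secret, mode

    def login(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))

    def transfer(self, beneficiary: str, amount_cents: int, proof: str, now: int) -> bool:
        if self.mode == "totp":
            return self.login(proof, now)      # nothing ties the code to the payee
        expected = sign_transaction(self.secret, beneficiary, amount_cents)
        return hmac.compare_digest(proof, expected)

MULE, SHOP = "BE00 MULE 0000 0001", "BE00 SHOP 0000 0001"   # constructed accounts

def replay_attack(mode: str) -> tuple:
    """The victim authenticates a legitimate action; the code is captured by a
    fake site / keylogger and reused by the criminal within the same window."""
    bank = Bank(SECRET, mode)
    now = 56_666_667 * STEP                    # aligned to the start of a window
    if mode == "totp":
        captured = totp(SECRET, now)
        victim_ok = bank.login(captured, now)
        attacker_ok = bank.transfer(MULE, 250_000, captured, now + 20)
    else:
        captured = sign_transaction(SECRET, SHOP, 4_999)
        victim_ok = bank.transfer(SHOP, 4_999, captured, now)
        attacker_ok = bank.transfer(MULE, 250_000, captured, now + 20)
    return victim_ok, attacker_ok

if __name__ == "__main__":
    print("time-based OTP  (victim, attacker):", replay_attack("totp"))
    print("transaction sig (victim, attacker):", replay_attack("sign"))
```

The "sign" mode only helps if the reader shows the beneficiary and amount to the user before they type the response, which is exactly why the next slide says the criminal's fallback is social engineering: talking the user into signing the criminal's transaction.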
If technical security is ok ...

   They are informed of your web activity via the botnet
   They know you! (knowledge base & social networks)
   They will switch to social engineering
    They will make you believe they are someone else
    to make you do something they want / need
   Abusing expected "normal user behaviour"
      Fear of, or willingness to help or cooperate with, hierarchy /
       security services / helpdesk / vendors / (business) partners
      Love for (new) friends
      Greed
Activity spying (diagram, 13 numbered steps): trojan distribution campaign via
spam; use of intermediate systems (proxy) to control the network; hackers'
knowledge database; keylogging on the eBank user's PC with local storage; the
user trying to surf to the real bank site is redirected to a fake site, where
the authentication is captured and replayed to the bank site together with a
money transfer order; bank account transfer to a money mule, a money collector
and a fake company.
Latest malware developments
  Stuxnet: very complex and elaborate trojan
  Several replication vectors:
    Networks
    USB keys
  Connects to a C&C botnet server
  Focused on industrial control systems
    Searches for systems running this control software
    Collects information on Siemens PLC systems
    Changes the process logic on infected machines
  Duqu, based on Stuxnet: spying purposes
Biggest threat ? Criminal’s
Knowledge database
 SQL (structured query language) databases
 Several backup servers
 Content
      Keylogging (everything, including userids and passwords)
      Screenshots (of all opened windows, websites, ...)
      URLs
      IP addresses
 Base for reverse R&D to counter new security measures
Cases ?

 e-Banking fraud

 Hacking of large institutions / firms
      Long time unaware of the hacking
      Keylogging
      Encrypted files on PCs
      Internal botnet
      Intermediate step to other networks
      Often no complaint
Large firm hacking
using an internal botnet (diagram): a hacker on the Internet controls bots
inside the company network.
And the victims ?
 Who ?
   Transactional websites
   Communication networks
   ISPs and all their other clients


 Reaction
   Unaware of incidents going on
   ISPs try to solve it themselves
   Nearly no complaints made, even when asked ...

 Result? The hackers go on developing botnets
Combined threat

 What if abused by terrorists?
  ... simultaneously with a real-world attack?

 How will you handle the crisis?
  Your telephone system is not working!
Risks

 Economic disaster
   Large scale: critical infrastructure
   Small scale: enterprise


 Individual data

 Loss of trust in e-society
Who investigates ICT crime ?
   Prosecutors / examining judges
   Specialised police forces (national & international)
   Legal expert witnesses
   Specialised forensic units of consulting firms
   Associations defending commercial interests

   Security firms => vulnerabilities
   Activist groups => publish info on the "truth"
E-Police organisation and tasks (integrated police)
 National level: Federal Police, 1 Federal Computer Crime Unit (33 persons)
    24 / 7 (inter)national contact point
    Policy, training, equipment, FCCU network
    Operations: forensic ICT analysis, ICT crime combating
    Intelligence: Internet & e-payment fraud, cybercrime,
     www.ecops.be hotline, international internet ID requests
 Regional level: Federal Police, 25 Regional Computer Crime Units
  (1 - 2 judicial districts each, 180 persons)
    Assistance for house searches, forensic analysis of ICT,
     taking statements, internet investigations
    Investigations of ICT crime cases (assisted by the FCCU)
 Local level: first-line police (Federal Police and Local Police)
    "Freezing" the situation until the arrival of the CCU or FCCU
    Selecting and safeguarding digital evidence
                                 © 2013 - Luc Beirens - FCCU - Belgian Federal Police
Our services

 Help to file a complaint
 Attend the scene of the crime
     Draw the architecture of the hacked system
     Image backup of the hacked system (if possible)
   Internet investigations (identification, location)
   House searches
   Taking statements from the parties concerned
   Forensic analysis of seized machines
   Compile a conclusive police report
Investigative problems -
tracking
 Victims: unfamiliar, and fear for their "corporate image"
  => belated complaints, traces trashed / no longer available
 Rather "unknown" world for police & justice
  => delay before the specialised units get involved
  Limited ICT investigation capacity (technical & police skills)
 Multiplication and integration of
  services / providers / protocols / devices
 Lack of harmonised international legislation & instruments
 Anonymous / hacked connections, subscriptions, WIFI
 Intermediate systems often cut the track to the perpetrator
Investigative problems –
evidence gathering

 Delocalisation of evidence: the cloud?
 Exponential growth of storage capacity
  => time consuming:
    backups & verification processes
    analysis
 New legislation / jurisprudence imposes more rigorous
  procedures for evidence gathering in cyberspace

 Bad ICT security:
  how to prove the source and the integrity of the evidence?
Brussels, we have a problem ...



 Complainant: Hello, can you help?
              We are a Belgian hosting firm.
              We have a problem:
              our webservers are hacked
              & several websites
              of our Belgian customers
              have been defaced.
 Police:      OK.
              A few questions to start our file ...
              Who, where, what, when ...
Who is where ?




Who / where / what
 In Belgium
    Hosting firm: nothing in Belgium
    Customer: nothing in Belgium
    Hacked firm: nothing in Belgium
 In the USA
    Hacked webserver
    Defaced website
 In the Netherlands
    Hacked server
 In the UK
    Hacker?
 In Luxembourg
    Hacker?
Conclusions ...
 Competence of the Belgian justice authorities? Discussion
   viewpoint of the Public Prosecutor General: not competent
   viewpoint of the victim's lawyer: competent
   viewpoint of the suspect's defence: ????

 If the choice was made for storage in a foreign country
 Why? Cost? Evade regulations & obligations?
 No (?) protection by Belgian law
 No (?) intervention by law enforcement in Belgium
 Protection by the law & LE of the country where the server is
Preventive
Recommendations
 Draw up a general ICT usage directive (normal usage)
 Awareness program for management & users
  ICT security policy is part of the global security policy
 Appoint an ICT security officer
  => control on the application of the ICT usage & security policy
 Keep critical systems separate from the Internet if possible!
 Use software from a trusted source
 Install recent anti-virus and firewall programs (laptops too)
 Synchronize the system clocks regularly
 Activate and monitor log files on firewall, proxy, access control
 Make & test backups & keep them safe (keep several generations)!
Recommendations
    for victims of ICT crime

   Disconnect from the outside world
   Take note of the last internet activities & exact date and time
   Evaluate: is the damage more important than the restart?
      Restart most important: make a full backup before restoring
      Damage more important: don't touch anything

   Safeguard all messages and log files in their original state
   Inform the Federal Judicial Police ASAP
    and ask for the assistance of the Federal or Regional CCU
   Force a change of all passwords
   Re-establish the connection only if ALL failures are patched
Where to make a
  complaint ?
 Within a police force ...
    Local police service => not specialised
     => not the right place for ICT crime (hacking/sabotage/espionage)
     => the place to file complaints on Internet fraud
    Federal judicial police (FGP) => better but ...
     Regional CCU => the right place to be for ICT crime
    Federal Computer Crime Unit => 24/7 contact
     Risks to vital or crucial ICT systems => call urgently
    Illegal content (child porn, ...) => www.ecops.be

 ... or immediately report to a magistrate?
    Local prosecutor (Procureur) => will send it to the police
     => can decide not to prosecute
    Examining judge => complaint with a deposit of bail
     => obligation to investigate the case
For the sys admin
 Several layers of protection
   Internal firewalls
   Encrypted communications
   Encrypted databases

 Check the active sysadmin profiles on servers

 Log and follow up FW, IDS: IP + port + time
 Don't depend on a single certification authority: have your
  certificates obtainable from a second CA as well, so that a CA
  compromise (cf. DigiNotar) does not take your shop offline
Contact information
Federal Judicial Police
Direction for Economical and Financial crime
Federal Computer Crime Unit
Notelaarstraat 211 - 1000 Brussels – Belgium


Tel office      : +32 2 743 74 74
Fax             : +32 2 743 74 19

E-mail          : luc.beirens@fccu.be
Twitter         : @LucBeirens


20130321 Cybercrime threats on e-commerce online shops

  • 1.
    How to survivein an era of hacktivists, cyber espionnage and internet fraudsters ? The need for an integrated approach to undermine the criminal cyber architecture Brussels, 21 March 2013 e-Shop Expo © 2013 Luc Beirens – Federal Computer Crime Unit - Belgian Federal Judicial Police – Direction economical and financial crime
  • 2.
    Presentation  @LucBeirens ChiefCommissioner Head of the Federal Computer Crime Unit Belgian Federal Judicial Police Direction Economical and financial crime Chairman of the EU Cybercrime task force representing the organization of heads of national hightech crime units of the EU
  • 3.
    Topics - overview An analysis of the eSociety situation  Who is threating eSociety and how ? Inside threat / outside threats  Possible damage to eGov and eSociety  Which response to give to this ?
  • 4.
    What is thereto protect ?  Your company / public image  Your market share (even as public service)  Your business activity / products  Your existance as such Cybercrime threats © Belgian Federal Computer Crime Unit
  • 5.
    What is thereto protect ?  Data (stored or in transmission)  Our personal data employees / citizens / customers  Info on the organisation (policy/functioning/financial)  Info on your activity, product (price list, patents, source code)  Our information infrastructure  Internal / external systems  Network connexions  Storage and backup systems  Privacy law requires measures organisational and technical to protect personal data Cybercrime threats © Belgian Federal Computer Crime Unit
  • 6.
    eShop  Be recognisableto your customers  Beware of imposters  Use of certificates / control over domain  Keep your customers safe  Data  Transactions  Get paid for your services / products  Don’t become unwillingly a criminal service platform Cybercrime threats © Belgian Federal Computer Crime Unit
  • 7.
    e-Architecture Externally managed infrastructure Certification Authority Externally hosted website VPN Internet DNS Internal network Firewall DMZ own Backup server webserver Cloud service center SCADA End user Roaming user Process control © Luc Beirens
  • 8.
    General trends today Evolution towards e-society  replace persons by e-applications  Interconnecting all systems (admin, industrial, control)  Mobile systems – Cloud  Social networks  IP is common platform offered by many ISPs integrating telephony / data / VPN & all new apps =opportunities / Achilles tendon / scattered traces  Poor security in legacy applications and protocols (userid+pw)=> identity fraud is easy  Enduser is not yet educated to act properly
  • 9.
    What do criminalswant ?  Become rich / powerfull rapidly, easily, very big ROI in an illegal way if needed  Destabilaze (e-)society by causing troubles
  • 10.
    First conclusions ? Society is thus very heavily depending on ICT  ICT = important vulnerability of modern society  End user = weakest link => biggest danger  Need to  Guarantee continuity of ICT functioning  Availability and integrity of data  Data is more and more in the cloud  Accessible from all over the world  Outside jurisdiction of your country
  • 11.
    Who is threatingus ?  Script kiddies  Insider ICT guy in your company  Loosely organized criminals  Firmly organized criminal groups  Terrorists / hacktivists  Foreign states / economical powers  Nation warfare troups
  • 12.
    What are theoutside threats ? Cybercrime threats © Belgian Federal Computer Crime Unit
  • 13.
    Threats in messages onhackersites  Wiping away the websites in your state  Infiltration in servers of the Public Treasury disrupting tax collection  Infiltration in bank accounts  Attacks on media websites  Attacks on e-commerce websites  Distribution of personnel data and credit card information  Targetting also in the end of the year period Cybercrime threats © Belgian Federal Computer Crime Unit
  • 14.
    Focus  On individuals  On webservers  On your organization  On your partner’s organization  On your infrastructure  On cyber infrastructure Cybercrime threats © Belgian Federal Computer Crime Unit
  • 15.
    Hacking webservers  Motivesof criminal :  Perform defacement  Use as storage platform for illegal content (childporn)  Use as intermediate platform for criminal activity  Get sensitive information and do extortion (idiot tax)  Get financial information (credit cards)  To do :  Updates SW, strong admin access, no pers data on srvr  Follow up pastebin.com : a hackers drop off Cybercrime threats © Belgian Federal Computer Crime Unit
  • 16.
    Cybercrime threats ©Belgian Federal Computer Crime Unit
  • 18.
    E-Shop risks  “Forgotten”test environments  Use of real data  No logging of  Applications with debugging procedures  Data bases with all user data on webserver instead of inside LAN  User profiles unencrypted / unsalted ?  Credit card information in profiles ?  Use of stolen credit (new payment systems) Cybercrime threats © Belgian Federal Computer Crime Unit
  • 19.
    Dossier Cybercrime -NVP PNS 2012-2015
  • 20.
    Security : encrypteddata !  Infection of workstations and servers in company LAN  Using targetted e-mails / social media messages  Malicious encryption of all user data files  Ransom to get decryption key  From those that paid : some got key some didn’t  Others had a recent off-line backup ! Cybercrime threats © Belgian Federal Computer Crime Unit
  • 21.
    Intrusions in yourLAN  Intrusion in your system to intercept data that allows to take away products from your stock  WIFI interception from parking  Infection by trojan (e-mail)  (unreported) burglary in the company to place  hardware keyloggers  complete small computer system WIFI intercept 3G transmit  With valid ticket go fetch cargo  To Do :  Encrypt WIFI transmissions  Patch only active workstation connections Cybercrime threats © Belgian Federal Computer Crime Unit
  • 22.
    Intrusion in your trading account
    - Carbon dioxide certificates trade
    - Open data: contact persons of companies
    - Spear phishing mail + phishing website
    - Access to the trading account
    - Millions of € sold in a few hours all over the EU
    - Sold far under price & immediately resold
    To do: awareness
  • 23.
    Intrusion in your partner's LAN
    - Intrusion in the LAN of a foreign (Chinese) partner to get information on your business and on the invoices you have to pay
    - You get mail with:
      - Slightly different e-mail addresses
      - A change of the bank account number to pay to ("due to audit ...")
    To do: verify thoroughly any change before paying
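The "verify thoroughly before paying" step above, as an added example that is not part of the presentation: an accounts-payable pre-check that flags a sender domain one or two characters away from a known partner's, rejects an IBAN that fails the ISO 13616 mod-97 checksum, and warns when the account differs from the one on file. The partner record and the IBANs are constructed sample values.

```python
import re

# Constructed on-file supplier record; a real check would read this from the
# accounts-payable master data, never from the incoming mail itself.
KNOWN_PARTNERS = {
    "partner-example.com": {"iban": "BE68539007547034"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains (e.g. 'rn' for 'm')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first 4 characters to the end, map A=10..Z=35, remainder must be 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def check_invoice_mail(sender: str, claimed_iban: str) -> list:
    """Return the warnings a payment clerk should see before releasing the payment."""
    warnings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_PARTNERS:
        close = [d for d in KNOWN_PARTNERS if 0 < edit_distance(domain, d) <= 2]
        if close:
            warnings.append(f"sender domain {domain} looks like known partner {close[0]}")
        else:
            warnings.append(f"sender domain {domain} is not a known partner")
        return warnings
    iban = re.sub(r"\s+", "", claimed_iban).upper()
    if not iban_is_valid(iban):
        warnings.append("IBAN fails the mod-97 checksum")
    if iban != KNOWN_PARTNERS[domain]["iban"]:
        warnings.append("bank account differs from the one on file: confirm by phone on a known number")
    return warnings
```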
  • 24.
    Attacking infrastructure
    - Remotely managed infrastructures in your buildings
      - Central heating
      - Elevator
    - Creating disruption of this infrastructure => leads to high cost
    To do: verify whether this applies to you and to your infrastructure managing company
  • 25.
    Hacking into cloud accounts
    - SMEs that have all their information in cloud accounts
    - Hacking into these accounts
      - Taking over access control
      - Sending of SOS e-mails ("robbed, money needed")
      - Deleting all contact information in the account => preventing warning e-mails after the owner regains access to the account
    To do:
    - Enforce strong authentication and a second way to access the account
    - Have backups of these systems
  • 27.
    Cyber crime against cyber infrastructure
    - Payment systems
      - 2010 Wikileaks case: "Anonymous" attack on VISA, Paypal, Mastercard, ...
    - DNS system: create fraudulent routing or use for DDOS
    - Certification authorities (Diginotar)
    - Data centers (blocks all servers in it)
  • 29.
    Cybercrime focusing on individuals
    - Individuals are also working in companies / government
    - Use social networks / webmail
      - Often used to exchange business related info
      - Containing access code information
    - Hacking of these profiles / webmails
      - Abuse to infect people you know
      - Get personal information on you and your contacts
      - Commit fraud
    - Internet fraud of all kinds
    - Webcam sex interception to do extortion
    Luc Beirens - FCCU -2012
  • 30.
    What are the criminals' tech tools to hack and attack?
    - Malware attacks (viruses, worms, trojans, ...): fast spreading zero-day infections => no immediate cure => lots of victims (especially home PCs – 24 / 365 available)
    - Abuse of infected computers to create botnets (large "armies" of PCs under control of 1 master) => used to make massive attacks on webservers or network nodes => high risk for your critical ICT infrastructure
  • 31.
    [Diagram: Botnet attack on a webserver / node – the hacker sends commands ("Cmd") through a Command & Control Server to infected PCs on the Internet; the bots all target the webserver / node ("My IP is x.y.z.z"), its access line is blocked and the computer crashes]
  • 32.
    [Diagram: Malware update / knowledge transfer – the hacker runs a Command & Control Server, a Malware update server and a Knowledge server; on a trigger event the infected machine sends very frequent MW update requests and receives MW updates, while the collected knowledge is transferred to the Knowledge server]
  • 33.
    Why? Making money!
    - Sometimes still for fun (script kiddies)
    - Spam distribution via zombies
    - Click generation on banner advertising
    - Dialer installation on the zombie to make premium rate calls
    - Spyware installation
    - Espionage => banking details / passwords / keylogging
    - Ransom bot => encrypts files => money for the password
    - Capacity for distributed denial of service attacks (DDOS) => disturb the functioning of an internet device (server / router)
  • 34.
    How big is the problem?
    - Already criminal cases in several countries
    - Botnets detected:
      - Several hundreds of botnets worldwide
      - Several thousands of C&C servers worldwide
      - Thousands up to millions of zombie computers online
      - Generated huge data traffic, up to 40 Gbps
    - Dismantling / crippling botnets
  • 35.
    e-Crime underground business
    - Underground fora and chatrooms
      - Restricted access – on invitation
      - Secured by encryption
    - Botnets for hire
      - Control over a bot for spam: 0,04 $ / bot / day
      - Small scale attack 20 Mbps: 50 – 100 $ / day
      - Large scale attack 10 Gbps: 1000 $ / day
    - Malware development on demand
  • 36.
    Important DDOS cases
    - UK 2004: gambling website down (+ hoster + ISP)
    - NL 2005: 2 botnets: millions of zombies
    - BE 2005: DDOS on the chat network of media firms
    - BE 2005: DDOS on a firm (social conflict)
    - US 2006: Blue Security firm stops activity
    - SE 2006: government and police websites down due to DDOS after a police raid on P2P
    - EE 2007: widespread DDOS attack on Estonia after incidents around the moving of a soldier statue
    - Georgia 2008: cyber war during military conflict
    - World 2010: Wikileaks case: Visa, Mastercard, Paypal
    - World 2012: CIA, FBI, USDOJ, EU, Arcelor Mittal, ...
  • 37.
    Attacks on eSociety authentication systems using malware and botnets
  • 38.
    [Diagram: authentication systems between the eService user and the eService website, and how each is attacked]
    - Userid + password: intercepted userid + pw (user: u123, password: secret123) => consultation & transfers by the attacker
    - Token card ("Give token 15: Word15"): intercepting 36 sessions, or a phishing website asking 3 x 12 tokens => consultation & transfers
    - New authentication systems – one time passwords:
      - Time based ("Give OT password": time-dependent code): the attacker waits for the authentication and afterwards performs the transaction
      - Challenge based ("Calculate OTP with challenge 12345678": calculated OTP): again the attacker waits for the authentication and afterwards performs the transaction
    - Need for user cooperation????
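The "wait for the authentication, afterwards perform the transaction" problem above, as an added model that is not part of the presentation: with a challenge that is just a random number, a relayed one-time response authorises whatever transfer the proxy submits; when the user keys the destination account and amount into the token themselves and the bank recomputes the response over the transfer it is asked to execute, the relayed response no longer fits a substituted transfer. The token secret, the two transfers and the 6-digit HMAC construction are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demonstration: the shared secret of user u123's token and two transfers.
TOKEN_SECRET = b"constructed-token-secret-u123"
USER_TX = {"to_iban": "BE68539007547034", "amount_cents": 12000}    # what the user wants to pay
MULE_TX = {"to_iban": "BE71096123456769", "amount_cents": 495000}   # what the proxy submits instead


def otp(secret: bytes, data: str) -> str:
    """6-digit response the token computes over whatever it was given (a challenge or transaction data)."""
    d = hmac.new(secret, data.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(d[:4], 'big') % 10**6:06d}"


def tx_string(tx: dict) -> str:
    """The transaction data the user keys into the token: destination account and amount."""
    return f"{tx['to_iban']}|{tx['amount_cents']}"


def bank_verify_unbound(secret: bytes, challenge: str, response: str, tx: dict) -> bool:
    """Slide-style scheme: the challenge is a number unrelated to tx, so tx plays no role in the check."""
    return hmac.compare_digest(otp(secret, challenge), response)


def bank_verify_bound(secret: bytes, response: str, tx: dict) -> bool:
    """Transaction-signing scheme: the bank recomputes the response over the tx it is asked to execute."""
    return hmac.compare_digest(otp(secret, tx_string(tx)), response)


def relayed_response_accepted(scheme: str) -> bool:
    """Model of the slide's attack: the user answers for USER_TX, a trojan/proxy in between keeps
    the response and submits MULE_TX with it. Returns True when the bank would accept the mule transfer."""
    if scheme == "unbound":
        challenge = f"{secrets.randbelow(10**8):08d}"   # e.g. 'calculate OTP with challenge 12345678'
        response = otp(TOKEN_SECRET, challenge)         # user types the relayed challenge into the token
        return bank_verify_unbound(TOKEN_SECRET, challenge, response, MULE_TX)
    response = otp(TOKEN_SECRET, tx_string(USER_TX))    # user keys in the account and amount they see
    return bank_verify_bound(TOKEN_SECRET, response, MULE_TX)
```

The bound scheme only helps if the user actually reads the account and amount from their own order before keying them in; that is the "user cooperation" the slide asks about.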
  • 39.
    If technical security is ok ...
    - They are informed of web activity over the botnet
    - They know you! (knowledge base & social networks)
    - They will switch to social engineering: they will make you believe they are someone else to make you do something they want / need
    - Abusing expected "normal user behaviour":
      - Fear of, or willingness to help or cooperate with, hierarchy / security services / helpdesk / vendors / (business) partners
      - Love for (new) friends
      - Greed
  • 40.
    [Diagram: e-banking fraud scheme, numbered steps 1–13 – spam distribution campaign; use of intermediate systems to control the network; trojan and proxy on the eBank user's PC; fake site; activity spying and keylogging to local storage; the hackers' knowledge database; the user trying to surf to the real bank site; authentication; money transfer order; bank account transfer; fake company; money collector; money mule]
  • 41.
    Latest malware developments
    - Stuxnet: very complex and elaborate trojan
      - Several replication vectors: networks, USB keys
      - Connects to a C&C botnet server
      - Focused on industrial control systems
      - Searches for systems with this control system
      - Collects information on Siemens PLC systems
      - Changes the process logic on infected machines
    - Duqu, based upon Stuxnet: spying purposes
    © Luc Beirens
  • 42.
    Biggest threat? The criminal's knowledge database
    - SQL (structured query language) databases
    - Several backup servers
    - Content:
      - Keylogging (everything, also userids, passwords)
      - Screenshots (of all opened windows, websites, ...)
      - URLs
      - IP addresses
    - Base for reverse R&D to counter new security
  • 43.
    Cases?
    - e-Banking fraud
    - Hacking of large institutions / firms
      - Long time unaware of the hacking
      - Keylogging
      - Encrypted files on PCs
      - Internal botnet
      - Intermediate step to other networks
      - Often no complaint
  • 44.
    [Diagram: Large firm hacking using an internal botnet – a hacker on the Internet controlling bots inside the company network]
  • 45.
    And the victims?
    - Who?
      - Transactional websites
      - Communication networks
      - ISPs and all other clients
    - Reaction:
      - Unaware of the incidents going on
      - ISPs try to solve it themselves
      - Nearly no complaints made – even if asked ...
    - Result? The hackers go on developing botnets
  • 46.
    Combined threat
    - What if abused by terrorists ... simultaneously with a real world attack?
    - How will you handle the crisis? Your telephone system is not working!
  • 47.
    Risks
    - Economic disaster
      - Large scale: critical infrastructure
      - Small scale: enterprise
    - Individual data
    - Loss of trust in e-society
  • 48.
    Who investigates ICT crime?
    - Prosecutors / examining judges
    - Specialised police forces (national & international)
    - Legal expert witnesses
    - Specialised forensic units of consulting firms
    - Associations defending commercial interests
    - Security firms => vulnerabilities
    - Activist groups => publish info on the "truth"
  • 49.
    E-Police organisation and tasks (integrated police)
    - Federal level – Federal Police: 1 Federal Computer Crime Unit (FCCU), 33 persons
      - 24 / 7 (inter)national contact
      - National policy
      - Operations: intelligence, Internet & ePayment fraud, forensic ICT analysis, ICT crime combating
      - Training, equipment
      - www.ecops.be hotline
      - FCCU network: international internet ID requests
    - Regional level – Federal Police: 25 Regional Computer Crime Units (1 – 2 arrondissements each), 180 persons
      - Assistance for house searches, forensic analysis of ICT, taking statements, internet investigations
      - Investigations of ICT crime cases (assisted by the FCCU)
    - Local level – Local Police: first line police
      - "Freezing" the situation until the arrival of the CCU or FCCU
      - Selecting and safeguarding digital evidence
    © 2013 - Luc Beirens - FCCU - Belgian Federal Police
  • 50.
    Our services
    - Help to take a complaint
    - Descend on the scene of the crime
    - Make a drawing of the architecture of the hacked system
    - Image backup of the hacked system (if possible)
    - Internet investigations (identification, location)
    - House searches
    - Taking statements of the concerned parties
    - Forensic analysis of seized machines
    - Compile a conclusive police report
  • 51.
    Investigative problems – tracking
    - Victims: unfamiliar with the process and afraid for their "corporate image" => belated complaints – traces trashed / no more traces
    - Rather "unknown" world for police & justice => delay before involvement of specialised units
    - Limited ICT investigation capacity (technical & police skills)
    - Multiplication and integration of services / providers / protocols / devices
    - Lack of harmonised international legislation & instruments
    - Anonymous / hacked connections – subscriptions – WIFI
    - Intermediate systems often cut the track to the perpetrator
  • 52.
    Investigative problems – evidence gathering
    - Delocalisation of evidence: the cloud?
    - Exponential growth of storage capacity => time consuming:
      - Backups & verification processes
      - Analysis
    - New legislation / jurisprudence imposes more rigorous procedures for evidence gathering in cyber space
    - Bad ICT security makes it hard to give proof of the source and the integrity of evidence
  • 53.
    Brussels, we have a problem ...
    Complainer: Hello, can you help? We have a problem ...
    Police: OK. A few questions to start: who, where, what, when?
    Complainer: We are a Belgian hosting firm, our file ... Our webservers are hacked & several websites of our Belgian customers have been defaced
  • 54.
    Who is where?
  • 55.
    [Map slide: who / where / what – locations: in the USA, in Belgium, in the Netherlands, in the UK, in Luxemburg; elements placed on the map: hacked webserver, defaced website, hosting firm, hacked server, customer, hacked firm, "hacker?"; repeated annotation: "nothing in Belgium"]
  • 56.
    Conclusions ...
    - Competence of the Belgian justice authorities? Discussion:
      - Viewpoint of the Public Prosecutor General: not competent
      - Viewpoint of the victim's lawyer: competent
      - Viewpoint of the suspect's defence: ????
    - If the choice was made for storage in a foreign country:
      - Why? Cost? Evade regulations & obligations?
      - No (?) protection of Belgian law
      - No (?) intervention of law enforcement in Belgium
      - Protection by law & LE in the country where the server is
  • 57.
    Preventive recommendations
    - Draw up a general ICT usage directive (normal usage)
    - Awareness program for management & users; the ICT security policy is part of the global security policy
    - Appoint an ICT security responsible => control on the application of the ICT usage & security policy
    - Keep critical systems separate from the Internet if possible!
    - Use software from a trusted source
    - Install recent anti-virus and firewall programs (laptops)
    - Synchronize the system clocks regularly
    - Activate and monitor log files on firewall, proxy, access
    - Make & test backups & keep them safe (generations)!
  • 58.
    Recommendations for victims of ICT crime
    - Disconnect from the outside world
    - Take note of the last internet activities & the exact date and time
    - Evaluate: is the damage more important than the restart?
      - Restart most important: make a full backup before restoring
      - Damage more important: don't touch anything
    - Safeguard all messages and log files in their original state
    - Inform the Federal Judicial Police ASAP and ask for the assistance of the Federal or a Regional CCU
    - Force a change of all passwords
    - Re-establish the connection only if ALL failures are patched
  • 59.
    Where to make a complaint?
    - Within a police force ...
      - Local police service => not specialised => not the right place for ICT crime (hacking / sabotage / espionage) => the place to make complaints on Internet fraud
      - Federal judicial police (FGP) => better but ...
        - Regional CCU => the right place to be for ICT crime
        - Federal Computer Crime Unit => 24/7 contact; risks on vital or crucial ICT systems => call urgently
      - Illegal content (child porn, ...) => www.ecops.be
    - ... or immediately report to a magistrate?
      - Local prosecutor (Procureur) => will send it to the police => can decide not to prosecute
      - Examining judge => complaint with deposit of a bail => obligation to investigate the case
  • 60.
    For the sysadmin
    - Several layers of protection
    - Internal firewalls
    - Encrypted communications
    - Encrypted databases
    - Check the active sysadmin profiles on servers
    - Log and follow up FW, IDS: IP + port + time
    - Certificates should be signed by 2 CAs
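The "log and follow up FW, IDS: IP + port + time" item above, as an added example that is not part of the presentation: a small follow-up script over constructed firewall deny lines that reports the denied connections per source and flags a source that was refused on many distinct ports within a short window, the pattern a port scan leaves behind. The log line format and all addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny log, format "<ISO time> DENY <src ip> -> <dst ip>:<port>" (assumed for this example).
SAMPLE_LOG = """\
2013-03-21T09:00:01 DENY 198.51.100.7 -> 192.0.2.10:21
2013-03-21T09:00:02 DENY 198.51.100.7 -> 192.0.2.10:22
2013-03-21T09:00:02 DENY 198.51.100.7 -> 192.0.2.10:23
2013-03-21T09:00:03 DENY 198.51.100.7 -> 192.0.2.10:25
2013-03-21T09:00:04 DENY 198.51.100.7 -> 192.0.2.10:80
2013-03-21T09:00:05 DENY 198.51.100.7 -> 192.0.2.10:3389
2013-03-21T09:10:00 DENY 203.0.113.5 -> 192.0.2.10:443
2013-03-21T10:45:00 DENY 203.0.113.5 -> 192.0.2.10:443
2013-03-21T11:02:00 DENY 203.0.113.5 -> 192.0.2.10:22
"""
LINE_RE = re.compile(r"^(\S+) DENY (\S+) -> \S+:(\d+)$")


def parse_denies(log: str):
    """Yield (time, source ip, destination port) for each well-formed deny line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def find_port_scans(log: str, window: timedelta = timedelta(minutes=1), min_ports: int = 5) -> dict:
    """Sources denied on at least min_ports distinct ports inside one window; value = number of ports seen."""
    by_src = defaultdict(list)
    for ts, src, port in parse_denies(log):
        by_src[src].append((ts, port))
    scanners = {}
    for src, events in by_src.items():
        events.sort()  # the window test below needs time order (and synchronized clocks)
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = len(ports)
                break
    return scanners


def denies_per_source(log: str) -> dict:
    """Plain count of denied connections per source: the figure to follow up in the daily review."""
    counts = defaultdict(int)
    for _, src, _ in parse_denies(log):
        counts[src] += 1
    return dict(counts)
```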
  • 61.
    Contact information
    Federal Judicial Police – Direction for Economical and Financial Crime
    Federal Computer Crime Unit
    Notelaarstraat 211 - 1000 Brussels – Belgium
    Tel office: +32 2 743 74 74
    Fax: +32 2 743 74 19
    E-mail: luc.beirens@fccu.be
    Twitter: @LucBeirens