This document summarizes a presentation on cybercrime. It defines cybercrime and discusses the underground economy where cybercriminals buy and sell stolen data and hacking tools. It provides statistics on the top countries and sectors targeted by cyberattacks. Examples of cybercriminal business models are given, showing how they mimic legitimate business models. The types of stolen data for sale in cybercrime forums are listed, along with their typical price ranges.
1. Cybercrime: from hacking to the Underground Economy
Francesca Bosco
Project Officer
Interregional Crime and Justice Research Institute (UNICRI)
31 March 2011
Università degli Studi di Milano Bicocca
2. Agenda
• Definitions, Trends & Statistics: why the topic is relevant
• The Underground Economy and Cybercrime
• Business models applied to Cybercrime
• Social Network and How to Protect Yourself
• Who are the criminals: Two case studies
6. What is cybercrime?
Many possible definitions - no widely accepted definition.
Any conduct proscribed by legislation and/or jurisprudence that
(a) is directed at computing and communications technologies themselves;
(b) involves the use of digital technologies in the commission of the offence; or
(c) involves the incidental use of computers with respect to the commission of other crimes.
Forms
• crimes against the confidentiality, integrity or availability of computer systems (e.g. theft of computer services)
• crimes associated with the modification of data (e.g. theft of data)
• content-related crimes (e.g. dissemination of illegal and harmful material, child pornography)
• relation between terrorism and the Internet (e.g. terrorist propaganda, recruitment for terrorist organizations)
7. What is cybercrime?
The Convention on Cybercrime (Budapest, 23.XI.2001) defines cybercrime in Articles 2-10 on substantive criminal law in four different categories:
(1) offences against the confidentiality, integrity and availability of computer data and systems;
(2) computer-related offences;
(3) content-related offences;
(4) offences related to infringements of copyright and related rights.
8. Definition
According to the European Convention on Cybercrime, cybercrimes are defined as “offences against the confidentiality, integrity and availability of computer data and systems”, thus considering as offences:
“Illegal access” (art. 2),
“Illegal interception” (art. 3),
“Data & System Interference” (artt. 4-5),
“Misuse of devices” (art. 6),
“Computer-related fraud and forgery” (artt. 7-8),
“Offences related to child pornography” (art. 9),
“Offences related to infringements of copyright and related rights” (art. 10).
9. Attempt to categorize: Types of cybercrime
Financial - crimes which abuse businesses' ability to conduct 'e-commerce' (or electronic commerce).
Piracy - the act of copying copyrighted material. The personal computer and the Internet both offer new mediums for committing an 'old' crime. Online theft is defined as any type of 'piracy' that involves the use of the Internet to market or distribute creative works protected by copyright.
Hacking - the act of gaining unauthorized access to a computer system or network and in some cases making unauthorized use of this access. Hacking is also the act by which other forms of cyber-crime (e.g., fraud, terrorism, etc.) are committed.
Cyber-terrorism - the effect of acts of hacking designed to cause terror. Like conventional terrorism, 'e-terrorism' is classified as such if the result of hacking is to cause violence against persons or property, or at least cause enough harm to generate fear.
Online Pornography - There are laws against possessing or distributing child pornography. Distributing pornography of any form to a minor is illegal. The Internet is merely a new medium for this 'old' crime, but how best to regulate this global medium of communication across international boundaries and age groups has sparked a great deal of controversy and debate.
Financial
Public confidence in the security of information processed and stored on computer networks and a predictable environment of strong deterrence for computer crime is critical to the development of e-commerce, or commercial transactions online. Companies' ability to participate in e-commerce depends heavily on their ability to minimize e-risk.
Risks in the world of electronic transactions online include viruses, cyber attacks (such as the distributed denial-of-service (DDoS) attacks which were able to bring Yahoo, eBay and other websites to a halt in February 2000), and e-forgery. There have also been other highly publicized problems of 'e-fraud' and theft of proprietary information, in some cases even for ransom ('e-extortion').
11. What is Hacking?
• The act of gaining unauthorized access to computer systems for the purpose of stealing and corrupting data.
Types Of Hackers:
• Black Hats - Malicious hackers
• White Hats - Ethical hackers
• Grey Hats - Ambiguous
13. What is interesting for cybercriminals?
Data is more valuable than money. Once spent, money is gone, but data can be used and reused to produce more money or for further leverage.
The ability to reuse data to access on-line banking applications, authorize and activate credit cards, or access organization networks has enabled cyber criminals to create an extensive archive of data for ongoing illicit activities.
Intellectual property: keep in mind that a database of credit cards is easy to monetize, a database of PII is more difficult, and monetizing stolen IP is much harder, and also much more lucrative if done correctly.
Outcomes of cyberattacks and reactions
Several computer security consulting firms produce estimates of total worldwide losses attributable to virus and worm attacks and to hostile digital acts in general. The reliability of these estimates is often challenged; the underlying methodology is basically anecdotal.
A central issue, in both public and private sectors, is whether or not we are devoting enough resources to information security.
Part of the answer must come from economic analysis. Investigations into the stock price impact of cyber-attacks show that identified target firms suffer losses of 1%-5% in the days after an attack.
Organizations of all sizes and industries have suffered losses at the hands of cybercriminals – though only a low percentage report such incidents.
Concomitantly, cybercrimes offer high financial yields and can often be performed in a manner that incurs only modest risks because of the anonymity the medium presents. The lack of incident reporting and the ease of access to electronically stored data have led experts to predict that cybercrime will continue to increase in the years to come. Accurate and statistically comprehensive data on the incidence and costs of cyber-attacks are critical to the analysis of information security.
14. The Underground Economy
• “Underground Economy” has historically been used to denote business that occurs outside of regulatory channels. Around the turn of the 21st century, Team Cymru adapted the term to the cyber locations and individuals who buy, sell, and trade criminal goods and services.
• Today the Underground Economy can be found in IRC networks, HTTP forums (web boards), various Instant Messaging services, and any other communications platform that lends itself to anonymous collaboration.
• The Underground Economy is composed of criminals who typically specialize in a specific criminal commodity. A few of the more common commodities include credit/debit cards, personal identities, hacked servers, hacked network equipment, malware (malicious code), Internet vulnerability scanners, e-mail spam lists, fictitious identification documents, and fraudulent money movement services.
• The higher levels of the Underground Economy involve technically talented actors who work with other criminals through private communication methods often involving encryption. The public criminal market place is contracting, but the criminal activity itself is increasing in both volume and sophistication.
The State of Cybercrimes - Freedom From Fear, March 28, 2011
15. The day money became the focus of malware is the day the Internet changed.
Graham Ingram, AusCERT GM
17. New Malware Statistics
[Charts: Top Malware Source Countries; Top Attack Sectors]
Source: Symantec, Kaspersky, McAfee, Sophos
Malware: Hostile, intrusive, or annoying software or program code designed to infiltrate a computer system (viruses/worms/Trojans/rootkits/backdoors/spyware).
Botnets: Software agents/bots that run autonomously and automatically under a common command-and-control structure and perform malicious activities.
Phishing: Fraudulent process of attempting to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication.
Spamming: Abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately in the form of e-mail, instant messaging, etc.
SQL injection: Code injection technique that exploits a vulnerability in the database layer of an application (untrusted input incorporated into a query), resulting in unexpected execution of database commands.
20. Damages, fraud, crime estimates
Worldwide direct damage due to malware in 2006: $13.2 bn (Computer Economics)
Decline from $17.5 bn in 2004
Effects of anti-malware efforts and shift from direct to indirect costs
U.S. Federal Bureau of Investigation estimated cost of computer crime to U.S. economy in 2005 at $67.2 bn (upper ceiling, not all malware-related)
Global cost of spam in 2007: $100 bn, of which $35 bn U.S. (Ferris Research)
Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)
Direct costs to U.S. consumers in 2007: $7.1 bn (Consumer Reports)
Range of estimates on online consumer fraud:
$240-340 million for U.S.
£33.6 for financial fraud in UK
Cost of click fraud in 2007: $1 bn (Click Forensics)
21. Complaints of online crime, 2010, at the Internet Crime Complaint Center (USA)
YEAR | COMPLAINTS RECEIVED | US$ LOSS
2010 | 303,809 | - million
2009 | 336,655 | 560 million
2008 | 275,284 | 265 million
2007 | 206,884 | 239 million
2006 | 207,492 | 198 million
22. OC activities shift
Original Activity | Modern Version
Local numbers gambling | Internet gambling (international sites)
Heroin, cocaine trafficking | Synthetic drugs (less vulnerable to supply problem)
Street prostitution | Internet prostitution and trafficking in human beings
Extortion of local businesses for protection | Extortion of corporations, kidnappings
Loansharking | Money laundering, precious stones, commodities
Fencing stolen property | Theft of intellectual property
23. Trends of organized crime: Transnational, Adaptive, Multifaceted
A. Drug trafficking
B. Illicit arms trade
C. Trafficking and smuggling of human beings
D. Traffic of human organs
E. Counterfeiting
F. Environmental-related crimes
G. Maritime piracy
H. Cyber crime
I. Financial crimes: corruption, money laundering.
24. Why has Cybercrime become so pervasive?
– Extremely profitable
– Very low infrastructure cost and readily available attack tools
– Barriers to prosecution combined with weak laws and sentencing
– Anonymity and financial lure have made cyber-crime more attractive
– Separation between the physical and virtual world
– Organized cybercrime groups can conduct operations without ever making physical contact with each other
29. UE Business Model
Organised crime borrows and copies business models from the legitimate economy
sector. Cyber-criminals employ models similar to the B2B (business-to-business) for
their operations, such as the highly sophisticated C2C (criminal-to-criminal) models,
which use very effective crime tools available through digital networks.
30. Let’s go shopping... how much do they cost?
Credit card number with PIN
Change of billing data, including account number, billing address, SSN, name, address and birth date
Driver's license number
Birth certificate
Social security card
Credit card number with security code and expiration date
Paypal account ID and password
31. Items for sale
A sampling of items for sale in typical cybercrime forums:
$1000-5000 Trojan program to steal online account information
$500 Credit card number with PIN
$80-300 Change of billing data, including account number, billing address, SSN, name, address and birth date
$150 Driver's license number
$150 Birth certificate
$100 Social security card
$7-25 Credit card number with security code and expiration date
33. • In 2009, 60 percent of identities exposed were compromised by hacking attacks.
• 75 percent of enterprises surveyed experienced some form of cyber attack in 2009 (From Symantec State of the Enterprise Report 2010)
• The top Web-based attacks observed in 2009 primarily targeted vulnerabilities in Internet Explorer and applications that process PDF files
• Mozilla Firefox had the most reported vulnerabilities in 2009, with 169, while Internet Explorer had just 45, yet Internet Explorer was still the most attacked browser.
• The United States was the top country of origin for Web-based attacks in 2009, accounting for 34 percent of the worldwide total.
• In 2009, botnets were responsible for sending approximately 85 percent of all spam email.
• There were 321 browser plug-in vulnerabilities identified in 2009, fewer than the 410 identified in 2008.
• ActiveX technologies still constituted the majority of new browser plug-in vulnerabilities, with 134; however, this is a 53 percent decrease from the 287 ActiveX vulnerabilities identified in 2008
34. TRENDING COMMODITIES IN UNDERGROUND MARKETS
• In 2009 black market shift where email accounts were the third most available virtual good for sale.
• Online credentials are composed of username/password combinations in order to gain access to different Internet applications:
• Online banking service – the credentials allow the attacker to transfer funds from the victim’s account to accounts controlled by the criminal
• Health-care providers – stolen accounts may be used for prescription drug trading or for health information compromise
• Webmail applications – a hacked webmail account allows the hacker to scrape the victim’s address book and use those addresses in spam lists. The criminal can then send the phishing messages from the compromised account, making the message all the more credible.
• Social networks – the inherent viral nature of social networks, together with real-time updates in search engines, make stolen social network accounts most valuable. The price of these credentials varies according to the popularity of the application.
36. Malware/spam and the underground economy
Players in the underground economy include (see slide 19):
Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
Spammers, botnet owners, drops
Various middlemen
Emergence of institutional arrangements to enhance “trust” in the underground economy
Service level agreements, warranties, etc.
Steady stream of new attacks
E.g.: spear-phishing, chained exploits, exploitation of social media.
37. Example of some of the possible financial flows
[Figure: diagram of financial flows between Hardware/software vendors, Security service providers, Individual users, Business users, ISPs, Fraudsters/criminals, Government and Society at large. Legend: Legal financial flows; Potentially illegal financial flows.]
1: Extortion payments, click fraud, compensated costs of ID theft and phishing
2: Uncompensated costs of ID theft and phishing, click through, pump and dump schemes, Nigerian 419 scams, and other forms of consumer fraud
3, 4, 5, 6: Hardware purchases by criminals, corporate and individual users
7, 8, 9, 10: Security service purchases by hardware manufacturers, corporate and individual users, ISPs
11, 12, 13: ISP services purchased by corporate and individual users, criminals
14: Payments to compensate consumers for damages from ID theft (if provided)
38. Financial aspects of malware and spam
[Figure: influence diagram linking the following nodes with +/- signs: Malware economy; Benefits of cybercrime; Costs of cybercrime; Cost of prevention, adaptation; Damage done, fraud, crime; Cost of law enforcement; Indirect cost to society; Total, direct and indirect cost.]
39. Data Theft (what data are we talking about?)
Personally Identifiable Information (PII): identifying information means any name or number that may be used alone or with other information to identify a specific person:
Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number, biometric data, etc.
Likely one of the most valuable assets that we have and one that businesses need to protect. Why? Information is exponential and reusable. Information can be sold to multiple buyers and can be used in many profitable ways.
40. Credit card thefts, 2009
Source: Kaspersky Lab
Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, June 10th, 2009
Moscow, January 28-31, 2010
41. ID Theft is the fastest growing crime in the world.
• Over 9 million victims a year on average worldwide
• Only Top consumer complain to Police or the Federal Trade Commission
• Studies on the total cost of identity theft vary. One study indicates that identity theft costs U.S. businesses and consumers $50 to $60 billion a year
• Individual victims lose an average of $1,500.00 each in out-of-pocket expenses and require tens or hundreds of hours to recover – some never do.
42. ID Theft
• Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.
• Types of identity theft include, among others:
• Account take over
• Financial fraud – credit card or bank account (most common)
• New account
• Social Security Number (SSN) identity theft. Someone steals your SSN and obtains employment in your name. The thief's employer reports wages earned to the IRS under your SSN, leaving you to pay income taxes on these earnings.
• Medical identity theft. Someone steals your identity and either obtains medical insurance in your name or uses your current medical insurance policy to obtain treatment or prescriptions.
• Driver's license identity theft. Someone commits traffic-related offenses in your name. When the identity thief fails to appear in court, warrants are issued in your name.
43. Phishing
• Use of email to trick someone into providing information or into going to a malicious Web site by falsely claiming to be from a known entity. These attacks are becoming more and more sophisticated. Use of social networking sites will become an issue.
44. Botnets
"At its peak in 2010, the total number of unique botnet victims grew by 654 percent, with an average incremental growth of eight percent per week"
Damballa Report 2010.
Of the top 10 largest botnets in 2010, six did not exist in 2009. Only one (Monkif) was present, ranked among the 10 largest botnets of 2009. The top 10 largest botnets in 2010 accounted for approximately 47% of all botnet-compromised victims -- down from 2009, when the top 10 botnets accounted for 81% of all victims.
45. Botnet Definition
A Botnet is a network of compromised machines (bots) remotely controlled by an attacker.
[Figure: the Attacker sends Commands to bots (B), which launch Attacks; uncompromised hosts (U) sit alongside. Key: B = Bot, U = Uncompromised Host.]
B
51. Social network malware: distribution 2009
Source: Kaspersky Lab
Kaspersky Lab International Press Tour “Cyberthreat Landscape 2009: Outcomes, Trends and Forecasts”, June 10th, 2009
Moscow, January 28-31, 2010
52. Cost depends on how many followers you have and how commercial your name is
53. Who are the criminals?
Three case studies
• Are financially-motivated cyber-criminals actively working with traditional organized crime groups? Or are they opportunistically organizing among themselves? Or, still, are they simply passively working with O.C. groups for support tasks, e.g. money laundering?
• Three case studies
54. Case Study:
Innovative Marketing Ukraine
• Formed circa 2002.
• 2008 revenue estimated at $180 million.
• Estimated to employ 200-500 staff (HR, call center operators to dissuade victims and avoid credit complaints, malware & scareware developers, etc.) in Ukraine, India, and the United States.
• Criminal activities: Scareware (or “Ransomware”, meant to frighten users into providing their credit card data in order not to lose their data), Adware, Credit Card Fraud (reselling of the credit cards “customers” were ransomed into providing to IMU). Early activities included the selling of pirated media (music, pornography) and software as well as pharmaceuticals such as Viagra.
• 2010: F.T.C. persuades a U.S. federal judge to fine IMU and two associated individuals $163 million.
55. Case Study:
GlavMed
• Registered in 2006
• Revenue estimated at $150 million
• Glavmed is the public-facing affiliate program which sponsors spammers to promote what are generally known to be illegal pharmacy websites. It appears to be a cover for the real sponsor organization behind all of these sites: Spamit. These include Canadian Pharmacy, one of the most-spammed properties (2006-2008).
• In September 2010, Russian authorities announced a criminal investigation. Around that same time, SpamIt.com was closed down. Consequently, the volume of spam flowing into inboxes around the world fell precipitously, likely because SpamIt.com affiliates fell into a period of transitioning to other partner networks. Meanwhile, Glavmed remains open for business, and is still paying affiliates to promote pharma sites.
56. Case Study:
Russian Business Network
• Based in St. Petersburg (RU). Operated as a host or Internet Service Provider for illicit services such as child pornography, malware distribution, etc.
• Domain names registered in 2006.
• 2006-2007 revenue estimated at $150 million.
• Criminal activities: Spam (estimated to have been actively involved with up to 50% of worldwide spam distribution at their height), malware, phishing scams (estimated to have been behind up to 50% of phishing spams throughout 2007), all the while providing hosting services for other criminal activities such as the dissemination of child pornography, identity theft, credit card fraud, etc.
• Alleged to have dispersed (but not suspended) its activities as of 2008, due to increasing attention from international security vendors, media, and law enforcement.
59. What we can do
10 golden rules
• Use a modern browser with anti-phishing protection
• Isolate and regularly change key passwords
• Use regularly updated anti-virus
• Use a firewall
• Update your operating system regularly
• Check your bank statements regularly
• Subscribe to a Credit Protection service
• Use 2-factor authentication when you can
• Be highly suspicious of anyone asking for personal info via email or any web 2.0 medium, even folks you know, as they may have had their own account compromised.
• Be highly suspicious of anything that you receive electronically that is unsolicited.
60. Protect Yourself at Public Wi-Fi Hotspots
• Any data transferred between a user and a Website using an HTTPS address and SSL encryption, such as online banking sites, is just as secure on a hotspot as it would be on a private secured network. Wi-Fi hackers or eavesdroppers sitting around the hotspot cannot capture a user’s login credentials or see any information from these secured sites.
• Your risks increase, however, if you must log in to sites that aren’t secured. Even if the site isn't all that sensitive, such as a discussion forum, eavesdroppers can capture your login credentials, which they may also use for other more important sites. That’s why it’s important to use unique usernames and passwords for every site.
• To secure any unencrypted Internet traffic that's sensitive (such as e-mail) on hotspots, the simplest, most affordable solution is to implement a Virtual Private Network (VPN). Connecting to a VPN server or service would encrypt all of your Internet traffic, so local Wi-Fi eavesdroppers can’t capture it.
• Practice defensive computing: use a VPN, vary your usernames and passwords, learn how to adjust the sharing and privacy settings on your device, and don’t enter login information if you’re unprotected at a public hotspot.
61. BRIGHT
BRIGHT is the first online magazine entirely focused on transnational organized crime and is run by FLARE, an international research network (Fight, Learn, Act, Report, Explore).
Get your own, FREE copy of the special issue of BRIGHT on “Digital Mafia: into the Cybercrime World”.
Articles:
Preface
Cybercrime: reasons, evolution of the players and an analysis of their modus operandi
Cybercrime & underground economy: operating and business model
The power of networking: an insight on the Russian Business Network
International cybercrime
Innovative cybercrime: made in Ukraine?
UNICRI: knowledge and information on emerging threats
Download:
http://www.flarenetwork.org/report/enquiries/article/digital_mafia_into_the_cybercrime_world.htm
62. FREE copy of “F3” (Freedom from Fear, the UNICRI magazine) issue #7, totally focused on Cybercrimes!
DOWNLOAD: www.FreedomFromFearMagazine.org
63. Ms. Francesca Bosco
Project officer on cybercrime
Emerging Crimes Unit
E-mail: bosco@unicri.it
www.unicri.it
Thank you
for your attention