Cyber Crime
• Special Thanks to Special Agent Martin McBride for sharing most of this information in his talk at Siena last semester
Criminal Activity Today has shifted to the Internet
Canadian Lottery Scam
• A call from Canada:
  • You’ve won the Canadian Lotto
  • We’ll protect your winnings from US capital gains taxes (i.e., Canadian Bank)
  • Just pay the Canadian Lotto tax 0.5% and we’ll set everything up
• You say:
  • You mean I just have to pay you $5000 and you’ll put $1,000,000 in my own Canadian Bank Account. Sounds great!
Canadian Lottery Scam
• It’s estimated that over $10,000,000 has been scammed off people in just the US.
• The scammers are so sophisticated that they get Direct Mailing/Marketing Lists and target specific demographics (homeowners over 65).
  • http://www.experian.com/products/listlink_express.html
  • Thank you Experian!
Canadian Lottery Scam
• The scammers use cloned cell phones
• Checks sent to “Mailboxes Etc.”
  • set up using a stolen identity
• The FBI and RCMP have developed counter-measures
• Thus, the Scammers have retreated to the Internet, where they have greater reach and less risk.
Criminal Activity Today
• Phishing
• Nigerian Letter Fraud
• Internet Sales Fraud
• Carding
• Intrusions
• Viruses & Worms
Criminal Activity Today (continued)
• Distributed Denial of Service (DDOS)
• Spam Attack/DDOS
• Intellectual Property Theft
• Sabotage
Phishing
• uses spam, spoofed e-mails and fraudulent websites to
• deceive consumers into disclosing credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information
• by hijacking the trusted brands of well-known banks, online retailers and credit card companies
Phishing example (the slide shows this PayPal-branded e-mail as raw HTML; its text is rendered here):

  We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you now be taken through a verification process.

  Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.

  Please click here [link target: http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html] and fill in the correct information to verify your identity.

  NOTE: Failure to complete the verification process or providing wrong information will lead to account suspension or even termination.

Note that the “click here” link points at auth23.net (port 4180), not at paypal.com; “verify.paypal.com” is merely a subdomain label chosen to look legitimate.
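A check for exactly this trick, written as an added example (not code from the slides): it pulls every link out of an HTML e-mail body and flags any whose hostname mentions the brand but whose registrable domain is somebody else's. The sample anchor is the slide's PayPal link; `registrable_domain` is a deliberately naive last-two-labels approximation.

```python
"""Flag anchors whose hostname mentions a brand but lands elsewhere.
Added example, not from the original slides; the sample anchor below is
taken from the PayPal phish shown on the slide (constructed excerpt)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the "click here" link from the slide's phishing e-mail.
SAMPLE_HTML = (
    '<TD>Please <A href="http://verify.paypal.com.auth23.net:4180/us/'
    'cgi-bin/webscr.cmd=_verification-run/verify.html">'
    '<FONT color=#0033cc>click here</FONT></A> and fill in the correct '
    'information to verify your identity.</TD>'
)

def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels (fine for .com/.net examples)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":                      # html.parser lowercases tag names
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str, brand_domain: str) -> list:
    """Return (href, reason) for links whose hostname contains the brand
    name but whose registrable domain is not the brand's own."""
    parser = LinkExtractor()
    parser.feed(html)
    brand_word = brand_domain.split(".")[0]
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        actual = registrable_domain(host)
        if brand_word in host and actual != brand_domain:
            findings.append((href, f"'{text}' goes to {actual}, not {brand_domain}"))
    return findings
```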
Nigerian Letter Fraud
• Claiming to be
  • Nigerian officials,
  • business people or
  • the surviving spouses of former government honchos,
• con artists offer to transfer millions of dollars into your bank account in exchange for a small fee.
Nigerian Letter Fraud
• If you respond, you may receive "official looking" documents.
• Typically, you're then asked to
  • provide blank letterhead and
  • your bank account numbers,
  • as well as some money to cover transaction and transfer costs and attorney's fees.
Nigerian Letter Fraud
• You may even be encouraged to travel to Nigeria or a border country to complete the transaction.
• Sometimes, the fraudsters will produce trunks of dyed or stamped money to verify their claims.
• Inevitably, though, emergencies come up, requiring more of your money and delaying the "transfer" of funds to your account;
• in the end, there aren't any profits for you to share, and the scam artist has vanished with your money.
Internet Sales Fraud
• Overpayment scheme (eBay)
  • A buyer accidentally overpays you
    • $1000 check rather than $100 check
  • Buyer says, “My mistake, but you owe me $900 if you cash that check.”
  • Buyer says, “Dude man! I need that $900 bucks, since this was my mistake, if you wire me $800 bucks, the check is yours.”
  • You get an additional $100 for your trouble, cool!
Internet Sales Fraud
• Did you know that if you deposit a check worth $10,000 or more at HSBC it can take over 5 business days for it to clear or to realize it’s fraud.
• A week gives a scammer a long time to put pressure on you to return the overpayment.
  • Perhaps the overpayment is $9000.
• Guess what? If you send a wire transfer or a money order out of your account, your account balance is immediately reduced (instantaneous at the time the order or wire is entered into their system).
• Thank you HSBC for making it easy to scam me!
Internet Sales Fraud
• Alexey Ivanov and others
  • auctioned non-existent items on eBay
  • bid on own items using stolen credit cards
  • as high bidder, paid himself through PayPal
Carding
• “Carding” is the illegal use of credit card numbers. Carders:
  • Acquire valid credit card numbers (not their own)
  • Use them to make purchases
  • Sell them to others
  • Trade them over the Internet
Carding
• Maxus, a Russian, stole 300,000 credit card numbers from CDUniverse.com
• Maxus’ scheme was broken into 4 basic parts:
  • Wholesaling Cards — Cards were distributed to trusted partners, mainly in lots of 1,000, for $1 each.
  • Re-selling Cards — Cards were then sold by Maxus' partners. These "re-sellers" sold card numbers mainly in blocks of 50. The price to the "end consumer" was around $500.
  • Pure Liquidation — Maxus set himself up as an online retailer, and used the stolen numbers as if they belonged to his customers.
  • End Users — Individuals would use the cards bought from Maxus to conduct their own fraud.
Intrusions
• Unauthorized access into a computer
• Different types of intruders
  • Hackers – create code to exploit vulnerabilities
  • Script-kiddies – use code readily available over the Internet to exploit vulnerabilities
  • Insiders – former employees whose accounts were not disabled upon termination
Intrusions
• Example
  • Bob leaves Experian for Equifax
  • Equifax is a competitor to Experian
  • Bob uses the same password at Equifax that he had used while at Experian
  • Experian has to crack Bob’s password because no one can get into his old account to retrieve the work he left behind
  • Experian decides to try Bob’s password on Equifax’s e-mail system
  • It worked!
  • Experian attempts to steal customers from Equifax by intercepting e-mail sent to Bob’s account at Equifax.
Viruses, Worms, & Trojans
• Viruses are computer code written to degrade the health of a computer or computer network
• Worms are viruses that are written such that they can spread themselves to other computers
• Trojans are viruses that remain dormant or hidden until a certain action is taken or a specified period of time has elapsed
Denial of Service (DOS)
• An attack in which a large network of compromised computers is used to attack a target computer
• Examples
  • Mafiaboy – Feb 2000
    • Yahoo!, eBay, CNN.com, eTrade, and others
  • DDOS attack against 9 of 13 root servers – Oct 2002
Intellectual Property Theft
• The unauthorized acquisition and/or distribution of proprietary computer software or data files
Intellectual Property Theft
• Example
  • Online warez pirates
    • Buy or steal copies of software programs such as video games or operating systems
    • Illegally share the programs through FTP servers located throughout the world
  • Hundreds and perhaps thousands of organized groups exist
  • Many groups contain hundreds of members
Sabotage
• Deliberate destruction of the functionality of a computer or computer network
Insiders
• Greatest threat to computer networks
  • Know the system
  • Have access via user accounts
• Security lapses
  • Easy-to-guess passwords
  • Share accounts/passwords
• Hostile terminations/revenge
Criminal Cyber Crime Techniques
• Casing the establishment
  • Footprinting
  • Scanning
  • Enumeration
Source: Hacking Exposed, Second Edition
Casing the Establishment
• Footprinting
  • Locate a potential target
  • Learn everything about target network
  • Map the network
    • Domain names in use
    • Routable IP address range
    • Services running and versions used
    • Firewalls and Intrusion Detection Systems
Source: Hacking Exposed, Second Edition
Casing the Establishment
• Scanning
  • Turning door knobs and seeing if windows are locked
  • Search for vulnerabilities
    • Ping sweep
      • Determine what systems are up and running
    • Trace route
    • Port scan
    • ID operating system
    • ID applications running
    • Cheops (does it all)
Source: Hacking Exposed, Second Edition
Casing the Establishment
• Enumeration
  • Open the door and look inside (cross the line)
  • Active connection to target is established to
    • ID valid user accounts
    • ID poorly protected resource shares
• Social Engineering
  • Gain access to inside human resources
  • “Dumpster diving” – go through the trash
Source: Hacking Exposed, Second Edition
Hacking the Target
• Directly connect to shared resources
• Use that access to dig deeper
  • Install backdoors/Trojans
  • Crack passwords for administrator accounts
    • Dictionary and Brute Force
      • L0phtcrack
      • John the Ripper
      • Crack
Source: Hacking Exposed, Second Edition
Hacking the Target
• Privilege escalation
  • When you have password for non-admin account
  • Use Trojans to give yourself an admin account
    • e.g. change Dir command so that it adds new user
• Install and run sniffers
• Keystroke loggers
Source: Hacking Exposed, Second Edition
Hiding the Trail
• Proxy Servers
  • Make Web queries on behalf of inquiring computer
  • Query traces to proxy rather than point of origin
• Anonymizers
• E-mail spoofing
• IP spoofing
[Diagram: Bad Guy → Proxy 1 → Proxy 2 → Destination]
Cyber Crime Investigations
Big Brother is Watching
Following the Trail
• Server logs
• E-mail headers
• Whois databases
• Human resources
Critical Concept
• Internet Protocol (IP) addressing
  • Every computer connected to the Internet has a unique IP address assigned while it is connected
  • #.#.#.# (e.g. 192.168.1.100)
  • Each # is 0 to 255
    • 256 possibilities
    • 2^8 (binary math)
    • 255 = 1111 1111
Critical Concept
• Static addresses
  • Like telephone numbers
  • Don’t change
  • Easy to find day after day
• Dynamic addresses
  • Different each time you connect
  • Difficult to find from one use to the next
Server Logs
• Domain Controllers
  • Access logs
• Web Servers
• FTP Servers
• E-mail Servers
Tracking via Server Logs

192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102
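How an investigator turns log lines like these into a timeline, as an added example (not code from the slides): parse each Common Log Format entry, then group requests by client IP to get first/last activity and the POSTs (here the one that sent a reply). The sample input is the five sqwebmail entries from the slide.

```python
"""Parse Common Log Format lines and summarise per-client activity.
Added example, not from the original slides; the sample lines are the
sqwebmail access-log entries shown on the slide, one request per line."""
import re
from datetime import datetime

# Constructed sample: the five requests from the slide.
SAMPLE_LOG = """\
192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102
"""

# client ident user [timestamp] "method path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_clf(line: str) -> dict:
    """One CLF line -> dict with a timezone-aware datetime and int fields."""
    m = CLF.match(line.strip())
    if not m:
        raise ValueError(f"not a CLF line: {line!r}")
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def sessions_by_ip(log_text: str) -> dict:
    """Group requests by client IP: first/last seen, request count, POSTs."""
    out = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_clf(line)
        s = out.setdefault(r["ip"], {"first": r["time"], "last": r["time"],
                                     "requests": 0, "posts": []})
        s["first"] = min(s["first"], r["time"])
        s["last"] = max(s["last"], r["time"])
        s["requests"] += 1
        if r["method"] == "POST":               # form submissions, e.g. sending mail
            s["posts"].append((r["time"], r["status"]))
    return out
```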
E-mail Headers
• Normal Headers
  • To:, From:, Date:, and Subj:
• Full Headers
  • Record of path an e-mail takes from its origin to its destination
Return-Path: <ebreimer@siena.edu>
Delivered-To: mmcbride@leo.gov
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101])
	by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B
	for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost [127.0.0.1])
	by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641
	for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61 via smtpd
	(for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126])
	by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF
	for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov via smtpd
	(for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Radio Interview
Date: Thu, 15 Apr 2004 14:01:35 -0400
Message-ID: <8DEC59405C543C4D88AF28B7AAB0F87302A47CC4@EXCHANGE2.siena.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Radio Interview
Thread-Index: AcQjE7E0Ke2vVSlaR5mlEdbMSjmvMw==
From: "Breimer, Eric" <ebreimer@siena.edu>
To: <mmcbride@leo.gov>
Cc: <grimmcom@nycap.rr.com>
X-UIDL: 'B?!!L^)#!ce^"!Hf_"!
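Reading a Received: chain by hand is error-prone, so here is the walk an investigator does, as an added example (not code from the slides): parse each Received: line into the host that handed the message over and the host that accepted it, reverse the list to get the origin-first path, and pick out the first public IP outside the receiving organisation's domain. The sample is the slide's own header dump reduced to its Received: lines; `own_domain` is an assumed parameter naming the recipient's domain.

```python
"""Reconstruct an e-mail's path from its Received: headers (read bottom-up).
Added example, not from the original slides; the sample headers are the
Received: lines from the slide's header dump, each unfolded onto one line."""
import ipaddress
import re

# Constructed sample: topmost Received: is the final hop, bottom is the origin.
SAMPLE_HEADERS = """\
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101]) by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost [127.0.0.1]) by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641 for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61 via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126]) by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
"""

# "from <host> (<comment>) ... by <host>"; case-insensitive because one MTA wrote FROM/BY.
HOP = re.compile(r"^Received:\s*from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.I)

def parse_hops(headers: str) -> list:
    """Newest-first list of {'from', 'by', 'info'} dicts, one per Received: line."""
    hops = []
    for line in headers.splitlines():
        m = HOP.match(line)
        if m:
            hops.append({"from": m["frm"], "by": m["by"], "info": m["info"] or ""})
    return hops

def delivery_path(headers: str) -> list:
    """Origin-first list of hosts; the 'by' of one hop is normally the 'from'
    of the next, so consecutive duplicates are collapsed."""
    path = []
    for h in reversed(parse_hops(headers)):
        for host in (h["from"], h["by"]):
            if not path or path[-1].lower() != host.lower():
                path.append(host)
    return path

def entry_ip(headers: str, own_domain: str):
    """Public IP of the first host outside own_domain that handed the message
    to our infrastructure (walking from the newest hop back); None if absent."""
    for h in parse_hops(headers):
        m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", h["from"] + " " + h["info"])
        if (m and ipaddress.ip_address(m.group(1)).is_global
                and not h["from"].lower().endswith(own_domain)):
            return m.group(1)
    return None
```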
Whois Databases
• Contain registration information for the Domain Name System and IP addresses
• Examples
  • www.dnsstuff.com
  • www.arin.net
  • www.samspade.org
  • www.networksolutions.com