Cyber Crime

Presentation Transcript


  1. Cyber Crime • Special Thanks to • Special Agent Martin McBride for sharing most of this information in his talk at Siena last semester

  2. Criminal Activity Today has shifted to the Internet

  3. Canadian Lottery Scam • A call from Canada: • You’ve won the Canadian Lotto • We’ll protect your winnings from US capital gains taxes (i.e., Canadian Bank) • Just pay the Canadian Lotto tax 0.5% and we’ll set everything up • You say: • You mean I just have to pay you $5000 and you’ll put $1,000,000 in my own Canadian Bank Account. Sounds great!

  4. Canadian Lottery Scam • It's estimated that over $10,000,000 has been scammed off people in just the US. • The scammers are so sophisticated that they get direct mailing/marketing lists and target specific demographics (homeowners over 65). • http://www.experian.com/products/listlink_express.html • Thank you Experian!

  5. Canadian Lottery Scam • The scammers use cloned cell phones • Checks are sent to “Mailboxes Etc.” • set up using a stolen identity • The FBI and RCMP have developed counter-measures • Thus, the scammers have retreated to the Internet, where they have greater reach and less risk.

  6. Criminal Activity Today • Phishing • Nigerian Letters Fraud • Internet Sales Fraud • Carding • Intrusions • Viruses & Worms

  7. Criminal Activity Today-continued- • Distributed Denial of Service (DDOS) • Spam Attack/DDOS • Intellectual Property Theft • Sabotage

  8. Phishing • uses spam, spoofed e-mails and fraudulent websites to • deceive consumers into disclosing credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information • by hijacking the trusted brands of well-known banks, online retailers and credit card companies

  9. Phishing (sample PayPal e-mail) • “We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you now [sic] be taken through a verification process. Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause. Please click here [link target: http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html] and fill in the correct information to verify your identity. NOTE: Failure to complete the verification process or providing wrong information will lead to account suspension or even termination.”

  10. Nigerian Letter Fraud • Claiming to be • Nigerian officials, • business people or • the surviving spouses of former government honchos, • con artists offer to transfer millions of dollars into your bank account in exchange for a small fee.

  11. Nigerian Letter Fraud • If you respond, you may receive "official looking" documents. • Typically, you're then asked to • provide blank letterhead and • your bank account numbers, • as well as some money to cover transaction and transfer costs and attorney's fees.

  12. Nigerian Letter Fraud • You may even be encouraged to travel to Nigeria or a border country to complete the transaction. • Sometimes, the fraudsters will produce trunks of dyed or stamped money to verify their claims. • Inevitably, though, emergencies come up, requiring more of your money and delaying the "transfer" of funds to your account; • in the end, there aren't any profits for you to share, and the scam artist has vanished with your money.

  13. Internet Sales Fraud • Overpayment scheme (eBay) • A buyer accidentally overpays you • $1000 check rather than $100 check • Buyer says, “My mistake, but you owe me $900 if you cash that check.” • Buyer says, “Dude man! I need that $900 bucks, since this was my mistake, if you wire me $800 bucks, the check is yours.” • You get an additional $100 for your trouble, cool!

  14. Internet Sales Fraud • Did you know that if you deposit a check worth $10,000 or more at HSBC, it can take over 5 business days for it to clear or for the bank to realize it's fraudulent. • A week gives a scammer a long time to put pressure on you to return the overpayment. • Perhaps the overpayment is $9000. • Guess what? If you send a wire transfer or a money order out of your account, your account balance is immediately reduced (instantaneous at the time the order or wire is entered into their system). • Thank you HSBC for making it easy to scam me!

  15. Internet Sales Fraud • Alexey Ivanov and others • auctioned non-existent items on eBay • bid on own items using stolen credit cards • as high bidder, paid himself through Paypal

  16. Carding • “Carding” is the illegal use of credit card numbers. Carders: • Acquire valid credit card numbers (not their own) • Use them to make purchases • Sell them to others • Trade them over the Internet

  17. Carding • Maxus, a Russian, stole 300,000 credit card numbers from CDUniverse.com • Maxus’ scheme was broken into 4 basic parts: • Wholesaling Cards — Cards were distributed to trusted partners, mainly in lots of 1,000, for $1 each. • Re-selling Cards — Cards were then sold by Maxus' partners. These "re-sellers" sold card numbers mainly in blocks of 50. The price to the "end consumer" was around $500. • Pure Liquidation — Maxus set himself up as an online retailer, and used the stolen numbers as if they belonged to his customers • End Users — Individuals would use the cards bought from Maxus to conduct their own fraud.

  18. Intrusions • Unauthorized access into a computer • Different types of intruders • Hackers – create code to exploit vulnerabilities • Script-kiddies – use code readily available over the Internet to exploit vulnerabilities • Insiders - former employees whose accounts were not disabled upon termination

  19. Intrusions • Example • Bob leaves Experian for Equifax • Equifax is a competitor to Experian • Bob uses the same password at Equifax that he had used while at Experian • Equifax has to crack Bob’s password because no one can get into his account to retrieve the work he left behind • Experian decides to try Bob’s password on Equifax’s e-mail system • It worked! • Experian attempts to steal customers from Equifax by intercepting e-mail sent to Bob’s account at Equifax.

  20. Viruses, Worms, & Trojans • Viruses are computer code written to degrade the health of a computer or computer network • Worms are viruses that are written such that they can spread themselves to other computers • Trojans are viruses that remain dormant or hidden until a certain action is taken or a specified period of time has elapsed

  21. Denial of Service (DOS) • An attack in which a large network of compromised computers is used to attack a target computer • Examples • Mafiaboy - Feb 2000 • Yahoo!, eBay, CNN.com, eTrade, and others • DDOS attack against 9 of 13 root servers – Oct 2002

  22. Intellectual Property Theft • The unauthorized acquisition and/or distribution of proprietary computer software or data files

  23. Intellectual Property Theft • Example • Online warez pirates • Buy or steal copies of software programs such as video games or operating systems • Illegally share the programs through FTP servers located throughout the world • Hundreds and perhaps thousands of organized groups exist • Many groups contain hundreds of members

  24. Sabotage • Deliberate destruction of the functionality of a computer or computer network

  25. Insiders • Greatest threat to computer networks • Know the system • Have access via user accounts • Security lapses • Easy-to-guess passwords • Share accounts/passwords • Hostile terminations/revenge

  26. Criminal Cyber Crime Techniques • Casing the establishment • Footprinting • Scanning • Enumeration (Hacking Exposed, Second Edition)

  27. Casing the Establishment • Footprinting • Locate a potential target • Learn everything about target network • Map the network • Domain names in use • Routable IP address range • Services running and versions used • Firewalls and Intrusion Detection Systems (Hacking Exposed, Second Edition)

  28. Casing the Establishment • Scanning • Turning door knobs and seeing if windows are locked • Search for vulnerabilities • Ping sweep • Determine what systems are up and running • Trace route • Port scan • ID operating system • ID applications running • Cheops (does it all) (Hacking Exposed, Second Edition)

  29. Casing the Establishment • Enumeration • Open the door and look inside (cross the line) • Active connection to target is established to • ID valid user accounts • ID poorly protected resource shares • Social Engineering • Gain access to inside human resources • “Dumpster diving” – go through the trash (Hacking Exposed, Second Edition)

  30. Hacking the Target • Directly connect to shared resources • Use that access to dig deeper • Install backdoors/Trojans • Crack passwords for administrator accounts • Dictionary and Brute Force • L0phtcrack • John the Ripper • Crack (Hacking Exposed, Second Edition)

  31. Hacking the Target • Privilege escalation • When you have the password for a non-admin account • Use Trojans to give yourself an admin account • e.g. change the Dir command so that it adds a new user • Install and run sniffers • Keystroke loggers (Hacking Exposed, Second Edition)

  32. Hiding the Trail • Proxy Servers • Make Web queries on behalf of inquiring computer • Query traces to proxy rather than point of origin • Anonymizers • E-mail spoofing • IP spoofing

  33. [Diagram: Bad Guy → Proxy 1 → Proxy 2 → Destination]

  34. Cyber Crime Investigations • Big Brother is Watching

  35. Following the Trail • Server logs • E-mail headers • Whois databases • Human resources

  36. Critical Concept • Internet Protocol (IP) addressing • Every computer connected to the Internet has a unique IP address assigned while it is connected • #.#.#.# (e.g. 192.168.1.100) • Each # is 0 to 255 • 256 possibilities • 2^8 (binary math) • 255 = 1111 1111

  37. Critical Concept • Static addresses • Like telephone numbers • Don’t change • Easy to find day after day • Dynamic addresses • Different each time you connect • Difficult to find from one use to the next

  38. Server Logs • Domain Controllers • Access logs • Web Servers • FTP Servers • E-mail Servers

  39. Tracking via Server Logs
  192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
  192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
  192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
  192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
  192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102

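An added example, not from the talk, that turns the access-log lines above into an investigator's timeline: it parses the Common Log Format fields, pulls the mailbox and session token that the webmail URL path appears to carry (assumed from the URL shape on the slide, not from sqwebmail documentation), and groups requests by client IP and token so you can see who used which mailbox, when, and what they did.

```python
import re
from datetime import datetime

# The five access-log entries from the slide above (Apache Common Log Format).
SAMPLE_LOG = """\
192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102
"""

# Common Log Format: client ip, identd, user, [timestamp], "request line", status, bytes.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?:\d+|-)$')
# Assumption from the URL shape: /sqwebmail/login/<mailbox>/<hex session token>/<login time>.
SESSION = re.compile(r'/sqwebmail/login/(?P<mailbox>[^/]+)/(?P<token>[0-9A-F]+)/\d+')

def parse_line(line):
    """Return a dict for one log entry, or None if the line is not in CLF."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    s = SESSION.search(rec["path"])
    rec["mailbox"], rec["token"] = (s.group("mailbox"), s.group("token")) if s else (None, None)
    form = re.search(r"form=(\w+)", rec["path"])   # readmsg / newmsg; a bare POST is a form submit
    rec["action"] = rec["method"] + " " + (form.group(1) if form else "submit")
    return rec

def session_timeline(lines):
    """Group entries by (client ip, session token): which mailbox, first/last seen, and the actions taken."""
    sessions = {}
    for rec in filter(None, map(parse_line, lines)):
        s = sessions.setdefault((rec["ip"], rec["token"]),
                                {"mailbox": rec["mailbox"], "first": rec["ts"], "last": rec["ts"], "actions": []})
        s["first"], s["last"] = min(s["first"], rec["ts"]), max(s["last"], rec["ts"])
        s["actions"].append(rec["action"])
    return sessions

def sample_sessions():
    return session_timeline(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for (ip, token), s in sample_sessions().items():
        print(ip, token, s["mailbox"], s["first"], "->", s["last"], len(s["actions"]), "requests:", s["actions"])
```

The same grouping works over a whole day of logs; a token seen from two different client IPs, or a mailbox read from an address it never came from before, is the kind of anomaly worth a second look.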

  41. E-mail Headers • Normal Headers • To:, From:, Date:, and Subj: • Full Headers • Record of path an e-mail takes from its origin to its destination

  42. Full headers of a sample e-mail:
  Return-Path: <ebreimer@siena.edu>
  Delivered-To: mmcbride@leo.gov
  Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101]) by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
  Received: from dell61 (localhost [127.0.0.1]) by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641 for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
  Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61 via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
  Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126]) by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
  Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
  Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
  X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
  Content-class: urn:content-classes:message
  MIME-Version: 1.0
  Content-Type: text/plain; charset="iso-8859-1"
  Content-Transfer-Encoding: quoted-printable
  Subject: Radio Interview
  Date: Thu, 15 Apr 2004 14:01:35 -0400
  Message-ID: <8DEC59405C543C4D88AF28B7AAB0F87302A47CC4@EXCHANGE2.siena.edu>
  X-MS-Has-Attach:
  X-MS-TNEF-Correlator:
  Thread-Topic: Radio Interview
  Thread-Index: AcQjE7E0Ke2vVSlaR5mlEdbMSjmvMw==
  From: "Breimer, Eric" <ebreimer@siena.edu>
  To: <mmcbride@leo.gov>
  Cc: <grimmcom@nycap.rr.com>
  X-UIDL: 'B?!!L^)#!ce^"!Hf_"!

  43. E-mail Headers (the Received lines that record the path)
  Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126]) by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
  Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
  Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
  X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
  Content-class: urn:content-classes:message
  MIME-Version: 1.0
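An added example, not part of the talk, that reconstructs the path of the message above from its Received headers: each relay prepends its own line, so reading them bottom-up gives origin to destination. It also marks the first hop stamped by a relay in the recipient's own domain (passed in as a parameter, leo.gov for this message), since the lines below that point were written by machines outside the recipient's control and could be forged.

```python
import re
from email.utils import parsedate_to_datetime

# The Received headers of the message on the slides above, in the order they appear (newest first).
SAMPLE_RECEIVED = [
    "Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101]) by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)",
    "Received: from dell61 (localhost [127.0.0.1]) by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641 for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)",
    "Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61 via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400",
    "Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126]) by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)",
    "Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400",
    "Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400",
]

# "from <sender as claimed/seen> by <relay> <details>; <date>" (case-insensitive: one relay writes FROM/BY).
HOP = re.compile(r'^Received:\s+from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)\s*(?P<rest>[^;]*)(?:;\s*(?P<date>.*))?$',
                 re.IGNORECASE)
IPV4 = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')

def parse_hop(header):
    """One Received line -> {from, ip, by, when}; None if it does not have the from/by shape."""
    m = HOP.match(header)
    if not m:
        return None
    frm = m.group("frm")
    ip = IPV4.search(frm)                      # the bracketed address is what the relay actually saw
    return {"from": frm.split()[0].strip("[]"), "ip": ip.group(1) if ip else None,
            "by": m.group("by"), "when": parsedate_to_datetime(m.group("date")) if m.group("date") else None}

def delivery_path(received_headers):
    """Relays prepend their line, so reversing the list yields origin-to-destination order."""
    hops = [h for h in map(parse_hop, received_headers) if h]
    hops.reverse()
    return hops

def first_trusted_hop(hops, our_domain):
    """Index of the first hop stamped by a relay in our_domain. Hops before it were written by
    machines we do not control, so the trail is only reliable from this point on."""
    for i, h in enumerate(hops):
        if h["by"].lower().endswith(our_domain.lower()):
            return i
    return None

if __name__ == "__main__":
    path = delivery_path(SAMPLE_RECEIVED)
    trusted = first_trusted_hop(path, "leo.gov")
    for i, h in enumerate(path):
        print(i, "trusted" if i >= trusted else "unverified", h["from"], h["ip"], "->", h["by"], h["when"])
```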

  44. Whois Databases • Contain registration information for the Domain Name System and IP addresses • Examples • www.dnsstuff.com • www.arin.net • www.samspade.org • www.networksolutions.com
