
Computer Crime


Presentation Transcript


  1. Computer Crime COEN 1

  2. Classification
  • Computers as an instrument of crime
    • Check forgery
    • Child pornography
    • e-auction fraud, identity theft
    • Phishing
    • most criminal activity
  • Computers as a target of a crime
    • Intrusion
    • botnets for spamming
    • Identity theft
    • Alteration of websites

  3. Email Investigations: Overview
  • Email has become a primary means of communication.
  • Email can easily be forged.
  • Email can be abused:
    • Spam
    • Aid in committing a crime …
    • Threatening email, …

  4. Email Investigations: Overview
  • Email evidence:
    • Is in the email itself
      • Header
      • Contents
    • In logs:
      • Left behind as the email travels from sender to recipient.
      • Law enforcement uses subpoenas to follow the trace.
      • System admins have some logs under their control.
  • Notice: All fakemailing that you will be learning can be easily traced.

  5. Email Fundamentals
  • Email travels from the originating computer to the receiving computer through email servers.
  • All email servers add to the header.
  • Use important internet services to interpret and verify the data in a header.

  6. Email Fundamentals
  • Typical path of an email message (diagram): Client → Mail Server → Mail Server → Mail Server → Client

  7. Email Protocols:
  • Email programs such as Outlook or GroupWise are client applications.
  • They need to interact with an email server:
    • Post Office Protocol (POP)
    • Internet Message Access Protocol (IMAP)
    • Microsoft's Mail API (MAPI)
  • Web-based email uses a web page as the interface to an email server.

  8. Email Protocols:
  • A mail server stores incoming mail and distributes it to the appropriate mailbox.
  • Behavior afterwards depends on the type of protocol.
  • Accordingly, the investigation needs to be done at the server or at the workstation.

  9. Email Protocols:

  10. Email Protocols: SMTP
  • Neither IMAP nor POP is involved in relaying messages between servers.
  • Simple Mail Transfer Protocol: SMTP
    • Easy.
    • Has several extensions (ESMTP).
    • Can be spoofed:
      • By using an unsecured or undersecured email server.
      • By setting up your own SMTP server.

  11. Email Protocols: SMTP (How to spoof email)
    telnet endor.engr.scu.edu 25
    220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 14:58:49 -0800
    helo 129.210.16.8
    250 server8.engr.scu.edu Hello dhcp-19-198.engr.scu.edu [129.210.19.198], pleased to meet you
    mail from: jholliday@engr.scu.edu
    250 2.1.0 jholliday@engr.scu.edu... Sender ok
    rcpt to: tschwarz@scu.edu
    250 2.1.5 tschwarz@scu.edu... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    This is a spoofed message.
    .
    250 2.0.0 jBSMwnTd023057 Message accepted for delivery
    quit
    221 2.0.0 endor.engr.scu.edu closing connection

  12. Email Protocols: SMTP
    Return-path: <jholliday@engr.scu.edu>
    Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
    Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066443608@MGW2.scu.edu> for <tjschwarz@scu.edu>; Wed, 28 Dec 2005 15:00:29 -0800
    X-Modus-BlackList: 129.210.16.1=OK;jholliday@engr.scu.edu=OK
    X-Modus-Trusted: 129.210.16.1=NO
    Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34]) by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057 for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800
    Date: Wed, 28 Dec 2005 14:58:49 -0800
    From: JoAnne Holliday <jholliday@engr.scu.edu>
    Message-Id: <200512282300.jBSMwnTd023057@endor.engr.scu.edu>

    this is a spoofed message.
  This looks very convincing. Only hint: the Received line gives the name of my machine. If I were to use a machine without a fixed IP, then you could determine the DHCP address from the DHCP logs.

  13. Email Protocols: SMTP (How to spoof email)
  • Endor will only relay messages from machines that have properly authenticated themselves within the last five minutes.
  • Subject lines etc. are part of the data segment. However, any misspelling will put them into the body of the message.

  14. Email Protocols: SMTP (How to spoof email)
    telnet endor.engr.scu.edu 25
    220 endor.engr.scu.edu ESMTP Sendmail 8.13.5/8.13.5; Wed, 28 Dec 2005 15:36:13 -0800
    mail from: plocatelli@scu.edu
    250 2.1.0 plocatelli@scu.edu... Sender ok
    rcpt to: tschwarz@scu.edu
    250 2.1.5 tschwarz@scu.edu... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Date: 23 Dec 05 11:22:33
    From: plocatelli@scu.edu
    To: tschwarz@scu.edu
    Subject: Congrats

    You are hrby appointed the next president of Santa Clara University, effectively immediately.
    Best,
    Paul
    .
    250 2.0.0 jBSNaDlu023813 Message accepted for delivery
    quit

  15. Email Protocols: SMTP (How to spoof email)

  16. Email Protocols: SMTP
  • Things are even easier with Windows XP.
    • Turn on the SMTP service that each WinXP machine runs.
    • Create a file that follows the SMTP protocol.
    • Place the file in Inetpub/mailroot/Pickup

  17. Email Protocols: SMTP
  Pickup file:
    To: tschwarz@engr.scu.edu
    From: HolyFather@vatican.va

    This is a spoofed message.
  Resulting message:
    From HolyFather@vatican.va Tue Dec 23 17:25:50 2003
    Return-Path: <HolyFather@vatican.va>
    Received: from Xavier (dhcp-19-226.engr.scu.edu [129.210.19.226]) by server4.engr.scu.edu (8.12.10/8.12.10) with ESMTP id hBO1Plpv027244 for <tschwarz@engr.scu.edu>; Tue, 23 Dec 2003 17:25:50 -0800
    Received: from mail pickup service by Xavier with Microsoft SMTPSVC; Tue, 23 Dec 2003 17:25:33 -0800
    To: tschwarz@engr.scu.edu
    From: HolyFather@vatican.va
    Message-ID: <XAVIERZRTHEQXHcJcKJ00000001@Xavier>
    X-OriginalArrivalTime: 24 Dec 2003 01:25:33.0942 (UTC) FILETIME=[D3B56160:01C3C9BC]
    Date: 23 Dec 2003 17:25:33 -0800
    X-Spam-Checker-Version: SpamAssassin 2.60-rc3 (1.202-2003-08-29-exp) on server4.engr.scu.edu
    X-Spam-Level:
    X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME autolearn=no version=2.60-rc3

    This is a spoofed message.

  18. Email Protocols: SMTP
  • SMTP Headers:
    • Each mail server adds to the headers.
    • Additions are made at the top of the list.
    • Therefore, read the header from the bottom.
    • To read headers, you usually have to enable them in your mail client.

  19. URL Obscuring
  • Internet-based criminal activity that subverts web technology:
    • Phishing (fraud)
    • Traffic redirection
    • Hosting of illegal sites
    • Child pornography

  20. URL Obscuring
  • Internet-based fraud is gaining quickly in importance.
  • Phishing: The practice of enticing victims with spoofed email to visit a fraudulent web page. http://www.antiphishing.org/

  21. URL Obscuring
  • Technical Subterfuge:
    • Plants crimeware onto PCs.
    • Example: Vulnerable web browser executes remote script at a criminal website.
    • Just staying away from porn no longer protects you.
  • Payload:
    • Use Trojan keylogger spyware.
    • Search for financial data and send it to an untraceable email address.

  22. URL Obscuring
  • Social Engineering:
    • Target receives e-mail pretending to be from an institution, inviting them to go to the institution's website.
    • Following the link leads to a spoofed website, which gathers data.
  • It is possible to establish a web presence without any links:
    • Establish website with stolen / gift credit card.
    • Use email to send harvested information to an untraceable account, etc.
    • Connect through public networks.

  23. URL Obscuring: Phishing Example
  • Visible Link: https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html
  • Actual Link: http://www.verified-web-us.com/Visa%20USA%20%20Personal%20%20Protect%20Your%20Card.htm
  • Actual website IP: 209.35.123.41
  • Uses Java program to overwrite the visible address bar in the window:

  24. URL Obscuring: Phishing Example

  25. URL Obscuring
  • Phishers need to hide web servers
  • URL Obscuring
    • JavaScript or other active web technology overwrites the URL field
    • no longer possible in latest browsers
  • Other techniques to hide the web server address
    • Use hosts file
    • Hiding illegal web server at legal site
    • Hijacking site to host pages.

  26. URL Basics
  • Phishers can use obscure features of URLs.
  • URL consists of three parts:
    • Service
    • Address of server
    • Location of resource.
  http://www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html

  27. URL Basics
  • Scheme, colon, double forward slash.
  • An optional user name and password.
  • The internet domain name
    • RFC 1037 format
    • IP address as four decimal numbers.
  • Port number in decimal notation. (Optional)
  • Path + communication data.
  http://tschwarz:fiddlesticks@www.cse.scu.edu/~tschwarz/coen252_03/Lectures/URLObscuring.html
  http://www.google.com/search?hl=en&ie=UTF-8&q=phishing

  28. Obscuring URL Addresses
  • Embed URL in other documents
  • Use features in those documents to not show the complete URL
  http://www.usfca.edu@www.cse.scu.edu/~tschwarz/coen252_03/index.html
  URL rules interpret the part before @ as a userid. Hide this portion of the URL.

  29. Obscuring URL Addresses
  • Use the password field.
  • www.scu.edu has IP address 129.210.2.1.
  • Some browsers accept the decimal value 129*256**3 + 210*256**2 + 2*256 + 1 = 2178023937 for the IP address.
  • http://www.usfca.edu@2178023937
    • Works as a link.
    • Does not work directly in later versions of IE

  30. Obscuring URL Addresses
  • http://www.usfca.edu@129.210.2.1 works.
  • Hide the ASCII encoding of @:
    • http://www.usfca.edu%40129.210.2.1
  • Or just break up the name:
    • http://www.usfca.edu%40%127%167w.scu.edu
  • Or use active page technologies (javascript, …) to create fake links.
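As an added example (not part of the lecture), the following Python function reverses the tricks of slides 28 to 30 for a link found in a suspect message: it exposes the userinfo part, decodes a hidden %40, converts a decimal host number back to dotted form, and reports why a reader might be misled. The sample URLs are the obscured links from the slides plus the plain Google search URL from slide 27; the Python standard library does the parsing.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed inputs: the obscured links from slides 28-30 and a plain URL from slide 27.
SAMPLES = [
    "http://www.usfca.edu@www.cse.scu.edu/~tschwarz/coen252_03/index.html",
    "http://www.usfca.edu@2178023937",
    "http://www.usfca.edu%40129.210.2.1",
    "http://www.google.com/search?hl=en&ie=UTF-8&q=phishing",
]

def decimal_ip(dotted):
    """Single-number form of a dotted quad (129*256**3 + 210*256**2 + 2*256 + 1 for 129.210.2.1)."""
    return int(ipaddress.IPv4Address(dotted))

def true_destination(url):
    """Return the server a link really points to plus the reasons a reader might be misled."""
    flags = []
    if "%40" in url.lower():
        flags.append("encoded '@' hides the userinfo separator")
    parts = urlsplit(unquote(url))   # after decoding, the userinfo trick is visible to urlsplit
    host = parts.hostname or ""
    if parts.username:               # everything before '@' is login data, not the server
        flags.append(f"'{parts.username}' is userinfo, not the server")
    if host.isdigit() and int(host) < 2 ** 32:   # decimal IPv4, accepted by some browsers
        host = str(ipaddress.IPv4Address(int(host)))
        flags.append("host written as a decimal number")
    try:
        ipaddress.ip_address(host)
        flags.append("host is a bare IP address")
    except ValueError:
        pass                         # a normal domain name, nothing to add
    return {"host": host, "flags": flags}

if __name__ == "__main__":
    for u in SAMPLES:
        r = true_destination(u)
        print(u, "->", r["host"], "; ".join(r["flags"]))
```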

  31. 'Enroll your card with Verified By Visa program'
  • 2004: Phisher sends spam consisting of a single image (screenshot):

  32. 'Enroll your card with Verified By Visa program'
  • The whole text is a single image, linked to the correct Citi URL.
  • If the mouse hovers over the image, it displays the correct Citi URL.
  • But it is surrounded by an HTML box that leads to the phishing website.

  33. 'Enroll your card with Verified By Visa program'
  • Target web page has an address bar that is overwritten with a picture showing a different URL.
  • Go to www.antiphishing.org .

  34. Phishing
  • Phishers now use bogus https techniques.
    • Exploiting browser flaws to display the secure icon.
    • Hacking legitimate sites or frames from these sites directly.
    • Purchase and present certificates for sites named to resemble the target sites.
  • The SSL lock icon is no longer a guarantee for a legitimate site.

  35. Hiding Hosts
  • Name Look-Up:
    • OS checks the hosts file first.
    • Can use the hosts file to block out certain sites
      • ad servers
    • Affects a single machine.

  36. Subverting IP Look-Up
  • In general, not used for phishing.
    • Economic damage
      • Hillary for Senate campaign attack.
    • Hiding illegal websites. (Kiddie Porn)
  • DNS Server Sabotage
  • IP Forwarding

  37. Subverting IP Look-Up
  • Port Forwarding
    • URLs allow port numbers.
    • Legitimate business at the default port number.
    • Illegitimate at an obscure port number.
  • Screen clicks
    • Embed a small picture.
      • Single pixel.
    • Forward from the picture to the illegitimate site.
    • Easily detected in the HTML source code.
  • Password screens
    • Depending on access control, access to different sites.

  38. Phisher-Finder
  • Carefully investigate the message to find the URL.
    • Do not expect this to be successful unless the phisher is low-tech.
  • Capture network traffic with Ethereal (now Wireshark) to find the actual URL / IP address.
  • Use Sam Spade or similar tools to collect data about the IP address.

  39. Phisher-Finder
  • Capture network traffic with Ethereal when going to the site.
    • This could be dangerous.
    • Disable active web pages.
    • Do not use IE (too popular).
  • Look at the HTTP messages actually transmitted.
    • Expect some CGI etc. script.

  40. Phisher-Finder
  • The investigation now needs to find the person that has access to the website.
    • This is where you can expect to lose the trace.
  • The data entered can be transmitted in various forms, such as anonymous email.
    • For example, they can be sent to a free email account.
    • The ISP usually has the IP data of the computer from which the account was set up and from which the account was recently accessed.
    • The perpetrator can use publicly available computers and / or unencrypted wireless access points.
    • The investigator is usually left with vague geographical data.

  41. Email Investigation
  • Email investigations derive evidence from:
    • Internal data:
      • Headers.
      • Contents.
    • External data:
      • Server logs.
      • Sending machine itself
        • As we will see.

  42. Email Investigation
  • Header Analysis:
    • Most recent entries are at the top of the header.
    • Resolve all inconsistencies of information.
    • Resolve all IP addresses.
    • Create a timeline.
      • Allow for clock drift between different sites.
    • Compare entries generated (allegedly) by known servers with previous ones.
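As an added example (not part of the lecture slides), this Python script automates the header analysis steps of slides 18 and 42 on the header from slide 12: it reads the Received: lines from the bottom up, pulls out the claimed name, the address the receiving server saw and the receiving server for each hop, and flags hops the relay could not verify, breaks in the relay chain, and timestamps that run backwards by more than a drift allowance. The sample is a constructed, trimmed copy of the slide 12 header; the Received: field layout it assumes is the Sendmail-style "from X (Y) by Z ...; date" form shown on that slide.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed sample (trimmed copy of the slide 12 header), not part of the lecture.
SAMPLE = """\
Received: from MGW2.scu.edu [129.210.251.18] by gwcl-22.scu.edu; Wed, 28 Dec 2005 15:00:29 -0800
Received: from endor.engr.scu.edu (unverified [129.210.16.1]) by MGW2.scu.edu (Vircom SMTPRS 4.2.425.10) with ESMTP id <C0066443608@MGW2.scu.edu> for <tjschwarz@scu.edu>; Wed, 28 Dec 2005 15:00:29 -0800
Received: from bobadilla.engr.scu.edu (bobadilla.engr.scu.edu [129.210.18.34]) by endor.engr.scu.edu (8.13.5/8.13.5) with SMTP id jBSMwnTd023057 for tjschwarz@scu.edu; Wed, 28 Dec 2005 15:00:54 -0800
Date: Wed, 28 Dec 2005 14:58:49 -0800
From: JoAnne Holliday <jholliday@engr.scu.edu>

this is a spoofed message.
"""

# "from <claimed name> (<what the receiver saw>) ... by <receiving server>"
HOP_RE = re.compile(r"from\s+(?P<claimed>\S+)(?:\s+\((?P<seen>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(value):
    """Split one Received: value into the fields an investigator has to resolve."""
    head, _, stamp = value.rpartition(";")
    m = HOP_RE.search(head)
    ip = IP_RE.search(head)
    return {
        "claimed": m.group("claimed"),        # name the sender gave in HELO/EHLO
        "seen": m.group("seen") or "",        # reverse DNS / verification result
        "by": m.group("by"),                  # server that wrote this line
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(stamp.strip()),
    }

def analyze(raw, drift=300):
    """Return hops oldest-first (bottom of header first) and a list of inconsistencies."""
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    notes = []
    for i, hop in enumerate(hops):
        if "unverified" in hop["seen"]:
            notes.append(f"hop {i}: {hop['by']} could not verify {hop['claimed']} [{hop['ip']}]")
        if i and hops[i - 1]["by"] != hop["claimed"]:
            notes.append(f"hop {i}: claims to come from {hop['claimed']}, previous relay was {hops[i - 1]['by']}")
        if i and (hops[i - 1]["time"] - hop["time"]).total_seconds() > drift:
            notes.append(f"hop {i}: clock runs backwards by more than {drift}s")
    return hops, notes

if __name__ == "__main__":
    hops, notes = analyze(SAMPLE)
    for h in hops:   # the first printed hop names the originating machine the lecturer points out
        print(h["time"].isoformat(), h["claimed"], h["ip"], "->", h["by"])
    print("\n".join(notes) or "no inconsistencies")
```

On the slide 12 header the only finding is that MGW2.scu.edu could not verify endor's address; the 25-second backward step between endor and MGW2 stays within the drift allowance.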

  43. Email Investigation
  • Law Enforcement (LE) can use subpoenas for the investigation of log files.
  • The same is true for private entities through the use of John Doe lawsuits.

  44. Phishing Investigation
  • Find the true URL to identify the server with which a potential victim interacts.
    • Difficult since phishers change sites frequently.
    • Using a network tracer when accessing a website can speed things up.
  • Use the subpoena process to obtain
    • log records of email
    • contact information for websites, redirection services, etc.
  • Try to obtain information amicably as often as possible.
    • Outside of the US.
    • To guard volatile information

  45. Case Examples: 1. A. Kornblum, Microsoft
  • A. Kornblum: Searching for John Doe: Finding Spammers and Phishers
  • Used a John Doe lawsuit to obtain subpoenas for a phisher that became active in September 2003.

  46. Case Examples: 1. A. Kornblum, Microsoft
  • Originating emails
    • Traced ultimately to an ISP in India, from where not enough data could be obtained.
  • Traced websites:
    • At each round, a subpoena request would yield the IP address of a controlling website.
    • Hosting company in San Francisco.
    • Another hosting company in San Francisco.
    • Redirection server in Austria.
      • Owner did not like spammers and handed out the record voluntarily.
    • IP controlled by Qwest.
    • 69-year-old Qwest customer in Davenport, Iowa.
      • Who had grandson Jayson Harris living with him.
  • MS involved the FBI, who raided the household and obtained three machines.
  • MS sued Jayson Harris and obtained a $3M default judgment against him.
  • Criminal charges are pending.

  47. Case Examples: 2. High School Death Threats
  • Blog sites allow comments by anonymous friends.
  • Death threats were made anonymously on a high-school related blog.
  • XPD (name altered) was informed by the principal.

  48. Case Examples: 2. High School Death Threats
  • XPD contacted the blog site, but the owner/operator did not have valid contact data.
  • However, the blog site operator gave out the IP address from which the comment originated.
  • XPD went to the ISP to obtain the address of the computer to which the IP was assigned at the time of the threat.
  • XPD obtained a search warrant for the premises of the owner of the address.
    • The owner was a respectable, older community member.
    • XPD assumed that there was a grandson involved.
