560 likes | 574 Views
Explore different cyber criminal profiles, new schemes, and the business models behind them. Raise awareness in the public and industry.
E N D
Menace 2 the WiresAdvances in the Business Models of Cyber Criminals-Guillaume Lovet
Presentation Objectives • Recall different Cyber Criminals profiles • Recognize new cyber criminal schemes and understand where they originate from • Identify and quantify the business models behind • Raise public and industry awareness
Agenda • Quick reminders: • Cyber criminals profiles • Cybercrime Marketplace • Cybercrime Currency • Mass Injections: from harmless defacements to MPack • Threats 2.0: from the desktop to online applications • Auction Fraud: from your account to your door
Introduction • Cybercrime: criminal activity in which computers or networks are involved • Cybercrime profits (World): $50 billionto $100 billionper annum
Introduction (II) • Awareness increase • How do Cyber criminals sustain their profits? • Our habits evolve, blurring the online/real life line • Cybercrime evolves accordingly
Quick RemindersCyber criminals:Profiles, Marketplace, Currencies
Cyber criminals profiles • Coders the skilled • Kids the workforce • Mob the puppet masters? • Drops the mules
Cybercrime Currency • e-gold • Anonymity • Irreversibility • Independence • Wired cash • Irreversible • Crosses borders instantly • Fairly anonymous
A bit of history • Defacing: Replacing the victim’s web server index page • Mainstream in the early 2000s • Moderately destructive • Common Characteristics: • Custom, usually dark gfx • Patriotism • Leet speech • Admin taunting • Linux preaching/ Microsoft bashing
What for ?! • Mass-defacements highly regarded • But motivation was not financial gain • Rarely carries a real political message • So why?
For that! • Based on the common characteristics, defacing expresses a need to: • assert one’s belonging to a group • assert one’s national identity (wider group) • assert one’s competences / capacities • do something “forbidden” • compete with others • In a nutshell: Defacers = Teenagers growing
The Mpack case: Taking over Italy • Mpack is a web-application serving malicious content to visitors • The malicious content exploits several flaws in various browsers, making it a “drive by install” tool (No user interaction is needed from the victim) • Mpack is sold by a gang of Russian “coders” for about $700
Mpack Case: What happened in June 2007? • Thousands of Italian websites compromised • 90% of those sites were hosted by Aruba.it • Possible flaw exploited in the server hosting all those sites • Still under investigation • A malicious Iframe was injected in each hacked site • silently led visitors to a Mpack server, infecting thousands of them
Mpack Case: the business model behind • Costs • Mpack software: $700 • Compromising a host company server hosting thousands of sites: $10,000 (assuming 0day) • Script inserting IFrames into each page: little skill, or about $50
Mpack Case: the business model behind • Profits • Using each one of the 10,000 infected computers as a spam relay (“one shot” operation) • Assuming: • Sending 100K emails before being blacklisted • Advertisers pay 0.03 cents per email: 10,000 x 100K x $0.0003 = $300,000 • Using each one of the 10,000 infected computers for Adware planting: • $32,000 (monthly)
Mpack case: the business model behind • Total Costs: $10,750 • Total Profits (first month): $332,000 • Gain (first month):$321,259 • Productivity index (Profits/Costs): 31
Web 2.0 • Detailed inputs about the "Web 2.0" concept -> outside ofour scope • A quote that puts Web 2.0 in a nutshell: “seemingly every aspect of our data [is] moving toward online apps and away from the traditional desktop model“ (Wired Magazine)
Consequences on the Threat Landscape • Raise in online identity theft attacks • Impersonating a user on an online app allows for: • Retrieving the victim’s personal data • Performing actions on the victim’s behalf • Arsenal: • Phisher Worms • XSS / CSRF • Plain old client-side trojaning
Phisher Worm outlines • Combines Phishing and Automation • Malicious code sits on the server, not on the victim’s computer • Advanced Phisher Worms exist, resorting to tricky user-provided HTML, redirectors and mind-tricks • Spreads exponentially fast: the average user has about 100 friends
XSS / CSRF Worms • Cross Site Scripting (XSS) exploits the trust that the client has for the vulnerable website • Typically used to steal cookies and hijack sessions on the vulnerable site • Cross Site Request Forgery (CSRF) exploits the trust that the vulnerable website has for the user • Typically used to execute actions on behalf of the victim on the vulnerable site (eg: send a message, modify some personal settings, etc…)
XSS / CSRF Worms (continued) • In 2005: Sammy’s worm (for fun) => over one million friends within 20 hours • In Dec. 2006: Quickspace worm (for profit): • viewing = getting infected • Being infected = infecting others + having a banner on your profile • It did happen and it will likely happen again (XSS/CSRFhard to spot) • Main Question: What is the point ?!
The Business Logic Behind: Model (Costs) Costs • Assuming: • Target: Posting an ad every week (so that it is always on the front page) for a month to 60,000 individual profiles • Price to pay for each posted ad: Equals 10 times the average price to pay a bot herder for sending out one spam email (~ $0.003) • Renting the services of a social networking site phisher: 60,000 x $0.003 x 4 = $720 per month
The Business Logic Behind: Model(Profits) Profits • Assuming: • Each ad is viewed on average 30 times per day (equals the average daily page views per profile on MySpace) • Posted ads click-through rate: 5% • Pay per click rate: $0.05 • Pay per click affiliate program monthly revenue: 60,000 ads x 30 daily views x 30 days x 5% x $0.05 = $135,000 per month
The Business Logic Behind: Model(Summary) • Summary • Total Costs: $720 • Total Profits: $135,000 • Gain: $134,280 • Productivity index (Profits/Costs): 187 • Bottom line? • more or less masqueraded spam is flourishing on social networking sites • may seem innocuous at first sight • But very organized and yields outstanding profitability figures
“eBaying” • The term “eBaying” has two meanings… • eBaying guides sold on IRC • As old as eBay itself • Evolution over the past two years: • Automation • Risk taking
Plain Bogus Item • One of the easiest and quickest way to make money on the internet: • Choose an item with high buzz factor, or a real bargain • Create an account and set up a bogus auction • Use low-ball to obtain payment via WU / MG • Cash in (possibly via a drop) and vanish • GOTO 1 • Gives raise to amusing situations
Bogus Item with User Feedback • Used to work well, but with user awareness increase: difficult selling from accounts with no feedback • To sustain productivity: Need to find a way to get a hold of an account with good feedback at will • There are really only two solutions: • Steal It • Craft it
Steal It: Costs • Costs (covering the actual Phishing operation) • Phishing Kit: Scam letter + scam page: $5 • Fresh spam list: $8 • php-mailers to spam out 100K emails for 6 hours: $30 • Hacked site for hosting scam page for a couple of days: $10 • Valid cc to register domain name: $10
Steal It: Profits • Profits Assuming: • A phishing success rate of 0.0001 • Half of the hooked accounts suitable for bogus auction • An average price of $4,000 for the items sold 10 x 0.5 x $4,000 = $20,000
Steal It: Summary • Summary • Total costs: $63 • Total profits: $20,000 • Productivity Index (Profits/Costs): 317 • Notes: • Raw profits not impressive, but P.I. is outstanding • Selling more valued items may boost P.I. but increase risks and decrease robustness
Craft It: Broker Bots • Many "buy it now" items at the price of 1 cent with no delivery cost (usually eBooks, pictures, wallpapers, etc.)
Craft It: Recollection • Someone is massively creating randomly named, ”spider” user accounts • Spiders seek & buy 1-cent "buy it now" items • The seller script is emailing the spider with the item, and posts its standard feedback on his profile • The spider automatically responds with a standard feedback comment on the seller’s profile In a nutshell: two bots are talking – and doing business
Craft It: Model • Costs: • Building 100 accounts with 15 positive feedback messages each: $0.1 x 100 x 15 = $15 • Profits: Assuming • A moderate scam success rate of ¼ • Moderately priced bogus items (about $100) 100 x 1/4 x $100 = $2,500