1 / 56

Menace 2 the Wires: Advances in Cyber Criminal Business Models

Explore different cyber criminal profiles, new schemes, and the business models behind them. Raise awareness in the public and industry.

wilburl
Download Presentation

Menace 2 the Wires: Advances in Cyber Criminal Business Models

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Menace 2 the WiresAdvances in the Business Models of Cyber Criminals-Guillaume Lovet

  2. Presentation Objectives • Recall different Cyber Criminals profiles • Recognize new cyber criminal schemes and understand where they originate from • Identify and quantify the business models behind • Raise public and industry awareness

  3. Agenda • Quick reminders: • Cyber criminals profiles • Cybercrime Marketplace • Cybercrime Currency • Mass Injections: from harmless defacements to MPack • Threats 2.0: from the desktop to online applications • Auction Fraud: from your account to your door

  4. Introduction • Cybercrime: criminal activity in which computers or networks are involved • Cybercrime profits (World): $50 billionto $100 billionper annum

  5. Introduction (II) • Awareness increase • How do Cyber criminals sustain their profits? • Our habits evolve, blurring the online/real life line • Cybercrime evolves accordingly

  6. Quick RemindersCyber criminals:Profiles, Marketplace, Currencies

  7. Cyber criminals profiles • Coders the skilled • Kids the workforce • Mob the puppet masters? • Drops the mules

  8. Cybercrime Marketplace

  9. Cybercrime Currency • e-gold • Anonymity • Irreversibility • Independence • Wired cash • Irreversible • Crosses borders instantly • Fairly anonymous

  10. E-gold feedback

  11. Hey Doug, Still Baffled?

  12. E-gold indictment charges

  13. Mass Injections…from harmless defacements to MPack

  14. A bit of history • Defacing: Replacing the victim’s web server index page • Mainstream in the early 2000s • Moderately destructive • Common Characteristics: • Custom, usually dark gfx • Patriotism • Leet speech • Admin taunting • Linux preaching/ Microsoft bashing

  15. Defaced Page Paradigm

  16. What for ?! • Mass-defacements highly regarded • But motivation was not financial gain • Rarely carries a real political message • So why?

  17. For that! • Based on the common characteristics, defacing expresses a need to: • assert one’s belonging to a group • assert one’s national identity (wider group) • assert one’s competences / capacities • do something “forbidden” • compete with others • In a nutshell: Defacers = Teenagers growing

  18. Another, more recent example (2007)

  19. The Mpack case: Taking over Italy • Mpack is a web-application serving malicious content to visitors • The malicious content exploits several flaws in various browsers, making it a “drive by install” tool (No user interaction is needed from the victim) • Mpack is sold by a gang of Russian “coders” for about $700

  20. Mpack Case: What happened in June 2007? • Thousands of Italian websites compromised • 90% of those sites were hosted by Aruba.it • Possible flaw exploited in the server hosting all those sites • Still under investigation • A malicious Iframe was injected in each hacked site • silently led visitors to a Mpack server, infecting thousands of them

  21. Mpack Case: a snippet of compromised sites

  22. Mpack Case: Stats Server

  23. Mpack Case: the business model behind • Costs • Mpack software: $700 • Compromising a host company server hosting thousands of sites: $10,000 (assuming 0day) • Script inserting IFrames into each page: little skill, or about $50

  24. Mpack Case: the business model behind • Profits • Using each one of the 10,000 infected computers as a spam relay (“one shot” operation) • Assuming: • Sending 100K emails before being blacklisted • Advertisers pay 0.03 cents per email: 10,000 x 100K x $0.0003 = $300,000 • Using each one of the 10,000 infected computers for Adware planting: • $32,000 (monthly)

  25. Mpack case: the business model behind • Total Costs: $10,750 • Total Profits (first month): $332,000 • Gain (first month):$321,259 • Productivity index (Profits/Costs): 31

  26. Threats 2.0…from the desktop to online applications

  27. Web 2.0 • Detailed inputs about the "Web 2.0" concept -> outside ofour scope • A quote that puts Web 2.0 in a nutshell: “seemingly every aspect of our data [is] moving toward online apps and away from the traditional desktop model“ (Wired Magazine)

  28. Consequences on the Threat Landscape • Raise in online identity theft attacks • Impersonating a user on an online app allows for: • Retrieving the victim’s personal data • Performing actions on the victim’s behalf • Arsenal: • Phisher Worms • XSS / CSRF • Plain old client-side trojaning

  29. Phisher Worm / Social WormExample

  30. Rogue Login Page

  31. Phisher Worm outlines • Combines Phishing and Automation • Malicious code sits on the server, not on the victim’s computer • Advanced Phisher Worms exist, resorting to tricky user-provided HTML, redirectors and mind-tricks • Spreads exponentially fast: the average user has about 100 friends

  32. XSS / CSRF Worms • Cross Site Scripting (XSS) exploits the trust that the client has for the vulnerable website • Typically used to steal cookies and hijack sessions on the vulnerable site • Cross Site Request Forgery (CSRF) exploits the trust that the vulnerable website has for the user • Typically used to execute actions on behalf of the victim on the vulnerable site (eg: send a message, modify some personal settings, etc…)

  33. XSS / CSRF Worms (continued) • In 2005: Sammy’s worm (for fun) => over one million friends within 20 hours • In Dec. 2006: Quickspace worm (for profit): • viewing = getting infected • Being infected = infecting others + having a banner on your profile • It did happen and it will likely happen again (XSS/CSRFhard to spot) • Main Question: What is the point ?!

  34. The Business Logic BehindExample

  35. The Business Logic BehindExample

  36. The Business Logic Behind: Model (Costs) Costs • Assuming: • Target: Posting an ad every week (so that it is always on the front page) for a month to 60,000 individual profiles • Price to pay for each posted ad: Equals 10 times the average price to pay a bot herder for sending out one spam email (~ $0.003) • Renting the services of a social networking site phisher: 60,000 x $0.003 x 4 = $720 per month

  37. The Business Logic Behind: Model(Profits) Profits • Assuming: • Each ad is viewed on average 30 times per day (equals the average daily page views per profile on MySpace) • Posted ads click-through rate: 5% • Pay per click rate: $0.05 • Pay per click affiliate program monthly revenue: 60,000 ads x 30 daily views x 30 days x 5% x $0.05 = $135,000 per month

  38. The Business Logic Behind: Model(Summary) • Summary • Total Costs: $720 • Total Profits: $135,000 • Gain: $134,280 • Productivity index (Profits/Costs): 187 • Bottom line? • more or less masqueraded spam is flourishing on social networking sites • may seem innocuous at first sight • But very organized and yields outstanding profitability figures

  39. Auction Fraud…from your account to your door

  40. “eBaying” • The term “eBaying” has two meanings… • eBaying guides sold on IRC • As old as eBay itself • Evolution over the past two years: • Automation • Risk taking

  41. Plain Bogus Item • One of the easiest and quickest way to make money on the internet: • Choose an item with high buzz factor, or a real bargain • Create an account and set up a bogus auction • Use low-ball to obtain payment via WU / MG • Cash in (possibly via a drop) and vanish • GOTO 1 • Gives raise to amusing situations

  42. Plain Bogus Item: The Magic Pen

  43. Bogus Item with User Feedback • Used to work well, but with user awareness increase: difficult selling from accounts with no feedback • To sustain productivity: Need to find a way to get a hold of an account with good feedback at will • There are really only two solutions: • Steal It • Craft it

  44. Steal It: Costs • Costs (covering the actual Phishing operation) • Phishing Kit: Scam letter + scam page: $5 • Fresh spam list: $8 • php-mailers to spam out 100K emails for 6 hours: $30 • Hacked site for hosting scam page for a couple of days: $10 • Valid cc to register domain name: $10

  45. Steal It: Profits • Profits Assuming: • A phishing success rate of 0.0001 • Half of the hooked accounts suitable for bogus auction • An average price of $4,000 for the items sold 10 x 0.5 x $4,000 = $20,000

  46. Steal It: Summary • Summary • Total costs: $63 • Total profits: $20,000 • Productivity Index (Profits/Costs): 317 • Notes: • Raw profits not impressive, but P.I. is outstanding • Selling more valued items may boost P.I. but increase risks and decrease robustness

  47. Craft It: Broker Bots • Many "buy it now" items at the price of 1 cent with no delivery cost (usually eBooks, pictures, wallpapers, etc.)

  48. Spot The Seven Differences

  49. Craft It: Recollection • Someone is massively creating randomly named, ”spider” user accounts • Spiders seek & buy 1-cent "buy it now" items • The seller script is emailing the spider with the item, and posts its standard feedback on his profile • The spider automatically responds with a standard feedback comment on the seller’s profile In a nutshell: two bots are talking – and doing business

  50. Craft It: Model • Costs: • Building 100 accounts with 15 positive feedback messages each: $0.1 x 100 x 15 = $15 • Profits: Assuming • A moderate scam success rate of ¼ • Moderately priced bogus items (about $100) 100 x 1/4 x $100 = $2,500

More Related