Computer Crime and Intellectual Property Section
Large-Scale Internet Crimes: Global Reach, Vast Numbers, and Anonymity
Albert Rees, Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, United States Department of Justice
June 2010, slide 1, Computer Crime and Intellectual Property Section

REMJA Working Group on Cybercrime: www.oas.org/juridico/spanish/ and www.oas.org/juridico/english/
Computer Crime and Intellectual Property Section: www.cybercrime.gov
[email protected], +1 (202) 514-1026
June 2010, slide 2, OEA-REMJA USDOJ-CCIPS

Agenda
- Globalization of crime
- Some vexing problems: anonymity, botnets, carding, digital currency
Globalization of Crime
- The Internet knows no borders
- Criminals exploit the Internet: global reach, anonymity, safe havens, mass targets
Global Cybercrime Snapshots – 2009
- Botnets*
  6.8 million bot-infected computers; 47,000 active each day; 17,000 new command and control servers
*Symantec Internet Security Threat Report, Vol. XV, April 2010

[Figure: Geographic distribution of infected computers in a single ZeuS botnet.]
Source: Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010

Global Cybercrime Snapshots – 2009
- 2.9 million new malicious code threats*
- Data breaches from hacking – examples**
  160,000 health insurance and medical records – university
  530,000 social security numbers – government agency
  570,000 credit card records – business
  750,000 customer records – mobile telephone service provider
  130,000,000 credit card numbers – credit card processor
*Symantec Internet Security Threat Report, Vol. XV, April 2010
**Open Security Foundation, Dataloss Database, 2009

[Figure] Source: Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010

Online Underground Economy
[Figure] Source: Symantec Internet Security Threat Report, Vol. XV, April 2010

The Players
- Cyber-economy crime organizations
- Traditional organized crime – drugs, guns, goods, people
- Gangs
- Extremists – terrorist organizations
- Professional hackers
- Spammers
- Cybercrime organizations
Some Vexing Problems
- Anonymity
- Botnets
- Carding forums
- Digital currency

Anonymity

Attribution is Difficult…Impossible?
- Savvy online criminals know how to hide
- False identification: domain name registration, stolen credit cards, services that do not verify user information
- Online tools: proxies, anonymizing networks, peer-to-peer
  Decentralized – Segmented – Redundant – Resilient
Web Proxy
- Sits between ISP and web server
- ISP and web server no longer talk to each other directly
- Result: user anonymity from web server
[Diagram: USER – ISP – WEB PROXY – WEB SERVER]

Web Proxies
[Screenshot: type in the site you want]

Web-Based Proxies
[Screenshot callouts: "The proxy gets the site and passes it to you"; "You are still communicating with the proxy"]
Peer-to-Peer File Sharing (P2P)
- Sharing files, using servers as little as possible

Old style P2P
- Relied on a server to keep track of the peers
[Diagram: "Who has KIDDIE.MPG?" – "Second computer from the right."]

Newer style P2P
- Uses “supernodes” instead of central servers
[Diagram: "Who has KIDDIE.MPG?" – "One of my nodes has it." – "I’ll ask the other supernodes."]

P2P today: Gigatribe and Darknets
- Small, private communities sharing files
- Difficult to find and enter

P2P today: BitTorrent
- Efficient technology for a huge number of people to share huge files
- Tracker: knows which computer has which pieces of the file
- To join, get a .torrent file that identifies the tracker
- Leecher: peer still downloading
- Seeder: peer offering all pieces
Anonymizing Network: Tor
- Tor = The Onion Router, an anonymity network that routes communication through multiple proxies, each with an independent layer of encryption (like an onion)
- Client = computer using Tor for anonymity
- Onion Router (OR) = computer that forwards data and anonymizes it (currently about 1200)
- Circuit = path taken by data through ORs
[Diagram: Client – OR – OR – OR – Web Server]
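The web-proxy and Tor slides above describe what each intermediary can see. The following Python simulation (added here; not part of the original presentation) contrasts a single web proxy, which knows both the user and the site, with a three-hop onion circuit in which each OR learns only its previous and next hop. It uses a toy HMAC-based keystream in place of Tor's real ciphers, and the OR names, keys and request string are constructed.

```python
import hashlib
import hmac
import json

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream from HMAC-SHA256 over a counter (illustration only, not Tor's cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call adds and removes one encryption layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def web_proxy(user: str, site: str) -> dict:
    """Single web proxy: the web server sees only the proxy, but the proxy sees both ends."""
    return {"server_sees": "proxy", "proxy_knows": (user, site)}

def build_onion(circuit, destination: str, payload: str):
    """Wrap the payload in one layer per OR; the innermost layer belongs to the last OR.
    circuit = [(OR name, key shared between the client and that OR), ...] (constructed)."""
    layer, nxt = payload, destination
    for name, key in reversed(circuit):
        layer = xor(json.dumps({"next": nxt, "data": layer}).encode(), key).hex()
        nxt = name
    return nxt, layer  # first hop and the fully wrapped onion

def peel(key: bytes, onion_hex: str):
    """One OR removes only its own layer and learns just the next hop."""
    cell = json.loads(xor(bytes.fromhex(onion_hex), key))
    return cell["next"], cell["data"]

def route(circuit, destination: str, payload: str):
    """Forward the onion hop by hop, recording what each OR learns (previous hop, next hop)."""
    keys = dict(circuit)
    hop, onion = build_onion(circuit, destination, payload)
    prev, views = "client", []
    while hop in keys:
        nxt, onion = peel(keys[hop], onion)
        views.append((hop, prev, nxt))
        prev, hop = hop, nxt
    # hop is now the destination, onion the plaintext payload, prev the address the server sees
    return hop, onion, prev, views

def any_or_sees_both_ends(views, client="client", destination="webserver") -> bool:
    """True only if some single OR could link the client to the destination."""
    return any(p == client and n == destination for _, p, n in views)
```

Running `route([("OR1", b"k1"), ("OR2", b"k2"), ("OR3", b"k3")], "webserver", "GET / HTTP/1.1")` delivers the request with the server seeing only OR3, while no OR in the recorded views knows both the client and the web server.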
Botnets

What is a Botnet?
- A network of robots (bots). Robot: an automatic machine that can be programmed to perform specific tasks
- Also known as ‘Zombies’
- Thousands of computers controlled
- A powerful network at “no cost”

Purpose of a Botnet
- Distributed denial of service attacks
- Advertising – spamming
- Sniffing traffic
- Keylogging
- Spreading new malware
- Installing advertisements
- Attacking IRC networks
- Manipulating online polls or games
- Mass identity theft

IRC Botnets
- Earlier botnets controlled by a Command and Control (C2) server
[Diagram: botnet user – C2 server – bots]

IRC Botnets
- Newer botnets distribute control and have redundant C2 servers
[Diagram: botnet user – multiple C2 servers – bots]

P2P Botnets
- Distributed control

P2P Botnets
- Hard to disable
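The three botnet slides above (single C2, redundant C2, P2P) explain why takedowns get harder as control is distributed. The following Python model (added here; not from the original presentation) measures the fraction of bots that can still receive commands after named nodes are removed from each topology. The node names, bot counts and random peer graph are constructed for illustration.

```python
import random
from collections import deque

def reachable(graph, sources):
    """Breadth-first search over a directed graph {node: set(neighbours)}."""
    seen, queue = set(sources), deque(sources)
    while queue:
        node = queue.popleft()
        for peer in graph.get(node, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen

def single_c2(n_bots):
    """Earlier IRC-style botnet: one C2 server that every bot listens to."""
    graph = {"C2": {f"bot{i}" for i in range(n_bots)}}
    graph.update({f"bot{i}": set() for i in range(n_bots)})
    return graph, ["C2"]

def redundant_c2(n_bots, n_c2):
    """Newer IRC-style botnet: several C2 servers, each able to reach every bot."""
    servers = [f"C2-{j}" for j in range(n_c2)]
    graph = {s: {f"bot{i}" for i in range(n_bots)} for s in servers}
    graph.update({f"bot{i}": set() for i in range(n_bots)})
    return graph, servers

def p2p(n_bots, degree, seed=1):
    """P2P botnet: bots relay commands to random peers; no dedicated server exists."""
    rng = random.Random(seed)
    bots = [f"bot{i}" for i in range(n_bots)]
    graph = {b: set() for b in bots}
    for b in bots:
        for peer in rng.sample([x for x in bots if x != b], degree):
            graph[b].add(peer)
            graph[peer].add(b)  # peer links are bidirectional
    return graph, bots[:2]  # constructed: the two peers used as command entry points

def control_fraction(graph, controllers, dead):
    """Share of surviving bots that still receive commands once the `dead` nodes are removed."""
    live = {n: {m for m in nb if m not in dead} for n, nb in graph.items() if n not in dead}
    entry = [c for c in controllers if c not in dead]
    bots = {n for n in live if n.startswith("bot")}
    return len(reachable(live, entry) & bots) / len(bots) if bots else 0.0
```

Removing the only C2 in `single_c2` drops control to zero, removing one of three servers in `redundant_c2` changes nothing, and removing ten bots from the P2P mesh leaves nearly all of the rest reachable, which is the "hard to disable" property the slides refer to.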
Carding

What is Carding?
- Carding: large-scale fraudulent use of stolen credit or debit card information
- Carding forums: websites and bulletin boards dedicated to carding
- Data usually comes from phishing/spamming or data breaches, rather than “real world” thefts
- Bulk transactions (“dumps”) are the norm
- Credit card data can be encoded on plastic cards for card-present transactions

What do Carding Forums Offer?
- Identity documents
- Stolen financial information
- User names and passwords
- “Full info” – package of data on victim
- Card-making equipment and blanks
- Tutorials on how to be a carder or hacker
Digital Currency

Characteristics of Digital Currency
- Often “backed” by a precious metal such as gold
- May involve both an issuer and an exchanger
- Can be transferred to other digital currency
- Popular with cyber-criminals

Example:
- WebMoney Transfer (www.wmtransfer.com)
- Based in Russia
- Open account by downloading WebMoney client and providing name, address, and e-mail address
- Accepts bank transfers, credit cards, money orders, and cash
- Can transfer funds from one account to another

Summary
- Globalization of crime
- Some vexing problems: anonymity, botnets, carding, digital currency