Computer Crime and Intellectual Property Section

Large-Scale Internet Crimes: Global Reach, Vast Numbers, and Anonymity

Albert Rees, Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, United States Department of Justice

June 2010

REMJA Working Group on Cybercrime
www.oas.org/juridico/spanish/
www.oas.org/juridico/english/

Computer Crime and Intellectual Property Section
www.cybercrime.gov
[email protected]
+1 (202) 514-1026

Agenda

- Globalization of crime
- Some vexing problems
  - Anonymity
  - Digital currency

Globalization of Crime

- The Internet knows no borders
- Criminals exploit the Internet
  - Global reach
  - Anonymity
  - Safe havens
  - Mass targets

Global Cybercrime Snapshots – 2009

- Botnets*
  - 6.8 million bot-infected computers
  - 47,000 active each day
  - 17,000 new command and control servers

*Symantec Internet Security Threat Report, Vol. XV, April 2010

(Figure: geographic distribution of infected computers in a single ZeuS botnet)

(Figure: Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010)

Global Cybercrime Snapshots – 2009

- 2.9 million new malicious code threats*
- Data breaches from hacking – examples**
  - 160,000 health insurance and medical records – university
  - 530,000 social security numbers – government agency
  - 570,000 records – business
  - 750,000 customer records – mobile telephone service provider
  - 130,000,000 credit card numbers – credit card processor

*Symantec Internet Security Threat Report, Vol. XV, April 2010
**Open Security Foundation, Dataloss Database, 2009

(Figure: Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010)

Online Underground Economy

(Figure: Symantec Internet Security Threat Report, Vol. XV, April 2010)

The Players

- Cyber-economy crime organizations
- Traditional organized crime – drugs, guns, goods, people
- Gangs
- Extremists – terrorist organizations
- Professional hackers
- Spammers
- Cybercrime organizations

Some Vexing Problems

- Anonymity
- Botnets
- Carding forums
- Digital currency

Anonymity

Attribution is Difficult… Impossible?

- Savvy online criminals know how to hide
- False identification
  - Domain name registration
  - Stolen credit cards
  - Services that do not verify user information
- Online tools
  - Proxies
  - Anonymizing network
  - Peer-to-peer

Decentralized – Segmented – Redundant – Resilient

Web Proxy

- Sits between ISP and web server
- ISP and web server no longer talk to each other directly
- Result: user anonymity from web server

(Diagram: USER – ISP – WEB PROXY – WEB SERVER)

Web Proxies

(Screenshot callout: “Type in the site you want”)

Web-Based Proxies

(Screenshot callouts: “The proxy gets the site and passes it to you”; “You are still communicating with the proxy”)

Peer-to-Peer File Sharing (P2P)

- Sharing files, using servers as little as possible

Old Style P2P

- Relied on a server to keep track of the peers

(Diagram callouts: “Who has KIDDIE.MPG?” – “Second computer from the right.”)

Newer Style P2P

- Uses “supernodes” instead of central servers

(Diagram callouts: “Who has KIDDIE.MPG?” – “One of my nodes has it.” – “I’ll ask the other supernodes.”)

P2P Today: Gigatribe and Darknets

- Small, private communities sharing files
- Difficult to find and enter

P2P Today: BitTorrent

- Efficient technology for a huge number of people to share huge files
- Tracker: knows which computer has which pieces of the file
- To join, get a .torrent file that identifies the tracker
- Leecher: peer still downloading
- Seeder: peer offering all pieces

Anonymizing Network: Tor

- Tor = The Onion Router, an anonymity network that routes communication through multiple proxies, each with an independent layer of encryption (like an onion)
- Client = computer using Tor for anonymity
- Onion Router (OR) = computer that forwards data and anonymizes it (currently about 1200)
- Circuit = path taken by data through ORs

(Diagram: Client – OR – OR – OR – Web Server)
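The onion-routing bullets above, as an added illustration that is not from the slides: a Python simulation of a three-OR circuit in which the client wraps its request in one encryption layer per OR and each OR peels exactly one layer, learning only the next hop, so no single OR sees both the client and the plaintext request. The OR names, the destination name, the per-hop keys and the HMAC-based toy stream cipher are constructed stand-ins for Tor's real circuit key exchange and AES-CTR; the byte layout is illustrative, not Tor's cell format.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
DESTINATION = "web.example"  # constructed destination, not from the slides
# Constructed per-hop keys; real Tor derives one with each OR during circuit setup.
CIRCUIT = [(n, hashlib.sha256(n.encode()).digest()) for n in ("OR1", "OR2", "OR3")]

def keystream(key, nonce, length):
    """Toy HMAC-SHA256 counter-mode keystream standing in for Tor's AES-CTR layer."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_crypt(key, nonce, data):
    """Symmetric: the same call adds or removes one encryption layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def build_onion(route, payload):
    """Client: wrap the request once per OR, exit layer first. Each layer holds only
    the next hop's name plus the still-encrypted inner layers (the onion)."""
    data, next_hop = payload, DESTINATION
    for name, key in reversed(route):
        nonce = os.urandom(NONCE_LEN)
        data = nonce + xor_crypt(key, nonce, next_hop.encode() + b"\0" + data)
        next_hop = name
    return data

def peel(key, onion):
    """OR: strip one layer with this OR's key -> (next_hop, inner_onion)."""
    nonce, body = onion[:NONCE_LEN], onion[NONCE_LEN:]
    next_hop, _, inner = xor_crypt(key, nonce, body).partition(b"\0")
    return next_hop.decode(errors="replace"), inner

def run_circuit(route, onion):
    """Forward hop by hop; record (OR, next hop, bytes on the wire) each OR sees."""
    observed = []
    for name, key in route:
        next_hop, onion = peel(key, onion)
        observed.append((name, next_hop, onion))
    return next_hop, onion, observed   # destination, plaintext request, per-OR view

if __name__ == "__main__":
    dest, plain, seen = run_circuit(CIRCUIT, build_onion(CIRCUIT, b"GET / HTTP/1.1"))
    for name, nxt, data in seen:   # only the exit OR forwards the plaintext request
        print(name, "->", nxt, data[:8].hex())
    print(dest, plain)
```

Running it shows OR1 and OR2 forwarding only ciphertext and a next-hop name, while OR3 (the exit) is the first to see the request and the destination, which is why attribution back to the client requires more than observing any one OR.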

Botnets

What is a Botnet?

- A network of robots (bots)
  - Robot: an automatic machine that can be programmed to perform specific tasks
- Also known as ‘zombies’
- Thousands of computers controlled
- A powerful network at “no cost”

Purpose of a Botnet

- Distributed denial of service attacks
- Advertising –
- Sniffing traffic
- Keylogging
- Spreading new
- Installing advertisements
- Attacking IRC networks
- Manipulating online polls or games
- Mass

IRC Botnets

- Earlier botnets controlled by a Command and Control (C2) server
- Newer botnets distribute and have redundant C2 servers

(Diagram label: Botnet user)

P2P Botnets

- Distributed control
- Hard to disable

Carding

What is Carding?

- Carding: large-scale fraudulent use of stolen credit or debit card information
- Carding forums: websites and bulletin boards dedicated to carding
- Data usually comes from /spamming or data breaches, rather than “real world” thefts
- Bulk transactions (“dumps”) are the norm
- Credit card data can be encoded on plastic cards for card-present transactions

What do Carding Forums Offer?

- Identity documents
- Stolen financial information
- User names and passwords
- “Full info” – package of data on victim
- Card-making equipment and blanks
- Tutorials on how to be a carder or hacker

Digital Currency

Characteristics of Digital Currency

- Often “backed” by a precious metal such as gold
- May involve both an issuer and an exchanger
- Can be transferred to other digital currency
- Popular with cyber-criminals

Example: WebMoney Transfer

- WebMoney Transfer (www.wmtransfer.com)
- Based in Russia
- Open an account by downloading the WebMoney client and providing name, address, and e-mail address
- Accepts bank transfers, credit cards, money orders, and cash
- Can transfer funds from one account to another

Summary

- Globalization of crime
- Some vexing problems
  - Anonymity
  - Botnets
  - Carding
  - Digital currency

REMJA Working Group on Cybercrime
www.oas.org/juridico/spanish/
www.oas.org/juridico/english/

Computer Crime and Intellectual Property Section
www.cybercrime.gov
[email protected]
+1 (202) 514-1026