Post on 20-Dec-2015


A High Tech Crime Investigation

Lessons learned by the National High Tech Crime Center

Hans Oude Alink, project leader NHTCC

November 2005


What is High Tech Crime

• Definition
  – Criminal activities with the help of (or used against) ICT or Internet

• Project HTC
  – Learning by doing
  – Vital infrastructures
  – Survey
  – International
  – PPP
  – Information exchange


Press release

‘Zombie’ network of more than 100,000 hacked computers

Last week, the Dutch National Police arrested three men, members of a group of cyber criminals, suspected of large-scale “hacking”. The men set up a worldwide network of over 100,000 hacked computers. The computers were automatically attacked and infected with a Trojan Horse, a piece of malware that will settle unnoticed in the computer of the victim.

Experts of the National High Tech Crime Centre (NHTCC) assisted in the investigation, led by the National Prosecutor. The network, a so-called ‘botnet’, was dismantled in co-operation with GOVCERT.NL, the Computer Emergency Response Team of the Dutch government, XS4All Internet and other providers.

With over 100,000 infected computers, the dismantled network is one of the largest investigated. The botnet consisted of hacked servers and PCs, receiving ‘zombie codes’ through computers all over the world. ‘Zombie’ networks are regarded as the biggest threat to the security of the Internet. The government and the industry acknowledge the dangers of networks like these.


BOTNET ACTIVITY

• Screen capture
• Spam
• Malware
• Spyware
• Phishing
• ID-theft
• Keylogging


Crimes and techniques

• Crimes
  – Computer intrusion
  – Phishing
  – ID-theft
  – E-bay hacking

• Techniques
  – Hacking
  – Botnets
  – Trojans
  – Keyloggers
  – Screen capture
  – Good coding skills!


Modus Operandi

• Seize every opportunity

• Switch easily

• Grow more sophisticated
  – Use of encryption

• Connected to organized crime
  – Professionalisation of high tech crime


Sources of Information

• Law enforcement
  – Wanted in the USA;
  – Information about “virus gang” in EU;
  – Intelligence from the UK;
  – Group known in NL;

• Industry
  – Report of hack
  – Virus information
  – Online auctions
  – Operational info!
  – Botnet expertise
  – “zombie” IPs


Disruption!

• Many compromised networks
  – Impossible to investigate them all

• Investigation alone is not enough;

• Technical measures, e.g.:
  – Block IPs via CERT networks;
  – Dismantle the botnets;
  – …;


Lessons learned

• Shift from DDoS to on-line fraud;

• Organised crime discovered the Internet;

• Too many opportunities for flexible cyber criminals;

• What about disruption?

• LE and industry cooperation


Thanks for your attention!
