Cyber Crime

• Special thanks to Special Agent Martin McBride for sharing most of this information in his talk at Siena last semester

Posted on 21-Dec-2015



Criminal Activity Today

• Criminal activity has shifted to the Internet

Canadian Lottery Scam

• A call from Canada:
– You’ve won the Canadian Lotto
– We’ll protect your winnings from US capital gains taxes (i.e., in a Canadian bank)
– Just pay the Canadian Lotto tax of 0.5% and we’ll set everything up

• You say:
– You mean I just have to pay you $5000 and you’ll put $1,000,000 in my own Canadian bank account? Sounds great!

Canadian Lottery Scam

• It’s estimated that over $10,000,000 has been scammed from people in the US alone.

• The scammers are so sophisticated that they obtain direct mailing/marketing lists and target specific demographics (homeowners over 65).

• http://www.experian.com/products/listlink_express.html

• Thank you, Experian!

Canadian Lottery Scam

• The scammers use cloned cell phones
• Checks are sent to a “Mailboxes Etc.” box
– set up using a stolen identity

• The FBI and RCMP have developed counter-measures

• Thus, the scammers have retreated to the Internet, where they have greater reach and less risk.

Criminal Activity Today

• Phishing

• Nigerian Letters Fraud

• Internet Sales Fraud

• Carding

• Intrusions

• Viruses & Worms

Criminal Activity Today (continued)

• Distributed Denial of Service (DDoS)

• Spam Attack/DDoS

• Intellectual Property Theft

• Sabotage

Phishing

• uses spam, spoofed e-mails and fraudulent websites to

• deceive consumers into disclosing credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information

• by hijacking the trusted brands of well-known banks, online retailers and credit card companies

<TABLE cellSpacing=0 cellPadding=0 width=600 align=center> <TBODY> <TR> <TD><FONT style="FONT-WEIGHT: 400; FONT-SIZE: 13px; FONT-FAMILY: verdana,arial,helvetica,sans-serif">We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you now be taken through a verification process.<BR><BR>Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.<BR><BR>Please <A href="http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html"><FONT color=#0033cc>click here</FONT></A> and fill in the correct information to verify your identity.<BR><BR>NOTE: Failure to complete the verification process or providing wrong information will lead to account suspension or even termination.</FONT></TD></TR></TBODY></TABLE><BR><BR>
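The lure above hijacks the PayPal brand by placing it in a subdomain label: the link’s registrable domain is auth23.net, not paypal.com. As an added example (not part of the original slides), this Python check flags links whose hostname mentions a brand without belonging to that brand’s domain; the brand-to-domain mapping is an assumed, illustrative list.

```python
# Added example (not from the original slides): flags links whose hostname
# borrows a brand name without belonging to the brand's domain. The phishing
# e-mail above links to verify.paypal.com.auth23.net:4180, where "paypal.com"
# is just a subdomain label and the registrable domain is auth23.net.
from urllib.parse import urlparse

# Assumed, illustrative mapping of brand keyword -> domains the brand controls.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

def host_belongs_to(hostname, domain):
    """True only if hostname equals `domain` or is a subdomain of it (label boundary)."""
    hostname = hostname.lower().rstrip(".")
    domain = domain.lower()
    return hostname == domain or hostname.endswith("." + domain)

def classify_link(href):
    """Return a dict describing why (if at all) the link looks like brand hijacking."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    result = {"host": host, "suspicious": False, "reasons": []}
    for brand, domains in BRAND_DOMAINS.items():
        if brand in host and not any(host_belongs_to(host, d) for d in domains):
            result["suspicious"] = True
            result["reasons"].append(f"'{brand}' in hostname but not under {sorted(domains)}")
    # Legitimate sites almost never serve account-verification pages on a non-standard port.
    if parsed.port not in (None, 80, 443):
        result["suspicious"] = True
        result["reasons"].append(f"non-standard port {parsed.port}")
    return result

# The href from the phishing e-mail shown on the slide.
PHISH_HREF = "http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html"
```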

Nigerian Letter Fraud

• Claiming to be
– Nigerian officials,
– business people, or
– the surviving spouses of former government honchos,

• con artists offer to transfer millions of dollars into your bank account in exchange for a small fee.

Nigerian Letter Fraud

– If you respond, you may receive "official-looking" documents.

• Typically, you're then asked to
– provide blank letterhead and
– your bank account numbers,
– as well as some money to cover transaction and transfer costs and attorney's fees.

Nigerian Letter Fraud

– You may even be encouraged to travel to Nigeria or a border country to complete the transaction.

– Sometimes, the fraudsters will produce trunks of dyed or stamped money to verify their claims.

– Inevitably, though, emergencies come up, requiring more of your money and delaying the "transfer" of funds to your account;

– in the end, there aren't any profits for you to share, and the scam artist has vanished with your money.

Internet Sales Fraud

• Overpayment scheme (eBay)

– A buyer accidentally overpays you
• $1000 check rather than $100 check

– Buyer says, “My mistake, but you owe me $900 if you cash that check.”

– Buyer says, “Dude man! I need that $900 bucks, since this was my mistake, if you wire me $800 bucks, the check is yours.”

– You get an additional $100 for your trouble, cool!

Internet Sales Fraud

• Did you know that if you deposit a check worth $10,000 or more at HSBC, it can take over 5 business days for it to clear or for the bank to realize it’s fraudulent?

• A week gives a scammer a long time to put pressure on you to return the overpayment.

• Perhaps the overpayment is $9000.

• Guess what? If you send a wire transfer or a money order out of your account, your account balance is immediately reduced (instantaneous at the time the order or wire is entered into their system).

• Thank you, HSBC, for making it easy to scam me!

Internet Sales Fraud

• Alexey Ivanov and others
– auctioned non-existent items on eBay
– bid on their own items using stolen credit cards
– as high bidder, paid themselves through PayPal

Carding

• “Carding” is the illegal use of credit card numbers. Carders:
– Acquire valid credit card numbers (not their own)
– Use them to make purchases
– Sell them to others
– Trade them over the Internet

Carding

• Maxus, a Russian, stole 300,000 credit card numbers from CDUniverse.com

• Maxus’ scheme was broken into 4 basic parts:

– Wholesaling Cards — Cards were distributed to trusted partners, mainly in lots of 1,000, for $1 each.

– Re-selling Cards — Cards were then sold by Maxus' partners. These "re-sellers" sold card numbers mainly in blocks of 50. The price to the "end consumer" was around $500.

– Pure Liquidation — Maxus set himself up as an online retailer, and used the stolen numbers as if they belonged to his customers.

– End Users — Individuals would use the cards bought from Maxus to conduct their own fraud.

Intrusions

• Unauthorized access into a computer

• Different types of intruders
– Hackers – create code to exploit vulnerabilities
– Script-kiddies – use code readily available over the Internet to exploit vulnerabilities
– Insiders – former employees whose accounts were not disabled upon termination

Intrusions

• Example
– Bob leaves Experian for Equifax
– Equifax is a competitor of Experian
– Bob uses the same password at Equifax that he had used while at Experian
– Equifax has to crack Bob’s password because no one can get into his account to retrieve the work he left behind
– Experian decides to try Bob’s password on Equifax’s e-mail system
• It worked!
– Experian attempts to steal customers from Equifax by intercepting e-mail sent to Bob’s account at Equifax.

Viruses, Worms, & Trojans

• Viruses are computer code written to degrade the health of a computer or computer network

• Worms are viruses that are written such that they can spread themselves to other computers

• Trojans are viruses that remain dormant or hidden until a certain action is taken or a specified period of time has elapsed

Denial of Service (DoS)

• An attack in which a large network of compromised computers is used to attack a target computer

• Examples
– Mafiaboy – Feb 2000
• Yahoo!, eBay, CNN.com, eTrade, and others
– DDoS attack against 9 of 13 root servers – Oct 2002

Intellectual Property Theft

• The unauthorized acquisition and/or distribution of proprietary computer software or data files

Intellectual Property Theft

• Example
– Online warez pirates
• Buy or steal copies of software programs such as video games or operating systems
• Illegally share the programs through FTP servers located throughout the world
• Hundreds and perhaps thousands of organized groups exist
– Many groups contain hundreds of members

Sabotage

• Deliberate destruction of the functionality of a computer or computer network

Insiders

• Greatest threat to computer networks
– Know the system
– Have access via user accounts
– Security lapses
• Easy-to-guess passwords
• Shared accounts/passwords
– Hostile terminations/revenge

Criminal Cyber Crime Techniques

• Casing the establishment
– Footprinting
– Scanning
– Enumeration

Hacking Exposed, Second Edition

Casing the Establishment

• Footprinting
– Locate a potential target
– Learn everything about the target network
• Map the network
• Domain names in use
• Routable IP address range
• Services running and versions used
• Firewalls and Intrusion Detection Systems

Hacking Exposed, Second Edition

Casing the Establishment

• Scanning
– Turning door knobs and seeing if windows are locked
– Search for vulnerabilities
• Ping sweep
– Determine what systems are up and running
• Trace route
• Port scan
– ID operating system
– ID applications running
• Cheops (does it all)

Hacking Exposed, Second Edition

Casing the Establishment

• Enumeration
– Open the door and look inside (cross the line)
– Active connection to target is established to
• ID valid user accounts
• ID poorly protected resource shares
– Social Engineering
• Gain access to inside human resources
• “Dumpster diving” – go through the trash

Hacking Exposed, Second Edition

Hacking the Target

• Directly connect to shared resources
– Use that access to dig deeper
• Install backdoors/Trojans
• Crack passwords for administrator accounts
– Dictionary and Brute Force
• L0phtcrack
• John the Ripper
• Crack

Hacking Exposed, Second Edition

Hacking the Target

• Privilege escalation
– When you have the password for a non-admin account
• Use Trojans to give yourself an admin account
– e.g. change the Dir command so that it adds a new user
• Install and run sniffers
– Keystroke loggers

Hacking Exposed, Second Edition

Hiding the Trail

• Proxy Servers
– Make Web queries on behalf of the inquiring computer
• Query traces to the proxy rather than the point of origin

• Anonymizers
– E-mail spoofing
– IP spoofing

[Diagram: Bad Guy, Proxy 1, Proxy 2, Destination – a chain of proxies between the bad guy and the destination]

Cyber Crime Investigations

Big Brother is Watching

Following the Trail

• Server logs

• E-mail headers

• Whois databases

• Human resources

Critical Concept

• Internet Protocol (IP) addressing
– Every computer connected to the Internet has a unique IP address assigned while it is connected
• #.#.#.# (e.g. 192.168.1.100)
– Each # is 0 to 255
» 256 possibilities
» 2^8 (binary math)
» 255 = 1111 1111

Critical Concept

• Static addresses
– Like telephone numbers
• Don’t change
• Easy to find day after day

• Dynamic addresses
– Different each time you connect
– Difficult to find from one use to the next

Server Logs

• Domain Controllers
– Access logs

• Web Servers

• FTP Servers

• E-mail Servers

Tracking via Server Logs

192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/[email protected]/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/[email protected]/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/[email protected]/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/[email protected]/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/[email protected]/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102

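The log above records one client reading a message, opening a reply and posting it, all from one IP and one session. As an added example (not part of the original slides), this Python parser reads lines in that Common Log Format and rebuilds a client’s timeline; the sample lines, IPs, mailbox and session token are constructed placeholders. Because sqwebmail carries the mailbox and session token in the URL path, both land in the access log, which helps the investigator and is a reason to protect log files.

```python
# Added example (not from the original slides): parses access-log lines in the
# Common Log Format shown above and rebuilds one client's webmail session.
# The sample lines are constructed; IPs, the mailbox and the session token are
# placeholders, not values from any real server.
import re
from datetime import datetime
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

SAMPLE_LOG = """\
192.0.2.10 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/user@example.net/SESSIONTOKENPLACEHOLDER/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.0.2.10 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/user@example.net/SESSIONTOKENPLACEHOLDER/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.0.2.10 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/user@example.net/SESSIONTOKENPLACEHOLDER/1032302396 HTTP/1.0" 302 426
198.51.100.7 - - [17/Sep/2002:17:49:58 -0500] "GET /webmail/ HTTP/1.0" 200 1200
this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["path"])
    parts = url.path.split("/")
    # sqwebmail carries the mailbox and session token in the path itself:
    # /webmail/cgi-bin/sqwebmail/login/<mailbox>/<token>/<login-time>
    rec["user"] = rec["token"] = None
    if "login" in parts:
        i = parts.index("login")
        rec["user"] = parts[i + 1] if len(parts) > i + 1 else None
        rec["token"] = parts[i + 2] if len(parts) > i + 2 else None
    query = parse_qs(url.query)
    rec["action"] = query.get("form", [rec["method"]])[0]  # readmsg, newmsg, ...
    rec["pos"] = query.get("pos", [None])[0]               # message position
    return rec

def session_timeline(log_text, ip):
    """Chronological (action, message position) pairs for one client IP."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == ip]
    recs.sort(key=lambda r: r["time"])
    return [(r["action"], r["pos"]) for r in recs]
```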

E-mail Headers

• Normal Headers
– To:, From:, Date:, and Subj:

• Full Headers
– Record of the path an e-mail takes from its origin to its destination

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101])
    by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B
    for <[email protected]>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost [127.0.0.1])
    by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641
    for <[email protected]>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61 via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126])
    by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF
    for <[email protected]>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Radio Interview
Date: Thu, 15 Apr 2004 14:01:35 -0400
Message-ID: <[email protected]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Radio Interview
Thread-Index: AcQjE7E0Ke2vVSlaR5mlEdbMSjmvMw==
From: "Breimer, Eric" <[email protected]>
To: <[email protected]>
Cc: <[email protected]>
X-UIDL: 'B?!!L^)#!ce^"!Hf_"!

E-mail Headers

Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126])
    by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF
    for <[email protected]>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
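Each relay prepends its own Received: header, so the path is read from the bottom up: the lowest header is the sender’s own mail server and the hop where the message entered the receiving network carries the external IP (66.194.176.8 above). As an added example (not part of the original slides), this Python code walks the Received: chain of a raw message and lists the hops in travel order; the sample message is constructed with documentation addresses and placeholder host names and ids.

```python
# Added example (not from the original slides): walks the Received: headers
# of a raw message and lists the hops in the order the mail actually travelled
# (the lowest Received: header is the earliest). The sample message is
# constructed with documentation addresses; host names and ids are placeholders.
import email
import re

SAMPLE_MESSAGE = """\
Return-Path: <sender@example.edu>
Received: from mailscan.example.gov (mailscan-pub.example.gov [192.0.2.101])
    by mail.example.gov (Postfix) with ESMTP id PLACEHOLDERID1
    for <agent@example.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from [198.51.100.8] by internetfw.example.gov via smtpd (for mx.example.gov [203.0.113.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.example.edu BY claven.example.edu ; Thu Apr 15 14:01:24 2004 -0400
From: "Sender, Some" <sender@example.edu>
To: <agent@example.gov>
Subject: Radio Interview

(body omitted)
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)

def received_hops(raw):
    """Return (from, by, timestamp) for each Received: header, earliest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # non-standard Received: line; keep going rather than abort
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append((m.group("from"), m.group("by"), stamp))
    hops.reverse()  # each relay prepends its header, so the last one listed is the origin
    return hops

def first_external_ip(raw):
    """IPv4 literal from the earliest hop that recorded one: the sender's handoff point."""
    for frm, _by, _stamp in received_hops(raw):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", frm)
        if m:
            return m.group(1)
    return None
```

Only the Received: lines added by servers you control can be trusted; anything below them was supplied by the sender and may be spoofed, which is why an investigation starts at the handoff into your own network.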

Whois Databases

• Contain registration information for the Domain Name System and IP addresses
– Examples
• www.dnsstuff.com
• www.arin.net
• www.samspade.org
• www.networksolutions.com

Human Resources

• Easiest way to find a criminal
– Find someone that knows what happened and is willing to tell what they know
– Find someone that has inside access to the type of hacking you are investigating and enlist their assistance

What Is InfraGard?

• A Cooperative Undertaking/Partnership
– U.S. Government (led by the FBI)
– Association of
• Businesses
• Academic institutions
• State and local law enforcement agencies
• Other participants

• Dedicated to increasing the security of United States’ critical infrastructures

What Is A Critical Infrastructure?

Services so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.

Executive Order 13010

Why Partner?

• Our businesses, our country, and our world depend on functional infrastructures
– Industries and infrastructures are interdependent
– More than 80 percent of U.S. infrastructures are owned and operated by the private sector
– Government has resources that are critical to successfully protecting all infrastructures

• Only by working together can the Nation’s infrastructures be properly protected
– InfraGard is a critical entity in bringing all the right players to the same table

How Did InfraGard Get Started?

• National InfraGard Program
– Pilot project in 1996
• Cleveland FBI Field Office asked local computer professionals to assist the FBI in determining how to better protect critical information systems in the public and private sectors
• First InfraGard Chapter was formed

What is the Cost?

• InfraGard is a not-for-profit membership organization
– There are no dues
– Cost is your time & energy

Who Should Join InfraGard?

• Infrastructure stakeholders
– Infrastructure providers
– Infrastructure end users (everyone?)

• Individuals with organizational skills
– Accountants
– Lawyers
– Managers
– Marketing Experts
– Etc.

Infrastructure Protection

• Infrastructure protection is everyone’s problem.

• Don’t get complacent! Get involved!