Copyright © 2005 AusCERT 1
Identity Theft - Australian Response
Jamie Gillespie jamie@auscert.org.au
Senior Security Analyst, AusCERT
Overview
• Scope of Identity Theft in Australia
• AusCERT’s Role
 – Local IR
 – International IR
 – Analysis
• Response Procedures
• Trends (Present and Future)
Scope of Australian ID theft
• Primary instances:
 – Target: Financial Institutions
 – Methods: Phishing web sites and Trojan malware
 – Perpetrators: evidence to suggest non-Australian based organised crime
• Other (incl. Government) systems have been “collateral damage” in attacks targeting financial institutions
• Smaller local incidents of identity theft
• Evidence of more targeted attacks against Australian (and other) government sites
Scope of Australian ID Theft
[Chart: ID Theft Incidents Handled by AusCERT, 1 April 2004 to 23 August 2005. Monthly incident counts (y-axis 0 to 180) for Apr 2004 through Aug 2005; series: Trojans, Phishes, Mules.]
Scope of Australian ID Theft
• Not just the banks…
• centrelink.gov.au – Government social services
• ebay.com.au
• etradeaustralia.com.au
• gu.edu.au – University
• iinet.net.au – ISP
• melbourneit.com.au
• myob.com.au
• optusnet.com.au
• qantas.com.au – Airline
• sa.gov.au
• thrifty.com.au – Car rental company
• .gov.au, .gov.uk, .gov, .mil
• “Question for seller”
• 8.7 MB of text
• Bitmap screenshots
• 1652 unique IP addresses
• 1130 domains
Scope of Australian ID Theft
Tsunami Trojan: Infections and Logging
[Chart: Tsunami Trojan: Infections and Logging. X-axis: date/time, 19/11/2004 to 19/12/2004; y-axis: logging site hits, 0 to 12000; series: Data logged, Trojan infections.]
AusCERT’s Role: Local
• Local response arrangements
 – Strong co-operation with the Australian High Tech Crime Centre (AHTCC)
 – Banking and Financial Sector information sharing and threat/incident analysis
 – AusCERT members and the general public
 – Australian ISPs
 – Local law enforcement mailing lists (local forensics groups)
AusCERT’s Role: International
• APCERT teams – excellent assistance in the rapid closure of sites within their constituencies
• CERTs, AV vendors and other security researchers providing reverse engineering and analysis
• CERT.br (Brazil) – future trends due to advanced local ID theft
• Other national CERTs assisting with site closure
AusCERT’s Role: International
• APACS and BFK – sharing incident response with AusCERT enabling (limited) 24 hour coverage
• Closed mailing lists: APWG, FIRST, APCERT, AVIEN, others
• ISPs and registrars (e.g. YesNIC)
AusCERT’s Role: Analysis
• Analysis
 – Mailing lists to share information and intelligence between banks and AusCERT
 – Crime survey
 – Threat analysis
 – Monitoring vulnerabilities, PoCs and exploit activity
Response Procedures
[Diagram: report intake. Reports of an Evil Scammer’s phishing sites and trojans reach the AusCERT CC Team through the following channels, and an Incident is Created.]
• Scam Reporter
 – Aus Bank
 – UK Bank
 – All Bank
• Banking Reporter
 – Phishing Report Form
 – Trojan Report Form
• Trawlinator
• Troj-O-Matic
• Web Report Scanner
• AusCERT CC Team → Incident Created!
Response Procedures
[Diagram: incident handling.]
• Incident → DNS/Whois and Contacts → Scamalizer
• Templates generated by Scamalizer:
 – AHTCC Template
 – APACS Template
 – Local CERT Template
 – ISP/Registrant Template
 – Virus-Submit Template
• Parties contacted by the AusCERT CC Team:
 – APACS
 – Virus-Submit
 – Local CERT
 – ISP/Registrant
 – Offending Website
Questions
Questions or comments ?