investigating large-scale internet crimes

Post on 11-Feb-2017

Computer Crime and Intellectual Property Section

June 2010

Large-Scale Internet Crimes
Global Reach, Vast Numbers, and Anonymity

Albert Rees
Computer Crime and Intellectual Property Section (CCIPS)

Criminal Division, United States Department of Justice

REMJA Working Group on Cybercrime
www.oas.org/juridico/spanish/
www.oas.org/juridico/english/

albert.rees@usdoj.gov
+1 (202) 514-1026

Computer Crime and Intellectual Property Section
www.cybercrime.gov

USDOJ-CCIPS
OEA-REMJA

Agenda

Globalization of crime

Some vexing problems

Anonymity
Botnets
Carding
Digital currency

Globalization of Crime

The Internet knows no borders

Criminals exploit the Internet

Global reach
Anonymity
Safe havens
Mass targets

Global Cybercrime Snapshots – 2009

Botnets*

6.8 million bot-infected computers
47,000 active each day
17,000 new command and control servers

*Symantec Internet Security Threat Report, Vol. XV, April 2010

Geographic distribution of infected computers in a single ZeuS botnet.

Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010

Global Cybercrime Snapshots – 2009

2.9 million new malicious code threats*

Data breaches from hacking – examples**

160,000 health insurance and medical records – university
530,000 social security numbers – government agency
570,000 credit card records – business
750,000 customer records – mobile telephone service provider

130,000,000 credit card numbers – credit card processor

*Symantec Internet Security Threat Report, Vol. XV, April 2010
**Open Security Foundation, Dataloss Database, 2009

Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010

Online Underground Economy

Symantec Internet Security Threat Report, Vol. XV, April 2010

The Players

Cyber-economy crime organizations
Traditional organized crime – drugs, guns, goods, people
Gangs
Extremists – terrorist organizations

Professional hackers
Spammers
Cybercrime organizations

Some Vexing Problems

Anonymity

Botnets

Carding Forums

Digital Currency

Anonymity

Attribution is Difficult… Impossible?

Savvy online criminals know how to hide

False identification
Domain name registration
Stolen credit cards
Services that do not verify user information

Online tools
Proxies
Anonymizing network
Peer-to-peer

Decentralized – Segmented – Redundant – Resilient

Web Proxy

Sits between ISP and web server
ISP and web server no longer talk to each other directly
Result: user anonymity from web server

Diagram: USER – ISP – WEB PROXY – WEB SERVER

Web Proxies

Type in the site you want

Web-Based Proxies

The proxy gets the site and passes it to you

You are still communicating with the proxy

Peer-to-Peer file sharing (P2P)

Sharing files, using servers as little as possible

Old style P2P

Relied on a server to keep track of the peers

Who has KIDDIE.MPG?

Second computer from the right.

Newer style P2P

Uses “supernodes” instead of central servers

Who has KIDDIE.MPG?

I’ll ask the other supernodes.

One of my nodes has it.

P2P today: Gigatribe and Darknets

Small, private communities sharing files

Difficult to find and enter

P2P today: BitTorrent

Efficient technology for a huge number of people to share huge files

Tracker: knows which computer has which pieces of the file

Leecher: peer still downloading

Seeder: peer offering all pieces

To join, get a .torrent file that identifies the tracker.
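To show what the .torrent file actually carries, here is an added Python example (not part of the presentation): a bencode parser that reads a constructed sample .torrent and pulls out the tracker URLs, content name, size, piece count and info-hash, the fields an investigator checks first. The tracker hostnames and file name are invented.

```python
import hashlib

def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value at offset i; return (value, offset just after it)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list l...e or dict d<key><value>...e
        out, i = ([] if c == b"l" else {}), i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            if c == b"l":
                out.append(v)
            else:
                out[v], i = bdecode(data, i)        # v is the key; now decode its value
        return out, i + 1
    if c.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        return data[start:start + n], start + n
    raise ValueError(f"malformed bencode at offset {i}")

def bencode(v) -> bytes:  # canonical encoder (sorted keys); rebuilds "info" for hashing
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(map(bencode, v)) + b"e"
    return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"

def torrent_summary(torrent: bytes) -> dict:  # the fields an investigator checks first
    meta, _ = bdecode(torrent)
    info = meta[b"info"]
    tiers = [[meta[b"announce"]]] + meta.get(b"announce-list", [])
    return {
        "trackers": sorted({t.decode() for tier in tiers for t in tier}),
        "name": info[b"name"].decode(),
        "length": info[b"length"],
        "pieces": len(info[b"pieces"]) // 20,                  # one 20-byte SHA-1 per piece
        "info_hash": hashlib.sha1(bencode(info)).hexdigest(),  # the id trackers and peers use
    }

# Constructed sample .torrent (not a real file): two 16 KiB pieces and one backup tracker.
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example/announce",
    b"announce-list": [[b"http://tracker.example/announce"], [b"udp://backup.example:6969"]],
    b"info": {b"name": b"sample.bin", b"piece length": 16384, b"length": 32768,
              b"pieces": hashlib.sha1(b"piece0").digest() + hashlib.sha1(b"piece1").digest()}})
```

Run `torrent_summary(open("file.torrent", "rb").read())` on a real file to list every tracker it points to; the info-hash is what tracker logs and peer lists key on.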

Anonymizing Network: Tor

Client = computer using Tor for anonymity

Onion Router (OR) = computer that forwards data and anonymizes it (currently about 1200)

Circuit = path taken by data through ORs

Diagram: Client – OR – OR – OR – Web Server

Tor = The Onion Router, an anonymity network that routes communication through multiple proxies, each with an independent layer of encryption (like an onion)
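As an added illustration of the layered encryption described above (toy code written for this page, not Tor's own), this Python script wraps a request in one layer per onion router and then peels the layers hop by hop, showing that each OR learns only its next hop and that only the exit sees the cleartext. The OR names and keys are constructed, and the SHA-256 keystream stands in for Tor's real ciphers.

```python
import hashlib

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. A stand-in for Tor's AES-CTR, not for real use."""
    blocks = (hashlib.sha256(key + ctr.to_bytes(4, "big")).digest() for ctr in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(data: bytes, key: bytes) -> bytes:
    """One encryption layer; the same call both adds and removes it."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build_onion(circuit, payload: bytes) -> bytes:
    """Client side: wrap the payload once per OR, exit layer first, entry layer last.
    circuit = [(OR name, key the client shares with that OR)], listed entry to exit."""
    next_hops = [name for name, _ in circuit[1:]] + [b"webserver"]
    cell = payload
    for (name, key), nxt in zip(reversed(circuit), reversed(next_hops)):
        cell = xor(nxt + b"|" + cell, key)   # this layer tells the OR only where to forward
    return cell

def relay(circuit, onion: bytes):
    """Network side: each OR peels one layer and forwards the rest.
    Returns (per-hop view, delivered payload); a view is (OR name, next hop, bytes forwarded)."""
    view, cell = [], onion
    for name, key in circuit:
        nxt, cell = xor(cell, key).split(b"|", 1)
        view.append((name, nxt, cell))
    return view, cell

# Constructed circuit with fixed keys so the demo is reproducible (real Tor negotiates keys per hop).
CIRCUIT = [(b"OR1", b"key-entry"), (b"OR2", b"key-middle"), (b"OR3", b"key-exit")]
REQUEST = b"GET / HTTP/1.1\r\nHost: webserver\r\n\r\n"

if __name__ == "__main__":
    for name, nxt, cell in relay(CIRCUIT, build_onion(CIRCUIT, REQUEST))[0]:
        print(name.decode(), "forwards to", nxt.decode(), "- sees cleartext:", cell == REQUEST)
```

The entry OR sees the client's address and OR2, the exit sees the cleartext and the web server but not the client, and no single hop sees both ends; that is why attribution through Tor is hard.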

Botnets

What is a Botnet?

A network of robots (bots)

Robot: an automatic machine that can be programmed to perform specific tasks

Also known as ‘Zombies’

Thousands of computers controlled

A powerful network at “no cost”

Purpose of a Botnet

Distributed denial of service attacks
Advertising – spamming
Sniffing traffic
Keylogging
Spreading new malware
Installing advertisements
Attacking IRC networks
Manipulating online polls or games
Mass identity theft

IRC Botnets

Earlier botnets were controlled by a Command and Control (C2) server

Botnet user

IRC Botnets

Newer botnets are distributed and have redundant C2 servers

Botnet user

P2P Botnets

Distributed control

P2P Botnets

Hard to Disable

Carding

What is Carding?

Carding: large-scale fraudulent use of stolen credit or debit card information

Carding forums: websites and bulletin boards dedicated to carding

Data usually comes from phishing/spamming or data breaches, rather than “real world” thefts

Bulk transactions (“dumps”) are the norm

Credit card data can be encoded on plastic cards for card-present transactions

What do Carding Forums Offer?

Identity documents

Stolen financial information

User names and passwords

“Full info” – package of data on victim

Card-making equipment and blanks

Tutorials on how to be a carder or hacker

Digital Currency

Characteristics of Digital Currency

Often “backed” by a precious metal such as gold
May involve both an issuer and an exchanger
Can be transferred to other digital currency
Popular with cyber-criminals

Example:

WebMoney Transfer (www.wmtransfer.com)

Based in Russia

Open account by downloading WebMoney client and providing name, address, and e-mail address

Accepts bank transfers, credit cards, money orders, and cash

Can transfer funds from one account to another

Summary

Globalization of crime

Some vexing problems

Anonymity
Botnets
Carding
Digital currency
