Cybercrime: From Kudos to Profit
Gerhard Eschelbeck, CTO Sophos
(Transcript of a PowerPoint presentation)
What do these businesses have in common?
Interpol:
“In the past, cybercrime has been committed by individuals or small groups of individuals. However, we are now seeing an emerging trend with traditional organized crime syndicates and criminally minded technology professionals working together and pooling their resources and expertise.
This approach has been very effective for the criminals involved. In 2007 and 2008 the cost of cybercrime worldwide was estimated at approximately USD 8 billion. As for corporate cyber espionage, cyber criminals have stolen intellectual property from businesses worldwide worth up to USD 1 trillion.”
FBI: masses of resources, details of activity. Most wanted page!
Cybercrime as a “Business”
An Interconnected Economy
Source: ENISA
Malware central to Cybercrime
Organised crime
“...individuals, normally working with others, with the capability to commit serious crime on a continuing basis, which includes elements of planning, control and coordination, and benefits those involved. The motivation is often, but not always, financial gain.”
SOCA
Malware was “Easy” in the Early Days
The Michelangelo Virus
Current threat landscape (in 1 slide)
Ransomware
• Pay ransom to access locked/encrypted files
• Simple: password-protected archives
• Medium: XOR, byte shift
• Complex: RC4, public-key crypto
Recover data? Depends on the tier: the simple and medium schemes are reversible, the complex ones are not without the criminal's key.
Ransomware (cont’d)
Reveton: family of ransomware that locks users out of their machine
http://www.youtube.com/watch?feature=player_embedded&v=-qR3D-Jx6FQ
GeoIP lookup: locale-specific lock pages
Ransomware (cont’d)
Additional tricks to socially engineer the victim. Fear factor.
PoS Malware - Troj/Trackr
• Umbrella detection name for all Point of Sale (PoS) RAM scraping malware. Includes: Alina, Dexter, VSkimmer, Kaptoxa, Chewbacca, etc.
• Troj/Trackr-* steals payment data from the RAM of PoS systems.
• Variants add socially-engineered filenames, network functionality, bot capabilities, packing, etc.
• Installed DLL version: the malicious DLL is registered as a service and performs the RAM scraping.
Who does Troj/Trackr- target?
What about Mobile?
Mobile malware growth accelerating
[Chart: Total Unique Samples per month, 2011-12 to 2013-03; y-axis 0 to 200,000]
Anatomy of a hacked device
Crimeware kits
‘Monetization’: the bulk of today’s threats are automated, coordinated & professional
It’s all about traffic
• Stolen FTP credentials
  • Use sFTP! (should be enforced)
• Vulnerable software on site
  • Wordpress plugins
  • Image gallery
  • -> upload PHP shell/kit
• Vulnerable server
  • Patched?
• 0wned server
  • e.g. Darkleech
Compromised sites used to drive traffic: 85% of all bad stuff.
Drive-by downloads
“Monetization”
Crimeware in Action
A Global Challenge
Reporting a crime
YES. See NakedSecurity articles for links to advice.