Microsoft Digital Crimes Unit (DCU) – Fight Against Cybercrime

Marja Laitinen, Senior Attorney, Microsoft Digital Crimes Unit Central and Eastern Europe

Microsoft Confidential


Cybersecurity is a Boardroom-level Issue

• 160M data records compromised from the top 8 breaches in 2015
• 556M victims of cybercrime per year
• $400B cost of cyberattacks to companies each year
• 71% of companies admit they fell victim to a successful cyber attack the prior year
• $3 trillion estimated cost in economic value from the cybercrime industry by 2020
• 140+ median number of days between infiltration and detection

Our Unique Approach


Our Unique Perspective

• 300B user authentications each month
• 1B Windows devices updated
• 200B emails analyzed for spam and malware

A Layered Approach to Security

Helping to protect our customers, our company, and our world

Growing threats demand a coordinated response:

• Cyber Security Services Engineering

• Digital Crimes Unit

• Information Security & Risk Management

• Microsoft Azure

• Microsoft Security Response Center

• Microsoft Threat Intelligence Center

• Office 365

• Windows & Devices Group

Cyber Defense Operations Center

Digital Crimes Unit (DCU)

The Microsoft Digital Crimes Unit is committed to fighting cybercrime around the globe. We use our expertise in data analytics, cyberforensics, and law to strategically partner with public and private organizations, law enforcement, and our customers to protect the world from digital harm.

In our work we focus on protecting vulnerable populations, fighting malware, and reducing digital risk.

Protecting Vulnerable Populations: Technical Support Scams

The Scheme:

• Fraudsters pose online and on the phone as tech support from high-tech companies, including Microsoft
• A victim is often asked for remote access and charged for unnecessary technical services, and may lose money or personal information or be exposed to malware
• DCU investigates tech fraud cases globally, building evidence to take action, and runs education programs through media, Microsoft Retail Stores, and the Cybercrime Center

Report a scam: www.support.microsoft.com/reportascam

Protecting Vulnerable Populations: PhotoDNA

• Free cloud-based service (www.microsoft.com/photodna)
• PhotoDNA has helped detect millions of illegal images online
• Over 100 organizations use the technology to keep their platforms safe
• Illegal images are reported to the National Center for Missing and Exploited Children and other appropriate authorities

Malware Disruptions

DCU identifies targets, investigates, and orchestrates global partnerships to take action.

A botnet is a network of infected computers that cybercriminals control remotely. With a single botnet, cybercriminals can commit billions of illegal acts in a single day.

Working with law enforcement and others to disrupt the criminal infrastructure

Trespass to Chattels

Botnet Takedowns and Malware Disruption Operations

Operations: Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol, Bamital, Citadel, Sirefef, Gameover Zeus, Bladabindi & Jenxcus, Simda, Ramnit, Caphaw, Dorkbot

Timeline:

• Feb 2010 – Waledac: first Microsoft takedown operation, proving the model of industry-led efforts; disconnected 70,000-90,000 infected devices from the botnet. Threat: botnet worm sending spam.
• March 2011 – Rustock: supported by stakeholders across industry sectors; involved US and Dutch law enforcement, and CN-CERT. Threat: spam, on average 192 spam messages per compromised machine per minute.
• Sep 2011 – Kelihos: partnership between Microsoft and security software vendors; first operation with a named defendant. Threat: spam, Bitcoin mining, DDoS attacks.
• March 2012 – Zeus: cross-sector partnership with financial services; focused on disruption because of technical complexity. Threat: identity theft / financial fraud.
• Sep 2012 – Nitol: Nitol was introduced in the supply chain relied on by Chinese consumers; settled with the operator of the malicious domain. Threat: malware spreading, DDoS attacks.
• Feb 2013 – Bamital: hijacked people's search results and took victims to dangerous sites; takedown in collaboration with Symantec, with a proactive notification and cleanup process. Threat: advertising click fraud.
• June 2013 – Citadel: committed online financial fraud responsible for more than $500M in losses; coordinated disruption with the public and private sector. Threat: identity theft / financial fraud.
• Dec 2013 – Sirefef (ZeroAccess): hijacked search results, taking victims to dangerous sites; cost online advertisers upwards of $2.7 million each month. Threat: advertising click fraud.
• June 2014 – Bladabindi & Jenxcus: malware using Dynamic DNS for command and control; involved password and identity theft, webcam spying, etc.; over 200 different types of malware impacted. Threat: identity theft / financial fraud / privacy invasion.
• June 2014 – Gameover Zeus (GOZ): a banking Trojan; worked in partnership with law enforcement, providing technical remediation. Threat: identity theft / financial fraud.
• July 2014 – Caphaw: focused on online financial fraud responsible for more than $250M in losses; coordinated disruption with the public and private sector. Threat: identity theft / financial fraud.
• Feb 2010 – Conficker: Microsoft-led model of industry-wide efforts to counter the threat. Threat: botnet worm sending spam and attempting to steal confidential data and passwords.
• Feb 2015 – Ramnit: malware stealing credential information from banking websites, configured to hide itself. Threat: credential theft / disabling security defenses.
• April 2015 – Simda: theft of personal information, including banking passwords, as well as installing and spreading other malware. Threat: theft of personal data / installing and spreading other malware.
• December 2015 – Dorkbot: used for cybercriminal activities such as credential harvesting for financial fraud, DDoS attacks and the downloading of malicious payloads. Threat: financial fraud, DDoS attacks.

Actionable Intelligence from Malware Disruptions

• Conficker – 682 897. February 2010. Botnet worm.
• Dorkbot – 659 991. December 2015. Used for cybercriminal activities such as credential harvesting for financial fraud, DDoS attacks, and the downloading of malicious payloads. Disrupted in cooperation with the FBI and international law enforcement.
• Bladabindi & Jenxcus – 452 515. June 2014. Malware using Dynamic DNS for command; involved password and identity theft, webcam and other privacy invasions. Over 200 different types of malware impacted by the takedown. Identity theft / financial fraud / privacy invasion.
• Ramnit – 114 062. February 2015. Credential information theft / disabling security defenses.

Most Common Malware Threats in CEE, 1-30 September 2016

Top CEE Countries per Threat, 1-30 September 2016 (distinct IPs per country)

Conficker (the top 5 countries represent 68% of CEE Conficker infections):
• Russia 258 426
• Ukraine 76 341
• Romania 57 507
• Hungary 40 757
• Serbia 29 635

Dorkbot (the top 5 countries represent 83% of CEE Dorkbot infections):
• Russia 341 281
• Ukraine 65 426
• Belarus 59 713
• Kazakhstan 58 899
• Romania 28 715

B106 (the top 5 countries represent 63% of CEE B106 infections):
• Russia 111 586
• Kazakhstan 74 574
• Romania 52 328
• Poland 24 313
• Serbia 21 592

Ramnit (the top 5 countries represent 93% of CEE Ramnit infections):
• Romania 53 752
• Azerbaijan 23 014
• Poland 12 820
• Russia 9 211
• Mongolia 7 137
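The per-country figures above are distinct source IPs observed over a month, and the "top 5 countries represent N%" lines follow from them (for Conficker, 462 666 of the 682 897 total on the earlier slide is 68%). The Python below is an added example, not Microsoft DCU or CTIP code, showing how such a table is built from raw sinkhole hits: the record format (timestamp, family, source IP, country code, one hit per line) and the sample lines are constructed assumptions. It discards malformed records, de-duplicates addresses so a bot that beacons every few minutes is counted once, and reports the top-N concentration per family. Distinct IPs are a proxy for infected hosts, not a count of them: NAT hides many hosts behind one address, and DHCP churn can count one host several times.

```python
"""Build a "distinct infected IPs per country" table from sinkhole hit records.

Added example, not Microsoft DCU/CTIP code. The record format is an
assumption: one hit per line, "timestamp family source_ip country_code".
"""
from collections import defaultdict
import ipaddress

# Constructed sample hits (documentation-range addresses, not real victims).
SAMPLE_HITS = """\
2016-09-01T08:00:01Z conficker 198.51.100.10 RU
2016-09-01T08:00:05Z conficker 198.51.100.10 RU
2016-09-01T08:00:09Z conficker 198.51.100.11 RU
2016-09-01T08:01:00Z conficker 203.0.113.5 UA
2016-09-01T08:01:30Z dorkbot 203.0.113.5 UA
2016-09-01T08:02:00Z dorkbot 192.0.2.77 BY
2016-09-01T08:02:00Z dorkbot 192.0.2.77 BY
2016-09-01T08:03:00Z conficker not-an-ip RO
2016-09-01T08:03:30Z truncated-record
2016-09-01T08:04:00Z conficker 198.51.100.12 ro
"""


def parse_hits(text):
    """Yield (family, ip, country) for each well-formed hit line, skipping the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # truncated or over-long record
        _timestamp, family, ip, country = fields
        try:
            ipaddress.ip_address(ip)      # reject garbage before it pollutes the counts
        except ValueError:
            continue
        yield family.lower(), ip, country.upper()


def distinct_ip_counts(text):
    """Return {family: {country: number of distinct source IPs}}.

    A set per (family, country) collapses repeated beacons from the same
    address into one entry, which is what the deck's tables count.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for family, ip, country in parse_hits(text):
        seen[family][country].add(ip)
    return {family: {country: len(ips) for country, ips in by_country.items()}
            for family, by_country in seen.items()}


def top_countries(country_counts, n=5):
    """Top n (country, count) pairs, largest first; ties broken by country code."""
    return sorted(country_counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_share(country_counts, total, n=5):
    """Rounded percentage of `total` distinct IPs contributed by the top n countries."""
    top_sum = sum(count for _country, count in top_countries(country_counts, n))
    return round(100 * top_sum / total)


def report(text, n=5):
    """Render one 'top countries per threat' block per family, as plain text."""
    lines = []
    for family, by_country in sorted(distinct_ip_counts(text).items()):
        total = sum(by_country.values())
        top = top_countries(by_country, n)
        lines.append(f"{family}: {total} distinct IPs; "
                     f"top {len(top)} countries = {top_share(by_country, total, n)}%")
        lines.extend(f"  {country} {count}" for country, count in top)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HITS))
```

Feeding `top_share` the deck's own Conficker and Ramnit rows with the family totals from the preceding slide reproduces the stated 68% and 93%; the Dorkbot row gives 84% under round-half-up, so the slide's 83% was evidently truncated rather than rounded.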


Microsoft is committed to building trust with governments and sharing security information

Government Security Program objectives:

• Help protect governments and their citizens
• Build trust and transparency
• Strengthen public-private partnerships

What the program provides:

• Direct access to Microsoft product and security resources
• Access to Transparency Centers to work with source code
• Remote access to online source code
• Technical data, including Microsoft Azure and O365
• Information sharing about threats and vulnerabilities, leveraging CTIP

The Microsoft SECURITY PLATFORM

• Advanced Threat Protection
• Anti-Spam / Anti-Malware
• Message Encryption
• Customer Lockbox
• Data Loss Prevention
• Windows Trusted Boot
• Device Guard
• Credential Guard
• Microsoft Passport
• Windows Hello
• Windows Defender ATP
• Windows Update for Business
• Enterprise Data Protection
• Azure Active Directory
• Azure Active Directory Premium
• Azure Security Center
• Azure Secure Store
• Azure Key Vault
• Advanced Threat Analytics
• Cloud App Security
• Intune
• Windows Server 2016
• SQL Server 2016

Protect Your Environment

Best practices: invest in your platform, your instrumentation, and your people.

• Maintain a well-documented inventory of your assets
• Acquire or build the tools needed to fully monitor your network, hosts, and logs
• Establish relationships and communication between the incident response team and other groups
• Define your security policy with clear standards and guidance
• Proactively maintain controls and measures, and regularly test them for accuracy and effectiveness
• Adopt least-privilege admin principles; eliminate persistent admin rights
• Use proper hygiene: most attacks can be prevented with timely patches and antivirus
• Maintain tight control over change management policies
• Use the lessons learned to gain value from every major incident
• Employ multi-factor authentication to strengthen protection of accounts and devices
• Monitor for abnormal account and credential activity to prevent abuse
• Educate, empower, and enlist users to recognize likely threats and their role in protecting business data

Additional Information

[email protected]

More on DCU:

• DCU Fact Sheet (http://news.microsoft.com/download/presskits/DCU/docs/dcuFS_160115.pdf)
• DCU on YouTube (https://www.youtube.com/user/DCUMicrosoft)
• DCU on Twitter (https://twitter.com/microsoftdcu)
• Microsoft on the Issues Blog (http://blogs.microsoft.com/on-the-issues/2015/09/30/microsoft-hosts-renowned-id-theft-expert-to-kick-off-expanded-aarp-partnership-to-stop-tech-scams/#sm.00012obcpy1ccqfgyxshvwqfatq4j)

Useful Links:

• Avoiding Tech Support Scams (PDF) Brochure (https://ncmedia.azureedge.net/ncmedia/2016/03/TechSupportScams.pdf)
• PhotoDNA Cloud Service (https://www.microsoft.com/en-us/PhotoDNA)
• PhotoDNA Fact Sheet (https://ncmedia.azureedge.net/ncmedia/2016/08/PhotoDNAFactSheet1608221.pdf)
• Learn about Your and Your Family's Online Safety (https://www.microsoft.com/about/philanthropies/youthspark/youthsparkhub/programs/onlinesafety/)

Learn and Test:

• Install and Run Free Malicious Software Removal Tool (https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx?id=16)