Organized Cybercrime Simple Nomad nomad mobile research centre “With just a few keystrokes, cybercriminals around the world can disrupt our economy.” - Ralph Basham, Director of the U.S. Secret Service at RSA 2005. “With just a few keystrokes, pundits can disrupt our freedoms.” - Daaih Liuh, NMRC, 2005 “With just a few keystrokes, I can turn those pundits off and watch porn instead.” – jrandom, NMRC, 2005 Outline • • • • The Players The Weapons Precision Tactics Examples The Players The Players • • • • • • Former Soviet Military Russian Mafia Professional Hackers Spammers Traditional Mafia Basic Cybercrime Organizations Former Soviet Military • Military industrial complex in Soviet Russia was even more corrupt than their USA counterparts • With the collapse of communism, many upper military personnel in Russia had few skills that paid well – Good at money laundering – Good at moving goods across borders – Connections with international crime Russian Mafia Sergei Mikhailov, head of the Moscow-based Solntsevskaya Organization, with 5000+ members worldwide. Starting with extortion, counterfeiting, drug trafficking, and blackmail, his own organization eventually graduated to arms dealing, money laundering, and infiltration of government and legitimate business. Mikhailov’s Solntsevskaya Organization owns banks, casinos, car dealerships, and even an airport. Solntsevskaya is believed to be behind many cyber-related online crime ventures. Russian Mafia Dolgopruadnanskaya is the second-largest gang operating out of Russia. They are considered ruthless and also are believed to be behind numerous current cybercrime activities, in addition to numerous other standard criminal ventures. They are believed to be behind a rash of bank robberies conducted over the Internet in 2001 against banks using vulnerable Windows NT web servers. Russian Mafia • Cybercrime elements are considered “divisions” – The actual hackers themselves are kept compartmentalized • Due to protection from a corrupt Russian government, most “big cases” do not net the big players, e.g. Operation Firewall • There are thousands of organized crime gangs operating out of Russia, although most are not involved in cybercrime. • When new hacking talent is needed, they will force hackers to work for them (or kill them and/or their families) Professional Hackers • Paid per the job, usually flat rates • State-side hackers can earn up to $200K a year • The work is usually writing tools for others to use, developing/finding new exploits, and coding up malware • Occasionally they will do a black bag job, but these are rare, unless they are simply looking for “loot” on easy targets Spammers • They earn millions per year selling their direct mail services • They are not picky and do not consider the person doing the selling is committing fraud, including the Russia Mafia • After years of jumping from ISP to ISP, it is much easier to lease “capacity” from hacker botnets or develop their own • They are the main employer of professional hackers Traditional Mafia • They are currently leaving most of the “work” to others • Online ventures are sticking close to such things as pr0n, online gambling, etc • They are taking advantage of technology, using computers heavily, and using reliable encryption Basic Cybercrime Organizations • Fluid and change members frequently • Will form and disband on a “per project” basis • Rife with amateurs, take a lot of risk considering the small payoffs • Although the most troublesome, they are considered the bottom feeders – Think criminal script kiddies – This is usually who the Feds get, not the big guys The Weapons The Weapons • Botnets – Average size is 5000 computers, some have been as large as 500,000 computers – New command and control software allows botnet capacity leasing of subsections of the botnet • Phishing – You guys *do* know what phishing is, right? • Targeted Viruses – Used to create quick one-time-use botnets – Also used when specifically targeting a single site or organization • The usual Internet attack tools – Metasploit, etc Precision Tactics Precision Tactics - Hotel • Hacking the PC in the hotel room – Can do remote – Will check into the same hotel as target if need be – Will resort to wiretaps, closed circuit video cameras, and other physical penetration attempts • Known times when the target is out of the room are especially dangerous – Speakers and trainers are especially vulnerable, since they have to be in their talks, other do not • Law enforcement regularly bugs hotel rooms at security conferences – Hotels (especially Vegas, Atlantic City) will comply to avoid LE looking at their computers • Organized crime outfits *do* attend conferences Precision Tactics – Office • Posing as regular office personnel • Planting network-based or hardware-based sniffing devices • Conventional listening devices (bugs) are not uncommon Precision Tactics – Infiltration • Will pose as script kiddies, and “gain skills” fairly quickly, rising in status in various IRC channels • Will join and form hacking groups • Will direct attacks for the group to perform, usually directing blame toward the kiddies rather than themselves • This is not a new technique – it is in use today by some governments, most notably French Intelligence Examples Examples – Internet Black Market Pricing Guide • Exploit code for known flaw - $100-$500 if no exploit code exists – Price drops to $0 after exploit code is “public” • Exploit code for unknown flaw - $1000-$5000 – Buyers include iDefense, Russian Mafia, Chinese and French governments, etc • List of 5000 IP addresses of computers infected with spyware/trojan for remote control - $150-$500 • List of 1000 working credit card numbers - $500-$5000 – Price has increased since Operation Firewall • Annual salary of a top-end skilled black hat hacker working for spammers - $100K-$200K Q&A Fin Images © 2005 NMRC www.nmrc.org