Notes Cybercrime Part I Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX Lecture 11 Characteristics of cybercrime Cybercrime supply chains Defining cybercrime How is cybercrime different? Primary vs. infrastructure cybercrimes Notes Defining cybercrime We (mainly) adopt the European Commission’s proposed definition: 1 2 3 traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems; the publication of illegal content over electronic media (e.g., child sexual abuse material or incitement to racial hatred); crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking. For this part of the course, we are mainly concerned with cybercrimes that are profit-motivated, not so much crimes fitting the second component of the definition The boundary between traditional and cybercrimes is fluid 3 / 28 Characteristics of cybercrime Cybercrime supply chains Defining cybercrime How is cybercrime different? Primary vs. infrastructure cybercrimes Notes Distinguishing between types of cybercrime Online banking fraud Fake antivirus ‘Stranded traveler’ scams ‘Fake escrow’ scams ‘Genuine’ cybercrime Advanced fee fraud Infringing pharmaceuticals Copyright-infringing software Copyright-infringing music and video Online payment card fraud In-person payment card fraud Transitional cybercrime PABX fraud Industrial cyber-espionage and extortion Welfare fraud Traditional crime becoming ‘cyber’ Tax and tax filing fraud 4 / 28 Characteristics of cybercrime Cybercrime supply chains Defining cybercrime How is cybercrime different? Primary vs. infrastructure cybercrimes Notes How does cybercrime differ from traditional crime? 1 Scale – a single attack can make little money and be unsuccessful most of the time, yet still be hugely profitable if it is replicated easily for almost no cost 2 Global adddressability – pool of available targets remains practically infinite 3 Distributed control – stakeholders have competing interests and limited visibility across networks, which hampers ability to defend against attacks 4 International nature – makes law enforcement more difficult 5 / 28 Characteristics of cybercrime Cybercrime supply chains Defining cybercrime How is cybercrime different? Primary vs. infrastructure cybercrimes Notes Distinguishing between ‘primary’ cybercrimes and infrastructure crimes ‘Primary’ cybercrimes perpetrate a particular scam (e.g., phishing steals bank credentials, illicit pharmaceutical programs sell prescription drugs without prescription) Yet these primary cybercrimes rely on a criminal infrastructure common to most scams 1 2 3 4 Exploits: offer a way to compromise computers so that unauthorized software can be executed Botnets: provide anonymity to criminals and a resource for exploitation Email spam: advertises scams to unsuspecting victims Search-engine poisoning: exposes unsuspecting victims to scams 6 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Supply chains and the division of labor Adam Smith on pin production (1776): One man draws out the wire, another straights it, a third cuts it, a fourth points it, a fifth grinds it at the top for receiving the head: to make the head requires two or three distinct operations: to put it on is a particular business, to whiten the pins is another ... and the important business of making a pin is, in this manner, divided into about eighteen distinct operations, which in some manufactories are all performed by distinct hands, though in others the same man will sometime perform two or three of them. 8 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains The underground economy: division of labor in cybercrime Notes Advertisement i have boa wells and barclays bank logins.... have hacked hosts, mail lists, php mailer send to all inbox i need 1 mastercard i give 1 linux hacked root i have verified paypal accounts with good balance... and i can cashout paypals Source: http://www.cs.cmu. edu/~jfrankli/acmccs07/ ccs07_franklin_eCrime.pdf 9 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Credit card #s for sale on underground Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf 10 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Services on offer on underground Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf 11 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Some advertised prices on the underground Source: http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf 12 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Cybercrime supply chains traffic host hook monetization cash out 13 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Phishing supply chain step 1: traffic (email spam) 14 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Phishing supply chain step 2: host (compromise server) 15 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Phishing supply chain step 3: hook (phishing kit) 16 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Phishing supply chain step 4: monetize (bank transfer) 17 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Phishing supply chain step 5: cash out (hire mules) 18 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Illicit online pharmacies What do illicit online pharmacies have to do with phishing? Both make use of a similar criminal supply chain 1 2 3 4 5 Traffic: hijack web search results (or send email spam) Host: compromise a high-ranking server to redirect to pharmacy Hook: affiliate programs let criminals set up website front-ends to sell drugs Monetize: sell drugs ordered by consumers Cash out: no need to hire mules, just take credit cards! For more: http://lyle.smu.edu/~tylerm/usenix11.pdf 20 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Abusing dynamic search terms 21 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes At best you may encounter ad-filled sites 22 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes At worst you may encounter malware 23 / 28 The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Characteristics of cybercrime Cybercrime supply chains Notes Abusing search-engine results Once again the criminal supply chain is similar Traffic: hijack unrelated web search results Host: compromise a high-ranking server Hook: install an exploit (for fake AV), or fill with auto-generated content (for ad sites) Monetize: peddle fake AV or load page with ads Cash out: credit cards or hire mules (fake AV), or get paid by ad platforms 1 2 3 4 5 For more: http://lyle.smu.edu/~tylerm/ccs11.pdf 24 / 28 The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Characteristics of cybercrime Cybercrime supply chains Notes Cybercrime supply chains: common mode of operation Cybercrime Traffic Host Hook Monetization Cash out Phishing (bank) Phishing (email acct.) Phishing (email acct.) Phishing (social net.) Phishing (social net.) Illicit pharma Illicit pharma Fake antivirus Fake antivirus Ad-laden sites Typosquatting ‘Stranded traveler’ ‘Fake escrow’ scams Industrial espionage email spam email spam email spam email spam email spam email spam web poisoning web poisoning web poisoning web poisoning user error social net. takeover auction buyers email spam hacked server hacked server hacked server hacked server hacked server hacked server hacked server hacked server hacked server own server own server own server own server website kit website kit website kit website kit website kit website frontend website frontend exploit install exploit install deceptive msg. deceptive msg. exploit install ACH transfer ‘stranded traveler’ malware ‘stranded traveler’ malware payments payments payments e-currency PPC ads PPC ads wire transfer wire transfer exfiltrate data money mule money mules ad platform ad platform - 25 / 28 The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Characteristics of cybercrime Cybercrime supply chains Notes Market for crimeware buys bu sel ls ys bu ys Option 1: underground market as pin factory Attacker Alice Bob Charlie David Mules traffic host hook monetization cash out 26 / 28 The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Characteristics of cybercrime Cybercrime supply chains Notes Market for crimeware Option 1: underground market as pin factory Phisherman server buy comp. pa ys den it yk bu l cr e bu m sel tia ls hires Alice Bob Charlie David Mules traffic host hook monetization cash out 26 / 28 The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Characteristics of cybercrime Cybercrime supply chains Notes Market for crimeware hire server ys pa te lia affi bu be m Option 1: underground market as pin factory Counterfeit drugs salesman complete sale Alice Bob Charlie David traffic host hook monetization cash out 26 / 28 The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Characteristics of cybercrime Cybercrime supply chains Notes Market for crimeware ffic Option 2: traffic brokers Attacker bu ys tra mon etize Alice Bob Charlie David traffic host hook monetization cash out 26 / 28 The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Characteristics of cybercrime Cybercrime supply chains Notes Market for crimeware Option 2: traffic brokers Attacker ffic adve bu ys tra rtisin g fra ud Alice Bob Charlie David traffic host hook monetization cash out 26 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Market for crimeware Option 2: traffic brokers Attacker bu ys tra ffic infec t wit hm alwa re Alice Bob Charlie David traffic host hook monetization cash out More info: http://iseclab.org/papers/weis2010.pdf 26 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Market for crimeware Option 3: exploit-as-a-service Attacker provide traffic, buy EaaS traffic install malware host monetization hook cash out More info: http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf 26 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Market for crimeware Option 4: pay-per-install Attacker order PPI use compromised machines (e.g., show fake AV, steal credentials, launch DoS) traffic host hook monetization cash out More info: http://www.usenix.org/events/sec11/tech/full_papers/Caballero.pdf 26 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Vertical integration of supply chains traffic host hook monetization cash out While underground forums, pay-per-installs and exploit-as-a-service attracts the most attention, some criminals vertically integrate Why? better defense against ‘rippers’ (see http://research.microsoft.com/pubs/80034/ nobodysellsgoldforthepriceofsilver.pdf) Some EaaS and PPI suites are not for sale, but instead used exclusively by particular gangs (e.g., Carberp) 27 / 28 Characteristics of cybercrime Cybercrime supply chains The underground economy Sample cybercrimes Strategies for integrating criminal supply chains Notes Vertical integration in phishing: rock-phish gang ‘Rock-phish’ gang used vertical integration to carry out phishing attacks At 2007-08 peak, accounted for half of phishing attacks 1 2 3 4 5 Purchase several innocuous-sounding domains (e.g., lof80.info) Send out phishing email with URL http: //www.volksbank.de.netw.oid3614061.lof80.info/vr Gang-hosted DNS server resolves domain to IP address of one of several compromised machines Compromised machines run a proxy to a back-end server Server loaded with many fake websites (around 20), all of which can be accessed from any domain or compromised machine 28 / 28