Cyber Crime: Emerging Cyber Crime Trends
March 17, 2006
by Kenneth G. McGuire, Supervisory Special Agent, FBI

Upload: shon-byrd, posted 17-Dec-2015

TRANSCRIPT


Topic Overview
1. Current Security Threats & Cases
2. Cyber Crime Incident Handling
3. Working With Law Enforcement

Security Threats & Cases

1. TYPES OF PERPETRATORS

2. INTERNET FRAUD - Identity Theft, Phishing Schemes, Remailer Schemes

3. COMPUTER INTRUSIONS & DISRUPTIONS – 1. RATs (Remote Access Trojans), 2. Extortion by DDoS (Distributed Denial of Service), 3. “Hacker for Hire” Investigation, 4. Wireless Network Concerns

4. INTELLECTUAL PROPERTY RIGHTS CRIMES – Warez/Movie Servers, P2P

How Severe is the Threat?

THREAT
• Professional Cyber Criminals & Terrorists (hard to detect)
• Disgruntled Employees
• Competitors
• Hacktivists
• Script Kiddies (advertise their actions)

Identity Theft

• Growing sophistication of phishing emails
• Exploitation of the banking system
• Keystroke loggers deployed by worms
• Exploding international market for stolen credit card databases and identity data
• FTC - $50B lost in identity theft in 2003
• 300M man-hours devoted to repairing damage caused by this theft

Phishing Examples (slide screenshots, including a mirrored web site)

Growing Trends

• Virus/worm payloads used to facilitate intrusion/fraud schemes
• Mercenary distributed denial of service attacks
• Extortion schemes fueled by DDOS and intrusion
• Spamming used to spread malicious payloads, phish, and pay using adware/malware/spyware
• Identity theft underpins most computer crime
• Overall increase in sophistication by a geographically diverse criminal element

Example of a Carder Site

Banking and Brokerage Account Compromise

• Internet worms propagate a keystroke logger in their payload to steal account usernames & passwords
• U.S. citizens recruited to cash counterfeit checks and wire the proceeds for a 30% fee
• Internet purchase funds first transmitted to other U.S. accounts, then to the Eastern bloc

Remailer Schemes

World’s Largest Computer Equipment Supplier

• A union of computer intrusion and wire fraud
• Subjects have placed at least $10M in fraudulent orders
• Subjects use work-from-home web sites to recruit unwitting U.S. participants
• 11 convictions to date in the U.S., at least a dozen to follow

REMOTE ACCESS TROJANS (RATs)

• HACKER versions – SubSeven, Back Orifice, NetBus
• Sometimes contained in email or program downloads, e.g. P2P programs like Kazaa
• COMMERCIAL PROGRAMS – GoToMyPC, pcAnywhere, LapLink
• OPERATING SYSTEM PROGRAMS – Telnet, ftp, Secure Shell (SSH), rlogin

Trojans and RATs: Sub-Seven Screen Capture (1999 version)

Trojans and RATs: Sub-7 v2.2 Gold

Below is a partial list of what Sub7 can do:
• Monitor ALL of your online activity (purchases, chat, mail)
• Open web browser to a specified location
• Restart Windows
• Reverse mouse buttons
• Delete ANY of your files
• Put ANY file on your computer
• Record your passwords
• Record your keystrokes (on- and off-line)
• Open/close your CD-ROM drive
• Print documents
• Change screen resolution
• Change Windows colors
• Change volume
• Change desktop wallpaper
• Play sound files
• Play voice (using a text-to-speech engine)
• Turn off the speakers
• Change time/date
• Update itself with a newer version

Trojans and RATs: Sub-Seven Screen Capture

When run, the backdoor copies itself to the Windows directory with the original name of the file it was run from or as SERVER.EXE, KERNEL16.DL, RUNDLL16.COM, SYSTEMTRAYICON!.EXE or WINDOW.EXE (names are different in different versions of SubSeven).

Then it unpacks a single DLL file to the Windows System directory - WATCHING.DLL (some versions don't do this).

Walter Wiggs

• Former USMC Scout Sniper Instructor
• Violent criminal history
• Georgia resident
• Software engineer for a Manhattan Beach telecommunications company
• Employment terminated
• Disabled telecommunication systems across the country
• Caused a disruption in the Los Angeles County Child Protective Service Hotline over July 4, 2003
• Arrested in August 2003

Extortion By DDOS

• Hiring hackers to create distributed denial of service (DDOS) attacks
• Look for use of P2P instead of IRCds

CYBERSLAM

ECHOUAFNI

WALKER

Victims

Jeanson James Ancheta, aka ResiLi3nt

• Hacker pleads guilty to building, renting attack network
• FBI report estimates viruses, worms & Trojan programs cost U.S. organizations $11.9 billion each year.
• 20-year-old hacker living w/ mother in Downey
• Prev. criminal larceny conviction

Using a botnet to send spam:
1. A botnet operator sends out viruses or worms, infecting ordinary users' Windows PCs.
2. The PCs log into an IRC server or other communications medium.
3. A spammer purchases access to the botnet from the operator.
4. The spammer sends instructions via the IRC server to the infected PCs...
5. ... causing them to send out spam messages to mail servers.
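The five steps above give a defender a network signature to look for: an internal host that opens a connection to an IRC control server and then starts a burst of outbound SMTP. The following detector is an added example, not part of the presentation; the log format, the IRC port, and the burst threshold are assumptions.

```python
"""Flag internal hosts that show the botnet spam pattern above: a connection
to an IRC (command) server followed by a burst of outbound SMTP. Added example,
not from the presentation; the log format is constructed."""
from collections import defaultdict

IRC_PORTS = {6667}      # assumed: IRC control channel from the slide's step 2
SMTP_PORT = 25
SMTP_BURST = 5          # assumed threshold: 5+ outbound SMTP connects ...
WINDOW_SECS = 600       # ... within 10 minutes

# Constructed outbound-connection log: "<epoch> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.7 contacts IRC then sprays SMTP; 10.0.0.9 is a normal mail client.
SAMPLE_LOG = """\
1000 10.0.0.7 203.0.113.5 6667
1030 10.0.0.7 198.51.100.1 25
1031 10.0.0.7 198.51.100.2 25
1032 10.0.0.7 198.51.100.3 25
1033 10.0.0.7 198.51.100.4 25
1034 10.0.0.7 198.51.100.5 25
1035 10.0.0.7 198.51.100.6 25
1100 10.0.0.9 192.0.2.10 25
1900 10.0.0.9 192.0.2.10 25
"""

def parse_log(log):
    """Return (timestamp, src, dst, port) tuples in time order."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            events.append((int(ts), src, dst, int(port)))
    return sorted(events)

def find_spam_bots(log):
    """Return {src_ip: (irc_contact_time, smtp_count)} for suspect hosts."""
    irc_seen = {}                    # src -> first IRC connection time
    smtp_after = defaultdict(list)   # src -> SMTP times after IRC contact
    for ts, src, dst, port in parse_log(log):
        if port in IRC_PORTS:
            irc_seen.setdefault(src, ts)
        elif port == SMTP_PORT and src in irc_seen:
            smtp_after[src].append(ts)
    hits = {}
    for src, times in smtp_after.items():
        # any window of WINDOW_SECS holding SMTP_BURST or more connects
        for i in range(len(times) - SMTP_BURST + 1):
            if times[i + SMTP_BURST - 1] - times[i] <= WINDOW_SECS:
                hits[src] = (irc_seen[src], len(times))
                break
    return hits
```

Hosts that only send mail (10.0.0.9) are not flagged; the IRC contact is what ties the SMTP burst to the rented botnet.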

Jeanson James Ancheta, aka ResiLi3nt

• Sold botnets of 100 to 500 computers for $150 to $500
• Infected >400,000 computers installing toolbars for click fees, made $61,000 as an affiliate of Loudcash and Gammacash
• Hacked China Lake Naval Weapons Center computer – not classified
• 1/23/06 pled guilty to 4 of 17 counts in 11/05 indictment
• Sentencing May 1, 2006

Brian Tinney

• Professional burglar
• Created fictitious computer company in Las Vegas
• Created fictitious escrow company in San Francisco
• Ordered $600,000 in high-end computer equipment from suppliers around the U.S.

Steven-William:Sutcliffe

• Global Crossing employee
• Sovereign Citizen adherent
• www.killercop.com
• Web terror campaign
• Posted all employee SSNs
• Home addresses, telephone numbers, residence maps
• Death threats
• Arrested in New Hampshire

“UCC-207” “All Rights Reserved”

Countermeasures

• Practice good computer security
• Invest in a personal shredder
• Examine your credit report annually
• Scrutinize credit card statements
• 1-888-5-OPTOUT (1-888-567-8688)
• Use caution supplying wire transfer info
• Be alert to anomalous personal info requests
• http://www.consumer.gov/idtheft/

Wireless Security Concerns

1) Availability of free WAP detection and logging tools like NetStumbler and Kismet
2) War driving - where individuals drive (or walk) around to find unprotected and accessible WAPs
3) Consumers and even system administrators fail to configure their systems adequately

Wireless Encryption Protocol or Wireless Equivalency Protection (WEP)

1. Uses 128-bit encryption
2. WEP’s poor implementation of the algorithm caused it to be broken, and the break is available to hackers.
3. Replacement for WEP, called WiFi Protected Access (WPA), not widely implemented.
4. WEP is not configured out of the box and therefore is not protecting the system.
5. When WEP is configured by the owner, the default password is used - ADMIN

Wireless Security Measures

Preventing Disgruntled Employee Problems

• Terminating system access BEFORE TERMINATED EMPLOYEES ARE WALKING OUT THE DOOR
• Well documented and proliferated non-disclosure and authorized activity agreements/notifications
• Review adequate logging/tracking
• Enforce your rules
• PRACTICE EXERCISE – “RED TEAMING”
• BANNER during log-in of company computers

CYBER CRIME INCIDENT HANDLING

1. Continuing Operations v. Preservation of Evidence

2. Identify the Incident Manager and Team – usually department heads or officers

3. Assess Systems Impaired and Damages

4. Review Adequate Logging/Tracking

5. Note Unusual Activities By Employees or on Computer Network

WORKING WITH LAW ENFORCEMENT

• Identify your LOSS, HARM, or DAMAGE – lost asset, revenues, expenses, repair cost
• Identify, capture or quarantine electronic or computerized equipment, logs and files
• Maintain a “Chain of Custody” for evidence
• Begin a written chronology of events
• Who may have to testify
• Identify one or two individuals to be your main point of contact with LEOs
• Alert your General Counsel or attorney
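One way to implement the chain-of-custody and written-chronology items above, as an added example (not the presentation's own material): hash each captured log or file at seizure, record every hand-off with who, when and why, and re-verify the hash before the evidence is relied on. File names, custodian names and the JSON-lines record format are assumptions.

```python
"""Chain of custody for seized logs/files: hash the evidence when captured,
record every hand-off, and re-verify the hash before it is relied on.
Added example, not from the presentation; the JSON-lines log format is assumed."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def record_custody(log_path, evidence_path, custodian, action):
    """Append one entry (who, when, what, hash) to the custody log."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "evidence": os.path.basename(evidence_path),
             "sha256": sha256_file(evidence_path),
             "custodian": custodian, "action": action}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_custody(log_path, evidence_path):
    """True only if every logged hand-off and the file on disk still match
    the hash taken at seizure, i.e. the chain is unbroken."""
    with open(log_path) as f:
        chain = [e for e in map(json.loads, filter(str.strip, f))
                 if e["evidence"] == os.path.basename(evidence_path)]
    if not chain:
        return False
    first = chain[0]["sha256"]
    return all(e["sha256"] == first for e in chain) and sha256_file(evidence_path) == first

def demo(tamper=False):
    """Constructed walk-through: seize a proxy log, hand it to counsel, verify.
    With tamper=True the file is edited between hand-offs and verify fails."""
    d = tempfile.mkdtemp()
    ev, log = os.path.join(d, "proxy.log"), os.path.join(d, "custody.jsonl")
    with open(ev, "w") as f:       # constructed evidence content
        f.write("2006-03-01 10:02:11 10.0.0.7 GET http://example.invalid/\n")
    record_custody(log, ev, "j.doe (IT)", "seized from server room")
    if tamper:
        with open(ev, "a") as f:
            f.write("edited after seizure\n")
    record_custody(log, ev, "a.smith (counsel)", "received for review")
    return verify_custody(log, ev)
```

The custody log doubles as the start of the written chronology: each entry is timestamped, names the custodian, and states the action taken.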

WORKING WITH LAW ENFORCEMENT

• CRIMINAL LAWS THAT APPLY:
  – ECPA (Electronic Communications and Privacy Act)
  – 4th Amendment – Search & Seizure
  – Interception of Communications (Wiretapping)
  – Court Orders – FGJ Subpoenas, Search Warrants, Pen Registers, Trap & Trace Orders, 2703(d) Orders, Title 3 Orders

Prepare for Incident Response

• Have a disaster plan for human-made and natural disasters
  – Need some ideas? Try risk management organizations - NIST.GOV, SANS.ORG
• Practice the plan!
• Review the plan annually!
  – Include contacts with law enforcement or disaster officials

SANS Top 7 Management Errors

• #7 Pretend the problem will go away if they ignore it.
• #6 Authorize reactive, short-term fixes so problems re-emerge rapidly.
• #5 Fail to realize how much money their information and organizational reputations are worth.
• #4 Rely primarily on a firewall.
• #3 Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.
• #2 Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.
• #1 Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

INFRAGARD PROGRAM

Contact: INFRAGARD COORDINATOR
Regina Miles-Canales
310-477-6565

Contact: Cyber Crime Supervisor
Ken McGuire
310.996.3854
[email protected]