Cyber Crime - PowerPoint PPT Presentation

About This Presentation
Title:

Cyber Crime

Description:

Cyber Crime. Special thanks to Special Agent Martin McBride for sharing most of this information in his talk at Siena last semester. Criminal activity today has shifted ... (PowerPoint PPT presentation)

Slides: 65
Provided by: csSienaE

Transcript and Presenter's Notes

1
Cyber Crime
  • Special Thanks to
  • Special Agent Martin McBride for sharing most of
    this information in his talk at Siena last
    semester

2
Criminal Activity Today
  • has shifted to the Internet

3
Canadian Lottery Scam
  • A call from Canada:
  • "You've won the Canadian Lotto"
  • "We'll protect your winnings from US capital gains
    taxes (i.e., Canadian Bank)"
  • "Just pay the Canadian Lotto tax (0.5%) and we'll
    set everything up"
  • You say:
  • "You mean I just have to pay you $5,000 and you'll
    put $1,000,000 in my own Canadian Bank Account?
    Sounds great!"

4
Canadian Lottery Scam
  • It's estimated that over $10,000,000 has been
    scammed off people in just the US.
  • The scammers are so sophisticated that they get
    Direct Mailing/Marketing Lists and target specific
    demographics (homeowners over 65).
  • http://www.experian.com/products/listlink_express.html
  • Thank you Experian!

5
Canadian Lottery Scam
  • The scammers use cloned cell phones
  • Checks are sent to Mailboxes Etc. (set up using a
    stolen identity)
  • The FBI and RCMP have developed counter-measures
  • Thus, the scammers have retreated to the
    Internet, where they have greater reach and less
    risk.

6
Criminal Activity Today
  • Phishing
  • Nigerian Letters Fraud
  • Internet Sales Fraud
  • Carding
  • Intrusions
  • Viruses & Worms

7
Criminal Activity Today (continued)
  • Distributed Denial of Service (DDOS)
  • Spam Attack/DDOS
  • Intellectual Property Theft
  • Sabotage

8
Phishing
  • uses spam, spoofed e-mails and fraudulent
    websites to
  • deceive consumers into disclosing credit card
    numbers, bank account information, Social
    Security numbers, passwords, and other sensitive
    information
  • by hijacking the trusted brands of well-known
    banks, online retailers and credit card companies

12
Sample phishing e-mail (HTML source as shown on the slide):
    <TABLE cellSpacing=0 cellPadding=0 width=600 align=center><TBODY><TR><TD>
    <FONT style="FONT-WEIGHT: 400; FONT-SIZE: 13px; FONT-FAMILY: verdana,arial,helvetica,sans-serif">
    We are currently performing regular maintenance of our security measures.
    Your account has been randomly selected for this maintenance, and you now
    be taken through a verification process.<BR><BR>
    Protecting the security of your PayPal account is our primary concern,
    and we apologize for any inconvenience this may cause.<BR><BR>
    Please <A href="http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html"><FONT color=#0033cc>click here</FONT></A>
    and fill in the correct information to verify your identity.<BR><BR>
    NOTE: Failure to complete the verification process or providing wrong
    information will lead to account suspension or even termination.
    </FONT></TD></TR></TBODY></TABLE><BR><BR>
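The link in that e-mail is the tell: the text says "click here", and the host name starts with "verify.paypal.com", but a browser connects to the last two labels of the host, "auth23.net", and everything to the left is just a subdomain the sender controls. The following is an added example (not part of the slides or the presenter's material) that pulls the host out of a link and reports which domain would really be contacted, plus a few cheap red flags. The first sample URL is the slide's link as reconstructed above; the other two are constructed for comparison. The two-label rule for the registrable domain is a simplification of this example's own; production code should use the public suffix list.

```python
"""Added example: which domain does a 'PayPal' link really point at?"""
from urllib.parse import urlsplit

# Constructed sample inputs. The first is the link from the phishing
# e-mail on the slide; the second is a legitimate-looking PayPal URL
# made up for contrast; the third uses a raw IP address.
SAMPLE_URLS = [
    "http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html",
    "https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run",
    "http://192.168.1.100/paypal/login.html",
]

# Brand domains a user is expected to trust (assumption for this demo).
TRUSTED_BRANDS = ("paypal.com",)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. 'a.b.example.org' -> 'example.org'.
    Simplification: real code must consult the public suffix list so that
    'example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True for a dotted-quad IPv4 address used in place of a host name."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def analyse_link(url: str) -> dict:
    """Return the real host, its registrable domain and a list of red flags."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    real_domain = registrable_domain(host)
    flags = []
    for brand in TRUSTED_BRANDS:
        # The brand appears inside the host, but the browser will actually
        # talk to some other registrable domain: classic decoy subdomain.
        if brand in host and real_domain != brand:
            flags.append(f"brand '{brand}' used as a decoy subdomain of {real_domain}")
    if parts.scheme != "https":
        flags.append("not HTTPS")
    if parts.port not in (None, 80, 443):
        flags.append(f"unusual port {parts.port}")
    if is_ip_literal(host):
        flags.append("raw IP address instead of a domain name")
    return {"host": host, "registrable_domain": real_domain, "flags": flags}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        print("   ", analyse_link(u))
```

Run as a script it prints the analysis for the three sample links; the slide's link comes back with `auth23.net` as the real domain, the decoy-subdomain flag, "not HTTPS" and the unusual port 4180, while the constructed legitimate URL produces no flags at all.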
13
Nigerian Letter Fraud
  • Claiming to be
  • Nigerian officials,
  • business people or
  • the surviving spouses of former government
    honchos,
  • con artists offer to transfer millions of dollars
    into your bank account in exchange for a small
    fee.

14
Nigerian Letter Fraud
  • If you respond, you may receive "official
    looking" documents.
  • Typically, you're then asked to
  • provide blank letterhead and
  • your bank account numbers,
  • as well as some money to cover transaction and
    transfer costs and attorney's fees.

15
Nigerian Letter Fraud
  • You may even be encouraged to travel to Nigeria
    or a border country to complete the transaction.
  • Sometimes, the fraudsters will produce trunks of
    dyed or stamped money to verify their claims.
  • Inevitably, though, emergencies come up,
    requiring more of your money and delaying the
    "transfer" of funds to your account
  • in the end, there aren't any profits for you to
    share, and the scam artist has vanished with your
    money.

18
Internet Sales Fraud
  • Overpayment scheme (eBay)
  • A buyer "accidentally" overpays you
  • $1000 check rather than $100 check
  • Buyer says: "My mistake, but you owe me $900 if
    you cash that check."
  • Buyer says: "Dude man! I need that $900 bucks;
    since this was my mistake, if you wire me $800
    bucks, the check is yours."
  • You get an additional $100 for your trouble, cool!

19
Internet Sales Fraud
  • Did you know that if you deposit a check worth
    $10,000 or more at HSBC it can take over 5
    business days for it to clear or to realize it's
    fraud?
  • A week gives a scammer a long time to put
    pressure on you to return the overpayment.
  • Perhaps the overpayment is $9000.
  • Guess what? If you send a wire transfer or a
    money order out of your account, your account
    balance is immediately reduced (instantaneous at
    the time the order or wire is entered into their
    system).
  • Thank you HSBC for making it easy to scam me!

20
Internet Sales Fraud
  • Alexey Ivanov and others
  • auctioned non-existent items on eBay
  • bid on own items using stolen credit cards
  • as high bidder, paid himself through Paypal

21
Carding
  • "Carding": the illegal use of credit card numbers.
    Carders...
  • Acquire valid credit card numbers(not their own)
  • Use them to make purchases
  • Sell them to others
  • Trade them over the Internet

22
Carding
  • Maxus, a Russian, stole 300,000 credit card
    numbers from CDUniverse.com
  • Maxus' scheme was broken into 4 basic parts:
  • Wholesaling cards: Cards were distributed to
    trusted partners, mainly in lots of 1,000, for $1
    each.
  • Re-selling cards: Cards were then sold by Maxus'
    partners. These "re-sellers" sold card numbers
    mainly in blocks of 50. The price to the "end
    consumer" was around $500.
  • Pure liquidation: Maxus set himself up as an
    online retailer, and used the stolen numbers as
    if they belonged to his customers
  • End users: Individuals would use the cards
    bought from Maxus to conduct their own fraud.

23
Intrusions
  • Unauthorized access into a computer
  • Different types of intruders
  • Hackers create code to exploit vulnerabilities
  • Script-kiddies use code readily available over
    the Internet to exploit vulnerabilities
  • Insiders - former employees whose accounts were
    not disabled upon termination

24
Intrusions
  • Example
  • Bob leaves Experian for Equifax
  • Equifax is a competitor to Experian
  • Bob uses same password at Equifax that he had
    used while at Experian
  • Equifax has to crack Bob's password because no
    one can get into his account to retrieve the work
    he left behind
  • Experian decides to try Bob's password on
    Equifax's e-mail system
  • It worked!
  • Experian attempts to steal customers from Equifax
    by intercepting e-mail sent to Bobs account at
    Equifax.

25
Viruses, Worms, Trojans
  • Viruses are computer code written to degrade the
    health of a computer or computer network
  • Worms are viruses that are written such that they
    can spread themselves to other computers
  • Trojans are viruses that remain dormant or hidden
    until a certain action is taken or a specified
    period of time has elapsed

26
Denial of Service (DOS)
  • An attack in which a large network of compromised
    computers is used to attack a target computer
  • Examples
  • Mafiaboy - Feb 2000
  • Yahoo!, eBay, CNN.com, eTrade, and others
  • DDOS attack against 9 of 13 root servers, Oct
    2002

27
Intellectual Property Theft
  • The unauthorized acquisition and/or distribution
    of proprietary computer software or data files

28
Intellectual Property Theft
  • Example
  • Online warez pirates
  • Buy or steal copies of software programs such as
    video games or operating systems
  • Illegally share the programs through FTP servers
    located throughout the world
  • Hundreds and perhaps thousands of organized
    groups exist
  • Many groups contain hundreds of members

29
Sabotage
  • Deliberate destruction of the functionality of a
    computer or computer network

30
Insiders
  • Greatest threat to computer networks
  • Know the system
  • Have access via user accounts
  • Security lapses
  • Easy-to-guess passwords
  • Share accounts/passwords
  • Hostile terminations/revenge

31
Criminal Cyber Crime Techniques
  • Casing the establishment
  • Footprinting
  • Scanning
  • Enumeration
  • Hacking Exposed, Second Edition

32
Casing the Establishment
  • Footprinting
  • Locate a potential target
  • Learn everything about target network
  • Map the network
  • Domain names in use
  • Routable IP address range
  • Services running and versions used
  • Firewalls and Intrusion Detection Systems
  • Hacking Exposed, Second Edition

33
Casing the Establishment
  • Scanning
  • Turning door knobs and seeing if windows are
    locked
  • Search for vulnerabilities
  • Ping sweep
  • Determine what systems are up and running
  • Trace route
  • Port scan
  • ID operating system
  • ID applications running
  • Cheops (does it all)
  • Hacking Exposed, Second Edition

34
Casing the Establishment
  • Enumeration
  • Open the door and look inside (cross the line)
  • Active connection to target is established to
  • ID valid user accounts
  • ID poorly protected resource shares
  • Social Engineering
  • Gain access to inside human resources
  • Dumpster diving: go through the trash
  • Hacking Exposed, Second Edition

35
Hacking the Target
  • Directly connect to shared resources
  • Use that access to dig deeper
  • Install backdoors/Trojans
  • Crack passwords for administrator accounts
  • Dictionary and Brute Force
  • L0phtcrack
  • John the Ripper
  • Crack
  • Hacking Exposed, Second Edition

36
Hacking the Target
  • Privilege escalation
  • When you have password for non-admin account
  • Use Trojans to give yourself an admin account
  • e.g. change the Dir command so that it adds a new user
  • Install and run sniffers
  • Keystroke loggers
  • Hacking Exposed, Second Edition

37
Hiding the Trail
  • Proxy Servers
  • Make Web queries on behalf of inquiring computer
  • Query traces to proxy rather than point of origin
  • Anonymizers
  • E-mail spoofing
  • IP spoofing

38
(Diagram of proxy chaining; only the labels survive: Bad Guy, Proxy 1, Proxy 2, Destination)
39
Cyber Crime Investigations
  • Big Brother is Watching

40
Following the Trail
  • Server logs
  • E-mail headers
  • Whois databases
  • Human resources

41
Critical Concept
  • Internet Protocol (IP) addressing
  • Every computer connected to the Internet has a
    unique IP address assigned while it is connected
  • ... (e.g. 192.168.1.100)
  • Each number is 0 to 255
  • 256 possibilities
  • 2^8 (binary math)
  • 255 = 1111 1111

42
Critical Concept
  • Static addresses
  • Like telephone numbers
  • Don't change
  • Easy to find day after day
  • Dynamic addresses
  • Different each time you connect
  • Difficult to find from one use to the next

43
Server Logs
  • Domain Controllers
  • Access logs
  • Web Servers
  • FTP Servers
  • E-mail Servers

44
Tracking via Server Logs
  • 192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
  • 192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
  • 192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
  • 192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
  • 192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102

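Read in order, those five lines tell a story: one client address logs into one mailbox, reads message 15, opens a reply to message 9, submits it (the POST followed by a 302 redirect), reads message 9, and starts another reply, all within four minutes. The following is an added example (not part of the slides or the presenter's tooling) that parses the slide's log in Apache common log format and produces that per-client summary. The log lines are the slide's entries as reconstructed above, embedded as sample input; the regexes, field names and summary layout are this example's own. One practitioner's caveat the slide does not state: 192.168.50.165 is a private (RFC 1918) address, so the trail continues in the NAT, proxy or DHCP records of whatever network sits behind it.

```python
"""Added example: reconstruct one client's web-mail session from server logs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Sample input: the slide's five log entries, reconstructed as Apache
# common log format (constructed sample data for this demo).
SAMPLE_LOG = """\
192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102
"""

# Apache/NCSA common log format: client, ident, user, [timestamp],
# "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# sqwebmail carries the mailbox being accessed in the URL path itself.
MAILBOX_RE = re.compile(r'/login/([^/]+)\.authvchkpw/')


def parse_line(line: str):
    """Return a dict for one log line, or None if it is not in this format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    mbox = MAILBOX_RE.search(rec["path"])
    rec["mailbox"] = mbox.group(1) if mbox else None
    # query string -> {"folder": ["INBOX"], "form": ["readmsg"], "pos": ["15"]}
    rec["query"] = parse_qs(urlsplit(rec["path"]).query)
    return rec


def activity_by_client(log_text: str) -> dict:
    """Group parsed records by client IP and summarise what each client did."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)

    def q(rec, key):  # first value of a query parameter, or None
        return rec["query"].get(key, [None])[0]

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        report[ip] = {
            "requests": len(recs),
            "first_seen": recs[0]["time"],
            "last_seen": recs[-1]["time"],
            "span_seconds": int((recs[-1]["time"] - recs[0]["time"]).total_seconds()),
            "mailboxes": sorted({r["mailbox"] for r in recs if r["mailbox"]}),
            "messages_read": [q(r, "pos") for r in recs if q(r, "form") == "readmsg"],
            "replies_started": sum(1 for r in recs if q(r, "reply") == "1"),
            # a POST answered with a redirect is what submitting a composed
            # message looks like in this log
            "form_posts": sum(1 for r in recs if r["method"] == "POST" and r["status"] == 302),
        }
    return report


if __name__ == "__main__":
    for ip, summary in activity_by_client(SAMPLE_LOG).items():
        print(ip)
        for key, value in summary.items():
            print(f"  {key}: {value}")
```

The timestamps carry the server's own UTC offset (-0500), so sessions from several servers can be ordered on a common clock; the session token in the path (the long hex string) is what ties the five requests to one login even when the client address changes.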
46
E-mail Headers
  • Normal Headers
  • To, From, Date, and Subj
  • Full Headers
  • Record of path an e-mail takes from its origin to
    its destination

48
Return-Path: <ebreimer@siena.edu>
Delivered-To: mmcbride@leo.gov
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov 172.30.1.101)
    by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost 127.0.0.1)
    by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov (4.21.116.65) by dell61
    via smtpd (for smtp.leo.gov 172.30.1.100)
    with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov 4.21.116.126)
    by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from 66.194.176.8 by internetfw.leo.gov
    via smtpd (for mx.leo.gov 4.21.116.65) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Radio Interview
Date: Thu, 15 Apr 2004 14:01:35 -0400
Message-ID: <8DEC59405C543C4D88AF28B7AAB0F87302A47CC4@EXCHANGE2.siena.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Radio Interview
Thread-Index: AcQjE7E0Ke2vVSlaR5mlEdbMSjmvMw
From: "Breimer, Eric" <ebreimer@siena.edu>
To: <mmcbride@leo.gov>
Cc: <grimmcom@nycap.rr.com>
X-UIDL: 'B?!!L)!ce"!Hf_"!
49
E-mail Headers
  • Received: from internetfw.leo.gov
    (internetfw-dmz.leo.gov 4.21.116.126)
  • by dmzproxy.leo.gov (Postfix) with SMTP id
    5C21CAA8AF
  • for <mmcbride@leo.gov>; Thu, 15 Apr 2004
    14:01:33 -0400 (EDT)
  • Received: from 66.194.176.8 by
    internetfw.leo.gov
  • via smtpd (for mx.leo.gov
    4.21.116.65) with SMTP; Thu, 15 Apr 2004
    14:01:33 -0400
  • Received: FROM exchange2.siena.edu BY
    claven.siena.edu; Thu Apr 15 14:01:24 2004 -0400
  • X-MimeOLE: Produced By Microsoft Exchange
    V6.5.6944.0
  • Content-class: urn:content-classes:message
  • MIME-Version: 1.0

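Each mail server prepends its own Received: line, so the header as stored reads destination-first and has to be reversed to follow the path from origin to destination. The hops the slide singles out are the interesting ones for an investigator: the line stamped by internetfw.leo.gov is the first one written by a server the recipient's organisation controls, and the address it names, 66.194.176.8, is the system that actually connected from outside. Anything earlier in the chain was written by machines outside that control and could have been forged (the e-mail spoofing from the "Hiding the Trail" slide). The following is an added example (not part of the slides or the presenter's tooling) that walks the chain with Python's standard email module. RAW_HEADERS is the slide's Received: chain plus a few of its other headers, embedded as sample input; the helper names and the trust-boundary logic are this example's own.

```python
"""Added example: walk a Received: chain from origin to destination."""
import email
import re
from email.utils import parsedate_to_datetime

# Sample input: the header block from the slide (constructed sample data
# for this demo; continuation lines are indented as in a real message).
RAW_HEADERS = """\
Return-Path: <ebreimer@siena.edu>
Delivered-To: mmcbride@leo.gov
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov 172.30.1.101)
    by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost 127.0.0.1)
    by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov (4.21.116.65) by dell61
    via smtpd (for smtp.leo.gov 172.30.1.100) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov 4.21.116.126)
    by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF
    for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from 66.194.176.8 by internetfw.leo.gov
    via smtpd (for mx.leo.gov 4.21.116.65) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu; Thu Apr 15 14:01:24 2004 -0400
Subject: Radio Interview
Date: Thu, 15 Apr 2004 14:01:35 -0400
Message-ID: <8DEC59405C543C4D88AF28B7AAB0F87302A47CC4@EXCHANGE2.siena.edu>
From: "Breimer, Eric" <ebreimer@siena.edu>
To: <mmcbride@leo.gov>
Cc: <grimmcom@nycap.rr.com>
"""

# "from <host> ... by <host>"; case-insensitive because one MTA above
# writes FROM/BY in capitals. Hosts stop at whitespace, ';' or parentheses.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<from>[^\s;()]+).*?\bby\s+(?P<by>[^\s;()]+)", re.IGNORECASE
)


def parse_received(value: str) -> dict:
    """Extract the sending host, receiving host and timestamp of one hop."""
    flat = " ".join(value.split())          # collapse folding whitespace
    m = RECEIVED_RE.search(flat)
    stamp = None
    if ";" in flat:                         # the date follows the last ';'
        try:
            stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamp = None                    # missing or unparseable date
    return {"from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "time": stamp}


def hop_chain(raw_message: str) -> list:
    """Received: hops in origin-to-destination order."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def external_handoff(hops: list, our_domain: str):
    """First hop stamped by one of our own servers. Its 'from' is the system
    that really connected to us; earlier hops are outside our control."""
    ours = our_domain.lower()
    for hop in hops:
        by = (hop["by"] or "").lower()
        if by == ours or by.endswith("." + ours):
            return hop
    return None


def transit_seconds(hops: list) -> int:
    """Seconds between the first and last timestamped hop. Server clocks are
    not synchronised (note the dell61 stamp above), so treat as approximate."""
    stamped = [h["time"] for h in hops if h["time"] is not None]
    return int((stamped[-1] - stamped[0]).total_seconds()) if len(stamped) > 1 else 0


if __name__ == "__main__":
    chain = hop_chain(RAW_HEADERS)
    for i, hop in enumerate(chain, 1):
        print(f"{i}. {hop['from']} -> {hop['by']} at {hop['time']}")
    print("handed to us by:", external_handoff(chain, "leo.gov")["from"])
    print("approx. transit:", transit_seconds(chain), "s")
```

Note the clock skew visible in the sample: dell61 stamps 14:01:53 although the server after it stamps 14:01:34, which is why the elapsed-time figure is only a rough guide and why an investigator anchors on the hop written by a server whose clock and logs they can check.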
50
Whois Databases
  • Contain registration information for the Domain
    Name System and IP addresses
  • Examples
  • www.dnsstuff.com
  • www.arin.net
  • www.samspade.org
  • www.networksolutions.com

55
Human Resources
  • Easiest way to find a criminal
  • Find someone that knows what happened and is
    willing to tell what they know
  • Find someone that has inside access to the type
    of hacking you are investigating and enlist their
    assistance

56
InfraGard
57
What Is InfraGard?
  • A Cooperative Undertaking/Partnership
  • U.S. Government (led by the FBI)
  • Association of
  • Businesses
  • Academic institutions
  • State and local law enforcement agencies
  • Other participants
  • Dedicated to increasing the security of United
    States critical infrastructures

58
What Is A Critical Infrastructure?
"Services so vital that their incapacity or
destruction would have a debilitating impact on
the defense or economic security of the United
States." (Executive Order 13010)
60
Why Partner?
  • Our businesses, our country, and our world depend
    on functional infrastructures
  • Industries and infrastructures are interdependent
  • More than 80 percent of U.S. infrastructures are
    owned and operated by the private sector
  • Government has resources that are critical to
    successfully protecting all infrastructures
  • Only by working together can the Nation's
    infrastructures be properly protected
  • InfraGard is a critical entity in bringing all
    the right players to the same table

61
How Did InfraGard Get Started?
  • National InfraGard Program
  • Pilot project in 1996
  • Cleveland FBI Field Office asked local computer
    professionals to assist the FBI in determining
    how to better protect critical information
    systems in the public and private sectors
  • First InfraGard Chapter was formed

62
What is the Cost?
  • InfraGard is a not-for-profit membership
    organization
  • There are no dues
  • Cost is your time & energy

63
Who Should Join InfraGard?
  • Infrastructure stakeholders
  • Infrastructure providers
  • Infrastructure end users (everyone?)
  • Individuals with organizational skills
  • Accountants
  • Lawyers
  • Managers
  • Marketing Experts
  • Etc.

64
Infrastructure Protection
  • Infrastructure protection is everyone's problem.
  • Don't get complacent! Get involved!