Cyber Crime - PowerPoint PPT Presentation

About This Presentation

Title:

Cyber Crime

Description:

Cyber Crime Special Thanks to Special Agent Martin McBride for sharing most of this information in his talk at Siena last semester Criminal Activity Today has shifted ... – PowerPoint PPT presentation

Number of Views:594

Avg rating:3.0/5.0

Slides: 65

Provided by: csSienaE

Learn more at: http://facultyweb.siena.edu

Category:

more less

Transcript and Presenter's Notes

Title: Cyber Crime

1
Cyber Crime

Special Thanks to
Special Agent Martin McBridefor sharing most of
this information in his talk at Siena last
semester

2
Criminal Activity Today

has shifted to the Internet

3
Canadian Lottery Scam

A call from Canada
Youve won the Canadian Lotto
Well protect your winnings from US capital gains
taxes (i.e., Canadian Bank)
Just pay the Canadian Lotto tax 0.5 and well
set everything up
You say
You mean I just have to pay you 5000 and youll
put 1,000,000 in my own Canadian Bank Account.
Sounds great!

4
Canadian Lottery Scam

Its estimated that over 10,000,000 has been
scammed off people in just the US.
The scammer are so sophisticated that they get
Direct Mailing/Marketing List and target specific
demographics (homeowners over 65).
http//www.experian.com/products/listlink_express.
html
Thank you Experian!

5
Canadian Lottery Scam

The scammer use cloned cell phones
Checks sent to Mailboxes Etc.
set up using a stolen identity
The FBI and RCMP have developed counter-measures
Thus, the Scammers have retreated to the
Internet, where they have greater reach and less
risk.

6
Criminal Activity Today

Phishing
Nigerian Letters Fraud
Internet Sales Fraud
Carding
Intrusions
Viruses Worms

7
Criminal Activity Today-continued-

Distributed Denial of Service (DDOS)
Spam Attack/DDOS
Intellectual Property Theft
Sabotage

8
Phishing

uses spam, spoofed e-mails and fraudulent
websites to
deceive consumers into disclosing credit card
numbers, bank account information, Social
Security numbers, passwords, and other sensitive
information
by hijacking the trusted brands of well-known
banks, online retailers and credit card companies

9
(No Transcript)
10
(No Transcript)
11
(No Transcript)
12
ltTABLE cellSpacing0 cellPadding0 width600
aligncentergt ltTBODYgt ltTRgt ltTDgtltFONT
style"FONT-WEIGHT 400 FONT-SIZE 13px
FONT-FAMILY verdana,arial,helvetica,sans-serif"gtW
e are currently performing regular
maintenance of our security measures. Your
account has been randomly selected for this
maintenance, and you now be taken through
a verification process.ltBRgtltBRgtProtecting the
security of your PayPal account is our
primary concern, and we apologize for any
inconvenience this may cause.ltBRgtltBRgtPlease ltA
href"http//verify.paypal.com.auth23.net4180
/us/cgi-bin/webscr.cmd_verification-run/verify.ht
ml"gtltFONT color0033ccgtclick
herelt/FONTgtlt/Agt and fill in the correct
information to verify your
identity.ltBRgtltBRgtNOTE Failure to complete the
verification process or providing wrong
information will lead to account suspension or
even termination.lt/FONTgtlt/TDgtlt/TRgtlt/TBODYgtlt/TA
BLEgtltBRgtltBRgt
13
Nigerian Letter Fraud

Claiming to be
Nigerian officials,
business people or
the surviving spouses of former government
honchos,
con artists offer to transfer millions of dollars
into your bank account in exchange for a small
fee.

14
Nigerian Letter Fraud

If you respond, you may receive "official
looking" documents.
Typically, you're then asked to
provide blank letterhead and
your bank account numbers,
as well as some money to cover transaction and
transfer costs and attorney's fees.

15
Nigerian Letter Fraud

You may even be encouraged to travel to Nigeria
or a border country to complete the transaction.
Sometimes, the fraudsters will produce trunks of
dyed or stamped money to verify their claims.
Inevitably, though, emergencies come up,
requiring more of your money and delaying the
"transfer" of funds to your account
in the end, there aren't any profits for you to
share, and the scam artist has vanished with your
money.

16
(No Transcript)
17
(No Transcript)
18
Internet Sales Fraud

Overpayment scheme (E-bay)
A buyer accidentally over pays you
1000 check rather than 100 check
Buyer says, My mistake but you owe me 900 if
you cash that check.
Buyer says, Dude man! I need that 900 bucks,
since this was my mistake, if you wire me 800
bucks, the check is yours.
You get an additional 100 for you trouble, cool!

19
Internet Sales Fraud

Did you know that if you deposit a check worth
10,000 or more at HSBC it can take over 5
business days for it to clear or to realize its
fraud.
A week gives a scammer a long time to put
pressure on you to return the over payment.
Perhaps the overpayment is 9000.
Guess what? If you send a wire transfer or a
money order out of your account, your account
balance is immediately reduced (instantaneous at
the time the order or wire is entered into their
system).
Thank you HSBC for making it easy to scam me!

20
Internet Sales Fraud

Alexey Ivanov and others
auctioned non-existent items on eBay
bid on own items using stolen credit cards
as high bidder, paid himself through Paypal

21
Carding

Carding" the illegal use of credit card numbers.
Carders..
Acquire valid credit card numbers(not their own)
Use them to make purchases
Sell them to others
Trade them over the Internet

22
Carding

Maxus, a Russian, stole 300,000 credit card
numbers from CDUniverse.com
Maxus scheme was broken into 4 basic parts
Whole-selling Cards Cards were distributed to
trusted partners, mainly in lots of 1,000, for 1
each.
Re-selling Cards Cards were then sold by Maxus'
partners. These "re-sellers" sold card numbers
mainly in blocks of 50. The price to the "end
consumer" was around 500.
Pure Liquidation Maxus set himself up as an
online retailer, and used the stolen numbers as
if they belonged to his customers
End Users Individuals would use the cards
bought from Maxus to conduct their own fraud.

23
Intrusions

Unauthorized access into a computer
Different types of intruders
Hackers create code to exploit vulnerabilities
Script-kiddies use code readily available over
the Internet to exploit vulnerabilities
Insiders - former employees whose accounts were
not disabled upon termination

24
Intrusions

Example
Bob leaves Experian for Equifax
Equifax is a competitor to Experian
Bob uses same password at Equifax that he had
used while at Experian
Equifax has to crack Bobs password because no
one can get into his account to retrieve the work
he left behind
Experian decides to try Bobs password on Equifax
s e-mail system
It worked!
Experian attempts to steal customers from Equifax
by intercepting e-mail sent to Bobs account at
Equifax.

25
Viruses, Worms, Trojans

Viruses are computer code written to degrade the
health of a computer or computer network
Worms are viruses that are written such that they
can spread themselves to other computers
Trojans are viruses that remain dormant or hidden
until a certain action is taken or a specified
period of time has elapsed

26
Denial of Service (DOS)

An attack in which a large network of compromised
computers is used to attack a target computer
Examples
Mafiaboy - Feb 2000
Yahoo!, eBay, CNN.com, eTrade, and others
DDOS attack against 9 of 13 root servers Oct
2002

27
Intellectual Property Theft

The unauthorized acquisition and/or distribution
of proprietary computer software or data files

28
Intellectual Property Theft

Example
Online warez pirates
Buy or steal copies of software programs such as
video games or operating systems
Illegally share the programs through FTP servers
located throughout the world
Hundreds and perhaps thousands of organized
groups exist
Many groups contain hundreds of members

29
Sabotage

Deliberate destruction of the functionality of a
computer or computer network

30
Insiders

Greatest threat to computer networks
Know the system
Have access via user accounts
Security lapses
Easy-to-guess passwords
Share accounts/passwords
Hostile terminations/revenge

31
Criminal Cyber Crime Techniques

Casing the establishment
Footprinting
Scanning
Enumeration
Hacking Exposed, Second Edition

32
Casing the Establishment

Footprinting
Locate a potential target
Learn everything about target network
Map the network
Domain names in use
Routable IP address range
Services running and versions used
Firewalls and Intrusion Detection Systems
Hacking Exposed, Second Edition

33
Casing the Establishment

Scanning
Turning door knobs and seeing if windows are
locked
Search for vulnerabilities
Ping sweep
Determine what systems are up and running
Trace route
Port scan
ID operating system
ID applications running
Cheops (does it all)
Hacking Exposed, Second Edition

34
Casing the Establishment

Enumeration
Open the door and look inside (cross the line)
Active connection to target is established to
ID valid user accounts
ID poorly protected resource shares
Social Engineering
Gain access to inside human resources
Dumpster diving go through the trash
Hacking Exposed, Second Edition

35
Hacking the Target

Directly connect to shared resources
Use that access to dig deeper
Install backdoors/Trojans
Crack passwords for administrator accounts
Dictionary and Brute Force
L0phtcrack
John the Ripper
Crack
Hacking Exposed, Second Edition

36
Hacking the Target

Privilege escalation
When you have password for non-admin account
Use Trojans to give yourself an admin account
e.g. change Dir command so that it adds new user
Install and run sniffers
Keystroke loggers
Hacking Exposed, Second Edition

37
Hiding the Trail

Proxy Servers
Make Web queries on behalf of inquiring computer
Query traces to proxy rather than point of origin
Anonymizers
E-mail spoofing
IP spoofing

38
Proxy 2
Bad Guy
Proxy 1
Destination
39
Cyber Crime Investigations

Big Brother is Watching

40
Following the Trail

Server logs
E-mail headers
Whois databases
Human resources

41
Critical Concept

Internet Protocol (IP) addressing
Every computer connected to the Internet has a
unique IP address assigned while it is connected
... (e.g. 192.168.1.100)
Each is 0 to 255
256 possibilities
28 (binary math)
255 1111 1111

42
Critical Concept

Static addresses
Like telephone numbers
Dont change
Easy to find day after day
Dynamic addresses
Different each time you connect
Difficult to find from one use to the next

43
Server Logs

Domain Controllers
Access logs
Web Servers
FTP Servers
E-mail Servers

44
Tracking via Server Logs

192.168.50.165 - - 17/Sep/2002174652 -0500
"GET /webmail/cgi-bin/sqwebmail/login/Credit_at_credi
tsite.net.authvchkpw/FAE810691B0001A0D294054EB5B83
2ED/1032302396?folderINBOXformreadmsgpos15
HTTP/1.0" 200 18627
192.168.50.165 - - 17/Sep/2002174832 -0500
"GET /webmail/cgi-bin/sqwebmail/login/Credit_at_credi
tsite.net.authvchkpw/FAE810691B0001A0D294054EB5B83
2ED/1032302396?folderINBOXpos9reply1formnew
msg HTTP/1.0" 200 8020
192.168.50.165 - - 17/Sep/2002174953 -0500
"POST /webmail/cgi-bin/sqwebmail/login/Credit_at_cred
itsite.net.authvchkpw/FAE810691B0001A0D294054EB5B8
32ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - 17/Sep/2002175001 -0500
"GET /webmail/cgi-bin/sqwebmail/login/Credit_at_credi
tsite.net.authvchkpw/FAE810691B0001A0D294054EB5B83
2ED/1032302396?folderINBOXformreadmsgpos9
HTTP/1.0" 200 19721
192.168.50.165 - - 17/Sep/2002175034 -0500
"GET /webmail/cgi-bin/sqwebmail/login/Credit_at_credi
tsite.net.authvchkpw/FAE810691B0001A0D294054EB5B83
2ED/1032302396?folderINBOXpos6reply1formnew
msg HTTP/1.0" 200 8102

45
Tracking via Server Logs

192.168.50.165 - - 17/Sep/2002174652 -0500
"GET /webmail/cgi-bin/sqwebmail/login/Credit_at_credi
tsite.net.authvchkpw/FAE810691B0001A0D294054EB5B83
2ED/1032302396?folderINBOXformreadmsgpos15
HTTP/1.0" 200 18627
192.168.50.165 - - 17/Sep/2002174832 -0500
"GET /webmail/cgi-bin/sqwebmail/login/Credit_at_credi
tsite.net.authvchkpw/FAE810691B0001A0D294054EB5B83
2ED/1032302396?folderINBOXpos9reply1formnew
msg HTTP/1.0" 200 8020
192.168.50.165 - - 17/Sep/2002174953 -0500
"POST /webmail/cgi-bin/sqwebmail/login/Credit_at_cred
itsite.net.authvchkpw/FAE810691B0001A0D294054EB5B8
32ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - 17/Sep/2002175001 -0500
"GET /webmail/cgi-bin/sqwebmail/login/Credit_at_credi
tsite.net.authvchkpw/FAE810691B0001A0D294054EB5B83
2ED/1032302396?folderINBOXformreadmsgpos9
HTTP/1.0" 200 19721
192.168.50.165 - - 17/Sep/2002175034 -0500
"GET /webmail/cgi-bin/sqwebmail/login/Credit_at_credi
tsite.net.authvchkpw/FAE810691B0001A0D294054EB5B83
2ED/1032302396?folderINBOXpos6reply1formnew
msg HTTP/1.0" 200 8102

46
E-mail Headers

Normal Headers
To, From, Date, and Subj
Full Headers
Record of path an e-mail takes from its origin to
its destination

47
(No Transcript)
48
Return-Path ltebreimer_at_siena.edugt Delivered-To
mmcbride_at_leo.gov Received from
mailscan-a.leo.gov (mailscan-a-pub.leo.gov
172.30.1.101) by mail.leo.gov (Postfix) with
ESMTP id AADAA26E4B for ltmmcbride_at_leo.govgt Thu,
15 Apr 2004 140134 -0400 (EDT) Received from
dell61 (localhost 127.0.0.1) by
mailscan-a.leo.gov (Postfix) with ESMTP id
2ABB838641 for ltmmcbride_at_leo.govgt Thu, 15 Apr
2004 140134 -0400 (EDT) Received from
dmzproxy.leo.gov (4.21.116.65) by dell61
via smtpd (for smtp.leo.gov 172.30.1.100)
with ESMTP Thu, 15 Apr 2004 140153
-0400 Received from internetfw.leo.gov
(internetfw-dmz.leo.gov 4.21.116.126) by
dmzproxy.leo.gov (Postfix) with SMTP id
5C21CAA8AF for ltmmcbride_at_leo.govgt Thu, 15 Apr
2004 140133 -0400 (EDT) Received from
66.194.176.8 by internetfw.leo.gov
via smtpd (for mx.leo.gov 4.21.116.65) with
SMTP Thu, 15 Apr 2004 140133 -0400 Received
FROM exchange2.siena.edu BY claven.siena.edu
Thu Apr 15 140124 2004 -0400 X-MimeOLE
Produced By Microsoft Exchange V6.5.6944.0 Content
-class urncontent-classesmessage MIME-Version
1.0 Content-Type text/plain charset"iso-8859-1
" Content-Transfer-Encoding quoted-printable Subj
ect Radio Interview Date Thu, 15 Apr 2004
140135 -0400 Message-ID lt8DEC59405C543C4D88AF28
B7AAB0F87302A47CC4_at_EXCHANGE2.siena.edugt X-MS-Has-A
ttach X-MS-TNEF-Correlator Thread-Topic
Radio Interview Thread-Index AcQjE7E0Ke2vVSlaR5ml
EdbMSjmvMw From "Breimer, Eric"
ltebreimer_at_siena.edugt To ltmmcbride_at_leo.govgt Cc
ltgrimmcom_at_nycap.rr.comgt X-UIDL
'B?!!L)!ce"!Hf_"!
49
E-mail Headers

Received from internetfw.leo.gov
(internetfw-dmz.leo.gov 4.21.116.126)
by dmzproxy.leo.gov (Postfix) with SMTP id
5C21CAA8AF
for ltmmcbride_at_leo.govgt Thu, 15 Apr 2004
140133 -0400 (EDT)
Received from 66.194.176.8 by
internetfw.leo.gov
via smtpd (for mx.leo.gov
4.21.116.65) with SMTP Thu, 15 Apr 2004
140133 -0400
Received FROM exchange2.siena.edu BY
claven.siena.edu Thu Apr 15 140124 2004 -0400
X-MimeOLE Produced By Microsoft Exchange
V6.5.6944.0
Content-class urncontent-classesmessage
MIME-Version 1.0

50
Whois Databases

Contain registration information for the Domain
Name System and IP addresses
Examples
www.dnsstuff.com
www.arin.net
www.samspade.org
www.networksolutions.com

51
(No Transcript)
52
(No Transcript)
53
(No Transcript)
54
(No Transcript)
55
Human Resources

Easiest way to find a criminal
Find someone that knows what happened and is
willing to tell what they know
Find someone that has inside access to the type
of hacking you are investigating and enlist their
assistance

56
InfraGard
57
What Is InfraGard?

A Cooperative Undertaking/Partnership
U.S. Government (led by the FBI)
Association of
Businesses
Academic institutions
State and local law enforcement agencies
Other participants
Dedicated to increasing the security of United
States critical infrastructures

58
What Is A Critical Infrastructure?
Services so vital that their incapacity or
destruction would have a debilitating impact on
the defense or economic security of the United
States. Executive Order 13010
59
(No Transcript)
60
Why Partner?

Our businesses, our country, and our world depend
on functional infrastructures
Industries and infrastructures are interdependent
More than 80 percent of U.S. infrastructures are
owned and operated by the private sector
Government has resources that are critical to
successfully protecting all infrastructures
Only by working together can the Nations
infrastructures be properly protected
InfraGard is a critical entity in bringing all
the right players to the same table

61
How Did InfraGard Get Started?

National InfraGard Program
Pilot project in 1996
Cleveland FBI Field Office asked local computer
professionals to assist the FBI in determining
how to better protect critical information
systems in the public and private sectors
First InfraGard Chapter was formed

62
What is the Cost?