How to Investigate

1
How to Investigate

• SPAM

2
WhoIs behind the scam?

• Who are the individuals who own that Web Site ?

3
Introduction

• The cost of spam

This section from http//www.cs.uml.edu/pkrolak/9
1-113/DarkSideOfInternet.ppt
4
Spam

• Spam is electronic junk mail that clogs our
  internet like the fatty canned meat of the same
  name clogs our arteries.
• Communication lines back up at an alarming rate,
• Storage is gobbled up,
• Servers and processors thrash, and
• Users are irritated at best incapacitated at
  worst.
• Spam costs the ISPs and others a fortune to
  prevent and/or to remove.
• At its worst spam is used by scammers, hackers,
  and others to market and prey on literally
  millions of users at a very low cost.

Source http//www.unt.edu/benchmarks/archives/200
5/february05/spamandcookiescolor.gif
5
Spam

• What is Spam?
• Junk email unwanted, resource robbing, and
  often contains viruses, worms, and scams.
• Why is it an increasing problem?
• Spam is the fastest growing component of messages
  on the Internet that consumes bandwidth, storage,
  and angers the user. ISPs and some consumer
  groups are attempting to shut down the worst
  offenders.
• Spam as harassment.
• Spam as DoS (Denial of Service) attack.
• Spam as Phishing (attempt to obtain a persons
  ID, password, etc, by pretending to be a
  legitimate request.)
• What can be done about it? (Discussion questions)
• Closing down ISPs that permit email relaying (Is
  this too draconian?).
• Apply filters and tools to remove it (Can they be
  by-passed?).
• Lobby for federal legislation to create civil and
  criminal penalties for those who send Spam. (Does
  this interfere with free speech?)
• A recently passed law to prosecute commercial
  spammers. (When is Internet advertising
  legitimate and when is it Spam?)

6
Why Estimate the Cost of Spam?

• Important for policy reasons to know severity of
  problem
• helps in assigning priority to issue
• To determine which economic actors have to bear
  costs also
• important in focusing on solutions
• Spam imposes negative externality on society
  (similar to
• pollution in the manufacturing economy) economic
  damage
• and cost borne by third parties resulting in an
  overall loss of
• welfare for society
• If costs of spam are unacceptable then have to
  put in place
• mechanisms to change behavior of producers of
  spam
• Provides metric to let the punishment fit the
  crime.
• Market itself does not provide mechanism to
  correct for costs
• inflicted by spam. If economic solutions are used
  to combat
• spam, cost data can help determine prices applied
  to reduce or
• eliminate spam

http//www.oecd.org/dataoecd/47/5/26618988.pdf
7
Spam Impact on Consumers

• E-mail has value to recipient which varies with
  the content and should at least equal processing
  cost
• Each e-mail entails the same receiving/processing
  cost for consumer. For spam the value of the
  e-mail content is negative and to this must be
  added the processing cost
• If the amount of spam received is extremely high
  it could conceivably outweigh the positive value
  of receiving e-mail
• Costs to consumers for processing mail are
  declining as consumers switch to broadband from
  dial-up (where time based Internet access charges
  exist) and because of quicker download times
• But increase in volume of spam is likely to
  result in net increase in costs if you can go
  fast but you produce crap, all you get is more
  crap

http//www.oecd.org/dataoecd/47/5/26618988.pdf
8
Overall Cost Some Estimates

• Reduced use of an efficient and cheap means of
  communications among economic actors slows down
  growth of e-commerce and development of digital
  economy.
• Total economic impact of spam estimates vary
• Global cost conservatively estimated at
  estimated at 10 Billion (European Commission
  Study 2001)
• Ferris Research (Jan. 2003) estimated that spam
  cost US companies 8.9 billion dollars in 2002.
  The same study estimated the cost of spam in
  Europe as US2.5 billion.
• UNCTAD (2003) 20 billion
• Cost to Hong Kong economy 1.3 billion (HKISPA
  2004)
• 2 - 20 Billion per year and growing.

http//www.oecd.org/dataoecd/47/5/26618988.pdf
9
CAN SPAM Law of 2003

• CAN-SPAM Act of 2003 (Pub. L. 108-187, S. 877)
• The Controlling the Assault of Non-Solicited
  Pornography and Marketing Act requires
  unsolicited commercial e-mail messages to be
  labeled (though not by a standard method) and to
  include opt-out instructions and the sender's
  physical address. It prohibits the use of
  deceptive subject lines and false headers in such
  messages. The FTC is authorized (but not
  required) to establish a "do-not-email" registry.
  State laws that require labels on unsolicited
  commercial e-mail or prohibit such messages
  entirely are pre-empted, although provisions
  merely addressing falsity and deception would
  remain in place. The CAN-SPAM Act took effect on
  January 1, 2004.

10
Crimes of Persuasion

• Crimes of persuasion are scams that appeal to
  peoples greed, goodwill, or other emotions to
  use the victim to provide the access and
  assistance to information, the money or other
  resources, that are the target of the criminal.
• In other words A Con Game

11
Internet Scams
12
Internet Scams

• Scams over the Internet unlike the fraud and
  similar crime can be difficult to detect,
  prosecute, and prevent and easy to perpetrate.
• Email can be used to reach 250 million with a
  simple program and a CD-ROM with the email
  addresses.
• Example - The African businessman who offers to
  split a large sum of money (like, 20M) if he can
  only electronically wire it to your checking
  account. He also requires a (small) fee (250.)
  wired to his account to bribe fellow country men.
  Your fee and your bank account are immediately
  seen to vanish.
• See http//www.cnn.com/2000/TECH/computing/10/31/
  ftc.web.scams/

13
Internet Pyramid schemes

• What is a Pyramid Scheme?
• Pyramid schemes, also referred to as "chain
  referral", "binary compensation" or "matrix
  marketing" schemes, are marketing and investment
  frauds which reward participants for inducing
  other people to join the program.   Ponzi
  schemes, by contrast, operate strictly by paying
  earlier investors with money deposited by later
  investors without the emphasis on recruitment or
  awareness of participation structure.
• Pyramid schemes focus on the exchange of money
  and recruitment.  At the heart of each pyramid
  scheme there is typically a representation that
  new participants can recoup their original
  investments by inducing two or more prospects to
  make the same investment.  
• For each person you bring in you are promised
  future monetary rewards or bonuses based on your
  advancement up the structure.  Over time, the
  hierarchy of participants resembles a pyramid as
  newer, larger layers of participants join the
  established structure at the bottom.

Source http//www.crimes-of-persuasion.com/Crimes
/Delivered/pyramids.htm
14
Internet Pyramid schemes (more)

• They say you will have to do "little or no work
  because the people below you will".  You should
  be aware that the actual business of sales and
  supervision is hard work. So if everyone is doing
  little or no work, how successful can a venture
  be? Too good to be true!
• The marketing of a product or service, if done at
  all,  is only of secondary importance in an
  attempt to evade prosecution or to provide a
  corporate substance.  Often there is not even an
  established market for the products so the "sale"
  of such merchandise, newsletters or services is
  used as a front for transactions which occur only
  among and between the operation's distributors. 
• Therefore, your earning potential depends
  primarily on how many people you sign up, not how
  much merchandise is sold.
• When the Pyramid gets too big, the whole scheme
  collapses and the people who lose are the people
  at the bottom.

15
Internet Pyramid schemes (more)

• Pyramid schemes are not the same as Ponzi schemes
  which operate under false pretences about how
  your money is being invested and normally benefit
  only a central company or person along with
  possibly a few early participants who become
  unwitting shills.
• Pyramid schemes involve a hierarchy of investors
  who participate in the growth of the structure
  with profits distributed according to one's
  position within the promotional hierarchy based
  on active recruitment of additional participants.
• Both are fraudulent, because they induce an
  investment with no intention of using the funds
  as stated to the investor.

16
Email Fraud

• Fraud has existed perhaps as long or longer than
  money. Any new sociological change can engender
  new forms of fraud, or other crime.

Source http//en.wikipedia.org/wiki/Email_fraud
17
Email Fraud

• Almost as soon as e-mail became widely used, it
  began to be used to defraud people via E-mail
  fraud.
• E-mail fraud can take the form of a "con game" or
  scam.
• Confidence tricks tend to exploit the inherent
  greed and dishonesty of their victims the
  prospect of a 'bargain' or 'something for
  nothing' can be very tempting.
• E-mail fraud, as with other 'bunco schemes'
  relies on naive individuals who put their
  confidence in get-rich-quick schemes such as 'too
  good to be true' investments or offers to sell
  popular items at 'impossibly low' prices. Many
  people have lost their life savings due to fraud.
  (Including E-Mail fraud!)

18
Avoiding e-mail fraud

• E-mail fraud may be avoided by
• Keeping one's e-mail address as secret as
  possible,
• Ignoring unsolicited e-mails of all types, simply
  deleting them,
• Not giving in to greed, since greed is the
  element that allows one to be 'hooked, and
• If you have been defrauded, report it to law
  enforcement authorities -- many frauds go
  unreported, due to shame, guilty feelings or
  embarrassment.

Source http//en.wikipedia.org/wiki/Email_fraud
19
Identity Theft on the Internet

• Identity theft involves finding out the users
  personal information and then using it commit
  fraud and other crimes.

20
Identity Theft

• But he that filches from me my good name
• Robs me of that which not enriches him
• And makes me poor indeed."  - Shakespeare,
  Othello, Act III. Scene III.

21
What is Identity Theft?

• A Federal crime where someone wrongfully obtains
  and uses another person's personal data in some
  way that involves fraud or deception, typically
  for economic gain.
• In 2004, almost 250,000 claims of Identity Theft
  within the US alone (11000)
• More than 500 million in reported losses

Source http//www.consumer.gov/sentinel/pubs/Top1
0Fraud2004.pdf
22
Categories of Identity Theft

• According to the non-profit Identity Theft
  Resource Center, identity theft is "sub-divided
  into four categories
• Financial Identity Theft (using another's name
  and SSN to obtain goods and services),
• Criminal Identity Theft (posing as another when
  apprehended for a crime),
• Identity Cloning (using another's information to
  assume his or her identity in daily life) and
• Business/Commercial Identity Theft (using
  another's business name to obtain credit)."

Source http//en.wikipedia.org/wiki/Identity_thef
t
23
Tiger Woods

• A man who used Tiger Woods' identity to steal
  17,000 worth of goods was sentenced to 200
  years-to-life in prison.
• Anthony Lemar Taylor was convicted of falsely
  obtaining a driver's license using the name
  Eldrick T. Woods, Woods' Social Security number
  and his birth date.
• Though he looks nothing like golf's best player,
  the 30-year-old Taylor then used the false
  identification and credit cards to buy a 70-inch
  TV, stereos and a used luxury car between August
  1998 and August 1999.
• Judge Michael Virga gave Taylor the maximum
  sentence under California's three-strikes law...

24
Identity Theft by Age
Souce http//www.consumer.gov/sentinel/pubs/Top10
Fraud2004.pdf
25
Identity Theft

• Identity Theft the acquiring of personal and
  financial information about a person for criminal
  purposes.
• Your Social Security Number, credit card numbers,
  and passwords on your machine can be used to gain
  information about you from the web sources.
• Once the information is gained it is used to
  charge large amounts for plane tickets, etc.
• The criminal can also assume your identity for
  fraud and terrorism.
• Some rings communicate data gathered to
  accomplices in other countries where the
  fraudulent charges are actually made.
• It can take up to 18 months and thousands of
  dollars to restore your credit.
• See http//www.newsfactor.com/perl/story/15965.htm
  l

26
The role of private industry and government in
identity theft
27
Techniques for obtaining information

• Low Tech Social Engineering
• Stealing (snail) mail or rummaging through
  rubbish (dumpster diving)
• Eavesdropping on public transactions to obtain
  personal data (shoulder surfing)
• Obtaining castings of fingers for falsifying
  fingerprint identification
• High Tech Internet Approaches
• Stealing personal information in computer
  databases Trojan horses, hacking Including
  theft of laptops with personal data loaded.
• The infiltration of organizations that store
  large amounts of personal information
• Impersonating a trusted organization in an
  electronic communication (phishing) .
• Spam (electronic) Some, if not all spam entices
  you to respond to alleged contests, enter into
  "Good Deals", etc.
• Browsing social network (MySpace, Facebook, Bebo
  etc) sites, online for personal details that have
  been posted by users in public domains.

Soruce http//en.wikipedia.org/wiki/Identity_thef
t
28
What is Pharming?

• Pharming is the exploitation of a vulnerability
  in the DNS server software that allows a hacker
  to acquire the Domain Name for a site, and to
  redirect traffic from that website to another web
  site.
• DNS servers are the machines responsible for
  resolving internet names into their real Internet
  Protocol (IP) addresses - the "signposts" of the
  internet. (e.g., Good_Stuff.com will translate to
  an address like 152 145 72 30 i.e. four groups
  of base 8 (octal) numbers in IP version 4 (IPv4)
  or eight groups in base 16 (hex) in IP version 6
  (IPv6). The Internet has thousands of DNS servers
  each one a target for determined hackers.

29
Phishing

• What is Phishing?
• Using email or web sites to look like authentic
  corporate communications and web sites to trick
  people into giving personal and financial
  information.
• FBI sees this a fast growing form of fraud and
  can lead to theft of identity.
• See http//www.crimes-of-persuasion.com/Crimes/Del
  ivered/internet.htm

30
What is Phishing?

• phishing (also known as carding and spoofing)
• n.
• 1. The act of attempting to fraudulently acquire
  sensitive information, such as passwords and
  credit card details, by masquerading as a
  trustworthy person or business with a real need
  for such information in a seemingly official
  electronic notification or message (most often an
  email, or an instant message).

Source http//en.wikipedia.org/wiki/Phishing
31
Phishing Example
From eBay Billing Department ltaw-confirm_at_ebay.com
gt To you_at_uml.edu Subject Important
Notification
This link points to a bogus site that often will
infect and attempt to corrupt or steal data from
your computer or to coerce you into divulging
private information when You access it.

• Register for eBay
• Dear valued customer
• Need Help?
• We regret to inform you that your eBay account
  could be suspended if you don't re-update your
  account information. To resolve this problems
  please click here and re-enter your account
  information. If your problems could not be
  resolved your account will be suspended for a
  period of 3-4 days, after this period your
  account will be terminated.
• For the User Agreement, Section 9, we may
  immediately issue a warning, temporarily suspend,
  indefinitely suspend or terminate your membership
  and refuse to provide our services to you if we
  believe that your actions may cause financial
  loss or legal liability for you, our users or us.
  We may also take these actions if we are unable
  to verify or authenticate any information you
  provide to us.
• Due to the suspension of this account, please be
  advised you are prohibited from using eBay in any
  way. This includes the registering of a new
  account. Please note that this suspension does
  not relieve you of your agreed-upon obligation to
  pay any fees you may owe to eBay.
• Regards,
• Safeharbor Department
• eBay, Inc
• The eBay team.
• This is an automatic message. Please do not
  reply.

Source http//en.wikipedia.org/wiki/Phishing
32
Spoofing

• Spoofing
• E-mail sent from someone pretending to be someone
  else is known as spoofing. Spoofing may take
  place in a number of ways. Common to all of them
  is that the actual sender's name and the origin
  of the message are concealed or masked from the
  recipient. Many, if not most, instances of e-mail
  fraud use at least minimal spoofing, as most
  frauds are clearly criminal acts. Criminals
  typically try to avoid easy traceability.

Source http//en.wikipedia.org/wiki/Email_fraud
33
Methods to Steal an Identity

• TCP Spoofing
• Establish a fake session and act to the user like
  the real application the user thought was
  connected.
• Can be done by substituting valid access software
  with hacked software after compromising a host
  or server machine
• DNS Spoofing
• Mentioned previously
• Substitutes a fake IP address for the real one in
  the DNS table
• Typo Squatting (e.g. www.goolge.com)
• Set up a real web site with URL that represents
  common typo. Make site look enough like real one
  and try to get passwords, ID, etc.
• Similar to phishing, but the phish catches
  himself!

34
(No Transcript)
35
Your Goal

• Identify the people who are behind the Spam
• You want NAMES, and Civic Addresses, but be ready
  for the sad reality the chances are very small
  that you will ever find them, but you will bring
  to light all the tools they are using to hide
  their real identity,
• And this is INFORMATION, because this tells you
  that the SPAM is a SCAM, and these people are
  criminals

36
Their Goals

• At the end of the investigation you will discover
  the goals pursued by the spammers
• 1 - Have you send them money (Nigerian scam /
  buy their cloned products / medicine)
• (maybe they will never ship anything, but
  they will get your money)
• 2 Steal your personal information by making
  your believe that you must enter your information
  to win something
• 3 Enroll your computer as a zombie your
  computer is infected by a Trojan when you visit
  their website and is then used to spam other
  people to do 1 or 2

37
What to do at the end of your investigation

• This is explained at the end of this presentation
  (part 5)

38
PART 1

• List of steps to follow
• for a SPAM investigation

39
Typical List of Stepsto investigate a SPAM Case

• 1) You need the email (body) AND the header of
  the email.
• How to see the email header depends on the email
  client you are using
• 2) You divide your research into 2 parts
• - Finding information about the sender (spammer)
• - Finding the information about the target
• (the website where the spammer wants you to go)

40
List of Steps

• 3) For researching Who is the Spammer and for
  researching Who is behind the target web site,
• You follow pretty much the same series of
  steps
• 4) Use nslookup to find the IP address of a
  domain name
• 5) Use the IP address to find who owns this
  address.
• Most of the time you will see that the address is
  in a block of addresses that have been assigned
  to an ISP or to a Web Hosting Company

41
List of Steps

• 6) IPSs have large blocks of addresses,
  typically
• N x 256 X 256
• If it is an ISP, then the spammer has a fixed IP
  address (no need to run DHCP), and it should be
  relatively easy to identify who is leasing this
  IP address
• Google with the IP address, the domain name,
  part of the message

42
List of Steps

• 7) Web Hosting Companies have smaller blocks of
  addresses, typically
• N x 256 X 256 and N 1, 2 or 3
• The WhoIs queries tell you the name of the
  company who owns the block of address

43
List of Steps

• 8) Google for the domain name of the spammer and
  the name of the web hosting company.
• You should find the name of the registrant the
  individual or the company WHO has registered the
  domain name that is attached to that IP address.
• Sometime the name of the registrant is a small
  company that is itself a Registrar, and operates
  as an intermediary (front) between the real
  customer (here, the spammer) and the big
  registrars
• Note that some of these intermediate companies do
  not really check the validity of the information
  provided by the customer fake telephone numbers,
  no civic address, or a postal box, are all OK!

44
Additional Note Registries and Registrars

• A Registry is an organization that assigns IP
  addresses (typically to ISPs)
• There are 5, each for one continent (AFRINIC,
  ARIN, LACNIC, APNIC and RIPE)
• ? See part 2 of this presentation
• ? You use WhoIs to query the registries
• A Registrar is a company that attach a domain
  name to an IP address (www.uml.edu
  129.63.176.200)
• Read on the web to learn more about Registries
  and a Registrars

45
List of Steps

• Google then for the missing information, use
  anything you already know
• Track the names of the small fish
• The telephone numbers (sometimes the company is
  officially I one country and the tel.no in
  another country)
• Parts of the body of the message

46
PART 2

• Understanding how the Registries work

47
Every computer needs an IP address to be
accessible from other hosts on the Internet

• An IP address is a unique identifier of a
  computer
• You buy an IP address from your ISP, and your ISP
  buys blocks of addresses from a Registry
• There are 5 Registries managing each one region
  of the world

48
The search is based on the IP address
49
When should you use the information maintained by
registries?

• Every time you want to know more about a website,
  especially when you suspect that the site is a
  rogue web site
• e.g. you have received an un-solicited email
  asking you to go a web site you have never heard
  of before

50
(No Transcript)
51
When you want to know who owns a websiteyou
query the databases of these Registries
52
Enter the IP address

• The databases of these registries are based on
  the IP addresses that they have assigned
• If you do not know the IP Address of a domain,
  first you need to run nslookup

53
Registries maintain Databases that can be
searched usinga web browser

• The search box is always on the home page of the
  Registry

54
AFRINIC

• http//www.afrinic.net/

AfriNIC is a non-government, not-for-profit,
membership based organization, based in Mauritius
that serves the African Internet Community.
AfriNIC is the Regional Registry for Internet
Number Resources for Africa. Membership is open
to anybody.
55
APNIC
http//www.apnic.net/

• The Asia-Pacific Network Information Centre
• maintains the public Whois Database for the Asia
  Pacific region

Headquarters in Brisbane, Australia
The Whois search box is in the upper right corner
56
ARIN

• American Registry for Internet Numbers
• is the Regional Internet Registry (RIR) for
  Canada, many Caribbean and North Atlantic
  islands, and the United States.
• ARIN manages the distribution of Internet number
  resources.
• Headquarters in Fairfax County (VA), USA.

https//www.arin.net/
The Whois Search Box is in the right upper corner
57
LACNIC

• The Latin America and Caribbean Network
  Information Centre is the Regional Internet
  Registry for the Latin American and Caribbean
  regions.
• LACNIC provides number resource allocation and
  registration services that support the global
  operation of the Internet. It is a
  not-for-profit, membership-based organization
  whose members include Internet Service Providers,
  and similar organizations.

http//www.lacnic.net/en/
Headquarters in Montevideo, Uruguay
The Whois Search Box is in the right upper corner
58
RIPE
Regional Internet Registry for Europe, the Middle
East and parts of Central Asia. Headquarters in
Amsterdam, the Netherlands.

• http//www.ripe.net/
• Enter the IP address in the data base
  search box
• (in the middle of the page, on the right)

This is different search box from the search
engine that searches the RIPE web site
59
Five Registries?

• When you want to know who owns an IP address,
• - You clearly do not know where in the world is
  this IP Address
• - You do not know which of these 5 registries
  you should search
• OK, just get IP2C a portable freeware tool that
  will query the 5 registries for you using a nice
  GUI
• http//web.newsguy.com/lmgava/code/Download.php?a
  ip2cfip2c_1.0.12.zip
• Unzip, run, enter the IP address

60
Additional Resources

• WhoIs for TLD .ru
• http//whois7.ru (Russia Region - English)
• http//whois.twnic.net for Taiwan
• One website listing the blacklisted website
• http//www.joewein.de/sw/dbl-update/2011-03-28.htm
  

61
Additional WhoIs Resources
62
PART 3

• Searching the registrars
• Input IP address / Domain Name

63
Information on who has registered a domain

• http//whois.domaintools.com
• Example
• http//whois.domaintools.com/businessdevelopmentre
  gistry.com

64
PART 4

• SCAM / SPAM tracking Forums

65
The Spam Fighters

• http//www.joewein.de/sw/dbl-update/
• SPAMCOP
• http//en.wikipedia.org/wiki/SpamCop
• http//www.spamcop.net/
• The SPAMHAUS Project
• http//en.wikipedia.org/wiki/Spamhaus
• http//www.spamhaus.org/

66
SPAM TRACKERS

• http//rbls.org/
• Lists where a website is black listed
• List the Domains related with a specific domain
• http//dnstree.com/
• Offers many services
• http//www.robtex.com/

67
SPAM TRACKERS

• http//www.scamomatic.com/
• For the Lottery-type scam
• http//www.419scam.org/

68
List of Web Tools

• http//www.dmoz.org/Computers/Internet/Protocols/D
  NS/Web_Tools/
• TRACK web sites infected with malware
• http//support.clean-mx.de/clean-mx/viruses.php
• http//malwaredomainlist.com

69
Read More

• http//scamoftheday.com/
• http//www.419scam.org/

70
Also Research the Telephone Numbers

• http//www.callwiki.com
• http//www.numberinvestigator.com/phone

71
PART 5

• You are now at the end of your investigation.
  Probably you cannot put a name of the email
  address that sent that spam email, but you now
  have a clear understanding that these people are
  criminals trying to steal money, identity and
  computing resources of innocent people!
• What can you do next? ?

72
How to Report SPAM

• Report SPAM to
• The Spammers ISP
• Forums that track spam
• http//email.about.com/od/spamandgettingridofit/a/
  report_spam.htm

73
Happy WhoIsing !
74
Appendix - 1

• When you read the email header, you should know
  the following
• Bigfish, Forefront and Postini are software
  applications used to filter spam emails
• They sometimes run on a different machine (not
  the email server this explains address such as
  10.xx)

75
Reference

•  http//email.about.com/cs/spamgeneral/a/spam_head
  ers.htm
• http//email.about.com/od/spamandgettingridofit/a/
  report_spam.htm