Cyber Crime - PowerPoint PPT Presentation

Presentation Transcript

  1. Cyber Crime • Special Thanks to • Special Agent Martin McBride for sharing most of this information in his talk at Siena last semester

  2. Criminal Activity Today has shifted to the Internet

  3. Canadian Lottery Scam • A call from Canada: • You’ve won the Canadian Lotto • We’ll protect your winnings from US capital gains taxes (i.e., Canadian Bank) • Just pay the Canadian Lotto tax 0.5% and we’ll set everything up • You say: • You mean I just have to pay you $5000 and you’ll put $1,000,000 in my own Canadian Bank Account. Sounds great!

  4. Canadian Lottery Scam • It’s estimated that over $10,000,000 has been scammed off people in just the US. • The scammers are so sophisticated that they get Direct Mailing/Marketing Lists and target specific demographics (homeowners over 65). • http://www.experian.com/products/listlink_express.html • Thank you Experian!

  5. Canadian Lottery Scam • The scammers use cloned cell phones • Checks sent to “Mailboxes Etc.” • set up using a stolen identity • The FBI and RCMP have developed counter-measures • Thus, the Scammers have retreated to the Internet, where they have greater reach and less risk.

  6. Criminal Activity Today • Phishing • Nigerian Letters Fraud • Internet Sales Fraud • Carding • Intrusions • Viruses & Worms

  7. Criminal Activity Today-continued- • Distributed Denial of Service (DDOS) • Spam Attack/DDOS • Intellectual Property Theft • Sabotage

  8. Phishing • uses spam, spoofed e-mails and fraudulent websites to • deceive consumers into disclosing credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information • by hijacking the trusted brands of well-known banks, online retailers and credit card companies

  9. Sample phishing e-mail (text as rendered): We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you now be taken through a verification process. Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause. Please click here [link target: http://verify.paypal.com.auth23.net:4180/us/cgi-bin/webscr.cmd=_verification-run/verify.html] and fill in the correct information to verify your identity. NOTE: Failure to complete the verification process or providing wrong information will lead to account suspension or even termination.
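The "click here" link in that message points at a host that merely contains the PayPal name. The following added example (written for this page, not code from the slides) pulls the links out of an HTML e-mail body and flags ones whose registered domain is not the brand's; the two-label domain check is a simplification that is noted in the code.

```python
# Added example (not from the slides): extract every link from a phishing
# e-mail's HTML and check whether the link's host really belongs to the brand.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The link from the slide's PayPal phish, constructed here as the sample input.
PHISH_HTML = ('Please <A href="http://verify.paypal.com.auth23.net:4180/us/cgi-bin/'
              'webscr.cmd=_verification-run/verify.html"><FONT color=#0033cc>'
              'click here</FONT></A> and fill in the correct information.')

class LinkCollector(HTMLParser):
    """Collect each <a> target together with its visible (clickable) text."""
    def __init__(self):
        super().__init__()
        self.links = []        # [href, visible text] per anchor
        self._in_anchor = False
    def handle_starttag(self, tag, attrs):
        if tag == "a":        # HTMLParser lower-cases tag and attribute names
            self.links.append([dict(attrs).get("href", ""), ""])
            self._in_anchor = True
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False
    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

def registered_domain(host):
    """Last two labels: the part a registrant actually owns. Adequate for .com
    and .net; production code should consult the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_links(html, brand_domain):
    """Return (host, text, verdict) per link. 'lookalike' means the brand name
    appears in the host name but someone else owns the registered domain."""
    parser = LinkCollector()
    parser.feed(html)
    brand = brand_domain.split(".")[0]
    out = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if registered_domain(host) == brand_domain:
            verdict = "legitimate"
        elif brand in host:
            verdict = "lookalike"
        else:
            verdict = "other"
        out.append((host, text.strip(), verdict))
    return out
```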

  10. Nigerian Letter Fraud • Claiming to be • Nigerian officials, • business people or • the surviving spouses of former government honchos, • con artists offer to transfer millions of dollars into your bank account in exchange for a small fee.

  11. Nigerian Letter Fraud • If you respond, you may receive "official looking" documents. • Typically, you're then asked to • provide blank letterhead and • your bank account numbers, • as well as some money to cover transaction and transfer costs and attorney's fees.

  12. Nigerian Letter Fraud • You may even be encouraged to travel to Nigeria or a border country to complete the transaction. • Sometimes, the fraudsters will produce trunks of dyed or stamped money to verify their claims. • Inevitably, though, emergencies come up, requiring more of your money and delaying the "transfer" of funds to your account; • in the end, there aren't any profits for you to share, and the scam artist has vanished with your money.

  13. Internet Sales Fraud • Overpayment scheme (E-bay) • A buyer accidentally overpays you • $1000 check rather than $100 check • Buyer says, “My mistake but you owe me $900 if you cash that check.” • Buyer says, “Dude man! I need that $900 bucks, since this was my mistake, if you wire me $800 bucks, the check is yours.” • You get an additional $100 for your trouble, cool!

  14. Internet Sales Fraud • Did you know that if you deposit a check worth $10,000 or more at HSBC it can take over 5 business days for it to clear or to realize it’s fraud. • A week gives a scammer a long time to put pressure on you to return the overpayment. • Perhaps the overpayment is $9000. • Guess what? If you send a wire transfer or a money order out of your account, your account balance is immediately reduced (instantaneous at the time the order or wire is entered into their system). • Thank you HSBC for making it easy to scam me!

  15. Internet Sales Fraud • Alexey Ivanov and others • auctioned non-existent items on eBay • bid on own items using stolen credit cards • as high bidder, paid himself through Paypal

  16. Carding • “Carding” is the illegal use of credit card numbers. Carders: • Acquire valid credit card numbers (not their own) • Use them to make purchases • Sell them to others • Trade them over the Internet

  17. Carding • Maxus, a Russian, stole 300,000 credit card numbers from CDUniverse.com • Maxus’ scheme was broken into 4 basic parts: • Wholesaling Cards — Cards were distributed to trusted partners, mainly in lots of 1,000, for $1 each. • Re-selling Cards — Cards were then sold by Maxus' partners. These "re-sellers" sold card numbers mainly in blocks of 50. The price to the "end consumer" was around $500. • Pure Liquidation — Maxus set himself up as an online retailer, and used the stolen numbers as if they belonged to his customers • End Users — Individuals would use the cards bought from Maxus to conduct their own fraud.

  18. Intrusions • Unauthorized access into a computer • Different types of intruders • Hackers – create code to exploit vulnerabilities • Script-kiddies – use code readily available over the Internet to exploit vulnerabilities • Insiders - former employees whose accounts were not disabled upon termination

  19. Intrusions • Example • Bob leaves Experian for Equifax • Equifax is a competitor to Experian • Bob uses same password at Equifax that he had used while at Experian • Equifax has to crack Bob’s password because no one can get into his account to retrieve the work he left behind • Experian decides to try Bob’s password on Equifax’s e-mail system • It worked! • Experian attempts to steal customers from Equifax by intercepting e-mail sent to Bob’s account at Equifax.

  20. Viruses, Worms, & Trojans • Viruses are computer code written to degrade the health of a computer or computer network • Worms are viruses that are written such that they can spread themselves to other computers • Trojans are viruses that remain dormant or hidden until a certain action is taken or a specified period of time has elapsed

  21. Denial of Service (DOS) • An attack in which a large network of compromised computers is used to attack a target computer • Examples • Mafiaboy - Feb 2000 • Yahoo!, eBay, CNN.com, eTrade, and others • DDOS attack against 9 of 13 root servers – Oct 2002

  22. Intellectual Property Theft • The unauthorized acquisition and/or distribution of proprietary computer software or data files

  23. Intellectual Property Theft • Example • Online warez pirates • Buy or steal copies of software programs such as video games or operating systems • Illegally share the programs through FTP servers located throughout the world • Hundreds and perhaps thousands of organized groups exist • Many groups contain hundreds of members

  24. Sabotage • Deliberate destruction of the functionality of a computer or computer network

  25. Insiders • Greatest threat to computer networks • Know the system • Have access via user accounts • Security lapses • Easy-to-guess passwords • Share accounts/passwords • Hostile terminations/revenge

  26. Criminal Cyber Crime Techniques • Casing the establishment • Footprinting • Scanning • Enumeration (Source: Hacking Exposed, Second Edition)

  27. Casing the Establishment • Footprinting • Locate a potential target • Learn everything about target network • Map the network • Domain names in use • Routable IP address range • Services running and versions used • Firewalls and Intrusion Detection Systems (Source: Hacking Exposed, Second Edition)

  28. Casing the Establishment • Scanning • Turning door knobs and seeing if windows are locked • Search for vulnerabilities • Ping sweep • Determine what systems are up and running • Trace route • Port scan • ID operating system • ID applications running • Cheops (does it all) (Source: Hacking Exposed, Second Edition)

  29. Casing the Establishment • Enumeration • Open the door and look inside (cross the line) • Active connection to target is established to • ID valid user accounts • ID poorly protected resource shares • Social Engineering • Gain access to inside human resources • “Dumpster diving” – go through the trash (Source: Hacking Exposed, Second Edition)

  30. Hacking the Target • Directly connect to shared resources • Use that access to dig deeper • Install backdoors/Trojans • Crack passwords for administrator accounts • Dictionary and Brute Force • L0phtcrack • John the Ripper • Crack (Source: Hacking Exposed, Second Edition)

  31. Hacking the Target • Privilege escalation • When you have password for non-admin account • Use Trojans to give yourself an admin account • e.g. change Dir command so that it adds new user • Install and run sniffers • Keystroke loggers (Source: Hacking Exposed, Second Edition)

  32. Hiding the Trail • Proxy Servers • Make Web queries on behalf of inquiring computer • Query traces to proxy rather than point of origin • Anonymizers • E-mail spoofing • IP spoofing

  33. [Diagram: Bad Guy → Proxy 1 → Proxy 2 → Destination; a query traced back from the destination leads only to the last proxy, not to the bad guy.]

  34. Cyber Crime Investigations Big Brother is Watching

  35. Following the Trail • Server logs • E-mail headers • Whois databases • Human resources

  36. Critical Concept • Internet Protocol (IP) addressing • Every computer connected to the Internet has a unique IP address assigned while it is connected • #.#.#.# (e.g. 192.168.1.100) • Each # is 0 to 255 • 256 possibilities = 2^8 (binary math) • 255 = 1111 1111

  37. Critical Concept • Static addresses • Like telephone numbers • Don’t change • Easy to find day after day • Dynamic addresses • Different each time you connect • Difficult to find from one use to the next

  38. Server Logs • Domain Controllers • Access logs • Web Servers • FTP Servers • E-mail Servers

  39. Tracking via Server Logs (web server access log, one request per line)
192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627
192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020
192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426
192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721
192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102
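An investigator reads lines like these as a timeline: who, when, and what each request did. The added example below (written for this page, not code from the slides) parses the five Common Log Format entries above and reconstructs the client's webmail session; the mapping of sqwebmail query parameters to actions (readmsg, newmsg with reply) is an assumption based only on the parameter names visible in the log.

```python
# Added example (not from the slides): parse the Common Log Format lines above and
# rebuild, in order, what the client at 192.168.50.165 did in the webmail session.
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# client ident user [timestamp] "method path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)$')
MAILBOX = re.compile(r"/login/([^/]+?)\.authvchkpw/")   # sqwebmail login path

# The five entries from the slide, constructed here as sample input.
LOG_LINES = [
    '192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627',
    '192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020',
    '192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426',
    '192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721',
    '192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102',
]

def parse_clf(line):
    """Return the CLF fields as a dict, or None when the line is not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status),
            "size": 0 if size == "-" else int(size)}

def describe(entry):
    """Map a sqwebmail request to the action it represents (assumed from the
    query parameter names: form=readmsg reads, form=newmsg&reply=1 replies)."""
    url = urlsplit(entry["path"])
    box = MAILBOX.search(url.path)
    who = box.group(1) if box else "?"
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    if entry["method"] == "POST":
        return f"{who}: POST (form submitted, status {entry['status']})"
    if q.get("form") == "readmsg":
        return f"{who}: read message #{q.get('pos')} in {q.get('folder')}"
    if q.get("form") == "newmsg" and q.get("reply"):
        return f"{who}: opened reply to message #{q.get('pos')}"
    return f"{who}: {entry['method']} {url.path}"

def timeline(lines, client_ip):
    """Chronological (HH:MM:SS, action) pairs for one client; bad lines are skipped."""
    hits = [e for e in map(parse_clf, lines) if e and e["ip"] == client_ip]
    hits.sort(key=lambda e: e["time"])
    return [(e["time"].strftime("%H:%M:%S"), describe(e)) for e in hits]
```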

  41. E-mail Headers • Normal Headers • To:, From:, Date:, and Subj: • Full Headers • Record of path an e-mail takes from its origin to its destination

  42. Full Headers (sample message)
Return-Path: <ebreimer@siena.edu>
Delivered-To: mmcbride@leo.gov
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101]) by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost [127.0.0.1]) by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641 for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61 via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126]) by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Radio Interview
Date: Thu, 15 Apr 2004 14:01:35 -0400
Message-ID: <8DEC59405C543C4D88AF28B7AAB0F87302A47CC4@EXCHANGE2.siena.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Radio Interview
Thread-Index: AcQjE7E0Ke2vVSlaR5mlEdbMSjmvMw==
From: "Breimer, Eric" <ebreimer@siena.edu>
To: <mmcbride@leo.gov>
Cc: <grimmcom@nycap.rr.com>
X-UIDL: 'B?!!L^)#!ce^"!Hf_"!

  43. E-mail Headers (excerpt: the hops from the sender's site into leo.gov)
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126]) by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
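Slides 41 to 43 make the point that the Received: lines record the path a message took; each server prepends its own line, so the bottom one is the first hop and the top one is the last. The added example below (written for this page, not code from the slides) parses the sample message's headers with the standard library and lists the hops in the order the mail actually travelled; the regular expression for "from X (Y [ip]) by Z" is a simplification that covers the formats seen in this sample.

```python
# Added example (not from the slides): rebuild the delivery path of a message
# from its Received: headers, oldest hop first.
import re
from email import message_from_string

# Headers from the slide's sample message, constructed here as the input
# (the six Received: lines plus a few envelope fields; body omitted).
RAW_HEADERS = """\
Return-Path: <ebreimer@siena.edu>
Delivered-To: mmcbride@leo.gov
Received: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101]) by mail.leo.gov (Postfix) with ESMTP id AADAA26E4B for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dell61 (localhost [127.0.0.1]) by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641 for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)
Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61 via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400
Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126]) by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AF for <mmcbride@leo.gov>; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)
Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400
Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400
From: "Breimer, Eric" <ebreimer@siena.edu>
To: <mmcbride@leo.gov>
Subject: Radio Interview

"""

# "from <host> (<comment>) by <host>"; the comment usually carries the peer's IP.
HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.IGNORECASE)

def parse_hop(received):
    """Return (from_host, from_ip, by_host, timestamp) for one Received: value."""
    m = HOP.search(received)
    if not m:
        return None
    from_host, comment, by_host = m.groups()
    ip = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", (comment or "") + " " + from_host)
    stamp = received.rsplit(";", 1)[1].strip() if ";" in received else ""
    return (from_host.strip("[]"), ip.group(1) if ip else None, by_host, stamp)

def delivery_path(raw):
    """Hops in travel order: the Received: header that appears last in the
    message was added first, so the parsed list is reversed."""
    msg = message_from_string(raw)
    hops = [parse_hop(r) for r in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]

def origin(raw):
    """The earliest hop: where the message entered the chain of servers."""
    path = delivery_path(raw)
    return path[0] if path else None
```

Only the hops added by servers you trust are reliable; a sender controls everything below the first hop it did not write, so an investigator works downward from the recipient's own servers.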

  44. Whois Databases • Contain registration information for the Domain Name System and IP addresses • Examples • www.dnsstuff.com • www.arin.net • www.samspade.org • www.networksolutions.com