
How to Investigate


Presentation Transcript


  1. How to Investigate SPAM

  2. “WhoIs” behind the scam? Who are the individuals who own that Web Site … ?

  3. Introduction The cost of spam This section from http://www.cs.uml.edu/~pkrolak/91-113/DarkSideOfInternet.ppt

  4. Spam Spam is electronic junk mail that clogs our internet like the fatty canned meat of the same name clogs our arteries. Communication lines back up at an alarming rate, storage is gobbled up, servers and processors thrash, and users are irritated at best and incapacitated at worst. Spam costs the ISPs and others a fortune to prevent and/or to remove. At its worst, spam is used by scammers, hackers, and others to market to and prey on literally millions of users at a very low cost. Source: http://www.unt.edu/benchmarks/archives/2005/february05/spamandcookiescolor.gif

  5. Spam • What is Spam? Junk email – unwanted, resource robbing, and often containing viruses, worms, and scams. • Why is it an increasing problem? Spam is the fastest growing component of messages on the Internet; it consumes bandwidth and storage, and angers the user. ISPs and some consumer groups are attempting to shut down the worst offenders. Spam as harassment. Spam as DoS (Denial of Service) attack. Spam as Phishing (an attempt to obtain a person’s ID, password, etc., by pretending to be a legitimate request). • What can be done about it? (Discussion questions) • Closing down ISPs that permit email relaying (Is this too draconian?). • Apply filters and tools to remove it (Can they be by-passed?). • Lobby for federal legislation to create civil and criminal penalties for those who send Spam (Does this interfere with free speech?). • A recently passed law to prosecute commercial spammers (When is Internet advertising legitimate and when is it Spam?).

  6. Why Estimate the Cost of Spam? • Important for policy reasons to know severity of problem – helps in assigning priority to issue; • To determine which economic actors have to bear costs – also important in focusing on solutions; • Spam imposes negative externality on society (similar to pollution in the manufacturing economy): economic damage and cost borne by third parties resulting in an overall loss of welfare for society; • If costs of spam are unacceptable then have to put in place mechanisms to change behavior of producers of spam; • Provides metric to “let the punishment fit the crime.” • Market itself does not provide mechanism to correct for costs inflicted by spam. If economic solutions are used to combat spam, cost data can help determine prices applied to reduce or eliminate spam; http://www.oecd.org/dataoecd/47/5/26618988.pdf

  7. Spam Impact on Consumers • E-mail has value to recipient which varies with the content and should at least equal processing cost; • Each e-mail entails the same receiving/processing cost for consumer. For spam the value of the e-mail content is negative and to this must be added the processing cost; • If the amount of spam received is extremely high it could conceivably outweigh the positive value of receiving e-mail; • Costs to consumers for processing mail are declining as consumers switch to broadband from dial-up (where time based Internet access charges exist) and because of quicker download times; • But increase in volume of spam is likely to result in net increase in costs – if you can go fast but you produce crap, all you get is more crap; http://www.oecd.org/dataoecd/47/5/26618988.pdf

  8. Overall Cost: Some Estimates • Reduced use of an efficient and cheap means of communications among economic actors – slows down growth of e-commerce and development of the digital economy. Total economic impact of spam – estimates vary: • Global cost “conservatively” estimated at €10 Billion (European Commission Study 2001); • Ferris Research (Jan. 2003) estimated that spam cost US companies $8.9 billion in 2002. The same study estimated the cost of spam in Europe as US$2.5 billion. • UNCTAD (2003): $20 billion; • Cost to Hong Kong economy $1.3 billion (HKISPA 2004); • $2 - $20 Billion per year and growing. http://www.oecd.org/dataoecd/47/5/26618988.pdf

  9. CAN SPAM Law of 2003 CAN-SPAM Act of 2003 (Pub. L. 108-187, S. 877) • The Controlling the Assault of Non-Solicited Pornography and Marketing Act requires unsolicited commercial e-mail messages to be labeled (though not by a standard method) and to include opt-out instructions and the sender's physical address. It prohibits the use of deceptive subject lines and false headers in such messages. The FTC is authorized (but not required) to establish a "do-not-email" registry. State laws that require labels on unsolicited commercial e-mail or prohibit such messages entirely are pre-empted, although provisions merely addressing falsity and deception would remain in place. The CAN-SPAM Act took effect on January 1, 2004.

  10. Crimes of Persuasion Crimes of persuasion are scams that appeal to people’s greed, goodwill, or other emotions so that the victim provides the access to and assistance with the information, money or other resources that the criminal is after. In other words – A Con Game

  11. Internet Scams

  12. Internet Scams • Scams over the Internet, unlike fraud and similar crimes offline, can be difficult to detect, prosecute, and prevent – and easy to perpetrate. • Email can be used to reach 250 million people with a simple program and a CD-ROM of email addresses. • Example - The African businessman who offers to split a large sum of money (like $20M) if he can only electronically wire it to your checking account. He also requires a (small) fee ($250) wired to his account to bribe fellow countrymen. Your fee, and then the contents of your bank account, promptly vanish. • See: http://www.cnn.com/2000/TECH/computing/10/31/ftc.web.scams/

  13. Internet Pyramid schemes What is a Pyramid Scheme? • Pyramid schemes, also referred to as "chain referral", "binary compensation" or "matrix marketing" schemes, are marketing and investment frauds which reward participants for inducing other people to join the program. Ponzi schemes, by contrast, operate strictly by paying earlier investors with money deposited by later investors without the emphasis on recruitment or awareness of participation structure. • Pyramid schemes focus on the exchange of money and recruitment. At the heart of each pyramid scheme there is typically a representation that new participants can recoup their original investments by inducing two or more prospects to make the same investment. • For each person you bring in you are promised future monetary rewards or bonuses based on your advancement up the structure. Over time, the hierarchy of participants resembles a pyramid as newer, larger layers of participants join the established structure at the bottom. Source: http://www.crimes-of-persuasion.com/Crimes/Delivered/pyramids.htm

  14. Internet Pyramid schemes (more) • They say you will have to do "little or no work because the people below you will". You should be aware that the actual business of sales and supervision is hard work. So if everyone is doing little or no work, how successful can a venture be? Too good to be true! • The marketing of a product or service, if done at all, is only of secondary importance in an attempt to evade prosecution or to provide a corporate substance. Often there is not even an established market for the products so the "sale" of such merchandise, newsletters or services is used as a front for transactions which occur only among and between the operation's distributors. • Therefore, your earning potential depends primarily on how many people you sign up, not how much merchandise is sold. • When the Pyramid gets too big, the whole scheme collapses and the people who lose are the people at the bottom.

  15. Internet Pyramid schemes (more) • Pyramid schemes are not the same as Ponzi schemes which operate under false pretences about how your money is being invested and normally benefit only a central company or person along with possibly a few early participants who become unwitting shills. • Pyramid schemes involve a hierarchy of investors who participate in the growth of the structure with profits distributed according to one's position within the promotional hierarchy based on active recruitment of additional participants. • Both are fraudulent, because they induce an investment with no intention of using the funds as stated to the investor.

  16. Email Fraud Fraud has existed perhaps as long as, or longer than, money. Any new sociological change can engender new forms of fraud, or other crime. Source: http://en.wikipedia.org/wiki/Email_fraud

  17. Email Fraud • Almost as soon as e-mail became widely used, it began to be used to defraud people via E-mail fraud. • E-mail fraud can take the form of a "con game" or scam. • Confidence tricks tend to exploit the inherent greed and dishonesty of their victims: the prospect of a 'bargain' or 'something for nothing' can be very tempting. • E-mail fraud, as with other 'bunco schemes' relies on naive individuals who put their confidence in get-rich-quick schemes such as 'too good to be true' investments or offers to sell popular items at 'impossibly low' prices. Many people have lost their life savings due to fraud. (Including E-Mail fraud!)

  18. Avoiding e-mail fraud E-mail fraud may be avoided by: • Keeping one's e-mail address as secret as possible, • Ignoring unsolicited e-mails of all types, simply deleting them, • Not giving in to greed, since greed is the element that allows one to be 'hooked', and • If you have been defrauded, reporting it to law enforcement authorities -- many frauds go unreported, due to shame, guilty feelings or embarrassment. Source: http://en.wikipedia.org/wiki/Email_fraud

  19. Identity Theft on the Internet Identity theft involves finding out the user’s personal information and then using it to commit fraud and other crimes.

  20. Identity Theft “But he that filches from me my good name Robs me of that which not enriches him And makes me poor indeed."  - Shakespeare, Othello, Act III. Scene III.

  21. What is Identity Theft? • A Federal crime where someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. • In 2004, almost 250,000 claims of Identity Theft within the US alone (1:1000) • More than $500 million in reported losses Source: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf

  22. Categories of Identity Theft According to the non-profit Identity Theft Resource Center, identity theft is "sub-divided into four categories: • Financial Identity Theft (using another's name and SSN to obtain goods and services), • Criminal Identity Theft (posing as another when apprehended for a crime), • Identity Cloning (using another's information to assume his or her identity in daily life) and • Business/Commercial Identity Theft (using another's business name to obtain credit)." Source: http://en.wikipedia.org/wiki/Identity_theft

  23. Tiger Woods “A man who used Tiger Woods' identity to steal $17,000 worth of goods was sentenced to 200 years-to-life in prison. Anthony Lemar Taylor was convicted of falsely obtaining a driver's license using the name Eldrick T. Woods, Woods' Social Security number and his birth date. Though he looks nothing like golf's best player, the 30-year-old Taylor then used the false identification and credit cards to buy a 70-inch TV, stereos and a used luxury car between August 1998 and August 1999. Judge Michael Virga gave Taylor the maximum sentence under California's three-strikes law...”

  24. Identity Theft by Age Source: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf

  25. Identity Theft • Identity Theft – the acquiring of personal and financial information about a person for criminal purposes. • Your Social Security Number, credit card numbers, and passwords on your machine can be used to gain information about you from the web sources. • Once the information is gained it is used to charge large amounts for plane tickets, etc. • The criminal can also assume your identity for fraud and terrorism. • Some rings communicate data gathered to accomplices in other countries where the fraudulent charges are actually made. • It can take up to 18 months and thousands of dollars to restore your credit. See http://www.newsfactor.com/perl/story/15965.html

  26. The role of private industry and government in identity theft

  27. Techniques for obtaining information Low Tech – Social Engineering • Stealing (snail) mail or rummaging through rubbish (dumpster diving) • Eavesdropping on public transactions to obtain personal data (shoulder surfing) • Obtaining castings of fingers for falsifying fingerprint identification High Tech – Internet Approaches • Stealing personal information from computer databases [Trojan horses, hacking] – including theft of laptops with personal data loaded. • The infiltration of organizations that store large amounts of personal information • Impersonating a trusted organization in an electronic communication (phishing). • Spam (electronic): Some, if not all, spam entices you to respond to alleged contests, enter into "Good Deals", etc. • Browsing social network sites (MySpace, Facebook, Bebo, etc.) for personal details that users have posted publicly. Source: http://en.wikipedia.org/wiki/Identity_theft

  28. What is Pharming? Pharming is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect traffic from that website to another web site. DNS servers are the machines responsible for resolving internet names into their real Internet Protocol (IP) addresses - the "signposts" of the internet (e.g., Good_Stuff.com will translate to an address like 152.145.72.30, i.e. four 8-bit groups (octets) written in decimal in IP version 4 (IPv4), or eight groups of hexadecimal digits in IP version 6 (IPv6)). The Internet has thousands of DNS servers – each one a target for determined hackers.

  29. Phishing What is Phishing? • Using email or web sites that look like authentic corporate communications and web sites to trick people into giving personal and financial information. • The FBI sees this as a fast growing form of fraud that can lead to identity theft. See http://www.crimes-of-persuasion.com/Crimes/Delivered/internet.htm

  30. What is Phishing? phishing (also known as carding and spoofing) n. 1. The act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message). Source: http://en.wikipedia.org/wiki/Phishing

  31. Phishing Example • From: eBay Billing Department <aw-confirm@ebay.com> • To: you@uml.edu • Subject: Important Notification Register for eBay Dear valued customer Need Help? We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated. For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us. Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay. Regards, Safeharbor Department eBay, Inc The eBay team. This is an automatic message. Please do not reply. The "click here" link points to a bogus site that will often infect your computer and attempt to corrupt or steal data from it, or coerce you into divulging private information, when you access it. Source: http://en.wikipedia.org/wiki/Phishing

  32. Spoofing Spoofing • E-mail sent from someone pretending to be someone else is known as spoofing. Spoofing may take place in a number of ways. Common to all of them is that the actual sender's name and the origin of the message are concealed or masked from the recipient. Many, if not most, instances of e-mail fraud use at least minimal spoofing, as most frauds are clearly criminal acts. Criminals typically try to avoid easy traceability. Source: http://en.wikipedia.org/wiki/Email_fraud

  33. Methods to Steal an Identity • TCP Spoofing • Establish a fake session and behave toward the user like the real application the user thinks they are connected to. • Can be done by substituting valid access software with “hacked” software after compromising a host or server machine. • DNS Spoofing • Mentioned previously. • Substitutes a fake IP address for the real one in the DNS table. • Typo Squatting (e.g. www.goolge.com) • Set up a real web site with a URL that represents a common typo. Make the site look enough like the real one and try to get passwords, IDs, etc. • Similar to phishing, but the “phish” catches himself!
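The typo-squatting slide gives www.goolge.com as its example; the check below, added here and not part of the original presentation, is the defender's side of that: it flags a link host that sits one keystroke away from a protected brand domain (the brand list and the naive "last two labels" domain extraction are assumptions for the example).

```python
def osa_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each costs 1, so goolge -> google is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # adjacent transposition ("lg" <-> "gl"), the classic typo
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registered_domain(host):
    """Naive registrable part of a host: the last two labels, with a leading
    'www.' dropped (real code would use the public suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


# Assumed list of domains the organisation wants to protect (example values).
PROTECTED = ["google.com", "ebay.com", "paypal.com"]


def lookalike(host, protected=PROTECTED, max_distance=1):
    """Return the protected domain that `host` imitates, or None.
    Exact matches and genuine subdomains of a protected domain are fine;
    anything within `max_distance` edits of one, without being one, is flagged."""
    host = host.lower().strip(".")
    if any(host == b or host.endswith("." + b) for b in protected):
        return None
    candidate = registered_domain(host)
    best = None
    for brand in protected:
        dist = osa_distance(candidate, brand)
        if 0 < dist <= max_distance and (best is None or dist < best[1]):
            best = (brand, dist)
    return best[0] if best else None
```

Run over the hosts of every link in a suspect message, a hit tells the reader the link was built to be misread, not mistyped.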

  34. Your Goal Identify the people who are behind the spam. You want NAMES and civic addresses, but be ready for the sad reality: the chances are very small that you will ever find them. You will, however, bring to light all the tools they use to hide their real identity, and this is INFORMATION, because it tells you that the SPAM is a SCAM and these people are criminals.

  35. Their Goals At the end of the investigation you will discover the goals pursued by the spammers: #1 - Have you send them money (Nigerian scam / buy their cloned products / medicine) (maybe they will never ship anything, but they will get your money) #2 – Steal your personal information by making you believe that you must enter your information to win something #3 – Enroll your computer as a zombie: your computer is infected by a Trojan when you visit their website and is then used to spam other people to do #1 or #2

  36. What to do at the end of your investigation This is explained at the end of this presentation (part 5)

  37. PART 1 List of steps to follow for a SPAM investigation

  38. Typical List of Steps to investigate a SPAM Case 1) You need the email (body) AND the header of the email. How to see the email header depends on the email client you are using. 2) You divide your research into 2 parts: - Finding information about the sender (the spammer) - Finding information about the target (the website where the spammer wants you to go)

  39. List of Steps 3) For researching “Who is the Spammer” and for researching “Who is behind the target web site”, you follow pretty much the same series of steps. 4) Use “nslookup” to find the IP address of a domain name. 5) Use the IP address to find who owns this address. Most of the time you will see that the address is in a block of addresses that has been assigned to an ISP or to a Web Hosting Company.

  40. List of Steps 6) ISPs have large blocks of addresses, typically N x 256 x 256. If it is an ISP, then the spammer has a fixed IP address (no need to run DHCP), and it should be relatively easy to identify who is leasing this IP address: Google the IP address, the domain name, and parts of the message.

  41. List of Steps 7) Web Hosting Companies have smaller blocks of addresses, typically N x 256 x 256 with N = 1, 2 or 3. The WhoIs queries tell you the name of the company that owns the block of addresses.

  42. List of Steps 8) Google for the domain name of the spammer and the name of the web hosting company. You should find the name of the registrant: the individual or the company WHO has registered the domain name that is attached to that IP address. Sometimes the name of the registrant is a small company that is itself a Registrar, and operates as an intermediary (front) between the real customer (here, the spammer) and the big registrars. Note that some of these intermediate companies do not really check the validity of the information provided by the customer: fake telephone numbers, no civic address, or a postal box are all OK!

  43. Additional Note: Registries and Registrars A Registry is an organization that assigns IP addresses (typically to ISPs). There are 5, one per continent (AFRINIC, ARIN, LACNIC, APNIC and RIPE); see part 2 of this presentation. You use WhoIs to query the registries. A Registrar is a company that attaches a domain name to an IP address (www.uml.edu = 129.63.176.200). Read on the web to learn more about Registries and Registrars.

  44. List of Steps Google then for the missing information, using anything you already know: track the names of the small fish, the telephone numbers (sometimes the company is officially in one country and the telephone number is in another country), and parts of the body of the message.
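Steps 1, 2, 4 and 5 above reduce to a repeatable triage of the raw message: walk the Received chain from the bottom up to the first public address (the sender side), pull the hosts the body asks you to visit (the target side), and note which of them do not belong to the domain the From line claims. This script is an added example, not code from the presentation; the message it parses is constructed from the RFC 5737 documentation address ranges and made-up hostnames, and the nslookup/whois commands are only assembled as strings for the investigator to run next.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample, not a real spam: hosts and IPs are made up from the
# RFC 5737 documentation ranges; From/Subject echo the phishing slide above.
SAMPLE_SPAM = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mail.example.edu with ESMTP id abc123; Mon, 6 Feb 2006 10:00:00 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.edu with ESMTP; Mon, 6 Feb 2006 09:59:58 -0500
Received: from [10.0.0.5] (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Mon, 6 Feb 2006 09:59:50 -0500
From: "eBay Billing Department" <aw-confirm@ebay.com>
To: you@uml.edu
Subject: Important Notification Register for eBay

Dear valued customer, please click http://secure-ebay-login.example/verify
and re-enter your account information, or visit http://203.0.113.99/win now.
"""

# Addresses internal to a sending or relaying network (RFC 1918, loopback,
# link-local): never the spammer's public address, so skip them in the chain.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
HOP_RE = re.compile(r"\([^)]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def received_hops(raw):
    """IPs from the Received chain, oldest hop first (each relay prepends)."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(hdr))
        if m:
            hops.append(m.group(1))
    return hops


def origin_ip(raw):
    """First public address in the chain: the value to feed into whois."""
    return next((ip for ip in received_hops(raw) if not is_internal(ip)), None)


def target_hosts(raw):
    """Hosts the message wants the reader to visit (the 'target' research)."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return sorted({urlsplit(u.rstrip(".,")).hostname for u in URL_RE.findall(body)})


def triage(raw):
    """Step 2 of the slides: split the case into sender and target research."""
    msg = message_from_string(raw, policy=policy.default)
    claimed = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    hosts = target_hosts(raw)
    return {"claimed_domain": claimed, "origin_ip": origin_ip(raw), "targets": hosts,
            # a link outside the claimed sender domain is where the scam lives
            "mismatched": [h for h in hosts
                           if h != claimed and not h.endswith("." + claimed)]}


def next_steps(report):
    """Lookups to run next (steps 4 and 5); built as strings, not executed."""
    cmds = [f"whois {report['origin_ip']}"] if report["origin_ip"] else []
    for h in report["targets"]:
        cmds.append(f"whois {h}" if re.fullmatch(r"[\d.]+", h) else f"nslookup {h}")
    return cmds
```

Only the bottom-most Received lines added by your own or a trusted relay can be trusted; anything below them may have been forged by the sender, which is why the chain is read from the top down until you reach a relay you know.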

  45. PART 2 Understanding how the Registries work

  46. Every computer needs an IP address to be accessible from other hosts on the Internet. An IP address is a unique identifier of a computer. You buy an IP address from your ISP, and your ISP buys blocks of addresses from a Registry. There are 5 Registries, each managing one region of the world.

  47. The search is based on the IP address

  48. When should you use the information maintained by registries? Every time you want to know more about a website, especially when you suspect that the site is a rogue web site, e.g. you have received an unsolicited email asking you to go to a web site you have never heard of before.
