What is cybercrime? Running a cybercrime syndicate Cybercrime attacks Countermeasures Organization profiles
“The degree of overlap between [organized crime and cybercrime] is likely to increase considerably in the next few years. This is something that needs to be recognized by business and government as an emerging and very serious threat to cyber-security.”
Cybercrime is…? “offenses ranging from criminal activity against
data to content and copyright infringement” (Council of Europe’s CC Treaty)
United Nations refers to acts of fraud, forgery and unauthorized access
“…unlawful acts wherein the computer is either a tool or a target or both.”.
The Internet encourages anonymity and is distributed in nature
Many countries have very few laws addressing cybercrime Love Bug Virus VB script that spread via email and
corrupted many different file types FBI traced the virus to the Philippines
The increasing growth of e-commerce
22.3% increase in # from 2008211% increase in financial loss Median dollar loss: $575 Crimes with no documented loss or harm are not included
Top 5 categories:Non-delivered merchandise: 19.9%Identity Theft: 14.1%Credit Card Fraud: 10.4%Auction Fraud: 10.3%Computer Fraud: 7.9%
UNORGANIZED ORGANIZED Usually the work of an
individual Decentralized Smaller resource base Hit and run
mentality/opportunistic
Centralized group of criminals
Many based in “hostile” nation
Extensive access to resources/business connections
Extended operations
Hackers discover vulnerabilities and sell to the highest bidder
Crimeware suites created and sold to less technically inclined users
Crimeware-as-a-service mentality Data supplier model Pricing profiles introduced
Credits cards = cheap Healthcare info/single logins for organizations = expensive
Cybercrime economy mirrors actual economy
Organized crime closely mimics the actual economy Regionally-specific & enterprise-specific
campaign Each attack campaign gathered centrally to
sell Campaigns managed remotely from these
central servers Data and asset management is just as
essential as in traditional business
(1) Boss deploys malicious code package
(2) Campaign managers retrieve package and customized as needed
(3) Malicious network used to inject package into legitimate sites. Commission-based
(4) Injected code served to users (5) Toolkit affects individual users (6) Infection data sent back to central
location (7) PII flows back to boss
Example of crimeware toolkit that originates from Eastern Europe, primarily Russia and the Ukraine
Utilizes three major components and powerful encryption: ZueS trojan ZueS config file Specifcation of dropsite
Config file defines subset of targets ZueS collects session variables
during sessions Bypasses auth. Mechanisms and piggybacks
session Criminals are able to move money to third
parties in real-time ZueS Builder provides binary files for
constructing a botnet
How simple is it? Number of new ZeuS binaries in the past
month: 18,985 Number of new ZeuS binaries seen in the
past week: 4,582 Number of new ZeuS binaries seen in one
day: 977
Trend Report ZeuS Video
Consider: Hardware and software keeps getting
cheaper Combine the Internet and a global scope,
the the potential for attacks is limitless Security will always be breached Even when laws are passed to increase
technological safeguards, new technology will always outstrip legislation
I3C Accepts complaints, investigates, and/or redirects
to appropriate law enforcement Joint operations with other agencies Publishes cyber-security information
IT Act(2000) Attempt to define various electronic specifications:
Digital Signatures Use/Retention of electronic records Security Certification Authorities Offenses
http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf
http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
http://www.legalserviceindia.com/cyber/itact.html http://www.symantec.com/norton/cybercrime/
definition.jsp http://www.securityworld.com/ia-420-love-bug-
virus.aspx http://www.finjan.com/Content.aspx?id=827