
El auge del cibercrimen / The rise of cyber crime

Presentation by Richard Stiennon, Chief Research Analyst, IT-Harvest. Summer Course (Curso de Verano) CIGTR/URJC 2011.

Page 1: El auge del cibercrimen / The rise of cyber crime

Cyber Crime Prepare for the next wave: Business Process Hacking

Richard Stiennon – Chief Research Analyst, IT-Harvest

Friday, July 1, 2011

Page 2

IT-Harvest 2011

The Rise of Cybercrime

DRIVERS
• Ubiquitous Internet
• New vulnerabilities
• Market for identities
• Success (profits)
• 30 million bots
• Insider recruitment
• Organization

INHIBITORS
• International cooperation (or not)
• Better security

Page 3

Historical Criminal Societies

Page 4

The first wave: the adware economy

Diagram nodes: E-commerce Sites; Hit Stats; Fake “Top Ten”; Brokers; Webrings; Affiliate Web Sites; Software parasites; Worms; Viruses; Spam; Infected Desktops; Adware

Page 5

The Adware economy

Diagram nodes (same diagram, with Popularity Stats in place of the fake “Top Ten”): E-commerce Sites; Hit Stats; Popularity Stats; Brokers; Webrings; Affiliate Web Sites; Software parasites; Worms; Viruses; Spam; Infected Desktops; Adware

Page 6

IP theft as a service in Israel

Page 7

Physical presence: targets “where the money is” (Willie Sutton)
• Sumitomo Mitsui Bank branch

Page 8

Cyber Defense :-) Sumitomo Best Practice

Page 9

Stop&Shop

Page 10

Stop&Shop cyber defense

Page 11

TJX: targeting data repositories
• TJ Maxx, Marshalls
• 45 million credit cards @ $80/card = $3.6 billion in costs!
• Pringle’s can or…?

Page 12

Business Process Hacking
• Step one: identify the business process
• Step two: identify key vulnerabilities and trust relationships: insiders, customers, partners
• Step three: steal something
• Step four: monetization

Page 13

An insider’s perspective
• Major railroad in the US
• Major computer manufacturer in the US

Page 14

Pump and dump
• Break in to an online trading account
• Sell off the owner’s portfolio
• Purchase penny stocks
• Dump the attacker’s own holdings when the stock price jumps
• Leave the account holder with a worthless portfolio
• Canadian attacks thwarted: $11 million frozen in a Lithuanian bank
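The sequence on this slide (liquidate the victim’s holdings, pile the proceeds into a penny stock, dump once it moves) leaves a distinctive trace in a broker’s trade log. The following Python is an added detection example, not code from the talk or from IT-Harvest; the log format, the account names and every threshold (penny-stock price, 24-hour window, 80% re-deployment share, 48-hour clustering window) are assumptions, and the trade lines are constructed sample data.

```python
"""Flag the account-takeover pump-and-dump pattern in a trade log.

Added example (not the speaker's code): log format, thresholds and
account names are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample trade log (not real data):
# timestamp  account  side  symbol  quantity  price
TRADE_LOG = """\
2011-06-28T09:31:00 acct-1001 SELL AAPL 200 330.00
2011-06-28T09:32:10 acct-1001 SELL MSFT 500 24.50
2011-06-28T09:33:45 acct-1001 SELL SPY 300 128.00
2011-06-28T09:40:05 acct-1001 BUY ZZZQ 250000 0.42
2011-06-28T10:15:00 acct-2002 SELL MSFT 50 24.55
2011-06-28T10:16:00 acct-2002 BUY IBM 10 165.00
2011-06-29T14:00:00 acct-3003 SELL GE 100 18.00
2011-06-29T14:05:00 acct-3003 BUY ZZZQ 1000 0.45
"""

PENNY_PRICE = 5.00            # assumed: below this price we call it a penny stock
WINDOW = timedelta(hours=24)  # assumed: sell-off and penny buys must fall within this span
MIN_PROCEEDS = 10_000.0       # assumed: ignore small accounts and noise
MIN_SYMBOLS_SOLD = 2          # assumed: "sell off the portfolio" means several positions
PENNY_SHARE = 0.8             # assumed: >= 80% of sale proceeds go into penny stocks


def parse_log(text):
    """Parse whitespace-separated trade lines into dicts sorted by time."""
    trades = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, side, sym, qty, price = line.split()
        trades.append({
            "ts": datetime.fromisoformat(ts),
            "acct": acct,
            "side": side,
            "sym": sym,
            "price": float(price),
            "notional": int(qty) * float(price),
        })
    trades.sort(key=lambda t: t["ts"])
    return trades


def liquidation_alerts(trades):
    """Per account: a broad sell-off followed, inside WINDOW, by penny-stock
    buys that absorb most of the proceeds. Returns one alert per account."""
    by_acct = defaultdict(list)
    for t in trades:
        by_acct[t["acct"]].append(t)

    alerts = {}
    for acct, rows in by_acct.items():
        for i, buy in enumerate(rows):
            if buy["side"] != "BUY" or buy["price"] >= PENNY_PRICE:
                continue
            start = buy["ts"] - WINDOW
            sells = [r for r in rows[:i] if r["side"] == "SELL" and r["ts"] >= start]
            penny_buys = [r for r in rows[:i + 1]
                          if r["side"] == "BUY" and r["price"] < PENNY_PRICE
                          and r["ts"] >= start]
            proceeds = sum(r["notional"] for r in sells)
            redeployed = sum(r["notional"] for r in penny_buys)
            symbols = {r["sym"] for r in sells}
            if (proceeds >= MIN_PROCEEDS and len(symbols) >= MIN_SYMBOLS_SOLD
                    and redeployed >= PENNY_SHARE * proceeds):
                alerts[acct] = {
                    "proceeds": round(proceeds, 2),
                    "into_penny": round(redeployed, 2),
                    "sold": sorted(symbols),
                    "pumped": sorted({r["sym"] for r in penny_buys}),
                }
    return alerts


def coordinated_targets(trades, window=timedelta(hours=48), min_accounts=2):
    """Penny-stock symbols bought by several different accounts inside `window`:
    the stock being pumped across a set of compromised accounts."""
    buys = defaultdict(list)
    for t in trades:
        if t["side"] == "BUY" and t["price"] < PENNY_PRICE:
            buys[t["sym"]].append(t)
    targets = {}
    for sym, rows in buys.items():
        for i, first in enumerate(rows):
            accts = {r["acct"] for r in rows[i:] if r["ts"] - first["ts"] <= window}
            if len(accts) >= min_accounts:
                targets[sym] = sorted(accts)
                break
    return targets


if __name__ == "__main__":
    trades = parse_log(TRADE_LOG)
    for acct, info in liquidation_alerts(trades).items():
        print(f"ALERT {acct}: sold {info['sold']} for ${info['proceeds']:,.2f}, "
              f"${info['into_penny']:,.2f} into {info['pumped']}")
    for sym, accts in coordinated_targets(trades).items():
        print(f"COORDINATED {sym}: bought by {accts}")
```

The per-account rule catches the single takeover (acct-1001 sells three positions and puts 90% of the proceeds into one sub-dollar symbol within ten minutes, while acct-3003’s small GE sale falls under the noise floor). The second function is what ties separate takeovers into one scheme: unrelated accounts buying the same illiquid symbol inside a short span is the attacker’s fingerprint, and the symbol it returns is the one whose price spike the attacker will sell into.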

Page 15

E-ticketing fraud
• Indian railway reservations. Scalpers use software to corner the market for tickets and resell them at a mark-up.
• Concert tickets. Scammers snipe tickets when they go on sale, using elaborate hacks to avoid fraud-detection schemes, and resell them immediately on sites such as StubHub.com or TicketsNow.com ($1,000).
• Even better: scammers buy seats and block others from getting seats.

Page 16

Carbon credits
• 2010: phishing attack against dozens of companies. Seven out of 2,000 German companies fell for it; carbon credits were transferred to two accounts owned by the attackers; $4 million stolen.
• 2011: 1.6 million carbon credits stolen from the Romanian branch of the Swiss cement company Holcim; $36 million.

Page 17

Vulnerable business processes
• Treasury functions
• Logistics
• Payroll
• Trading platforms for energy, natural resources, commodities, securities
• Voting platforms
• Gaming sites
• Foreign exchange
• “Deal rooms”
• Central banks

Page 18

Beyond theft
• Commerce relies on trust. Break that trust and commerce fails.

Page 19

[email protected]/stiennon