Spam and Transnational Crime
KnujOn: A new initiative to fight email-borne security threats
International HTCIA 8/2007 Knujon LLC 2007© 2
Who we are
Garth Bruen – the KnujOn Project
• Northeastern University, Software Engineering Certificate
• Suffolk University, Masters in Public Administration
• Northeastern University, B.S. Criminal Justice
Dr. Robert Bruen – Coldrain Technologies
• Harvard University, ALM History of Science
• Boston College, Ph.D. Higher Education Administration
• Boston University, M.S. Computer Information Systems
• Northeastern University, B.A. Philosophy and Religion
What I Want You To Leave Believing
KnujOn is dedicated to technology fraud prevention. However…..
1. The Spam problem is about more than the email
2. Solutions to spam cannot rely solely on technology
3. Filtering and deleting spam makes the issue worse
4. Spam is not an impossible problem to solve
Questions as a starting point
•What drives spam?
•What and Who enables the spammers?
•Who profits from it (beyond the spammers)?
•How do we all suffer from spammers?
•What tools are currently available to prevent spam?
•Of those tools, what is working and what isn't?
•Where are the failures and breakpoints?
•Where can our efforts be maximized?
What has KnujOn accomplished so far?
• 2 years in Beta testing
• 32,201 site suspensions
• Reduction in spam traffic to many of our clients
• Processing 20 – 30 thousand emails per day
• Weekly status reports to our clients
• Changing people’s minds, providing actionable information, raising public awareness
What We Do
• Challenge Beliefs: current assumption that there is too much junk email to process effectively
• Collaborate Globally: accept junk email submissions from thousands of official and non-official clients as the starting point for our procedures
• Enforce Policies:
• use the current policy structures to address the problem
• reveal breakpoints and bottlenecks in Internet compliance
What We Do
• Share Our Progress: Provide our clients with feedback and avenues for satisfaction that they are not getting from the Internet community
• Generate Big Picture Thinking
• Explore the complex issues driving spam
• Illustrate the impact on individual victims as well as the burden on the economy
• Use spam to create a “map” of transnational crime
KnujOn: A better model
• No software to download
• No live connection needed
• No active process or database on the net
• Reporting/Processing in different locations
• Compact and highly mobile
• DoS of our sites won’t stop the process
The criminals are fighting back with technology…..
• Cyber criminals are launching massive Denial of Service attacks against anti-spam services
• Worms have been designed to specifically attack anti-virus software companies (and specific people)
• DDoS and hacking attacks have been used against law enforcement networks as revenge
…and beyond technology
• Malaysian media pirates have threatened police and customs dogs (bounties have been placed on specific animals)
• “Spammer Tries to Hire Hit man to Kill Children of Witness”
• Journalists investigating counterfeit product networks in many countries have been murdered
• Nigeria’s Rx fraud czar under constant attack
• Saad Echouafni (massive 2004 DoS) remains a fugitive, armed and dangerous, possibly in North Africa
Problems Behind the Problem
The criminal threat is much more aggressive than ever before
• Targeted attempts to intimidate and disrupt enforcement for the purpose of protecting lucrative criminal operations are commonplace.
• As the spam money grows, so will the physical threats.
• “Cybercops drowning in data” – Jim Christy
• Government sponsored simulated cyber attacks on the U.S. were successful in penetrating defenses
• Foreign intelligence services are “eating our lunch” – Joel Brenner, National Counterintelligence Executive
Resources are impacted
• Employees in the U.S. spend about 100 hours each year dealing with spam, a daily loss of $130 million to our workforce
• Loss of productivity on the company side: $712 per employee, $71 billion to all U.S. businesses annually
• 210,000 American manufacturing workers could be added to the economy if parts were made legally
• Illicit traffic is a $600 Billion industry
• 90% of all email traffic is spam
Spam Beyond “Email”: Geocities “encrypted” spam sites
Spam that isn’t email
Spam that isn’t email : Search Stacking
DISCOVERing deceit at uhuzy.org
• 173 instances of the phrase “discover card”
• Over 1000 instances of the word “discover”
• First site returned in a Google search for “Discover Payment Address”
Spam that isn’t email
• Wiki Spam
• Social Networking sites
• Blogs
• Forums
• News://
• iTunes?
Growth of the Internet and Illicit Traffic
Failure of Filtering In the Press
• PEW research study that suggested consumers have been worn down by spam and are now accepting it as a fact of modern life.
• Brockman & company survey that suggests anti-spam software "doesn't work."
• Research by the University of California, San Diego validates the contention that there are a small number of organized criminals behind most of the junk mail.
• People know the spam problem is worse than last year, and that the filter and block strategy has run its course.
The Economic Idiocy of Spam Filtering
• 90% of the bandwidth taken up by spammers
• The communications network has been hijacked by fraudulent transmissions
• Consumers and taxpayers fund the maintenance on this global network of cable, DSL, phone lines, optic, radio, etc…
In other words…..
• Americans are paying $1.5 Billion Per Month to ensure transmission of Spam* - $18 Billion per year
• If you have a virus scan and filtering software and get no spam in your inbox, you are still paying $27 per month to guarantee that it gets delivered just short of your mailbox
*Based on 55,544,208 households with net access (2000 census) and $30 average cost of connection with only 10% of that going to support traffic that is wanted.
Paper Fraud On the Rise
•98% of forgers go free
•Only 2% of check frauds are arrested
•62% of bad checks go uncollected
•Only one state (Illinois) makes it illegal to order checks in someone else’s name
•Booming market in fake labels, packaging, and security holograms
•Forgery of FAA Part Approval forms found
•Deceptive mortgage and “prizes” mailings continue
Operational Highlights
• Outline of a spamming operation
• Who are the spammers?
• What is their operational path?
• How are they enabled?
Operation Highlights: Mapping the Distribution & Money
Operation Highlights: the Spammers
• Mercenary criminals, not really concerned with what is being sold in junk email
• Spam, transaction sites, shipping, and supply are all distinct operations
• They don’t have warehouses full of pills and handbags
• Possible that parties never meet face to face
• Skills are easy to pick up and share
• Spamming “Kits” are available for sale/download
• Discussions and mentoring occur in chat rooms
Operation Highlights: Illicit Traffic is About Transactions* - not Products or Spam
• Attack the transaction, not the advertisement
• Blocking the transaction (at the website) keeps the money from entering the cycle
• This will not happen if the spam is deleted. If the spam is reported, there is a better possibility the site will be taken down
• Once a connection is made to a victim, they are more likely to be victimized again
What does it mean to purchase goods sold in spam?
Where do the products sold in spam come from?
Who profits from merchandise sold in spam?
What is driving and enabling it?
The Path of Fake Goods Sold in Spam
• Manufacture of these goods is often done using forced, prison, child or under-compensated labor
• The illegal factories are usually not inspected and pose serious health, safety and environmental threats
• In order to operate large illegal factories, local government must be bribed or coerced
• The products themselves represent copyright, trademark and intellectual property infringements
• Fake goods must be smuggled out of source countries
• Contraband is often carried by human mules, tying smuggling to human traffic, sexual exploitation, document forgery and other transnational crime
• Taxes are unlikely to be paid on smuggled, counterfeit goods
• Profits from illicit traffic fund criminal organizations, terror groups and bloody conflicts in developing countries
• Substandard counterfeit goods explode, start fires, and poison people
• Profits from illicit traffic must be moved by money launderers
Spammers snag customers!
650,000 people purchased at least one item sold in spam in a single month surveyed (Consumer Reports)
If the average spam “unit” is $75, that is $48,750,000 per month or $585,000,000 per year
While the majority of Internet users block and delete spam, the remainder keeps the spammers employed!
Knockoffs and Counterfeits as an industry
If the knockoff network was a single company it would be twice the size of Wal-Mart
If counterfeiting, smuggling, and piracy were a single industry it would be the world’s biggest
Product-Driven: Counterfeiting
German authorities seized $1.6 billion in pirated goods in 2006, which was a 500% increase from 2005
U.S. Customs and Border Protection reported an 83% increase in counterfeit good seizures in 2006
England claimed a 45% increase in fake drug traffic in 2005
Interpol has noted a steady 10-year surge in intellectual property crime
The International AntiCounterfeiting Coalition (iacc.org) claims a ten thousand percent increase in recent decades
What is being counterfeited?
• Cigarettes – with twice the carcinogens
• Alcohol – with ethanol and other poisons
• Tea Leaves – dried with truck exhaust
• Weed Killer – that kills crops too
• Shampoo – with fecal matter (“shampoop”?)
• Brake Pads – made from pressed sawdust
• Surge protectors – that explode
Scary Warning!
“We enforce if you are affiliated with or working for a brand name company mentioned either directly or indirectly, or any other related group, or were formally a worker, you cannot enter this web site, cannot access any of its files and you cannot view any of the HTM(L) files. If you enter this site you are not agreeing to these terms and you are violating code 431.322.12 of the Internet Privacy Act signed by Bill Clinton in 1995 and that means that you cannot threaten our ISP(s) or any person(s) or company storing these files, and cannot prosecute any person(s) affiliated with this page which includes family, friends or individuals who run or enter this web site.”
Distribution Network
The Secondary Threat of Software Piracy
• The “big hack”
• Use of pirated software 50% worldwide
• ¼ of Software in U.S. is pirated
• Some developing countries have near 90% piracy rates
• Microsoft and Vietnam: compromise or copout?
• Pirated software can provide an attack platform for a variety of crimes
Tax Software and AutoCAD
Product-Driven: Software Piracy
• Countries that are known sources for pirated software are also known for spying on the United States
• Corrupt government elements or gangs?
• Wo Shing Wo, San Yee On, and 14K are all reportedly involved in media piracy as well as human smuggling
• Authorities in China often claim Chinese Americans run the gangs
• The international scope is complex and troubling
Threats from places you’ve never heard of
Transdnester: “Independent” republic within Russia; accused of being little more than a massive criminal enterprise
Ciudad del Este: Economic free zone in Paraguay; haven for smugglers and terrorists
Tuvalu: Tiny island nation that issues .TV domains to phishers and leases its telephone system for sex-lines
Nauru: Set up your bank here without ever going there; hid money for Slobodan Milosevic
Deposit Scams
• Also called “Nigerian/419” or Advance Fee Scams
• Present a unique problem for cybercops
• Victims of this kind of fraud have been kidnapped or murdered while trying to retrieve their money overseas
.cd
• .CD is emerging as a phisher favorite
• Is the domain extension for The Democratic Republic of the Congo
• The DRC is not the same as the Republic of the Congo
• The DRC, formerly Zaire, has been in a state of political upheaval since the late 1990’s
• Troubled countries are magnets for fraud and corruption
• The average consumer is not aware of the background that allows spammers to operate
Sale of sovereignty
Nauru (.nr), Vanuatu (.vu), Cook Islands (.cc) and Western Samoa (.ws) like Tuvalu (.tv) are tiny island nations with few resources
Some use their very sovereignty as a commodity, and when that is sold there is nothing left
Countries can be “owned” by criminal groups – think about Al Qaeda and Afghanistan
Rx
Where The Bad Pills Come From
• Filler
• Counterfeit
• Diverted Product
• Repackaging
• Up-Dosing
Rx
Impact of fake drugs and easy access
Deaths from painkiller overdoses have exceeded those from heroin and cocaine in recent years
In 2005 drug poisonings were second only to automobile accidents for unintended deaths
Counterfeit drug investigations by the FDA have increased 10 times since 2000
More steroids for young athletes
Vacations
What has happened to folks who use less-than-reputable travel services?
• Customers pay for a trip and don't get anything.
• The company sends tickets or vouchers but the airline/hotel does not honor them.
• Customers are charged extra (and often large) fees when presenting vouchers.
• One fare is promised but a different one is charged.
• The company agrees to a schedule but the dates are then changed by the company.
• Customers are promised a specific airline/hotel but different services appear on the voucher(s).
Risky Loans
• Mortgage fraud is on the increase
• 600 cases in 2004 to 21,971 in 2005 totaling over $1 Billion in losses (FBI)
• Hotspots are Michigan and Florida
• While the FBI reports that mortgage fraud cases are increasing, convictions, seizures, and recovered funds are declining.
Risky Loans
• Some mortgage spams are just phishing/ID Theft attempts, others are “referrals”
• Reverse Mortgages, “Teaser” ARMs, and “flipping” schemes are conducted by skilled industry insiders
• Targets are often elderly, fixed income
• The increase in foreclosures has become a burden on the market generally
Phishing
• Phishing has evolved into multi-prong threats that combine viruses and ID theft
• Hackers post exposed accounts for auction
• Changes in the banking industry may provide a false sense of security (two-factor guidelines)
Phishing
• Weakest points in any system will always be people
• Banks can lock down on-line transactions but deceived customers and employees will still hand money over to crooks
• Access is often a target and not simply money
• Increase in illicit traffic profits creates demand for more money laundering
Market Manipulation
Spammers have successfully manipulated stock prices for their gain and other investors’ loss
Studies at Harvard, Oxford and Purdue have confirmed the viability of manipulating penny stocks for big gain
Penny Stocks (Pink sheets, OTCBB) are used because their small value does not require as much oversight or registration
Spammers use software similar to CAPTCHA to create stock touting images
Market Manipulation
• Polish Epicenter
• Bulk of stock spam examined by Knujon originated on Polish networks
• Secondary source: countries bordering Poland
• Tertiary source: Countries with large Polish communities
• SEC Targeting a Latvian-Russian gang
• Points to “organic” nature of malware
And the list goes on, and on, and on….
• Remainders
• Degrees
• Gambling
• Porn
• Sex Trade
• Political Attacks
• Hoaxes
Delivery Systems: MalWare
MalWare is often deployed unintentionally by users who:
• Download unknown programs
• Open attachments from unknown email senders
• Share files on peer-to-peer networks or other media
MalWare can also be forced onto a machine through:
• Known, un-patched system exploits
• Buffer overflows
• Clever web scripting
ISP Response to Sober Worm(2005)
ISP: Grade
• adelphia.net: F
• alltel.net: B
• blueyonder.co.uk: A
• btbroadband.com: B-
• charter.net: F
• pacbell.net: D
• PaeTec: A
• rr.com: C+
• sifycorp.com: A
• tds.net: A
ISP Response to Sober Worm(2005)
Why the failing grades?
• No clear reporting instructions
• No feedback
• Only took complaints from customers
• Virus emails kept coming after detailed and repeated reports
Demonstrates a lack of consistency and professionalism from the companies that maintain the Internet
Where industry is failing us
•Knujon has a number of “add-on” modules available for Thunderbird, Outlook, Yahoo, Gmail, and AppleMail for reporting spam. These were developed by dedicated members, not by big software houses or ISPs
•The Internet industry continues to send confusing messages to consumers about security
•Defense Cyber Crime Institute called for "the industry to create tools to help us investigate large volumes of data.” The industry has not responded
Mystery Alerts
General warnings that do not include usable information will be ignored over time
Piracy Report Rejected by Microsoft
Spam Courtesy of CNN
Most media outlets have “built-in abuse interfaces”
Credit Cards, Air Miles and Mortgages
A confusing mix of transactions is being thrown out faster than consumers can absorb and understand them
“It’s as easy as firing off a text message”
Financial transactions on cell phones?
Phished by my own Credit Card
Questions about this bizarre email have not been addressed by Citibank
Who else is failing us?
The Media: by continuing to encourage people to ignore and delete spam rather than report it
The Business Community: by not properly protecting their brands on-line
The Government: by not providing feedback to citizens and more processing resources for electronic fraud
IP Theft & Espionage
Direct email is a favorite starting point for industrial espionage
Spies collect “gray material” on companies and researchers
Carefully crafted emails are used to open communication
Spies pretend to be colleagues and graduate students
IP Theft & Espionage
Threats can be foreign intelligence, foreign companies, domestic competitors, activists, and people with a grudge
Commonly held beliefs about spam and phishing, that they are purely the province of criminals and hackers, allow foreign intelligence services the opportunity to be “lost in the crowd”.
The Good News
30,000+ shutdowns through KnujOn happened because people reported junk mail
SEC has suspended trading of touted penny stocks, pursued many cases, frozen assets based on citizen tips
FTC has fined hundreds of companies for unsolicited faxes, one company was fined over $700,000, because of complaints
Services like APWG and CastleCops(PIRT/MIRT) are coordinating anti-phishing projects that target botnets in the process
Recommendations
1. Media needs to stop telling people to delete spam
2. Create more cybercrime schools and professionals
3. LE needs to publicize successes in enforcement
4. Government needs to encourage reporting and expand processing resources
5. Banks need to have a proactive plan to educate customers and fight phishing
6. Researchers need to be educated about the dangers of industrial espionage
7. Private companies need to aggressively protect intellectual property
Join KnujOn
KnujOn wants your junk mail (yes, we’re serious)
http://www.knujon.com
Phishing and BotNets:
http://www.castlecops.com
http://www.apwg.org
http://www.isotf.org