Page 1: Illicit Distribution Networks: Spam Tactics of Online Criminals

KnujOn (“no junk” backwards)

http://www.knujon.com

Fighting Spam and E-crime with Information and Policy Enforcement

Page 2: KnujOn is…

* Garth Bruen – [email protected]
* Dr. Robert Bruen – [email protected]
* Boston, MA / Wilmington, VT
* Project opened to public in 2005

Page 3: KnujOn does…

* 54,357 confirmed illicit domain terminations
* 200,000+ unconfirmed terminations
* 69,111 pending suspensions
* Accepting 30,000 junk email samples each day from the public
* Issuing detailed reports to members

Page 4: KnujOn does…

* Gathering detailed data on illicit networks
* Testing Internet policy to expose breakpoints and bottlenecks
* Challenging misconceptions held by the public and the media
* Making direct connections between spam, illicit websites, registration forgery, and counterfeit products

Page 5: 90% of Illicit Sites are at just 20 Registrars

Page 6: 90% of Illicit Sites are at just 20 Registrars

* Over 800 ICANN Accredited Registrars
* 20 of them have the bulk of illicit sites
* Fake pharmacies, knockoff sites, pirate software downloads, and phony mortgage institutions clustered at specific providers
* Lack of standards, poor accountability and no enforcement have created havens

Page 7: Illicit website defined by…

* Offering bogus, unlicensed, or non-existent products or services
* Advertised with spam
* Uses registration forgery as standard practice

Page 8: Policy Enforcement Model

* “There’s too much junk email to process effectively for enforcement” – Not True
* The resources to fix this problem currently exist
* Unused, ignored, and untested procedures lie idle
* Processes that have been proven to work need more money and personnel to expand

Page 9: Problem and Solution Distribution

* No single party or sector is completely to blame for the spam epidemic
* Therefore the different pieces of the answer sit in various locations
* Streamlining and merging the existing functions produces measurable results

Page 10:

Page 11: Analysis of Compliance Layers

* ICANN – Issues Registrar Accreditations
* Registrars – Issue domain names
* ISPs – Provide space on the Net
* Industry – Develop software and hardware
* Regulatory/Enforcement – The Gov’t
* Brands – Selling stuff
* The Public – You, me, private business

Page 12: Why New Direction?

* Filtering is not a complete solution
* Deleting spam is destroying data and evidence
* Current abuse structure helps spammers
* Spammers are mercenaries – not driving the problem
* Profits from illicit traffic growing

Page 13: Yahoo and Postini

* Study of one webmail filter, one network enterprise filter (not singling them out)
* 332 spam items bypassed Yahoo! filtering in 2007
* Postini missed 221 spam items in the same year
* More or less seeing one piece of spam for every business day of the year
* “99 out of 100 Pickpockets”

Page 14: Spam from CNN

Page 15: Spam from CNN

Page 16: Spam from CNN

Page 17: Thousands of media sites…

There are a number of untapped resources spammers could use…

Page 18: ICANN case study

* 2003 – 2005: GAO Reports and Congressional testimony by experts outline serious fraud within the Whois Records
* Critics contend that Whois is largely a “fiction”
* Little has been done…

Page 19: ICANN Case Study

* KnujOn files 5 – 10 thousand inaccuracy reports a week; we could do this many a day but ICANN can’t handle it
* Their process has crashed 4 times because of our reporting; the database has had to be purged and upgraded
* They are reluctant to engage us or acknowledge the problem

Page 20: Registrar Havoc

10 Registrars have 92% of the domain abuse

Page 21: Rating the Registrars

Several metrics:

1. Raw count of reported sites
2. Proportion of reported sites to total held by registrar
3. “Aggression” rate – how many individual spam messages advertise these sites?
4. Proportional aggression
5. Volume of inaccurate records
6. Number of trademark-related sites

Page 22: Privacy for whom?

* Big debate/point of contention
* Cultural line between U.S. and Europe
* Fact: Criminals are flocking to privacy services
* Privacyprotect.org is the spammer favorite; it basically denies all access to domain owner information, in violation of ICANN terms
* Thousands of fake pharmacy sites use this service

Page 23: ISP Spam Site Crop Rotation

Page 24: Few ISPs with Many Illicit Sites

* 169 IP addresses account for 50% of the illicit sites tracked by KnujOn
* The typical illicit IP address hosts between one and five thousand domains advertised through spam
* These extensive operations cannot exist without at least the tacit support of a service provider
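As an added example (not KnujOn’s code), the Python below computes the six registrar metrics from the “Rating the Registrars” slide and the “how many IPs hold 50% of the sites” concentration figure from this slide, over a constructed set of spam reports; the report fields, registrar totals, IPs and domain names are all assumptions.

```python
from collections import defaultdict

# Constructed sample: one record per reported illicit domain.
# Fields: domain, registrar, host IP, number of individual spam messages
# advertising the domain, Whois record inaccurate?, trademark-related?
REPORTS = [
    ("pillz-cheap.example", "RegA", "198.51.100.7", 120, True, False),
    ("rx-deal.example", "RegA", "198.51.100.7", 80, True, False),
    ("luxwatch.example", "RegA", "198.51.100.9", 15, False, True),
    ("bagz4u.example", "RegB", "203.0.113.4", 10, False, True),
    ("mortgage-now.example", "RegC", "203.0.113.4", 400, True, False),
]
# Constructed: total domains under management at each registrar, the
# denominator for the two "proportional" metrics.
TOTAL_DOMAINS = {"RegA": 1_000, "RegB": 50_000, "RegC": 200}

def rate_registrars(reports, totals):
    """Return {registrar: metrics} using the six metrics from the slide."""
    by_reg = defaultdict(lambda: {"raw_count": 0, "aggression": 0,
                                  "inaccurate": 0, "trademark": 0})
    for _dom, reg, _ip, msgs, inaccurate, tm in reports:
        m = by_reg[reg]
        m["raw_count"] += 1                 # 1. raw count of reported sites
        m["aggression"] += msgs             # 3. spam messages advertising them
        m["inaccurate"] += int(inaccurate)  # 5. volume of inaccurate records
        m["trademark"] += int(tm)           # 6. trademark-related sites
    for reg, m in by_reg.items():
        total = totals[reg]
        m["proportion"] = m["raw_count"] / total        # 2. share of portfolio
        m["prop_aggression"] = m["aggression"] / total  # 4. spam per held domain
    return dict(by_reg)

def ips_covering(reports, share=0.5):
    """Smallest set of host IPs (largest first) holding `share` of reported sites."""
    per_ip = defaultdict(int)
    for _dom, _reg, ip, *_ in reports:
        per_ip[ip] += 1
    needed = share * len(reports)
    chosen, covered = [], 0
    for ip, n in sorted(per_ip.items(), key=lambda kv: -kv[1]):
        if covered >= needed:
            break
        chosen.append(ip)
        covered += n
    return chosen

if __name__ == "__main__":
    ranked = sorted(rate_registrars(REPORTS, TOTAL_DOMAINS).items(),
                    key=lambda kv: -kv[1]["proportion"])
    for reg, m in ranked:
        print(reg, m)
    print("IPs holding 50% of reported sites:", ips_covering(REPORTS))
```

Ranking by proportion rather than raw count is what separates a small registrar with a dirty portfolio (RegC) from a large one that merely hosts more of everything (RegB).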

Page 25:

Page 26: Registration Fraud Opens Door to Fake Pharmacies

Page 27: Where are the tools? - Industry

“Cybercops are drowning in data… we need the industry to create tools to help us investigate large volumes of data.”

- Jim Christy, Defense Cyber Crime Institute (DCCI or DC3)

Page 28: Where are the tools? - Industry

* KnujOn participants have developed their own utilities for reporting spam from Thunderbird, Outlook, Yahoo, Gmail, AppleMail
* Created by dedicated members, not by big software houses or ISPs
* The Internet industry has in many cases made it more difficult for consumers to report junk email

Page 29: Where is the Enforcement?

* Lack of data or too much unsorted data
* No organizational or political will
* Jurisdiction issues
* Process and procedure need updating
* No “victim”:
  - Brands enforcing trademarks
  - Buyers of bogus products not stepping up

Page 30: Busting Individuals Not A Solution

* Spammers are mercenaries
* Downloadable kits make spamming easy
* Number of arrests and successful prosecutions small in relation to scope of the problem
* Spammers don’t have a warehouse of pills and handbags

Page 31: Brands need to enforce trademarks

* Phishing is brand-related – Anti-phishing push did not come from banks but from LE, consumers, and academics
* Brand-related spam accounts for approximately 85% of what KnujOn processes
* Not just luxury brands, but ordinary consumer products

Page 32: Old Model of Network Security

* Access management
* Building firewalls
* Intrusion detection and prevention
* Countermeasures and proactive actions shunned

Internet has drastically changed the nature of the threat…

Page 33: New model…

* Threats are outside the network!
* New processing and storage models eliminate complete control and old boundaries of the network
* Internet commerce means you have to leave the network to do anything
* Smear/reputation attacks
* Brandjacking threat not within the network

Page 34: What happened to stock spam?

* 2005/2006 there was nothing but stock spam
* Criminals made real profits
* Securities and Exchange Commission started a project that involved:
  * Accepting reports from the public
  * Analyzing the emails and featured stocks
  * Suspended trading of featured stocks
  * Froze assets of those who profited
  * Indicted perpetrators
* Problem has been minimized and managed
* Proper policy enforcement works

Page 35: Breaking down the spam campaign ratio

* Botnet with tens of thousands of machines…
* Sends millions of spams…
* To millions of mailboxes…
* That advertise several hundred links…
* That redirect to a few hundred real domains…
* Sitting on a few dozen IPs…
* Registered at 1 or 2 registrars.

Page 36: Problem explodes, then focuses

Page 37: What do they want? Transactions

A transaction could be:

* Exchange of money for goods
* Surrender of money for nothing
* Identity data theft
* Compromise account/network
* Delivery of malware

Sending spam, not a transaction

Page 38: Target the transaction

Page 39: The reasons for spam, what is driving and enabling it.

* What does it mean to purchase goods sold in spam?
* Where do the products sold in spam come from?
* Who profits from merchandise sold in spam?

Page 40: The Path of Fake Goods Sold in Spam

Manufacture of these goods is often done using forced, prison, child or under-compensated labor

Page 41: The Path of Fake Goods Sold in Spam

The illegal factories are usually not inspected and pose serious health, safety and environmental threats

Page 42: The Path of Fake Goods Sold in Spam

In order to operate large illegal factories, local government must be bribed or coerced

Page 43: The Path of Fake Goods Sold in Spam

The products themselves represent copyright, trademark and intellectual property infringements

Page 44: The Path of Fake Goods Sold in Spam

Fake goods must be smuggled out of source countries

Page 45: The Path of Fake Goods Sold in Spam

Contraband is often carried by human mules, tying smuggling to human trafficking, sexual exploitation, document forgery and other transnational crime

Page 46: The Path of Fake Goods Sold in Spam

Taxes are unlikely to be paid on smuggled, counterfeit goods

Page 47: The Path of Fake Goods Sold in Spam

Profits from illicit traffic fund criminal organizations, terror groups and bloody conflicts in developing countries

Page 48: The Path of Fake Goods Sold in Spam

Substandard counterfeit goods explode, start fires, and poison people

Page 49: The Path of Fake Goods Sold in Spam

Profits from illicit traffic must be moved by money launderers

Page 50: Growth of illicit traffic in comparison to Internet

Page 51: Spammers still get customers

* 650,000 people purchased at least one item sold in spam in a single month surveyed (Consumer Reports)
* If the average spam “unit” is $75, that is $48,750,000 per month or $585,000,000 per year
* While the majority of Internet users block and delete spam, the remainder keeps the spammers employed!

Page 52: Engaging the public…

* Encouraging everyone to report spam
* Report often and to as many authorities as possible
* KnujOn shares samples with APWG, StopPhishing, CastleCops and others
* Supply feedback, re-engage the reporter

Page 53: Send us spam!

Forward email to [email protected]

Upload bulk junk here: http://www.knujon.com/sendusspam.html

Page 54: Spam Independence Day

Between Memorial Day and July 4th, report as much spam as possible to as many services as possible.

Focus on your area of expertise if you have one

Page 55: Join KnujOn

Go to http://www.knujon.com/htcia

Enter: htciaOH2008 for a free KnujOn account