Illicit Distribution Networks: Spam Tactics of Online Criminals
KnujOn (“no junk” backwards)
http://www.knujon.com
Fighting Spam and E-crime with Information and Policy Enforcement
KnujOn is…
* Garth Bruen – [email protected]
* Dr. Robert Bruen – [email protected]
* Boston, MA / Wilmington, VT
* Project opened to public in 2005
KnujOn does…
* 54,357 confirmed illicit domain terminations
* 200,000+ unconfirmed terminations
* 69,111 pending suspensions
* Accepting 30,000 junk email samples each day from the public
* Issuing detailed reports to members
KnujOn does…
* Gathering detailed data on illicit networks
* Testing Internet policy to expose breakpoints and bottlenecks
* Challenging misconceptions held by the public and the media
* Making direct connections between spam, illicit websites, registration forgery, and counterfeit products
90% of Illicit Sites are at just 20 Registrars
* Over 800 ICANN Accredited Registrars
* 20 of them have the bulk of illicit sites
* Fake pharmacies, knockoff sites, pirate software downloads, and phony mortgage institutions clustered at specific providers
* Lack of standards, poor accountability and no enforcement have created havens
Illicit website defined by…
* Offering bogus, unlicensed, or non-existent products or services
* Advertised with spam
* Uses registration forgery as standard practice
Policy Enforcement Model
* “There’s too much junk email to process effectively for enforcement” – Not True
* The resources to fix this problem currently exist
* Unused, ignored, and untested procedures lie idle
* Processes that have been proven to work need more money and personnel to expand
Problem and Solution Distribution
* No single party or sector is completely to blame for the spam epidemic
* Therefore the different pieces of the answer sit in various locations
* Streamlining and merging the existing functions produces measurable results
Analysis of Compliance Layers
* ICANN – Issues registrar accreditations
* Registrars – Issue domain names
* ISPs – Provide space on the Net
* Industry – Develop software and hardware
* Regulatory/Enforcement – The Gov’t
* Brands – Selling stuff
* The Public – You, me, private business
Why New Direction?
* Filtering is not a complete solution
* Deleting spam is destroying data and evidence
* Current abuse structure helps spammers
* Spammers are mercenaries – not driving the problem
* Profits from illicit traffic growing
Yahoo and Postini
* Study of one webmail filter, one network enterprise filter (not singling them out)
* 332 spam items bypassed Yahoo! filtering in 2007
* Postini missed 221 spam items in the same year
* More or less seeing one piece of spam for every business day of the year
* “99 out of 100 Pickpockets”
Spam from CNN
Thousands of media sites…
There are a number of untapped resources spammers could use…
ICANN case study
* 2003 – 2005: GAO Reports and Congressional testimony by experts outline serious fraud within the Whois records
* Critics contend that Whois is largely a “fiction”
* Little has been done…
ICANN Case Study
* KnujOn files 5 – 10 thousand inaccuracy reports a week; we could do this many a day, but ICANN can’t handle it
* Their process has crashed 4 times because of our reporting; the database has had to be purged and upgraded
* They are reluctant to engage us or acknowledge the problem
Registrar Havoc
10 Registrars have 92% of the domain abuse
Rating the Registrars
Several metrics:
1. Raw count of reported sites
2. Proportion of reported sites to total held by registrar
3. “Aggression” rate – how many individual spam messages advertise these sites?
4. Proportional aggression
5. Volume of inaccurate records
6. Number of trademark-related sites
Privacy for whom?
* Big debate/point of contention
* Cultural line between U.S. and Europe
* Fact: Criminals are flocking to privacy services
* Privacyprotect.org is the spammer favorite; it basically denies all access to domain owner information, in violation of ICANN terms
* Thousands of fake pharmacy sites use this service
ISP Spam Site Crop Rotation
Few ISPs with Many Illicit Sites
* 169 IP addresses account for 50% of the illicit sites tracked by KnujOn
* The typical illicit IP address hosts between one and five thousand domains advertised through spam
* These extensive operations cannot exist without at least the tacit support of a service provider
Registration Fraud Opens Door to Fake Pharmacies
Where are the tools? - Industry
“Cybercops are drowning in data… we need the industry to create tools to help us investigate large volumes of data.”
– Jim Christy, Defense Cyber Crime Institute (DCCI), part of the Defense Cyber Crime Center (DC3)
Where are the tools? - Industry
* KnujOn participants have developed their own utilities for reporting spam from Thunderbird, Outlook, Yahoo, Gmail, AppleMail
* Created by dedicated members, not by big software houses or ISPs
* The Internet industry has in many cases made it more difficult for consumers to report junk email
Where is the Enforcement?
* Lack of data or too much unsorted data
* No organizational or political will
* Jurisdiction issues
* Process and procedure need updating
* No “victim”:
  - Brands not enforcing trademarks
  - Buyers of bogus products not stepping up
Busting Individuals Not A Solution
* Spammers are mercenaries
* Downloadable kits make spamming easy
* Number of arrests and successful prosecutions small in relation to scope of the problem
* Spammers don’t have a warehouse of pills and handbags
Brands need to enforce trademarks
* Phishing is brand-related – the anti-phishing push did not come from banks but from LE, consumers, and academics
* Brand-related spam accounts for approximately 85% of what KnujOn processes
* Not just luxury brands, but ordinary consumer products
Old Model of Network Security
Access management
Building firewalls
Intrusion detection and prevention
Countermeasures and proactive actions shunned
Internet has drastically changed the nature of the threat…
New model…
Threats are outside the network!
New processing and storage models eliminate complete control and old boundaries of the network
Internet commerce means you have to leave the network to do anything
Smear/reputation attacks
Brandjacking threat not within the network
What happened to stock spam?
* 2005/2006 there was nothing but stock spam
* Criminals made real profits
* The Securities and Exchange Commission started a project that involved:
  * Accepting reports from the public
  * Analyzing the emails and featured stocks
  * Suspending trading of featured stocks
  * Freezing assets of those who profited
  * Indicting perpetrators
* Problem has been minimized and managed
* Proper policy enforcement works
Breaking down the spam campaign ratio
* Botnet with tens of thousands of machines…
* sends millions of spams…
* to millions of mailboxes…
* that advertise several hundred links…
* that redirect to a few hundred real domains…
* sitting on a few dozen IPs…
* registered at 1 or 2 registrars.
Problem explodes, then focuses
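The funnel above, the registrar metrics from the “Rating the Registrars” slide, and the “169 IPs cover 50% of sites” concentration figure are all the same kind of computation: take the advertised links, follow them to the real domain, and aggregate by hosting IP and sponsoring registrar. The script below is an added example, not KnujOn’s own tooling or data. Every input is constructed: the hostnames are hypothetical `.example` names, the IPs are documentation-range addresses, and the registrar names and domain-held totals are made up. The redirect, hosting and registrar dictionaries stand in for what a real run would obtain by following HTTP redirects, resolving DNS and querying Whois. “Proportional aggression” is not defined on the slide; the code takes it (as a labelled assumption) to mean spam messages per reported domain.

```python
"""Follow a spam campaign down the funnel: messages -> links -> domains -> IPs -> registrars.

Added example, not KnujOn's own tooling or data. All sample data is constructed.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed spam samples: (message id, URL advertised in the message).
SPAM_MESSAGES = [
    ("m01", "http://lnk-a.example/?p=viagra"),
    ("m02", "http://lnk-a.example/?p=cialis"),
    ("m03", "http://lnk-b.example/go"),
    ("m04", "http://lnk-b.example/go"),
    ("m05", "http://lnk-c.example:8080/x"),     # port must not split the host
    ("m06", "http://lnk-d.example/y"),
    ("m07", "http://lnk-d.example/z"),
    ("m08", "http://lnk-e.example/"),
    ("m09", "http://lnk-f.example/"),
    ("m10", "http://LNK-F.example/"),           # case differs, same host
    ("m11", "http://rxshop.example/direct"),    # advertised without a redirector
    ("m12", "http://lnk-a.example/?p=soma"),
]

# Constructed redirect map: advertised host -> next hop. Chains are followed to a fixed point.
REDIRECTS = {
    "lnk-a.example": "lnk-b.example",
    "lnk-b.example": "rxshop.example",
    "lnk-c.example": "rxshop.example",
    "lnk-d.example": "watches.example",
    "lnk-e.example": "watches.example",
    "lnk-f.example": "loans.example",
}

# Constructed hosting and registration data for the real destination domains.
HOSTING = {"rxshop.example": "203.0.113.5", "watches.example": "203.0.113.5", "loans.example": "198.51.100.9"}
REGISTRAR = {"rxshop.example": "Registrar-A", "watches.example": "Registrar-A", "loans.example": "Registrar-B"}
REGISTRAR_DOMAINS_HELD = {"Registrar-A": 1_000, "Registrar-B": 100_000}  # hypothetical totals under management


def advertised_host(url):
    """Host named in the spam URL: urlsplit lowercases it and drops any port."""
    return urlsplit(url).hostname or ""


def resolve(host):
    """Follow the redirect map to the real destination, stopping if a loop is found."""
    seen = set()
    while host in REDIRECTS and host not in seen:
        seen.add(host)
        host = REDIRECTS[host]
    return host


def campaign_funnel(messages):
    """Count the distinct items at each layer of the campaign."""
    hosts = {advertised_host(url) for _, url in messages}
    domains = {resolve(h) for h in hosts}
    return {
        "messages": len(messages),
        "advertised_hosts": len(hosts),
        "real_domains": len(domains),
        "ips": len({HOSTING.get(d, "unknown") for d in domains}),
        "registrars": len({REGISTRAR.get(d, "unknown") for d in domains}),
    }


def registrar_metrics(messages):
    """Metrics 1-4 from the 'Rating the Registrars' slide, per registrar.

    Assumption: 'proportional aggression' = spam messages per reported domain.
    """
    domains_by_reg = defaultdict(set)
    messages_by_reg = Counter()
    for _, url in messages:
        domain = resolve(advertised_host(url))
        reg = REGISTRAR.get(domain, "unknown")
        domains_by_reg[reg].add(domain)
        messages_by_reg[reg] += 1          # each message counts toward aggression
    metrics = {}
    for reg, domains in domains_by_reg.items():
        held = REGISTRAR_DOMAINS_HELD.get(reg)
        raw, aggression = len(domains), messages_by_reg[reg]
        metrics[reg] = {
            "raw_count": raw,
            "proportion": raw / held if held else None,
            "aggression": aggression,
            "proportional_aggression": aggression / raw,
        }
    return metrics


def ips_covering(messages, fraction=0.5):
    """Smallest number of IPs (largest first) whose domains reach `fraction` of the real domains."""
    domains = {resolve(advertised_host(url)) for _, url in messages}
    per_ip = Counter(HOSTING.get(d, "unknown") for d in domains)
    needed = covered = 0
    for _, count in per_ip.most_common():
        needed += 1
        covered += count
        if covered >= fraction * len(domains):
            break
    return needed


if __name__ == "__main__":
    print(campaign_funnel(SPAM_MESSAGES))
    for reg, m in sorted(registrar_metrics(SPAM_MESSAGES).items()):
        print(reg, m)
    print("IPs covering half the sites:", ips_covering(SPAM_MESSAGES))
```

On the constructed data, 12 messages advertising 7 distinct hosts collapse to 3 real domains on 2 IPs at 2 registrars, and a single IP already covers more than half the sites; the same code over a real sample feed is what produces the concentration figures the deck quotes. Note that the proportion metric depends on the registrar’s total domains under management, which is the one input not recoverable from the spam itself.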
What do they want? Transactions
A transaction could be:
* Exchange of money for goods
* Surrender of money for nothing
* Identity data theft
* Compromise of an account/network
* Delivery of malware
Sending spam is not a transaction
Target the transaction
The reasons for spam, what is driving and enabling it.
What does it mean to purchase goods sold in spam?
Where do the products sold in spam come from?
Who profits from merchandise sold in spam?
The Path of Fake Goods Sold in Spam
* Manufacture of these goods is often done using forced, prison, child or under-compensated labor
* The illegal factories are usually not inspected and pose serious health, safety and environmental threats
* In order to operate large illegal factories, local government must be bribed or coerced
* The products themselves represent copyright, trademark and intellectual property infringements
* Fake goods must be smuggled out of source countries
* Contraband is often carried by human mules, tying smuggling to human trafficking, sexual exploitation, document forgery and other transnational crime
* Taxes are unlikely to be paid on smuggled, counterfeit goods
* Profits from illicit traffic fund criminal organizations, terror groups and bloody conflicts in developing countries
* Substandard counterfeit goods explode, start fires, and poison people
* Profits from illicit traffic must be moved by money launderers
Growth of illicit traffic in comparison to Internet
Spammers still get customers
* 650,000 people purchased at least one item sold in spam in a single month surveyed (Consumer Reports)
* If the average spam “unit” is $75, that is $48,750,000 per month or $585,000,000 per year
* While the majority of Internet users block and delete spam, the remainder keeps the spammers employed!
Engaging the public…
* Encouraging everyone to report spam
* Report often and to as many authorities as possible
* KnujOn shares samples with APWG, StopPhishing, CastleCops and others
* Supply feedback, re-engage the reporter
Send us spam!
Forward email to [email protected]
Upload bulk junk here: http://www.knujon.com/sendusspam.html
Spam Independence Day
Between Memorial Day and July 4th, report as much spam as possible to as many services as possible.
Focus on your area of expertise if you have one
Join KnujOn
Go to http://www.knujon.com/htcia
Enter: htciaOH2008 for a free KnujOn account