International Trends in Cyber Crime Prosecutions. Sean B. Hoar, Assistant United States Attorney, United States Department of Justice, sean.hoar@usdoj.gov. Workshop for the Judiciary on Cyber Crime, Abu Dhabi, United Arab Emirates, June 3rd, 2010.

Page 1: International Trends in Cyber Crime Prosecutions Sean B. Hoar Assistant United States Attorney United States Department of Justice sean.hoar@usdoj.gov.

International Trends in Cyber Crime Prosecutions

Sean B. Hoar
Assistant United States Attorney
United States Department of Justice
sean.hoar@usdoj.gov

Workshop for the Judiciary on Cyber Crime
Abu Dhabi, United Arab Emirates

June 3rd, 2010

The Internet . . . a new world . . .

In the time it takes for me to make this presentation . . .
– Over 37,000 blogs will be posted on the Internet
– Over 1,300,000 “tweets” will be sent on Twitter
– Over 7,292,000 people will log on to Facebook
– Over 41,660,000 videos will be watched on YouTube
– Over 118,000,000 searches will be conducted on Google

Overview of presentation

International trends in cyber crime
– Backdrop: insecure web infrastructure; dynamic, constantly evolving technology
– Result: malware, intrusions, spam, financial fraud, intellectual property theft, sale of illegal substances & information

investigation & prosecution

Impediments & solutions

Primary international trend -malware-

Malware (a contraction of "malicious software") refers to software developed for the purpose of doing harm. Malware can generally be classified based on
– how it is executed, how it is spread and/or what it is intended to do

Malware generally takes the form of a virus, a worm, a Trojan horse, a backdoor, crimeware, or spyware

Primary international trend -malware-

Insecure web infrastructure
– In last half of 2009
  – 225% growth in malicious web sites
  – 95% of user-generated comments to blogs, chat rooms/message boards were spam or malicious
  – 77% of Web sites with malicious code are legitimate sites that have been compromised, i.e. they are sites that you visit . . .
  – 13.7% of searches for trending news/buzz words led to malware

Websense Security Labs

Primary international trend -malware-

Insecure email messaging technology
– Last half of 2009
  – 85.8% of all emails were spam
  – 81% of emails contained a malicious link
  – tens of thousands of Hotmail, Gmail and Yahoo email accounts were hacked and passwords stolen and posted online
  – phishing lures doubled in the second half of 2009 representing 4% of spam email

Websense Security Labs

Primary international trend -malware-

Cyber criminals continue to go where the money is . . .

Crimeware is malware specifically designed to steal money . . . Crimeware exploits continue unabated . . .

Primary international trend -Malware-

Web infrastructure & use
– The top 100 most visited Web properties are social networking and search engines.
– The next 1,000,000 most visited sites, or the known Web, are primarily current events, regional and genre sites.
– The next 100,000,000 sites - the “long tail” of the Internet, or the unknown Web, are junk, personal, and scam sites which are specifically set up for fraud and abuse.

Primary international trend -Malware-

Driving force behind cyber crime is $$

New generation of Web content targeted
– Social networking sites and search engines have evolved rapidly
  – Business growth is driving Web 2.0 adoption in the workplace
  – Consumer habits have shifted to Web 2.0 apps
– Because more businesses and consumers are using Web 2.0 sites, these sites are increasingly targeted for malicious purposes

International trend: malware perpetrator turf wars

A new Russian botnet – Spy Eye – has been programmed to kill a much more established rival botnet - Zeus – in order to remove the Zeus software from the victim computer, giving Spy Eye exclusive access to user names and passwords
– Zeus and Spy Eye are both Trojan-making toolkits
  – Steal online banking credentials
  – Designed to give criminals easy means of creating own "botnet" networks of password-stealing programs
  – Provide option of deleting other malicious code, i.e. “Kill Zeus” option on Spy Eye
– Zeus sells for $2500, Spy Eye for $500, on the black market

International trend: attackers capitalize on major events

Major events provide fodder for attacks designed to steal personal or business information - where there are major events there will be major scams:
– The Olympics/major sporting events
– Health concerns (H1N1 scare)
– Natural catastrophes (earthquake in Haiti)
– Economic crisis

International trend: intrusions

Network intrusions
– Identity theft – multi-billion dollar industry . . .

Critical infrastructure intrusions
– Sensitive data
– Sectors necessary to support society

Distributed denial of service attacks
– Extortion

Web site defacement

International trend: intrusions

February 3, 2010:
– A Venezuelan citizen, Edwin Pena, was first to be charged with hacking into networks of Voice Over Internet Protocol (VOIP) providers and reselling hacked VOIP services for profit
  – Pena sold more than 10 million minutes of Internet phone service to telecom businesses at deeply discounted rates, causing more than $1.4 million in losses in less than one year
  – One victim business was billed for more than 500,000 unauthorized calls

International trend: intrusions/data mining

Identity theft/surreptitious software
– Keyloggers
  – Exploit security flaws and monitor the path that carries data from the keyboard to other parts of the computer – more invasive than phishing – relying upon infection rather than deception
  – Tens of millions of machines are infected with keyloggers, putting billions in bank account assets at the fingertips of fraudsters
  – Monitoring programs often hidden within e-mail attachments, files shared via p-2-p networks, or embedded in web pages – exploiting browser features

International trend: intrusions/data mining

February 8, 2010
– A Swedish national, Philip Pettersson, was charged with hacking into computer networks of Cisco and the National Aeronautics and Space Administration

December 23, 2009
– A New York man, Stephen Watt, was sentenced to two years in prison and ordered to pay $171.5 million in restitution for providing a “sniffer” program to others
– The “sniffer” program was used to monitor and capture credit card data as it traveled across computer networks

International trend: intrusions/data mining

December 29, 2009
– A Miami man, Albert Gonzalez, pled guilty to hacking into computer networks supporting major American retail and financial businesses
– Stole tens of millions of credit card accounts affecting more than 250 financial institutions
– It is one of the largest data breaches ever investigated and prosecuted in the U.S.A.

International trend: intrusions/data mining

November 10, 2009
– Hackers from Estonia, Russia, and Moldova charged with hacking into a computer network which is part of the Royal Bank of Scotland
– They compromised data encryption used by RBS WorldPay to protect customer data on payroll debit cards
– They raised account limits, provided “cashers” counterfeit payroll debit cards, and withdrew more than $9 million from more than 2100 ATMs in over 280 cities worldwide in less than 12 hours

International trend: data breaches - still a problem?

In 2005, U.S. state laws began requiring disclosure of data breaches
– February 15, 2005, ChoicePoint was first major disclosed breach of 163,000 identities
  – Cost $25 million in damages and restitution
– June 16, 2005, CardSystems was next major disclosed breach and 40 million credit card accounts were compromised

Between January 2005 and May 2010, 354,544,631 records were breached in U.S.

International trend: data breaches – getting more costly

In 2009, data breaches cost companies
– Approximately $204 per compromised customer record
– Approximately $6.75 million per data breach

International trend: phishing continues to evolve . . .

Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.

International trend: phishing via social engineering . . .

Social‐engineering schemes use spoofed e‐mails purporting to be from legitimate businesses and agencies to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as usernames and passwords.

International trend: phishing via technical subterfuge

Technical subterfuge schemes plant crimeware onto PCs to steal credentials
– often using systems to intercept consumers’ online account user names and passwords
– to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or authentic websites through phisher-controlled proxies used to monitor and intercept consumers’ keystrokes)

International trend: phishing

October 7, 2009
– 100 persons charged in the U.S. and Egypt in sophisticated phishing operation that fraudulently collected personal information from thousands of victims which was used to defraud American banks

International trend: password stealing software: all-time high

The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December of 2008, an 827 percent increase from January of 2008 (APWG)

International trend: phishing reports: high value targets

While reports decreased, a substantial increase in phishing focused on high‐value targets such as personnel with treasury authority (APWG)

International trend: unique phishing sites: far too many

The number of unique phishing websites detected by APWG during the fourth quarter of 2009 continues to be very high

International trend: phishing targets – where the $$ is . . .

The financial services sector continues to be the most targeted industry sector (APWG)

International trend: rogue anti-malware products . . .

Rogue antivirus products are some of the most efficient – and increasingly preferred - ways to victimize consumers. Unlike banking Trojans, where cybercriminals have to infect a PC, steal data, etc., a rogueware attack simply fools users into paying for worthless software – or forces them to make a ransom payment. The user is the one willing to pay in order to “disinfect” their PC - or free it from a cybercriminal’s control.

International trend: rogue anti-malware

Cybercriminals profit faster by increasing the proportion of users who pay after downloading rogueware. These techniques have rocketed, with new cybercriminals using ransomware – which doesn’t let you use your PC until you buy a ‘license’ (APWG)

International trend: malicious code evolution

Crimeware (data-stealing malicious code designed to victimize financial institution customers and co-opt institutional identities); Generic Data Stealing (data stealing Trojans and code designed to send information from an infected machine, control it, and open backdoors on it); Other (remainder of malicious code such as auto-replicating worms, dialers for charge-back scams, etc.) (APWG).

International trends: 48% of all computers are infected . . .

International trend: spam . . . almost 9 out of 10 messages

3.1 billion messages were processed by the Hosted Infrastructure (over 100 million per day) of which 87.3% of all email was spam, 94.8% of spam included an embedded URL, and 1.2% of spam emails were phishing attacks

www.websense.com

International trend: spam categories

McAfee.com

International trend: spam/phishing

January 14, 2010
– A Romanian citizen, Cornel Tonita, pleaded guilty to phishing and spamming by harvesting email addresses from Internet sites, primarily colleges and universities in the U.S., and providing the email addresses to others so that they could be spammed.

International trend: spam/stock fraud

November 23, 2009
– Residents of Hong Kong and the U.S. were each sentenced to several years in prison for spamming with the use of botnets which compromised computers and manipulated financial transactions and the stock market
– They forfeited a total of $870,000

International trend: financial fraud

Manifests in a variety of forms
– Identity theft/carding
– Auction fraud
– Advance fee fraud/419 scams
– High Yield “Investment” Programs
– Pyramid schemes
– Pump-and-dump stock scams
– Pay-per-click advertising fraud
– Espionage

International trend: financial fraud/auction fraud/identity theft

United States v. Mondello – could have happened anywhere in the world
– Local high school graduate and computer genius
– Between December 2005 and October 2007
  – Initiated thousands of separate online auctions
  – Using more than 40 fictitious usernames and online payment accounts to sell copies of counterfeit software
  – Generated more than $400,000 in personal profit

International trend: financial fraud/auction fraud/identity theft

United States v. Mondello – could have happened anywhere in the world
– Mondello acquired victims’ names, bank account numbers and passwords by using a computer keystroke logger.
– The keystroke logger installed itself on victims’ computers and recorded victim’s name and bank account information as information was being typed.
– The program then electronically sent the information back to Mondello which he then used to establish fictitious usernames and online payment accounts.

International trend: financial fraud/auction fraud/identity theft

United States v. Mondello - outcome
– Pled guilty to criminal copyright infringement, aggravated identity theft and mail fraud
– Consented to the forfeiture of more than $225,000 in cash proceeds, and also forfeited computer-related equipment used to commit the crime.
– Sentenced to serve 48 months in prison
– Ordered to serve three years of supervised release and perform 450 hours of community service during that time
– Made anti-piracy video for RIAA

International trend: Nigerian scams continue to abound

Nigerian scams
– Traditional “419” Nigerian letter scam
– Overpayment scam
– Check cashing scam
– Re-shipping scam
– Tax Refund scam
– Lottery scam
– Internet romance scam
– Inheritance scam
– Insurance scam
– Business opportunities scam
– Investment scam

International trend: Nigerian scams continue to abound

February 17, 2010
– A Nigerian citizen, Okpako Mike Diamreyan was convicted of wire fraud for running an advance fee fraud scam
– The scam enticed victims to send money via the Internet with the promise of receiving a larger sum of money in the future

International trend: economic espionage

February 8, 2010
– An aerospace engineer was sentenced to over 15 years in prison for economic espionage and acting as an agent of the People’s Republic of China for more than 30 years while working for Rockwell and Boeing in the U.S., from which he stole trade secrets, including information related to the Space Shuttle program and the Delta IV rocket

International trend: Intellectual property theft

IP theft - a huge international problem
– 90% of the software, DVDs, and CDs sold in some countries are counterfeit*

The total global trade in counterfeit goods is more than $600 billion a year**
– IP theft costs U.S.A. businesses an estimated $250 billion annually, as well as 750,000 U.S.A. jobs.***

* InformationWeek
** World Customs Organization; Interpol.
*** U.S. Department of Commerce

International trend: Intellectual property theft

January 22, 2010
– A Saudi citizen, Ehab Ali Ashoor, was found guilty of trafficking in counterfeit Cisco goods
– He purchased counterfeit Cisco Gigabit Interface Converters (GBICs) on the Internet in an attempt to satisfy a contract with the U.S. Marine Corps in Iraq

February 5, 2010
– A Chinese national, Yongcai Li, was sentenced to 30 months in prison and ordered to pay $790,683 in restitution for trafficking in counterfeit Cisco goods

International trend: sale of unlawful substances/information

Unlawful sale/distribution of narcotics & other controlled substances

Unlawful sale/distribution of classified information

Illegal exports – violation of trade embargos

Impediments to enforcement of international cyber crime

Technically complex subject matter
– Lack of technically trained investigators, prosecutors, judges and jurors
– Technical forensic process may be required to acquire and preserve evidence

Time sensitive
– Evidence may be fleeting
– Special legal process may be required to acquire and preserve evidence

Impediments to enforcement of international cyber crime

Limited resources
– Data intensive
– Competes with other priorities

Transnational
– Separate sovereigns
– Lack of treaties or dual criminality provisions
– Slow, cumbersome MLAT process
– Language barriers

Solutions to enforcement of international cyber crime

Increased human and monetary resources
– Increased technical training
– Adequate technology
– Increased language training

Increased international cooperation
– Fundamental dual criminality standards between all countries
– Expansion of informal networks for immediate assistance

Solutions to enforcement of international cyber crime

Increased international cooperation (continued)
– Uniform financial standards for certain types of transactions/sites
– Uniform financial standards for suspicious monetary transaction alerts
– Uniform agreements to share seized assets, which constitute proceeds of fraud, with assisting agencies/governments

Any questions??
