Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet
Transcript of Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet
Menace 2 the Wires
Advances in the Business Models of Cyber Criminals
-Guillaume Lovet
Presentation Objectives
• Recall different Cyber Criminals profiles
• Recognize new cyber criminal schemes and understand where they originate from
• Identify and quantify the business models behind them
• Raise public and industry awareness
Agenda
• Quick reminders:
 – Cyber criminals profiles
 – Cybercrime Marketplace
 – Cybercrime Currency
• Mass Injections: from harmless defacements to MPack
• Threats 2.0: from the desktop to online applications
• Auction Fraud: from your account to your door
Introduction
• Cybercrime: criminal activity in which computers or networks are involved
• Cybercrime profits (World): $50 billion to $100 billion per annum
Introduction (II)
• Awareness increase
• How do Cyber criminals sustain their profits?
• Our habits evolve, blurring the online/real life line
• Cybercrime evolves accordingly
Quick Reminders
Cyber criminals:
Profiles, Marketplace, Currencies
Cyber criminals profiles
• Coders: the skilled
• Kids: the workforce
• Mob: the puppet masters?
• Drops: the mules
Cybercrime Marketplace
Cybercrime Currency
• e-gold
 – Anonymity
 – Irreversibility
 – Independence
• Wired cash
 – Irreversible
 – Crosses borders instantly
 – Fairly anonymous
E-gold feedback
Hey Doug, Still Baffled?
E-gold indictment charges
Mass Injections
…from harmless defacements to MPack
A bit of history
• Defacing: Replacing the victim’s web server index page
• Mainstream in the early 2000s
• Moderately destructive
• Common characteristics:
 – Custom, usually dark gfx
 – Patriotism
 – Leet speech
 – Admin taunting
 – Linux preaching / Microsoft bashing
Defaced Page Paradigm
What for?!
• Mass-defacements highly regarded
• But motivation was not financial gain
• Rarely carries a real political message
• So why?
For that!
• Based on the common characteristics, defacing expresses a need to:
 – assert one’s belonging to a group
 – assert one’s national identity (wider group)
 – assert one’s competences / capacities
 – do something “forbidden”
 – compete with others
• In a nutshell: Defacers = Teenagers growing
Another, more recent example (2007)
The Mpack case: Taking over Italy
• Mpack is a web-application serving malicious content to visitors
• The malicious content exploits several flaws in various browsers, making it a “drive by install” tool (No user interaction is needed from the victim)
• Mpack is sold by a gang of Russian “coders” for about $700
Mpack Case: What happened in June 2007?
• Thousands of Italian websites compromised
• 90% of those sites were hosted by Aruba.it
 – Possible flaw exploited in the server hosting all those sites
 – Still under investigation
• A malicious IFrame was injected in each hacked site
• It silently led visitors to a Mpack server, infecting thousands of them
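The injection described in this case (a hidden IFrame silently added to every page on a compromised host) is something a hosting provider or site owner can scan for. The following Python scanner is an added example, not code from the presentation: the hidden-frame heuristics, the hostnames and the sample pages are constructed assumptions, and a frame is reported only when it both points off-site and is hidden.

```python
"""Flag hidden iframes that point off-site in served HTML pages.

Added example, not code from the presentation. Heuristics are assumptions:
an iframe is reported when it targets a host other than the page's own
host AND is hidden (zero/one-pixel size, display:none or visibility:hidden),
which is how a mass-injected "drive by" frame avoids being noticed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True when the frame is styled or sized so that a visitor cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        # Attribute form: width="0" / height="1" (with or without "px")
        val = attrs.get(dim, "").strip().lower().rstrip("px").strip()
        if val in ("0", "1"):
            return True
        # Inline-style form: style="width:0px;height:0px"
        if f"{dim}:0" in style or f"{dim}:1px" in style:
            return True
    return False


def find_suspicious_iframes(page_html, page_host):
    """Return the src of each hidden iframe whose host differs from page_host."""
    collector = IframeCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the page's own host and is not reported
        host = (urlparse(src).hostname or page_host).lower()
        if host != page_host.lower() and _is_hidden(attrs):
            findings.append(src)
    return findings


def scan_hosted_sites(sites):
    """sites: {host: html}. Returns {host: [suspicious src, ...]} for hosts with hits."""
    report = {}
    for host, page_html in sites.items():
        hits = find_suspicious_iframes(page_html, host)
        if hits:
            report[host] = hits
    return report


# Constructed sample pages (hosts and URLs are placeholders, not real sites)
CLEAN_PAGE = """<html><body><h1>Benvenuti</h1>
<iframe src="https://www.clean-example.test/player" width="640" height="360"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Benvenuti</h1>
<iframe src="http://injected-host.invalid/in.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

SAMPLE_SITES = {
    "www.clean-example.test": CLEAN_PAGE,
    "www.hacked-example.test": INJECTED_PAGE,
}

if __name__ == "__main__":
    for host, srcs in scan_hosted_sites(SAMPLE_SITES).items():
        print(host, "->", srcs)
```

Run over a crawl of every site on a shared host, a sudden burst of hits that all point at the same external URL is the signature of the mass injection discussed here, rather than of a single site's own embedded content.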
Mpack Case: a snippet of compromised sites
Mpack Case: Stats Server
Mpack Case: the business model behind
• Costs
 – Mpack software: $700
 – Compromising a host company server hosting thousands of sites: $10,000 (assuming 0day)
 – Script inserting IFrames into each page: little skill, or about $50
Mpack Case: the business model behind
• Profits
 – Using each one of the 10,000 infected computers as a spam relay (“one shot” operation)
   • Assuming:
     • Sending 100K emails before being blacklisted
     • Advertisers pay 0.03 cents per email
   10,000 x 100K x $0.0003 = $300,000
 – Using each one of the 10,000 infected computers for Adware planting: $32,000 (monthly)
Mpack case: the business model behind
• Total Costs: $10,750
• Total Profits (first month): $332,000
• Gain (first month): $321,259
• Productivity index (Profits/Costs): 31
Threats 2.0
…from the desktop to online applications
Web 2.0
• Detailed inputs about the "Web 2.0" concept -> outside of our scope
• A quote that puts Web 2.0 in a nutshell:
“seemingly every aspect of our data [is] moving toward online apps and away from the traditional desktop model“
(Wired Magazine)
Consequences on the Threat Landscape
• Raise in online identity theft attacks
• Impersonating a user on an online app allows for:
 – Retrieving the victim’s personal data
 – Performing actions on the victim’s behalf
• Arsenal:
 – Phisher Worms
 – XSS / CSRF
 – Plain old client-side trojaning
Phisher Worm / Social Worm: Example
Rogue Login Page
Phisher Worm outlines
• Combines Phishing and Automation
• Malicious code sits on the server, not on the victim’s computer
• Advanced Phisher Worms exist, resorting to tricky user-provided HTML, redirectors and mind-tricks
• Spreads exponentially fast: the average user has about 100 friends
XSS / CSRF Worms
• Cross Site Scripting (XSS) exploits the trust that the client has for the vulnerable website
 – Typically used to steal cookies and hijack sessions on the vulnerable site
• Cross Site Request Forgery (CSRF) exploits the trust that the vulnerable website has for the user
 – Typically used to execute actions on behalf of the victim on the vulnerable site (e.g. send a message, modify some personal settings, etc.)
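The two trust relationships above map onto two server-side controls: escaping user-supplied profile text on output (so it renders as text, not markup) and binding state-changing requests to a token the browser cannot forge cross-site. The Python below is an added example, not the presentation's code; the toy profile page, the session ids and the form handler are constructed assumptions.

```python
"""XSS and CSRF defences for a social-networking-style profile page.

Added example, not code from the presentation. The tiny "app" below is
constructed for illustration: profile text is user-supplied, and a POST
that changes settings must carry a token bound to the session.
"""
import hashlib
import hmac
import html
import secrets

# Constructed: a per-deployment secret used to derive CSRF tokens
SERVER_SECRET = secrets.token_bytes(32)

# Constructed XSS probe of the kind a worm would place in its own profile
PAYLOAD = "<script>alert('xss')</script>"


def render_profile_vulnerable(about_me):
    """Raw interpolation: markup in the profile runs in every viewer's browser."""
    return f"<div class='about'>{about_me}</div>"


def render_profile_safe(about_me):
    """Escape on output so user text is displayed as text, never parsed as tags."""
    return f"<div class='about'>{html.escape(about_me, quote=True)}</div>"


def session_cookie_header(session_id):
    """HttpOnly keeps page scripts from reading the cookie (limits XSS cookie theft);
    SameSite=Strict keeps cross-site requests from carrying it (limits CSRF)."""
    return f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


def csrf_token(session_id):
    """Synchronizer token derived from the session: HMAC(server secret, session id).
    A page from another origin cannot read it, so it cannot be replayed cross-site."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_settings_post(session_id, form):
    """Apply a settings change only when the form carries this session's token."""
    expected = csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token validity cannot be probed byte by byte
    if not hmac.compare_digest(expected, supplied):
        return 403, "rejected: missing or wrong CSRF token"
    return 200, f"settings updated: {form.get('display_name', '')}"


if __name__ == "__main__":
    print(render_profile_vulnerable(PAYLOAD))
    print(render_profile_safe(PAYLOAD))
    sid = "session-abc"  # constructed session id
    print(handle_settings_post(sid, {"display_name": "worm"}))
    print(handle_settings_post(sid, {"display_name": "me", "csrf_token": csrf_token(sid)}))
```

The safe renderer turns the probe's angle brackets into entities, so a profile view displays the script source instead of executing it; the settings handler rejects the forged request because a cross-site page has no way to obtain the session's token.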
XSS / CSRF Worms (continued)
• In 2005: Samy’s worm (for fun) => over one million friends within 20 hours
• In Dec. 2006: Quickspace worm (for profit):
 – viewing = getting infected
 – Being infected = infecting others + having a banner on your profile
• It did happen and it will likely happen again (XSS/CSRF hard to spot)
• Main Question: What is the point?!
The Business Logic Behind: Example
The Business Logic Behind: Model (Costs)
Costs
• Assuming:
 – Target: Posting an ad every week (so that it is always on the front page) for a month to 60,000 individual profiles
 – Price to pay for each posted ad: equals 10 times the average price to pay a bot herder for sending out one spam email (~$0.003)
• Renting the services of a social networking site phisher: 60,000 x $0.003 x 4 = $720 per month
The Business Logic Behind: Model (Profits)
Profits
• Assuming:
 – Each ad is viewed on average 30 times per day (equals the average daily page views per profile on MySpace)
 – Posted ads click-through rate: 5%
 – Pay per click rate: $0.05
• Pay per click affiliate program monthly revenue:
 60,000 ads x 30 daily views x 5% x $0.05 x 30 days = $135,000 per month
The Business Logic Behind: Model (Summary)
• Summary
 – Total Costs: $720
 – Total Profits: $135,000
 – Gain: $134,280
 – Productivity index (Profits/Costs): 187
• Bottom line?
 – More or less masqueraded spam is flourishing on social networking sites
 – May seem innocuous at first sight
 – But very organized and yields outstanding profitability figures
Auction Fraud
…from your account to your door
“eBaying”
• The term “eBaying” has two meanings…
• eBaying guides sold on IRC
• As old as eBay itself
• Evolution over the past two years:
 – Automation
 – Risk taking
Plain Bogus Item
• One of the easiest and quickest ways to make money on the internet:
1. Choose an item with high buzz factor, or a real bargain
2. Create an account and set up a bogus auction
3. Use low-ball to obtain payment via WU / MG
4. Cash in (possibly via a drop) and vanish
5. GOTO 1
• Gives rise to amusing situations
Plain Bogus Item: The Magic Pen
Bogus Item with User Feedback
• Used to work well, but as user awareness increases: difficult selling from accounts with no feedback
• To sustain productivity: need to find a way to get hold of an account with good feedback at will
• There are really only two solutions:
 – Steal it
 – Craft it
Steal It: Costs
• Costs (covering the actual Phishing operation)
 – Phishing Kit: scam letter + scam page: $5
 – Fresh spam list: $8
 – php-mailers to spam out 100K emails for 6 hours: $30
 – Hacked site for hosting scam page for a couple of days: $10
 – Valid cc to register domain name: $10
Steal It: Profits
• Profits
 – Assuming:
   • A phishing success rate of 0.0001 (100K emails x 0.0001 = 10 hooked accounts)
   • Half of the hooked accounts suitable for bogus auction
   • An average price of $4,000 for the items sold
 10 x 0.5 x $4,000 = $20,000
Steal It: Summary
• Summary
 – Total costs: $63
 – Total profits: $20,000
 – Productivity Index (Profits/Costs): 317
• Notes:
 – Raw profits not impressive, but P.I. is outstanding
 – Selling more valued items may boost P.I. but increase risks and decrease robustness
Craft It: Broker Bots
• Many "buy it now" items at the price of 1 cent with no delivery cost (usually eBooks, pictures, wallpapers, etc.)
Spot The Seven Differences
Craft It: Recollection
1. Someone is massively creating randomly named “spider” user accounts
2. Spiders seek & buy 1-cent "buy it now" items
3. The seller script emails the item to the spider, and posts its standard feedback on the spider’s profile
4. The spider automatically responds with a standard feedback comment on the seller’s profile
In a nutshell: two bots are talking – and doing business
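The bot-to-bot loop just described leaves a pattern a marketplace's fraud team can look for: a seller whose positive feedback comes almost entirely from near-zero-price sales, repeats the same comment text, and arrives from throwaway buyer accounts. The scoring below is an added example, not from the presentation; the record layout, the thresholds and the sample feedback records are constructed assumptions.

```python
"""Heuristic detection of feedback-farming rings built from 1-cent sales.

Added example, not code from the presentation. Record layout and
thresholds are assumptions: a seller is flagged when its positive
feedback is dominated by near-zero-price sales and by one repeated
comment text, which is what two scripts trading with each other produce.
"""
from collections import Counter, defaultdict

# Constructed sample feedback records: (seller, buyer, price_usd, comment)
FEEDBACK = [
    ("bookshop_uk", "alice_77", 12.50, "Fast delivery, thanks!"),
    ("bookshop_uk", "bob_k", 8.00, "Great seller"),
    ("bookshop_uk", "carol", 15.00, "Item as described"),
] + [
    # Fifteen identical 1-cent purchases from randomly named "spider" accounts
    ("xkq9z2", f"u{n:05d}", 0.01, "A++ great seller fast delivery")
    for n in range(15)
]


def farm_score(records, price_threshold=0.05, min_feedback=10):
    """Score each seller in [0, 1]: mean of the cheap-sale ratio and the
    repeated-comment ratio. Sellers with too little feedback score 0."""
    by_seller = defaultdict(list)
    for seller, buyer, price, comment in records:
        by_seller[seller].append((buyer, price, comment))

    scores = {}
    for seller, items in by_seller.items():
        if len(items) < min_feedback:
            scores[seller] = 0.0
            continue
        cheap = sum(1 for _, price, _ in items if price <= price_threshold)
        top_comment_count = Counter(c for _, _, c in items).most_common(1)[0][1]
        cheap_ratio = cheap / len(items)
        repeat_ratio = top_comment_count / len(items)
        scores[seller] = round((cheap_ratio + repeat_ratio) / 2, 2)
    return scores


def flagged_sellers(records, cutoff=0.8):
    """Sellers whose farm score reaches the cutoff, sorted for stable output."""
    return sorted(s for s, v in farm_score(records).items() if v >= cutoff)


if __name__ == "__main__":
    for seller, score in farm_score(FEEDBACK).items():
        print(f"{seller}: {score}")
    print("flagged:", flagged_sellers(FEEDBACK))
```

A real deployment would add the buyer side of the loop (accounts created in bulk that only ever buy 1-cent items) and weight feedback by transaction value when computing a seller's reputation, so that fifteen 1-cent sales do not carry the trust of fifteen genuine ones.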
Craft It: Model
• Costs:
 – Building 100 accounts with 15 positive feedback messages each: $0.1 x 100 x 15 = $15
• Profits:
 – Assuming:
   • A moderate scam success rate of 1/4
   • Moderately priced bogus items (about $100)
 100 x 1/4 x $100 = $2,500
Craft It: Summary
• Total costs: $15
• Total profits: $2,500
• Gain: $2,475
• Productivity Index (Profits/Costs): 166
The pay-on-delivery scam
• Pay on delivery (aka Cash on Delivery, or “COD”) earns buyers’ confidence => easier to sell bogus items
• But then, how can cyber criminals make money with that?
The pay-on-delivery scam (cont)
• On IRC, a “lead” = someone willing to buy something somewhere, with payment on delivery
• Leads can be sold on IRC (via e-gold, WU, MG…)
• Lead buyer:
 – dress as a TNT guy
 – show up at the victim’s door
 – deliver a box full of turds
 – cash the payment
 – leave
• Is it Cybercrime, plain crime, or a mix of both?
• Cyber criminals are willing to take more risks to get richer, faster
Conclusion
• New cyber criminal schemes still:
 – Highly profitable
 – Relatively easy to implement
 – Involve abnormally low risks, given the odds
 Thus tremendously tempting
• Issues
 – The Internet is borderless
 – The police in emerging countries focus on criminal activity that produces corpses
Bonus Track: The 10 most profitable Cyber criminal Business Models
Questions?
(No, I still do not drive a Mercedes 600SL)