Menace 2 the Wires Advances in the Business Models of Cyber Criminals - Guillaume Lovet.
Menace 2 the Wires
Advances in the Business Models of Cyber Criminals
-Guillaume Lovet
Presentation Objectives
• Recall the different cyber criminal profiles
• Recognize new cyber criminal schemes and understand where they originate
• Identify and quantify the business models behind them
• Raise public and industry awareness
Agenda
• Quick reminders:
– Cyber criminals profiles
– Cybercrime Marketplace
– Cybercrime Currency
• Mass Injections: from harmless defacements to MPack
• Threats 2.0: from the desktop to online applications
• Auction Fraud: from your account to your door
Introduction
• Cybercrime: criminal activity in which computers or networks are involved
• Cybercrime profits (World): $50 billion to $100 billion per annum
Introduction (II)
• Awareness increase
• How do Cyber criminals sustain their profits?
• Our habits evolve, blurring the online/real life line
• Cybercrime evolves accordingly
Quick Reminders
Cyber criminals:
Profiles, Marketplace, Currencies
Cyber criminals profiles
• Coders: the skilled
• Kids: the workforce
• Mob: the puppet masters?
• Drops: the mules
Cybercrime Marketplace
Cybercrime Currency
• e-gold
– Anonymity
– Irreversibility
– Independence
• Wired cash
– Irreversible
– Crosses borders instantly
– Fairly anonymous
E-gold feedback
Hey Doug, Still Baffled?
E-gold indictment charges
Mass Injections
…from harmless defacements to MPack
A bit of history
• Defacing: Replacing the victim’s web server index page
• Mainstream in the early 2000s
• Moderately destructive
• Common characteristics:
– Custom, usually dark gfx
– Patriotism
– Leet speech
– Admin taunting
– Linux preaching / Microsoft bashing
Defaced Page Paradigm
What for ?!
• Mass-defacements highly regarded
• But motivation was not financial gain
• Rarely carries a real political message
• So why?
For that!
• Based on the common characteristics, defacing expresses a need to:
– assert one’s belonging to a group
– assert one’s national identity (wider group)
– assert one’s competences / capacities
– do something “forbidden”
– compete with others
• In a nutshell: Defacers = Teenagers growing up
Another, more recent example (2007)
The Mpack case: Taking over Italy
• Mpack is a web application serving malicious content to visitors
• The malicious content exploits several flaws in various browsers, making it a “drive-by install” tool (no user interaction is needed from the victim)
• Mpack is sold by a gang of Russian “coders” for about $700
Mpack Case: What happened in June 2007?
• Thousands of Italian websites compromised
• 90% of those sites were hosted by Aruba.it
– Possible flaw exploited in the server hosting all those sites
– Still under investigation
• A malicious IFrame was injected into each hacked site, silently leading visitors to a Mpack server and infecting thousands of them
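As an added defender-side illustration (not code from the talk): a small scanner that walks a site's pages and flags iframes that both point off-site and are sized or styled to be invisible, the pattern a mass IFrame injection like the one above leaves behind. The sample pages and the host names in them are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not from the talk): a clean page and one carrying an
# injected, invisible, off-site iframe.
CLEAN_PAGE = """<html><body><h1>Shop</h1>
<iframe src="https://shop.example/cart" width="300" height="200"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Shop</h1>
<iframe src="http://stats.example.invalid/in.php" width=0 height=0 style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # boolean attributes arrive with value None; normalise them to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_suspicious_iframe(attrs, site_host):
    """Heuristic: off-site target combined with a 0/1-pixel size or hidden styling."""
    host = urlparse(attrs.get("src", "")).hostname
    if not host or host == site_host or host.endswith("." + site_host):
        return False  # same-site or relative frames are normal page structure
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(dim, "").strip() in ("0", "1") for dim in ("width", "height"))
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def scan_page(html_text, site_host):
    """Return the src of every iframe in html_text that looks injected."""
    parser = IframeCollector()
    parser.feed(html_text)
    return [f["src"] for f in parser.iframes if is_suspicious_iframe(f, site_host)]


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page, "shop.example"))
```

Run it over every HTML file a host serves (or over periodic fetches of a site's index page) to detect the injection from the defender's side; an unexpected hit is the cue to check the server for the compromise, not just to strip the tag.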
Mpack Case: a snippet of compromised sites
Mpack Case: Stats Server
Mpack Case: the business model behind
• Costs
– Mpack software: $700
– Compromising a hosting company server hosting thousands of sites: $10,000 (assuming 0day)
– Script inserting IFrames into each page: little skill, or about $50
Mpack Case: the business model behind
• Profits
– Using each one of the 10,000 infected computers as a spam relay (“one shot” operation)
• Assuming:
– Sending 100K emails before being blacklisted
– Advertisers pay 0.03 cents per email
10,000 x 100K x $0.0003 = $300,000
– Using each one of the 10,000 infected computers for Adware planting: $32,000 (monthly)
Mpack case: the business model behind
• Total Costs: $10,750
• Total Profits (first month): $332,000
• Gain (first month): $321,259
• Productivity index (Profits/Costs): 31
Threats 2.0
…from the desktop to online applications
Web 2.0
• Detailed inputs about the "Web 2.0" concept -> outside of our scope
• A quote that puts Web 2.0 in a nutshell: “seemingly every aspect of our data [is] moving toward online apps and away from the traditional desktop model” (Wired Magazine)
Consequences on the Threat Landscape
• Rise in online identity theft attacks
• Impersonating a user on an online app allows for:
– Retrieving the victim’s personal data
– Performing actions on the victim’s behalf
• Arsenal:
– Phisher Worms
– XSS / CSRF
– Plain old client-side trojaning
Phisher Worm / Social Worm: Example
Rogue Login Page
Phisher Worm outlines
• Combines Phishing and Automation
• Malicious code sits on the server, not on the victim’s computer
• Advanced Phisher Worms exist, resorting to tricky user-provided HTML, redirectors and mind-tricks
• Spreads exponentially fast: the average user has about 100 friends
XSS / CSRF Worms
• Cross Site Scripting (XSS) exploits the trust that the client has for the vulnerable website
– Typically used to steal cookies and hijack sessions on the vulnerable site
• Cross Site Request Forgery (CSRF) exploits the trust that the vulnerable website has for the user
– Typically used to execute actions on behalf of the victim on the vulnerable site (e.g. send a message, modify some personal settings, etc.)
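To make the two trust directions concrete, an added Python illustration (not code from the talk or any real social networking site): a "modify personal settings" handler that trusts the session cookie alone accepts a form auto-submitted from any other site the victim visits (CSRF), while the hardened version also demands a per-session token that a foreign page cannot read; storing the profile text verbatim and rendering it raw is the XSS side, closed by escaping on output. The in-memory session store and the handler names are assumptions.

```python
import hmac
import html
import secrets

# Constructed in-memory session store (stands in for a web framework's session
# backend): session id -> session data.
SESSIONS = {}


def new_session(user):
    """Create a session and mint the anti-CSRF token that only our own pages embed."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "about": ""}
    return sid


def update_settings_vulnerable(sid, form):
    """Trusts the session cookie alone: the browser attaches it to a cross-site POST
    too, so the site cannot tell the victim's click from a forged request."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, None
    sess["about"] = form.get("about", "")  # stored verbatim, rendered raw later (XSS)
    return 200, sess["about"]


def update_settings_hardened(sid, form):
    """Requires the per-session token, which a cross-site page cannot read or forge."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, None
    token = form.get("csrf", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, None  # request did not originate from our own page for this session
    sess["about"] = form.get("about", "")
    return 200, sess["about"]


def render_profile(sess, escape=True):
    """Render the free-text profile field; escape=False shows the XSS-prone rendering."""
    about = sess["about"]
    return "<p>" + (html.escape(about) if escape else about) + "</p>"


if __name__ == "__main__":
    sid = new_session("alice")
    print(update_settings_vulnerable(sid, {"about": "<b>hi</b>"}))
    print(update_settings_hardened(sid, {"about": "x"}))
    print(update_settings_hardened(sid, {"about": "x", "csrf": SESSIONS[sid]["csrf"]}))
    print(render_profile(SESSIONS[sid]), render_profile(SESSIONS[sid], escape=False))
```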
XSS / CSRF Worms (continued)
• In 2005: Samy’s worm (for fun) => over one million friends within 20 hours
• In Dec. 2006: Quickspace worm (for profit):
– viewing = getting infected
– Being infected = infecting others + having a banner on your profile
• It did happen and it will likely happen again (XSS/CSRF hard to spot)
• Main Question: What is the point?!
The Business Logic Behind: Example
The Business Logic Behind: Model (Costs)
Costs
• Assuming:
– Target: Posting an ad every week (so that it is always on the front page) for a month to 60,000 individual profiles
– Price to pay for each posted ad: equals 10 times the average price to pay a bot herder for sending out one spam email (~ $0.003)
• Renting the services of a social networking site phisher: 60,000 x $0.003 x 4 = $720 per month
The Business Logic Behind: Model (Profits)
Profits
• Assuming:
– Each ad is viewed on average 30 times per day (equals the average daily page views per profile on MySpace)
– Posted ads click-through rate: 5%
– Pay per click rate: $0.05
• Pay per click affiliate program monthly revenue:
60,000 ads x 30 daily views x 30 days x 5% x $0.05 = $135,000 per month
The Business Logic Behind: Model (Summary)
• Summary
– Total Costs: $720
– Total Profits: $135,000
– Gain: $134,280
– Productivity index (Profits/Costs): 187
• Bottom line?
– more or less masqueraded spam is flourishing on social networking sites
– may seem innocuous at first sight
– But very organized and yields outstanding profitability figures
Auction Fraud
…from your account to your door
“eBaying”
• The term “eBaying” has two meanings…
• eBaying guides sold on IRC
• As old as eBay itself
• Evolution over the past two years:
– Automation
– Risk taking
Plain Bogus Item
• One of the easiest and quickest ways to make money on the internet:
1. Choose an item with high buzz factor, or a real bargain
2. Create an account and set up a bogus auction
3. Use low-ball to obtain payment via WU / MG
4. Cash in (possibly via a drop) and vanish
5. GOTO 1
• Gives rise to amusing situations
Plain Bogus Item: The Magic Pen
Bogus Item with User Feedback
• Used to work well, but with the increase in user awareness, selling from accounts with no feedback is difficult
• To sustain productivity: need to find a way to get hold of an account with good feedback at will
• There are really only two solutions:
– Steal it
– Craft it
Steal It: Costs
• Costs (covering the actual Phishing operation)
– Phishing Kit: Scam letter + scam page: $5
– Fresh spam list: $8
– php-mailers to spam out 100K emails for 6 hours: $30
– Hacked site for hosting scam page for a couple of days: $10
– Valid cc to register domain name: $10
Steal It: Profits
• Profits
• Assuming:
– A phishing success rate of 0.0001
– Half of the hooked accounts suitable for bogus auctions
– An average price of $4,000 for the items sold
10 x 0.5 x $4,000 = $20,000
Steal It: Summary
• Summary
– Total costs: $63
– Total profits: $20,000
– Productivity Index (Profits/Costs): 317
• Notes:
– Raw profits not impressive, but P.I. is outstanding
– Selling more valued items may boost P.I. but increase risks and decrease robustness
Craft It: Broker Bots
• Many "buy it now" items at the price of 1 cent with no delivery cost (usually eBooks, pictures, wallpapers, etc.)
Spot The Seven Differences
Craft It: Recollection
1. Someone is massively creating randomly named “spider” user accounts
2. Spiders seek & buy 1-cent "buy it now" items
3. The seller script emails the item to the spider and posts its standard feedback on the spider’s profile
4. The spider automatically responds with a standard feedback comment on the seller’s profile
In a nutshell: two bots are talking – and doing business
Craft It: Model
• Costs:
– Building 100 accounts with 15 positive feedback messages each: $0.1 x 100 x 15 = $15
• Profits:
– Assuming:
• A moderate scam success rate of ¼
• Moderately priced bogus items (about $100)
100 x 1/4 x $100 = $2,500
Craft It: Summary
• Total costs: $15
• Total profits: $2,500
• Gain: $2,475
• Productivity Index (Profits/Costs): 166
The pay-on-delivery scam
• Pay on delivery (aka Cash on Delivery, or “COD”) earns buyers’ confidence => easier to sell bogus items
• But then, how can cyber criminals make money with that?
The pay-on-delivery scam (cont)
• On IRC, a “lead” = someone willing to buy something somewhere, with payment on delivery
• Leads can be sold on IRC (via e-gold, WU, MG…)
• Lead buyer:
– dress as TNT guy
– show up at the victim’s door
– deliver a box full of turds
– cash the payment
– Leave
• Is it Cybercrime, plain crime, or a mix of both?
• Cyber criminals are willing to take more risks to get richer, faster
Conclusion
• New cyber criminal schemes still:
– Highly profitable
– Relatively easy to implement
– Involve abnormally low risks, given the odds
Thus tremendously tempting
• Issues
– The Internet is borderless
– The police in emerging countries focuses on criminal activity that produces corpses
Bonus Track: The 10 most profitable Cyber criminal Business Models
Questions?
(No, I still do not drive a Mercedes 600SL)