Tackling the illegal trade in the Digital world

Graham Butler – Chairman, Bitek Group of Companies © 2016. Cyber-laundering: dirty money digitally laundered - Tackling the illegal trade in the Digital world. Graham Butler, Special Presentation to the Academy of European Law, Budapest – March 2016. Co-funded by the Justice Programme of the European Union 2014-2020.

Transcript of Tackling the illegal trade in the Digital world

Page 1: Tackling the illegal trade in the Digital world

Graham Butler – Chairman Bitek Group of Companies © 2016

Cyber-laundering: dirty money digitally laundered-

Tackling the illegal trade in the Digital world

Graham Butler

Special Presentation to the Academy of European Law, Budapest – March 2016

Co-funded by the Justice Programme of the European Union 2014-2020

Page 2: Tackling the illegal trade in the Digital world

Graham Butler – President and CEO Bitek © 2013


Supporting the Cyber-Security agenda

ERA (Academy of European Law) – Lisbon / Trier / Sofia / Brussels. Address: Threats to Financial Systems – VoIP, lawful intercept, money laundering

CTO (Commonwealth Telecommunications Organisation) – London. Address: Working group on strategic development for 2016-2020

ITU High level Experts Group – Cybersecurity Agenda – Geneva (United Nations). Address: VoIP and P2P Security – Lawful Intercept

ENFSC (European Network Forensic and Security Conference) – Maastricht. Address: Risks of P2P in Corporate Networks

CTITF (Counter Terrorism Implementation Taskforce) – Seattle. Address: Terrorist use of encrypted VoIP/P2P protocols - Skype

Norwegian Police Investigation Section – Oslo. Address: Next Generation Networks – VoIP Security (fixed and mobile networks)

IGF (Internet Governance Forum) – Sharm El Sheikh, Egypt. Address: Threats to Carrier Revenues and Government Taxes – VoIP bypass

EastWest Institute Working Group on Cybercrime – Brussels / London. Working Groups: Global Treaty on Cybersecurity / Combating Online Child Abuse

CANTO (Caribbean Association of National Telecoms Org) – Belize / Barbados. Address: Reversing Declines in Telecommunications Revenue

ICLN (International Criminal Law Network) – The Hague. Address: Cybercrime Threats to Financial Systems

CIRCAMP (Interpol / Europol) – Brussels. Working Groups: Online Child Abuse – The Fight Against illegal Content

Page 3: Tackling the illegal trade in the Digital world

The evolution of interception - circuit switched networks

1. Threat to National Security

2. Suspect identified

3. Court application for LI warrant

4. Court issues interception warrant

5. Agency provides warrant to Operator

6. Operator sends LI data to agency

Diagram: Time-Division Multiplexing (TDM) Traditional Circuit Switched Networks. Labels: 2G / 3G / 4G / 5G; TDM ‘numbered’ calls; TDM Interconnect; Circuit Switch; Court Order Lawful Interception.

Page 4: Tackling the illegal trade in the Digital world

The evolution of interception - packet switched networks?

Next Generation Traffic Challenges (ML)

Diversity and encryption create a ‘safe haven’ for crime/terrorism

Diagram labels: CLOUD A – The World Wide Web; CLOUD B – National IP Network; VoIP Packets (Encrypted Services?); Inbound VoIP / OTT SERVICES – Unlicensed / Bypass / Fraud; IP Gateway; SIM Bank, PBX/VoIP Switch, Media Gateway; Broadband Router; WiFi, WiMax, 3G, 4G; 2G / 3G / 4G TDM ‘numbered’ call; VoIP/OTT app call; (Gaming Console) VoIP/OTT app; A; B.

Page 5: Tackling the illegal trade in the Digital world

Diversity of Internet Activity (Intel)

Page 6: Tackling the illegal trade in the Digital world


Unlicensed SIP VoIP (RFC 3261 variants) 373 competitors

aamranetworks.com, Abovenet Communications, Acess Kenya Group, ACN_DSL, Atlantic Broadband, Airtel Broadband, Akamai, ALGX, Amazon.com, AmazonHosting, Angel Drops, Aruba, ASKTel, ASTA Net, 24/7 Real Media ARTNET, AT&T U-verse, AT&T wireless, Bandcom, Beeline, Beam Telecom, Belgacom Skynet, BellCanada, Bell Mobility, BellSouth, BTS, Bharti Airtel, Bankstown-Clinical-School , BICS, Blast_Comms , Bluewin, Bouygues Telecom, Bright House Networks, Broadvoice, BSNL, BT Italia, Beyond The Network America, Cable 1, Cablecom, Cablevision, Cabel Digital Kabel TV, Cable and Wireless Americas Operations, CANTV services, Century Link, Checkbox, Charter Communications, China Telecom, China Mobile, China Telecom YunNan, China Telecom Jiangsu, China Telecom Sichuan, CJSC Ural Trans Telecom, Completel, Cameroon Telecommunications Ltd, China Tie Tong, CoLoSolutions, Cogent Communications, CommPeak (Amazon Hosted), Canaca.com, China Unicom, Claro Dominican Republic, Claro Peru, Clear Wireless, Comnet, CANL, Choopa, Connexions 4 London, Cogeco Cable, Compass , ComCast, Corgi Tech Ltd, Chunghwa telecom, Consejo Hondureno de Ciencie y Tecnologia, CTBC, Cybercon, CYTA HELLAS, nyc callcenter 1, Datacenter, Dedibox, Dial Telecom, Digital Networks CJSC, Distributel Communications, Dixivox, Deltathree, DIGI Ltd, Digicel Jamaica, Dooel Kavadarci, Donbass Electronic Communications Ltd, DNA Oy, DODO, DTS Ltd, E Networks, Econocall, Ecatel, Ecuador Telecoms, EdgeCast Networks, EGNET, Elion Enterprises GANDI, Eircom, Elisa OYJ Mobile, Emirates Telecom, Enterprise Networks, Entertainment Television, Eweka Internet Services, FibreNet, Fibernetica Corp, FLOW, Fonebee, FORTHnet, Freeport-McMoran, Free SAS, Gateway Communications, Galaxy Communications, Gestora de infraestructursa de telecomm, GetGeorgeMobile, GCA Telecom El Salvador, GCN/DCN Networks, GIO Moblie Ghana, Globalinx, Global Net Access, Global Village, Globe Telecom, googletalk, Godaddy.com, GoandCall, GoGent, Golden Lines Cable, Guandong 
Molile Communications, Hadara, Haiti Networking Group, Haiti Telecom, Hanaro Telecom, H3G Italy, Home Network Japan, Hong Kong Broadband Networks, Hotwire Communications, Hubei, Hurricane Electric, INDIT Hostings, Infracom Italia, Inphonex, Inei international, Internap Network Services, Icall, IDT Corporation, iweb, Incapsula.com, Inet Limited, Internetcalls/Freecall, Internet Development Company, IPCommunications, Lifeisbetteron, Iscon Internet, Isotropic Networks, Ispro Lietisum, IPTelligentLLC, ITIBITI.COM, Jazz Telecom, Joyent, JSC, JSC Kazakhtelecom, Kabel Deutschland, Kampung Communications, Karib Cable, KEKU (Amazon), Kimsufi.com, Korea Telecom, Krypt Technologies, KPN B>V>, Lankacom, Lbisat, Leaseweb BV, Level 3 Communication, Lexis-nexis, LgDacomCo, Libantelecom, Lightspeed_SBCglobal, Lightyear Network, Limelight Networks, Link Egypt, LG Powercom, LG Telecom, LLP Asket, LowRateVoIp, Mana S>A>, Magma, Maroc Telecom, Magyar Telecoms, LINODE, MobileOne, Mainehealth Medical Centre, Mauritius Telecom, Mediaserv, Mediaring network services, Mediacom Communications, Megapath, merkenmarketeers (BICS), MS Hotmail, Microsoft corporation, Microsoft Hosting, MIR Telematiki, M2 Telecomms Group, Microsoft Ltd, Microsoft Internet data center, MTNBusiness (telkom Hosted), Mobitel, Movistar, Multilink, Multiregional Transit Telecom, MWEB Connect, mycingilar.net, N Layer, Nec Biglobe, NC Nummericable, Netvision, Net2Wholesale, Net2Phone, Netzquadrat, NexG, Nexgen Networks, Nextgen tel, NetstreamTechnology, NetTalk, Netia SA, NOC4HOSTS, ntlworld, NTT&Verio, Nymgo, Net 1, OFFRATEL, Open Market, Onavo, Open Computer network, Oi Internet, Oi Velox, OVH SASOOREDOO, OVH Hosting, Orange Espania, Orange Dominica Power phone, Orange France, Orange Home UK, Orange Palastine Group, OJSC Kyrgyztelecom, OJSC Rostelom, OJSC MegaFon, Ortel Communications M/S, Pakistan Telecommunications Company, Palastine, Packet Exchange, Rackspace Pixius Communications, Primus, Paetec, Peer1, Pinger, 
Peru_S.a.c, PLDT (Philippine Long Distance Telephone), Republican Unitary Telecommunications, RCS & RDS Residential, RNADTA, Quadranet, Reflected Networks, Rodgers Cable, ROM Telecom, Rostelcom Kaluga, RCN, RSL COM Canada, R Cable y telecomuniciones Galicia ServerCentral, Samjung Data Service, SSDN Communications, sakura internet inc, SaudiNet, SFR, Sedel, SK Telecom, SKY Broadband, Singlehop, Smart Broadband, Softbank Telecom Corp, Softlayer, SoftlayerMGBlock, STS, SONATEL, Sprint, Speedclick, Splendor, Spectrmnet, Starnet, Starhub Internet, Subisu Cablenet (pvt ) Ltd, Switchspace, Syrian Telecommunications, TATA Communications, Telefonica USA, Telecommunications Company, Time Warner Cable, T Mobile, Telebec, Telkom Internet, Telstra Internet, Telecom Algeria, telenet N.V., Telio Holdings, Telefonica De Argentina, Telus Communications, TPG Internet Pty, TalkFree, Telenor, TeliaCarrier, Tikona Digital Networks Pvt, Telefonica De Espana, Telia Network Services, Telecom Internet, Telecom Services Trinidad & Tobago, Tiscali, Telecom Malaysia Berhad, Tricom, Talk4Free, Telgua, Telinta VoIP Company, Telefonica Moviles Panama, Tirpitz, Tim Celular S.A. Telecom Indonesia, TOT Public Company Limited, Turk Telecom, UK Rtelecom, Ubiquity Servers, UCOM, UPC AUSTRIA, UPC Polska, Vonage (Leaseweb.B.V), Voyager Internet Limited, Verat DOO, Verizon, Verizon Sweden, Vivacom, VideoTron, VDC, VIVO, VOO, Vosox, voxsun.net, ViVox, Vitelity, Virtustream, Vonage, VolumeDrive, Vaboomz, Voipms, Yahoo, VoX Communications, Voxee, Wave Internet Services, WebNX, Webair, WholeSale Internet, WindTelecom, Windstream Communications, XO_Communications, Xplornet Communications, YahooSIP, YOU Broadband, ZAMTEL, Ziggo, ZON TV cabo, ZSR-ZT Bratislava, 44Direct, 8 x 8

373 offshore SIP operators (Haiti telecoms)

Unlicensed competition causes false market rates (anti-competitive)

Policy decision to remove fraudulent bypass services

Create a regulatory environment where SIP operators are licensed

SIP operators will pay the appropriate fees and taxes

Fair market conditions will establish correct market rates

What is the financial model behind each operator? Linked to ML?


Page 7: Tackling the illegal trade in the Digital world


The diversity of VoIP protocols and applications

PROTOCOLS (6) APPLICATIONS (113) – Commercial VoIP Operators

SIP (95) Astra, Asterisk (PBX), AIM Phone, AllfreeCalls.net, Broadvoice, BT-Yahoo, BuddyTalk, Calleasy, Chamaleon, Deltathree, Dialpad, Dialnow, Cheap calls to India, Cockatoo, Ding-a-Ling, Earthcaller, Ekiga (old GnomeMeeting), Expresstalk, Fonebee, Freeswitch, Fring, FreeCallPlanet, Free calls to Pakistan, Free VoIP International Calls, FWD.Communicator, Gizmocall, Gizmo Project (Gizmo5), Globalinx, GrandCentra, iCall, intervoip, iSkoot, Jajah, Jangl, Jaxtr, Justvoip, KCall, Kphone, Kutecom, Lingo VoIP, Linphone, LowrateVoip, Lycos, MagicJack, MediaRing, Minisip, Mobivox, MrTalk, MSN Messenger, Nettalk, Nonoh, ooVoo, OpenWengo, PacPhone, Packet8, Paltalk, Peerio, Pennytel, OpenSip, PhoneGaim, PhoneGnome, Sgoope, SightSpeed, SIP Communicator, SIP User Agent, SIPCLI, SipXphone, SJPhone, SMSDiscount, Switchspace, Talqer, TalkPlus, Teltub, Tringme,Truphone, Yaka, Yahoo, VD3Delta, Viber, Vivox, Vonage, Voncp, VoIP Buster, VoIP Cheap, Voipraider, Voipwise, VOX, Voixio, Windows Live Messenger, X-Lite, X-Pro-Vonage, Yate , 3XC, 8x8, 12voip

H323 NetMeeting, SJPhone, WebTalk, Open H323, CallGen323, Ekiga (old GnomeMeeting), Freeswitch, Yate

TLS Whatsapp, Skype, SkypeIn, SkypeOut, Viber, ooVoo

Google Google Talk

Net2phone Net2Phone

IAX IAX Phone, Freeswitch, Yate, Kiax, Moziax

OTHER VOIP PROTOCOLS (3)

Megaco (H248), MGCP, Skinny (SCCP)

E-MAIL PROTOCOLS (3)

POP, SMTP, IMAP

IM PROTOCOLS (10)

OSCAR, AIM/ICQ, IRC, iChat, Mac OS X, MobileMe, SightSpeed, Skype, Yahoo! Messenger, XMPP/JABBER

VOIP APPLICATIONS LARGEST VOIP SERVICES (Example: US to Caribbean)

Page 8: Tackling the illegal trade in the Digital world

PROTOCOLS (11) APPLICATIONS (85)

IAX Astrix PBX, Freeswitch, Kiax, Moziax, Yate

BitTorrent ABC, AllPeers, Bit Comet, BitLord, BitSpirit, BitTornado, Burst, Deluge, FlashGet, G3Torrent, Halite, Ktorrent, MLDonkey, Opera, QTorrent, rTorrent, TorrentFlux, Transmission, Tribler, Thunder, µTorrent

Direct Connect Direct Connect, SababaDC, DC++, BCDC++, ApexDC++, StrongDC++

Ares AresGalaxy, Warez P2P, Filecroc

eDonkey eDonkey2000, aMule, eMule, eMulePlus, FlashGet, Hydranode, iMesh, Jubster, IMule, Lphant, MLDonkey, Morpheus, Pruna, xMule

Gnutella Acquisition, BearShare, Cabos, FrostWire, Gnucleus, gtk-gnutella, iMesh, Kiwi Alpha, MLDonkey, Morpheus, Poisoned, Swapper, XoloX

Gnutella2 Gnucleus, iMesh, Kiwi Alpha, MLDonkey, Morpheus,TrustyFiles

FastTrack giFT, iMesh, Kazaa, Kceasy, Mammoth, MLDonkey, Poisoned

Napster Napigator, Napster

Manolito Blubster, Piolet

OpenNAP Lopster, Napster , WinLop, WinMX, Utatane, XNap


The diversity of P2P file transfer systems

Page 9: Tackling the illegal trade in the Digital world

Diversity of social networks

URLs SOCIAL NETWORK APPLICATIONS

Social Websites (210)

Many services encrypted

43 Things, Academia.edu, Advogato, aNobii, AsianAvenue, aSmallWorld, Athlinks, Audimated.com, Badoo,Bebo, BIGADDA, Biip.no, BlackPlanet, Blauk, Blogster, Bolt.com, Busuu, Buzznet, CafeMom, Cake, Financial, Care2, CaringBridge, Cellufun, Classmates.com, Cloob, CouchSurfing, CozyCot, Cross.tv, Crunchyroll, Cyworld, DailyBooth, DailyStrength, delicious, deviantART, Diaspora, Disaboom, Dol2day, DontStayIn, Draugiem.lv, douban, DXY.cn, Elftown, Elixio, Epernicus, Eons.com, Experience Project, Exploroo, Facebook, Faceparty, Faces.com, Fetlife, FilmAffinity, Filmow, FledgeWing, Flixster, Flickr, Focus.com, Fotki, Fotolog, Foursquare, Fuelmyblog, Friendica, Friends Reunited, Friendster, Frühstückstreff, Fubar, Gaia Online, GamerDNA, Gapyear.com, Gather.com, Gays.com, Geni.com, GetGlue, Gogoyoko, Goodreads, Goodwizz, Google+, GovLoop, Grono.net, Habbo, hi5, Hospitality Club, Hotlist, HR.com, Hub Culture, Hyves, Ibibo, Identi.ca, Indaba Music, IRC-Galleria, italki.com, Itsmy, iWiW, Jaiku, Kaixin001, Kiwibox, Lafango, LAGbook, LaiBhaari, Last.fm, LibraryThing, Lifeknot, LinkedIn, LinkExpats, Listography, LiveJournal, Livemocha, LunarStorm, Makeoutclub, MEETin, Meetup, Meettheboss, MillatFacebook, mixi, MocoSpace, MOG, MouthShut.com, Mubi (website), MyHeritage, MyLife, My Opera, Myspace, myYearbook, Nasza-klasa.pl, Netlog, Nettby, Nexopia, NGO Post, Ning, Odnoklassniki, OneClimate, OneWorldTV, Open Diary, Orkut, OUTeverywhere, Passportstamp, PatientsLikeMe, Partyflock, Pingsta, Pinterest, Plaxo, Playahead, PureVolume, Playfire, Playlist.com, Plurk, Qapacity, Quechup, Qzone, Raptr, Ravelry, Renren, ResearchGate, ReverbNation.com, Ryze, ScienceStage, ShareTheMusic, Shelfari, Sina Weibo, Skoob, Skyrock, Social Life, SocialVibe, Sonico.com, SoundCloud, Stickam, StudiVZ, Students Circle Network, StumbleUpon, Tagged, TalentTrove, Talkbiznow, Taltopia, Taringa!, TeachStreet, TermWiki, The Sphere, TravBuddy.com, Travellerspoint, tribe.net, Trombi.com, Tuenti, Twitter, Vkontakte, 
Vampirefreaks.com, Viadeo, Virb, Vox, Wakoopa, Wattpad, Wasabi, WAYN, WebBiographies, WeeWorld, Wellwer, WeOurFamily, Wepolls.com, Wer-kennt-wen, weRead, WiserEarth, Wooxie, WriteAPrisoner.com, Xanga, XING, Xt3, Yammer, Yelp, Inc. Zoo.gr, Zooppa

E-MAIL APPLICATIONS (PSEUDONYM REGISTRATION)

No ID Required (23)

AIM Mail, BigString.com Service, Care2 E-mail, Facebook Messages, FastMail, Gawab.com, HotPOP, Inbox.com Service, iCloud Mail, Lavabit, Mail.com, GMX Mail, My Way Mail Service, MSN Hotmail, MyRealBox, Myspace Mail, Shortmail, Windows Live Hotmail, Yahoo! Mail, Zapak Mail, Zenbe Personal, IMAP, Zoho Mail

Page 10: Tackling the illegal trade in the Digital world

What is on your national IP network?

Example - Viber Media

“Call, text, and send photos to each other, worldwide - for free!”

• 350m downloads / 105m concurrent users / 550k sign ups each day.

• Viber client will not install unless the user allows access to their contacts list.

• Development centre located in Israel - hosting at Amazon Cloud / Akamai Cloud (US).

• Cloud hosting in liberal jurisdictions allows OTT services to bypass national policies.

• Consistent refusal to provide intercept data to courts and LEAs.

Hiding and Trading - Fraud Over VoIP

What OTT services are on your network? Are they lawful intercept compliant?

OTT Examples

479 Cyber-currencies Crypto-currencies

268 VoIP/P2P/IM (Chat)

33 Real-Time Entertainment

105 Mobile Money Transfer Operators

584 Online Gambling Operators

73 Online Gaming Operators

210 Social Networks

Page 11: Tackling the illegal trade in the Digital world

Forensic analysis of packet data

Detailed records are individually searchable

• Actual IP address initiating the call/event

• Actual IP address receiving the call/event

• Actual MAC address initiating the call/event (Subject to Protocol*)

• Actual MAC address receiving the call/event *

• Actual telephone number initiating the call/event *

• Actual telephone number receiving the call/event *

• Actual email address initiating the call/event *

• Actual email address receiving the call/event *

• Time the call/event was initiated

• Time the call/event was disconnected

• Traffic statistics to identify signatures of SIM bank, Media Gateway and IBTs

• Geographic location of IP addresses/suspect can be produced in some cases through registries

• Selective filtering of VoIP traffic on a call-by-call basis. Allow ‘authorised’ and disconnect ‘un-authorised’

Additional Guardian module – URL control

• Stop access to inappropriate or offensive websites identified on approved blacklists (Interpol)

Page 12: Tackling the illegal trade in the Digital world

Money laundering over VoIP

Diagram labels: VoIP Operator; Criminal Network; Customers

The Laundering Sequence:

1. Fraudsters set up as a VoIP operator

2. Service is typically hosted offshore in a liberal jurisdiction

3. Offshore shell companies hide ownership and accountability

4. Services such as calling cards can be purchased for cash

5. Criminal network can easily insert dirty cash into the system

6. The receiving operator can charge for bulk voice services

7. The authenticity of the services provided cannot be verified

8. VoIP calls running 24hrs a day offer limitless laundering

9. Cleaned cash lands in destinations – typically tax havens

10. Hidden model for funding organised crime and terrorism

Diagram labels: VoIP Service Agents; Firewall; Telecommunications Provider; VoIP Services / Calling Cards; VoIP Service Host; Internet; Dirty Money; Offshore Banks; Shell Co’s (buffering)

Page 13: Tackling the illegal trade in the Digital world


Traffic Pumping - toll fraud targeting VoIP switch and apps

Traffic Pumping / International Revenue Sharing Fraud (IRSF)

1. Fraudsters hack into corporate PBX/softswitch resources

2. VoIP apps (multiple installs on devices) = multiple lines

3. Once access is gained the information is typically sold

4. Criminals set up offshore premium rate numbers and SMS

5. Attacks typically take place outside working hours

6. Huge bills can be run up in hours – unnoticed by victims

7. The carrier has provided a legitimate service

8. Corporate receives bill for $1000’s

9. Private user receives bill for $1000’s

Case Study:

• VoIP calls were directed at premium rate numbers @ $5 per min

• Fraud remained undetected for 6 hours = $1,800 per line

• 25 exploited VoIP numbers in 6 hours = $90,000
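The pattern in the list and case study above (calls to premium rate numbers, outside working hours, running unnoticed for hours) can be caught from call detail records. The following is an added example, not part of the original presentation: the CDR tuple layout, the `+99955` premium prefix, the 08:00-18:00 Mon-Fri working hours and the $100 alert limit are all constructed assumptions; only the $5 per minute rate and the 6-hour duration come from the case study.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PREMIUM_PREFIXES = ("+99955",)   # constructed placeholder, not a real number range
RATE_PER_MIN = 5.0               # $ per minute, the rate quoted in the case study
WORK_START, WORK_END = 8, 18     # assumed working hours, Monday to Friday


def out_of_hours(ts):
    """True for weekends and for weekday times outside working hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def detect_irsf(cdrs, limit=100.0):
    """Flag lines whose out-of-hours premium-rate spend reaches `limit`.

    cdrs: iterable of (line_id, start: datetime, minutes, dialled_number).
    Returns {line_id: {"alert_at", "spend_at_alert", "total_exposure"}} where
    total_exposure is what the line costs if nobody reacts to the alert.
    """
    spend = defaultdict(float)
    alerts = {}
    for line, start, minutes, dialled in sorted(cdrs, key=lambda c: c[1]):
        if not dialled.startswith(PREMIUM_PREFIXES):
            continue                      # ordinary destination
        if not out_of_hours(start):
            continue                      # daytime premium calls are not scored here
        spend[line] += minutes * RATE_PER_MIN
        if line not in alerts and spend[line] >= limit:
            # The CDR is written when the call ends, so that is the alert time.
            alerts[line] = (start + timedelta(minutes=minutes), spend[line])
    return {
        line: {"alert_at": at, "spend_at_alert": cost, "total_exposure": spend[line]}
        for line, (at, cost) in alerts.items()
    }


# Constructed sample: one exploited extension dialling a premium number in
# back-to-back 10-minute calls for 6 hours overnight (360 min x $5 = $1,800),
# plus one extension with normal traffic.
_T0 = datetime(2016, 2, 9, 22, 0)
SAMPLE_CDRS = (
    [("ext-201", _T0 + timedelta(minutes=10 * i), 10, "+9995500001")
     for i in range(36)]
    + [("ext-305", datetime(2016, 2, 9, 11, 0), 10, "+9995500001"),
       ("ext-305", datetime(2016, 2, 9, 23, 0), 10, "+15550100")]
)

if __name__ == "__main__":
    for line, info in detect_irsf(SAMPLE_CDRS).items():
        print(line, info["alert_at"], info["spend_at_alert"], info["total_exposure"])
```

On the sample data the alert fires 20 minutes into the attack at $100 of spend, against $1,800 for the same line if it runs the full six hours.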

Diagram labels: Toll fraud targeting VoIP PBX; VoIP mobile apps; International Numbers; Fraudsters; Zombie Networks; Internet; Compromised Firewall; Firewall; Telecommunications Carrier; Customer; Offshore Bank; Premium SMS; Premium Numbers; SIP Phone; Compromised OTT VoIP App; Infected Mobile Device

Small $ amounts keep below anti-laundering radar

Page 14: Tackling the illegal trade in the Digital world

Traffic Pumping – exploiting Sipvicious to hack SIP

Sipvicious “Friendly-Scanner” (not friendly at all)

1. Sipvicious is a mainstream auditing tool for VoIP systems.

2. Exploited by hackers to take control of VoIP servers for fraudulent purposes, such as traffic pumping (toll fraud).

3. A type of botnet which scans IP ranges for SIP servers such as softswitches and PBX which communicate via the 5060 port.

4. If it finds the port open, it attempts to brute force its way into the SIP server by testing sequential SIP account numbers with common usernames/passwords.

5. Typically downloaded through a Trojan (jps.exe) which connects to bot ‘command and control’ servers.

6. Sets User-Agent in the SIP requests to “friendly-scanner” or others.

Bitek monitoring of Sipvicious attacks

Haiti 7th Feb 2016 19.00 to 21.00 GMT (2 hours)

17.5m international inbound registration attempts to IPBBX using Sipvicious 1.0

Suspect User Agents

• sipvicious

• siparmyknife

• iWar

• sip-scan / sipsak

• sundayddr

• friendly-scanner

• friendly-request

• CSipSimple

• SIVuS

• Gulp / Sipv / Smap

• VaxIPUserAgent

• VaxSIPUserAgent
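The two signals described on this slide, the suspect User-Agent strings and brute-force registration against sequential SIP account numbers, combined in an added detection example that is not part of the original presentation or of Bitek's tooling. The event tuple layout, the 60-second window, the 5-account threshold, the sample addresses and the `ExamplePhone/1.0` agent are constructed assumptions.

```python
import re
from collections import defaultdict

# Suspect User-Agent substrings, copied from the slide's list (lower-cased).
SUSPECT_AGENTS = (
    "sipvicious", "siparmyknife", "iwar", "sip-scan", "sipsak", "sundayddr",
    "friendly-scanner", "friendly-request", "csipsimple", "sivus", "gulp",
    "sipv", "smap", "vaxipuseragent", "vaxsipuseragent",
)
COMPACT = {"t": "to", "f": "from"}            # RFC 3261 compact header names
ACCOUNT_RE = re.compile(r"sips?:([^@;>\s]+)@")  # user part of a SIP URI


def parse_sip(raw):
    """Return (method, headers) for a SIP request; header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[COMPACT.get(key, key)] = value.strip()
    return method, headers


def detect(events, window=60, max_accounts=5):
    """Scan time-ordered (epoch_seconds, src_ip, raw_sip) events.

    Returns {src_ip: set(reasons)}. "suspect-user-agent" is the slide's list;
    "account-enumeration" catches a source that tries more than max_accounts
    distinct accounts inside `window` seconds even if it changes its User-Agent.
    """
    findings = defaultdict(set)
    recent = defaultdict(list)                # src_ip -> [(ts, account), ...]
    for ts, src, raw in events:
        method, headers = parse_sip(raw)
        if method != "REGISTER":
            continue
        agent = headers.get("user-agent", "").lower()
        if any(s in agent for s in SUSPECT_AGENTS):
            findings[src].add("suspect-user-agent")
        match = ACCOUNT_RE.search(headers.get("to", ""))
        if match:
            recent[src].append((ts, match.group(1)))
            recent[src] = [(t, a) for t, a in recent[src] if ts - t <= window]
            if len({a for _, a in recent[src]}) > max_accounts:
                findings[src].add("account-enumeration")
    return dict(findings)


def make_register(account, user_agent, host="pbx.example.test"):
    """Build a constructed REGISTER request for the sample data below."""
    return (
        f"REGISTER sip:{host} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 0.0.0.0:5060\r\n"
        f"From: <sip:{account}@{host}>;tag=constructed\r\n"
        f"To: <sip:{account}@{host}>\r\n"
        f"Call-ID: constructed-sample\r\n"
        f"CSeq: 1 REGISTER\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"Content-Length: 0\r\n\r\n"
    )


# Constructed sample traffic (documentation-range addresses):
#  203.0.113.5  - a phone re-registering its own account every 30 s
#  192.0.2.10   - a scanner announcing itself as "friendly-scanner"
#  198.51.100.7 - a scanner with a benign-looking agent walking accounts 1000-1009
SAMPLE_EVENTS = sorted(
    [(1000 + 30 * i, "203.0.113.5", make_register("2001", "ExamplePhone/1.0"))
     for i in range(3)]
    + [(1005 + i, "192.0.2.10", make_register(str(100 + i), "friendly-scanner"))
       for i in range(3)]
    + [(1010 + i, "198.51.100.7", make_register(str(1000 + i), "ExamplePhone/1.0"))
       for i in range(10)]
)

if __name__ == "__main__":
    for src, reasons in sorted(detect(SAMPLE_EVENTS).items()):
        print(src, sorted(reasons))
```

The User-Agent check alone misses the third source, which is why the slide's "or others" matters: rate and account-spread checks do not depend on what the scanner calls itself.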

Page 15: Tackling the illegal trade in the Digital world

VoIP Missing Trade Intra-Community VAT Fraud (MTIC)

Diagram labels: VoIP Operator; Criminal Network; Customers; VoIP Service Agents; Firewall; Telecommunications Provider; VoIP Services / Calling Cards; VoIP Service Host; Internet

MTIC VAT fraud example - Italy:

1. MTIC is essentially the theft of VAT

2. Fraudsters set up as VoIP operators (buffered)

3. Involved companies in Italy, UK, US and Finland

4. EU cross-border B2B transaction is VAT neutral

5. Fraudsters collected VAT on the sale of domestic VoIP services

6. When the tax became due the companies had disappeared.

7. Cost the Italian economy €400m in non-payment of VAT

8. Connected to a scheme to launder €2 billion

Complexity of case: Fraud committed in 2003–2007; 50 arrest warrants issued 2010; court hearings 2013.

Europol: MTIC fraud costs the EU €100b a year or €270m a day

Eurojust: Makes MTIC fraud a top priority for 2014-2017 period

MTIC uses the same model

Diagram labels: Shell Co’s (buffering); Dirty Money; Offshore Banks; VAT Paid; VAT; € Tax Demand

Page 16: Tackling the illegal trade in the Digital world


Setting up a vishing scam using VoIP

1. Vishing is a phone call scam utilizing phishing, social media and VoIP

2. Fraudsters set up spoof companies and websites to support the scam

3. Cheap or free VoIP calls allow scammers to set up ‘call centre’ models

4. Anonymity of VoIP/P2P registration avoids LI detection and tracking

5. Stolen identity data provides enough information to sound genuine

Large scale vishing scams over VoIP

Typical Costs targeting US Citizens

Per attack: $5000 to $30,000

Total per year: $100’s millions

Scam?

CALL ID UNKNOWN

Case Study - Banking

1. VoIP calls to landline numbers - fraudsters posing as bank officials

2. Vulnerable small business owners and the elderly are targeted

“We have identified active fraudulent behaviour on your account”

“To protect you, we need to transfer your balance into a holding account”

“Please call the number on the back of your bank card to authorise”

3. The scammer who has not hung up plays a ‘dialing tone’ and a ‘ringing tone’

4. A new scammer then appears to answer at the bank – the fraud is completed

Page 17: Tackling the illegal trade in the Digital world

1. As vulnerable consumers become more wary of scams they know not to answer calls identified with “Unknown” or “No Caller ID”

2. Fraudsters can now use a new VoIP service called bitphone to get around this problem by spoofing the caller ID. Any number can be used.

3. Low cost call $0.021 per minute + caller-ID spoofing at $0.0912 per call.

4. Payment through Bitcoin or other virtual currencies retains anonymity.

5. To help provide legal cover, bitphone includes the FCC’s caller-ID and spoofing guidelines in its T&C’s that each user must accept.

6. Using a public WiFi hotspot adds additional security buffering.

Spoofing Caller ID – the evolution of cybercrime

+1 800 829 1040


IRS Spoofing

Page 18: Tackling the illegal trade in the Digital world

The global trade in identity theft information

The Times Feb 2016 – Online fraud costs Britain’s economy £27 billion per year

• 1m stolen bank details discovered for sale on http://bestvalid.cc/session

• Criminals trade with impunity on the internet - not the dark web.

• Sold for as little as £1.67 each

• Stolen Identities from 100,000 Britons

Source: Symantec 2014 Report

Page 19: Tackling the illegal trade in the Digital world

Spear-Phishing and ransom attacks

Next Generation Traffic Challenges (ML)

Spear-Phishing bypasses spam filters

1. Spear-Phishing is an attack which hacks into our “trusted” email or social media contacts lists.

2. Spam filters accept inbound emails which appear to be from a work colleague, family or friend.

3. We are more likely to click on a link from a friend – unaware that it is malware.

4. More than 317 million new pieces of malware were created last year, nearly a million a day.

5. Crypto-ransom attacks, where the victim's files are encrypted and held hostage without warning, skyrocketed 4,000 percent.

6. Ransomware attacks grew 113 percent

7. 70 percent of social media attacks rely on the initial victim to spread the threat to others.

Source: Symantec 2014 Report

Page 20: Tackling the illegal trade in the Digital world

Abra – the digital version of Hawala

Money transfer without money movement

1. The Hawala model has been used for centuries for money transfer without physical money movement.

2. Hawaladars are people who collect and hand out funds on behalf of others over long distances, settling with each other via barter transactions.

3. In the US no one is allowed to hold or remit funds on behalf of someone else without being a licensed money transmitter.

4. As tellers are always holding their own money it is extremely difficult to identify or regulate these activities.

5. Abra is a Peer to Peer (P2P) smartphone app designed to bring Hawaladar into the digital age.

(A) wants to transfer $1000 to (B)

Diagram labels: A; B; Hawaladar (Tellers) 1 and 2; “Trust”; $1000

Reverse money transfers equalise the $ balance between Tellers

Teller (1) now owes $1000 to Teller (2)

Page 21: Tackling the illegal trade in the Digital world


Abra P2P service bypasses the regulated money transfer industry (virtual infrastructure = low fees)

Abra P2P – bypasses the regulated money transfer market

1. Deposit (domestic)

Deposit cash to the app through an Abra Teller - or add with your debit card.

2. Send (virtual transfer)

Instantly send any amount of money directly from the app to anyone in the world.

3. Withdraw (domestic)

Withdraw cash from the app via any Abra Teller.

Users rate tellers on website (trust).

“Digital cash” transfers

Diagram labels: A; B

Page 22: Tackling the illegal trade in the Digital world

The Dark Web – the DIY cybercrime toolkit

Page 23: Tackling the illegal trade in the Digital world

The Dark Web – the DIY financial toolkit

Page 24: Tackling the illegal trade in the Digital world


Taliban Communications

• VoIP enabled handsets

• P2P Skype used widely

• Frustrates SIS / NATO intercept

• Microsoft purchase Skype in 2011

• Microsoft LI patent granted 2012

Mumbai Terror Attack

• VoIP phones purchased in PK

• Calls via US provider

• Co-ordinated from Pakistan

• Lack of digital evidence frustrated LEA investigations

The Dark Web - terrorist communications and funding

2008 2016


ISIL Communications

• Edward Snowden leaks 2013

• Jihadi organizations become more informed about NSA techniques

• Dark web becomes the preferred communications tool

• VoIP system developed by Pakistan ISI distributed on dark web by ISIL

Page 25: Tackling the illegal trade in the Digital world

Obama asks congress for $19 billion for Cybersecurity

Obama targets US Cybersecurity

1. $19 Billion includes $3.1 billion for technology modernization at various federal agencies.

2. Cyber threats are "among the most urgent dangers to America’s economic and national security,”

3. Launch Presidential Commission on Cybersecurity to strengthen US cyber-defences over the next decade.

4. Government’s cyber-defense system, known as Einstein, is “ineffective at combating hackers.”

5. Recent high-profile hacks include Office of Personnel Management, Sony Pictures and Target that were “largely met with legislative inaction”

Norse cyber-attack data (15 minute sample) – represents a fraction of the total attacks on URLs

Page 26: Tackling the illegal trade in the Digital world

The Internet – Cybercrime toolkit (not just the dark web)

Page 27: Tackling the illegal trade in the Digital world

You know Sir, you can do this just as easily online!

Organized fraud, tax evasion, money laundering

Page 28: Tackling the illegal trade in the Digital world

Graham Butler – Chairman Bitek Group of Companies © 2016

Thank you for your attention

Graham Butler

Co-funded by the Justice Programme of the European Union 2014-2020