Cyber CrimeSpecial Thanks toSpecial Agent Martin McBride for sharing most of this information in his talk at Siena last semester

Criminal Activity Todayhas shifted to the Internet

Canadian Lottery ScamA call from Canada:Youve won the Canadian LottoWell protect your winnings from US capital gains taxes (i.e., Canadian Bank)Just pay the Canadian Lotto tax 0.5% and well set everything upYou say:You mean I just have to pay you $5000 and youll put $1,000,000 in my own Canadian Bank Account. Sounds great!

Canadian Lottery ScamIts estimated that over $10,000,000 has been scammed off people in just the US.The scammer are so sophisticated that they get Direct Mailing/Marketing List and target specific demographics (homeowners over 65).http://www.experian.com/products/listlink_express.htmlThank you Experian!

Canadian Lottery ScamThe scammer use cloned cell phones Checks sent to Mailboxes Etc.set up using a stolen identityThe FBI and RCMP have developed counter-measuresThus, the Scammers have retreated to the Internet, where they have greater reach and less risk.

Criminal Activity TodayPhishingNigerian Letters FraudInternet Sales FraudCardingIntrusionsViruses & Worms

Criminal Activity Today-continued-Distributed Denial of Service (DDOS)Spam Attack/DDOSIntellectual Property TheftSabotage

Phishinguses spam, spoofed e-mails and fraudulent websites todeceive consumers into disclosing credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive informationby hijacking the trusted brands of well-known banks, online retailers and credit card companies

We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you now be taken through a verification process.Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.Please click here and fill in the correct information to verify your identity.NOTE: Failure to complete the verification process or providing wrong information will lead to account suspension or even termination.

Nigerian Letter FraudClaiming to be Nigerian officials, business people or the surviving spouses of former government honchos, con artists offer to transfer millions of dollars into your bank account in exchange for a small fee.

Nigerian Letter FraudIf you respond, you may receive "official looking" documents. Typically, you're then asked to provide blank letterhead and your bank account numbers, as well as some money to cover transaction and transfer costs and attorney's fees.

Nigerian Letter FraudYou may even be encouraged to travel to Nigeria or a border country to complete the transaction.Sometimes, the fraudsters will produce trunks of dyed or stamped money to verify their claims.Inevitably, though, emergencies come up, requiring more of your money and delaying the "transfer" of funds to your account; in the end, there aren't any profits for you to share, and the scam artist has vanished with your money.

Internet Sales FraudOverpayment scheme (E-bay)A buyer accidentally over pays you$1000 check rather than $100 checkBuyer says, My mistake but you owe me $900 if you cash that check.Buyer says, Dude man! I need that $900 bucks, since this was my mistake, if you wire me $800 bucks, the check is yours.You get an additional $100 for you trouble, cool!

Internet Sales FraudDid you know that if you deposit a check worth $10,000 or more at HSBC it can take over 5 business days for it to clear or to realize its fraud.A week gives a scammer a long time to put pressure on you to return the over payment.Perhaps the overpayment is $9000.Guess what? If you send a wire transfer or a money order out of your account, your account balance is immediately reduced (instantaneous at the time the order or wire is entered into their system).Thank you HSBC for making it easy to scam me!

Internet Sales FraudAlexey Ivanov and othersauctioned non-existent items on eBaybid on own items using stolen credit cardsas high bidder, paid himself through Paypal

CardingCarding" the illegal use of credit card numbers. Carders..Acquire valid credit card numbers (not their own)Use them to make purchasesSell them to othersTrade them over the Internet

CardingMaxus, a Russian, stole 300,000 credit card numbers from CDUniverse.comMaxus scheme was broken into 4 basic parts: Whole-selling Cards Cards were distributed to trusted partners, mainly in lots of 1,000, for $1 each. Re-selling Cards Cards were then sold by Maxus' partners. These "re-sellers" sold card numbers mainly in blocks of 50. The price to the "end consumer" was around $500. Pure Liquidation Maxus set himself up as an online retailer, and used the stolen numbers as if they belonged to his customersEnd Users Individuals would use the cards bought from Maxus to conduct their own fraud.

IntrusionsUnauthorized access into a computerDifferent types of intrudersHackers create code to exploit vulnerabilitiesScript-kiddies use code readily available over the Internet to exploit vulnerabilitiesInsiders - former employees whose accounts were not disabled upon termination

IntrusionsExampleBob leaves Experian for EquifaxEquifax is a competitor to Experian Bob uses same password at Equifax that he had used while at ExperianEquifax has to crack Bobs password because no one can get into his account to retrieve the work he left behindExperian decides to try Bobs password on Equifax s e-mail systemIt worked!Experian attempts to steal customers from Equifax by intercepting e-mail sent to Bobs account at Equifax.

Viruses, Worms, & TrojansViruses are computer code written to degrade the health of a computer or computer networkWorms are viruses that are written such that they can spread themselves to other computersTrojans are viruses that remain dormant or hidden until a certain action is taken or a specified period of time has elapsed

Denial of Service (DOS)An attack in which a large network of compromised computers is used to attack a target computerExamplesMafiaboy - Feb 2000Yahoo!, eBay, CNN.com, eTrade, and othersDDOS attack against 9 of 13 root servers Oct 2002

Intellectual Property TheftThe unauthorized acquisition and/or distribution of proprietary computer software or data files

Intellectual Property TheftExampleOnline warez piratesBuy or steal copies of software programs such as video games or operating systemsIllegally share the programs through FTP servers located throughout the worldHundreds and perhaps thousands of organized groups existMany groups contain hundreds of members

SabotageDeliberate destruction of the functionality of a computer or computer network

InsidersGreatest threat to computer networksKnow the systemHave access via user accountsSecurity lapsesEasy-to-guess passwordsShare accounts/passwordsHostile terminations/revenge

Criminal Cyber Crime TechniquesCasing the establishmentFootprintingScanningEnumeration

Hacking Exposed, Second Edition

Casing the EstablishmentFootprintingLocate a potential targetLearn everything about target networkMap the networkDomain names in useRoutable IP address rangeServices running and versions usedFirewalls and Intrusion Detection SystemsHacking Exposed, Second Edition

Casing the EstablishmentScanningTurning door knobs and seeing if windows are lockedSearch for vulnerabilitiesPing sweepDetermine what systems are up and runningTrace routePort scanID operating systemID applications runningCheops (does it all)Hacking Exposed, Second Edition

Casing the EstablishmentEnumerationOpen the door and look inside (cross the line)Active connection to target is established toID valid user accountsID poorly protected resource sharesSocial EngineeringGain access to inside human resourcesDumpster diving go through the trashHacking Exposed, Second Edition

Hacking the TargetDirectly connect to shared resourcesUse that access to dig deeperInstall backdoors/TrojansCrack passwords for administrator accountsDictionary and Brute ForceL0phtcrackJohn the RipperCrackHacking Exposed, Second Edition

Hacking the TargetPrivilege escalationWhen you have password for non-admin accountUse Trojans to give yourself an admin accounte.g. change Dir command so that it adds new userInstall and run sniffersKeystroke loggers

Hacking Exposed, Second Edition

Hiding the TrailProxy ServersMake Web queries on behalf of inquiring computerQuery traces to proxy rather than point of originAnonymizersE-mail spoofingIP spoofing

Bad GuyProxy 1DestinationProxy 2

Cyber Crime InvestigationsBig Brother is Watching

Following the TrailServer logsE-mail headersWhois databasesHuman resources

Critical ConceptInternet Protocol (IP) addressingEvery computer connected to the Internet has a unique IP address assigned while it is connected#.#.#.# (e.g. 192.168.1.100)Each # is 0 to 255256 possibilities28 (binary math)255 = 1111 1111

Critical ConceptStatic addressesLike telephone numbersDont changeEasy to find day after dayDynamic addressesDifferent each time you connectDifficult to find from one use to the next

Server LogsDomain ControllersAccess logsWeb ServersFTP ServersE-mail Servers

Tracking via Server Logs192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102

Tracking via Server Logs192.168.50.165 - - [17/Sep/2002:17:46:52 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=15 HTTP/1.0" 200 18627192.168.50.165 - - [17/Sep/2002:17:48:32 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=9&reply=1&form=newmsg HTTP/1.0" 200 8020192.168.50.165 - - [17/Sep/2002:17:49:53 -0500] "POST /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396 HTTP/1.0" 302 426192.168.50.165 - - [17/Sep/2002:17:50:01 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&form=readmsg&pos=9 HTTP/1.0" 200 19721192.168.50.165 - - [17/Sep/2002:17:50:34 -0500] "GET /webmail/cgi-bin/sqwebmail/login/Credit@creditsite.net.authvchkpw/FAE810691B0001A0D294054EB5B832ED/1032302396?folder=INBOX&pos=6&reply=1&form=newmsg HTTP/1.0" 200 8102

E-mail HeadersNormal HeadersTo:, From:, Date:, and Subj:Full HeadersRecord of path an e-mail takes from its origin to its destination

Return-Path: Delivered-To: mmcbride@leo.govReceived: from mailscan-a.leo.gov (mailscan-a-pub.leo.gov [172.30.1.101])by mail.leo.gov (Postfix) with ESMTP id AADAA26E4Bfor ; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)Received: from dell61 (localhost [127.0.0.1])by mailscan-a.leo.gov (Postfix) with ESMTP id 2ABB838641for ; Thu, 15 Apr 2004 14:01:34 -0400 (EDT)Received: from dmzproxy.leo.gov ([4.21.116.65]) by dell61 via smtpd (for smtp.leo.gov [172.30.1.100]) with ESMTP; Thu, 15 Apr 2004 14:01:53 -0400Received: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126])by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AFfor ; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0Content-class: urn:content-classes:messageMIME-Version: 1.0Content-Type: text/plain;charset="iso-8859-1"Content-Transfer-Encoding: quoted-printableSubject: Radio InterviewDate: Thu, 15 Apr 2004 14:01:35 -0400Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Radio InterviewThread-Index: AcQjE7E0Ke2vVSlaR5mlEdbMSjmvMw==From: "Breimer, Eric" To: Cc: X-UIDL: 'B?!!L^)#!ce^"!Hf_"!

E-mail HeadersReceived: from internetfw.leo.gov (internetfw-dmz.leo.gov [4.21.116.126])by dmzproxy.leo.gov (Postfix) with SMTP id 5C21CAA8AFfor ; Thu, 15 Apr 2004 14:01:33 -0400 (EDT)Received: from [66.194.176.8] by internetfw.leo.gov via smtpd (for mx.leo.gov [4.21.116.65]) with SMTP; Thu, 15 Apr 2004 14:01:33 -0400Received: FROM exchange2.siena.edu BY claven.siena.edu ; Thu Apr 15 14:01:24 2004 -0400X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0Content-class: urn:content-classes:messageMIME-Version: 1.0

Whois DatabasesContain registration information for the Domain Name System and IP addressesExampleswww.dnsstuff.comwww.arin.netwww.samspade.orgwww.networksolutions.com

Human ResourcesEasiest way to find a criminalFind someone that knows what happened and is willing to tell what they knowFind someone that has inside access to the type of hacking you are investigating and enlist their assistance

InfraGard

A Cooperative Undertaking/PartnershipU.S. Government (led by the FBI) Association of BusinessesAcademic institutionsState and local law enforcement agenciesOther participants Dedicated to increasing the security of United States critical infrastructuresWhat Is InfraGard?

What Is A Critical Infrastructure?Services so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.

Executive Order 13010

Why Partner?Our businesses, our country, and our world depend on functional infrastructuresIndustries and infrastructures are interdependentMore than 80 percent of U.S. infrastructures are owned and operated by the private sectorGovernment has resources that are critical to successfully protecting all infrastructuresOnly by working together can the Nations infrastructures be properly protectedInfraGard is a critical entity in bringing all the right players to the same table

National InfraGard ProgramPilot project in 1996Cleveland FBI Field Office asked local computer professionals to assist the FBI in determining how to better protect critical information systems in the public and private sectorsFirst InfraGard Chapter was formedHow Did InfraGard Get Started?

What is the Cost?InfraGard is a not-for-profit membership organizationThere are no duesCost is your time & energy

Who Should Join InfraGard?Infrastructure stakeholdersInfrastructure providersInfrastructure end users (everyone?)Individuals with organizational skillsAccountantsLawyersManagersMarketing ExpertsEtc.

Infrastructure ProtectionInfrastructure protection is everyones problem.Dont get complacent! Get involved!

Our critical infrastructures consist of physical and electronic networks that depend on each other to operate safely and reliably. They are defined as critical because their debilitation would have a significantly adverse impact on our economic security or national defense. The existing national infrastructures and the underlying information infrastructures are becoming more vulnerable to disruption or incapacitation by a wide range of physical or cyber threats. These vulnerabilities represent security, reliability, and system survivability problems that, if attacked, could have disastrous effects on system hardware, software, communications media, and peoples lives.As our technology advances and society becomes more dependent on these information infrastructures, the risks from external threats will increasingly become even more evident. One only has to look at the recent power outages caused by the weather in the Eastern United States or the single point of failure that removed a communication satellite from service, to realize some of the potential impacts.

Our critical infrastructures are illustrated here. As you can see, these infrastructures play a crucial role in our society and daily lives. As such, the destruction or degradation of one or more of these infrastructures could cause serious harm to our economic and national security. The President has recognized this potential threat and has ordered that steps be taken to protect our infrastructures from an attack.

In the past, threats to our nations infrastructures were mainly physical in nature. We used to be concerned primarily about threats from terrorist groups and hostile nations. Now, criminal groups, terrorists, and hostile nations can interrupt critical infrastructures through cyber attacks on crucial automation systems.

As our society becomes more global and utilizes technology to increase the efficiency of our enterprises, our nations critical infrastructures are becoming increasingly interdependent within an enterprise, across several enterprises, even across industries. For example, the financial services industry depends on the availability and reliability of the telecommunications infrastructure, which in turn relies on electric power.

Hence, future attacks against one infrastructure could have cascading effects in the operations of others. within one enterprise, across several enterprises, or industries, and potentially all over the world.