Computer Crime and Intellectual Property Section
August 2010
Large-Scale Internet Crimes
Global Reach, Vast Numbers, and Anonymity
Anthony V. Teelucksingh
Computer Crime and Intellectual Property Section (CCIPS)
Criminal Division, United States Department of Justice
REMJA Working Group on Cybercrime
www.oas.org/juridico/spanish/
www.oas.org/juridico/english/
[email protected]
+1 (202) 514-1026
Computer Crime and Intellectual Property Section
www.cybercrime.gov
USDOJ-CCIPS, OEA-REMJA
Agenda
Globalization of crime
Some vexing problems
Anonymity
Botnets
Carding
Digital currency
Globalization of Crime
The Internet knows no borders
Criminals exploit the Internet
Global reach
Anonymity
Safe havens
Mass targets
Global Cybercrime Snapshots – 2009
Botnets*
6.8 million bot-infected computers
47,000 active each day
17,000 new command and control servers
*Symantec Internet Security Threat Report, Vol. XV, April 2010
Geographic distribution of infected computers in a single ZeuS botnet.
Symantec Internet Security Threat Report, Regional Data Sheet – Latin America, April 2010
Global Cybercrime Snapshots – 2009
2.9 million new malicious code threats*
Data breaches from hacking – examples**
160,000 health insurance and medical records – university
530,000 social security numbers – government agency
570,000 credit card records – business
750,000 customer records – mobile telephone service provider
130,000,000 credit card numbers – credit card processor
*Symantec Internet Security Threat Report, Vol. XV, April 2010
**Open Security Foundation, Dataloss Database, 2009
Online Underground Economy
Symantec Internet Security Threat Report, Vol. XV, April 2010
The Players
Cyber-economy crime organizations
Traditional organized crime – drugs, guns, goods, people
Gangs
Extremists – terrorist organizations
Professional hackers
Spammers
Cybercrime organizations
Some Vexing Problems
Anonymity
Botnets
Carding Forums
Digital Currency
Anonymity
Attribution is Difficult…Impossible?
Savvy online criminals know how to hide
False identification
Domain name registration
Stolen credit cards
Services that do not verify user information
Online tools
Proxies
Anonymizing network
Peer-to-peer
Decentralized – Segmented – Redundant – Resilient
Web Proxy
Sits between ISP and web server
ISP and web server no longer talk to each other directly
Result: user anonymity from web server
[Diagram: USER – ISP – WEB PROXY – WEB SERVER]
Web Proxies
Type in the site you want
Web-Based Proxies
The proxy gets the site and passes it to you
You are still communicating with the proxy
Peer-to-Peer file sharing (P2P)
Sharing files, using servers as little as possible
Old style P2P
Relied on a server to keep track of the peers
Who has KIDDIE.MPG?
Second computer from the right.
Newer style P2P
Uses “supernodes” instead of central servers
Who has KIDDIE.MPG?
I’ll ask the other supernodes.
One of my nodes has it.
P2P today: Gigatribe and Darknets
Small, private communities sharing files
Difficult to find and enter
P2P today: BitTorrent
Efficient technology for a huge number of people to share huge files
Tracker: knows which computer has which pieces of the file
Leecher: peer still downloading
Seeder: peer offering all pieces
To join, get a .torrent file that identifies the tracker.
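
How an examiner can read the tracker out of a seized .torrent file, as the slide above describes. This is an added example, not part of the original slides; the function names, the sample torrent and its example.test hosts are constructed for illustration.

```python
import hashlib

def bencode(v):
    """Encode ints, bytes, lists and dicts in BitTorrent's bencoding."""
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    if isinstance(v, dict):
        return b"d" + b"".join(bencode(k) + bencode(v[k]) for k in sorted(v)) + b"e"
    raise TypeError(type(v))

def bdecode(data, i=0):
    """Decode one value at offset i; return (value, offset just past it)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list, or dict of key/value pairs
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dictionary key without a value")
        return dict(zip(items[::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <length>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        s = data[colon + 1:colon + 1 + n]
        if len(s) != n:
            raise ValueError("truncated string")
        return s, colon + 1 + n
    raise ValueError("bad bencode at offset %d" % i)

def torrent_summary(data):
    """Return trackers, file name, piece count and info-hash of a .torrent file."""
    if data[:1] != b"d":
        raise ValueError("a .torrent file is a bencoded dictionary")
    meta, info_raw, i = {}, None, 1
    while data[i:i + 1] != b"e":
        key, i = bdecode(data, i)
        start = i
        meta[key], i = bdecode(data, i)
        if key == b"info":
            info_raw = data[start:i]               # exact bytes, needed for the hash
    if info_raw is None:
        raise ValueError("no info dictionary")
    urls = [meta.get(b"announce", b"")]            # primary tracker
    for tier in meta.get(b"announce-list", []):    # optional list of backup tiers
        urls.extend(tier)
    trackers = []
    for u in urls:
        u = u.decode("utf-8", "replace")
        if u and u not in trackers:
            trackers.append(u)
    info = meta[b"info"]
    return {"trackers": trackers,
            "name": info[b"name"].decode("utf-8", "replace"),
            "piece_count": len(info[b"pieces"]) // 20,   # one 20-byte SHA-1 per piece
            "info_hash": hashlib.sha1(info_raw).hexdigest()}

# Constructed sample: a two-piece file with one primary and one backup tracker.
SAMPLE_INFO = {b"name": b"sample.bin", b"length": 32768,
               b"piece length": 16384, b"pieces": bytes(40)}
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example.test/announce",
    b"announce-list": [[b"http://tracker.example.test/announce"],
                       [b"udp://backup.example.test:6969"]],
    b"info": SAMPLE_INFO})
```

The info-hash is the identifier peers and trackers use for the shared content, so it links a .torrent file found on one machine to the same swarm seen elsewhere.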
Anonymizing Network: Tor
Client = computer using Tor for anonymity
Onion Router (OR) = computer that forwards data and anonymizes it (currently about 1200)
Circuit = path taken by data through ORs
[Diagram: Client – OR – OR – OR – Web Server]
Tor = The Onion Router, an anonymity network that routes communication through multiple proxies, each with an independent layer of encryption (like an onion)
Botnets
What is a Botnet?
A network of robots (bots)
Robot: an automatic machine that can be programmed to perform specific tasks
Also known as ‘Zombies’
Thousands of computers controlled
A powerful network at “no cost”
Purpose of a Botnet
Distributed denial of service attacks
Advertising – spamming
Sniffing traffic
Keylogging
Spreading new malware
Installing advertisements
Attacking IRC networks
Manipulating online polls or games
Mass identity theft
IRC Botnets
Earlier botnets were controlled by a Command and Control (C2) server
Botnet user
IRC Botnets
Newer botnets have distributed, redundant C2 servers
Botnet user
P2P Botnets
Distributed control
P2P Botnets
Hard to Disable
Carding
What is Carding?
Carding: large-scale fraudulent use of stolen credit or debit card information
Carding forums: websites and bulletin boards dedicated to carding
Data usually comes from phishing/spamming or data breaches, rather than “real world” thefts
Bulk transactions (“dumps”) are the norm
Credit card data can be encoded on plastic cards for card-present transactions
What do Carding Forums Offer?
Identity documents
Stolen financial information
User names and passwords
“Full info” – package of data on victim
Card-making equipment and blanks
Tutorials on how to be a carder or hacker
Digital Currency
Characteristics of Digital Currency
Often “backed” by a precious metal such as gold
May involve both an issuer and an exchanger
Can be transferred to other digital currency
Popular with cyber-criminals
Example:
WebMoney Transfer (www.wmtransfer.com)
Based in Russia
Open account by downloading WebMoney client and providing name, address, and e-mail address
Accepts bank transfers, credit cards, money orders, and cash
Can transfer funds from one account to another
Summary
Globalization of crime
Some vexing problems
Anonymity
Botnets
Carding
Digital currency