Technology and Method behind Cross-border Fraud Investigation in Telecom and Internet: How to Combat Cyber Crime Effectively

Upload: ezra-dawson

Post on 11-Jan-2016


Page 1: Technology and Method behind Cross-border Fraud Investigation in Telecom and Internet How to Combat Cyber Crime Effectively


Outlines

Fraud Crime Cases through Telecom and Internet

Challenges

Trace Communication Route and Obtain Related Data

Case Study of the Recent Investigation on Cyber Crime

Conclusion

Fraud Crime Cases through Telecom and Internet

Nature of Cyber Crimes

Emerging type of fraud crime cases through telecom and Internet and its associated features

Traditional crime with the cutting edge technology

Crime globalization

Hard to analyze large volume of complicated data during investigation

Crime toward seamless processes and delicate organization

Traditional Crime with Cutting Edge Technology

With mobile, Internet, IP phone, mobile Internet access and other value-added telecom services, swindlers can commit more crimes more easily. However, whatever advanced technology and tools they use, the nature of their crimes stays the same. We still need to profile such crimes by analyzing the conditions, mindset, and behavior of the crime.

[Diagram labels: Traditional Crime; Advanced Technology; Emerging type of Crime]

Crime Globalization

As applications and services of telecom technology and the Internet develop rapidly and pervasively, people have become familiar with those services. Fraud crimes through telecom and Internet, like contagious diseases, may spread globally over networks.

Globalized Crime Issue

The borderless Internet makes criminal behavior more globalized. Through the Internet and cloud computing, communication within a swindler group can be enhanced and made anonymous. Because of the limits of state authority and this anonymity, it is very hard for state prosecutors and police to investigate the entire criminal activity.

[Map labels: Thailand; North America; China/HK; Japan; South Korea; Taiwan; Vietnam; Swindlers]

Cloud Computing = Network Computing: through the Internet, computers can cooperate with each other, and services become more far-reaching.

Hard to analyze large volume of complicated data

Telecom and Internet fraud crimes often produce a large volume of data (such as multiple phone transfers) because IT networks and telecom routes have converged. In reality, this data is acquired from multiple service providers. Investigators must apply for multiple court orders in advance to obtain data from those service providers.

(For example: if a call is transferred between 2 operators, the investigator must request both to provide CDR information and call content under 2 court orders ahead of time, and integrate all information for further analysis.)

Therefore, such telecom and Internet fraud crime cannot be handled only by the traditional way of comparing, claiming or tracing targets manually. The best way is for investigators to adopt several effective software tools to analyze such a huge amount of data.
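The two-operator case described above, as an added example that is not part of the original slides: it normalizes CDR exports from two operators and links the legs of a transferred call. The column names, time formats, operators and phone numbers are all constructed assumptions; real CDR layouts differ per operator.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports (not real data). Hypothetical operator A logs
# local time (UTC+8); hypothetical operator B logs UTC epoch seconds.
OPERATOR_A_CSV = """caller,callee,start_local,duration_s
+886200000001,+886900000010,2016-01-05 10:00:00,180
+886200000002,+886900000011,2016-01-05 10:05:00,60
"""
OPERATOR_B_CSV = """a_number,b_number,start_epoch,secs
+886900000010,+86100000099,1451959204,170
+886900000011,+886200000555,1451970000,30
"""

def load_a(text):
    """Normalize operator A rows to timezone-aware start/end times."""
    tz = timezone(timedelta(hours=8))
    legs = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.strptime(row["start_local"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        legs.append({"caller": row["caller"], "callee": row["callee"], "start": start,
                     "end": start + timedelta(seconds=int(row["duration_s"]))})
    return legs

def load_b(text):
    """Normalize operator B rows (epoch seconds are already UTC)."""
    legs = []
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromtimestamp(int(row["start_epoch"]), tz=timezone.utc)
        legs.append({"caller": row["a_number"], "callee": row["b_number"], "start": start,
                     "end": start + timedelta(seconds=int(row["secs"]))})
    return legs

def link_transfers(legs_a, legs_b, slack=timedelta(seconds=10)):
    """Link a leg on A to a leg on B when A's callee is B's caller and B
    starts while A is still up, allowing for clock drift between operators."""
    chains = []
    for a in legs_a:
        for b in legs_b:
            same_number = a["callee"] == b["caller"]
            overlaps = a["start"] - slack <= b["start"] <= a["end"] + slack
            if same_number and overlaps:
                chains.append((a["caller"], a["callee"], b["callee"]))
    return chains

def trace():
    return link_transfers(load_a(OPERATOR_A_CSV), load_b(OPERATOR_B_CSV))

if __name__ == "__main__":
    for origin, transfer, destination in trace():
        print(f"{origin} -> {transfer} -> {destination}")
```

The second pair of rows shares a number but falls hours apart once both are converted to UTC, so it is not linked; matching on the number alone would produce a false chain.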

Converged ICT Communication Routes

[Diagram labels: IT Network; Telecom Network; Cross Border; Domestic; Illegal Transfer; Internet D; Internet E; Telecom Network A; Fixed Network B; Mobile C; Illegal DMT by ISP; Illegal ISP]

Crime toward seamless processes and delicate organization

It is a natural trend for group crime to move toward seamless processes and delicate organization. There is a very clear hierarchy of roles and responsibilities (R&R) for the leader, telecom engineer and service staff in a crime group. They never mix phones used for crime with private phones, and they adopt one-way contact so that the whole group is not cracked at once. Such a crime model can be easily duplicated. A fraud crime group often splits into small ones, forms new gangs, commits more crimes, and exchanges information and new fraud techniques.

[Organization chart labels: Swindler Group; Telecom; Internet; Finance; R & D; Telecom; contact; Private collection; Jump board; Cash flow; ATM Operation; New crime; Recruiting; Monitor Police]

Common Features

● Converged ICT technologies are used in daily life and are not far beyond police understanding
● Telephone is the primary means of communication while committing the crime
● Skilled at all Internet and telecom services, but not familiar with the operations behind them or with lawful interception (LI) by police
● Faults can be tracked from human behavior

[Diagram labels: Telephone; Criminals (Group); Converged ICT Technologies; Skillful at all services; Faults by human]

Challenges

Hard to Identify Criminal

● With new technologies (like IP phones), it is hard to intercept their calls with existing equipment. We need professionals and suppliers to find the way out.

Hard to Track Cross-border Phone

● Look for cross-border cooperation, or for other related clues if there is no cooperation

Hard to Find Foreign Proxy or Router as Jump Board

● VPNs and foreign proxies used as jump boards by criminals may be hidden deeper in the Internet

Large Volume of CDR, and Hard to Analyze

● Analyze data and find the key information by text mining and data warehousing

Wrong CDR or Missing Partial Data

● CDR exists for the ISP's billing management; we must find out how this happens and analyze the reason

Hard to Track Calls with Dummy Accounts

● Find the source and links, and identify the key point with technical assistance and help from ISPs

Trace Communication Route and Obtain Related Data

Methodology and Guidelines of Cyber Crime Investigation

The way to investigate fraud crimes behind telecom and Internet is the same as for traditional crimes. None of the techniques is tied to a specific case; each can be used flexibly as needed.

Check Post

Deployment

Archive Look-up

Tenant Interview

Tracking

Lawful Intercept

Warrant & Confiscation

e-Positioning

Gap between Physical and Cyber Crimes

Physical Crimes

● Clues: informers; others
● Evidence collection & investigation: finance record; interview (video); CDR, LI
● Enforcement: human: apprehend, arrest; place: warrant, confiscate

Cyber Crimes

● Sourcing clues: crime side (web or tool); non-crime side (social network)
● Analysis & highlight: others excluded (useless); lock activities (by account)
● Evidence collection & investigation: IP tracking; finance record; CDR, LI
● Enforcement: human: apprehend, arrest; place: warrant, confiscate

Different sources dealt by police: hard to get clue (don’t know how to do it), and no way to trace!


Quest for Investigation on Cyber Crimes

Tenant List

Credit card, Insurance

Cable TV, Broadband

Internet googling

165 voice signature

Finance Transaction

Shipping List

Immigrant

Labor Insurance

Property Tax

Car Meter Record

Co-prisoners

Crime Record

Relatives

Resident Information

Car Plate

CDR

Cross Check

Find Links

There is no difference in nature between cyber crime and traditional crime. With the convenience, anonymity and mobility of telecom and Internet, criminals are able to disguise their command center and disrupt the direction of investigation. Law enforcement officers need to make more effort in studying the crime model and finding ways to combat criminals.

1) Set up a dedicated database for information collection and analysis

2) Be clear about the crime tool and method, and find the key point

3) Data organization and link analysis by software

Process Flow for Investigation

1) Primary data sourcing and collection

2) Primary data study and further collection & sourcing

3) Further Investigation

4) Suspect arrest and evidence collection

5) Follow-up

Primary data sourcing and collection

● A1 clue, informer, case claim, daily crime information collection and integration, sourcing

Primary data study and further collection & sourcing

● Study primary data, cross-check databases in the Police Department, search the Internet, and confirm the crime type in order to prepare the investigation

Further Investigation

● Phone record, check post, lawful intercept, tracking, location positioning, knowledge of crime organization and members

Suspects arrest and evidence collection

● Arrest all suspects, confiscate all evidence, check all computers, telephone records, booking records, etc.

Follow-up

● Follow-up investigation on related targets & evidence, and hunting for clues from other members to combat all gangsters

VoIP-based interception and data interception of 150 other Internet services

● Flexible implementation in multiple telecom operators
● Intercept all VoIP routes from different sources simultaneously
● Collect original pcap as well as reconstructed voice data for evidence in court
● Support all common VoIP codecs such as G.711 A-law, G.711 µ-law, G.726, G.729, iLBC
● Meet the requirements of state LI law and ETSI standards

LAN Internet Monitoring, Data Retention, Data Leakage Protection & IP Network Forensics Analysis Solution

Solution for:
● Route of Internet Monitoring/Network Behavior Recording
● Auditing and Record Keeping
● Forensics Analysis and Investigation
● Legal and Lawful Interception (LI)
● VoIP Tactic Server & Mediation Platform

E-Detective Standard System Models and Series (Appliance based): FX-30N, FX-06, FX-100, FX-120

Telco/ISP Lawful Interception

Play back of reconstructed VoIP audio file using Media Player

[Screenshot labels: Callee Phone #; Caller Phone #; IP Address; Duration; Date & Time]

● Source IP Address
● Telephone number of caller
● Telephone number of receivers/victims
● Date & time of calls
● Duration of calls
● Call content

Case Study of the Recent Investigation on Cyber Crimes

Lessons and Experience

Real Case on VOIP Investigation

Problem Here:

The most common tool used by a swindler group is the telephone. On arriving at the criminals' telecom room, police sometimes can’t do anything because they know nothing about the equipment and can’t track the IP phone source from the Internet.

● Group and Billing Systems
● Account information in SIP Gateway or IP-PBX Servers
● Detail CDR from SIP Gateway or IP-PBX Servers

VOIP Tracking from Swindler Group – Group and Billing System

Group System-Random to Call

Billing System-Call CDR

VOIP Gateway Investigation from Swindler Group – Track SIP Server

[Screenshot labels: Server IP; Account; Password]

VOIP Tracking from Operator – CDR of SIP Server

Callee ID and CDR of IP phone from ISP

Callee VOIP ID Caller Callee VAD Srvc- Redial

Initial Time Ans Time End time Interval

IP of VOIP ID

Key Points of Investigation

1) Aggressively hunting for intelligence

2) Don’t give up any follow-up opportunities, and carefully analyze any useful information

3) Active Lawful Intercept: tap into suspected lines, intercept phone number and IMEI, phones in China, interview resident houses, and clarify criminal organization, identity and location

Experience

1) Be familiar with laws and regulations, and understand what the target is and what the key evidence is. For example: find Chinese victim information and testimony through cooperation with Chinese Police after breaking a cross-strait swindler group in Taiwan. Otherwise, these criminals will not be prosecuted or will be found not guilty by the court.

2) Telecom equipment suppliers, telecom shops, network engineers, telecom engineers, telecom sales … network and telecom professionals are usually aware of the information and location of suspects.

Experience (continued)

3) Understand the calling flow and the accounts of the swindler group from the operator's side in order to find more background information from CRM and billing systems

4) Active Lawful Intercept: tap into suspected lines, intercept phone numbers to China

5) Carefully trail down: prepare information (time, place, behavior) in advance, trail by segment (so as not to expose oneself), identify the criminal from different sides

6) Use confiscated computers for investigation to find stronger evidence

Conclusion

Follow-up…

1) It is quite natural for criminals to use advanced ICT technologies. Humans are the key to every criminal act. Although there may be no fault in the technology itself, humans may make mistakes in using it. Investigators are able to find the way out and combat these criminals.

2) Enhanced on-the-job technical training for police to improve investigative capability and understanding of criminal law

3) From the viewpoint of investigation, more horizontal coordination among all units in order not to waste resources. From the tactical viewpoint, more international and cross-strait cooperation to combat cross-border swindler groups

4) God will help those who work hard for justice

Q & A