Trends in Cyber Crime: The Dark Side of the Internet
Sean B. Hoar, Assistant United States Attorney, United States Department of Justice
Presentation for the Computer & Internet Law Section for the Oregon State Bar Association, May 26th, 2011
The Internet... a new world...
In the time it takes for me to make this presentation:
– Over 37,000 blogs will be posted on the Internet
– Over 180,000 images will be uploaded to flickr
– Over 1,300,000 “tweets” will be sent on Twitter
– Over 8,330,000 people will log on to Facebook
– Over 42,000,000 videos will be watched on YouTube
– Over 118,000,000 searches will be conducted on Google
– Over 10,292,000,000 e-mails will be sent, 82% of which will be spam
Source: http://econsultancy.com/us/blog/7334-social-media-statistics-one-year-later
The Internet... life changing...
– The Internet has fundamentally changed our way of life: the way we work, play and communicate
– A forum for the best of our ideas and the worst of our deeds
– Insecure web infrastructure and technology produce dark opportunities: malware, intrusions, spam, financial fraud, intellectual property theft, sale of illegal substances, child exploitation...
Overview of presentation
– Backdrop: insecure web architecture
– Online criminal activity trends
– Federal offenses
  – Prosecution guidelines
– Investigations & prosecutions
– Significant digital evidence issues
  – Search & seizure
  – Discovery and litigation
Primary trend: creation & dissemination of malware
Malware (a contraction of "malicious software") refers to software developed for the purpose of doing harm. Malware can generally be classified based on:
– how it is executed
– how it is spread, and/or
– what it is intended to do
Malware generally takes the form of a virus, a worm, a Trojan horse, a backdoor, crimeware, or spyware.
Malware growth
Web insecurity:
– 225% growth in malicious web sites
– 95% of user-generated comments to blogs, chat rooms and message boards were spam or malicious
– 77% of Web sites with malicious code are legitimate sites that have been compromised, i.e. they are sites that you visit...
– 13.7% of searches for trending news/buzz words led to malware
Source: Websense Security Labs (4th Q 2009)
Malware dissemination
E-mail insecurity:
– 85.8% of all e-mails were spam
– 81% of e-mails contained a malicious link
– tens of thousands of Hotmail, Gmail and Yahoo accounts were hacked and passwords stolen and posted online
– phishing lures doubled in the second half of 2009, representing 4% of spam
– 58% of data-stealing attacks were done via the Web
Source: Websense Security Labs (4th Q 2009)
Malware sophistication
– Cyber criminals continue to go where the money is...
– Crimeware exploits continue unabated...
Malware’s global platform
Countries where most attempts to infect the web with malware occurred as of May 3,
The pollution begins at home...
Malware adaptation
Web infrastructure & use:
– The top 100 most visited Web properties are social networking sites and search engines.
– The next 1,000,000 most visited sites, the “known Web”, are primarily current events, regional and genre sites.
– The next 100,000,000 sites, the “long tail” of the Internet or the “unknown Web”, are junk, personal, and scam sites which are specifically set up for fraud and abuse.
Malware directed to $$
New generation of Web content targeted; the driving force behind cyber crime is $$.
– Social networking sites and search engines have evolved rapidly
  – Business growth is driving Web 2.0 adoption in the workplace
  – Consumer habits have shifted to Web 2.0 apps
– Because more businesses and consumers are using Web 2.0 sites, these sites are increasingly targeted for malicious purposes
Malware perpetrator turf wars
Zeus vs. Spy Eye:
– Trojan-making toolkits designed to give criminals an easy means of creating their own "botnet" networks of password-stealing programs
– These toolkits provide an option to delete other malicious code, e.g. the “Kill Zeus” option in Spy Eye
Attackers capitalize on major events
– Major events provide fodder for attacks designed to steal personal or business information
– Where there are major events there will be major scams
– Example: March 2011
  – Natural catastrophes: Japan earthquake/tsunami
  – Celebrity events: Elizabeth Taylor’s death
  – Political events: turmoil in Egypt, Libya, Yemen, Bahrain, Tunisia, Syria, etc.
Attackers capitalize on major events
– Malicious websites: content connected in some way to the event
– ‘Nigerian’ letters via e-mail: emotional requests for $$ to help the suffering
– Spam messages containing malicious links
– Tweets containing malicious links
Intrusions
– Network intrusions: identity theft, a multi-billion dollar industry...
– Critical infrastructure intrusions: domestic and international terrorism
  – Sensitive data
  – Sectors necessary to support society
– Distributed denial of service attacks: political statements; extortion
– Web site defacement: political statements; extortion
Intrusions/data mining
Identity theft/surreptitious software: keyloggers
– Exploit security flaws and monitor the path that carries data from the keyboard to other parts of the computer; more invasive than phishing, relying upon infection rather than deception
– Tens of millions of machines are infected with keyloggers, putting billions in bank account assets at the fingertips of fraudsters
– Monitoring programs are often hidden within e-mail attachments, files shared via peer-to-peer networks, or embedded in web pages, exploiting browser features
Data breaches: still a problem?
February 15, 2005: 163,000 ChoicePoint records were breached when fraudsters presented themselves as legitimate ChoicePoint customers, purchased data profiles on individuals, then used that data to commit identity theft. ChoicePoint settled with the FTC for $10 million in civil penalties and $5 million for consumer redress, and for $10,000,000 in a private class action suit.
Source: Privacy Rights Clearinghouse (...Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf)
Data breaches: still a problem?
June 16, 2005: over 40 million credit card accounts were exposed to potential fraud due to a security breach at CardSystems. Information on 68,000 MasterCard accounts, 100,000 Visa accounts and 30,000 other card brand accounts was confirmed exported by the hackers. The data exported included names, card numbers and card security codes.
Source: Privacy Rights Clearinghouse (...of-Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf)
Data breaches: still a problem?
April 27, 2011: Sony PlayStation Network hacked; 24,600,000 user accounts may have been compromised; 12,000,000 unencrypted credit card accounts may have been compromised.
Source: Privacy Rights Clearinghouse (...Data-Breaches_-_Privacy-Rights-Clearinghouse.pdf)
May 24, 2011: 533,686,527 total records breached from 2,503 data breaches made public since 2005 in the U.S.A. alone.
Data breaches increasingly expensive
– $204 per compromised customer record
– $6.75 million per data breach in 2009
– Sony says it has already spent over $121 million on the April 2011 data breach
Phishing continues to evolve...
Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.
Phishing via social engineering...
Social-engineering schemes use spoofed e-mails purporting to be from legitimate businesses and agencies to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as usernames and passwords.
Phishing via technical subterfuge
Technical subterfuge schemes plant crimeware onto PCs to steal credentials:
– often using systems to intercept consumers’ online account user names and passwords
– or corrupting local navigational infrastructure to misdirect consumers to counterfeit websites (or to authentic websites through phisher-controlled proxies used to monitor and intercept consumers’ keystrokes)
Password stealing software
The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December of 2008, an 827 percent increase from January of
Phishing reports
The number of unique phishing reports submitted to APWG in Q described a steady increase, with the number for June eclipsing the previous annual high of 30,577 for 2010 reached in March.
Unique phishing sites
The number of unique phishing websites detected by APWG during the second quarter of 2010 continued to be very high.
Phishing targets: where the $$ is...
The payment services sector has surpassed the financial services sector as the most targeted industry sector.
U.S.A. still the worst...
The U.S.A. continues to host more phishing sites than any other country.
Rogue anti-malware products...
Rogue antivirus products are some of the most efficient, and increasingly preferred, ways to victimize consumers. Unlike banking Trojans, where cybercriminals have to infect a PC, steal data, etc., a rogueware attack simply fools users into paying for worthless software, or forces them to make a ransom payment. The user is the one willing to pay in order to “disinfect” their PC, or free it from a cybercriminal’s control.
Rogue anti-malware
Cybercriminals profit faster by increasing the proportion of users who pay after downloading rogueware. These techniques saw a 13% quarterly increase, with new cybercriminals using ransomware, which won’t let you use your PC until you buy a ‘license.’
Malicious code evolution
– Crimeware: data-stealing malicious code designed to victimize financial institutions’ customers and to co-opt those institutions’ identities
– Generic data stealing: code designed to send information from the infected machine, control it, and open backdoors on it
– Other: the remainder of malicious code commonly encountered in the field, such as auto-replicating worms, dialers for telephone charge-back scams, etc.
50% of all computers are infected...
Spam... 9 out of 10 e-mail messages
4.1 billion e-mail messages were processed in March 2011 by the Hosted Infrastructure (over 134 million per day), of which 92.6% was spam; 84.1% of spam included an embedded URL, and 3.1% of spam e-mails were phishing attacks.
Financial fraud
Manifests in a variety of forms:
– Identity theft/carding
– Auction fraud
– Advance fee fraud/419 scams
– High Yield “Investment” Programs
– Pyramid schemes
– Pump-and-dump stock scams
– Pay-per-click advertising fraud
– Espionage
Intellectual property theft
IP theft: a huge international problem
– 90% of the software, DVDs, and CDs sold in some countries are counterfeit*
– The total global trade in counterfeit goods is more than $600 billion a year**
– IP theft costs U.S.A. businesses an estimated $250 billion annually, as well as 750,000 U.S.A. jobs***
* InformationWeek; ** World Customs Organization; Interpol; *** U.S. Department of Commerce
Child pornography/child exploitation
The manufacture and distribution of child pornography is one of the fastest growing businesses online, and the content is becoming much worse.
– More than 20,000 images of child pornography are posted every week.
– Approximately 20% of all Internet pornography involves children.
– Child pornography is more than a $3 billion annual industry.
– The number of Internet child pornography images has increased over 1500% in the past twenty years.
Sale of unlawful substances/information
– Unlawful sale/distribution of narcotics & other controlled substances
– Unlawful sale/distribution of classified information
– Illegal exports: violation of trade embargos
Common federal online offenses
– Computer fraud/intrusion, 18 U.S.C. § 1030
  – Computer intrusion resulting in the theft of information, 18 U.S.C. § 1030(a)(2)
  – Computer intrusion with intent to defraud, 18 U.S.C. § 1030(a)(4)
  – Computer intrusion with intent to damage, 18 U.S.C. § 1030(a)(5)
– Wire (Internet) fraud, 18 U.S.C. § 1343
– Identity theft, 18 U.S.C. § 1028(a)(7)
– Aggravated identity theft, 18 U.S.C. § 1028A(a)(1)
– Credit card fraud, 18 U.S.C. § 1029(a)(2)
– Threatening communications, 18 U.S.C. § 875(c)
– Cyber stalking, 18 U.S.C. § 2261A
– Criminal copyright infringement for financial gain, without financial gain, or distribution of work prepared for commercial distribution, 17 U.S.C. § 506 & 18 U.S.C. § 2319
– Economic espionage, 18 U.S.C. § 1831
– Trade secret theft, 18 U.S.C. § 1832
– Child pornography distribution, receipt, or possession, 18 U.S.C. § 2252A(a)(2) and (a)(5)
Prosecution guidelines for computer fraud (for U.S. Attorney’s Office in Oregon)
Computer fraud/intrusion related cases may be prosecuted where all of the elements of a federal criminal offense are present and there is a loss (or intended loss) of $70,000 or more or other aggravating factors exist. The federal offense requires one of the following factors:
– The offense involved espionage. 18 U.S.C. § 1030(a)(1);
– The victim is a financial institution or a federal government agency. 18 U.S.C. § 1030(a)(2) and (3);
– The offense affected use of a protected computer. 18 U.S.C. § 1030(a)(3);
– The offense was in furtherance of a fraud scheme. 18 U.S.C. § 1030(a)(4);
– The offense caused “damage” (see definition at § 1030(e)(8)). 18 U.S.C. § 1030(a)(5);
– The offense involved trafficking in passwords or similar information. 18 U.S.C. § 1030(a)(6). (See also 18 U.S.C. § 1029(a)(3) relating to possession of unauthorized access devices);
– The offense involved threats or extortion. 18 U.S.C. § 1030(a)(7).
Prosecution guidelines for computer fraud (for U.S. Attorney’s Office in Oregon)
If the loss is less than $70,000, the following aggravating factors may justify prosecution:
– The defendant has a prior criminal record, particularly one involving computers;
– The offense involved more than one victim;
– The offense involved sophisticated methods or a conspiracy;
– The offense involved abuse of a position of trust.
The above aggravating factors need not all be present and there may be other factors which justify prosecution on a case-by-case basis.
Prosecution guidelines for financial fraud (for U.S. Attorney’s Office in Oregon)
Financial fraud cases may be prosecuted where all of the elements of a federal criminal offense are present and there is a loss (or intended loss) of $70,000 or more or other aggravating factors exist. The following aggravating factors may justify prosecution when the loss is less than $70,000:
– The defendant has a prior criminal record;
– The offense involved more than ten victims;
– The offense was committed through mass marketing;
– The offense involved misrepresentation that the defendant was acting on behalf of a charitable, educational, religious, or political organization or a government agency; or
– The subject matter of the case involves a specific federal interest such as fraud against an Indian Tribe, health care fraud, bankruptcy fraud, fraud involving protected computers, or fraud against a federally-insured financial institution.
These aggravating factors need not all be present and there may be other factors which justify prosecution on a case-by-case basis.
Prosecution guidelines for copyright infringement (for U.S. Attorney’s Office in Oregon)
Cases involving the criminal infringement of copyright will be considered on a case-by-case basis. A significant factor in the charging decision should be the volume of counterfeited or pirated material. The role of a potential defendant in the counterfeiting or infringement scheme should also be considered and may be critical in proving criminal intent. While the potential civil remedy is not a substitute for criminal prosecution in appropriate cases, the availability of civil remedies should receive serious consideration. This will be especially true where there is a reasonable concern about substantive legal issues or where proof of criminal intent may be insufficient.
Prosecution guidelines for economic espionage/theft of trade secrets (for U.S. Attorney’s Office in Oregon)
Economic espionage and theft of trade secret cases may be prosecuted where all of the elements of a federal criminal offense are present and there is a loss (or intended loss) of $70,000 or more or other aggravating factors exist. The following aggravating factors may justify prosecution when the loss is less than $70,000:
(1) the defendant has a prior criminal record;
(2) the offense involved more than one victim;
(3) the offense involved sophisticated methods or a conspiracy;
(4) the offense involved abuse of a position of trust.
These aggravating factors need not all be present and there may be other factors which justify prosecution on a case-by-case basis.
Prosecution guidelines for child pornography (for U.S. Attorney’s Office in Oregon)
Assuming a provable child pornography case exists, cases may be prosecuted where the evidence establishes any of the following conduct by the potential defendant:
(1) sexual abuse of a minor;
(2) production of child pornography;
(3) importation of child pornography;
(4) distribution of child pornography for profit;
(5) origination of child pornography into cyberspace;
(6) intentionally furnishing child pornography to a minor for a sexual purpose;
(7) prior criminal conviction involving child pornography or sex offense.
Absent these factors, prosecution will nonetheless be considered where the evidence indicates that a defendant has (1) engaged in the distribution of a substantial quantity of child pornography without profit or received or possessed a substantial quantity of child pornography, exclusive of any materials obtained through a government sting operation; or (2) where a person in a position of trust with a minor (school teacher, foster parent, day care provider) receives or possesses child pornography. Absent any of the above factors, prosecution will be declined and matters involving small quantities of child pornography will be referred to state authorities.
Computer fraud/intrusions May 19, 2011
Computer fraud/intrusions/data mining April 21, 2011
Computer fraud/intrusions/data mining March 26, 2010
Computer fraud/intrusions/data mining December 23, 2009
Phishing/spam March 25, 2011
Phishing/spam February 8, 2010
Spam/stock fraud November 23, 2009
Economic espionage February 8, 2010
Intellectual property theft January 22, 2010
Intellectual property theft May 6, 2010
Intellectual property theft February 5, 2010
Nigerian scams February 17, 2010
Copyright infringement/auction fraud/identity theft: United States v. Mondello
Overview
– South Eugene High School graduate
– Computer genius
– University of Oregon student
– Between December 2005 and October 2007:
  – initiated thousands of separate online auctions
  – used more than 40 fictitious usernames and online payment accounts to sell copies of counterfeit software
  – generated more than $400,000 in personal profit
Copyright infringement/auction fraud/identity theft: United States v. Mondello
Scheme
– Mondello acquired victims’ names, bank account numbers and passwords by using a computer keystroke logger.
– The keystroke logger installed itself on victims’ computers and recorded the victim’s name and bank account information as the information was being typed.
– The program then electronically sent the information back to Mondello, who used it to establish fictitious usernames and online payment accounts.
Copyright infringement/auction fraud/identity theft: United States v. Mondello
Outcome
– Pled guilty to criminal copyright infringement, aggravated identity theft and mail fraud
– Consented to the forfeiture of more than $225,000 in cash proceeds, and also forfeited computer-related equipment used to commit the crime
– Sentenced to serve 48 months in prison
– Ordered to serve three years of supervised release and perform 450 hours of community service during that time
– Made an anti-piracy video for the RIAA
Internet fraud: United States v. Daniel Wheatley et al.
Overview
Profits4investingtoo.com was a High Yield Investment Program (HYIP) operated by Daniel Wheatley with the assistance of Sunshine Simmons and Edwin Garcia. It:
– claimed to be a long term high yield private loan program, “intended for people willing to achieve their financial freedom but unable to do so because they’re not financial experts.”
– claimed to be “backed up by investing in various funds and activities.”
– claimed that “profits from these investments are used to enhance our program and increase its stability for the long term.”
Internet fraud: United States v. Daniel Wheatley et al.
The scheme (“investment plans”)
Profits4investingtoo.com offered several “investment” programs.

38% daily
Plan     Amount             Daily profit (%)
Plan 1   $1 – $
Plan 2   $101 – $2,
Plan 3   $2,501 and more

day deposit: 156% after 4 days
Plan     Amount             Daily profit (%)
Plan 4   $5 – $
Plan 5   $101 – $1,
Plan 6   $1,001 – $4,
Internet fraud: United States v. Daniel Wheatley et al.
The scheme (“investment plans”)

10 day deposit: 425% after 10 days
Plan     Amount             Daily profit (%)
Plan 7   $10 – $
Plan 8   $501 – $2,
Plan 9   $2,501 – $4,

day deposit: 650% after 15 days
Plan     Amount             Daily profit (%)
Plan 10  $250 – $2,

Referral program
– Earn up to 9.00% of referral deposits
Internet fraud: United States v. Daniel Wheatley et al.
The scheme (payment processing)
– “Investors” were directed to use Stormpay or E-gold, money processors similar to PayPal, and to fund accounts with cash, credit cards, or checking accounts.
– They then directed their “investment,” via Stormpay, to Garcia’s Stormpay account. Wheatley recruited Garcia to process money through Garcia’s Stormpay account because Wheatley’s account had been shut down due to his involvement in a previous HYIP scheme.
Internet fraud: United States v. Daniel Wheatley et al.
The scheme (payment processing)
– Garcia directed Stormpay to wire investor money to his checking account. He then wired a portion of the money to Wheatley’s bank account.
– Between December 13, 2005, and March 8, 2006, 27,330 transactions were conducted through Garcia’s Stormpay account. These transactions included moneys invested, money paid to some investors with other investors’ money, and charge-backs resulting from customer complaints.
Internet fraud: United States v. Daniel Wheatley et al.
The scheme (payment processing)
– Money from new “investors” was used to pay old investor obligations, consistent with a “Ponzi” scheme. If investors were paid, it was not always on time nor for the amount promised.
– To delay investor complaints, Profit4investingtoo.com made a variety of representations, including that they were experiencing “denial of service” attacks, having other technical difficulties with the site, or were suffering personal medical emergencies.
Internet fraud: United States v. Daniel Wheatley et al.
The scheme (payment processing)
– In one 30 day period of time, $664, was wired into Garcia’s Stormpay account, $435,675 of which was wired to Wheatley’s bank account.
– None of the money was invested; it was spent on personal and real property, including a home in Springfield, Oregon, a 2005 Mercedes Benz C230, a 2004 Hummer, electronics, furniture and jewelry.
– When Profits4investingtoo.com finally shut down, all unpaid investors lost their money.
Internet fraud: United States v. Daniel Wheatley et al.
The outcome
– Wheatley pled guilty to Internet fraud and money laundering. Garcia pled guilty to Internet fraud. Simmons pled guilty to a tax violation.
– Wheatley was sentenced to 46 months, Garcia to 33 months, and Simmons to probation.
– All were ordered to pay restitution of $124,446.74, jointly and severally, to the 174 people who claimed to be victims...
– All seized proceeds of the fraud were forfeited, including a home in Springfield, Oregon, a 2005 Mercedes Benz C230, a 2004 Hummer, jewelry and furniture.
Digital evidence issues
– Right to privacy in stored communications
  – Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
  – United States v. Warshak, 631 F.3d 266 (6th Cir. 2010)
– Third party privacy interest in stored content
  – United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162 (9th Cir. 2010)
– Digital database creation and use
  – Investigation; discovery; litigation
Impediments to enforcement of cyber crime
– Technically complex subject matter
  – Lack of technically trained investigators, prosecutors, judges and jurors
  – Technical forensic process required to acquire and preserve evidence
– Time sensitive
  – Evidence may be fleeting
  – Special legal process may be required to acquire and preserve evidence
Impediments to enforcement of cyber crime
– Limited resources
  – Data intensive
  – Competes with other priorities
– Transnational
  – Separate sovereigns
  – Lack of treaties or dual criminality provisions
  – Slow, cumbersome MLAT process
  – Language barriers
Solutions to enforcement of cyber crime
– Increased human and monetary resources
  – Increased technical training
  – Adequate technology
  – Increased language training
– Increased international cooperation
  – Fundamental dual criminality standards between all countries
  – Expansion of informal networks for immediate assistance
Solutions to enforcement of cyber crime
– Increased international cooperation (continued)
  – Uniform financial standards for certain types of transactions/sites
  – Uniform financial standards for suspicious monetary transaction alerts
  – Uniform agreements to share seized assets, which constitute proceeds of fraud, with assisting agencies/governments