Cyber Security Issues in South Korea and CSIRTs Cooperation September 17, 2014 Eunju Pak
AGENDA 01 LATEST NEWS 02 PHARMING 03 SMS PHISHING 04 CONCLUSION
01 Latest News
A GROUP OF CYBER FRAUD CRIMINALS WAS ARRESTED
Unfair profits: 1 billion KRW
Victims’ financial information stolen
Money withdrawn from their bank accounts
Caused by phishing sites, pharming sites and SMS phishing
02 Pharming Case
[Figure: Types of Malware in South Korea]
[Figure: Constant increase in the number of Phishing/Pharming Sites in South Korea]
Pharming Incident? Infection: web defacement
Pharming Incident? Falsification: hosts.ics falsified
Pharming Incident? Information Leak: victims’ bank account information leaked
JPCERT/CC’s ASSISTANCE NEEDED!
Japanese IPs misused by Korean pharming cases: SOS to JPCERT/CC
What JPCERT/CC is Doing:
Analyzing malware
Monitoring servers distributing hosts.ics
Discussing with relevant ISP (i.e., blocking sites)
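The falsification step above, seen from the defender's side: an added example (not from the original slides) that scans hosts-format text, such as a copy of hosts.ics, and reports every static mapping for a watched domain. The watchlist domains, sample file contents and IP addresses are constructed placeholders, and the code assumes hosts.ics uses the same line format as the Windows hosts file.

```python
import ipaddress

# Constructed watchlist: placeholder domains standing in for the banking and
# portal sites an organisation wants to protect (assumption, not from the slides).
WATCHED_SUFFIXES = ("bank.example", "portal.example")

# Constructed sample of a falsified hosts.ics, using documentation-range IPs.
SAMPLE_HOSTS_ICS = """\
# constructed sample
127.0.0.1 localhost
203.0.113.45 www.bank.example bank.example  # several names on one line
203.0.113.45\tWWW.Portal.Example.
198.51.100.7 intranet.corp.example
not-an-ip www.bank.example
203.0.113.45 evilbank.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each valid mapping in hosts-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a usable mapping
        for name in fields[1:]:
            # Normalise case and a trailing root dot before comparing names.
            yield line_no, str(ip), name.lower().rstrip(".")


def is_watched(hostname, suffixes=WATCHED_SUFFIXES):
    """True for a watched domain or any of its subdomains (label-aligned match)."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def find_pinned_watched_hosts(text, suffixes=WATCHED_SUFFIXES):
    """Return every static mapping for a watched domain; each one needs review,
    because such names are normally resolved through DNS, not a local file."""
    return [e for e in parse_hosts(text) if is_watched(e[2], suffixes)]


if __name__ == "__main__":
    for line_no, ip, host in find_pinned_watched_hosts(SAMPLE_HOSTS_ICS):
        print(f"line {line_no}: {host} pinned to {ip}")
```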
03 SMS Phishing Case
The more smartphone users there are, the more SMS phishing damage increases
Damage Amount of SMS Phishing in South Korea (Source: NPA; Unit: KRW)
2012: 569M
2013: 5,733M
FH 2014: 330M
SMS Phishing Incident? Text Message Received: Promotion Coupon (for free), Link to the URL; Downloading; "Do you want to install?"
[Screenshot labels: Add bookmark, Copy the text]
SMS Phishing Incident? Malicious Application Installed:
① Check normal banking apps
② Download the additional malicious application
③ Require financial information
④ Send the PKI folder and financial information to a specific address
CNCERT/CC’s ASSISTANCE NEEDED!
Addresses of famous Chinese portals are misused for Korean SMS phishing incidents
What KrCERT/CC is Doing:
Providing CNCERT/CC with addresses, related evidence and samples
Requesting takedown of related addresses
What CNCERT/CC is Doing:
Analyzing and verifying malware samples
Coordinating with the relevant service provider to take down the misused addresses
Cooperation
What KrCERT/CC is doing for Global Collaboration:
Web Browser Notification to Infected PC Users:
Received infected IP list from trusted organization and partners
Web browser notification to infected PC users
Respond CVE (Adobe Flash Player):
Received malware distributing URLs, suspicious URLs
Request for proper actions to the distributing URLs
Support technical measures, extract & analyze logs
Web browser notification to infected PC users
[Notification screenshot: "WAIT!!! Remove malware from your PC"]
04 Conclusion
Actions Required
Each CSIRT has different capacities, rules,…
Each CSIRT team’s circumstances to be explored
Seek ways to collaborate to support incident handling
Develop information sharing protocol
Asia Pacific Computer Emergency Response Team
Forum of CSIRTs/CERTs in the Asia Pacific region since 2003
To help create a SAFE, CLEAN and RELIABLE cyber space in the Asia Pacific region through global collaboration
APCERT will maintain a trusted contact network of computer security experts in the Asia Pacific region to improve the region’s awareness and competency in relation to computer security incidents
THANK YOU