Internet Vulnerabilities & Criminal Activity

1
Internet Vulnerabilities Criminal Activity

• Phishing, Nigerian 419s, High-Yield Investment
  Programs (HYIP)
• 8.1
• 3/22/10

2
Phishing

• The criminally fraudulent process of attempting
  to acquire sensitive information such as
  usernames, passwords and credit card details by
  masquerading as a trustworthy entity in an
  electronic communication.

(Wikipedia.org)
3
Why ph ? Phishing History

• Original hackers
• phone freaks phreakers
• Term first used 1996
• Coined by hackers who conned AOL users into
  divulging their passwords
• Phish hacked account
• Phish traded as currency among hackers by 1997

4
How Phishing Works

• Victim receives an official looking e-mail from
  and ISP, online bank, or government agency
• Victim advised he/she must validate or his/her
  information to prevent dire consequences
• Victim clicks on provided link and is taken to a
  spoofed website
• Victim asked to enter personal information to
  validate/update his/her account
• User name, account number, credit card number,
  password, etc.

5
Phishing Techniques

• Social engineering
• Subject To restore access to your bank
  account..
• Link manipulation
• Casual observation leads victim to believe the
  link in e-mail is to legitimate web page
• Filter evasion
• Use of images rather than text

6
Phishing Techniques cont.

• Website forgery
• Address bar forgery
• Cross-scripting
• Man-in-the-middle attacks
• Phone phishing
• Phone message apparently from bank has victim
  call phishers using VOIP
• Vishing
• Other techniques
• Pop-up windows over legitimate bank sites

7
Spear Phishing

• An e-mail spoofing fraud attempt that targets a
  specific organization, seeking unauthorized
  access to confidential data
• E-mail appears to come from a trusted source
  usually within ones own company
• Likely to be conducted by "sophisticated groups
  out for financial gain, trade secrets or military
  information. NY Times
• Overcomes normal suspicions

8
Rock Phish

• No one really sure what it is
• Wikipedia - phishing tool
• Others - one of the most prominent phishing
  groups in operation
• Techno-savvy
• Specializes in European and U.S. financial
  institutions
• Responsible for 1/3 to 1/2 of all phishing
  e-mails sent in any given day
• Credit card fraud, money laundering

9
Rock Phish Demo

• http//www.youtube.com/watch?v6NviimO64qA

10
Phishing Costs

• 2.8 billion in 2006
• 3.2 billion in 2007
• 350 - 1244 per victim
• Most cost born by financial institutions

11
Phishing in 2009
APWG
12
Phishing Laws

• CAN SPAM Act
• Controls conditions under which unsolicited
  commercial e-mail may be sent
• Anti-phishing Act of 2004
• Did not become law

13
Problems for Law Enforcement

• Phishing web sites quickly move from one ISP to
  another
• 7 different servers in 12 days
• Average phishing web site active for only 54
  hours
• Web sites gone long before victim realizes he/she
  is a victim
• Webs sites have global location

14
Phishing Example
15
(No Transcript)
16
Phishing Example

• URL - http//mail.opmcm.gov.np/locale/ar/LC_MESSAG
  ES/online.lloydstsb.co.uk/customer.ibcWT.achpIBlo
  gon/
• 202.45.147.69 is from Nepal(NP) in region
  Southern and Eastern Asia

17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
Pharming

• Redirecting one web sites traffic to another web
  site.

23
Nigerian 419s

• An advance-fee fraud in which the target is
  persuaded to advance sums of money in the hope of
  realizing a significantly larger gain.

(Wikipedia.org)
24
Nigerian 419 e-mail scams

• Advanced Fee Fraud - (AFF)
• 419 - Nigerian criminal code
• Originated in early 1980s as Nigerian oil
  profits declined
• One of Nigerias most important export
  industries
• Many variations

25
419 Elements

• Scammers use Internet Cafes / Spoofed web sites
• Official sounding introduction and
  correspondence
• Uses name of real individual
• May use religious theme

26
419 Elements cont.

• Knows about a large sum of money that scammer
  cannot directly access
• Victim offered 10 - 40 of money for assisting
  scammer
• Victim asked to send money to assist scammer in
  accessing large fund
• Amount asked for may be large, but not in
  comparison to promised portion
• Funds transferred by untraceable wire transfer

27
419 Elements cont.

• If victim is hooked, scammer will continue to ask
  for funds for various purposes
• Once victim has invested in scam, he/she will
  feel the need to see the deal through
• Victim may be scammed a second time by scammer
  pretending to be law enforcement or government
  official

28
Problems for Law Enforcement

• Anonymity
• Jurisdiction
• Untraceable wire transfer
• Prosecutions by Nigerian government have become
  opportunities for bribery

29
Example Recent 419 Scam
30
High-Yield Investment Programs

• A type of Ponzi scheme, which is an investment
  scam that promises an unsustainably high return
  on investment by paying previous investors with
  the money invested by newcomers.
• (Wikipedia.org)

31
Ponzi Scheme

• Ponzi schemes are a type of illegal pyramid
  scheme named for Charles Ponzi, who duped
  thousands of New England residents into investing
  in a postage stamp speculation scheme back in the
  1920s. Ponzi thought he could take advantage of
  differences between U.S. and foreign currencies
  used to buy and sell international mail coupons.
  Ponzi told investors that he could provide a 40
  return in just 90 days compared with 5 for bank
  savings accounts. Ponzi was deluged with funds
  from investors, taking in 1 million during one
  three-hour period and this was 1921! Though a few
  early investors were paid off to make the scheme
  look legitimate, an investigation found that
  Ponzi had only purchased about 30 worth of the
  international mail coupons.

32
HYIP Operators

• Set up web site offering investments
• Promised returns of 45 per month, 6 per day
• No details offered on underlying investments
• Incorporate in countries with lax investment laws
• Web sites frequently infect visitors with malware

33
HYIP Monitor Sites
http//lifehyips.net/
34
HYIP Web Site
35
(No Transcript)
36
Start Your Own HYIP
37
HYIP and US Law

• HYIP is a fraud
• Prosecution by the SEC - Security Exchange
  Commission
• Problems
• Anonymity
• Jurisdiction