Title: How to Investigate
1 How to Investigate
2 WhoIs behind the scam?
- Who are the individuals who own that Web Site?
3 Introduction
This section is from http://www.cs.uml.edu/pkrolak/91-113/DarkSideOfInternet.ppt
4 Spam
- Spam is electronic junk mail that clogs our internet like the fatty canned meat of the same name clogs our arteries.
- Communication lines back up at an alarming rate,
- Storage is gobbled up,
- Servers and processors thrash, and
- Users are irritated at best, incapacitated at worst.
- Spam costs the ISPs and others a fortune to prevent and/or to remove.
- At its worst, spam is used by scammers, hackers, and others to market to and prey on literally millions of users at a very low cost.
Source: http://www.unt.edu/benchmarks/archives/2005/february05/spamandcookiescolor.gif
5 Spam
- What is Spam?
  - Junk email: unwanted, resource robbing, and often containing viruses, worms, and scams.
- Why is it an increasing problem?
  - Spam is the fastest growing component of messages on the Internet; it consumes bandwidth and storage, and angers the user. ISPs and some consumer groups are attempting to shut down the worst offenders.
  - Spam as harassment.
  - Spam as DoS (Denial of Service) attack.
  - Spam as Phishing (an attempt to obtain a person's ID, password, etc., by pretending to be a legitimate request).
- What can be done about it? (Discussion questions)
  - Closing down ISPs that permit email relaying (Is this too draconian?).
  - Apply filters and tools to remove it (Can they be by-passed?).
  - Lobby for federal legislation to create civil and criminal penalties for those who send Spam. (Does this interfere with free speech?)
  - A recently passed law to prosecute commercial spammers. (When is Internet advertising legitimate and when is it Spam?)
6 Why Estimate the Cost of Spam?
- Important for policy reasons to know the severity of the problem; helps in assigning priority to the issue
- To determine which economic actors have to bear costs; also important in focusing on solutions
- Spam imposes a negative externality on society (similar to pollution in the manufacturing economy): economic damage and cost borne by third parties, resulting in an overall loss of welfare for society
- If the costs of spam are unacceptable then mechanisms have to be put in place to change the behavior of producers of spam
- Provides a metric to let the punishment fit the crime.
- The market itself does not provide a mechanism to correct for costs inflicted by spam. If economic solutions are used to combat spam, cost data can help determine the prices applied to reduce or eliminate spam
Source: http://www.oecd.org/dataoecd/47/5/26618988.pdf
7 Spam Impact on Consumers
- E-mail has value to the recipient which varies with the content and should at least equal the processing cost
- Each e-mail entails the same receiving/processing cost for the consumer. For spam the value of the e-mail content is negative, and to this must be added the processing cost
- If the amount of spam received is extremely high it could conceivably outweigh the positive value of receiving e-mail
- Costs to consumers for processing mail are declining as consumers switch to broadband from dial-up (where time-based Internet access charges exist) and because of quicker download times
- But the increase in the volume of spam is likely to result in a net increase in costs: if you can go fast but you produce crap, all you get is more crap
Source: http://www.oecd.org/dataoecd/47/5/26618988.pdf
8 Overall Cost: Some Estimates
- Reduced use of an efficient and cheap means of communications among economic actors slows down the growth of e-commerce and the development of the digital economy.
- Total economic impact of spam: estimates vary
  - Global cost conservatively estimated at 10 Billion (European Commission Study 2001)
  - Ferris Research (Jan. 2003) estimated that spam cost US companies 8.9 billion dollars in 2002. The same study estimated the cost of spam in Europe as US$2.5 billion.
  - UNCTAD (2003): 20 billion
  - Cost to the Hong Kong economy: 1.3 billion (HKISPA 2004)
  - 2 - 20 Billion per year and growing.
Source: http://www.oecd.org/dataoecd/47/5/26618988.pdf
9 CAN SPAM Law of 2003
- CAN-SPAM Act of 2003 (Pub. L. 108-187, S. 877)
- The Controlling the Assault of Non-Solicited Pornography and Marketing Act requires unsolicited commercial e-mail messages to be labeled (though not by a standard method) and to include opt-out instructions and the sender's physical address. It prohibits the use of deceptive subject lines and false headers in such messages. The FTC is authorized (but not required) to establish a "do-not-email" registry. State laws that require labels on unsolicited commercial e-mail or prohibit such messages entirely are pre-empted, although provisions merely addressing falsity and deception would remain in place. The CAN-SPAM Act took effect on January 1, 2004.
10 Crimes of Persuasion
- Crimes of persuasion are scams that appeal to people's greed, goodwill, or other emotions to get the victim to provide the access and assistance to the information, money or other resources that are the target of the criminal.
- In other words: A Con Game
11 Internet Scams
12 Internet Scams
- Scams over the Internet, unlike fraud and similar crime, can be difficult to detect, prosecute, and prevent, and easy to perpetrate.
- Email can be used to reach 250 million people with a simple program and a CD-ROM with the email addresses.
- Example: The African businessman who offers to split a large sum of money (like $20M) if he can only electronically wire it to your checking account. He also requires a (small) fee ($250) wired to his account to bribe fellow countrymen. Your fee and your bank account are immediately seen to vanish.
- See http://www.cnn.com/2000/TECH/computing/10/31/ftc.web.scams/
13 Internet Pyramid schemes
- What is a Pyramid Scheme?
- Pyramid schemes, also referred to as "chain referral", "binary compensation" or "matrix marketing" schemes, are marketing and investment frauds which reward participants for inducing other people to join the program. Ponzi schemes, by contrast, operate strictly by paying earlier investors with money deposited by later investors, without the emphasis on recruitment or awareness of participation structure.
- Pyramid schemes focus on the exchange of money and recruitment. At the heart of each pyramid scheme there is typically a representation that new participants can recoup their original investments by inducing two or more prospects to make the same investment.
- For each person you bring in you are promised future monetary rewards or bonuses based on your advancement up the structure. Over time, the hierarchy of participants resembles a pyramid as newer, larger layers of participants join the established structure at the bottom.
Source: http://www.crimes-of-persuasion.com/Crimes/Delivered/pyramids.htm
14 Internet Pyramid schemes (more)
- They say you will have to do "little or no work because the people below you will". You should be aware that the actual business of sales and supervision is hard work. So if everyone is doing little or no work, how successful can a venture be? Too good to be true!
- The marketing of a product or service, if done at all, is only of secondary importance, in an attempt to evade prosecution or to provide a corporate substance. Often there is not even an established market for the products, so the "sale" of such merchandise, newsletters or services is used as a front for transactions which occur only among and between the operation's distributors.
- Therefore, your earning potential depends primarily on how many people you sign up, not how much merchandise is sold.
- When the Pyramid gets too big, the whole scheme collapses, and the people who lose are the people at the bottom.
15 Internet Pyramid schemes (more)
- Pyramid schemes are not the same as Ponzi schemes, which operate under false pretences about how your money is being invested and normally benefit only a central company or person, along with possibly a few early participants who become unwitting shills.
- Pyramid schemes involve a hierarchy of investors who participate in the growth of the structure, with profits distributed according to one's position within the promotional hierarchy, based on active recruitment of additional participants.
- Both are fraudulent, because they induce an investment with no intention of using the funds as stated to the investor.
16 Email Fraud
- Fraud has existed perhaps as long as or longer than money. Any new sociological change can engender new forms of fraud, or other crime.
Source: http://en.wikipedia.org/wiki/Email_fraud
17 Email Fraud
- Almost as soon as e-mail became widely used, it began to be used to defraud people via e-mail fraud.
- E-mail fraud can take the form of a "con game" or scam.
- Confidence tricks tend to exploit the inherent greed and dishonesty of their victims: the prospect of a 'bargain' or 'something for nothing' can be very tempting.
- E-mail fraud, as with other 'bunco schemes', relies on naive individuals who put their confidence in get-rich-quick schemes such as 'too good to be true' investments or offers to sell popular items at 'impossibly low' prices. Many people have lost their life savings due to fraud. (Including e-mail fraud!)
18 Avoiding e-mail fraud
- E-mail fraud may be avoided by:
  - Keeping one's e-mail address as secret as possible,
  - Ignoring unsolicited e-mails of all types, simply deleting them,
  - Not giving in to greed, since greed is the element that allows one to be 'hooked', and
  - If you have been defrauded, report it to law enforcement authorities -- many frauds go unreported, due to shame, guilty feelings or embarrassment.
Source: http://en.wikipedia.org/wiki/Email_fraud
19 Identity Theft on the Internet
- Identity theft involves finding out the user's personal information and then using it to commit fraud and other crimes.
20 Identity Theft
- "But he that filches from me my good name
  Robs me of that which not enriches him
  And makes me poor indeed." - Shakespeare, Othello, Act III, Scene III.
21 What is Identity Theft?
- A Federal crime where someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.
- In 2004, almost 250,000 claims of Identity Theft within the US alone (11000)
- More than $500 million in reported losses
Source: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf
22 Categories of Identity Theft
- According to the non-profit Identity Theft Resource Center, identity theft is "sub-divided into four categories:
  - Financial Identity Theft (using another's name and SSN to obtain goods and services),
  - Criminal Identity Theft (posing as another when apprehended for a crime),
  - Identity Cloning (using another's information to assume his or her identity in daily life) and
  - Business/Commercial Identity Theft (using another's business name to obtain credit)."
Source: http://en.wikipedia.org/wiki/Identity_theft
23 Tiger Woods
- A man who used Tiger Woods' identity to steal $17,000 worth of goods was sentenced to 200 years-to-life in prison.
- Anthony Lemar Taylor was convicted of falsely obtaining a driver's license using the name Eldrick T. Woods, Woods' Social Security number and his birth date.
- Though he looks nothing like golf's best player, the 30-year-old Taylor then used the false identification and credit cards to buy a 70-inch TV, stereos and a used luxury car between August 1998 and August 1999.
- Judge Michael Virga gave Taylor the maximum sentence under California's three-strikes law...
24 Identity Theft by Age
Source: http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf
25 Identity Theft
- Identity Theft: the acquiring of personal and financial information about a person for criminal purposes.
- Your Social Security Number, credit card numbers, and passwords on your machine can be used to gain information about you from web sources.
- Once the information is gained it is used to charge large amounts for plane tickets, etc.
- The criminal can also assume your identity for fraud and terrorism.
- Some rings communicate the data gathered to accomplices in other countries where the fraudulent charges are actually made.
- It can take up to 18 months and thousands of dollars to restore your credit.
- See http://www.newsfactor.com/perl/story/15965.html
26 The role of private industry and government in identity theft
27 Techniques for obtaining information
- Low Tech: Social Engineering
  - Stealing (snail) mail or rummaging through rubbish (dumpster diving)
  - Eavesdropping on public transactions to obtain personal data (shoulder surfing)
  - Obtaining castings of fingers for falsifying fingerprint identification
- High Tech: Internet Approaches
  - Stealing personal information in computer databases: Trojan horses, hacking, including theft of laptops with personal data loaded.
  - The infiltration of organizations that store large amounts of personal information
  - Impersonating a trusted organization in an electronic communication (phishing).
  - Spam (electronic): Some, if not all, spam entices you to respond to alleged contests, enter into "Good Deals", etc.
  - Browsing social network sites (MySpace, Facebook, Bebo etc.) online for personal details that have been posted by users in public domains.
Source: http://en.wikipedia.org/wiki/Identity_theft
28 What is Pharming?
- Pharming is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect traffic from that website to another web site.
- DNS servers are the machines responsible for resolving internet names into their real Internet Protocol (IP) addresses - the "signposts" of the internet (e.g., Good_Stuff.com will translate to an address like 152.145.72.30, i.e. four groups of base 8 (octal) numbers in IP version 4 (IPv4), or eight groups in base 16 (hex) in IP version 6 (IPv6)). The Internet has thousands of DNS servers, each one a target for determined hackers.
29 Phishing
- What is Phishing?
  - Using email or web sites that look like authentic corporate communications and web sites to trick people into giving personal and financial information.
  - The FBI sees this as a fast growing form of fraud that can lead to theft of identity.
- See http://www.crimes-of-persuasion.com/Crimes/Delivered/internet.htm
30 What is Phishing?
- phishing (also known as carding and spoofing)
- n.
- 1. The act of attempting to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business with a real need for such information in a seemingly official electronic notification or message (most often an email, or an instant message).
Source: http://en.wikipedia.org/wiki/Phishing
31 Phishing Example
From: eBay Billing Department <aw-confirm@ebay.com>
To: you@uml.edu
Subject: Important Notification
This link points to a bogus site that often will infect and attempt to corrupt or steal data from your computer, or coerce you into divulging private information when you access it.
- Register for eBay
- Dear valued customer
- Need Help?
- We regret to inform you that your eBay account could be suspended if you don't re-update your account information. To resolve this problems please click here and re-enter your account information. If your problems could not be resolved your account will be suspended for a period of 3-4 days, after this period your account will be terminated.
- For the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.
- Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. Please note that this suspension does not relieve you of your agreed-upon obligation to pay any fees you may owe to eBay.
- Regards,
- Safeharbor Department
- eBay, Inc
- The eBay team.
- This is an automatic message. Please do not reply.
Source: http://en.wikipedia.org/wiki/Phishing
32 Spoofing
- Spoofing
- E-mail sent from someone pretending to be someone else is known as spoofing. Spoofing may take place in a number of ways. Common to all of them is that the actual sender's name and the origin of the message are concealed or masked from the recipient. Many, if not most, instances of e-mail fraud use at least minimal spoofing, as most frauds are clearly criminal acts. Criminals typically try to avoid easy traceability.
Source: http://en.wikipedia.org/wiki/Email_fraud
33 Methods to Steal an Identity
- TCP Spoofing
  - Establish a fake session and act toward the user like the real application the user thought was connected.
  - Can be done by substituting valid access software with hacked software after compromising a host or server machine
- DNS Spoofing
  - Mentioned previously
  - Substitutes a fake IP address for the real one in the DNS table
- Typo Squatting (e.g. www.goolge.com)
  - Set up a real web site with a URL that represents a common typo. Make the site look enough like the real one and try to get passwords, ID, etc.
  - Similar to phishing, but the phish catches himself!
35 Your Goal
- Identify the people who are behind the Spam
- You want NAMES and Civic Addresses, but be ready for the sad reality: the chances are very small that you will ever find them, but you will bring to light all the tools they are using to hide their real identity,
- And this is INFORMATION, because this tells you that the SPAM is a SCAM, and these people are criminals
36 Their Goals
- At the end of the investigation you will discover the goals pursued by the spammers:
  - 1 - Have you send them money (Nigerian scam / buy their cloned products / medicine) (maybe they will never ship anything, but they will get your money)
  - 2 - Steal your personal information by making you believe that you must enter your information to win something
  - 3 - Enroll your computer as a zombie: your computer is infected by a Trojan when you visit their website and is then used to spam other people to do 1 or 2
37 What to do at the end of your investigation
- This is explained at the end of this presentation (part 5)
38 PART 1
- List of steps to follow for a SPAM investigation
39 Typical List of Steps to investigate a SPAM Case
- 1) You need the email (body) AND the header of the email.
  - How to see the email header depends on the email client you are using
- 2) You divide your research into 2 parts:
  - Finding information about the sender (spammer)
  - Finding information about the target (the website where the spammer wants you to go)
40 List of Steps
- 3) For researching who the spammer is and for researching who is behind the target web site, you follow pretty much the same series of steps
- 4) Use nslookup to find the IP address of a domain name
- 5) Use the IP address to find who owns this address.
  - Most of the time you will see that the address is in a block of addresses that have been assigned to an ISP or to a Web Hosting Company
41 List of Steps
- 6) ISPs have large blocks of addresses, typically N x 256 x 256
  - If it is an ISP, then the spammer has a fixed IP address (no need to run DHCP), and it should be relatively easy to identify who is leasing this IP address
  - Google with the IP address, the domain name, part of the message
42 List of Steps
- 7) Web Hosting Companies have smaller blocks of addresses, typically N x 256 x 256 and N = 1, 2 or 3
  - The WhoIs queries tell you the name of the company who owns the block of addresses
43 List of Steps
- 8) Google for the domain name of the spammer and the name of the web hosting company.
  - You should find the name of the registrant: the individual or the company WHO has registered the domain name that is attached to that IP address.
  - Sometimes the name of the registrant is a small company that is itself a Registrar, and operates as an intermediary (front) between the real customer (here, the spammer) and the big registrars
  - Note that some of these intermediate companies do not really check the validity of the information provided by the customer: fake telephone numbers, no civic address, or a postal box are all OK!
44 Additional Note: Registries and Registrars
- A Registry is an organization that assigns IP addresses (typically to ISPs)
  - There are 5, each for one continent (AFRINIC, ARIN, LACNIC, APNIC and RIPE)
  - See part 2 of this presentation
  - You use WhoIs to query the registries
- A Registrar is a company that attaches a domain name to an IP address (www.uml.edu -> 129.63.176.200)
- Read on the web to learn more about Registries and Registrars
45 List of Steps
- Google then for the missing information; use anything you already know
  - Track the names of the small fish
  - The telephone numbers (sometimes the company is officially in one country and the tel. no. in another country)
  - Parts of the body of the message
46 PART 2
- Understanding how the Registries work
47 Every computer needs an IP address to be accessible from other hosts on the Internet
- An IP address is a unique identifier of a computer
- You buy an IP address from your ISP, and your ISP buys blocks of addresses from a Registry
- There are 5 Registries, each managing one region of the world
48 The search is based on the IP address
49 When should you use the information maintained by registries?
- Every time you want to know more about a website, especially when you suspect that the site is a rogue web site
- e.g. you have received an unsolicited email asking you to go to a web site you have never heard of before
51 When you want to know who owns a website, you query the databases of these Registries
52 Enter the IP address
- The databases of these registries are based on the IP addresses that they have assigned
- If you do not know the IP Address of a domain, first you need to run nslookup
53 Registries maintain Databases that can be searched using a web browser
- The search box is always on the home page of the Registry
54 AFRINIC
AfriNIC is a non-government, not-for-profit, membership-based organization, based in Mauritius, that serves the African Internet Community. AfriNIC is the Regional Registry for Internet Number Resources for Africa. Membership is open to anybody.
55 APNIC
http://www.apnic.net/
- The Asia-Pacific Network Information Centre
- maintains the public Whois Database for the Asia Pacific region
Headquarters in Brisbane, Australia
The Whois search box is in the upper right corner
56 ARIN
- American Registry for Internet Numbers
- is the Regional Internet Registry (RIR) for Canada, many Caribbean and North Atlantic islands, and the United States.
- ARIN manages the distribution of Internet number resources.
- Headquarters in Fairfax County (VA), USA.
https://www.arin.net/
The Whois Search Box is in the upper right corner
57 LACNIC
- The Latin America and Caribbean Network Information Centre is the Regional Internet Registry for the Latin American and Caribbean regions.
- LACNIC provides number resource allocation and registration services that support the global operation of the Internet. It is a not-for-profit, membership-based organization whose members include Internet Service Providers and similar organizations.
http://www.lacnic.net/en/
Headquarters in Montevideo, Uruguay
The Whois Search Box is in the upper right corner
58 RIPE
Regional Internet Registry for Europe, the Middle East and parts of Central Asia. Headquarters in Amsterdam, the Netherlands.
- http://www.ripe.net/
- Enter the IP address in the database search box (in the middle of the page, on the right)
- This is a different search box from the search engine that searches the RIPE web site
59 Five Registries?
- When you want to know who owns an IP address,
  - You clearly do not know where in the world this IP Address is
  - You do not know which of these 5 registries you should search
- OK, just get IP2C, a portable freeware tool that will query the 5 registries for you using a nice GUI
  - http://web.newsguy.com/lmgava/code/Download.php?a ip2cfip2c_1.0.12.zip
  - Unzip, run, enter the IP address
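Steps 5 to 8 of Part 1 and the five-registries question above both come down to reading what a registry's WhoIs record says about an address block. The Python below is an added example, not part of the presentation or of the IP2C tool: it parses constructed ARIN-style and RIPE-style records (the key names NetRange/inetnum, OrgAbuseEmail/abuse-mailbox and IANA's refer: are the registries' real ones; the values are made up and the ranges are documentation or reserved space, not real allocations), measures the block in the slides' N x 256 x 256 terms, checks whether the spammer's IP really falls inside it, picks out the abuse contact you would report to in Part 5, and shows the plain port-43 WhoIs query for when you are online.

```python
import ipaddress
import socket

# Constructed records in the registries' key: value layout. Values are made up;
# 203.0.113.0/24 is documentation space and 240.0.0.0/16 is reserved space.
ARIN_STYLE = """\
NetRange:       203.0.113.0 - 203.0.113.255
NetName:        EXAMPLE-HOSTING
Organization:   Example Hosting LLC (EHL-1)
OrgAbuseEmail:  abuse@example-hosting.invalid
"""
RIPE_STYLE = """\
% constructed comment line, skipped by the parser
inetnum:        240.0.0.0 - 240.0.255.255
netname:        EXAMPLE-ISP
abuse-mailbox:  abuse@example-isp.invalid
"""
IANA_STYLE = "refer:        whois.arin.net\nsource:       IANA\n"

RANGE_KEYS = ("NetRange", "inetnum")            # ARIN vs the other four RIRs
ABUSE_KEYS = ("OrgAbuseEmail", "abuse-mailbox")

def parse_record(text):
    """'key: value' lines -> dict; first value wins, blank and %/# lines skipped."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() not in record:
            record[key.strip()] = value.strip()
    return record

def net_range(record):
    """(first, last) address of the block, whichever registry wrote the record."""
    for key in RANGE_KEYS:
        if key in record:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in record[key].split("-"))
            return lo, hi
    raise ValueError("record has no NetRange/inetnum line")

def block_size(record):
    lo, hi = net_range(record)
    return int(hi) - int(lo) + 1

def block_class(record):
    """The slides' rule of thumb: ISPs hold N x 256 x 256 blocks, hosters smaller ones."""
    n, remainder = divmod(block_size(record), 256 * 256)
    return "ISP-sized (%d x 256 x 256)" % n if n and not remainder else "hosting-sized"

def contains(record, ip):
    """Does the spammer's IP really fall inside the block this record describes?"""
    lo, hi = net_range(record)
    return lo <= ipaddress.ip_address(ip) <= hi

def abuse_contact(record):
    """The mailbox to report to (Part 5: report SPAM to the spammer's ISP)."""
    return next((record[k] for k in ABUSE_KEYS if k in record), None)

def referral(record):
    """IANA's answer to 'which of the five registries?': its refer: line."""
    return record.get("refer")

def whois_query(server, query, port=43):
    """Raw WhoIs over TCP port 43 (RFC 3912); needs the network, not used offline."""
    chunks = []
    with socket.create_connection((server, port), timeout=10) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")

if __name__ == "__main__":
    rec = parse_record(ARIN_STYLE)   # spammer IP below is constructed
    print(block_class(rec), contains(rec, "203.0.113.45"), abuse_contact(rec))
```

Online, `parse_record(whois_query("whois.iana.org", ip))` gives the refer: server, and the same call against that server gives the record the other functions read.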
60 Additional Resources
- WhoIs for TLD .ru
  - http://whois7.ru (Russia Region - English)
- http://whois.twnic.net for Taiwan
- One website listing the blacklisted websites
  - http://www.joewein.de/sw/dbl-update/2011-03-28.htm
61 Additional WhoIs Resources
62 PART 3
- Searching the registrars
- Input: IP address / Domain Name
63 Information on who has registered a domain
- http://whois.domaintools.com
- Example
  - http://whois.domaintools.com/businessdevelopmentregistry.com
64 PART 4
- SCAM / SPAM tracking Forums
65 The Spam Fighters
- http://www.joewein.de/sw/dbl-update/
- SPAMCOP
  - http://en.wikipedia.org/wiki/SpamCop
  - http://www.spamcop.net/
- The SPAMHAUS Project
  - http://en.wikipedia.org/wiki/Spamhaus
  - http://www.spamhaus.org/
66 SPAM TRACKERS
- http://rbls.org/
  - Lists where a website is blacklisted
- List the Domains related with a specific domain
  - http://dnstree.com/
- Offers many services
  - http://www.robtex.com/
67 SPAM TRACKERS
- http://www.scamomatic.com/
- For the Lottery-type scam
  - http://www.419scam.org/
68 List of Web Tools
- http://www.dmoz.org/Computers/Internet/Protocols/DNS/Web_Tools/
- TRACK web sites infected with malware
  - http://support.clean-mx.de/clean-mx/viruses.php
  - http://malwaredomainlist.com
69 Read More
- http://scamoftheday.com/
- http://www.419scam.org/
70 Also Research the Telephone Numbers
- http://www.callwiki.com
- http://www.numberinvestigator.com/phone
71 PART 5
- You are now at the end of your investigation. Probably you cannot put a name to the email address that sent that spam email, but you now have a clear understanding that these people are criminals trying to steal the money, identity and computing resources of innocent people!
- What can you do next?
72 How to Report SPAM
- Report SPAM to:
  - The Spammer's ISP
  - Forums that track spam
- http://email.about.com/od/spamandgettingridofit/a/report_spam.htm
73 Happy WhoIsing!
74 Appendix - 1
- When you read the email header, you should know the following:
  - Bigfish, Forefront and Postini are software applications used to filter spam emails
  - They sometimes run on a different machine (not the email server); this explains private addresses such as 10.x.x.x appearing in the header
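Step 1 of Part 1 and this appendix both come down to reading the Received: chain of the header. The Python below is an added example, not part of the presentation: it parses a constructed message in the shape of the slide-31 phish (hostnames under .invalid, documentation and private addresses, no real sender), pulls the sending IP of each hop, skips private 10.x-style filter hops to find the public origin address that goes into the registry WhoIs, and compares the displayed From: domain with the envelope sender and the name the origin host announced, the disagreement slide 32 calls spoofing.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed spam message modelled on the eBay phishing example in slide 31.
# Hostnames use .invalid, addresses are private/documentation space, and the
# message is shown after passing a separate filtering host (see Appendix 1).
RAW_EMAIL = """\
Received: from filter.example-filter.invalid (10.20.30.40) by mx.uml.invalid with ESMTP; Mon, 28 Mar 2011 10:02:11 -0400
Received: from ebay.com (host-45.example-isp.invalid [203.0.113.45]) by filter.example-filter.invalid with SMTP; Mon, 28 Mar 2011 10:02:05 -0400
Return-Path: <bounce-7f3@example-isp.invalid>
From: eBay Billing Department <aw-confirm@ebay.com>
To: you@uml.edu
Subject: Important Notification

We regret to inform you that your eBay account could be suspended ...
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_private(ip):
    """RFC 1918 or loopback: an internal filter/relay, not the spammer, so no WhoIs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def received_ips(raw):
    """Sending-host IP taken from each Received: header, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for hop in msg.get_all("Received", []):
        sender_part = hop.split(" by ", 1)[0]   # "from <helo name> (<real host> [<ip>])"
        match = IPV4_RE.search(sender_part)
        if match:
            ips.append(match.group(1))
    return ips

def origin_ip(raw):
    """Walk the chain from the oldest hop upward and return the first public IP:
    that is the address to feed to the registry WhoIs (Part 1, step 5)."""
    for ip in reversed(received_ips(raw)):
        if not is_private(ip):
            return ip
    return None

def spoof_indicators(raw):
    """Compare the displayed From: domain with the envelope sender (Return-Path:)
    and with the name the origin host announced in its HELO."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    bounce_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    oldest_hop = msg.get_all("Received", [""])[-1].strip()
    helo = re.match(r"from\s+(\S+)", oldest_hop)
    return {
        "from_domain": from_domain,
        "return_path_domain": bounce_domain,
        "helo_name": helo.group(1).lower() if helo else "",
        "from_vs_return_path_mismatch": from_domain != bounce_domain,
    }

if __name__ == "__main__":
    print("hops, newest first:", received_ips(RAW_EMAIL))
    print("origin to look up in WhoIs:", origin_ip(RAW_EMAIL))
    print(spoof_indicators(RAW_EMAIL))
```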
75 Reference
- http://email.about.com/cs/spamgeneral/a/spam_headers.htm
- http://email.about.com/od/spamandgettingridofit/a/report_spam.htm