Information Security Association (ISA)
November 14, 2007
Leveraging Technology to Combat Fraud
Dan VanBelleghem, Technical Director Security and Systems Engineering Solutions, SRA
DISCLAIMER: Points of view or opinions expressed in this presentation do not necessarily represent the official position or policies of SRA or any past, future or present bosses.
About Me
• SRA
• Leading provider of technology and strategic consulting services and solutions, including systems design, development and integration; and outsourcing and managed services.
• Comprehensive information assurance practice integrating security architecture, risk assessments, and certification & accreditation. SRA’s IA practice is currently rated at NSA-CMM Level 3.
• Dan VanBelleghem
• Technical Director of SRA Security Systems and Engineering Solutions Team. Conducts security-related research and consulting activities, including providing strategic guidance to customers, analyzing network traffic for security-related incidents, and designing security solutions to maintain integrity and prevent loss of intellectual capital.
• Member of the faculty at the George Washington University’s Computer Security and Information Assurance program.
Agenda
• Introduction
• Attack Description
• Threats
• Recent Threat Examples
• Organized Crime
• Additional resources
• Q&A
Network Attack Methodology (diagram)
• Information Gathering
• Service Identification
• Vulnerability Analysis
• Exploit and Gain Access
• Denial of Service
• Create Backdoor
• Cover Tracks
• Trophy Hunting
2007 SRA International, Inc. - Proprietary
Attacks range from focused attempts for a specific target to random scans looking for a vulnerable victim.
Aim Versus Effect (diagram)
• Common attacks focus on the vulnerability of a component (e.g., poor authentication)
• Potential to affect the host system or platform
• Network becomes affected
• Which could impact a mission process
Layers shown on the slide, from technical architecture to operational architecture: Components, Systems, Networks, Mission Operations.
Customer Case Studies
• Common Security Assessment Findings
• Storage area networks with default administrative accounts
• Printers, switches and routers discovered with no authentication enabled
• Security officer’s files, including vulnerability reports, found on an open network share
• Databases discovered with default system accounts and passwords
Attack Sophistication
• Attack sophistication continues to increase while the amount of knowledge an attacker needs is decreasing
• Tools are getting better
• Script Kiddies
• Target the Internet for a known vulnerability; however, only 1 percent of the systems may be vulnerable. If you can scan 1 million hosts, you will find 10,000 vulnerable victims.
• Black Hats
• Will focus their attack on a specific victim or target.
Yesterday’s Attacks
• Common attacks in 2000 & 2001 were web defacements and Denial of Service attacks against your IRC foe.
• Hacker underground bragging rights
• Elevate IRC user control
• Fun and curiosity
• Old school tools include NetBus, Sub7, Back Orifice
• Open CD tray
• Remote administration
• Key logging
Today’s Attacks
• More focused on financial and identity theft
• Underground economy that exists to buy and sell financial and identity data
Common Attack Scenario (diagram)
• Scan for vulnerable web servers
• Exploit & escalate privileges (admin)
• Discover backend customer database
• Compromise customer database
• Capture credit card data
• Sell data in underground market
A parallel path shown on the same slide:
• Infect web server with bot code
• Users download bot & join bot herd
• Attacker builds army of zombies
• Key stroke logger
Threat Environment is Changing
• Gartner, via the March 2007 issue of CIO Decisions:
• "By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware. These attacks will evade traditional perimeter and host defenses. The threat environment is changing: Targeted attacks for financial gain are increasing, and automated malware generation kits allow simple creation of thousands of variants quickly. But our security processes and technologies haven't kept up."
Recent Security Breaches
• TJX
• 45.7 million user credit cards and debit cards were stolen over an 18 month period
• USDA
• Up to 63,000 Social Security Numbers for farmers receiving aid were disclosed
• University of Missouri
• Over 22,000 students’ PII compromised
Topic: Transnational Cyber-Crime
• Traditional Organized Crime: smuggling, trafficking, drugs, gambling, etc.
• Anonymity and financial lure have made cyber-crime more attractive
• Separation between the physical and virtual world. The virtual world is another universe where groups form and engage in illegal activities
• Organized cyber-crime groups can conduct operations without ever making physical contact with each other. All can be independent, anonymous cells.
• Organization can be networked or hierarchical
Motivation…
Who Are They?
• A highly organized criminal network based primarily in Eastern Europe
• Consist of specialized cells for specific functions – “a network of networks”
• Utilize web forums such as Carderportal, IAACA, Mazafaka, Shadowcrew, Carderplanet
• Inflict a significant amount of damage to the U.S. and international financial industry
Where are they?
• Global: All continents
• Concentrations in: Middle East, Eastern Europe, Russia, Brazil, SE Asia, USA.
What do they do?
• Conduct network intrusions on merchant processors
• Write viruses, malware, and trojans
• Use of spam/phishing to exploit eBay/PayPal users, banks, credit card users, online account holders, etc.
• Software piracy, illegal pharmaceuticals
• Escrow and auction fraud
• Use of compromised credit cards and compromised online accounts to conduct reshipping operations
Other Characteristics
• Geopolitical/Cultural Perspectives:
• Lax cyber-laws in some countries, but getting better
• Poorly funded, untrained, and inadequately equipped police forces with little expertise in cyber crime or computers
• Highly literate, educated, and skilled work force plus no jobs leads young adults to find creative ways to make “easy money”; little incentive to find a legitimate job.
• Part of the culture: young adults spending much of their day online.
Carding networks: past, present, future
Key Facts: ICA
• Formed: 2001 during a meeting in Odessa, Ukraine
• Founders: Dmitriy Golubov and Roman Vega
• 150 original members
• Status: The group’s members are still somewhat active, with many actors involved in other forums and groups
• Dozens have been arrested
Dmitriy Golubov “Script”: Arrested July 2005
Roman Vega “BOA”: Arrested May 2003
Inactive Sites: CarderPlanet, CarderPortal, Darkprofits, Dumpsmarket, IAACA, Mazafaka, ShadowCrew
Active Sites: Carders Market, Carders Army, Cardingworld, Darkmarket, The Grifters, TheftServices (IAACA), Mazafaka, Tanec Hackerov, Vendorsname, TalkCash, Carder.info
Carding Lingo
• Carder - Slang used to describe individuals who use stolen credit card account information to conduct fraudulent transactions.
• Carding - Trafficking in and fraudulent use of stolen credit card account information.
• Cashing - The act of obtaining money by committing fraud. This act can be committed in a variety of ways: the term can stand for cashing out Western Union wires, Postal money orders and WebMoney; using track data with PINs to obtain cash at ATMs or from PayPal accounts; or setting up a bank account with a fake ID to withdraw cash on a credit card account.
• CC - Slang for credit card.
• Change of Billing (COB or COBs) - Term used to describe the act of changing the billing address on a credit account to match that of a mail drop. This act allows the carder full takeover capability of the compromised credit card account and increases the probability that the account will not be rejected when being used for Internet transactions.
• CVV2 - CVV2 stands for credit card security code. Visa, MasterCard, and Discover require this feature. It is a 3 digit number on the back of the card.
• DDoS - Acronym for Distributed Denial of Service attack. The intent when conducting a DDoS attack is to shut down a targeted website, at least for a period of time, by flooding the network with an overflow of traffic.
• DLs - A slang term that stands for counterfeit or novelty driver's licenses.
• Drop - An intermediary used to disguise the source of a transaction (addresses, phones etc.).
• Dumps - Copied payment card information, at least Track 1 data, but usually Track 1 and Track 2 data.
• Dump checking - Using specific software or alternatively encoding track data on plastic and using a point of sale terminal to test whether the dump is approved or declined. This provides carders a higher sense of security for obtaining quality dumps from those who offer them and also a sense of security when doing in-store carding.
• Full info(s) - Term used to describe obtaining addresses, phone numbers, social security numbers, PIN numbers, credit history reports and so on. Full info(s) are synonymous with carders who wish to take over the identity of a person or to sell the identity of a person.
• Holos - Slang for the word holograms. Holograms are important for those who make counterfeit plastic credit cards to emulate an existing security feature.
• ICQ - An abbreviation for "I Seek You". ICQ is the most widely used instant messaging system for carders. Popular among Eastern Europeans in their Internet culture, it continues to be used for carding activity.
• IRC - An abbreviation for "Internet Relay Chat". IRC is a global system of servers through which users can conduct real-time text-based chat, exchange files, and interact in other ways.
• IDs - Slang for identification documents. Carders market a variety of IDs, including bills, diplomas, driver's licenses, passports, or anything that can be used as an identity document.
• MSR (Magnetic Strip Reader) - Device that can be used for skimming payment card information and/or encoding track information on plastic.
• Phishing - The extraction of information from a target using a hook (usually an e-mail purporting to be from a legitimate company). Phishers spam the Internet with e-mails in hopes of obtaining information that can be used for fraudulent purposes.
• POS (Point of Sale) - Acronym for a terminal through which credit cards are swiped in order to communicate with processors who approve or decline transactions.
• Proxies - Term used for proxy servers. The use of proxy servers to mask one's identity on the Internet is widely practiced amongst carders. Many vendors sell access to proxy servers, socks, http, https, and VPN (Virtual Private Networks), which aid in hiding the user's actual IP address when committing fraud or other illegal activity on the Internet.
• Track 1/Track 2 data - Track 1 and Track 2 data is the information stored on the magnetic stripe of a payment card that contains the account information.
How They Market Themselves
Stages of Carding (diagram)
• Collection: Acquisition of data
• Technical means
• Social engineering means
• Desired data:
• Account holder’s information
• Expiration date
• Primary Acct No. (PAN)
• PIN No.
• CVV No.
• Processing: Sell “dump” to data broker
• Production: Documents and merchandise
• Distribution: ATM cashing / reshipping
Collection of Data
• Technical methods:
• Skimming
• Hacking
• Malicious programs
• Social engineering:
• Phishing (via web or phone)
Collection via Phishing (chart: targeted industry sectors, as reported by the Anti-Phishing Working Group)
Metrics (a subset of Digital PhishNet data; source: Gary Warner, Copyright CastleCops®, 2 Nov 2006)
• 485 ‘harvest’ (‘drop’) e-mail accounts identified associated with phish
• 400 deactivated & evidence preserved
• Each ‘harvest’ account contains dozens to thousands of cards
• Average ‘value’ of each card is $5,000 according to several US Court Districts
• Realistic loss = $300 to $2,000 per card
• 400 accounts * 100 cards/account * $600/card = $24,000,000 USD
Processing and Production
• Processing includes filtering the credible data and selling to a data broker.
• Production can include:
• Fake documents: passports, licenses, birth certificates, etc.
• Fake credit cards:
• Dump data: Track 1 and 2
• An example of a “dump” (Track 1 and Track 2):
B412345123456789^John/Doe^06101011123400567000000;;412345123456789=061010111234005679991
• Data is recorded onto a blank “white card” via a Magnetic Strip Reader (MSR)
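The dump above follows the ISO/IEC 7813 magnetic-stripe layout: Track 1 is `B<PAN>^<NAME>^<YYMM><service code><discretionary>`, Track 2 is `;<PAN>=<YYMM><service code><discretionary>`. The defender's side of this slide is finding such records where they should not exist, since PCI DSS forbids storing full track data after authorization. The scanner below is an added example, not code from the presentation or from SRA: it recognizes both track layouts in arbitrary text (application logs, memory dumps, file shares), checks each PAN with the Luhn algorithm, and reports only masked PANs so the finding itself does not become another copy of the card data. The sample input is constructed: the slide's own dump plus two made-up POS log lines, one of which leaks Track 2 of the well-known Visa test number 4111111111111111. The slide's PAN does not pass the Luhn check, which is what you would expect from a synthetic example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Magnetic-stripe layouts (ISO/IEC 7813 format B), as the slide's dump shows them:
#   Track 1: B<PAN>^<NAME>^<YYMM><service code><discretionary data>
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>
# The ';' start sentinel is optional because leaked copies often drop sentinels.
TRACK1_RE = re.compile(r"B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})(\d*)")
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)")


@dataclass
class TrackFinding:
    track: int            # 1 or 2
    pan_masked: str       # first six and last four digits only (PCI DSS display rule)
    name: Optional[str]   # cardholder name, present on Track 1 only
    expiry: str           # YYMM exactly as encoded on the stripe
    service_code: str     # three-digit service code
    luhn_valid: bool      # False suggests a test or synthetic PAN rather than a live one
    offset: int           # character offset in the scanned text, for the incident record


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) check on a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text: str) -> List[TrackFinding]:
    """Return every Track 1 / Track 2 record found in text, PANs masked, ordered by offset."""
    findings: List[TrackFinding] = []
    for m in TRACK1_RE.finditer(text):
        pan, name, yy, mm, sc, _disc = m.groups()
        findings.append(TrackFinding(1, mask_pan(pan), name, yy + mm, sc, luhn_valid(pan), m.start()))
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, sc, _disc = m.groups()
        findings.append(TrackFinding(2, mask_pan(pan), None, yy + mm, sc, luhn_valid(pan), m.start()))
    return sorted(findings, key=lambda f: f.offset)


# Constructed sample: the slide's dump (a synthetic PAN) followed by two made-up POS log lines.
# The second line leaks Track 2 of the Visa test number; the third is noise that must not match.
SAMPLE_TEXT = (
    "B412345123456789^John/Doe^06101011123400567000000;;412345123456789=061010111234005679991\n"
    "2007-11-14 09:12:03 pos-term-07 DEBUG swipe=;4111111111111111=0810101000000000?\n"
    "2007-11-14 09:12:04 pos-term-07 INFO order=20071114091204000123 total=42.10\n"
)

if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_TEXT):
        print(f"track {f.track} at offset {f.offset}: PAN {f.pan_masked}, exp {f.expiry}, "
              f"service code {f.service_code}, Luhn valid={f.luhn_valid}, name={f.name}")
```

Running the block reports three findings: the slide's Track 1 and Track 2 (Luhn check fails, expiry 0610, service code 101) and the Track 2 leaked in the constructed DEBUG line (Luhn check passes); the 20-digit order number on the INFO line is not flagged because no `=` follows it. In a real deployment the findings, not the raw matches, are what go into the ticket or SIEM event.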
Distribution: Cashier/Reshipping
• ATM Cashing: Cashiers will receive “white plastic” cards and withdraw funds from an ATM machine.
• Reshipping Fraud: A scheme where a scammer overseas has purchased merchandise with illegal credit cards and has it shipped to a co-conspirator (aka reshipper), often in the USA. The reshipper repackages the item and sends it to a destination usually overseas. The reshipper is paid for his/her services.
Roles in the carding network (diagram)
1. Hacker/Programmer
2. Spammer
3. Data Broker
4. Documents & Merchandise
5. Reshipper/Cashier
6. Money Launderer
Handles shown on the slide: Vladuz, Bluetooth, DMS, KLAD, SINJII, BOA
Financial: Money Laundering
• Money Orders
• Western Union
• Speedy
• Highly anonymous
• Ability to pick up money worldwide
• Many outlets are owned by carders themselves
• PayPal
• Available currencies: Canadian Dollar, Euro, Pound Sterling, USD, Yen, Australian Dollar
• Easy setup
• All transactions logged
Financial: Money Laundering
• E-Gold
• Uses “virtual gold” for payment
• Cashout services available
• Webmoney.ru
• Z-Wallet accounts
• Easy transactions via the internet, cellphone, or Webmoney outlet (170 countries)
• Fee based cashout service
Mazafaka Screenshot
CardingWorld Screenshot
Where are they going?
Use of malicious code in the carding world (chart: phishing-based trojans and keyloggers, as reported by the Anti-Phishing Working Group)
International Challenges
• Cyber crime has no geographical boundaries
• Some countries are just starting to recognize the need for adequate cyber laws.
• Law enforcement cooperation is often based upon personal relationships.
• Hard for U.S. law enforcement to gain venue within the U.S. as many key targets are located overseas.
Questions
Who We Are – SRA
SRA is a leading provider of technology and strategic consulting services and solutions to clients in national security, civil government, and health care and public health.
We offer cutting-edge business solutions in a wide range of different areas, including:
• Business Intelligence
• Text & Data Mining
• Contingency & Disaster Response Planning
• Environmental Strategies
• Enterprise Architecture
• Wireless Integration
• AND
• Information Assurance & Privacy!
Who We Are – SRA Factoids
• Founded by Dr. Ernst Volgenau in 1978
• Began operations out of Dr. Volgenau’s Reston basement
• IPO in May 2002 (SRX)
• Stock Price = $29.51 (as of 11/13/07)
• 6,300+ employees (more than doubled in size in the last four years)
• 300+ government clients; 900+ active engagements
• Headquartered in Fairfax, VA; offices in 17 states, DC, France, Germany, & the United Kingdom
• $1.269 billion in revenue in FY07 (doubled in size in just three years)
• Goal $5 billion in revenue by FY12
• Chosen by Fortune magazine as one of the “100 Best Companies to Work For” for eight consecutive years
• Strong community service orientation (SRA “CARES” Committee) & environmental focus (SRA’s “Green Team”)
• Rolling out new college recruiting, internship, and co-op programs
• Major training and development initiatives underway (career paths and training opportunities)
• More than 200 immediately-billable open positions currently available
Who We Are – IA & Privacy
• Began operations with fewer than a half dozen practitioners c. 2000
• 200+ IA & Privacy professionals work within the practice today
• We have helped more than 300 federal information systems achieve certification and accreditation (C&A) and are currently performing physical- and cyber-security services Government-wide
• SRA’s IA analysts and engineers have obtained the highest professional certifications in the industry, including:
• NSA’s Information Assurance Methodology (IAM)
• NSA’s Information Engineering Methodology (IEM)
• Certified Information System Security Professional certification (CISSP)
• Certified Business Continuity Planner (CBCP)
• Project Management Professional (PMP)
• Certified Information System Auditor (CISA)
• Certified Information Security Management (CISM)
What We Do
• Forensics
• Penetration Testing
• Vulnerability Assessment
• Compliance
• Risk Assessment
• System Testing and Evaluation
• Incident Response
• Operations
• Staff Augmentation
• Security Awareness & Training
• Privacy
• FOIA