Graham Butler – Chairman Bitek Group of Companies © 2016
Cyber-laundering: dirty money digitally laundered
Tackling the illegal trade in the Digital world
Graham Butler
Special Presentation to the Academy of European Law, Budapest – March 2016
Co-funded by the Justice Programme of the European Union 2014-2020
Graham Butler – President and CEO Bitek © 2013
Supporting the Cyber-Security agenda
ERA (Academy of European Law) – Lisbon / Trier / Sofia / Brussels
Address: Threats to Financial Systems – VoIP, lawful intercept, money laundering
CTO (Commonwealth Telecommunications Organisation) – London
Address: Working group on strategic development for 2016-2020
ITU High level Experts Group – Cybersecurity Agenda – Geneva (United Nations)
Address: VoIP and P2P Security – Lawful Intercept
ENFSC (European Network Forensic and Security Conference) – Maastricht
Address: Risks of P2P in Corporate Networks
CTITF (Counter Terrorism Implementation Taskforce) – Seattle
Address: Terrorist use of encrypted VoIP/P2P protocols - Skype
Norwegian Police Investigation Section – Oslo
Address: Next Generation Networks – VoIP Security (fixed and mobile networks)
IGF (Internet Governance Forum) – Sharm El Sheikh, Egypt
Address: Threats to Carrier Revenues and Government Taxes – VoIP bypass
EastWest Institute Working Group on Cybercrime – Brussels / London
Working Groups: Global Treaty on Cybersecurity / Combating Online Child Abuse
CANTO (Caribbean Association of National Telecoms Org) – Belize / Barbados
Address: Reversing Declines in Telecommunications Revenue
ICLN (International Criminal Law Network) – The Hague
Address: Cybercrime Threats to Financial Systems
CIRCAMP (Interpol / Europol) – Brussels
Working Groups: Online Child Abuse – The Fight Against illegal Content
The evolution of interception - circuit switched networks
1. Threat to National Security
2. Suspect identified
3. Court application for LI warrant
4. Court issues interception warrant
5. Agency provides warrant to Operator
6. Operator sends LI data to agency
[Diagram labels: Time-Division Multiplexing (TDM) Traditional Circuit Switched Networks; 2G / 3G / 4G / 5G; TDM ‘numbered’ calls; TDM Interconnect; Circuit Switch; Court Order Lawful Interception]
The evolution of interception - packet switched networks?
Next Generation Traffic Challenges (ML)
Diversity and encryption creates a ‘safe haven’ for crime/terrorism
[Diagram labels: VoIP Packets (Encrypted Services?); CLOUD A The World Wide Web; CLOUD B National IP Network; IP Gateway; Inbound VoIP / OTT SERVICES (Unlicensed / Bypass / Fraud); SIM Bank, PBX/VoIP Switch, Media Gateway; 2G / 3G / 4G TDM ‘numbered’ call; A and B on WiFi, WiMax, 3G, 4G with VoIP/OTT app call; Broadband Router with VoIP/OTT app call; (Gaming Console) VoIP/OTT app]
Diversity of Internet Activity (Intel)
Unlicensed SIP VoIP (RFC 3261 variants) 373 competitors
aamranetworks.com, Abovenet Communications, Acess Kenya Group, ACN_DSL, Atlantic Broadband, Airtel Broadband, Akamai, ALGX, Amazon.com, AmazonHosting, Angel Drops, Aruba, ASKTel, ASTA Net, 24/7 Real Media ARTNET, AT&T U-verse, AT&T wireless, Bandcom, Beeline, Beam Telecom, Belgacom Skynet, BellCanada, Bell Mobility, BellSouth, BTS, Bharti Airtel, Bankstown-Clinical-School , BICS, Blast_Comms , Bluewin, Bouygues Telecom, Bright House Networks, Broadvoice, BSNL, BT Italia, Beyond The Network America, Cable 1, Cablecom, Cablevision, Cabel Digital Kabel TV, Cable and Wireless Americas Operations, CANTV services, Century Link, Checkbox, Charter Communications, China Telecom, China Mobile, China Telecom YunNan, China Telecom Jiangsu, China Telecom Sichuan, CJSC Ural Trans Telecom, Completel, Cameroon Telecommunications Ltd, China Tie Tong, CoLoSolutions, Cogent Communications, CommPeak (Amazon Hosted), Canaca.com, China Unicom, Claro Dominican Republic, Claro Peru, Clear Wireless, Comnet, CANL, Choopa, Connexions 4 London, Cogeco Cable, Compass , ComCast, Corgi Tech Ltd, Chunghwa telecom, Consejo Hondureno de Ciencie y Tecnologia, CTBC, Cybercon, CYTA HELLAS, nyc callcenter 1, Datacenter, Dedibox, Dial Telecom, Digital Networks CJSC, Distributel Communications, Dixivox, Deltathree, DIGI Ltd, Digicel Jamaica, Dooel Kavadarci, Donbass Electronic Communications Ltd, DNA Oy, DODO, DTS Ltd, E Networks, Econocall, Ecatel, Ecuador Telecoms, EdgeCast Networks, EGNET, Elion Enterprises GANDI, Eircom, Elisa OYJ Mobile, Emirates Telecom, Enterprise Networks, Entertainment Television, Eweka Internet Services, FibreNet, Fibernetica Corp, FLOW, Fonebee, FORTHnet, Freeport-McMoran, Free SAS, Gateway Communications, Galaxy Communications, Gestora de infraestructursa de telecomm, GetGeorgeMobile, GCA Telecom El Salvador, GCN/DCN Networks, GIO Moblie Ghana, Globalinx, Global Net Access, Global Village, Globe Telecom, googletalk, Godaddy.com, GoandCall, GoGent, Golden Lines Cable, Guandong 
Molile Communications, Hadara, Haiti Networking Group, Haiti Telecom, Hanaro Telecom, H3G Italy, Home Network Japan, Hong Kong Broadband Networks, Hotwire Communications, Hubei, Hurricane Electric, INDIT Hostings, Infracom Italia, Inphonex, Inei international, Internap Network Services, Icall, IDT Corporation, iweb, Incapsula.com, Inet Limited, Internetcalls/Freecall, Internet Development Company, IPCommunications, Lifeisbetteron, Iscon Internet, Isotropic Networks, Ispro Lietisum, IPTelligentLLC, ITIBITI.COM, Jazz Telecom, Joyent, JSC, JSC Kazakhtelecom, Kabel Deutschland, Kampung Communications, Karib Cable, KEKU (Amazon), Kimsufi.com, Korea Telecom, Krypt Technologies, KPN B>V>, Lankacom, Lbisat, Leaseweb BV, Level 3 Communication, Lexis-nexis, LgDacomCo, Libantelecom, Lightspeed_SBCglobal, Lightyear Network, Limelight Networks, Link Egypt, LG Powercom, LG Telecom, LLP Asket, LowRateVoIp, Mana S>A>, Magma, Maroc Telecom, Magyar Telecoms, LINODE, MobileOne, Mainehealth Medical Centre, Mauritius Telecom, Mediaserv, Mediaring network services, Mediacom Communications, Megapath, merkenmarketeers (BICS), MS Hotmail, Microsoft corporation, Microsoft Hosting, MIR Telematiki, M2 Telecomms Group, Microsoft Ltd, Microsoft Internet data center, MTNBusiness (telkom Hosted), Mobitel, Movistar, Multilink, Multiregional Transit Telecom, MWEB Connect, mycingilar.net, N Layer, Nec Biglobe, NC Nummericable, Netvision, Net2Wholesale, Net2Phone, Netzquadrat, NexG, Nexgen Networks, Nextgen tel, NetstreamTechnology, NetTalk, Netia SA, NOC4HOSTS, ntlworld, NTT&Verio, Nymgo, Net 1, OFFRATEL, Open Market, Onavo, Open Computer network, Oi Internet, Oi Velox, OVH SASOOREDOO, OVH Hosting, Orange Espania, Orange Dominica Power phone, Orange France, Orange Home UK, Orange Palastine Group, OJSC Kyrgyztelecom, OJSC Rostelom, OJSC MegaFon, Ortel Communications M/S, Pakistan Telecommunications Company, Palastine, Packet Exchange, Rackspace Pixius Communications, Primus, Paetec, Peer1, Pinger, 
Peru_S.a.c, PLDT (Philippine Long Distance Telephone), Republican Unitary Telecommunications, RCS & RDS Residential, RNADTA, Quadranet, Reflected Networks, Rodgers Cable, ROM Telecom, Rostelcom Kaluga, RCN, RSL COM Canada, R Cable y telecomuniciones Galicia ServerCentral, Samjung Data Service, SSDN Communications, sakura internet inc, SaudiNet, SFR, Sedel, SK Telecom, SKY Broadband, Singlehop, Smart Broadband, Softbank Telecom Corp, Softlayer, SoftlayerMGBlock, STS, SONATEL, Sprint, Speedclick, Splendor, Spectrmnet, Starnet, Starhub Internet, Subisu Cablenet (pvt ) Ltd, Switchspace, Syrian Telecommunications, TATA Communications, Telefonica USA, Telecommunications Company, Time Warner Cable, T Mobile, Telebec, Telkom Internet, Telstra Internet, Telecom Algeria, telenet N.V., Telio Holdings, Telefonica De Argentina, Telus Communications, TPG Internet Pty, TalkFree, Telenor, TeliaCarrier, Tikona Digital Networks Pvt, Telefonica De Espana, Telia Network Services, Telecom Internet, Telecom Services Trinidad & Tobago, Tiscali, Telecom Malaysia Berhad, Tricom, Talk4Free, Telgua, Telinta VoIP Company, Telefonica Moviles Panama, Tirpitz, Tim Celular S.A. Telecom Indonesia, TOT Public Company Limited, Turk Telecom, UK Rtelecom, Ubiquity Servers, UCOM, UPC AUSTRIA, UPC Polska, Vonage (Leaseweb.B.V), Voyager Internet Limited, Verat DOO, Verizon, Verizon Sweden, Vivacom, VideoTron, VDC, VIVO, VOO, Vosox, voxsun.net, ViVox, Vitelity, Virtustream, Vonage, VolumeDrive, Vaboomz, Voipms, Yahoo, VoX Communications, Voxee, Wave Internet Services, WebNX, Webair, WholeSale Internet, WindTelecom, Windstream Communications, XO_Communications, Xplornet Communications, YahooSIP, YOU Broadband, ZAMTEL, Ziggo, ZON TV cabo, ZSR-ZT Bratislava, 44Direct, 8 x 8
373 offshore SIP operators (Haiti telecoms)
Unlicensed competition causes false market rates (anti-competitive)
Policy decision to remove fraudulent bypass services
Create a regulatory environment where SIP operators are licensed
SIP operators will pay the appropriate fees and taxes
Fair market conditions will establish correct market rates
What is the financial model behind each operator? Linked to ML?
The diversity of VoIP protocols and applications
PROTOCOLS (6) APPLICATIONS (113) – Commercial VoIP Operators
SIP (95) Astra, Asterisk (PBX), AIM Phone, AllfreeCalls.net, Broadvoice, BT-Yahoo, BuddyTalk, Calleasy, Chamaleon, Deltathree, Dialpad, Dialnow, Cheap calls to India, Cockatoo, Ding-a-Ling, Earthcaller, Ekiga (old GnomeMeeting), Expresstalk, Fonebee, Freeswitch, Fring, FreeCallPlanet, Free calls to Pakistan, Free VoIP International Calls, FWD.Communicator, Gizmocall, Gizmo Project (Gizmo5), Globalinx, GrandCentra, iCall, intervoip, iSkoot, Jajah, Jangl, Jaxtr, Justvoip, KCall, Kphone, Kutecom, Lingo VoIP, Linphone, LowrateVoip, Lycos, MagicJack, MediaRing, Minisip, Mobivox, MrTalk, MSN Messenger, Nettalk, Nonoh, ooVoo, OpenWengo, PacPhone, Packet8, Paltalk, Peerio, Pennytel, OpenSip, PhoneGaim, PhoneGnome, Sgoope, SightSpeed, SIP Communicator, SIP User Agent, SIPCLI, SipXphone, SJPhone, SMSDiscount, Switchspace, Talqer, TalkPlus, Teltub, Tringme,Truphone, Yaka, Yahoo, VD3Delta, Viber, Vivox, Vonage, Voncp, VoIP Buster, VoIP Cheap, Voipraider, Voipwise, VOX, Voixio, Windows Live Messenger, X-Lite, X-Pro-Vonage, Yate , 3XC, 8x8, 12voip
H323 NetMeeting, SJPhone, WebTalk, Open H323, CallGen323, Ekiga (old GnomeMeeting), Freeswitch, Yate
TLS Whatsapp, Skype, SkypeIn, SkypeOut, Viber, ooVoo
Google Google Talk
Net2phone Net2Phone
IAX IAX Phone, Freeswitch, Yate, Kiax, Moziax
OTHER VOIP PROTOCOLS (3)
Megaco (H248), MGCP, Skinny (SCCP)
E-MAIL PROTOCOLS (3)
POP, SMTP, IMAP
IM PROTOCOLS (10)
OSCAR, AIM/ICQ, IRC, iChat, Mac OS X, MobileMe, SightSpeed, Skype, Yahoo! Messenger, XMPP/JABBER
VOIP APPLICATIONS LARGEST VOIP SERVICES (Example: US to Caribbean)
The diversity of P2P file transfer systems
PROTOCOLS (11) APPLICATIONS (85)
IAX Astrix PBX, Freeswitch, Kiax, Moziax, Yate
BitTorrent ABC, AllPeers, Bit Comet, BitLord, BitSpirit, BitTornado, Burst, Deluge, FlashGet, G3Torrent, Halite, Ktorrent, MLDonkey, Opera, QTorrent, rTorrent, TorrentFlux, Transmission, Tribler, Thunder, µTorrent
Direct Connect Direct Connect, SababaDC, DC++, BCDC++, ApexDC++, StrongDC++
Ares AresGalaxy, Warez P2P, Filecroc
eDonkey eDonkey2000, aMule, eMule, eMulePlus, FlashGet, Hydranode, iMesh, Jubster, IMule, Lphant, MLDonkey, Morpheus, Pruna, xMule
Gnutella Acquisition, BearShare, Cabos, FrostWire, Gnucleus, gtk-gnutella, iMesh, Kiwi Alpha, MLDonkey, Morpheus, Poisoned, Swapper, XoloX
Gnutella2 Gnucleus, iMesh, Kiwi Alpha, MLDonkey, Morpheus, TrustyFiles
FastTrack giFT, iMesh, Kazaa, Kceasy, Mammoth, MLDonkey, Poisoned
Napster Napigator, Napster
Manolito Blubster, Piolet
OpenNAP Lopster, Napster, WinLop, WinMX, Utatane, XNap
Diversity of social networks
URLs SOCIAL NETWORK APPLICATIONS
Social Websites (210)
Many services encrypted
43 Things, Academia.edu, Advogato, aNobii, AsianAvenue, aSmallWorld, Athlinks, Audimated.com, Badoo,Bebo, BIGADDA, Biip.no, BlackPlanet, Blauk, Blogster, Bolt.com, Busuu, Buzznet, CafeMom, Cake, Financial, Care2, CaringBridge, Cellufun, Classmates.com, Cloob, CouchSurfing, CozyCot, Cross.tv, Crunchyroll, Cyworld, DailyBooth, DailyStrength, delicious, deviantART, Diaspora, Disaboom, Dol2day, DontStayIn, Draugiem.lv, douban, DXY.cn, Elftown, Elixio, Epernicus, Eons.com, Experience Project, Exploroo, Facebook, Faceparty, Faces.com, Fetlife, FilmAffinity, Filmow, FledgeWing, Flixster, Flickr, Focus.com, Fotki, Fotolog, Foursquare, Fuelmyblog, Friendica, Friends Reunited, Friendster, Frühstückstreff, Fubar, Gaia Online, GamerDNA, Gapyear.com, Gather.com, Gays.com, Geni.com, GetGlue, Gogoyoko, Goodreads, Goodwizz, Google+, GovLoop, Grono.net, Habbo, hi5, Hospitality Club, Hotlist, HR.com, Hub Culture, Hyves, Ibibo, Identi.ca, Indaba Music, IRC-Galleria, italki.com, Itsmy, iWiW, Jaiku, Kaixin001, Kiwibox, Lafango, LAGbook, LaiBhaari, Last.fm, LibraryThing, Lifeknot, LinkedIn, LinkExpats, Listography, LiveJournal, Livemocha, LunarStorm, Makeoutclub, MEETin, Meetup, Meettheboss, MillatFacebook, mixi, MocoSpace, MOG, MouthShut.com, Mubi (website), MyHeritage, MyLife, My Opera, Myspace, myYearbook, Nasza-klasa.pl, Netlog, Nettby, Nexopia, NGO Post, Ning, Odnoklassniki, OneClimate, OneWorldTV, Open Diary, Orkut, OUTeverywhere, Passportstamp, PatientsLikeMe, Partyflock, Pingsta, Pinterest, Plaxo, Playahead, PureVolume, Playfire, Playlist.com, Plurk, Qapacity, Quechup, Qzone, Raptr, Ravelry, Renren, ResearchGate, ReverbNation.com, Ryze, ScienceStage, ShareTheMusic, Shelfari, Sina Weibo, Skoob, Skyrock, Social Life, SocialVibe, Sonico.com, SoundCloud, Stickam, StudiVZ, Students Circle Network, StumbleUpon, Tagged, TalentTrove, Talkbiznow, Taltopia, Taringa!, TeachStreet, TermWiki, The Sphere, TravBuddy.com, Travellerspoint, tribe.net, Trombi.com, Tuenti, Twitter, Vkontakte, 
Vampirefreaks.com, Viadeo, Virb, Vox, Wakoopa, Wattpad, Wasabi, WAYN, WebBiographies, WeeWorld, Wellwer, WeOurFamily, Wepolls.com, Wer-kennt-wen, weRead, WiserEarth, Wooxie, WriteAPrisoner.com, Xanga, XING, Xt3, Yammer, Yelp, Inc. Zoo.gr, Zooppa
E-MAIL APPLICATIONS (PSEUDONYM REGISTRATION)
No ID Required (23)
AIM Mail, BigString.com Service, Care2 E-mail, Facebook Messages, FastMail, Gawab.com, HotPOP, Inbox.com Service, iCloud Mail, Lavabit, Mail.com, GMX Mail, My Way Mail Service, MSN Hotmail, MyRealBox, Myspace Mail, Shortmail, Windows Live Hotmail, Yahoo! Mail, Zapak Mail, Zenbe Personal, IMAP, Zoho Mail
What is on your national IP network?
Example - Viber Media
“Call, text, and send photos to each other, worldwide - for free!”
• 350m downloads / 105m concurrent users / 550k sign ups each day.
• Viber client will not install unless the user allows access to their contacts list.
• Development centre located in Israel - hosting at Amazon Cloud / Akamai Cloud (US).
• Cloud hosting in liberal jurisdictions allows OTT services to bypass national policies.
• Consistent refusal to provide intercept data to courts and LEAs.
Hiding and Trading - Fraud Over VoIP
What OTT services are on your network? Are they lawful intercept compliant?
OTT Examples
• 479 Cyber-currencies / Crypto-currencies
• 268 VoIP/P2P/IM (Chat)
• 33 Real-Time Entertainment
• 105 Mobile Money Transfer Operators
• 584 Online Gambling Operators
• 73 Online Gaming Operators
• 210 Social Networks
Forensic analysis of packet data
Detailed records are individually searchable
• Actual IP address initiating the call/event
• Actual IP address receiving the call/event
• Actual Mac address initiating the call/event (Subject to Protocol*)
• Actual Mac address receiving the call/event *
• Actual telephone number initiating the call/event *
• Actual telephone number receiving the call/event *
• Actual email address initiating the call/event *
• Actual email address receiving the call/event *
• Time the call/event was initiated
• Time the call/event was disconnected
• Traffic statistics to identify signatures of SIM bank, Media Gateway and IBTs
• Geographic location of IP addresses/suspect can be produced in some cases through registries
• Selective filtering of VoIP traffic on a call-by-call basis. Allow ‘authorised’ and disconnect ‘un-authorised’
Additional Guardian module – URL control
• Stop access to inappropriate or offensive websites identified on approved blacklists (Interpol)
Money laundering over VoIP
[Diagram labels: VoIP Operator; Criminal Network; Customers]
The Laundering Sequence:
1. Fraudsters set up as a VoIP operator
2. Service is typically hosted offshore in a liberal jurisdiction
3. Offshore shell companies hide ownership and accountability
4. Services such as calling cards can be purchased for cash
5. Criminal network can easily insert dirty cash into the system
6. The receiving operator can charge for bulk voice services
7. The authenticity of the services provided cannot be verified
8. VoIP calls running 24hrs a day offers limitless laundering
9. Cleaned cash lands in destinations – typically tax havens
10. Hidden model for funding organised crime and terrorism
[Diagram labels: VoIP Service Agents; Firewall; Telecommunications Provider; VoIP Services / Calling Cards; VoIP Service Host; Internet; Dirty Money; Offshore Banks; Shell Co’s (buffering)]
Traffic Pumping - toll fraud targeting VoIP switch and apps
Traffic Pumping / International Revenue Sharing Fraud (IRSF)
1. Fraudsters hack into corporate PBX/softswitch resources
2. VoIP apps (multiple installs on devices) = multiple lines
3. Once access is gained the information is typically sold
4. Criminals set up offshore premium rate numbers and SMS
5. Attacks typically take place outside working hours
6. Huge bills can be run up in hours – unnoticed by victims
7. The carrier has provided a legitimate service
8. Corporate receives bill for $1000’s
9. Private user receives bill for $1000’s
Case Study:
• VoIP calls were directed at premium rate numbers @ $5 per min
• Fraud remained undetected for 6 hours = $1,800 per line
• 25 exploited VoIP numbers in 6 hours = $90,000
Small $ amounts keeps below anti-laundering radar
[Diagram labels: Toll fraud targeting VoIP PBX; VoIP mobile apps; International Numbers; Fraudsters; Zombie Networks; Internet; Compromised Firewall; Firewall; Telecommunications Carrier; Customer; Offshore Bank; Premium SMS; Premium Numbers; SIP Phone; Compromised OTT VoIP App; Infected Mobile Device]
Traffic Pumping – exploiting Sipvicious to hack SIP
Sipvicious “Friendly-Scanner” (not friendly at all)
1. Sipvicious is a mainstream auditing tool for VoIP systems.
2. Exploited by hackers to take control of VoIP servers for fraudulent purposes, such as traffic pumping (toll fraud).
3. A type of botnet which scans IP ranges for SIP servers such as softswitches and PBX which communicate via the 5060 port.
4. If it finds the port open, it attempts to brute force its way into the SIP server by testing sequential SIP account numbers with common usernames/passwords.
5. Typically downloaded through a Trojan (jps.exe) which connects to bot ‘command and control’ servers.
6. Sets User-Agent in the SIP requests to “friendly-scanner” or others.
Bitek monitoring of Sipvicious attacks
Haiti 7th Feb 2016 19.00 to 21.00 GMT (2 hours)
17.5m international inbound registration attempts to IP PBX using Sipvicious 1.0
Suspect User Agents
• sipvicious
• siparmyknife
• iWar
• sip-scan / sipsak
• sundayddr
• friendly-scanner
• friendly-request
• CSipSimple
• SIVuS
• Gulp / Sipv / Smap
• VaxIPUserAgent
• VaxSIPUserAgent
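A defender-side check for the scanner behaviour listed above, as an added example that is not part of the original slides: it flags REGISTER sources by the suspect User-Agent strings on this page and, because the scanner can set the User-Agent to "others", also by runs of sequential account numbers. The sample requests, the documentation-range addresses, the host name pbx.example.test and the min_run threshold are constructed assumptions.

```python
"""Flag SIP REGISTER sources that behave like the scanner described above."""
import re
from collections import defaultdict

# Suspect User-Agent substrings, copied from the list on this page.
# Short entries such as "smap" can match unrelated agents; treat hits as leads.
SUSPECT_AGENTS = (
    "sipvicious", "siparmyknife", "iwar", "sip-scan", "sipsak", "sundayddr",
    "friendly-scanner", "friendly-request", "csipsimple", "sivus", "gulp",
    "sipv", "smap", "vaxipuseragent", "vaxsipuseragent",
)

# User part of a SIP URI, e.g. "100" in <sip:100@pbx.example.test>.
USER_RE = re.compile(r"sips?:([^@;>\s]+)@", re.I)


def parse_request(raw):
    """Return (method, headers) for one SIP request; header names lower-cased."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def longest_run(numbers):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for n in numbers:
        if n - 1 not in numbers:  # n starts a run
            length = 1
            while n + length in numbers:
                length += 1
            best = max(best, length)
    return best


def analyse(events, min_run=5):
    """events: iterable of (source_ip, raw_request). Returns {ip: set of reasons}."""
    agents = defaultdict(set)
    accounts = defaultdict(set)
    for src, raw in events:
        method, headers = parse_request(raw)
        if method != "REGISTER":
            continue
        ua = headers.get("user-agent", "").lower()
        agents[src].update(a for a in SUSPECT_AGENTS if a in ua)
        # "t" is the compact form of the To header.
        match = USER_RE.search(headers.get("to", headers.get("t", "")))
        if match and match.group(1).isdigit():
            accounts[src].add(int(match.group(1)))
    findings = {}
    for src in set(agents) | set(accounts):
        reasons = set()
        if agents[src]:
            reasons.add("suspect-user-agent")
        if longest_run(accounts[src]) >= min_run:
            reasons.add("sequential-accounts")
        if reasons:
            findings[src] = reasons
    return findings


def make_register(user, agent):
    """Build a constructed REGISTER request for the sample data below."""
    return (f"REGISTER sip:pbx.example.test SIP/2.0\r\n"
            f"To: <sip:{user}@pbx.example.test>\r\n"
            f"From: <sip:{user}@pbx.example.test>;tag=1\r\n"
            f"User-Agent: {agent}\r\n\r\n")


# Constructed sample: a scanner with its default agent, a scanner with a
# renamed agent, and one ordinary softphone registration.
SAMPLE = (
    [("203.0.113.10", make_register(n, "friendly-scanner")) for n in range(100, 106)]
    + [("192.0.2.44", make_register(n, "Zoiper")) for n in range(300, 307)]
    + [("198.51.100.7", make_register(2001, "Linphone/3.6.1"))]
)

if __name__ == "__main__":
    for src, reasons in sorted(analyse(SAMPLE).items()):
        print(src, sorted(reasons))
```
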
VoIP Missing Trade Intra-Community VAT Fraud (MTIC)
[Diagram labels: VoIP Operator; Criminal Network; Customers; VoIP Service Agents; Firewall; Telecommunications Provider; VoIP Services / Calling Cards; VoIP Service Host; Internet]
MTIC VAT fraud example - Italy:
1. MTIC is essentially the theft of VAT
2. Fraudsters set up as VoIP operators (buffered)
3. Involved companies in Italy, UK, US and Finland
4. EU cross-border B2B transaction is VAT neutral
5. Fraudsters collected VAT on the sale of domestic VoIP services
6. When the tax became due the companies had disappeared.
7. Cost the Italian economy €400m in non-payment of VAT
8. Connected to a scheme to launder €2 billion
Complexity of case: Fraud committed in 2003–2007; 50 arrest warrants issued 2010; court hearings 2013.
Europol: MTIC fraud costs the EU €100b a year or €270m a day
Eurojust: Makes MTIC fraud a top priority for 2014-2017 period
MTIC uses the same model
[Diagram labels: Shell Co’s (buffering); Dirty Money; Offshore Banks; VAT Paid; VAT; € Tax Demand]
Setting up a vishing scam using VoIP
1. Vishing is a phone call scam utilizing phishing, social media and VoIP
2. Fraudsters set up spoof companies and websites to support the scam
3. Cheap or free VoIP calls allow scammers to set up ‘call centre’ models
4. Anonymity of VoIP/P2P registration avoids LI detection and tracking
5. Stolen identity data provides enough information to sound genuine
Large scale vishing scams over VoIP
Typical Costs targeting US Citizens
Per attack: $5000 to $30,000
Total per year: $100’s millions
[Image labels: Scam?; CALL ID UNKNOWN]
Case Study - Banking
1. VoIP calls to landline numbers - fraudsters posing as bank officials
2. Vulnerable small business owners and the elderly are targeted
“We have identified active fraudulent behaviour on your account”
“To protect you, we need to transfer your balance into a holding account”
“Please call the number on the back of your bank card to authorise”
3. The scammer who has not hung up plays a ‘dialing tone’ and a ‘ringing tone’
4. A new scammer then appears to answer at the bank – the fraud is completed
1. As vulnerable consumers become more wary of scams they know not to answer calls identified with “Unknown” or “No Caller ID”
2. Fraudsters can now use a new VoIP service called bitphone to get around this problem by spoofing the caller ID. Any number can be used.
3. Low cost call $0.021 per minute + caller-ID spoofing at $0.0912 per call.
4. Payment through Bitcoin or other virtual currencies retains anonymity.
5. To help provide legal cover, bitphone includes the FCC’s caller-ID and spoofing guidelines in its T&C’s that each user must accept.
6. Using a public WiFi hotspot adds additional security buffering.
Spoofing Caller ID – the evolution of cybercrime
[Image labels: IRS Spoofing; +1 800 829 1040]
The global trade in identity theft information
The Times Feb 2016 – Online fraud costs Britain’s economy £27 billion per year
• 1m stolen bank details discovered for sale on http://bestvalid.cc/session
• Criminals trade with impunity on the internet - not the dark web.
• Sold for as little as £1.67 each
• Stolen Identities from 100,000 Britons
Source: Symantec 2014 Report
Spear-Phishing and ransom attacks
Spear-Phishing bypasses spam filters
1. Spear-Phishing is an attack which hacks into our “trusted” email or social media contacts lists.
2. Spam filters accept inbound emails which appear to be from a work colleague, family or friend.
3. We are more likely to click on a link from a friend – unaware that it is malware.
4. More than 317 million new pieces of malware were created last year, nearly a million a day.
5. Crypto-ransom attacks, where the victim's files are encrypted and held hostage without warning, skyrocketed 4,000 percent.
6. Ransomware attacks grew 113 percent
7. 70 percent of social media attacks rely on the initial victim to spread the threat to others.
Source: Symantec 2014 Report
Abra – the digital version of Hawala
Money transfer without money movement
1. The Hawala model has been used for centuries for money transfer without physical money movement.
2. Hawaladars are people who collect and hand out funds on behalf of others over long distances, settling with each other via barter transactions.
3. In the US no one is allowed to hold or remit funds on behalf of someone else without being a licensed money transmitter.
4. As tellers are always holding their own money it is extremely difficult to identify or regulate these activities.
5. Abra is a Peer to Peer (P2P) smartphone app designed to bring Hawaladar into the digital age.
(A) wants to transfer $1000 to (B)
[Diagram labels: A; B; Hawaladar (Tellers) 1 and 2; “Trust”; $1000]
Teller (1) now owes $1000 to Teller (2)
Reverse money transfers equalise the $ balance between Tellers
Abra P2P service bypasses the regulated money transfer industry (virtual infrastructure = low fees)
Abra P2P – bypasses the regulated money transfer market
1. Deposit (domestic)
Deposit cash to the app through an Abra Teller - or add with your debit card.
2. Send (virtual transfer)
Instantly send any amount of money directly from the app to anyone in the world.
3. Withdraw (domestic)
Withdraw cash from the app via any Abra Teller.
Users rate tellers on website (trust).
“Digital cash” transfers
The Dark Web – the DIY cybercrime toolkit
The Dark Web – the DIY financial toolkit
The Dark Web - terrorist communications and funding
[Timeline labels: 2008, 2016]
Taliban Communications
• VoIP enabled handsets
• P2P Skype used widely
• Frustrates SIS / NATO intercept
• Microsoft purchase Skype in 2011
• Microsoft LI patent granted 2012
Mumbai Terror Attack
• VoIP phones purchased in PK
• Calls via US provider
• Co-ordinated from Pakistan
• Lack of digital evidence frustrated LEA investigations
ISIL Communications
• Edward Snowden leaks 2013
• Jihadi organizations become more informed about NSA techniques
• Dark web becomes the preferred communications tool
• VoIP system developed by Pakistan ISI distributed on dark web by ISIL
Obama asks congress for $19 billion for Cybersecurity
Obama targets US Cybersecurity
1. $19 Billion includes $3.1 billion for technology modernization at various federal agencies.
2. Cyber threats are “among the most urgent dangers to America’s economic and national security,”
3. Launch Presidential Commission on Cybersecurity to strengthen US cyber-defences over the next decade.
4. Government’s cyber-defense system, known as Einstein, is “ineffective at combating hackers.”
5. Recent high-profile hacks include Office of Personnel Management, Sony Pictures and Target that were “largely met with legislative inaction”
Norse cyber-attack data (15 minute sample) – represents a fraction of the total attacks on URLs
The Internet – Cybercrime toolkit (not just the dark web)
You know Sir, you can do this just as easily online!
Organized fraud, tax evasion, money laundering
Thank you for your attention