
Presented By: Brian Nienhaus

• What is cybercrime?
• Running a cybercrime syndicate
• Cybercrime attacks
• Countermeasures
• Organization profiles
Who, Where, When, Why
• “The degree of overlap between [organized crime and cybercrime] is likely to increase considerably in the next few years. This is something that needs to be recognized by business and government as an emerging and very serious threat to cyber-security.”
• Cybercrime is…?
• “offenses ranging from criminal activity against data to content and copyright infringement” (Council of Europe’s CC Treaty)
• United Nations refers to acts of fraud, forgery and unauthorized access
• “…unlawful acts wherein the computer is either a tool or a target or both.”
• The Internet encourages anonymity and is distributed in nature
• Many countries have very few laws addressing cybercrime
• Love Bug Virus
• VB script that spread via email and corrupted many different file types
• FBI traced the virus to the Philippines
• The increasing growth of e-commerce
 22.3% increase in # from 2008
211% increase in financial loss
 Median dollar loss: $575
 Crimes with no documented loss
or harm are not included
Top 5 categories:
Non-delivered merchandise: 19.9%
Identity Theft: 14.1%
Credit Card Fraud: 10.4%
Auction Fraud: 10.3%
Computer Fraud: 7.9%

UNORGANIZED
• Usually the work of an individual
• Decentralized
• Smaller resource base
• Hit and run mentality/opportunistic

ORGANIZED
• Centralized group of criminals
• Many based in “hostile” nation
• Extensive access to resources/business connections
• Extended operations

• Hackers discover vulnerabilities and sell to the highest bidder
• Crimeware suites created and sold to less technically inclined users
• Crimeware-as-a-service mentality
• Data supplier model
• Pricing profiles introduced
• Credit cards = cheap
• Healthcare info/single logins for organizations = expensive
• Cybercrime economy mirrors actual economy
• Organized crime closely mimics the actual economy
• Regionally-specific & enterprise-specific campaign
• Each attack campaign gathered centrally to sell
• Campaigns managed remotely from these central servers
• Data and asset management is just as essential as in traditional business
• (1) Boss deploys malicious code package
• (2) Campaign managers retrieve the package and customize it as needed
• (3) Malicious network used to inject package into legitimate sites. Commission-based
• (4) Injected code served to users
• (5) Toolkit affects individual users
• (6) Infection data sent back to central location
• (7) PII flows back to boss
• Example of a crimeware toolkit that originates from Eastern Europe, primarily Russia and the Ukraine
• Utilizes three major components and powerful encryption:
• ZeuS trojan
• ZeuS config file
• Specification of dropsite
• Config file defines subset of targets
• ZeuS collects session variables during sessions
• Bypasses auth. mechanisms and piggybacks on the session
• Criminals are able to move money to third parties in real-time
• ZeuS Builder provides binary files for constructing a botnet
• How simple is it?
• Number of new ZeuS binaries in the past month: 18,985
• Number of new ZeuS binaries seen in the past week: 4,582
• Number of new ZeuS binaries seen in one day: 977
• Trend Report
• ZeuS Video
• Consider:
• Hardware and software keep getting cheaper
• Combine the Internet and a global scope, and the potential for attacks is limitless
• Security will always be breached
• Even when laws are passed to increase technological safeguards, new technology will always outstrip legislation
• IC3
• Accepts complaints, investigates, and/or redirects to appropriate law enforcement
• Joint operations with other agencies
• Publishes cyber-security information
• IT Act (2000)
• Attempt to define various electronic specifications:
• Digital Signatures
• Use/Retention of electronic records
• Security
• Certification Authorities
• Offenses
• http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf
• http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/zeusapersistentcriminalenterprise.pdf
• http://www.legalserviceindia.com/cyber/itact.html
• http://www.symantec.com/norton/cybercrime/definition.jsp
• http://www.securityworld.com/ia-420-love-bug-virus.aspx
• http://www.finjan.com/Content.aspx?id=827
