INTERNET SECURITY SEMINAR

(1)

Paper: "An inquiry into the nature and causes of the wealth of internet miscreants"

By Jason Franklin & Vern Paxson

Presented by Matimbila Lyuba at the University of Birmingham, 28/01/2013

(2)

Structure of presentation

Underground Market

Research analysis

Countermeasures

(3)

SECTION I: UNDERGROUND ECONOMY

•  Underground economy
  - Commoditization of activities like:
    - Credit card fraud
    - Identity theft
    - Spamming
    - Phishing
    - Online credit theft
    - Compromised hosts
    - What other illegal activities ...?
  - Underground market
    - The internet as the backbone of communication
    - Internet Relay Chat (IRC) networks

(4)

IRC

•  Provides buyers and sellers with a meeting place.
•  How does IRC work?
  - A standard protocol for real-time message exchange over the internet.
  - Employs a client/server model.

(5)

IRC terminology

•  Seller
  - A person able to provide goods or a service
•  Buyer
  - A person who needs goods or a service
•  Cashier
  - Converts account credentials into funds
•  Confirmer
  - Pretends to be the card owner
  - Can be a buyer if resident in the same country where the victim's account exists
•  Ripper
  - Dishonest seller or buyer
•  Participant

(6)
(7)

The game

•  Hence funds are transferred through Western Union or E-Gold
•  Demo for accessing the channel
•  What parameters can you easily identify ...?
•  What are track 1 & track 2 ...?

(8)

Accessing the market

•  Market administrator
  - Ensures participants have identifiers
  - Notifies participants about "rippers"
•  Client participation
  - Start the client program, then connect to the network via a server
  - Provide a nickname
  - Provided with a seal of approval "+v"
  - Choose a channel
  - Can send private messages (PM)
•  Verified status
  - Attained in order to be trusted
  - Provide a sample of valid data
  - Approximately 95% of participants post fewer than 18 samples to attain "+v"

(9)

Access the market

(10)

Market activities

Question: What do you think is sold on these channels?

(11)

Market activities

(12)
(13)

SECTION II: Research analysis

•  How the study was conducted
•  Data collection
  - Connect to a particular channel on different IRC networks
  - Log all subsequent public messages
  - Format: {timestamp, IRC server IP address, source identifier, channel name, message}
•  Why not log private messages ...?
•  Why log in this format ...?
•  Dataset collected: 2.4 GB over a period of 7 months.
•  Messages collected: 13 million from a total of more than

(14)

Market analysis

•  Most sensitive data
  - Credit card data
  - Financial data

(15)

Credit card data

•  No repetition
•  Checked against the Luhn check digit: a checksum that guards against simple transmission errors
•  A necessary condition for card validity
•  A total of 100,490 unique card numbers

(16)

Credit card arrival

•  Luhn-valid cards arrive at a rate of 402 cards per day
•  Luhn-invalid cards arrive at a rate of 145 cards per day

(17)

Credit card arrival

•  Why so many Luhn-valid cards...?
  Implies miscreants:
  - Continuously collect data
  - Possess a large number of stolen cards and then release them in batches
•  Why Luhn-invalid cards...?
  - Novice miscreants

(18)

New vs repeated cards

•  Within the channel
•  Between channels
•  95% of card repeats
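The following is an added worked example, not code from the slides or from the Franklin/Paxson paper. It reads constructed log records in the five-field format the slides describe ({timestamp, IRC server IP address, source identifier, channel name, message}), pulls candidate card numbers out of the public messages, applies the Luhn check, removes repetitions, and reports per-day arrivals of Luhn-valid and Luhn-invalid numbers together with repeats within one channel versus across channels. The tab separator, ISO-8601 timestamps, helper names, nicks, channels and card numbers are all this example's own assumptions and constructed test data (4111... and 5500... are standard test numbers).

```python
"""
Added example, not code from the slides or from the Franklin/Paxson paper.
Runs an offline card-number analysis over constructed IRC log records laid
out in the five fields the slides describe. Everything below (separator,
timestamp format, helper names, sample data) is this example's assumption.
"""
from collections import defaultdict
from datetime import datetime
import re

FIELDS = ("timestamp", "server_ip", "source", "channel", "message")

# Constructed sample log (test data, not a real capture). The same card is
# posted twice in #chan-a and once in #chan-b; one number fails Luhn; one
# message carries no card at all.
SAMPLE_LOG = """\
2007-01-03T10:15:00\t10.0.0.1\tseller1!u@host\t#chan-a\tcvv2 4111111111111111 exp 01/09
2007-01-03T11:02:10\t10.0.0.1\tseller1!u@host\t#chan-a\tcvv2 4111111111111111 exp 01/09
2007-01-03T12:40:00\t10.0.0.2\tseller2!u@host\t#chan-b\tfresh 4111 1111 1111 1111 US
2007-01-03T13:00:00\t10.0.0.1\tseller3!u@host\t#chan-a\tcheck 4111111111111112 now
2007-01-04T09:30:00\t10.0.0.1\tseller1!u@host\t#chan-a\tnew batch 5500000000000004
2007-01-04T09:31:00\t10.0.0.1\tbuyer9!u@host\t#chan-a\tanyone selling paypal?
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def parse_log(text):
    """Turn raw log text into a list of dicts keyed by FIELDS; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) != len(FIELDS):
            continue  # blank or malformed line
        rec = dict(zip(FIELDS, parts))
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        records.append(rec)
    return records


def luhn_valid(number):
    """Luhn check digit: double every second digit from the right, subtract 9
    from any doubled value above 9, and require the digit sum to be 0 mod 10.
    Catches single-digit typos and most adjacent transpositions, nothing more."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_cards(message):
    """Return candidate card numbers with separators stripped."""
    return [re.sub(r"[ -]", "", m.group(0)) for m in CARD_RE.finditer(message)]


def analyse(records):
    """Per-day arrivals of Luhn-valid/invalid *new* numbers, plus repeat counts."""
    first_seen = {}  # card number -> channel where it was first posted
    per_day = defaultdict(lambda: {"valid": 0, "invalid": 0})
    repeats = {"within_channel": 0, "between_channels": 0}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        for card in extract_cards(rec["message"]):
            if card in first_seen:
                same = first_seen[card] == rec["channel"]
                repeats["within_channel" if same else "between_channels"] += 1
                continue
            first_seen[card] = rec["channel"]
            day = rec["timestamp"].date().isoformat()
            per_day[day]["valid" if luhn_valid(card) else "invalid"] += 1
    return {"unique": len(first_seen), "per_day": dict(per_day), "repeats": repeats}


def arrival_rates(result):
    """Average new Luhn-valid and Luhn-invalid numbers per observed day."""
    days = max(len(result["per_day"]), 1)
    valid = sum(d["valid"] for d in result["per_day"].values())
    invalid = sum(d["invalid"] for d in result["per_day"].values())
    return valid / days, invalid / days


if __name__ == "__main__":
    summary = analyse(parse_log(SAMPLE_LOG))
    print(summary)
    print("valid/day, invalid/day:", arrival_rates(summary))
```

Run as a script it prints the summary for the embedded sample; on a real capture the figures from arrival_rates() are the per-day numbers the slides quote, and the within/between split comes straight from the channel of first sighting. The Luhn test only rules out numbers that cannot be valid, so the count of Luhn-valid numbers is an upper bound on usable cards, which is why the slides call it a necessary condition rather than proof of validity.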

(19)
(20)

Financial data

•  Checking and savings account numbers with their balances
  - Copied from the bank's account access web page
  - Effectiveness of phishing attacks...?
  - Demonstrates the ability to access the stated accounts
  - Gains the buyer's trust
•  Validity
  - Dynamicity of accounts...!

(21)

Financial data

•  Assume all amounts are valid and successfully removed

(22)

Identity data

•  Social Security Numbers (SSNs)
  - SSN == individual identity
  - Fall within the issued range listed by the Social Security Administration.
  - No proof of whether they have actually been issued
•  Majority are repeated
•  Why...?

(23)

Market service

•  Activity level
  - 64,000 messages are seen per day
  - Average number of new messages per day is greater than 19,000
  - Repeated messages arrive at a rate of 45,000 per day
•  How?
  - Automated scripts are used..
•  Why?

(24)

Participant identification

•  Lurkers
  - Idle, sending zero public messages
  - Can monitor the channel ads and contact sellers via private messages
•  Leechers
  - Looking for free financial data
  - Prevention services, e.g. CardCops

(25)

Participants

•  An average of 1,500 nicks participate per day
•  New nicks arrive at an average rate of 553 nicks per day
•  Active lifetime
  - Time between the nick's first and last message
  - Measures the extent of relationship building by maintaining a nick over a

(26)

Participants

•  95% of nicks have an active lifetime of 112.5 days
•  The longer you maintain a nick, the more relationships and

(27)

Channel services

•  Run by the channel administrator
•  Executed through commands
•  Provide useful services:
  - Credit card limit check

(28)

Channel service bot commands

•  No service for free!
•  !chk, !cclimit and !cvv2 are fallacious
•  They return deterministic results without querying a database or attempting a transaction to infer the card's limit!
  possible..?
•  Bot administrators use them to steal other participants' credit card numbers..! Does it mean "return on investment"?

(29)

Pricing

•  Price for compromised hosts varies
•  For DDoS you can get 1,000 hosts for $10,000
•  Helps to analyse the threat model

(30)

Client IP lookup

•  10% in CBL (Composite Blocking List)
•  Compromised hosts are used to connect to the market
•  1% in SBL (Spamhaus Block List)
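An added example, not from the slides or the paper, of the defender-side lookup the slides summarise: asking a DNS block list whether a client address is listed. The lookup reverses the IPv4 octets, appends the list's zone and resolves the name; a 127.0.0.x answer means "listed" and its last octet identifies the list. The zone zen.spamhaus.org and its return codes are Spamhaus's published ones as I know them, and my understanding is that CBL data is served through the XBL part of that zone; treat the mapping as an assumption to verify against current documentation. The resolver is a parameter so the logic runs offline here against a constructed answer table, and the sample addresses are taken from documentation ranges.

```python
"""
Added example, not code from the slides or from the paper. Shows how a
defender checks an address against a DNS block list (DNSBL) and computes
the "share listed" statistic the slides report. Zone name and return-code
mapping are assumptions as described above; sample data is constructed.
"""
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# Last octet of a 127.0.0.x answer -> list name (assumed mapping, see above).
ZEN_CODES = {
    2: "SBL", 3: "SBL (CSS)",
    4: "XBL (CBL data)", 5: "XBL", 6: "XBL", 7: "XBL",
    10: "PBL", 11: "PBL",
}


def dnsbl_query_name(ip, zone=ZONE):
    """'192.0.2.10' -> '10.2.0.192.zen.spamhaus.org' (IPv4 only here)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answer(answer, codes=ZEN_CODES):
    """Map a DNSBL A-record answer to a list name, 'error', or None."""
    octets = [int(o) for o in answer.split(".")]
    if octets[:3] == [127, 255, 255]:
        return "error"  # zone-side error code (query refused etc.), not a listing
    if octets[:3] == [127, 0, 0]:
        return codes.get(octets[3], "listed (unrecognised code %d)" % octets[3])
    return None  # anything else is not a DNSBL listing answer


def system_resolver(name):
    """Live lookup through the OS resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, resolve=system_resolver, zone=ZONE, codes=ZEN_CODES):
    """Return the list name for ip, 'error', or None when not listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return None if answer is None else classify_answer(answer, codes)


def listing_share(ips, resolve=system_resolver):
    """Fraction of ips listed per list name, the statistic the slides report."""
    counts = {}
    for ip in ips:
        label = check_ip(ip, resolve)
        if label and label != "error":
            counts[label] = counts.get(label, 0) + 1
    return {name: n / len(ips) for name, n in counts.items()}


# Constructed stand-in for DNS so the example runs offline (not real listings).
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",    # would mean XBL/CBL
    "7.100.51.198.zen.spamhaus.org": "127.0.0.2",  # would mean SBL
}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    sample = ["192.0.2.10", "198.51.100.7", "203.0.113.1", "203.0.113.2"]
    for ip in sample:
        print(ip, "->", check_ip(ip, fake_resolver))
    print(listing_share(sample, fake_resolver))
```

With the default system_resolver the same functions perform live lookups. Spamhaus answers queries that arrive through some public resolvers with a 127.255.255.x error code instead of a listing, which classify_answer reports as "error" so that it is never mistaken for either a hit or a clean result when computing the share listed.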

(31)

Total wealth of miscreants

•  Estimation based on assumptions
  - Add total losses from credit card fraud and financial theft
  - Include only cards with a valid Luhn check digit
  - Some are still retained by miscreants
  - Remove repetitions
  - Only collected from public messaging
•  Reasons

(32)

Results

•  Average funds lost per credit/debit card fraud: $427.50, according to the Internet Crime Complaint Center report (2006)
•  Total wealth from credit cards only: $37M
•  Financial fraud: $56M

(33)

SECTION III: Countermeasures

•  Enforce laws, such as:
  - Locating and disabling hosting infrastructures
  - Identifying and arresting market participants
•  Challenges
  - Multi-national cooperation may be time- and resource-consuming
  - Cooperation with foreign law enforcement agencies is difficult
  - The market can re-emerge under new administration with new bulletproof
  - Political differences

(34)

Low-cost countermeasures

•  Sybil attack on the market
  - Undercutting the participant verification system
•  How..?
•  Sybil generation
  - Register as many nicknames as there are verified sellers in the market
•  Achieve verified status
  - Build the status for each identity
  - At low cost, post or replay credit cards seen in one channel to others

(35)

Low-cost countermeasures

•  Deceptive sales
  - Advertise goods and services for sale
  - Ripping
    - Request payment and fail to provide the goods or service
  - Makes buyers unwilling to pay, since they can't tell honest sellers apart
  - Lemon market

(36)

Low-cost countermeasures

•  Slander attack
  - Eliminate the verified status of buyers and sellers through false defamation
  - Reduce the status of honest sellers so buyers turn to dishonest ones who fail to deliver, hence discouraging the market
•  Principles of economics

(37)

Learning with security in mind

•  Quantifying the security of systems
•  Forecasting and predicting the future state of internet security
•  Understanding the true costs and benefits of deployed security technologies, data breaches and new security protocols
•  Analysing the threat model
  - 1,000 compromised hosts for $10,000 = DDoS
•  Estimating global trends that are difficult to measure
  - Total number of compromised hosts on the internet

(38)

SECTION IV: Conclusion

•  MORE QUESTIONS AND

(39)

Special thanks

Tom Chothia

You all
