Case Studies Part I - iFrameCash


Case Studies Part I - iFrameCash
Fighting the Malware
Online Organized Crime
Yesterday: SaaS – Software as a Service
Today: CaaS – Crime as a Service
Speaker: Peter Stelzhammer
www.kompetenzzentrum.it | www.av-comparatives.org
About Us
Two Divisions
• AV-Comparatives – Independent Testing Organization
- Worldwide Leader in Security Software Testing
- Charter Member of AMTSO (Anti Malware Standard Testing Organization)
• kompetenzzentrum.IT – Commercial Consulting
- IT Security Auditing & Consulting
- IT Solution Center
- e-Commerce / Marketing
- Management Consulting
• Our Customers
- AV-Industry: Microsoft, Kaspersky, Symantec, Avira, McAfee and many more
- Business & Government: sorry, under non-disclosure agreements
Agenda
1. Really boring statistical data – infections, damage, $$$.
2. Why are they still out there? Case Studies Part I (EstDomain, iFrameCash)
3. Why companies/users get infected? Case Conficker
4. Case Studies Part II (Carder Planet, Swedbank)
5. Spam – And how to earn money with it
6. DataTheft – Watch Your Accounts!
7. Who are they? Where are they?
8. What can we do against them?
Statistical Data
Number of new threats
2009: 2,200,000
Statistical Data
Potential infections by type, EMEA and global
Statistical Data
Threats to confidential Information, EMEA and global
Statistical Data
Phishing
• Top 3 Fake IDs
- Bank of America
- Paypal
- Abbey
• More than 55,000 people/month are victims of phishing
• Round about 660,000 victims in 2009
Statistical Data
IT-Guys fighting against Online-Criminals
• Approximately 5,000 IT-Guys in the AV-Industry
• Endless Online Criminals
Statistical Data
Damage
• Worldwide about 55 billion USD
• Germany about 18 billion USD
• Austria about 1.8 billion USD
• Steadily growing!
Case Studies Part I - EstDomains
Case Study – EstDomains
Vladimir Tšaštšin – aka SCR
Where do they get their Domains?
No Name – No Follow Up
Tartu, Estonia
Mr. Tšaštšin is also the CEO and largest owner of Rove Digital. Rove generates revenues of several million Euros a year, as shown in this listing of TOP Estonian IT companies by the Äripäev magazine.
Vladimir Tšaštšin (aka "SCR") was sentenced earlier to six months of jail for credit card fraud, money laundering, and related charges.
Case Studies Part I - iFrameCash
Case Study – iFrameCash
Andrey Sporaw – aka Sp0Raw
We pay affiliates $61 per 1,000 infections, no questions asked!
Case Studies Part I - iFrameCash
Mebroot – how does it work?
Case Conficker
Why Companies Get Infected
Case Conficker
Downup, Downadup, Dumprep and Worm.Win32/Conficker
Conficker only became famous because of its name.
It's a worm like millions.
Case Conficker
Timeline 2008
1. 29th September 2008 – Gimmiv seen in the wild - Hanoi
2. 23rd October – Microsoft issues Security Patch MS08-067
3. 26th October – Chinese hackers prepare a toolkit and sell it for $ 37.80
4. 21st November – Conficker.A spotted in the wild
5. 22nd November – Microsoft releases a strongly worded post recommending to "immediately" apply MS08-067
Case Conficker
Timeline
6. 24th December 2008 – 1.5m machines infected, later more than 50,000,000 (6 %)
7. 29th December – Conficker.B spotted in the wild
8. 6th January 2009 – UK's MOD suffers first infections
9. 11th January – Microsoft updates Removal Tool
10. And the infections are going on!
Case Conficker
7 to 10 January 2009
Infections at KABEG although the patch has been available for almost 2 months
Only a few days after the Conficker/Downad worm paralysed the computers of the Carinthian state government (Kärntner Landesregierung), the Carinthian hospital operating company (Kärntner Krankenanstalten Betriebsgesellschaft, KABEG) now also reports an infection by the malware. "We have to take the entire network out of operation," commercial director Herwig Wetzlinger told the APA. The worm slows down the system, but there is no danger to the data. Around 3,000 PCs are affected.
"It is a mutation of the virus that has already appeared in the state government," said Wetzlinger. The problem was introduced via an external storage medium, probably a USB stick.
Case Studies Part II - Carderplanet
Case Study – Carderplanet
Dmitri Golubov – aka Script
Credit Card Dumps
Case Studies Part II - Carderplanet
Where do they get their dumps?
• Hack Shopadmins (xtc, osc, virtuemart etc.)
• Phishing
• Buy data from address brokers
• Finding CDs with DBs on the street
• Many more…
Case Studies Part II - Carderplanet
Dmitri Golubov aka Script
Golubov was convicted in 2005 for selling credit card details ("dumps") stolen via trojans. He was accused of causing multi-million dollar damages.
Turns out Mr. Golubov is now out of jail — and is running a political party in Ukraine, possibly seeking a position in the Ukrainian government (which would grant him automatic immunity from prosecution for criminal activities). His party IPU has — wait for it — promised to fight against public corruption.
Case Studies Part II - Swedbank
Case Study – Swedbank
Remote Control Device
The New Gun of Bankrobbers!
Case Studies Part II - Swedbank
500,000,000 USD
Private Data Collection
56,000 records from the applicant database of PricewaterhouseCoopers
Where from?
• Data breaches
• Data misuse
• Attacks on databases
• Identity and data theft
17 million customer master records at T-Mobile – with bank details
Spam and how to earn money with it
Spam
Don't eat it. Mail it!
Who and where are they?
Who are they?
Where are they?
It is easier to hack cc data than to rob a handbag!
Who and where are they?
Hi, I am Ronit. I am in the 9th grade.
I struggled a lot in my life, but I'm still happy bcoz my family is with me.
But now I don't have any friends. All people are very bad.
I really want to change my life.
Please teach me how to hack credit cards and shop admins.
Where do they do their Business?
Summary
1. Threat scenario is not getting better
2. The enemy is everywhere and they are not stupid
3. It is getting harder and harder to keep protected
4. Most Companies are not protected enough
5. We've never seen this many new samples coming in (40,000 just yesterday)
Do you have any questions?