Case Studies Part I - iFrameCash
Transcription
Fighting the Malware Online Organized Crime
Yesterday: SaaS – Software as a Service
Today: CaaS – Crime as a Service
Speaker: Peter Stelzhammer
www.kompetenzzentrum.it | www.av-comparatives.org

About Us – Two Divisions
AV-Comparatives – Independent Testing Organization
- Worldwide leader in security software testing
- Charter member of AMTSO (Anti-Malware Testing Standards Organization)
kompetenzzentrum.IT – Commercial Consulting
- IT security auditing & consulting
- IT solution center
- e-Commerce / marketing
- Management consulting
Our Customers
- AV industry: Microsoft, Kaspersky, Symantec, Avira, McAfee and many more
- Business & government: sorry, under non-disclosure agreements

Agenda
1 Really boring statistical data – infections, damage, $$$
2 Why are they still out there? Case Studies Part I (EstDomains, iFrameCash)
3 Why do companies/users get infected? Case Conficker
4 Case Studies Part II (CarderPlanet, Swedbank)
5 Spam – and how to earn money with it
6 Data theft – watch your accounts!
7 Who are they? Where are they?
8 What can we do against them?

Statistical Data
Number of new threats in 2009: 2,200,000
Potential infections by type, EMEA and global (chart)
Threats to confidential information, EMEA and global (chart)
Phishing – top 3 faked identities: Bank of America, PayPal, Abbey
More than 55,000 people per month are victims of phishing; roughly 660,000 victims in 2009
IT guys fighting against online criminals: approximately 5,000 people in the whole AV industry, against an endless supply of online criminals
Damage: worldwide about 55 billion USD; Germany about 18 billion USD; Austria about 1.8 billion USD. Steadily growing!
Case Studies Part I – EstDomains
Case Study – EstDomains
Vladimir Tšaštšin – aka SCR
Where do they get their domains? No name – no follow-up.
(Photo slides: Tartu, Estonia)
Mr. Tšaštšin is also the CEO and largest owner of Rove Digital. Rove generates revenues of several million euros a year, as shown in the listing of top Estonian IT companies by the Äripäev magazine. Vladimir Tšaštšin (aka "SCR") was sentenced earlier to six months of jail for credit card fraud, money laundering, and related charges.

Case Studies Part I – iFrameCash
Case Study – iFrameCash
Andrey Sporaw – aka Sp0Raw
"We pay affiliates $61 per 1,000 infections, no questions asked!"
(Screenshot slides)
Mebroot – how does it work? (slides)

Case Conficker – Why Companies Get Infected
Downup, Downadup, Dumprep and Worm.Win32/Conficker
Conficker only became famous because of its name. It's a worm like millions of others.
Case Conficker – Timeline 2008
1 29 September 2008 – Gimmiv seen in the wild (Hanoi)
2 23 October – Microsoft issues security patch MS08-067
3 26 October – Chinese hackers prepare a toolkit and sell it for $37.80
4 21 November – Conficker.A spotted in the wild
5 22 November – Microsoft releases a strongly worded post recommending to "immediately" apply MS08-067
6 24 December 2008 – 1.5 million machines infected; later more than 50,000,000 (6 %)
7 29 December – Conficker.B spotted in the wild
8 6 January 2009 – UK's MoD suffers first infections
9 11 January – Microsoft updates the removal tool
10 And the infections go on!!

Case Conficker
7 to 10 January 2009: infections at KABEG although the patch had been available for almost 2 months
Only a few days after the Conficker/Downad worm paralysed the computers of the Carinthian state government, the Carinthian hospital operating company (Kärntner Krankenanstalten Betriebsgesellschaft, KABEG) now also reports an infestation by the pest. "We have to take the entire network out of operation," commercial director Herwig Wetzlinger told the APA. The worm slows the system down, he said, but there is no danger to data. Around 3,000 PCs are affected. "It is a mutation of the virus that already appeared at the state government," Wetzlinger said. The problem was brought in on an external storage medium, presumably a USB stick.
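The KABEG report above names a USB stick as the way in, which is the Conficker.B removable-media vector: an autorun.inf padded with binary junk so that a casual look shows garbage, while the few lines Windows actually parses point an execution key at rundll32 loading the worm's DLL (under a non-DLL extension) from a folder named like the Recycle Bin, plus an Action line mimicking Windows' own "Open folder to view files" entry so that the user launches it by hand. The Python below is an added example, not code from the talk; it parses an autorun.inf the tolerant way Windows does and flags those tricks. The sample files, the RECYCLER path and the payload name are constructed for the example and are not real Conficker artefacts.

```python
"""Inspect an autorun.inf for the tricks removable-media worms used to run on
insert. Added example; the samples below are constructed, not real worm files."""
import re

# Keys that make Windows execute something on insert or on "open".
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}


def parse_autorun(data: bytes) -> dict[str, str]:
    """Return the [autorun] key/value pairs, skipping any junk around them.
    Windows ignored lines it could not parse, which is exactly why junk padding
    hid the payload lines from anyone opening the file in an editor."""
    text = data.decode("latin-1")          # never fails, every byte maps to a char
    keys: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue                        # junk line or a key outside [autorun]
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if re.fullmatch(r"[\w\\.]+", key):  # a junk line with '=' in it has no sane key
            keys[key] = value.strip()
    return keys


def suspicious_target(command: str) -> bool:
    """A payload living in a folder that looks like the Recycle Bin, or rundll32
    being pointed at a file that is not named like a DLL (it loads any PE)."""
    c = command.lower()
    if "recycler" in c or "$recycle.bin" in c or "system volume information" in c:
        return True
    m = re.search(r"rundll32(?:\.exe)?\s+([^,\s]+)", c)
    return bool(m) and not m.group(1).endswith(".dll")


def assess(data: bytes) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means nothing worth a look."""
    keys = parse_autorun(data)
    findings: list[tuple[str, str]] = []
    exec_present = EXEC_KEYS & keys.keys()
    for k in sorted(exec_present):
        findings.append(("exec_key", f"{k}={keys[k]}"))
        if suspicious_target(keys[k]):
            findings.append(("suspicious_target", keys[k]))
    if exec_present and "open folder" in keys.get("action", "").lower():
        findings.append(("fake_open_folder", keys["action"]))
    # Count bytes no text autorun.inf needs; a quarter of the file is a padding tell.
    junk = sum(1 for b in data if b > 0x7E or (b < 0x20 and b not in b"\r\n\t"))
    if junk > len(data) // 4:
        findings.append(("junk_padding", f"{junk} of {len(data)} bytes non-printable"))
    return findings


# Constructed sample with the shape of a worm autorun.inf (not a real file).
SAMPLE = (
    b"\x00\x8f\xfe\x12" * 40
    + b"\r\n[autorun]\r\n"
    + b"Action=Open folder to view files\r\n"
    + b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    + b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\payload.vmx,InstallM\r\n"
    + b"UseAutoPlay=1\r\n"
    + b"\x91\xc3\x00\x7f" * 40
)
# Constructed benign files: a driver CD that only sets an icon, and an installer
# CD that uses a plain 'open' key (legitimate, but still worth a look).
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\n"
OPEN_PLAIN = b"[AutoRun]\r\nopen=setup.exe\r\n"

if __name__ == "__main__":
    for name, blob in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN), ("OPEN_PLAIN", OPEN_PLAIN)):
        print(name, assess(blob))
```

The parser deliberately mirrors the permissive behaviour that made the trick work: it does not reject the file because it contains garbage, it just reads the keys Windows would have read. Disabling AutoRun via the NoDriveTypeAutoRun policy removes the automatic launch, but the fake "Open folder to view files" entry still appears in the AutoPlay dialog, which is why the Action check is kept separate from the junk check.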
Case Studies Part II – CarderPlanet
Case Study – CarderPlanet
Dmitri Golubov – aka Script
Credit card dumps
(Screenshot slides)
Where do they get their dumps?
- Hack shop admins (xtc, osc, virtuemart etc.)
- Phishing
- Buy data from address brokers
- Finding CDs with databases on the street
- Many more...
Dmitri Golubov aka Script
Golubov was convicted in 2005 for selling credit card details ("dumps") stolen via trojans. He was accused of causing multi-million dollar damages. Turns out Mr. Golubov is now out of jail — and is running a political party in Ukraine, possibly seeking a position in the Ukrainian government (which would grant him automatic immunity from prosecution for criminal activities). His party IPU has — wait for it — promised to fight against public corruption.
(Screenshot slides)

Case Studies Part II – Swedbank
Case Study – Swedbank
Remote control device – the new gun of bank robbers!
(Slides)
500,000,000 USD

Private data collection
56,000 records: the applicant database of PricewaterhouseCoopers
Where from? Data breaches, data misuse, attacks on databases, identity and data theft
17 million customer master records at T-Mobile – including bank details

Spam and how to earn money with it
Spam – don't eat it. Mail it!
(Slides)
Who and where are they?
Who are they? Where are they?
It is easier to hack CC data than to rob a handbag!
"Hi, I am Ronit. I am in the 9th grade. I struggled a lot in my life, but I'm still happy because my family is with me. But now I don't have any friends. All people are very bad. I really want to change my life. Please teach me how to hack credit cards and shop admins."
Where do they do their business? (slides)

Summary
1 The threat scenario is not getting better
2 The enemy is everywhere and they are not stupid
3 It is getting harder and harder to stay protected
4 Most companies are not protected enough
5 We've never seen this many new samples coming in (40,000 just yesterday)

Do you have any questions?