The Scenes of Cyber Crime

Transcription

1 Organizer: BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES The Scenes of Cyber Crime 5 July 2011 Toralv Dirro EMEA Security Strategist, McAfee Labs

2 Low Risk + High Profit -> Crime

3 500,000 Cyber Crime Altering Threat Landscape Virus and Bots PUP Trojan 400, , , , Malware Growth (Main Variations) 3 July 5, 2011

4 Organizer: Cyber Crime Altering Threat Landscape Virus and Bots PUP Trojan 2,200,000 2,000,000 1,800,000 1,600,000 1,400,000 1,200,000 1,000, , , , , Malware Growth (Main Variations) 4 4 Source: McAfee Labs July 5,

5 Organizer: Cyber Crime Altering Threat Landscape Virus and Bots PUP Trojan 3,200,000 3,000,000 2,800,000 2,600,000 2,400,000 2,200,000 2,000,000 1,800,000 1,600,000 1,400,000 1,200,000 1,000, , , , , Malware Growth (Main Variations) Source: McAfee Labs July 5, 2011

6 Key Trend: Malware Growth Continues The growth in the number of new malware continues unabated. McAfee Labs identifies approximately 55,000 pieces of new malware each day. At its current pace the total number of malware samples in the McAfee zoo will reach 75 million by the end of Total Malware Samples in the Database 70,000,000 60,000,000 50,000,000 40,000,000 30,000,000 20,000,000 10,000,000 0 Jan 10 Feb 10 Mar 10 Apr 10 May 10 Jun 10 Jul 10 Aug 10 Sep 10 Oct 10 Nov 10 Dec 10 Jan 11 Feb 11 Mar 11

7 Key Trend: Malware Growth Continues The growth in the number of new malware continues unabated. McAfee Labs identifies approximately 55,000 pieces of new malware each day. At its current pace the total number of malware samples in the McAfee zoo will reach 75 million by the end of ,000 pieces of new malware each day. 70,000,000 60,000,000 50,000,000 40,000,000 30,000,000 20,000,000 10,000,000 0 Jan 10 Feb 10 Mar 10 Apr 10 May 10 Jun 10 Jul 10 Aug 10 Sep 10 Oct 10 Nov 10 Dec 10 Jan 11 Feb 11 Mar 11

8 The Malware Market Trojan and Exploit Kits easily available

9 New Crimeware Kits

10 URLZone Malware / Crimeware The Trojan calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction. (Downloader-BQZ.a) This statement shows a transaction of Euros when actually 8, Euros was removed from the account. The balance has been changed by the Trojan. ( malware-now-covers-its-tracks-inbank-statements /) 10 10

11 ZeuS - human MITM Step 1 Maintenance, please wait

12 ZeuS - human MITM Step 2 Math for security reasons

13 ZeuS - human MITM Step 3 For Security Reasons: Your phone number please

14 ZeuS - human MITM Step 4 Acknowledge with itan 10

15 ZeuS - human MITM Step 5 Added successful

16 ZeuS - human MITM Step 6 Unfortunately we are closed for maintenance

17 ZeuS - human MITM Admin Panel

18 Key Trend: Android 3 rd Most Popular Mobile Target Overall mobile malware activity growth slowed to 5% quarter over quarter, but there was a marked increase in the activity on the Android platform, which moved from the #5 most popular target to #3. The mobile attack strategies are starting to mirror the approaches historically used to attack PC operating systems. A maliciously altered application obtains root access and then connects the device to a botnet-like command center, which issues subsequent instructions to extract data from the device or (over time) extend the attack to other devices. Total Mobile Malware Samples Mobile Malware Targets 1,200 1, Q1 '09 Q2 '09 Q3 '09 Q4 '09 Q1 '10 Q2 '10 Q3 '10 Q4 '10 Q1 '11 Symbian OS Java 2 Mobile Edition Android Python WinCE MSIL VBS BlackBerry Linux

19 Mobile Crimeware Geinimi : A new Trojan affecting Android devices has recently Q1 emerged in China Geinimi is the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. Send location coordinates (fine location) Send device identifiers (IMEI and IMSI) Download and prompt the user to install an app Prompt the user to uninstall an app Enumerate and send a list of installed apps to the server Read and collect SMS messages Send and delete selected SMS messages Pull all contact information and send it to a remote server (number, name, the time they were last contacted) Place a phone call Silently download files Launch a web browser with a specific URL Credit for screenshot: intseq=1881&code=4

20 Mobile Crimeware A variant of the ZeuS trojan is targeting the mobile phone based, Q1 two-factor authentication used by Polish ING Bank Slaski Polish Security Consultant, Piotr Konieczny reported that operators of the Zeus botnet are attempting to reach into the mobile sphere with two new variants targeting users on Window Mobile and Symbian phones. Zeus in the Mobile (or Zitmo), are again attempting to authenticate bank transactions by intercepting the mtan authentication code sent to mobile devices. Credit for screenshot: An mtan (mobile Transaction Authentication Number) is used by some online banking services in Europe to authorize financial transactions by sending an SMS to the customer s phone. TANs were put in to add an extra layer of security in order to complete large transactions. It is believed that Zitmo was developed to circumvent this added layer of security implemented by the banks.

21 $70mio International Cybercrime Ring Busted October 1st 2010: Operation Trident Breach Investigations began in May criminals charged, 10 arrested International Partnership with SBU and other authorities The Federal Bureau of Investigation, including the New York Money Mule Working Group, the Newark Cyber Crime Task Force, the Omaha Cyber Crime Task Force, the Netherlands Police Agency, the Security Service of Ukraine, the SBU, and the United Kingdom s Metropolitan Police Service participated in the operation. The cyber thieves targeted small- to medium-sized companies, municipalities, churches, and individuals, infecting their computers using a version of the Zeus Botnet. The malware captured passwords, account numbers, and other data used to log into online banking accounts. This scheme resulted in the attempted theft of $220 million, with actual losses of $70 million from victims bank accounts

22 Key Trend: Fake Malware Detection Software Fake anti-virus, also known as bogus or rogue security software, had a very strong quarter and its growth shows no real signs of slowing. This will remain an actively developing area of malware due to the amount of money cybercriminals can earn with these fake technologies. 400,000 Unique Fake Alert Samples Discovered 350, , , , , ,000 50,000 0

23 Questions? More Info? Read the McAfee Labs Security Blog Listen to the AudioParasitics Podcast Read the Monthly Spam Report Read the McAfee Quarterly Threat Report Read the McAfee Security Journal Watch the Stop H*Commerce Series 23