Full Text of How Cybercriminals Steal Money by Neil Daswani at Google Tech Talks. This presentation event took place on June 16, 2008.
Neil Daswani – Co-director, Stanford Advanced Security Certification Program
My name is Neil Daswani. I’m a security engineer here at Google. And today I’m going to be talking about how cyber criminals steal money. I’m going to be talking specifically about how cyber criminals use various types of web application vulnerabilities to steal money. And I’m going to start with simple examples and then I’ll go to more complicated examples.
In the course of my talk, I may refer to many resources, presentations, reports, books, certifications, courses, et cetera. Links to those are all going to be available at my site at neildaswani.com. And at the end of the talk, I’ll also be giving out a couple of free copies of a security book that I published, but you’ll have to answer some trivia questions to get those at the end of the talk.
Before I go ahead and get started, the one additional thing that I wanted to mention is that, given that this is a security talk, if you have any Google-specific questions, I’m going to ask you to hold them until the end of the talk, until we stop taping, and then you can ask those. But if you have general questions about the presentation or some of the techniques, then I’d be happy to take those either in the middle of the talk or at the end of the talk before we stop videotaping.
So, let me go ahead and get started. One of the major shifts that occurred over the past three or four years is that the profile of the attackers has changed. So, up until about three or four years ago, when people used to write worms and viruses, they would typically want to just make names for themselves. They would release their worms out there, it would cause lots of traffic and servers would come down, some patch would get deployed and the game would be over. But the big shift that’s occurred over the past three or four years is that as more and more commerce has started taking place on the internet and as more businesses have started making more money from that commerce activity, the bad guys want to get their share. And so, their end goal is money, actual money. And so, in many of the attacks that I’ll talk about, in the examples that I’ll present, I’ll tell you how these bad guys are working to get at money.
Now, the bad guys may have a set of intermediate goals that may help them get to that money. And so, some of the intermediate goals, for instance, are data theft: they’ll steal identity information, they’ll steal credit card information. They may decide to conduct extortion. So they will launch a denial-of-service attack against a website at, say, 8:30 AM, to the point that it’ll take down all the bank’s servers. They will send in a ransom note to the bank. They will say, “Please pay us X thousand dollars or we’re going to shut down your servers. By the way, if you check your web server logs at 8:30, you’ll notice that all your web servers were down, so I’m not kidding.” And so extortion’s another goal.
Another goal to make money is to distribute malware. Once the bad guys distribute malware, they can then do all kinds of things with the compromised machines, assemble them into botnets and/or do what they please with those botnets. So, there’s a number of intermediate goals. To give you a concrete example of such an organized crime network: so I mentioned that the attacker profile has shifted from amateurs to professionals that want to make money, and in many cases those professionals are very organized. It is their full-time job to attack sites. The bad guys, in some cases, will hire other people as mules to transfer money from one place to the other. So, it’s an extensive organized network. We’re not fighting against amateurs anymore. One example of such an organized crime network is the Russian Business Network. If you’ve heard of botnets like Storm, which have compromised anywhere from a million to five million machines, depending upon who you want to believe (the real number is probably closer to a million, million and a half), they’re responsible for these types of botnets. Storm, for instance, is a peer-to-peer based botnet that can be used for denial of service, key-logging, pretty much whatever one would like. The bad guys will rent out the machines on those botnets. They’ll say, “Hey, I have a botnet. I have this many machines. I’ll rent them to you for X cents per day, and you give me a binary, I’ll put whatever binary you give me on those machines and farm them out.”
Another thing that the Russian Business Network is alleged to be responsible for is a piece of software called Malware Alarm. So Malware Alarm is this piece of software which will pop up a dialog box on your PC and it will say, “We think your computer is infected by malware. Please click here to disinfect.” Of course, if you click here to disinfect, it will infect your computer as opposed to disinfecting it. And so, the Russian Business Network is a thoroughly organized group. For those of you that are interested in learning more about the Russian Business Network, come up to me after the talk; I can tell you some fun stories.
So, the goals of cyber criminals have changed over the years. To give you a little bit of data about various pseudo-goals and intermediate goals that the bad guys have, this is a graph that I pulled out from a Web Hacking Incidents Database report that was done by Breach Security. They basically looked at a whole bunch of organizations over the course of 2007 and what types of attacks were reported for all of 2007. And so, you can see that what the bad guys were mainly trying to do is steal sensitive information like credit card numbers and identity information. Once they steal that information, they can do various things with it. They could decide to use that sensitive information for their own gain. For instance, if they have stolen credit card numbers, they can then burn those credit card numbers onto blank magnetic stripes of their own and hand those out to mules, who they then tell to go to ATMs and try to do cash advances and whatnot, or use the cards at various points of sale. So that’s one thing they can do with stolen sensitive information.