Full Text of How Cybercriminals Steal Money by Neil Daswani at Google Tech Talks. This presentation event took place on June 16, 2008.
Neil Daswani – Co-director, Stanford Advanced Security Certification Program
My name is Neil Daswani. I’m a security engineer here at Google. And today I’m going to be talking about how cyber criminals steal money. I’m going to be talking specifically about how cyber criminals use various types of web application vulnerabilities to steal money. And I’m going to start with simple examples and then I’ll go to more complicated examples.
In the course of my talk, I may refer to many resources, presentations, reports, books, certifications, courses, et cetera. Links to those are all going to be available at my site at neildaswani.com. And at the end of the talk, I’ll also be giving out a couple of free copies of a security book that I published, but you’ll have to answer some trivia questions to get those at the end of the talk.
Before I go ahead and get started, the one additional thing that I wanted to mention is that, given that this is a security talk, if you have any Google-specific questions, I’m going to ask you to hold them until the end of the talk, until we stop taping, and then you can ask those. But if you have general questions about the presentation or some of the techniques, then I’d be happy to take those either in the middle of the talk or at the end of the talk before we stop videotaping.
So, let me go ahead and get started. One of the major shifts that has occurred over the past three or four years is that the profile of the attackers has changed. So, up until about three or four years ago, when people used to write worms and viruses, they would typically just want to make names for themselves. They would release their worms out there, it would cause lots of traffic and servers would come down, some patch would get deployed and the game would be over. But the big shift that’s occurred over the past three or four years is that as more and more commerce has started taking place on the internet and as more businesses have started making more money from that commerce activity, the bad guys want to get their share. And so, their end goal is money, actual money. And so, in many of the attacks that I’ll talk about, in the examples that I’ll present, I’ll tell you how these bad guys are working to get at money.
Now, the bad guys may have a set of intermediate goals that may help them get to that money. And so, some of the intermediate goals, for instance, are data theft: they’ll steal identity information, they’ll steal credit card information, they may decide to conduct extortion. So they will launch a denial-of-service attack against a website at, say, 8:30 AM, to the point that it’ll take down all that bank’s servers. They will send in a ransom note to the bank. They will say, “Please pay us X thousand dollars or we’re going to shut down your servers. By the way, if you check your web server logs at 8:30, you’ll notice that all your web servers were down, so I’m not kidding.” And so extortion’s another goal.
Another goal to make money is to distribute malware. Once the bad guys distribute malware, they can then do all kinds of things with the compromised machines, assemble them into botnets and/or do what they please with those botnets. So, there’s a number of intermediate goals. To give you a concrete example of such an organized crime network — so I mentioned that the attacker profile has shifted from amateurs to professionals that want to make money, and in many cases those professionals are very organized. It is their full-time job to attack sites. The bad guys, in some cases, will hire other people as mules to transfer money from one place to the other. So, it’s an extensive organized network. We’re not fighting against amateurs anymore. One example of such an organized crime network is the Russian Business Network. If you’ve heard of botnets like Storm, which have compromised anywhere from a million to five million machines, depending upon who you want to believe, the real number is probably closer to a million, a million and a half. They’re responsible for these types of botnets. Storm, for instance, is a peer-to-peer based botnet that can be used for denial of service, key-logging, pretty much whatever one would like. The bad guys will rent out the machines on those botnets. They’ll say, “Hey, I have a botnet. I have this many machines. I’ll rent them to you for X cents per day and you give me a binary, I’ll put whatever binary you give me on those machines and farm them out.”
Another thing that the Russian Business Network is alleged to be behind is a piece of software called Malware Alarm. So Malware Alarm is this piece of software which will pop up a dialog box on your PC and it will say, “We think your computer is infected by malware. Please click here to disinfect.” Of course, if you click here to disinfect, it will infect your computer as opposed to disinfect it. And so, the Russian Business Network is a thoroughly organized group. For those of you that are interested in learning more about the Russian Business Network, come up to me after the talk, I can tell you some fun stories.
So, the goals of cyber criminals have changed over the years. To give you a little bit of data about various pseudo-goals and intermediate goals that the bad guys have, this is a graph that I pulled out from a Web Hacking Incidents Database report that was done by Breach Security. They basically looked at a whole bunch of organizations over the course of 2007 and what types of attacks were reported for all of 2007. And so, you can see that what the bad guys were mainly trying to do is steal sensitive information like credit card numbers, identity information. Once they steal that information, they can do various things with it. They could decide to use that sensitive information for their own gain. For instance, if they have stolen credit card numbers, they can then burn those credit card numbers onto blank magnetic stripes of their own and hand those out to mules who they then tell to go to ATMs and try to do cash advances and whatnot, or use the cards at various points of sale. So that’s one thing they can do with stolen sensitive information.
The other thing that they could decide to do is to just sell the information on the black market. So, the bad guys have a whole bunch of IRC channels as well as other ways of communicating with each other. And there’s an underground economy, there’s a market. So on the underground market, a credit card number might be worth say, $10 per credit card number and they can get bought and sold in bulk. So stealing sensitive information is one thing that the bad guys do.
The next highest category of intermediate goals for the bad guys, which is what’s on this slide, is defacement. So that’s simply somebody changing what’s on the front page of the website to get their own, say, political messages across. Now, I should mention that this particular report queried a lot of government agencies. And so, because the number of government agencies queried in this report tends to be a little bit on the high side, I’d say defacement is probably a little bit on the high side with regards to other databases that I’ve seen describing incidents.
There’s one final point I want to make about this graph, and it is that this graph is based on incidents as opposed to vulnerabilities. So for those of you that are familiar with web application vulnerabilities, you may be aware that cross-site scripting (XSS) happens to be a major problem on the internet. A lot of vulnerabilities reported are typically cross-site scripting vulnerabilities. And I’ll chat a little bit about some types of cross-site attacks later in the talk, but the thing to keep in mind is that those are vulnerabilities as opposed to actual incidents. This graph shows incidents. So, this is what the attackers are actually trying versus what, say, security researchers are trying.
So, this slide summarizes some things about the intermediate goals on the part of the attacker. So, I’ve given you some high-level information about trends in the space. I’ll talk a little bit more about trends, but what I’m going to do is start with a simple concrete attack, show you how it works and then I’m going to show some more complicated attacks as well. So I’m going to talk about SQL injection first. Actually, let me just get a quick show of hands: how many of you are familiar with SQL injection? Okay, good. More than half of the room, which is great. So I’m going to go through this example relatively quickly.
The basic idea is that a good user might access a website in the following way: they have a web browser, they need to authenticate themselves to a web server, they typically supply a username and password, and the web server then uses that username and password to allow the user to log in. Of course, before allowing the user to log in, it needs to figure out if this user is indeed authentic. So, the web server might make a query to a database. The database command that gets constructed may get constructed based on the user input. So, the user supplies the username, and the web server needs to select the corresponding password from the database and see what the corresponding password is for the username that was entered. Of course, the bad guy is not going to enter your regular run-of-the-mill username; the bad guy is instead going to enter a username like quote, semicolon, drop table user, semicolon, hyphen, hyphen, and enter something for the password, it really doesn’t matter what. But the idea is that after this input is entered and is substituted into the query, the quote will close off the string literal, the semicolon will close off the first database command, the rest of the input will make up a second database command, and these hyphens will comment out the apostrophe that the web application put in. And in old databases, these actually used to execute just fine and would end up deleting all the information about all the users in the database in one shot. So this would be an example of a denial-of-service attack that occurs based on SQL injection.
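The login query the talk describes, as an added example that is not part of the transcript: a constructed in-memory SQLite database, the string-spliced query beside its parameterised form, and the talk's exact username run against each. The table and column names, the sample rows, and the use of executescript() to emulate an old database that runs every statement in the string are assumptions.

```python
import sqlite3

# The talk's malicious username: quote, semicolon, DROP TABLE, semicolon, two hyphens.
PAYLOAD = "'; DROP TABLE user; --"


def make_db():
    """Constructed in-memory sample database (not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def user_table_exists(conn):
    row = conn.execute("SELECT name FROM sqlite_master "
                       "WHERE type = 'table' AND name = 'user'").fetchone()
    return row is not None


def build_query_unsafe(username):
    """Vulnerable construction: the username is spliced into the SQL text, so the
    quote in the input closes the literal, the semicolon ends the SELECT, and the
    trailing -- comments out the apostrophe the application appended."""
    return "SELECT password FROM user WHERE username = '" + username + "';"


def run_unsafe(conn, username):
    """Run the spliced text the way the old databases in the talk did: every
    statement in the string executes. executescript() emulates that (assumption);
    sqlite3's plain execute() would refuse a second statement. Returns whether the
    user table survived."""
    conn.executescript(build_query_unsafe(username))
    return user_table_exists(conn)


def lookup_safe(conn, username):
    """Hardened form: a parameterised query. The driver passes the username as
    data, so the whole payload is just a username that matches no row."""
    row = conn.execute("SELECT password FROM user WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe(PAYLOAD))
    print("safe lookup of payload:", lookup_safe(db, PAYLOAD))  # None, table intact
    print("table after unsafe run:", run_unsafe(db, PAYLOAD))   # False, table dropped
```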