2 OVERVIEW 2 1. Cyber Crime Unit organization 2. Legal framework 3. Identity theft modus operandi 4. How to avoid online identity theft 5. Main challenges for investigation 6. Conclusions
3 ORGANIZATION 3 DIRECTORATE OF COUNTERING ORGANIZED CRIME Trafficking of Human Beings Money Laundering and financing the terrorism Central CyberCrime Unit Drugs Trafficking
4 CYBER CRIME UNIT - ORGANIZATION 4 Central Service for Countering Computer Crimes 1 st Bureau: E-Commerce Frauds and Payment card frauds 2 nd Bureau: Computer Forensic 3 rd Bureau: Child Pornography 4 rd Bureau: Computer related crimes 15 BCCO Cyber Crime Unit 7-10 police officers 27 County Offices 1-4 cyber police officers
5 LEGAL FRAMEWORK IN ROMANIA 5 Penal Code! ART. 360 Illegal acces to a computer system! ART. 361 Illegal interception of a computer data transmission! ART. 362 Computer data alteration! ART. 363 Operation disruption of computer systems! ART. 364 Unauthorized data transfer! ART. 365 Illegal operations with digital devices and software! ART. 249 Computer fraud! ART. 374 Child pornography through computer systems! ART. 250 Making fraudulent financial operations! ART. 251 Accepting transactions made fraudulently
6 IDENTITY THEFT MODUS OPERANDI! AUCTION FRAUDS! PHISHING / PHARMING / SPEARPHISHING! VISHING / SMISHING! SOCIAL NETWORK IDENTITY THEFT! MALWARE MOBILE APPS! SKIMMING 6
7 AUCTION FRAUDS 7! Seller account takeover! Posting products for sale! Luring the victim with to good to be true deals! Setting up a money cashing network! Money laundering
8 PHISHING 8 MAIN USES:! obtaining payment card information! obtaining online bank accounts! obtaining usernames and password for different types of accounts (Yahoo, Gmail, Paypal, Facebook, etc )
9 PHISHING 9 BASIC STEPS:! Identifying a target and preparing for the attack! Launch the attack! Data gathering! Checking phished informations! Using phished informations and obtaining money
10 PHISHING identifying a target 10! The phisher usually targets banks or other financial institutions! The phisher will decide on the method of attack, which will often be some combination of phishing, pharming, deceptive downloads, and other available techniques! The beginners collaborate with other phishers, in order to learn how to operate and to carry out the attack! The most experienced ones, recruit accomplices for some parts of the attack
11 PHISHING - launch the attack 11! The attacker has to send out the bait for a phishing attack or find some other way to attack the consumer.! The best-known phishing attack is an that asks the user for personal information.! Other attacks could be deceptive downloads onto user computers, pharming attacks, and recruiting insiders who can help in harvesting personal information.
12 PHISHING - launch the attack! The phishing attack conducted through 12 " Obtaining lists of accounts (millions of accounts) " Using mass sender software and hacked servers, the attacker will send messages to potential victims; " Create or customizing a fake websites " Create an account, used as a dropbox for receiving information; " Upload fake websites on compromised servers or on hosting servers which the attacker has bought using previous stolen credit card information. " Preparing backup servers, in case the first servers will be blocked by ISPs or law enforcement
13 PHISHING - launch the attack! Deceptive downloads: 13! Could turn user system into a zombie where the attacker is able to remotely control system resources, so user computer become part of a BotNet.! Spam perpetuates phishing attacks. BotNets can send spam and launch Distributed Denial of Service attacks (DDOS).! The attacker also try to get search engines to promote their spoofed links by paying for sponsored links or using the BotNets to cheat the rank algorithm.! The most insidious form of deceptive software is a rootkit which installs at or below the level of the operating system to avoid detection! Pharming:! compromises DNS servers which redirect a user to the attacker site even when the user enters or clicks on a trusted link. Rogue software can edit a local hosts file to effect the same action.
14 PHARMING 14 A pharming attack occurs when users are redirected from an authentic to a fraudulent website that replicates the original in appearance
15 PHISHING - data gathering Major ways to harvest the data : 15! user entry of data, such as on a spoofed Web site or in an ;! software capture of data, such as by logging the consumer keystrokes or sniffing traffic in the network.
16 PHISHING checking phished informations! Once the criminals have gathered personal data, they have to decide how to use it. 16! For attacks against a financial institution or online merchant, they have to learn the modus operandi what information is needed for authorization, what sum limits activates alarms.! The criminals also need to select the best users to attack who has the large assets, the good credit score, or other characteristics that make them a profitable target.
17 PHISHING using phished informations! Attackers seek to take advantage of the data they have gathered. 17! Most often the crime is financial fraud, such as:! unauthorized purchase,! hijacking a bank account and transfer funds from it! withdraw cash from ATMs! In other cases the attackers are selling the information they gathered.
19 Phishing attacks Examples 19
20 SPEARPHISHING 20 Spearphishing is an spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data.
21 VISHING / SMISHING 21! VISHING is the illegal access of data via voice over Internet Protocol (VoIP). Vishing is IP telephony s version of phishing and in some cases uses voice messages to steal identities and financial resources.
22 VISHING / SMISHING 22! SMISHING is an identity theft scheme that involves sending consumers text messages containing a link to a fraudulent website or a phone number in an attempt to collect personal information
23 SOCIAL NETWORK IDENTITY THEFT! Social networking sites have the greatest potential for abuse, because of the sensitive information that can be used against you in a variety of malicious ways. The following profile elements can be used to steal or misappropriate your identity: 23 Full name (particularly your middle name) Date of birth (often required) Home town Relationship status School locations and graduation dates Affiliations, interests and hobbies! All the sensitive and apparently unimportant information (pet names, mother's maiden name) provided on social networks sites can be used by an attacker to impersonate the victim of an identity theft in offline situations (e.g. at a bank)
24 MALWARE MOBILE APPS 24! when the app is launched, a fake login form window (e.g. Facebook) is displayed to the user. If victims fell for the scam, their credentials would be sent to the attackers server.! certain apps can transmit the IMEI, IMSI, storage info, and installed app info to a remote server. Then, the server can send a command to uninstall certain apps (such as anti-virus applications), launch other apps, or download and install apps from URLs given by the server. These actions can be used to launch further attacks.
25 MALWARE MOBILE APPS 25 https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html
26 SKIMMING 26! A method used by criminals to capture data from the magnetic stripe on the back of any card, using a card reader which can be disguised to look like a part of the ATM, or installed inside of a POS! Even if this is an offline modus operandi of identity theft, it is one of the most frequent ways to steal credit/debit card information
27 HOW TO AVOID ONLINE IDENTITY THEFT! Be suspicious of any or communication (including text messages, social media post, ads) with urgent requests for personal financial information.! Avoid clicking on links. Instead, go to the website by typing the Web address directly into your browser or by searching for it in a search engine. Calling the company to verify its legitimacy is also an option, too.! Don t send personal financial information via , and avoid filling out forms in that ask for your information.! Use a secure website (https:// and a security lock icon) when submitting credit card or other sensitive information online. 27
28 HOW TO AVOID ONLINE IDENTITY THEFT! Keep A Clean Machine.! Keep security software current.! Automate software updates.! Protect all devices that connect to the Internet.! Plug & scan: Protect Your Personal Information.! Secure your accounts.! Make passwords long and strong: Unique account, unique password.! Write it down and keep it safe.! Own your online presence.! Connect With Care.! When in doubt, throw it out.! Get savvy about Wi-Fi hotspots.! Protect your $$: Be Web Wise.! Stay current. Keep pace with new ways to stay safe online.! Think before you act.! Back it up..! Be an online Law Abiding Citizen.! Safer for me more secure for all.! Help the authorities fight cyber crime 28
29 MAIN CHALLENGES 29 Tracing and Identifying Criminals Undercover Online Investigations Constant Development and Evolution of Technology Digital Forensic Analysis International Co-operation in Cybercrime Investigation
30 TRACING AND IDENTIFYING CRIMINALS 30! Fragmented nature of identity theft! Different suspects may be responsible for various aspects of identity theft crimes, such as providing how-to instructions, helping to set up spoofed sites and sending s, and money laundering! many of the perpetrators targeting consumers in one country operate from foreign countries! Better organization of the criminal groups through structuring and specialization of their members! Use of youngsters with skills in using computer and new technologies, which are organized and coordinated by the leaders of criminal groups
31 TRACING AND IDENTIFYING CRIMINALS 31! Following the money! It s obviously better to disrupt criminal acts as early as possible, before the harm to individuals takes place. However, sometimes the only chance to identify the attacker is in the later stages of an attack. At the stage where the suspect tries to convert the stolen personal information into money, investigators can follow up on these fraudulent transactions and trace the criminals involved in identity theft operations.! Tracing communications! While it is actually occurring! Using data stored by communications providers
32 UNDERCOVER ONLINE INVESTIGATIONS 32! Investigators can enter in chatrooms and other places where potential phishers communicate with each other! Undercover agents can infiltrate the criminal groups! Undercover operations can create the evidence needed for successful prosecutions! Use disinformation when the criminal gathers personal data:! Investigators can cause trouble for phishers by feeding false personal data to the spoof sites. This approach may reduce the economic value of phishing! Investigators can deliberately seed a false name, bank account, etc. to a spoof site. If that false name or number is then used, that is strong evidence that the person using the data is linked to criminal phishing activity.! Disinformation, therefore, can reduce the value of personal information on the black market and create evidence that links the criminal to illegal phishing activity
33 CONSTANT DEVELOPMENT AND EVOLUTION OF TECHNOLOGY 33! Easy acces to new technologies and the possibility to travel abroad faster will make the tracking more difficult.! Permanent concern in finding new modes of operation, the identification of products that can be defrauded and systems that can be compromised;! The suspects started to change the field of action from small phishing /skimming attacks against persons to major frauds (major damagehundreds of thousands/millions) against companies;
34 CONSTANT DEVELOPMENT AND EVOLUTION OF TECHNOLOGY 34! Resources problems - Investigators in law enforcement agencies often lag behind cyber criminals in terms of their understanding of technology and the equipment at their disposal.! As identity theft methods evolve, it is crucial for investigators to keep up-to-date. Yet, sufficient funding is often lacking in the public sector for the ongoing training, hardware and software, and other tools necessary to keep up with the perpetrators! Law Enforcement Needs:! Experts dedicated to high-tech crime! Experts available 24 hours a day! Continuous training! Continuously updated equipment
35 DIGITAL FORENSIC ANALYSIS! New tools and processes capable of locating and recovering sufficient evidence from larger data storage devices quickly, efficiently and in detail! Forensic tools are often commercial products rather than science -based, and do not fulfill all forensic needs! Increasing size of data storage on some personal computing devices, as well as cloud and network storage represents a real challenge to law enforcement! Cloud computing services (which replaces much of the traditional IT hardware) can be hosted and managed by an organization, or by a third-party provider, making it harder for law enforcement to acquire evidence 35
36 INTERNATIONAL CO-OPERATION IN CYBERCRIME INVESTIGATIONS 36! The transborder nature of the cybercrimes will make the investigation more difficult as we need information from authorities from abroad (by means of rogatory letters), an expensive and slow procedure.! Cooperation with the private sector can help! Differences in language, laws, and legal procedures make it very difficult to prosecute the suspects
37 CONCLUSIONS 37! The threats are continuously evolving and blended together by the suspects to form new attacks.! Self awareness is the first step in protecting online identity. It is better to be aware of all of the ways someone could possibly steal your personal information, than to have it happen and wonder how or why.! International and inter-institutional cooperation is a key factor in preventing, controlling and fighting against online identity theft
38 THANK YOU QUESTIONS? Silviu CIOBOTICI