Briefing Paper Preliminary Analysis of New Commercial CSAM Website Accepting Payment by Bitcoin

Similar documents
BRIEFING PAPER - Rogue Affiliates Distributing CSAM using Disguised Websites (Public version)

Study of Self-Generated Sexually Explicit Images & Videos Featuring Young People Online

Computer Security Literacy

Virtual Currencies and their Relevance to Digital Forensics PRESTON MILLER

The anatomy of an online banking fraud

Introducing our new Editor: Creator

Man-in-the-Middle Attacks against the chiptan comfort Online Banking System

Protect yourself online

Cloud Services. Anti-Spam. Admin Guide

DON T BE FOOLED BY SPAM FREE GUIDE. Provided by: Don t Be Fooled by Spam FREE GUIDE. December 2014 Oliver James Enterprise

Online Safety for Middle and High School

Everyone s online, but not everyone s secure. It s up to you to make sure that your family is.

THE PROTECTION OF CHILDREN FROM SEXUAL EXPLOITATION IN TOURISM:

Hint: Best actions: Find out more in videos and FAQ: Hint: Best actions: Find out more in videos and FAQ:

How to Identify Phishing s

CYBERSECURITY INESTIGATION AND ANALYSIS

Commercial Sexual Exploitation of Children Online A Strategic Assessment

Basic Security Considerations for and Web Browsing

DATA SHEET. What Darktrace Finds

1 Classified Script. User Guide v1.0

Kentico CMS security facts

E-Safety Issues and Online Safety. Parents Evening

Welcome to the MGA Individual Awards Nomination portal

Scams and Schemes. objectives. Essential Question: What is identity theft, and how can you protect yourself from it? Learning Overview and Objectives

Brock University Content Management System Training Guide

ACCEPTABLE USE AND TAKEDOWN POLICY

14 months on: A combined report from the European Financial Coalition

Guideline on Windows 7 Parental Controls

Cyber Security. Securing Your Mobile and Online Banking Transactions

By Augusta Epuli Anjoh April 2013 Cyber security forum 2013

Malware & Botnets. Botnets

What is FTH 2.0? replacement for

E-Safety Issues and Online Safety

Protecting your business from fraud

Fraud and Abuse Policy

Learn to protect yourself from Identity Theft. First National Bank can help.

E-Safety Issues and Online Safety

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

CEOP Relationship Management Strategy

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

PORTAL ADMINISTRATION

2/24/2010 ClassApps.com

Overview. Common Internet Threats. Spear Phishing / Whaling. Phishing Sites. Virus: Pentagon Attack. Viruses & Worms

Create a Simple Website. Intel Easy Steps Intel Corporation All rights reserved.

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Strategic Priorities for the Cooperation against Cybercrime in the Eastern Partnership Region

ICMA Private Wealth Management Charter of Quality

A clean and open Internet: Public consultation on procedures for notifying and acting on illegal content hosted by online intermediaries

CMP3002 Advanced Web Technology

'Namgis First Nation. 1.0 Overview. 2.0 Purpose. 3.0 Scope. 4.0 Policy

Portal Recipient Guide

1. Any requesting personal information, or asking you to verify an account, is usually a scam... even if it looks authentic.

Acceptable Use Policy

DESIGN A WEB SITE USING PUBLISHER Before you begin, plan your Web site

WEB ATTACKS AND COUNTERMEASURES

Laundering Money Online: a review of cybercriminals methods. Executive Summary

Creating Surveys Using SurveyMonkey

STATEMENT OF MYTHILI RAMAN ACTING ASSISTANT ATTORNEY GENERAL CRIMINAL DIVISION U.S. DEPARTMENT OF JUSTICE BEFORE THE

INTRODUCTION DEVELOPMENT AND PHENOMENA

So why is the head of a federal agency with jurisdiction over customs, immigration, and border crimes appearing at a

Your WildBlue Subscriber Portal: A User Guide

Design and print sponsored by

National Cyber Crime Unit

Bad Ads Spotlight: Ad Cloaking Abuses. May TrustInAds.org. Keeping people safe from bad online ads

Cyber Crime ACC Crime

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

Department of Justice and Equality. Request for Tenders (RFT) for an Evaluation of the REACH Project. Closing Date: 12 noon on 9 December 2014

The Digital Divide: How the Online Behavior of Teens is Getting Past Parents

The Underground Economy of the Pay-Per-Install (PPI) Business

Sarah Smythe Youth Community Developer Western Ottawa Community Resource Centre. Genevieve Hupe School Resource Officer Ottawa Police Service

SCHOOL ONLINE SAFETY SELF REVIEW TOOL

Reseller Panel Step-by-Step Guide

Rensselaer Union Club Webhosting CPanel Guide

Transcription:

Internet Watch Foundation Briefing Paper Preliminary Analysis of New Commercial CSAM Website Accepting Payment by Bitcoin Created January 2014 Author Created for Sarah Smith (Technical Researcher, IWF) Fred Langford (Director of Global Operations), SMT, Board Page 1 of 8

CONTENTS EXECUTIVE SUMMARY... 3 THE SPAM EMAIL... 4 THE REDIRECTOR HACKED SITES... 4 THE CSAM HACKED SITES... 4 THE COMMERCIAL CSAM WEBSITE... 5 PAYMENT... 5 CONCLUSIONS / RECOMMENDATIONS... 6 APPENDIX 1 - Sample Spam Email Texts... 7 GLOSSARY... 8 Page 2 of 8

EXECUTIVE SUMMARY Since June 2013, IWF has observed a rise in the number of reports relating to child sexual abuse material (CSAM) appearing in discrete orphan folders on hacked websites. This method of distributing content had not been seen in widespread use since approx. 2010, when the use of free-hosting file stores and image hosting websites (aka cyberlockers) became the more commonly encountered method of hosting large volumes of images which are then hotlinked into numerous third party sites. However, the relatively recent emergence of Hacking as a Service ( HaaS ), commonly used by distributors of phishing scams and malware, may be an influence on the re-emergence in distributing child sexual abuse content via hacked sites. On 23 rd January 2014, a report was received of a URL relating to a webpage on a hacked website. When the URL was accessed, the webpage automatically redirected to a commercial child sexual abuse website located in a folder on a further hacked website. Intelligence provided by reporters shows that the URLs which redirect to the commercial CSAM website are being circulated via spam emails. Commercial child sexual abuse websites are tracked by IWF as part of the Website Brands Project. Since 2009, IWF has identified 1,609 individual Website Brands, which are then further analysed and grouped together based on a variety of criteria including registrant information, common payment mechanisms, hosting patterns and look and feel of the webpage. IWF research into Website Brands indicates that there are approximately 10 top level distributors responsible for the distribution of all of these websites. This commercial CSAM distributor is therefore of particular interest for the following reasons:- The re-emergence of hacked websites as a method for distributing commercial CSAM websites. The commercial child sexual abuse website identified in January 2014 is a Brand which has not previously been observed by IWF. Additionally, the website gives no preliminary indicators to link the site with any of the previously identified top level distributors of commercial CSAM. The format, layout and look and feel of the commercial website is one which has not been commonly in circulation since approx. 2010 The commercial CSAM website is unique amongst the commercial CSAM websites identified by IWF in that it purports to accept payment only in bitcoins. This paper provides a preliminary analysis of this emergent trend including dissemination method, distribution method and payment mechanisms. Page 3 of 8

THE SPAM EMAIL Reporters comments to IWF state that the URLs of the hacked sites which redirect to the commercial CSAM website were received by them via spam email. Some reporters have also provided a copy of the email text and email headers. In accordance with data protection legislation, permission will be sought from the reporters to pass their details together with this information to law enforcement for further investigation as they deem appropriate. The current known texts of the email body appear below at Appendix 1. THE REDIRECTOR HACKED SITES The redirector websites have been hacked with a single.html webpage with an apparently automatically generated name consisting of 7 random characters. An analysis of the page source (screenshot below) shows that it contains only the instructions required to instantly redirect the user to a third party site hacked with the commercial CSAM website. The only difference between the code on each of the redirector sites is the URL to which the user is redirected. This is a current and emerging trend. As at time of writing on 24 th January, only one day after receiving the initial report, IWF has received reports relating to 6 separate hacked sites redirecting users to third party sites hacked with the newly identified commercial CSAM template. These sites are diverse in content and hosting location (North American and EU countries) and there is no preliminary indication that the operators of the sites are aware of the abuse of their websites to redirect to this content. The websites are those of small businesses and voluntary organisations and the most likely explanation for these sites being hacked is that they have poor website security and are therefore vulnerable to compromise. THE CSAM HACKED SITES As with the redirector hacked sites, the websites which have been hacked with the commercial CSAM website are diverse in content and hosting location (North American / EU) Page 4 of 8

and are those of small businesses or private individuals. Similarly, no preliminary indications that these sites are complicit in the distribution of this content have been found. As mentioned above in relation to the redirector hacked sites, the most likely reason for these sites having been compromised is poor website security. As is widely known, a number of tools currently exist in the underground market service which, for a fee, automate the process of hacking websites for use in the distribution of criminal material (see for example http://www.webroot.com/blog/2013/07/31/diy-commercially-availableautomatic-web-site-hacking-as-a-service-spotted-in-the-wild/). THE COMMERCIAL CSAM WEBSITE The commercial CSAM website is previously unknown to IWF. The website differs from other commercial CSAM templates recently observed on hacked websites, which consist of a single page of CSAM images and contain malware downloads. The CSAM website consists of 9 pages all contained within a single folder a front page followed by 6 preview pages containing images of known victims and a join page. The join page indicates that payment for membership of the site can be made only in bitcoins. The format and production quality of this website is consistent with the type of commercial CSAM websites historically observed but which have not been commonly seen since approx. 2010. To date IWF have identified 5 websites which have been hacked with this commercial CSAM website. PAYMENT This commercial website brand is unique in that it is the first which IWF has encountered on the public web which purports to accept payment only in bitcoins. This is significant as while to date this payment mechanism has not been associated with payment for CSAM within the European Union it evidences concerns long held by law enforcement and experts in the field of online child sexual exploitation that this payment mechanism would become subject to abuse (see http://www.europeanfinancialcoalition.eu/private10/images/document/5.pdf) Bitcoin is a borderless peer-to-peer cryptocurrency first introduced in 2009. Bitcoin has been widely criticised due to the perception that it is an anonymous payment method and because of its apparent association with illicit activity. Bitcoins were for example used to make payment on the notorious Silk Road online black market located within the Tor network. However, like any form of payment mechanism it is open to abuse by those with criminal intent and while providing a certain degree of anonymity (by identifying those receiving Page 5 of 8

payment by a Bitcoin address rather than an individual name), it is possible to track the flow of bitcoins to find clues to the identity of the owner. A detailed examination of the operation of Bitcoin is beyond the scope of this paper but further information is available at www.bitcoin.org. CONCLUSIONS / RECOMMENDATIONS The offering of payment in bitcoins by this previously unobserved top level commercial distributor is a newly identified, emergent trend and at time of writing the volume of reports is relatively small. As such, at this stage it is only possible to undertake a preliminary analysis. IWF will continue to monitor the trend for any increase and perform further research to identify possible links with known top level commercial CSAM brands in order to provide information to law enforcement partners and aid in the disruption of CSAM distribution. It is also recommended that this paper be circulated to stakeholders including law enforcement, sister Hotlines and payment providers to raise awareness and enable them to undertake further investigations and formulate procedures for tackling this emerging issue. Page 6 of 8

APPENDIX 1 Sample Spam Email Texts ------------------------------------------------------- Young Models Pics Junior Nude Pics http://xxxxxxxxx.com/xxxxxx.html [URL REDACTED] The next day, all of the grandkids were allowed to go up to see him elan boat model and say our goodbyes. I eyes were more adjusted to the dark, but there was still no sign of which way he went. She stayed in bed most of the time, too scared to venture out into this utterly foreign land. These chicks are dressed in their sexy underware for some cookie licking and fingering. Teen, Movies, Free sex movies, Young teen hardcore www. ------------------------------------------------------ Free Nonude Junior Models Preteen Nonude http://xxxxxxxxxxxxxxxxxxxxx.org/jxhodkr.html For some reasons beyond me, people don't vlad model anya like me' he said. Free Pics and Video Clips Very Cute Preteen Models, Free Picks Of Models 12-17 Y. Wide varieties of shrimps are produced on these farms and most of them are located in Asia. Menchville is a Hell hole! On that ban, when I would try to post it would tell me I was banned, but the reason given was blank. Skinny Girls Nude 62. Other classic feminine names with boyish nicknames that come to mind: Georgiana (Georgie), Josephine (Joey), Martha or Martina (Marty), and of course Samantha (Sam) and Alexandra (Alex). Baron explores the paradox of women's exclusion from political rights at the very moment when visual and metaphorical representations of Egypt as a woman were becoming widespread and real women activists--both secularist and Islamist--were participating more actively in public life than ever before. Page 7 of 8

GLOSSARY Cryptocurrency - A digital or virtual currency using cryptography for security. A defining feature of a cryptocurrency is that it is not issued by any central authority, rendering it theoretically immune to government interference or manipulation. The quasi-anonymous nature of cryptocurrency transactions makes them well-suited for a host of nefarious activities such as money laundering and tax evasion. Cyberlocker A third party website to which users can easily upload content such as webpages, images, data files or videos enabling others to view or download that content. Also known as one click hosting as the content can often be uploaded/downloaded in one click. Hotlinking Displaying an image or video on a website by linking to the same image or video on another website rather than saving a copy of the image or video on the website on which it will be shown. Orphan Folder A folder on a website which is not hyper-linked to from anywhere within the parent website. Page 8 of 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information