Laura Post's presentation on cyber crime at MotherG's 2015 Family Reunion Event

2. Agenda
• USSS Dual Mission – Protection/Investigation
• USSS Resources and Assets to Combat Cyber Crime
• Current Trends in Cyber Crime
– Skimming Technology
– Network Intrusions
– Point of Sale
– Targeted Malware
– Data Breaches
• Network Intrusion Case Study

3. Dual Mission - Protection
•President
•Vice-President
•Former Presidents
•Foreign Heads of State
•Major Candidates
•Others as designated

4. Dual Mission - Investigative
•Counterfeit
Currency
Treasury Obligations
•Financial Crimes
Identity Crime
Check Fraud
Access Device Fraud
Bank Fraud
•Electronic Crimes
Computer Crimes
Network Intrusions
Internet Fraud

5.  1865 - U.S. Secret Service created to fight counterfeit currency
 1901 - Assigned Presidential Protection Duties
 1948 - Title 18 USC Section 470-474 (Counterfeiting and Forgery)
 1984 - Title 18 USC Section 1029 (Access Device Fraud)
 1986 - Title 18 USC Section 1030 (Computer Fraud)
 1990 - Title 18 USC Section 1344 (Bank Fraud)
 1996 - Title 18 USC Section 514 (Fictitious Obligations)
 1998 - Title 18 USC Section 1028 (Identity Theft)
 2001 - PATRIOT Act (Expanded Cyber Crime Responsibilities)
 2004 – Title 18 USC Section 1028A (Aggravated Identity Theft)
Jurisdictional History

6. 6
Cyber Safety
• Social Engineering
• Social Networking Vulnerabilities

7. • The act of manipulating people into performing actions
or divulging confidential information for the purpose of
information gathering, fraud, or computer system
access.
Social Engineering

8. 8
Types of Social Engineering skills
Following are the few skills to exploit users to get access to your system.
-Impersonating staff
-Playing on users' sympathy
-Intimidation tactics
-Hoaxing
-Creating confusion
-Dumpster diving
-Reverse social engineering
-Mail
-Phishing
-Spearphising
-A phishing technique that has received
substantial publicity of late is “vishing,” or voice phishing

9. 9
So what do they look like?

10. 10
The link sends you to….

11. Social Engineering Ammo

12. Anything and Everything is Exploitable
on your computer
• Finances
• Pictures of your family
• Personal letters /
correspondence
• Personal & Business Address
Book - contacts (their title,
their address, contact
numbers, emails, personal
info)
• Calendar / Itinerary
• Vacation Logistics, Etc.

13. 13
Location-based Social Networking
• Location-based social networking is quickly
growing in popularity. A variety of
applications are capitalizing on users’ desire
to broadcast their geographic location.
• Most location-based social networking
applications focus on “checking in” at various
locations to earn points, badges, discounts
and other geo-related awards.
• The increased popularity of these
applications is changing the way we as a
digital culture view security and privacy on
an individual level.

14. o Skimming Technology
o Network Intrusions
o Point of Sale Breaches
o Malware
o Data Breaches
Current Trends in Cyber
Crime

15. Skimming Technology

16.  The equipment is available over the Internet.
 The software and hardware are very user friendly and extremely
mobile
 The skimmed information can be transmitted via e-mail anywhere
in the world within hours after it is skimmed
 Cardholders are not aware that they have been victimized until
they receive statements showing the fraudulent charges
Why is Skimming Popular?

17. • Common Skimming Locations
– Restaurants
– Hotels
– Gas Stations (affixed to pumps)
– ATMs (affixed to machine)
• Why are these locations so popular?
– Heavy customer volume
– Credit card is common payment method
– Multiple employees (difficult to identify suspect)
– Employee turnover (co-conspirators easy to recruit / emplace)
– Covertly placed (gas pumps and ATMs)
Skimming Locations

18. Wireless Skimming
 The advent of wireless technology has led to passive wireless
skimming, where perpetrators plant skimming devices that broadcast
account information wirelessly in gas pumps, ATMs, and point of sale
terminals.
 These devices minimize physical interaction with the skimming
device, increasing the odds that the skimmer will operate undetected.
 Even if a wireless skimmer is found, it can be difficult to identify its
owners.
FEATURES
- Wireless access to stored data on all
devices in range
- Remote configuration of reader devices
- Manage multiple devices
- Hardware password protection

19. Handheld Skimming Devices

20. Gas Pump Skimming
Skimming Device

21. PIN hole camera
assembly mount
placed above key pad
to capture PINs
ATM Skimming

22. PIN hole camera
assembly mount
placed above key pad
to capture PINs
Mounted over original
ATM card reader
ATM Skimming

23. NEW SKIMMING TECHNIQUES
• Works Around Anti-Skimming Faceplate on
newer ATMS
• Uses more technologically advanced
methods
• Relies on having access to HDD of ATM

25. POINT OF SALE (POS)
BREACHES

26. POINT-OF-SALE (POS)
SKIMMING
PCI
Compliance
Computer
Security=

27. Point-of-sale Skimming Devices
Point-of-sale terminal Altered with skimming electronics

28. Yellow and green
parasite board. The
yellow board is a
Bluetooth card and
the green board is
the storage board.
Point-of-sale Skimming Devices

29. Network Intrusions
• Breaches stem from hackers wanting two things:
Information Access

30. Anatomy of a Hack
30

31. Point of Sale (POS) System
Port 5631
Port 3389
Ports 5800 & 5900

32. 32

33. Hackers use weaknesses in Remote
Desktop Program configurations to gain
access!!!!
POS
BOH
SERVER
UltraVNC

34. Remote Application Vulnerabilities
• Help desk teams love remote-control software because it allows them to:
-Remotely take control of the user's machine
-Copy over files
-Set all application and operating system wrongs to right.
• Attackers love the software too, because it allows them to:
-Avoid sneaking complex Trojan malware onto a targeted PC
-They use previously installed remote control software to do the heavy
lifting for them
-Run attacks from memory, thus making the exploits more difficult to
detect, trace or investigate.
Mathew J. Schwartz, Unpatched Remote Access Tools: Your Gift To Attackers,
http://www.informationweek.com/security/vulnerabilities/unpatched-remote-access-tools-your-gift/240151523

35. POINT-OF-SALE (POS) Breaches
Problems we have seen with RDP
configurations on POS Servers:
 Weak or no password protection
 Connection remains open all of the time
 Multiple RDPs installed on the Server (sometimes the hacker
installs their own after gaining access)
 No firewall or firewall not configured correctly

36. POINT OF SALE (POS) SYSTEM CONFIGURATION
Front of House Server
Front of House Server
Front of House Server
Switch
I
N
T
E
R
N
E
T
Back of House Server Cable/DSL Router
KEYSTROKE LOGGER
NETWORK
SNIFFER
MEMORY
DUMPER

37. Breach Detection
• 71% of victims did not detect a breach themselve
----------------------------------------------------------------
• 58% Regulatory, card brands, merchant banks
• 29% Self-Detection
• 7% Other 3rd Party
• 3% Public Detection
• 3% Law Enforcement
37

38. Median number of days from initial intrusion
to detection was….
38
87 days
Median number of days from detection to
containment was…
7 days

39. Common Breach Scenario
InfiltrationAggregationExfiltration
1. POS system is located and attacker enters POS system via
pcAnywhere using default-vendor supplied credentials.
− Username: admin
− Password: password
2. Memory dumper malware is installed on the POS system.
Once installed, track data is captured from RAM and written
to an encrypted output file.
− C:WINDOWSsystem32ccdata.txt
3. Attacker returns periodically via pcAnywhere and uploads output
file (ccdata.txt) containing encrypted track data.
- Automatic uploads, emails the data, FTP’s the data.

40.  Malware captures track data from credit/debit cards.
 Stolen credit/debit card information sent to hacker.
 Hacker sells this information online (card dumps).
POINT-OF-SALE (POS) Breaches
 Criminals around the world purchase these card
dumps over the internet to resell them or use the
compromised account numbers.

41. 41
What can you do?
• Use updated virus protection software.
• Weary of emails from strangers, especially downloads or hyperlinks.
(Educate your Employees/Family)
• Firewall protection is essential for high-speed connections that leave
your system connected to the internet.
• Secure browsers enable you to encrypt info that you send.
• Resist using automatic log-in features.
• Change your passwords frequently / Use Complex Passwords
(uppercase / lowercase / number / special character)
• Check for open ports by scanning your public facing IP address (nmap)

42. Incident Response
• Don’t ask “IF” ask “WHEN”
• Have a plan: Know who to involve & call in your initial
responders before it happens:
– Have a central point of contact that has authority to act
• Legal counsel, human resources personnel, corporate security,
IT security
– Establish a smooth flow of communications amongst the
different parties involved
We have learned that cyber crime
investigations must be conducted
quickly. If evidence is not captured
quickly it could be lost and the link to
the suspect can be broken

43. RESOURCES
• FS-ISAC= Financial Services and Analysis
Center
• NCCIC- National Cybersecurity &
Communications Integration Center
• US-CERT= US Computer Emergency
Readiness Team
• Verizon Data Breach Investigations Report
• www.databreachtoday.com
• Trustwave Global Security Report

44. Targeted Malware

45. 45
• Malware collects on-line credentials:
– Usually infects machines using a targeted phishing (spearphishing)
attack.
– E-mails are targeted to users suspected to have access to corporate
bank accounts.
– Some variants can spread to other computers on the network.
• Banking credentials used to generate ACH transfers:
– Transfers to money mules, recruited from on-line job hunting websites.
– Mules sign up for a “work from home” program.
– Mules receive ACH transfers into personal bank accounts, and then
send money overseas by wire or Western Union.
Targeted Malware

46. • Still one of the most widely investigated malware programs by law
enforcement agencies.
– Serving as the model for newer toolkits.
• First detected in early 2007.
• Builder toolkit sold for between $700 - $4,000 on underground forums,
depending on version.
– Older versions usually released for free to the public as advertising for
new versions.
• Modified older versions also sold.
• Capabilities:
– Accessed saved passwords in web browsers.
– Keystroke logging.
– Screenshots (to defeat anti-keystroke logging sites).
– Modification of web sites (can ask for additional information on a bank
login site, such as PIN).
– Installation of additional software.
– Proxy service.
ZeuS

47. 47
• ZeuS is designed to steal more than just
financial data:

48. 48
• Replacing ZeuS as the preferred crimeware toolkit over
the past year.
– ZeuS author turned over code to the author of SpyEye
trojan.
– New ZeuS variants still being developed for VIP
customers.
• Similar in form & function to ZeuS.
• Features:
– Keylogger
– E-mail grabber
– HTTP authentication grabber
– ZeuS-killer module
SpyEye

49. 49
SpyEye
 Gribodemon, creator of SpyEye was interviewed by Malware
Intelligence.
 Claims to make approximately $50 Million per year.
 Sells ONLY SpyEye toolkit.
 Spends 12-13 hours per day coding malware.
 Believes that future versions will include a feature to remove
anti-virus from victim’s computer.
 Does NOT CARE about the financial loss his software causes.
Believes that banks suffer most of the loss.
 Recent trends have seen versions of ZeuS-style
malware written for mobile platforms.

50. Data Breaches

51. DATA BREACH 101
• Recognize when ILLICIT events occur
– At the height of “NOISE”
DROP FILES, EXECUTION OF CODE, DATA HARVESTING
• Identify the problem and level of intrusion
PYRAMID OF ATTACKS – virus to root intrusions
• Know your “Back to Business” ETA
• Mitigation Plan should include a decision maker
not just information gatherers – key to keep
decision makers informed.
• Measure, Improve, Measure again

52. DATA BREACH 101
• How do breaches occur?
– 3rd Party Access (contractor) to systems connected to
servers
– Compromised VPN (ability to login from home)
– Sniffing/Open Ports
– Phishing/Spoof emails targeted to employees (social media
sources)
– Physical Devices (Fake POS terminals with malware injected
onto network)
• Where is your evidence? (local devices, network logs, mobile
devices) -What are your BYOD policies?
-How long do you maintain network logs or back ups?
-Do you maintain a topology of your network?

53. DATA BREACH CASE STUDY
Health System Company
Intrusion Detection System was installed; within days alerted for unencrypted
PII/PHI as outbound TCP/IP traffic to port 80
• Further analysis (IT) of their network logs showed traffic from 2 internal IP
addresses (locations within their network)
• Application (internet) and System logs from these computers were
forensically examined and cross referenced with date/time/location found
the same Security Identifier (SID) was logged in to each location at the time
of the traffic
• IT intelligence confirmed SID assigned to employee
• Employee timesheets showed he was working at the time of the traffic
transmissions
• Notified LEO IMMEDIATELY and continued to monitor SID traffic with
increased level of granularity – captured larger data –including email
addresses of employee and intended recipient(s).
• Investigation revealed employee was selling PII and PHI for profit.

54. • Many Cybercriminals are motivated by financial gain.
• Cybercriminals have the technical ability to severely
damage cyber infrastructure and should not be
dismissed since they do not work for sponsored
organizations.
• Cybercrime can be committed by subjects with varying
degrees of technical capabilities.
• Cybercriminals generally target opportunistically.
• Cyber criminals often specialize in a few areas requiring
them to work with others.
Who are Cybercriminals?

55. Cybercriminal Networks
• Some online criminal networks are highly organized
– Eastern Europe, especially with more than a decade of continued
development and growth
– Certain individuals heading online criminal organizations approaching 15 years
experience and growth
– Wide-ranging ties to real-world financial systems as well as government
structures
• Some online criminal organizations are very sophisticated
– Fielding malware ecosystems on a very high level; some malware systems
survive and even thrive for years (Zeus/SpyEye)
– Repeated successful attacks against financial encryption systems
– No network or institution invulnerable to intrusion from dedicated and
motivated adversary (study of risk/reward)
55

56. Case Study
56

57. How Investigations Start
• Contacted by victim
• Industry tip to USSS
• “Common Point of Purchase” analysis
• Multiple compromised accounts
• Unauthorized purchases at common merchant

58. Special Challenges with Corporate
Data Breach Victims
The problems:
• Need investigative
assistance from victim
– USSS can’t do corporate
“deep dive” forensics
• Victim has incentive not
to investigate
– Civil liability
– Bad press
– Remediation costs
The solutions:
• Recommend hiring
reputable forensics firm
• Recommend hiring
privacy counsel
• Assure confidentiality
– Not named in indictment or
plea
– Not named in press by
USSS
• Consider issuing delayed
notification letter

59. POS-Hacking Scheme
POS system
KSL
Hacked
business
servers
1. Crack admin password & install
keystroke logger on merchant’s POS
2. Log & upload card data to “dump
sites” for temporary storage
4. Encode data onto blank cards for
use in stores, ATMs, casinos
3. Retrieve & sell card data on
black market
Dirty
servers
Legit
servers
Via FTP

60. Summary of Data Breach
60
• 250 Branches
• 800 Other Merchants
• 5 Million Cardholders
• $50 Million Unauthorized Charges

61. Step 1: Investigate Hacked POS
• Network sniffer/image HD and
capture RAM
• Forensics
– Off-the-rack KSL
– Stored card data
– Hard-coded “dump sites”
– Signatures
• File structure & naming
• PWs & usernames (Romanian)
• Matched other POS hacks
• Logs
– ftp “dump site” IPs

62. Step 2: Investigate “Dump Sites”
• Search warrants
– Stored card data
• Business confirmed
– Stored hacker tools
• Pen/trap orders
– Romanian & proxy IPs
– Hacked server IP
– New victim IPs (notify)

63. Step 3: Investigate Hacked Server
• Forensics
– Stored card data
– Stored hacker tools
• Sniffer/full PCAP
– Proxy to access e-mail & chat
accounts
– “dump site” IP
– New victim IPs
• Hiccups: partial encryption,
victim’s substitute server

64. Step 4: Investigate E-Mail/Chat Accounts
• Search warrants
– Stored data on “notepad”
– Transferred stolen card data
• Victim confirmed
– Transferred PWs & tools
– Chat wedding & arrest
– E-mail from hacker acct to
personal account
• Logs show hacker acct = own
personal acct
• Date/time stamp same

65. Cyclical investigative steps
• Dump site logs identify new
victims
• New victim logs identify
new dump sites
• E-mail identifies new targets
• New target’s e-mail
identifies defendants
Hacked
Hacked

66. Step 5: Open-Source Investigation
• Facebook
– “Friends” w/ other targets
– Wedding photo of target
– Gambling interest
• Online auctions
– Mag stripe reader
• Linked-in
– Classmates w/other target

67. Recap of Investigative Steps
What we investigated:
• Step 1: Hacked POS
• Step 2: “Dump sites”
• Step 3: Hacked server
• Step 4: E-mail and chat
accounts
Legal process we used:
• Victim consent
• Search Warrant
• Consent
• Search Warrant

68. Step 6: Finding the Targets
Target A e-mails self
(with .exe & ccs)
from hacker account
to personal acct
Target B chats
about own recent
wedding and prior
arrest
Target A posts
Target B
wedding
photo
++
Three hacker slip-ups

69. Closing in on Target A
– E-mail order for Viagra
• Target A’s name & home address
– E-mail to Target A’s work e-mail
address
– Target A’s FB page
• Gives actual name
• Identified personal e-mail account
• Target B’s wedding photo

70. Closing in on Target B
– Target B chats about his wedding and arrest
• Target A‘s FB post with wedding photo and Target B as
groom
– Romanian LE assistance
• check arrest records in carding cases for Target B
– Has prior arrest
• recognize FB photo as Target B
– Target B’s wife
• Facebook, linked in

71. Post-Script
• Lured Target A lured to U.S.
– Lures require DOJ/OIA approval.
• Full confessions upon arrest
• Target B extradited from Romania
• Target A received a 7.5 year sentence
• Target B was sentenced to 15 year sentence