Phishing the Long Line: Transnational Cybercrime From Eastern
Transcription
Phishing the Long Line: Transnational Cybercrime From Eastern
PHISHING THE LONG LINE: TRANSNATIONAL CYBERCRIME FROM EASTERN EUROPE TO AUSTRALIA Stephen James McCombie B.A. Macq., GDipComp Deakin, MInfoTech Deakin Ph.D. Thesis, June 2011 2 PHISHING THE LONG LINE: TRANSNATIONAL CYBERCRIME FROM EASTERN EUROPE TO AUSTRALIA Thesis submitted for the degree of Doctor of Philosophy in the Department of Computing, Faculty of Science, Macquarie University By Stephen James McCombie B.A. Macq., GDipComp Deakin, MInfoTech Deakin, June 2011 3 TABLE OF CONTENTS List of Figures List of Tables Abstract Declaration Certificate of Originality Acknowledgements CHAPTER ONE: INTRODUCTION AND BACKGROUND 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 Thesis Aims and Scope Thesis Structure Background: Historical Background: Political Background: Technical Background: Legal Significance of the Problem Overview of Problem Cybercrime outside of Eastern Europe Literature Review Conclusion CHAPTER TWO: PHISHING, INTERNET MONEY MULES AND RELATED CYBERCRIME 2.1 2.2 2.3 2.4 2.5 2.6 Introduction Anatomy of Internet Bank Phishing Evolution of Internet Money Mules Profile of Internet Money Mules Analysis of Money Flows Conclusion Aston, M., S. McCombie, et al. (2009). A Preliminary Profiling of Internet Money Mules: An Australian Perspective. Proceedings of the 2009 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, IEEE Computer Society: 482-487. CHAPTER THREE: CASE STUDIES AND ETHNOGRAPHIC FEATURES OF EASTERN EUROPEAN CYBERCRIME 3.1 3.2 3.3 3.4 3.5 Introduction Genesis of Phishing Attacks on Internet Banks Alex Mozhey Update Advantageous Environment for Cybercrime Russia in Profile 4 3.6 3.7 Ukraine in Profile Conclusion McCombie, S. (2008). Trouble in Florida: The Genesis of Phishing attacks on Australian Banks. 6th Australian Digital Forensics Conference. Perth. McCombie, S., J. Pieprzyk, et al. (2009). Cybercrime Attribution: An Eastern European Case Study. 7th Australian Digital Forensics Conference. Perth. CHAPTER FOUR: THE CYBERCRIME MARKETPLACE 4.1 4.2 4.3 4.4 4.5 4.6 Introduction The Evolution of the Cybercrime Marketplace Scope and Products Commoditisation of Credentials Analysis Conclusion Watters, P. A. and S. McCombie (2011). "A methodology for analyzing the credential marketplace." Journal of Money Laundering Control 14(1): 32-43. CHAPTER FIVE: FORENSIC ANALYSIS OF PHISHING ARTEFACTS FOR FEATURES OF EASTERN EUROPE 5.1 5.2 5.3 5.4 5.5 5.6 Introduction Methodology Phishing Artefacts Useful in Grouping Ethnographic Features Temporal Analysis of Attacks Conclusion McCombie, S., P. Watters, et al. (2008). Forensic Characteristics of Phishing - Petty Theft or Organized Crime? Fourth International Conference on Web Information Systems and Technologies. Funchal, Madeira, Portugal. 1: pp149-157. CHAPTER SIX: SYNTHESIS: WINNING THE WAR ON PHISHING 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 Introduction The Limitation of Technical Solutions: The Latest Zeus Example (Zitmo) A Theory of Cybercrime Operations Eastern Europe the Engine of Cyber Warfare? The Scale of the Involvement in Phishing and Related Cybercrime in Australia by Eastern European Cybercrime Groups The Weaknesses that Allow Phishing and Related Cybercrime by these Groups to Occur The Background and Modus Operandi of EECGs Future Research Conclusion McCombie, S. and J. Pieprzyk (2010). “Winning the Phishing War: A Strategy for Australia”. Second Cybercrime and Trustworthy Computing Workshop, University of Ballarat. REFERENCES 5 LIST OF FIGURES Figure 1.1: Western Union agency in St Petersburg 2008 Figure 1.2: Commonwealth Bank’s original non-transactional Internet website in the mid 1990s Figure 1.3: Externality mechanisms and feedback systems producing increasing return in cybercrime related activities Figure 1.4: Causal model showing cyber criminal underground economy Figure 2.1: Heat map of blocked Internet transactions from Australia by Country Figure 2.2: Mule Recruitment Figure 2.3: Percentage break down of males and females by age groups from ABS statistics on Internet users compared to Internet Money Mules Figure 2.4: Heat map of blocked Internet Transactions by Country in Europe Figure 2.5: Pie Chart of blocked Internet transactions by Country Figure 2.6: Ethnic Russians in other parts of the Former Soviet Union Figure 2.7: Pie Chart of blocked Internet transactions by City Figure 2.8: St Petersburg, the North East Criminal Hub Figure 3.1: Western Union Russian website 2010 Figure 3.2: Relationship Diagram for Phishing Incidents December 2002 to July 2003 Figure 3.3: LinkedIn Profile of Alex Mozhey 2008 and 2011 Figure 3.4: Internet Users per 100 inhabitants 2010 Figure 3.5: ICT Price Basket across Regions Figure 4.1: Mazafaka Carders Forum Figure 4.2: Transcript of “CC_Power” IRC Channel, on 16 June 2009 Figure 5.1: Grouping Features in Phishing Email Header including +0300 and Windows-1251 Figure 5.2: Email from Group 3 with grouping attributes highlighted Figure 5.3: Email from Group 1 with grouping attributes highlighted Figure 5.4: Windows Character sets from Nazario Phishing corpus 2 & 3 Figure 5.5: Windows Character Set 1251 Figure 5.6: Header from Phishing email on Bank of America 14 May 2003 6 Figure 5.7: Header from Phishing email on Westpac 4 July 2003 Figure 5.8: Time zones of the World Figure 5.9: Selection from Phishing email for Commonwealth Bank 17 March 2003 showing +0300 time zone Figure 5.10: Timing of 63 Attacks in July 2006 by AEST where available Figure 6.1: “We are automating the payment system” Russia cyber gang promotional material Figure 6.2: Zeus html frame inserted into Internet banking session to identify type of phone and phone number Figure 6.3: Zeus SMS with link to Nokia Phone compromise code Figure 6.4: Theory of Cybercrime Operations 7 LIST OF TABLES Table 2.1: Blocked Internet Transactions by Country Table 2.2: Blocked Internet Transactions by City Table 3.1: Gross Enrolment Ratio (GER %) for tertiary education Table 3.2: 2007 Graduates in Science by Country >10,000 Table 3.3: 2007 Graduates in engineering, manufacturing and construction by Country >10,000 Table 3.4: Corruption Perception Index (CPI) for countries 2.4 or lower Table 3.5: Percentage of users of services reporting they paid a bribe to receive attention from at last one of nine different service providers in the past 12 months Table 3.6: Countries of the former Soviet Union estimated Internet users per 100 inhabitants 20002009 Table 3.7: Responses to question, in the past 3 years, how has the level of corruption in this country changed Countries for the for selected countries of the former Soviet Union Table 3.8: Responses to question, how would you assess your current government's efforts to fight corruption Countries for selected countries of the former Soviet Union Table 4.1: Goods and services offered for sale on an underground economy IRC market Table 5.1: Features of Group 1 Table 5.2: Features of Group 3 Table 5.3: Features of Group 4 8 Phishing the Long Line: Transnational Cybercrime from Eastern Europe to Australia. Abstract The purpose of this research is to examine the involvement of Eastern European cybercrime groups (EECGs) in phishing and related cybercrime impacting Australia. Then, given those findings, explore what can be done to reduce the problem. Research focuses on the Australian experience but in the context of what is a global problem. This thesis is organised into six chapters. The first chapter sets out the aims and scope of the study, and the structure of the thesis. It explains the background to the problem from a historical, political, technical and legal perspective. It also reviews the Phishing literature. In the second chapter, the money laundering aspects of this crime are examined. To recover the proceeds of the fraudulent transactions the attacker must direct the funds firstly to an Internet money mule within Australia. The Internet money mule is then directed to wire the money overseas using a service such as Western Union. The demographic profile of Internet money mules that are used for this activity is explored through the examination of archival data. The data was obtained from one Australian financial institution and related to 660 Internet money mule incidents during 2007. Additionally, data was also obtained from the High Tech Crime Operations section of the Australian Federal Police detailing the laundering of proceeds of Phishing in Australia to overseas locations for the period from September 2004 to October 2010. It shows a significant majority of those transactions were directed to Russia and other states of the former Soviet Union. In the third chapter, an ethnographic study of EECGs is conducted including a major case study of the first Internet Bank phishing attacks in Australia in 2003. This identified a number of Ukrainians who were instrumental in these early attacks and their methodology. These attacks were the first of their kind globally. The chapter also examines why these countries have an environment which favours this activity. In the fourth chapter, the cybercrime marketplace, which supports phishing and related cybercrime by providing a market for the various tools needed for phishing and the proceeds of that cybercrime, is examined to further explore the modus operandi of these groups. From analysis of data from two Internet Relay Chat (IRC) channels used for this trade an initial methodology for further understanding of how compromised credentials are traded in online marketplaces is developed In the fifth chapter, phishing artefacts are examined to establish links between attacks and any featurs, which might indicate the source is Eastern Europe. This research looked at data available from one Australian financial institution for July 2006. In this work an e‐mail archive and response records for 71 unique Phishing incidents were examined with a view to ascertain whether incidents could be grouped by attacker. This work revealed that six identified groups accounted for all but two of the incidents. Three of the groups accounted for 61 of the 71 incidents. In addition, an apparent work schedule by day and time was established consistent with a European time zone. In the sixth and final chapter, a phishing attack model of these groups is constructed, a theory of cybercrime operations based on this work is proposed and options capable of being deployed to disrupt the phishing attack model are identified. In particular it identifies that the money laundering 9 aspects of the phishing are the greatest weakness in the Phishing attack model. Methods to focus on the activity of Internet money mules and wire transfer agents, such as Western Union, would be more beneficial than the current reliance on technical controls. 10 DECLARATION I hereby certify that the work embodied in this thesis is the result of original research. This work has not been submitted for a higher degree to any other university or institution. Signed: ____________________ Date: ____________________ 11 CERTIFICATE OF ORIGINALITY Except where otherwise indicated below or in the text herein, the work described in this thesis is entirely my own, and has not been submitted, in any form, for a higher degree at any other institution. The following list summarises my particular contribution to the joint papers in this thesis. Chapter 2: Aston, M., S. McCombie, et al. (2009). A Preliminary Profiling of Internet Money Mules: An Australian Perspective. Proceedings of the 2009 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, IEEE Computer Society: 482-487. Conception 40%, data collection 40%, analysis 40%, writing 50% Chapter 3: McCombie, S., J. Pieprzyk, et al. (2009). Cybercrime Attribution: An Eastern European Case Study. 7th Australian Digital Forensics Conference. Perth. Conception 100%, data collection, 100%, analysis 90%, writing 90% Chapter 4: Watters, P. A. and S. McCombie (2011). "A methodology for analyzing the credential marketplace." Journal of Money Laundering Control 14(1): 32-43. Conception 50%, data collection 100%, analysis 50%, writing 30% Chapter 5: McCombie, S., P. Watters, et al. (2008). Forensic Characteristics of Phishing - Petty Theft or Organized Crime? Fourth International Conference on Web Information Systems and Technologies. Funchal, Madeira, Portugal. 1: pp149-157. Conception 90%, data collection 100%, analysis 70%, writing 60% Chapter 6: McCombie, S. and J. Pieprzyk (2010). “Winning the Phishing War: A Strategy for Australia”. Second Cybercrime and Trustworthy Computing Workshop, University of Ballarat. Conception 100%, data collection, 100%, analysis 90%, writing 90% Signed: ____________________ Stephen James McCombie B.A. Macq., GDipComp Deakin, MInfoTech Deakin, June 2011 I certify this to be a true and accurate statement of the originality of the work presented in this thesis. 12 ACKNOWLEDGEMENTS I would like to thank Macquarie University for the opportunity to pursue and complete this PhD. I would also like to acknowledge the National Australia Bank for their financial support and assistance in the research for this PhD. In addition I would like to thank Assistant Commissioner Neil Gaughan of the Australian Federal Police and his team for their invaluable assistance. I would like to thank my colleagues from PICT Julian Droogan and Graeme Morgan for their excellent editing skills as I was writing my chapters and special thanks to my lifelong friend Manny Aston for his proofreading of the finished thesis. I would like to express my thanks for the constant and unwavering support, encouragement and guidance from my supervisor Professor Josef Pieprzyk. I would also like to thank my former supervisor Associate Professor Paul Watters and my adjunct supervisor Dr John Langdale for their support and inspiration. I would like to thank my wife, Kathy and my sons Daniel and Peter for their patience and support while I pursued this “folly”. I would like to dedicate this thesis to the memory of my parents John and Dorothy McCombie, who instilled in me a belief in the value of knowledge, higher education and learning despite never having the opportunity to complete their own schooling. 13 Figure 1.1: Western Union agency in St Petersburg 2008. Phishing the Long Line: Transnational Cybercrime from Eastern Europe to Australia. Chapter One INTRODUCTION AND BACKGROUND 14 CHAPTER ONE: INTRODUCTION AND BACKGROUND 1.1 Thesis Aims and Scope This thesis examines the role that Eastern European cybercrime groups (EECGs) play in Internet bank phishing and related cybercrime in Australia. This is achieved by examining empirical data, archival material and significant case studies to obtain a clear picture of EECGs involvement and modus operandi, particularly those groups that operate out of Russia and the Ukraine. This thesis also identifies options to disrupt this criminal activity and ultimately proffers a broader theoretical understanding of cybercrime drawn from this research. Phishing and cybercrime are certainly not a uniquely Australian problem. Indeed the cause of the problem has little to do with Australia; rather, it is an example of how the globalisation of cyber crime by these criminals based in Eastern Europe has changed the paradigm of crime forever. No longer are criminal groups restricted to where they can physically operate. They can commit crimes without ever being in a country where the crime is perpetrated or even needing an accomplice in that country. They can also leverage the enormous efficiencies of information technology systems and in particular the Internet in every aspect of the crime, from planning to execution. Hence, lessons learnt in this thesis are universally applicable. In 2003 EECGs saw Australia’s Internet banking platform, which was one of the first to allow retail customers to transfer money via the Internet, as an attractive target (McCombie 2008). These groups, some using skills possibly developed for information warfare but privatised after the collapse of the Soviet Union, targeted Australia’s major banks. In fact, Australia was the first country to be impacted by this style of attack which soon became the biggest fraud risk to banks throughout the world (McCombie 2008). These attackers were able to use the Internet to research the victim banks, plan the phishing attacks, execute those plans and finally facilitate laundering of the proceeds of those attacks by transnational electronic transfer. Cybercrime research is a relatively new domain (Lu 2007). Its appreciation involves cross-disciplinary expertise (Broucek 2006), incorporating aspects of computer science, law, criminology, psychology, economics and even international relations within it. Significant research has been conducted looking at the technical manifestation of phishing (Jakobsen 2005; Dhamija 2006) and some technical solutions in browsers, authentication mechanisms and other assurance methods by computer science and information system scholars (Plössl 2005; Topkara 2005; Miyamoto 2005; Susilo 2006; Florêncio 2006; Pamunuwa 2007; del Castillo 2007a; Moura 2009; Devarakonda 2010). Some work has also looked at the human factor, modelled primarily from a victim standpoint by psychologists and others. Other cross-disciplinary work has examined the business model of phishing (Abad 2006; Kshetri 2009, 2010). The thesis fills a gap in the current research by looking at the attackers. Rather than restricting its examination to various technical attacks, it looks at a major part of the underlying cause. This will help in developing more fundamental protections against cybercrime that will be robust and are not immediately subject to an arms race in technology. In the cybercrime domain a defence to one attack often spurs the attacker to find a new style of attack to defeat that defence. This is known as a Machiavellian threat, in that it develops over time in response to defensive actions. 15 Some similar research has looked directly at the activities of Eastern European hackers in on-line chat rooms and discussion groups (Holt 2009, 2010). While this work had been productive it is limited by an overly particularistic approach. Conclusions have been drawn on the set of data available and hence the particular cybercrime groups that used those on-line chat rooms and discussion groups, rather than necessarily data on the most noteworthy cybercrime groups. If the groups monitored are not particularly significant, then the results obtained are more likely to be of limited application. In contrast, where the groups studied play a significant role in transnational cybercrime, the results are likely to be of commensurately greater import. While the limitations of available data is a common problem in research in this area, analytical application can derive considerable focus. The thesis has, where possible, focused on available empirical data and important case studies, such as the first Internet banking attacks in 2003 (McCombie 2008). Thus the analysis relates to hacker groups which are significant and informs us of the broader problem. It is important to understand who these groups are, why they undertake these illegal activities and how they operate. In the military context, understanding the motives and disposition of an enemy has been the key to fighting wars (Keegan 2004) whether you are Alexander the Great or David Petraeus. We need to fundamentally understand the motives and disposition of EECGs if we are to successfully defend against their efforts. The specific aims of this research are to: Identify the scale of the involvement in Phishing and related cybercrime in Australia by Eastern European organised cybercrime groups. Examine the weaknesses that allow Phishing and related cybercrime by these groups to occur. Consider the background and modus operandi of these groups and propose a general theory of global cybercrime. Identify any weaknesses in that modus operandi. Propose options to disrupt this activity. 1.2 Thesis Structure The thesis is organised into six chapters. The first chapter sets out the aims and scope of the study, and the structure of the thesis. It explains the background to the problem from a historical, political, technical and legal perspective. It also reviews the Phishing literature. In the second chapter, the money laundering aspects of this crime are examined. To recover the proceeds of the fraudulent transactions, the attacker must direct the funds firstly to an Internet money mule within Australia. The Internet money mule is then directed to wire the money overseas using a service such as Western Union. The demographic profile of Internet money mules that are used for this activity is explored through the examination of archival data. The data was obtained from one Australian financial institution and related to 660 Internet money mule incidents during 2007. Additionally, data was also obtained from the High Tech Crime Operations section of the Australian Federal Police, detailing the laundering of proceeds of Phishing in Australia to overseas locations for the period from September 2004 to October 2010. It shows a majority of those transactions were directed to Russia and other countries which were part of the former Soviet Union. 16 In the third chapter, an ethnographic study of EECGs is conducted, including a major case study of the first Internet bank phishing attacks in Australia in 2003. This identified a number of Ukrainians who were instrumental in these early attacks and their methodology. These attacks were the first of their kind globally. The chapter also examines why these countries have an environment which favours this activity. In the fourth chapter, the cybercrime marketplace, which supports phishing and related cybercrime by providing a market for the various tools needed for phishing and the proceeds of that cybercrime, is examined to further explore the modus operandi of these groups. From analysis of data from two Internet Relay Chat (IRC) channels used for this trade, an initial methodology for further understanding of how compromised credentials are traded in online marketplaces is developed. In the fifth chapter phishing artefacts are examined to establish links between attacks and any features, which might indicate the source is Eastern Europe. This research looked at data available from one Australian financial institution for July 2006. In this work an e‐mail archive and response records for 71 unique Phishing incidents were examined with a view to ascertain whether incidents could be grouped by attacker. This work revealed that six identified groups accounted for all but two of the incidents. Three of the groups accounted for 61 of the 71 incidents. In addition, an apparent work schedule by day and time was established consistent with a European time zone. In the sixth and final chapter, a phishing attack model of these groups is constructed, a broader theory of cybercrime based on this work is proposed and options capable of being deployed to disrupt the phishing attack model are identified. In particular it identifies that the money laundering aspects of the phishing are the greatest weakness in the Phishing attack model. Methods to focus on the activity of Internet money mules and wire transfer agents, such as Western Union, would be more beneficial than the current reliance on technical controls. This thesis comprises a series of papers either published in conference proceedings (five papers), or in a journal (one paper). The introduction to each chapter summarises the respective papers, reviews additional relevant unpublished material, and provides the context in terms of the overall aims of the thesis for the papers that it contains. 1.2.1 Repetition in Publications Due to each publication requiring its own introduction and background, there is a degree of duplication between the publications. This was unavoidable as each was designed for a separate audience and the context of the topic needed to be set for each publication. Despite this duplication it should be observed that even that background has changed somewhat over time and the change is similarly reflected in the various publications. 1.3 Background: Historical The problem of phishing and related cybercrime needs to be set in its historical context. First, the timing of development of the Internet for commerce and in particular the arrival of Internet banking is important. In 1994 Stanford Federal Credit Union was the first financial institution to offer banking services over the Internet (Stanford Federal Credit Union 2011). Its association with Stanford University (the birthplace of SUN Microsystems and Cisco) and Silicon Valley was instrumental to this evolutionary step into Internet banking. The first Internet-only bank was 17 Security First Network Bank, started in October 1995 (Cronin 1998). Indeed it was “Security First” as time went on: as can be seen, security came to lag well behind useability. Australia’s major banks were early entrants into Internet banking in global terms. The Commonwealth Bank had online banking even before the Internet became mainstream via Telecom’s Viatel service in the late 1980s. The first bank in Australia to offer Internet banking was Advance Bank in December 1995 (Nitsche 1996). Advance was later absorbed into St George Bank in 1997. By 1997 Australia’s four biggest banks, Commonwealth, Westpac, National Australia Bank and ANZ, had Internet Banking sites with transactional capabilities. Figure 1.2: Commonwealth Bank’s original non-transactional Internet website in the mid 1990s (Canstar 2010) By 2003 Australian Internet banks offered greater functionality in their Internet banking solutions, including third party payments, well before banks in the United States and most other countries. While the early solutions were developed with rather strict security models, using in most cases enhanced security over just username and password, eventually the need for greater usability meant that all a customer needed was a username and password to transact online. While “Secure Socket Layer” (SSL) was the standard for securing the data from the user to the bank, the possibility of social engineering and the integrity of the users being compromised were not then envisaged. Deregulation of the Australian banking industry in the late 1980s and early 1990s was a key factor in the development of phishing in Australia. Particularly important was the opening up of the ability to perform international funds transfers with limited regulation. In 1989 Communist Eastern Europe collapsed along with the Soviet Union itself. Out of this breakdown in state authority, organised crime groups grew in numbers and influence. After the 18 early success of the market economy in Russia and Ukraine in 1999, there was a severe economic downturn. In 2003, faced with the need to radically cut government expenditure, the Russian Government disbanded the FAPSI (effectively Russia’s NSA) and many technical staff skilled in information warfare were recruited by organised crime groups (Galeotti 2006). It is within this historical context that we see the first phishing attacks in March 2003 by Eastern Europeans on an Australian bank. 1.4 Background: Political Cross-border law enforcement is a significant challenge for policing agencies which are typically based on geographic jurisdictions. This is made even more difficult when the jurisdiction where the offender is situated is less than cooperative. The Russian federation under Vladimir Putin and more recently Dmitry Medvedev has maintained a foreign policy with the aim to keep their neighbours such as Ukraine and Moldova out of the European Union and NATO. This policy has severely impacted the degree of cooperation Russia and these states share with Western law enforcement. In effect it has created a safe haven for criminals who target the West, particularly for cybercrime. Ultimately a fraud against a Western bank is seen as a very low priority by Russian authorities, if seen as a crime at all (Zenz 2007). 1.5 Background: Technical The technical nature of the World Wide Web has made copying a website a very simple exercise. Once this is done it is simply a matter of directing Internet bank users to these copies of Internet banks and convincing them to enter their Internet banking credentials. Then the same technologies used in legitimate web infrastructure capture those details and are used to commit fraud. With the growth of malware in the late 1990s and early 2000s, the ease by which millions of computers connected to the Internet could be quickly compromised was understood. However, these early efforts such as Melissa in 1999, I Love You and Slammer in 2001, were about announcing themselves and gaining credit for their writers rather than any primary profit motive. However, the new malware starting in 2003 would use the same types of system vulnerabilities but remain hidden and capture account credentials and would ultimately become an even more effective phishing method. 1.6 Background: Legal In Australia, under the common law and legislation of the federal and state parliaments, our system is based around geographical jurisdictions. The Internet and cybercrime create severe challenges for that jurisdictionally-based legal system. What are relatively straightforward investigative activities, such as the execution of search warrants to obtain banking records, become complex and often fruitless exercises when dealing internationally. This is compounded when there is little formal cooperation by the countries such as Russia and Ukraine even if possible. These legal challenges have been identified in the European Convention on Cybercrime which came into force in 2004. It states: Recognising the need for co-operation between States and private industry in combating cybercrime and the need to protect legitimate interests in the use and development of information technologies; (and) Believing that an effective fight against cybercrime requires increased, rapid and well-functioning international co-operation in criminal matters;… 19 The process of ratification in Australia is still underway and the level of cooperation envisaged by the treaty is aspirational at best. 1.7 Significance of the problem Globally, phishing and related cybercrime is responsible for annual losses of billions of US dollars. Gartner reported more than five million United States consumers lost money to phishing attacks in the 12 months ending in September 2008. They have estimated the losses in the United States to phishing were over USD$7.5 billion between September 2005 and September 2008 (Gartner 2009), going from USD$1.2 Billion in 2003/2004 to USD$1.7 Billion in 2007/2008. According to figures from the UK payment clearing association APACS, fraud losses to UK banks from Internet banking fraud from 2004 to 2009 totalled £203 million, going from £12.2 Million in 2004 to £59.7 Million in 2009 (APACS 2010). In a report for the United Kingdom’s Cabinet Office, Dettica (2011) estimated the cost of cybercrime to the UK economy was £27 Billion per annum, with online fraud accounting for £1.4 Billion. Australian banks do not publish figures on their losses to Internet banking fraud. However, in 2008 the Australian Bureau of Statistics estimated that 57,800 Australians had been victims of Phishing and related crime during 2007. Galaxy Research (working on behalf of security vendor VeriSign) estimated that one in ten Australians had lost an average of AUD$1000 to online identify theft in the twelve months to July 2010. They estimated the total Australian losses in that period at AUD$1.286 Billion (Moses 2010). Law enforcement agencies are well aware of the significance of the problem. Assistant Commissioner Neil Gaughan, the head of the Australian Federal Police’s High Technology Crime Operations, stated on the ABC’s 7.30 report in October 2010: The amount of crime taking place in the cyber world is much … greater than what we are seeing now in the real world based on the fact there's less chance of detection. (Australian Broadcasting Corporation 2010) While the losses associated with Phishing may not seem significant in global financial terms, there is a concentration of offenders, and the profits for the individuals are considerable given the minimal risk and effort involved in the crime. For instance, compared to criminals involved in the drug trade, there is little investment or risk associated with the activity. The return is easily converted to cash, which is easily laundered once it leaves Australia. There is no upfront investment for Internet money mules as they are funded via the proceeds of the frauds. Also, many of the criminal associations can be at a safe distance or largely anonymous, thus limiting exposure to informants and undercover operations. In late 2009 and early 2010, agents from the Australian Federal Police ran an undercover operation against an offender based in Russia. The agents took the role of an Internet money mule and received over AUD$1 million from fraudulent transactions. Agents tried at first to draw the offender into a friendly jurisdiction to make an arrest but ultimately applied to the Russian authorities to start a prosecution. After some early optimistic signs from their Russian law enforcement contacts, nothing more was heard (Dix 2010). 20 1.8 Overview of Problem Internet bank Phishing and related cybercrime has been a recent phenomenon dating from 2003. Phishing itself is defined by the Anti-Phishing Working Group as a form of online identity theft that employs both social engineering and technical subterfuge to steal victims' personal identity data and financial account credentials (APWG 2010). Related cybercrime is defined here as the various activities that support phishing. This includes the construction of infrastructure such as botnets, the acquisition of spam lists, research and development of content to trick users, development of malware to capture passwords, Distributed Denial of Service (DDoS) attacks on response organisations and the recruitment and management of Internet money mules. 1.9 Cybercrime outside of Eastern Europe Cybercriminals are not just an Eastern European phenomena. There are active individuals and groups in many countries including Australia. While Australian hackers famously compromised NASA back in the 1989 and even Wikileaks’ founder Julian Assange was arrested for hacking in 1991, cybercriminals in Australia and other Western countries are far more likely to come under notice of law enforcement and be arrested. As a result, much activity is at least directed from outside of Western countries. 1.9.1 Brazil Brazil has an active hacker community (Glenny 2008) and indeed phishing of Brazilian banks has a long history. These groups, however, do not seem to have targeted Australian institutions and seem mainly focused on South American banks. 1.9.2 Nigeria Nigeria is the home of the “419 scam” or advance fee fraud. It is an example of where a physical world crime has turned cyber and in the process gained from the efficiencies and scope of information technology and the Internet. Nigerian letters were originally physical letters mailed using the normal postal system to people to try and trick them into sending money as a transaction fee to release a larger amount back to them. What began as a resource-intensive process has become, with the advent of email and spam lists, highly efficient. Australia is no stranger to this fraud, with Queensland police investigations identifying in 2010 that a majority of Western Union transactions from Queenslanders to Nigeria were these frauds (Hay 2010). Nigerian groups are believed to be involved in phishing attacks on Australian banks in more recent times but figures of money flows show that Eastern Europe gets the majority of the proceeds of phishing (See Chapter 2). 1.9.3 China China is well known for hacker attacks and as a major source of spam. The most prominent hacking activities are site defacements perpetrated both manually and via malware such as Code Red in 2003, and cyber-espionage against dissident groups and sources of industrial secrets (Krekel 2009). Despite this, there are no indications that Chinese groups have targeted Australian banks for phishing. 21 1.9.4 Other The largest group of trained hackers resides in the United States and a number of recent convictions involving individuals from Eastern Europe also involved United States based conspirators such as in the RBS Worldpay case (Menn 2010a). However, the chance of detection and prosecution in the United States is considerably higher than in most countries due the FBI’s and Secret Service’s cybercrime divisions being able to investigate the offences in many cases completely within their own jurisdiction. 1.10 Literature Review The literature on phishing and related cybercrime comes from a number of disciplines. Most significantly, scholars from computer science and information systems have looked at various technical aspects of phishing and suggested numerous technical solutions. However, some papers from other sources have looked at human factors, economic and other non-technical aspects of the problem. 1.10.1 Phishing Attacks Much early work in the computing field looked at the nature of the basic attack (Jakobsen 2005; Dhamija 2006). Other work monitored the developments in phishing over time (Ramzan 2007). More recent work has documented various technical developments such as fast flux networks (Passerini 2008; Holz 2008) used to host phishing sites and other phishing infrastructure. Other recent work has focused on the specific examination of malware (“crimeware”) in the wild (Holz 2008). Pharming, the poisoning of DNS for phishing, has also been examined (Karlof 2007). Jagatic (2007) demonstrated phishing attacks where the alleged source is known to the victim, known as “Social Phishing”, have a higher degree of success. This research in an associated paper also illustrated some of the ethical issues in tricking research participants to do this type of research in the first instance (Jagatic 2007a). 1.10.2 Technical Phishing Countermeasures Significant work has been done in proposing various technical techniques to counter phishing (Jakobsen 2005; Plössl 2005; Topkara 2005; Miyamoto 2005; Susilo 2006; Florêncio 2006; Pamunuwa 2007; del Castillo 2007a; Moura 2009; Devarakonda 2010). Other research has examined a number of these solutions and other commercial phishing countermeasures and questioned their effectiveness (Dhamija 2006; Florêncio 2006; Moore 2007; Jackson 2007; Ludl 2007). 1.10.3 Detecting Phishing E-mails There has been considerable research in exploring various techniques to detect phishing emails as a component of phishing countermeasures (Chandrasekaran 2006; Chandrasekaran 2006a; del Castillo 2007; Abu-Nimeh 2007; Basnet 2008; Gansterer 2009; Dazeley 2010). This work looked at various features which could identify phishing email from legitimate e-mail including email content, metadata and source. While many of the techniques described had high degrees of success, none were a complete solution for phishing emails. This is because phishing emails themselves are often based on legitimate emails sent by financial institutions, thus subject to high levels of false positives and false negatives. 22 1.10.4 Phishing Attribution While much research has been conducted in regard to detecting whether an email is phishing or not, less has been done to attribute those identified phishing emails to a particular group or person. Following on from email authorship analysis research, some work has been done on attribution of phishing by various methods. James (2005) reported that 48 distinct phishing groups were identified by analysing the nature of the phishing emails and the phishing websites over two years. 1.10.5 Human Factors Other computing researchers have looked at the human factor in terms of the victims (Hutchings 2009; Dhamija 2006) and Internet money mules (Florencio 2010). Research by Hutchings indicates that potential victims who undertake high levels of routine activities relating to computer use and internet banking use are more likely to be attacked by motivated offenders. However, other research has found victims do not appear to have common demographic characteristics (Dhamija 2006). Research into Internet money mules found that combating them is central to reducing phishing, as their availability is a key weakness in the Phishing attack model (Florencio 2010). 1.10.6 Significance of Phishing While most of the research has worked on the assumption that Phishing is a significant problem, some research has questioned that position because some estimates used to show the significance may have some methodological issues (Herly 2008). However, this alternate argument is not supported by the vast majority of data available. 1.10.7 Phishing and Cybercrime Economics Some research has been conducted, exploring the business model of phishing. Abad (2006) was first to describe the economy of phishing. He explored the importance of markets that supply all the tools and services to commit phishing attacks and launder the proceeds. Through the examination and monitoring of keyloggers and drop zones, more was learnt about the underground economy (Holz 2008). Kshetri (2009, 2010) outlines the externality mechanisms and feedback systems increasing the return in cybercrime activities (see figure below). While not specifically identifying Eastern European countries or phishing, he identified many of the features of phishing by EECGs. Choo (2008) similarly looks at the operation of cybercrime groups correctly observing, Extraterritoriality, the notion that the internet has no geographic boundaries, has driven the e-commerce revolution. Unfortunately, organised crime groups operate online under the same free market principles, while legislative and law enforcement endeavours launched against them suffer from geographical and cultural restrictions (Choo 2008). Detica (2011), in their report on the cost of cybercrime for the UK Cabinet, developed a causal model of the cyber criminal underground economy to address the complexity of cybercrime (See Figure 1.3) which similarly identified many of the features of phishing by EECGs. Kshetri (2010a) also outlines the structure of cyber crimes in developing economies, in which he includes Russia, Ukraine, Poland and Romania, recognising that the nature of developing nations creates a favourable environment for cybercrime. He also cites a number of sources (mostly anti-virus vendors) who use 23 various methodologies to identify significant countries in terms of cybercrime in which both Ukraine and Russia are listed. Figure 1.3: Externality mechanisms and feedback systems producing increasing return in cybercrime related activities (Kshetri 2009). Figure 1.4: Causal model showing cyber criminal underground economy (Detica 2011). 24 1.10.8 Attacker Profiling Other work has looked at attacker behaviour (Birk 2007; Carr 2010). One approach was to examine online forums where hackers meet. There a degree of profiling on participants was conducted (Holt 2009, 2010). The majority of those examined were from Russia, in particular Moscow and to a lesser extent St Petersburg. While the conclusions of this work are limited due to the fact that an assumption is made on the significance of those studies to the broader cybercrime problem, it is still instructive in understanding the profile of those involved in some of the attacks on Western banks. Identified groups are well connected, and particularly “threatening hackers” are densely connected. The demographic features of the hackers were that they were mostly male (nearly 99%), primarily from, as stated, Russia (52%) but also with significant numbers from the Ukraine (6.6% second highest identified location). The great majority (70%) were considered low risk (Holt 2009, 2010). 1.10.9 Phishing in the Context of Russian Organised Crime Other research focused on Russian organised crime makes mention of cybercrime and even phishing but often with limited specifics (Zenz 2007, 2008; Carr 2010). Galeotti (2006, 2009) has made the link between Russian organised crime and phishing in a number of articles for Janes Intelligence Review. Menn (2010), in his book Fatal System Error, a case study of DDoS blackmail of gambling websites by various Eastern European gangs, indicates groups moved on to carding and phishing when that blackmailing activity became less profitable in the mid 2000s. 1.11 Conclusion This chapter has set out the aims and scope of the study, and the structure of the thesis. The background of the problem has been explained from a historical, political, technical and legal perspective. An overview of the problem has been provided and cybercriminals outside of Eastern Europe also surveyed. Finally this chapter has reviewed the major literature on phishing. The next chapter considers the role of money laundering in phishing, Internet money mules, and examines new data showing the significance of Eastern Europe as the destination of the outgoing proceeds of phishing attacks. 25 Figure 2.1: Heat map of blocked Western Union transactions from Australia by Country (October 2004 to December 2005, October 2006 to March 2007 and January 2009 to November 2010) Phishing the Long Line: Transnational Cybercrime from Eastern Europe to Australia. Chapter Two Phishing, Internet Money Mules and Related Cybercrime 26 CHAPTER TWO: PHISHING, INTERNET MONEY MULES AND RELATED CYBERCRIME 2.1 Introduction This chapter looks at the phenomenon of Internet money mules and the important role they take within the Phishing attack model. It also looks at the broader money laundering aspects of Phishing and examines new data showing the international destinations of transactions relating to the proceeds of Phishing attacks on Australian banks. Phishing is a crime which, while very much based in modern information technology, does rely for its ultimate success on a more established crime-money laundering. Money laundering is the key to the success of any phishing attack and without it the attackers realise no benefit. It is widely accepted there are three stages in money laundering: placement, layering and integration. Placement is where the proceeds of crime are placed within the financial system. Layering is where those proceeds are separated from their source by layers of transactions, which disguise the ownership of funds and makes them more difficult to trace. Integration is where the proceeds of crime re-enter the financial system as apparently legitimate funds (Deitz 2006). Russian organised crime in particular has a history of successful money laundering activities, particularly since the 1990s. The US Government estimated that from 1992 till the late 1990s more than $80 Billion in US currency, the proceeds of crimes committed by the US arm of Russian organised crime, was expatriated using a regular Delta Airlines flight from New York to Moscow (Friedman 2000). 2.2 Anatomy of Internet Bank Phishing Phishing and related cybercrime may have changed significantly in their technical nature since 2003, but the underlying anatomy has barely changed. While the exact method of compromise has varied, once the compromise has occurred the subsequent steps have been consistent. Once the attacker has the users’ credentials and can transact on their account, they will move the money to a third party, known as an Internet money mule, who holds an account in the country where the fraud occurs and receives a fee for handling the transaction. This step can be automated rather than manual as with the banking Trojan Zeus, but essentially the process remains the same. The Internet money mule is then managed by what is referred to as an “executive” (Menn 2010) who will contact them once the money is deposited into their account and get them to draw it out in cash and then wire it overseas via Western Union or Moneygram with minimal delay. This method breaks the transaction up so tracing by the bank ends or at least is delayed with the Internet money mule. If the phishers were to use a normal bank-to-bank transfer, the transaction could be easily identified and may well be stopped or recovered by the investigating bank. Once wired (often as not to Eastern European locations as this research indicates), the money is picked up in local currency by what can be called “local money mules”. These individuals pick up the proceeds from Western Union in cash. In Eastern Europe, carrying cash for others is a very normal business. The proceeds of the crime ultimately end up in the hands of the phishing organisers, either directly or by a system of factoring where the value of the fraud is sold on the cybercrime marketplace (See Chapter 4). With the Internet banking fraud now complete, the Internet bank involved easily identifies the Internet money mule and recovers the 8-10% fee that the Internet money mule was to keep as their 27 payment. The mule may then be subject to prosecution if it can be proven that they laundered the proceeds of crime but this generally requires them to have the requisite guilty knowledge or at least be reckless to the fact. However, the Internet money mule is merely a dupe and is expendable as long as the phishing organisers can recruit new Internet money mules, and so their prosecution is of little consequence to the organisers. In terms of the steps in money laundering, described above, placement is where the funds are moved from the victim’s account to the Internet money mule’s account. Layering then occurs when the mule withdraws the money in cash and then wires it via Western Union or Moneygram. At this point we do not really see integration but presumably after the money is withdrawn from Western Union outside of Australia it is ultimately returned to the financial system. 2.3 Evolution of Internet Money Mules The use of Internet money mules was developed to assist cybercrime groups to repatriate their funds from countries where they had no physical presence. Their genesis can be traced to 2003 when Internet bank phishing started (McCombie 2008). A few early phishing attacks were able to use International funds transfer functionality, such as Westpac’s system in 2003, within Internet banking sites to send funds directly to Eastern Europe but banks quickly closed down this channel or manually monitored each and every transaction (see Chapter 3). Internet money mules themselves are recruited by email, web and instant messaging to what, on the face of it, is a legitimate job as an agent of some sort who is needed to be able to receive payments into a bank account either existing or created for the purpose of the “job”. Figure 2.2 below from the Australian Federal Police explains the process of recruitment. Figure 2.2: Mule Recruitment (Australian Federal Police 2008) 28 2.4 Profile of Internet Money Mules To better understand phishing and related cybercrime, a detailed examination of the profile of Internet money mules was conducted. For the year 2007, 886 individual cases of Internet money mules identified from one Australian financial institution were examined. Each case involved an Internet money mule receiving fraudulent funds from the proceeds of phishing into their bank account. This research used data gathered by bank investigators in the process of investigating those frauds and, as such, the data is largely reliable. In each case the age, sex and postcode of each Internet money mule were given. Other details were withheld to protect the privacy of the individuals. In addition, whether the case was a second or subsequent case involving the same mule was established. In many of these repeat cases the Internet money mule may well be aware what they were doing is not a legitimate job as they have typically already been contacted by bank investigators or law enforcement and informed of the nature of the scam. This profiling, described in detail in section 2.7, indicated males were vastly over represented when compared to Australian Bureau of Statistics (ABS) figures of Internet users. In particular, males in the 25-34 age group were significantly greater in percentage terms in the population of Internet money mules than as Internet users (as Figure 2.3 shows). Figure 2.3: Percentage breakdown of males and females by age groups from ABS statistics on Internet users compared to Internet Money Mules 2.5 Analysis of Money Flows 2.5.1 The Joint Banking and Finance Sector Investigation Team (JBFSIT) and Transaction Blocking In July 2003 the Australian Federal Police in conjunction with the state police forces established the Australian High Tech Crime Centre (Australian Federal Police 2010). One of the first challenges they faced was Internet bank phishing with the first attacks on Australian banks in March, April and July 2003. The first director of the AHTCC, Alastair McGibbon, working with the banks came up with an original approach to deal with phishing. A specialised team was established using staff seconded from a number of the victim banks along with police investigators. It was called the Joint Banking 29 and Finance Sector Investigation Team (JBFSIT). This team’s single focus was to deal with phishing against Australian financial institutions. By 2004 it was working with victim banks to block fraudulent transfers via Western Union and Moneygram. Typically an Internet fraud would be committed and an Australian Internet money mule would be identified either by the victim bank or JBFSIT investigators. Given the speed of the transaction, those funds would typically already been transferred to another country and the money gone. Investigators would then identify the international recipient. Police would then contact Western Union or Moneygram to block any subsequent transactions to that identified recipient. Thus subsequent transfers to those recipients would be blocked and they would no longer remain useful to launder proceeds of phishing. Data detailing each time such a block occurred by JBFSIT has been obtained by researchers including the transaction date, the country and in a majority of cases the city. This data provided to researchers covers the periods October 2004 to December 2005, October 2006 to March 2007 (no city data) and January 2009 to November 2010. In total, 1416 transactions were blocked and details recorded. 2.5.2 Analysis The data was broken down by timing, destination country and in many cases destination city. It is therefore a highly useful indicator of where the proceeds of this crime end up. There is a possibility that the country it is sent to is not its final destination and the proceeds are further laundered from there. However, it remains self evident that if a significant portion goes to Eastern Europe in the first instance, groups responsible for this part of the process have a strong nexus to that part of the world. 2.5.2.1 By Country Analysis of the data by country clearly indicates the prominence of Eastern Europe as the destination of transactions, particularly Russia. If the data is analysed by year, it is evident that Russia has consistently been the highest recipient country with a total of 607 transactions accounting for 42.87% of the total. Ukraine takes overall second place with 139 transactions accounting for 9.82% of the total but its significance has varied over time. Third place is Nigeria with 121 accounting for 8.55%, it is known for “419 scams” or “Nigerian letters” but also is a source of some phishing. It has become more significant recently, ranking second in 2010. Fourth place is the United Kingdom with 86 accounting for 6.07%, coming in second for the period 2006-2008. The next three places are taken by countries which were all part of the former Soviet Union: Tajikistan, Latvia and Estonia. Figure 2.6 shows the ethnic Russians in other parts of the former Soviet Union (CIA 1994). These three countries have significant Russian ethnic populations. While these three countries are well down the list, if the figures are looked at in comparison to their population they are the three most significant, with Estonia having 30.9 transactions per million of population contrasting with Nigeria which has only 0.8 transactions per million of population. Russian organised crime groups such as Tambovskaya (Tambov) in the 1990s expanded into the Baltic and northern Europe, establishing operations in Estonia, Latvia and Lithuania. Latvia has been identified as base for Russian Phishing by St Petersburg organised crime groups such as Tambov (Galeotti 2005). If we are to look at those countries, which were parts of the former Soviet Union, they represent some 66%, or 791, of the total. The data shows a clear nexus to that part of the world, which has remained consistent from 2004 to 2010. 30 Table 2.1: Blocked Internet Transactions by Country (October 2004 to December 2005, October 2006 to March 2007 and January 2009 to November 2010) Blocked Transactions 2006Country 2004 2005 2008 Russia 35 71 104 Ukraine 18 32 14 Nigeria 1 10 United Kingdom 2 13 24 Tajikistan Latvia 16 27 15 Estonia 14 19 7 Poland 2 8 Singapore 2 20 South Africa Germany 6 13 Czech Republic 6 7 2 Philippines 17 Malaysia 2 1 Moldova 7 Israel 13 United States of America 1 3 2 Other < 10 13 27 8 Totals 113 250 219 *Population source: CIA Factbook July 2010 estimate 2009 121 67 65 19 55 14 10 1 4 7 6 16 385 2010 Total 276 607 8 139 45 121 28 86 25 80 58 40 16 40 22 11 21 1 20 3 19 17 8 15 14 13 1 27 449 13 91 1416 Transactions Per Capita (1 Million)* Percentage 4.35468 42.87% 3.06062 9.82% 0.79492 8.55% 1.37934 6.07% 10.68449 5.65% 26.15005 4.10% 30.97965 2.82% 1.03994 2.82% 4.67979 1.55% 0.42762 1.48% 0.24306 1.41% 1.86243 1.34% 0.17017 1.20% 0.53051 1.06% 3.24263 0.99% 1.76775 0.92% 0.04190 0.92% 6.43% 100.00% Figure 2.4: Heat map of Blocked Internet Transactions by Country in Europe (October 2004 to December 2005, October 2006 to March 2007 and January 2009 to November 2010) 31 Figure 2.5: Pie Chart of Blocked Western Union transactions by Country (October 2004 to December 2005, October 2006 to March 2007 and January 2009 to November 2010) 2.5.2.2 By City For the periods in 2004, 2005, 2009 and 2010 the city associated with the transaction was also recorded (911 of the 1196 for these periods) and this provided even greater context to the transaction. The prominence of some cities over others, such as St Petersburg over Moscow, in the Russian figures is of particular interest given other research about the St Petersburg organised crime group Tambov and their activities centred on that city (McCombie 2009; Galeotti 2009). 32 Figure 2.6: Ethnic Russians in other parts of the Former Soviet Union (CIA 1994) 33 Table 2.2: Blocked Internet Transactions by City (October 2004 to December 2005 and January 2009 to November 2010) City Blocked Transactions 2004-2005 2009-2010 Total Percentage of Total Transactions Per Capita (1 Million)* 57 319 376 41.27% 81.73422638 Dushanbe 0 61 61 6.70% 87.74453395 Lagos 0 54 54 5.93% 5.684210526 London 3 36 39 4.28% 5.118244573 Riga 30 0 30 3.29% 42.46807462 Kiev 7 22 29 3.18% 16.84319105 Warsaw 1 21 22 2.41% 12.81412816 Mykolayiv 15 7 22 2.41% 18.49491726 Moscow 10 4 14 1.54% 1.325376279 Novosibirsk 0 11 11 1.21% 7.806196275 Odessa 0 10 10 1.10% 4.182311999 Pretoria 0 10 10 1.10% 9.054042675 Tallinn 10 0 10 1.10% 25.08818497 Saint Petersburg Other < 10 223 Total 911 *Population source: http://www.citypopulation.de and United Nations Population Division Department of Economic and Social Affairs 34 Figure 2.7: Blocked Internet transactions by City (October 2004 to December 2005 and January 2009 to November 2010) 2.5.3 Selected City Profiles 2.5.3.1 St Petersburg St Petersburg accounted for 376, or 41%, of the total transactions where data for the city was available. This was the highest by a factor of six and second highest per capita, with 81 transactions per million of population. St Petersburg is known as a hub for criminal activity. In reference to St Petersburg, the Europol 2009 EU Organised Crime Threat Assessment stated: St Petersburg is an important logistical nexus, feeding the North East (Organised Crime) hub. It amasses various (illegal) commodities, which are then re-directed to the Russian, Nordic, Baltic and Western European markets. (Europol 2009) 35 Figure 2.8: St Petersburg, the North East Criminal Hub (Europol 2009) St Petersburg is a power base of the well connected Tambov gang (see Chapter 3). St Petersburg is Russia’s former Tsarist capital on the Baltic, a major tourist attraction and Vladimir Putin’s former home and location of his early days in local politics. Galeotti in a recent article in a Janes Intelligence Review, noted in regard to Tambov and St Petersburg, [Tambov’s] deep penetration of the St Petersburg, and therefore Russian, economy has helped ensure the Tambov network also has the means and opportunity to engage in a wide range of financial crimes. … the Tambovskaya may be looking to expand its moneylaundering operations, which could also make it the major provider of these services in Russia. (Galeotti 2009) In contrast, Moscow, the largest city in Russia and its capital, only represents 14 transactions, or fewer than 2% of the total. This further demonstrates the significance of St Petersburg as a major hub for this money laundering activity in Russia, and indeed globally. 2.5.3.2 Dushanbe Dushanbe is the capital of Tajikstan and accounting for 61 or 7% of the transactions. It was also the highest per capita with 87 transactions per million of population. It only appeared in figures for 2009-2010 so its importance would appear to be a more recent phenomenon and it may have replaced other States of the former Soviet Union that are now members of the European Union and/or NATO and thus less attractive due to links with Western law enforcement. 2.5.3.3 Kiev Kiev is Ukraine’s largest city and capital, it accounts for 29, or 3%, of the transactions and per capita it has 16 transactions per million of population. Its population belongs primarily to the Russian speaking minority. 2.5.3.4 Odessa Odessa is Ukraine’s second city after Kiev, accounting for 10, or 1%, of the transactions and four transactions per million of population. Its population belong to the primarily Russian-speaking 36 minority. It is also the registered address of Alexander Mozhey and other Ukrainians who were involved in the first phishing attacks on Australia in 2003 (see Chapter 3). 2.5.3.5 Mykolayiv Mykolayiv is a smaller city in the Ukraine near Odessa with 22 transaction, or 2% of the total transactions. and was third highest per capita with 41 transactions per million of population. During the late 1990s, Mykolayiv was considered the Ukraine's hard-drug capital (Evans 2007). Mykolayiv is in the primarily Russian-speaking eastern part of the Ukraine. 2.5.3.6 Riga Riga is the capital of Latvia with 30, or 3.29%, of the total transactions and was third highest per capita with 41 transactions per million of population. Latvia has a large ethnic Russian population and has the influence of Russian organised crime groups as described above (Galeotti 2005). It only appears in the figures from 2004-2005 so seems to no longer be used as a drop-off point for these transactions. One potential cause may be that, after joining the European Union and NATO in 2004, transactions have been brought under closer surveillance by local authorities working co-operatively with Western law enforcement. 2.6 Conclusion This chapter has looked at the phenomenon of Internet money mules and the important role they take within the Phishing attack model. It examined the broader money laundering aspects of Phishing and analysed new data showing the destination of transactions relating to the proceeds of phishing attacks within Australia has a strong link to Russia, Ukraine and Eastern Europe. The prominence of Eastern Europe in these transactions is clear and consistent. The prominence of St Petersburg in particular is of note given its links to Tambov and money laundering. In the next chapter, we will look in detail at those first Internet bank phishing attacks in 2003, what we can learn about their source and the methodology of the attackers, and how this changed the crime paradigm. We will also look at what makes Eastern Europe particularly suited to this activity. These factors include an organised crime tradition, high education levels, high corruption perception and a large Internet-connected community. 2.7 References Aston, M., S. McCombie, et al. (2009). A Preliminary Profiling of Internet Money Mules: An Australian Perspective. Proceedings of the 2009 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, IEEE Computer Society: 482-487 37 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing A Preliminary Profiling of Internet Money Mules: An Australian Perspective Manny Aston, Stephen McCombie, Ben Reardon, Paul Watters Cybercrime Research Lab, Macquarie University m.aston@uws.edu.au, mccombie@comp.mq.edu.au, ben@cybercrime.com.au, p.watters@ballarat.edu.au Abstract banking website [8]. The criminals then use these credentials to log onto the victims accounts and illegally withdraw funds. While the criminals can easily access Internet Banks and perform transactions from the other side of the world they cannot necessary get the money into their own hands so easily. Some early Internet fraud used the Overseas Telegraphic Transfer (OTT) functionality of some Internet Banks to repatriate the fraudulently obtained funds directly to other countries. However the Internet Banks with this facility quickly began to limit this functionality or tightly scrutinize any transactions that did occur looking for suspicious recipients and the countries being used by criminals to receive funds. This created a problem for the criminals - how to get the money out of the victims’ country. Out of this problem the “Internet money mule” was born. One of earliest known cases was in Australia. On Monday 17 March 2003 an email was sent out purporting to be from “admins at Commonwealth Bank” directing customers to a Florida hosted copy of the Commonwealth Bank Of Australia website, which is now known as a phishing site. A number of customers gave up their credentials to the website. Shortly after the credentials were used to transfer money to the account of a Tasmanian man who had been recruited on a Croatian Community website to receive the money and then transfer it to Eastern Europe. The Australian Federal Police subsequently arrested this man when he tried to draw some of the fraudulently obtained funds out of his own account. The man escaped prosecution at the time as he claimed he was unaware that the moneys were illegally obtained [7]. When the Internet fraud is investigated the Internet money mules are generally easily identified and any fraudulently obtained funds that may have been kept as the “commission” fee are recovered. It does not matter whether the Internet money mule is fully aware of the crime being committed or ultimately is just an innocent Along with the massive growth in Internet commerce over the last ten years there has been a corresponding boom in Internet related crime, or cybercrime. According to research recently released by the Australian Bureau of Statistics in 2006 57,000 Australians aged 15 years and over fell victim to phishing and related Internet scams. Of all the victims of cybercrime, only one group is potentially subject to criminal prosecution: ‘Internet money mules’ – those who, either knowingly or unknowingly, launder money. This paper examines the demographic profile – specifically age, gender and postcode – related to 660 confirmed money mule incidents recorded during the calendar year 2007, for a major Australian financial institution. This data is compared to ABS statistics of Internet usage in 2006. There is clear evidence of a strong gender bias towards males, particularly in the older age group. This is directly relevant when considering education and training programs for both corporations and the community on the issues surrounding Internet money mule scams and in ultimately understanding the problem of Internet banking fraud. 1. Introduction With the massive growth in Internet commerce in the last ten years there has been a corresponding boom in Internet crime. Criminals are using the borderless Internet to reach far from their home countries. Since 2003 a large portion of this crime has been fraud against Internet banks and their customers. Criminals compromise users credentials for various Internet Banks capturing their credentials by either getting the user to visit a fake banking site called a Phishing site or by using some malicious computer code (called a Trojan or crimeware) placed on the victim’s machine to capture those details when victims go the real 978-0-7695-3737-5/09 $25.00 © 2009 IEEE DOI 10.1109/UIC-ATC.2009.63 482 38 agent as they rarely benefit from the crime. The criminals that recruit them do not care as the mules have served their purpose and pose no threat to the criminal enterprise. Thus in most cases the Internet money mules are expendable dupes for overseas criminals. There is little meaningful data to show the extent of the problem of Internet money mules in Australia. A recent data source in regard to fraud more generally in Australia is the Australian Bureau of Statistics (ABS) Personal Fraud Survey [2], conducted throughout Australia during July to December 2007. According to the survey a total of 806,000 Australians aged 15 years and over were victims of at least one incident of personal fraud in the 12 months prior to interview. This equated to a victimisation rate for personal fraud of 5% of the population aged 15 years and over. There were 453,100 victims who lost money in the 12 months prior to interview, incurring a combined financial loss of almost one billion dollars ($977 million). Of the victims who lost money to personal frauds, the median financial loss was $450 per person, while the mean loss was $2,156 per person. While no other demographic research is available for incidences of Internet money mules there is data relating to fraud offenders more generally. In 2007 international tax and audit consultancy, KPMG, selected 360 cases of white collar fraud against the company identified by its own forensic division for analysis. Their findings were published in the "Profile of a Fraudster Survey 2007." [6] The survey concluded that in the corporate world, 70 per cent of white collar crimes are committed by people between 36 and 55 years; over 80 per cent of fraudsters are male; and members of senior management, including board members represent 60 per cent of all fraudsters. While Internet money mules are not necessarily fraudsters per se they may share some of the characteristics of them. This paper examines the demographic profile – specifically age, gender and postcode residence – of 660 cases of confirmed money mule incidents during the calendar year 2007, for one major Australian financial institution. We compare them against 2006 ABS statistics of Internet usage [1] using as a null hypothesis the assumption that the age, gender and state of residence of money mules will mirror that of general Internet usage. for onward forwarding to the overseas based criminals [9]. These criminals advertise for Internet money mules through spam email, Internet messaging and both fraudulent and legitimate employment web sites. They claim to be legitimate employment opportunities with mules receiving between 7% to 10% of funds transferred via their accounts as a commission. In Western Australia, the Department of Consumer and Employment Protection’s ‘WAScamNet’ database recorded 1,709 employment and money mule email offers reported by consumers in October 2006 alone. This was 59 percent of all scam emails reported. This category represented the largest category of scam emails reported to the Department each month [3]. 3. Anatomy of an Internet Banking Fraud Figure 1 shows the relationship of the money mule to Internet banking fraud, and is an example of a typical Internet banking fraud. The first Phase in the Internet banking fraud involves the criminal sending a phishing email or Trojan infected or lure email to thousands of potential victims. A small percentage of those receiving a phishing email actually respond, usually by confirming their account details or in the other case are infected with a Trojan and have these details compromised when they conduct a real session with their Internet bank (Phase 2). Our victim in this example has ‘clean money’ (c$) in their bank account. According to the ABS [2] in 12 months over 5.8 million Australians were exposed to phishing emails (this involved people receiving and viewing or reading an unsolicited invitation, request, notification or offer, designed to obtain their personal information or money or otherwise obtain a financial benefit by deceptive means), and of those 5.7% (or 329,000 people) became victims by responding to the scam by supplying personal information, money or both, or seeking more information. In Phase 3, the potential mule is approached with a job offer, which is usually advertised by unsolicited spam email, Internet messaging and both fraudulent and legitimate employment web sites. Mules are recruited using job titles such as “Financial Managers”, “Representatives”, “Agents” or the like, and are typically promised a 7-10% fee for transferring funds. In order for the transfer to take place mules need to supply their current bank account details or if they choose set up a new account for this purpose supply those details (Phase 4). In Phase 5 the criminal transfers money from a compromised bank account into the mules account. The mule, simply doing what their ‘job’ requires, transfers this ‘dirty’ money (d$) – minus their fee – via financial transfer services such as 2. A Background to Internet Money Mule Scams Online criminals who conduct phishing and Trojan attacks need Internet money mules to receive the fraudulently obtained funds into their bank accounts 483 39 Western Union to an overseas address (Phase 6). The Internet banking fraud now complete typically the Internet bank involved identifies the Internet money mule and recovers the fee from the mule. The mule may then be subject to prosecution if it can be proven that they laundered the proceeds of crime however this generally requires them to have the requisite guilty knowledge or at least be reckless to the fact. The ABS Patterns of Internet Access in Australia Survey 2006 data represents numbers of people who have access to the Internet, based on the 2006 Census [1]. As the Internet money mule activity referred to in this paper involves those who have access to the Internet it is assumed that the demographic profile of money mules would mirror that of the general Internet user. Another hypothesis that they may otherwise mirror other Internet banking customers was discounted as investigators advised many of the Internet money mules were in fact new customers. [5] The age categories selected were based on those used in the ABS survey. In the data set obtained by the financial institution there was a total of 130 people where the age was unknown. There ages were distributed in the sample population in the same ratio as the distribution for those with known age as 79 male and 51 female. 5. Results A total of 660 accounts received illegally obtained funds. Of these 26 were in the name of joint account holders. For the purpose of this paper it was assumed that both account holders were money mules making the total number of money mules, 686. Table 1 represents the 686 money mules identified by the financial institution. In 71 cases there were multiple deposits made on different days. Figure 1. Anatomy of an Internet fraud 4. Methodology The data used in this paper has been obtained from de-identified database material gathered by the Internet fraud investigation team of a major Australian financial institution. As a basis of comparison, the ABS Patterns of Internet Access in Australia Survey 2006 [1] was used. The data supplied by the financial institution is particularly relevant as it represents actual cases of Internet money mule activity – where the mules had willingly given their account details for the receipt of illegally obtained funds. Unlike survey data it is not subject to possible bias that is often evident in selfreport statistics. It also represents a complete set of data, as it includes every case investigated by that financial institution for a calendar year (2007). While no doubt the financial institution’s investigation database on money mules is extensive, the fields supplied to the authors were less detailed to maintain confidentiality: gender (male, female or joint account holder), age in years (whole numbers), and postcode. According to fraud investigators at the financial institution, each case was entered in the investigation database chronologically as each incident of fraud was discovered or reported to bank staff. [5] Table 1. Internet money mules by age and gender by number Of the 686 money mules, 429 were male and 257 were female (Table 1). This meant in percentage terms males comprised 62.39% and females 37.61% (Figure 2). Of the 71 multiple instance of money mule activity, 53 were male and 21 were female. 484 40 female mules (all other things being equal) would be 35 each. Using a Pearson chi-square analysis, 2=7.08, df=1, p=0.0078, so there are significantly more multiple instances male mules than female mules. 6. Discussion Naturally there are statistical limitations to this work however the significance of the raw data cannot be underestimated. It is rare to obtain archival data sets such as this, and with this in mind, we seek to find any preliminary statistical trends and patterns, which emerge, many which warrant further investigation. There is a strong gender bias towards Internet money mules being males. This is even greater when the element of potential criminal intent is introduced with multiple instances (In multiple instances the mules have usually been advised the nature of the fraud already). The bias progressively increases as the age of the money mule increases. The proposition that males are more prone to this type of risky endeavour is partly supported by the KPMG Survey [6], which indicated that in 85 percent of profiles fraudsters were male. However this survey was heavily influenced by frauds against the company often by insiders who were senior management or executives (roles where men often predominate). Figure 2. Percentage break down of males and females from ABS statistics on Internet users compared to Internet Money Mules 5.1. Categorical Analysis of Mule Data 5.1.1. Sex Differences. The expected occurrence of male and female mules (all other things being equal) would be 343 each. Using a Pearson chi-square analysis, 2=21.91, df=1, p = <.0001, so there are significantly more male mules than female mules overall. 5.1.2. Age x Sex Differences. A Pearson chi-square analysis was performed within the different age bands shown in Table 1. The results are summarized below: • < 15: 2=0.00, df=1, p = 1.00, so there are no differences between males and females in this age range. • 15-24: 2=7.11, df=1, p = 0.0077, so there are significantly more male mules than female mules in this age range. • 25-34: 2=5.48, df=1, p = 0.0192, so there are significantly more male mules than female mules in this age range. • 35-44: 2=0.83, df=1, p = 0.3623, so there are no differences between males and females in this age range. • 45-54: 2=1.24, df=1, p = 0.2655, so there are no differences between males and females in this age range. • 55-64: 2=4.86, df=1, p = 0.0275, so there are significantly more male mules than female mules in this age range. • 65-74: 2=6.03, df=1, p = 0.0141, so there are significantly more male mules than female mules in this age range. • 75+: 2=3.61, df=1, p = 0.05, so there are significantly more male mules than female mules in this age range. Figure 3. Percentage break by age group from ABS statistics on Internet users compared to Internet Money Mules Figure 3 shows a comparison of the financial institutions mule data against the ABS statistics for Internet usage across the various age categories. Of the money mules, people between 25 and 34 represented 32.94 percent of the total, while those aged between 35 and 44 a represented 22.45 percent. Over 55 percent of all money mules were aged between 25 and 44. The 5.1.1. Multiple Instances Sex Differences. The expected occurrence of repeat offender male and 485 41 low representation (1.75 percent) of young people aged between 5 and 14 (even though they are a significant percentage of the total internet users – 17.22 percent) is expected as it would be more difficult for minors to open bank accounts without parental or guardian consent. In the 45 – 54 year old category the total number of mules are roughly consistent with the number of Internet users (16.65 percent versus 15.16 percent respectively). In the over 55, 65, and 75 categories mules are proportionally less then Internet users for the same categories. Figure 5. Postcodes of Internet money mules accounts mapped on Australia Figure 4. Percentage breaks down of males and females by age groups from ABS statistics on Internet users compared to Internet Money Mules Figure 4 shows the ABS and mule data age categories with gender highlighted. Apart from the equal distribution of mules in the Under 15 age group, there are significantly more males represented in every age category of the mule data. This difference is particularly evident in the 15 – 24 age range and in the 25 – 34 age groups. Of further interest is the complete absence of female mules in all age groups over 65. Figure 6. Postcodes of Internet money mules accounts mapped on Sydney 6.1. Analysis of Mule Postcodes Figure 7 shows the results of that comparison. While Queensland has a very similar percentage of mules to Internet users 20.09% to 20.69% the two most populous and with the largest urban centres NSW and Victoria account for a larger portion of the mules than Internet users. With NSW being 34.76% of the mules compared to 32.59% of the ABS Internet users and more significantly Victoria being 33.19% of the mules to 24.73% of the ABS Internet users. All the remaining states and territories representing fewer Mules than the ABS Internet users. Western Australia In the data set supplied to researchers by the financial institution was the postcode of the Internet money mule accounts involved in 660 incidents in 2007. Using that data the percentage breakdown between States and Territories was calculated. Researchers then compared these percentages to the 2006 ABS figures for Internet users by State and Territory. 486 42 being 6.42% of the mules compared to 10.17% of the ABS Internet users. South Australia being 3.29% of the mules compared to 7.49% of the ABS Internet users. Tasmania being 0.94% of the mules compared to 2.20% of the ABS Internet users and finally Northern Territory being 0.16% of the mules compared to 0.75% of the ABS Internet users. conjunction with similar profiling such as the work by KPMG [6]. While the size of the sample is small (some 660) it is the first look at Internet money mules as a group and is actual incident data rather than based on surveys. When compared to other human factors research in the cybercrime area such as Dhamija’s “Why Phishing Works” [4] where the sample size was a paltry 22, the sample is actually quite large. The geographical data itself needs further analysis and this will also form the basis of future research. Whether the differences in locality between the ABS Internet users and Internet money mule data are significant still needs to be shown. Of particular interest would be looking at whether there are any differences between urban and rural communities. The key lessons from this research and subsequent work is to better understand Internet money mule profiles so education can be targeted to those individuals and to better educate bank staff to identify those setting up accounts to be Internet Money Mules. While this demographic data does clearly help in this regard other profile elements need to be looked at in future research. These could include such things as profiling how Internet money mule accounts are established and operated in contrast to other account establishments. Figure 7. Percentage break down by state and territory from ABS statistics on Internet users compared to Internet Money Mules 8. References While one needs to exercise caution with drawing broad conclusions from this it does raise the possibility that those in populous states with large urban centres like Sydney and Melbourne are more prone to becoming mules. This will however require further research to establish. Further work is currently underway to create a heat map of these postcodes and to examine trends between urban and rural areas of each state and territory and of Australia as a whole. To illustrate the potential of this future work Figure 5 maps the mule postcodes on a map of Australia and Figure 6 on a map of the Sydney metropolitan area. [1] Australian Bureau of Statistics, “Patterns of internet access in Australia, 2006”, ABS, Canberra, 2007. [2] Australian Bureau of Statistics, “Personal Fraud, 2007”, ABS, Canberra, 2008. [3] Australian Institute of Criminology, "Money Mules", High Tech Crime Brief 16, 2007, Retrieved 23 March, 2008. [4] Dhamija, R., Tygar, J.D., and Hearst, M. “Why Phishing Works.” In Proceedings of the CHI 2006. Montréal, Québec, Canada, 2006 [5] Interview with subject Financial Institutions Internet Security Team (2008). Conference call phone interview. [6] KPMG, “Profile of a Fraudster Survey 2007”, KPMG International, Location, 2007. Retrieved 20 January, 2009. [7] S. McCombie, "Trouble in Florida: The Genesis of Phishing attacks on Australian Banks", 6th Australian Digital Forensics Conference Perth 2008. [8] S. McCombie, P. Watters, A. Ng, B. Watson, “Forensic Characteristics of Phishing - Petty Theft or Organized Crime?” Proceedings of WEBIST, 149-157 [9] A. Stabek, S. Brown, & P. Watters, “The Case for a Consistent Cyberscam Classification Framework (CCCF)”, Proceedings of the Cybercrime and Trustworthy Computing Workshop (CTC-2009). 7. Conclusion While this analysis is really preliminary and there is more work to be done to fully exploit the data it already does present a number of areas for future research. A clear trend is the over representation of males particularly in the 25-34 age group and in older age ranges where males predominate. The Internet money mule data needs to be further investigated in 487 43 Figure 3.1: Western Union Russian website 2010 Phishing the Long Line: Transnational Cybercrime from Eastern Europe to Australia. Chapter Three CASE STUDIES AND ETHNOGRAPHIC FEATURES OF EASTERN EUROPEAN CYBERCRIME 44 CHAPTER THREE: CASE STUDIES AND ETHNOGRAPHIC FEATURES OF EASTERN EUROPEAN CYBERCRIME 3.1 Introduction The previous chapter looked at the role and profile of Internet money mules, money laundering and examined new data on money flows out of Australia relating to the proceeds of phishing. Eastern Europe figured heavily in those transactions, particularly Russia, the Ukraine and other countries that were part of the former Soviet Union. This data is corroborated by a number of case studies including the first attacks on Internet banks in 2003 (See section 3.8). This chapter looks in detail at those first Internet Bank phishing attacks, what can be learnt about their source and the methodology of the attackers, and how this changed the crime paradigm. It also examines what makes Eastern Europe particularly suited to this activity; factors which include an organised crime tradition, high technical education levels, a high incidence of corruption and a large Internetconnected population. This chapter also examines the background of the Russian Federal Agency for Government Communications & Information, which appears to have aided the rise of EECGs. 3.2 Genesis of Phishing Attacks on Internet Banks While phishing as a term itself dates from the 1990s (Ramzan 2007) with attacks designed to compromise America On Line (AOL) accounts, Internet bank phishing did not start until 2003. Even though there were some isolated attacks on payment services Paypal and eGold in 2002, the first attack against a fully-fledged Internet Bank occurred in March 2003 (McCombie 2008). That bank was Australia’s formerly government owned, Commonwealth Bank of Australia. At the time it was Australia’s leading bank and its largest Internet Bank as measured by the number of customers who had Internet accounts. On Monday, 17 March, 2003, an email was sent out purporting to be from “admins at Commonwealth Bank”. The attack, when examined in retrospect, has a number of features associated with later attacks by EECGs : poor grammar, Windows character set 1251 (Cyrillic) and +0300 time zone (Eastern European Summer Time and Eastern Russia Standard Time). These particular features are dealt with in detail in Chapter 5. However, a unique feature of this and five other early attacks between March and early July 2003 was that they were all hosted at one particular provider in Florida. In contrast later attacks were widely distributed on compromised hosts across the world (McCombie 2008; McCombie 2009). The Florida provider was E-Biz Web Hosting Solutions LLC and had at the time as its Chief Technology Officer, Alex Mosh, alias Alex Mozhey. Mosh is a well known spammer and is listed in the Spamhaus Register of Known Spam Organisations (ROKSO). In 2007 he was listed as number one in the top spamming organisations worldwide (The Spamhaus Project 2007). As of 1 February 2011 he is listed as number three (The Spamhaus Project 2011). According to a number of his online profiles, he is a Russian speaking Ukrainian living in Odessa (McCombie 2009). Within the Phishing site for Westpac on 4 July 2003, the metadata of the page showed its directory path. This indicated that the username for the system, presumably on which the site was coded, was Alex Gnom. An Alex Gnom is listed on the Internet as a free lance programmer and web developer based in Lvov in the Ukraine on http://www.hightechhire.com. 45 Figure 3.2: Relationship Diagram for Phishing Incidents December 2002 to July 2003 (McCombie 2008) It would appear these first phishing sites were set up on dedicated infrastructure rather than on compromised systems as would later be the case. This may have been because the design and operation of these sites was, at this point, experimental. They therefore needed to be more closely monitored and controlled than a compromised host would allow. To achieve their aim the phishers need to create a replica of the real Bank website and have the capacity to capture user credentials. They then either store them locally for later retrieval or email them to a drop email account for use (often an anonymous account with Hotmail or Yahoo). While this would have been a relatively trivial programming exercise, it would still require some testing to work efficiently in disparate environments. In time, compromised hosts were used, presumably once the phishers became comfortable with the phishing site build and it could be easily set up in various environments without full access. These early attacks are of considerable interest for a number of reasons. They were created from scratch and did not utilise already created content. The phishers did not go to great lengths to hide their identities nor their methodology (as can be seen above) as would be the case later. There were only a handful of incidents over a number of months and thus they are easier to study in some detail. Amongst other things, significantly it reveals that, with the entire Internet connected world to choose from, Eastern European cybercriminals chose Australia as their first target. 3.3 Alex Mozhey Update Since the publication in December 2009 of “Trouble in Florida” (Section 3.8), which identified the connection between Alex Mozhey, Alex Mosh, Pilot Holding LLC and E-Biz Hosting Solutions LLC, the Linked-in page of Alex Mozhey has been updated by the removal of details of his working at those two businesses. That paper is easily found on the Internet under a simple Google search for ”Alex Mozhey”. It is not known why the Linked-in entry was amended but the possibility that Mozhey became aware of the paper and made these changes is likely (See figure 3.3 below). 46 Figure 3.3: LinkedIn Profile of Alex Mozhey 2008 and 2011. Note absence of Pilot Holding LLC and EBiz Hosting Solutions LLC. 3.4 Advantageous Environment for Cybercrime An examination of the factors that make Eastern Europe an advantageous environment for cybercrime requires an assessment of what unique features exist within this environment. Using available data on Internet usage and penetration, education levels, corruption perception index and scholarship on the organised crime tradition in those countries, a rather unique environment favouring the development of cybercrime was identified in the countries that comprised the former Soviet Union and in particular Russia and the Ukraine. This is also dealt with in Section 3.8 in the paper “Cybercrime Attribution: An Eastern European Case Study” but additional and more recent material is included here. 3.4.1 Education Levels To plan and commit Phishing and related cybercrime, a level of technical knowledge is required. As such, a relevant factor in a country’s profile for phishing and related cybercrime is the level of technical education. The United Nations Educational, Scientific and Cultural Organisation (UNESCO) and the World Bank publish details of tertiary education levels for most of the world’s nations. The figures include the Gross Enrolment Ratio (GER) for tertiary education. Tertiary GER is the number of pupils enrolled in tertiary education, regardless of age, expressed as a percentage of the population of the five-year age group following on from the secondary school leaving age (UNESCO 2007); see Table 3.1 below. 47 Table 3.1: Gross Enrolment Ratio (GER %) for tertiary education. Countries of the former Soviet Union in yellow (UNESCO 2007) Country GER % Country GER % Country GER % Korea, Rep. 96 Lebanon 49 Bermuda 22 Finland 94 Serbia 48 Cayman Islands 20 Greece 91 Mongolia 48 Tajikistan 20 Slovenia 85 Switzerland 47 Indonesia 18 United States 82 Croatia 47 Guatemala 18 Denmark 80 West Bank and Gaza 46 Brunei 15 New Zealand 79 Thailand 46 Azerbaijan 15 Ukraine 76 Panama 45 India 13 Norway 76 Kyrgyz Republic 43 Guyana 12 Lithuania 76 Hong Kong 42 Lao PDR 12 Russia 75 Moldova 41 South Asia 11 Australia 75 Bolivia 38 Morocco 11 Sweden 75 Jordan 38 Qatar 11 Iceland 72 Turkey 37 Myanmar 11 Latvia 71 Georgia 37 Yemen, Rep. 10 Spain 68 Cyprus 36 Uzbekistan 10 Belarus 68 Macedonia, FYR 36 Cape Verde 10 Argentina 68 Ecuador 35 Cote d'Ivoire 8 Hungary 67 Armenia 34 St. Lucia 8 Italy 67 Bosnia Herzegovina 34 Guinea 8 Poland 67 Aruba 33 Cameroon 7 Estonia 65 Malta 33 Bangladesh 7 Uruguay 64 Colombia 33 Senegal 6 Belgium 62 Malaysia 32 Ghana 6 Ireland 61 Tunisia 32 Bhutan 5 Israel 60 Saudi Arabia 31 Mali 5 Netherlands 60 Liechtenstein 31 Cambodia 5 United Kingdom 59 Brazil 30 Togo 5 Romania 58 Iran, Islamic Rep. 30 Pakistan 5 Japan 58 Egypt, Arab Rep. 29 Congo 4 Portugal 57 Paraguay 29 Mauritania 4 Macao 55 American Samoa 28 Ethiopia 4 France 55 Mexico 26 Madagascar 4 Czech Republic 54 World 26 Djibouti 3 Chile 52 Algeria 24 Burkina Faso 3 Kazakhstan 51 El Salvador 24 Burundi 2 Austria 50 Mauritius 23 Tanzania 1 Slovak Republic 50 Oman 23 Niger 1 Bulgaria 49 China 22 Malawi 0 48 UNESCO also produces data on tertiary graduates by discipline. The two discipline areas of interest are on the one hand science and on the other engineering, manufacturing and construction. Computer science and information technology cut across both these areas depending on the degree but the information is still a good indicator of the level of relevant technical education. Unfortunately, data is not supplied for China or India but all other major nations are represented in the data. All countries with greater than 10,000 graduates in those two areas are listed below in Table 3.2 and 3.3. Table 3.2: 2007 Graduates in Science by Country >10,000. Countries of the former Soviet Union in yellow (UNESCO 2007) Country Graduates in Science United States of America 234312 Russian Federation 115320 United Kingdom 85692 Brazil 57705 Republic of Korea 44984 Mexico 43517 Poland 42931 Myanmar 39681 Turkey 33322 Iran (Islamic Republic of) 33306 Japan 31711 Malaysia 31195 Italy 26638 Spain 26223 Saudi Arabia 21069 Ukraine 19970 Argentina 16892 Algeria 14499 Morocco 13422 Romania 10665 Portugal 10350 49 Table 3.3: 2007 Graduates in engineering, manufacturing and construction by Country >10,000. Countries of the former Soviet Union in yellow (UNESCO 2007) Country 3.4.2 Graduates in engineering, manufacturing and construction Russian Federation 428803 Japan 189417 United States of America 189247 Republic of Korea 159559 Ukraine 113475 Iran (Islamic Republic of) 106205 Mexico 67587 Turkey 56454 Italy 55538 United Kingdom 54883 Malaysia 51092 Viet Nam 49529 Spain 46906 Poland 46328 Brazil 46042 Romania 29728 Belarus 25758 Colombia 25193 Portugal 16290 Algeria 15190 Chile 15099 Argentina 12866 Czech Republic 12445 Sweden 10345 Corruption Levels Similarly relevant to the commission of these crimes is the level of corruption in the particular society. Corruption in the society means crime may be more acceptable and efforts to combat those crimes less effective. In a more corrupt society the likelihood of arrest is lower, as long as protection money is payed either via a gang (known as a “roof” in Eastern Europe) or direct to law enforcement. Transparency International produce an index of countries based on a series of surveys called the Corruption Perception Index (CPI). The CPI ranks almost 200 countries by their perceived levels of corruption, as determined by expert assessments and opinion surveys. It is a survey of surveys. A low score represents a higher perception of corruption. 50 Table 3.4: Corruption Perception Index (CPI) for countries 2.4 or lower. Countries for the former Soviet Union in yellow (Transparency International 2010) Rank out of 178 Country CPI Rank out of 178 Country CPI 134 Bangladesh 2.4 154 Congo-Brazzaville 2.1 134 Honduras 2.4 154 Guinea-Bissau 2.1 134 Nigeria 2.4 154 Kenya 2.1 134 Philippines 2.4 154 Laos 2.1 134 Sierra Leone 2.4 154 Papua New Guinea 2.1 134 Togo 2.4 154 Russia 2.1 134 Ukraine 2.4 154 Tajikistan 2.1 134 Zimbabwe 2.4 164 Democratic Republic of Congo 2.0 143 Maldives 2.3 164 Guinea 2.0 143 Mauritania 2.3 164 Kyrgyzstan 2.0 143 Pakistan 2.3 164 Venezuela 2.0 146 Cameroon 2.2 168 Angola 1.9 146 Côte d´Ivoire 2.2 168 Equatorial Guinea 1.9 146 Haiti 2.2 170 Burundi 1.8 146 Iran 2.2 171 Chad 1.7 146 Libya 2.2 172 Sudan 1.6 146 Nepal 2.2 172 Turkmenistan 1.6 146 Paraguay 2.2 172 Uzbekistan 1.6 146 Yemen 2.2 175 Iraq 1.5 154 Cambodia 2.1 176 Afghanistan 1.4 154 Central African Republic 2.1 176 Myanmar 1.4 154 Comoros 2.1 178 Somalia 1.1 Transparency International in their 2010 survey examined the percentage of users of services reporting they paid a bribe to receive attention from at least one of nine different service providers in the previous 12 months. Services included: education, judiciary, medical services, police, registry & permit services, utilities, tax revenue and customs. A list of response percentages is below in Table 3.5. They also asked, in the past three years, how has the level of corruption in this country changed. List of response percentages for selected countries for the former Soviet Union is below in Table 3.7. 51 Table 3.5: Percentage of users of services reporting they paid a bribe to receive attention from at last one of nine different service providers in the past 12 months, 7% or greater (Transparency International 2010A). Countries for the former Soviet Union in yellow. Country Percentage Country Percentage Country Percentage Liberia 89% Lithuania 34% Indonesia 18% Uganda 86% Lebanon 34% Greece 18% Cambodia 84% Turkey 33% Serbia 17% Sierra Leone 71% El Salvador 31% Philippines 16% Nigeria 63% Mexico 31% Luxembourg 16% Afghanistan 61% Bolivia 30% Kosovo 16% Senegal 56% Romania 28% Vanuatu 16% Iraq 56% Belarus 27% Latvia 15% India 54% Papua New Guinea 26% Poland 15% Cameroon 54% Russia 26% Czech Republic 14% Palestine 51% Hungary 24% Italy 13% Pakistan 49% Colombia 24% Argentina 12% Mongolia 48% Thailand 23% Fiji 12% Azerbaijan 47% Bosnia & Herzegovina 23% China 9% Kenya 45% Armenia 22% Malaysia 9% Vietnam 44% Peru 22% Austria 9% Zambia 42% FYR Macedonia 21% Japan 9% Ghana 37% Chile 21% Singapore 9% Moldova 37% Venezuela 20% Bulgaria 8% Ukraine 34% Solomon Islands 20% Taiwan 7% 3.4.3 Organised Crime Tradition Eastern Europe and in particular Russia have an organised crime tradition dating back to the days of the Tsar. While the popular image of Russian “Mafiya” is a somewhat fanciful Hollywood view of machine gun-toting goons, the reality is highly organised and sophisticated crime operations mixed with legitimate business enterprises which are particularly adept at money laundering. See Section 3.8, Cybercrime Attribution: An Eastern European Case Study, for more detail. 3.4.4 Corruption of State Security: Federal Agency for Government Communications & Information As noted in the introduction, the 2003 disbanding of the Russian Federal Agency for Government Communications & Information (FAPSI) led to a number of highly trained information warriors going to work for Russian organised crime (Galeotti 2007). The functions of FAPSI had been originally under the KGB prior to the devolution of the Soviet Union and many of their staff were originally with the KGB. While not a lot is known about the operations of FAPSI, in 1997 Vladimir Markomenko, the then deputy director of FAPSI, stated that the "information war" concept comprised four components: 1. The suppression of components of the infrastructure of state and military administration (destruction of command and control centres); electromagnetic pressure on components of the information and telecommunications system (electronic warfare) 52 2. Acquisition of intelligence through intercepting and deciphering information flows transmitted via communications channels, also though spurious radiation, and through electronic information intercepting devices especially planted in premises and in technical systems (electronic intelligence) 3. Unauthorised access to information resources (by the use of software and hardware for penetrating systems for the protection of enemy information and telecommunications systems) with subsequent distortion, destruction, or theft, or a disruption of the normal operations of these systems (hacker warfare) 4. Formation and mass dissemination by enemy information channels or global data interaction networks of disinformation or tendentious information for influencing the opinions, intentions, and orientation of society and decision makers (psychological warfare). (Argentura 2011) Component 3 (hacker warfare) could well include Phishing. Even in theearly 1990s when the commercial Internet was relatively limited Waller (1994) made the startling observation of FAPSI and organised crime that: FAPSI poses a new threat to legitimate businesses in Russia and the West, and is a potential window for the secret police and organized crime to enter the information highway on an unprecedented scale. (Waller 2004) In 1998 testimony to the United States Congress Joint Economic Committee by Victor Sheymov, a former KGB Major and head of the Cipher division, he observed a change in priorities for FAPSI with the end of the Cold War: ...the end of the Cold War somewhat shifted goals, objectives, and some targets of the FAPSI toward a heavier emphasis on intercept of technological, commercial and financial information. (Joint Economic Committee United States Congress 1998) This interception of financial information could well have included early Internet banking data, and plans to defraud Western Banks developed as either State sanctioned information warfare or in a criminal conspiracy with Russian organised crime. In 1996 FAPSI with its commercial arm created an Internet service provider called “Business Network of Russia” (Argentura 2007). While it is not known if it is linked to the notorious Russian Business Network (Zenz 2007) (See section 3.8), the similarity in the name is worth further investigation. 3.4.5 Internet Penetration The availability and cost of Internet access is also a key factor in the ability to commit phishing and related cybercrime. Thus the penetration of Internet and the total population with access to the Internet is relevant. The International Telecommunications Union (ITU) is the lead United Nations agency for information and communication technology issues. They produce global statistics for Internet usage. This includes total and per capita Internet users and per capita Internet subscribers. 53 Table 3.6: Countries of the former Soviet Union estimated Internet users per 100 inhabitants 2000-2009 (ITU 2010) Country Armenia Azerbaijan Belarus Estonia Georgia Kazakhstan Kyrgyzstan Latvia Lithuania Russia Tajikistan Turkmenistan Ukraine Uzbekistan Estimated Internet users per 100 inhabitants 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 1.30 0.15 1.86 28.58 0.48 0.67 1.04 6.32 6.43 1.98 0.05 0.13 0.72 0.48 1.63 0.31 4.30 31.53 0.99 1.01 3.00 7.22 7.18 2.94 0.05 0.18 1.24 0.60 1.96 5.00 8.95 41.52 1.59 1.67 3.00 21.94 17.69 4.13 0.06 0.30 1.87 1.08 4.58 16.22 45.32 2.56 2.00 3.91 26.98 25.91 8.30 0.06 0.43 3.15 1.91 4.90 24.95 53.20 3.89 2.65 5.09 38.58 31.23 12.86 0.08 0.75 3.49 2.59 5.25 8.03 26.49 61.45 6.08 2.96 10.53 46.00 36.22 15.23 0.30 1.00 3.75 3.34 5.63 11.99 63.51 7.53 3.27 12.31 53.63 43.90 18.02 3.77 1.32 4.51 6.39 6.02 14.54 66.19 8.26 4.02 14.03 59.17 49.90 24.66 7.20 1.41 6.55 7.49 6.21 17.08 70.58 23.78 11.00 15.70 63.41 55.22 26.83 8.78 1.49 10.55 9.08 6.75 27.40 27.43 72.50 30.51 18.20 40.03 66.84 59.76 29.00 10.07 1.57 17.00 17.06 Figure 3.4: Internet Users per 100 inhabitants 2010 (ITU 2010) 54 ITU also calculated relative costs for information and communication technology (ICT) access known as the ICT Price Basket. It found that relative costs for ICT were similar for Russia and other countries of the former Soviet Union (CIS) to that in the America despite the significantly higher Gross National Income (GNI) per capita (See figure 3.5 below). Figure 3.5: ICT Price Basket across Regions (ITU 2008) 3.5 Russia in Profile Russia has a population of 139,390,205 and its per capita GDP is USD$15,900 (CIA Factbook, July 2010). It has a very low CPI of 2.1, ranking it in the bottom 15% of countries, at 154 of 178; the same score as Laos and the Central African Republic. In 2010, 26% of users reported they paid a bribe to receive attention from providers in at least one of nine service categories (education, judiciary, medical services, police, registry & permit services, utilities, tax revenue and customs) in the previous 12 months. In the same survey 39% said the level of corruption was the same as it was 3 years prior, 53% said it had increased and only 8% said it had decreased. Assessing Russia’s government efforts to fight corruption, 52% of respondents said those efforts were ineffective. Table 3.7: Responses to question, in the past 3 years, how has the level of corruption in this country changed Countries for the for selected countries of the former Soviet Union (Transparency International 2010A) Country Decreased Same Increased Azerbaijan 28% 20% 52% Belarus 24% 49% 27% Georgia 78% 13% 9% Moldova 12% 35% 53% Russia 8% 39% 53% Ukraine 7% 63% 30% Russia’s tertiary GER is very high at 75% and within the top 10% of countries, the same as Australia and Sweden. It ranks second in the world in number of graduates in science (115,320) and first in the number of graduates in engineering, manufacturing and construction (428,803). 55 In 2008 Russia had more than 30 million Internet subscribers with a penetration of over 26 users per 100 of population (ITU 2010). Table 3.8: Response to question how would you assess your current government's efforts to fight corruption Countries for selected countries of the former Soviet Union (Transparency International 2010A) Country 3.6 Ineffective Neither Effective Armenia 53% 20% 27% Azerbaijan 26% 9% 66% Belarus 26% 35% 39% Georgia 12% 11% 77% Moldova 52% 30% 18% Russia 52% 22% 26% Ukraine 59% 24% 16% Ukraine in Profile Ukraine has a population of 45,134,707 and its GDP is USD$6,700 (CIA Factbook, July 2010). It has a low CPI of 2.4, but higher than Russia, putting it at 134 of 178 countries; the same as Zimbabwe. In Ukraine 34% of users of services report they paid a bribe to receive attention from one of nine (education, judiciary, medical services, police, registry & permit services, utilities, tax revenue and customs) service providers in the previous 12 months. In 2010, 63% said corruption was the same as it was three years previous and 30% said it had increased. Only 7% said it had decreased. Assessing the Ukrainian government's efforts to fight corruption, 59% of respondents said those efforts were ineffective, seven points higher than Russia. Ukraine’s tertiary GER is very high at 76%, eighth highest in world. While it only ranks 16th in the world in number of graduates in science (19970), it is fifth in the number of graduates in engineering, manufacturing and construction (113475). By 2008 Ukraine had over 6 million Internet users and Internet penetration of over 10 users in 100 (ITU 2010). 3.7 Conclusion As can be seen Russia and the Ukraine are uniquely suitable for the growth of cybercrime. They have a tradition of organised crime, high levels of corruption, high levels of technical education and relatively good access to the Internet. The first phishing attacks on Internet Banks from March to July 2003 can be attributed to Ukrainian spammers with Eastern European groups responsible for a significant portion of subsequent attacks. Chapter Five examines other supporting data for this attribution, namely the features within phishing artefacts, in particular phishing emails. The next chapter examines the online market for compromised credentials, compromised systems, exploit code, crimeware and other resources to support phishing and credit card fraud. 3.8 References McCombie, S. (2008). Trouble in Florida: The Genesis of Phishing attacks on Australian Banks. 6th Australian Digital Forensics Conference. Perth. McCombie, S., J. Pieprzyk, et al. (2009). Cybercrime Attribution: An Eastern European Case Study. 7th Australian Digital Forensics Conference. Perth. 56 Edith Cowan University Research Online Australian Digital Forensics Conference Security Research Centre Conferences 3-12-2008 Trouble in Florida: The Genesis of Phishing attacks on Australian Banks Stephen McCombie Macquarie University Originally published in the Proceedings of the 6th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, December 3rd 2008. Recommended Citation McCombie, Stephen, "Trouble in Florida: The Genesis of Phishing attacks on Australian Banks" (2008). Australian Digital Forensics Conference. Paper 48. http://ro.ecu.edu.au/adf/48 This Article is brought to you by the Security Research Centre Conferences at Research Online. It has been accepted for inclusion in Australian Digital Forensics Conference by an authorized administrator of Research Online. For more information, please contact c.burnop@ecu.edu.au. 57 Trouble in Florida: The Genesis of Phishing attacks on Australian Banks Stephen McCombie Cybercrime Research Lab, Macquarie University mccombie@ics.mq.edu.au Abstract Today Phishing of Internet banks is a well know problem and globally is responsible for more than US$3 billion in fraud annually. To date there has been limited research into the individuals and groups responsible for these attacks. Considerable anecdotal evidence exists to suggest that transnational organised crime groups are involved in Phishing. The involvement of these groups, particularly those operating out of Eastern Europe, is of concern given their sophistication and resources. Earlier work by CRL@mq looked at a month of Phishing against one Australian financial institution and clustering indicative of a small number of groups being responsible was seen. To get a better picture of the nature of the groups behind Phishing we now look back to the genesis of attacks against Internet banks. The first attacks against Australian banks started in March 2003 and were in fact the first attacks of this kind against Internet banks globally. We examine these incidents as a case study and look at the individuals and organisations involved. The circumstances behind these attacks are clearer now than might be imagined given none of the perpetrators were indentified at the time. We then briefly examine how much Phishing has changed in the intervening 5 years. KEYWORDS Computer crime case studies, cybercrime, Phishing, money laundering, e-crime, e-fraud, Internet banking fraud. INTRODUCTION Phishing is a well-known problem, accounting for as much as 1 out of every 281 Internet email messages in September this year (Messagelabs 2008). Gartner estimated that annual losses from Phishing attacks in the US alone went from USD$928 Million in 2005 (Litan 2005) to USD$3.2 Billion in 2007 (Gartner 2007). APACS, the UK payments association, reported UK online banking fraud was GBP£21.4 million in the first six months of 2008 (APACS 2008). Phishing attacks today are so frequent and numerous it is difficult to understand their true scope or to understand the actors behind them except in isolation. Earlier work at the Cybercrime Research Lab @ Macquarie University (CRL@mq) looked at Phishing against one Australian financial institution in July 2006 and examined the archival data available in that case (McCombie 2008). In that case study some clear indicators of a discrete number of attackers being involved in multiple was observed. That archival study examined data that covered just one organisation in one country over one month and as such a tiny portion of the total. Given that, this work is aimed at looking at an earlier time when Phishing was not an everyday occurrence against financial institutions, was little known and therefore relatively discrete. This time is very late 2002 to the middle of 2003. Examining archival material and other work from this period we get a picture of the circumstances behind this early Phishing and some insight into how and why it began the way it did. Surprisingly the participants behind the scenes may be easier to identify than we would expect given no one has been arrested for these early attacks. However at that time the nature of the problem was little known and certainly not well understood. What now seem rather suspicious associations may have been completely missed by responders and law enforcement at the time. The rise of Phishing has seen the “Black Hat” hacker community in recent years transformed from a culture based largely on youthful exploration to one focused on criminal profit. With that shift markets for “Phishing” tools, for “Botnets”, for zero day vulnerabilities and compromised credentials have been established to support this highly organised criminal trade. Spammers, malware writers, hackers and organised crime have come together as never before. Extensive efforts to facilitate the laundering of the illicit earnings of these crimes have also been observed with third parties known as “mules” utilised along with the services of various companies, such as Western Union, which perform international wire transfers. These mules, often unwittingly, act as agents to forward and launder proceeds of Internet banking fraud using their own accounts. The money is then drawn out in cash by the mule and then wired overseas. 58 Considerable anecdotal evidence exists to suggest that transnational organised crime groups are involved in this “Phishing”. Their alleged involvement in these attacks has received extensive coverage in the press with headlines like “Dutch Botnet Trio Reportedly Connected To Russian Mob” (Keizer 2005), “Return of the Web Mob” (Naraine 2006). The US President’s Identity Theft Task Force, set up to combat Phishing and other identity, theft reported in 2007, “Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer - or Internet-related identity theft schemes (The President’s Identity Theft Task Force 2007).” Groups from Russian Federation, the Ukraine and Romania were identified by the US Secret Service as being responsible for a number of the attacks (The President’s Identity Theft Task Force 2007). The involvement of transnational crime groups, particularly those operating out of Eastern Europe, is of concern given their sophistication and resources. For example, Galeotti (2006) suggests that former members of the Russian Federal Agency of Governmental Communication and Information (FAPSI) - whose role was similar to that of the US National Security Agency - were recruited by organised crime groups as computer hackers when FAPSI was disbanded in 2003. Notably, this was around the same time Phishing became a significant problem and this case study relates. Galeotti also suggests other former USSR states such as Latvia are being used by Russian gangs to commit phishing attacks (2005). In February 2007, Microsoft's Chief Security Advisor in the UK, Edward Gibson (a former FBI Agent), was quoted by Viruslist.com saying, “it’s not the hacker crackers you have to worry about, but the Ukrainian mafia” (Kornakov 2007). Some of the organised crime groups are believed to use legitimate enterprises they are involved in to support illegal activities. The large Russian organised crime group Tambov was believed to have used its petrol distribution company PTK’s IT division to commit phishing attacks (Galeotti 2008). Some Russian IT organisations are also suspected of being purely being vehicles for Internet crime such as the now infamous Russian Business Network (Zenz 2007). Russian organised crime first entered the United States in numbers in the 1980s and set up significant bases in Brighton Beach New York and in Miami Florida (Friedman 2000). This case study concerns three businesses based in Florida. To date there has been limited research into the individuals and groups behind “Phishing”. To effectively combat this problem we need to better understand the disposition and motives of these criminals. This paper aims to be a further step in delivering this important analysis to help government and industry address this problem. PHISHING HISTORY The term Phishing originated in 1996 to refer to a practice of tricking users into giving up their America OnLine (AOL) accounts to be used to distribute warez (pirated software) and other misuse. Originally the attacker would use instant messaging and purport to be an administrator from AOL. They would then ask users to provide their credentials. Later emails were used in a similar fashion. AOL actively policed the problem and by 2000 it all but disappeared (Ramzan 2007). A NEW TYPE OF PHISHING Starting in late 2002 a new style of Phishing attack began. The AOL phishers in the process of taking over AOL accounts had also got access to bank credit card details and they sometimes used them to use them to pay for services on the net (Ramzan 2007). Now taking the concept one step further, the target would be the banks themselves. In 2000 despite the significant growth of Internet banking in a number of countries Internet banking fraud was virtually non-existent. Its notable that originally Commonwealth Bank of Australia’s NetBank used a fat client and National Australia Bank’s Internet Banking used client side certificates. These measures had been dropped by both these organisations by 2003. While a number of observers have spoken of this change to Phishing most seem to indicate it started in the second half of 2003 or later (Grigg 2005)(Youl 2004)(James 2005)(Harley 2007) this research shows it was clearly happening in the first six months of 2003. The below timeline by Grigg shows Phishing switching to online banks in the end of 2003. It should be noted Grigg makes mention of two earlier attacks in his paper against e-Gold but this author was unable to find any references that support this or any other material to help understand the style of those early attacks (Grigg 2005). 59 Figure 1 The Battle of Online Banking (Grigg 2005) THE VICTIMS E - GOLD The first victim of new style of Phishing was Florida based E-Gold not an Internet Bank per se. E-Gold, who in recent years has seen its’ directors charged with money laundering (Broache 2007), is an Internet global payment provider who backs each transaction in gold. Customers hold their balances in gold rather than currency. E-Gold is believed to have had organised crime figures as customers prior to the attack and this may be part of the reason they became the first victim of this style of phishing attack. Jeffrey Taylor, U.S. Attorney for the District of Columbia, would later characterise them as having, "Criminals of every stripe gravitated to E-Gold as a place to move their money with impunity (Department of Justice 2007)" On Saturday 28 December 2002 during the quiet Christmas New Year period an email purporting to be from EGold support was spammed out to a large number of Internet users. It’s said, “Dear Valued Customer - Our new security system will help you to avoid frequently fraud transactions and to keep your capitals in safety. - Due to technical update we recommend you to reactivate your account. Click on the link below to login and begin using your updated e-gold account. (Riley 2003)” An email message like this is now a red flag to indicate a Phishing email, however despite the poor grammar, at the time it was a clever hook to get E-Gold credentials from customers. The web server hosting the Phishing page belonged to the IP range of 3d Wizards Hosting in Winter Park Florida on the address https://64.46.113.69/login.htm. The https certificate for that page belonged to cyberinvestigation.net, allegedly issued by ebizhostingsolutions.com (Riley 2003). E-Biz Hosting Solutions used some of the IP space of 3d Wizards and were also located in Winter Park Florida. One of the email samples seen by the author seems to have originated from a system at lsanca1-ar13-4-60-133-139.lsanca1.dsl-verizon.net [4.60.133.139] (Riley 2003). This appears to be a compromised system in the USA belonging to Verizon’s DSL network. COMMONWEALTH BANK OF AUSTRALIA The next victim was as different an organisation from E-Gold as one could find. Commonwealth Bank of Australia (CBA) formerly a wholly government owned bank in Australia. It is the largest Australian bank with a $58.2 billion market capitalisation as of October 2008 (Zappone 2008). The one thing it did share in common with E-Gold is its early presence on the Internet and its more advanced functionality for users to transfer their money. On Monday 17 March 2003 an email was sent out purporting to be from “admins at Commonwealth Bank”. It used much of the same text as the attack on E-Gold and was again hosted on an IP belonging to 3d 60 Wizards in Winter Park Florida on the address http://64.46.113.74/netbank/bankmain.htm. The Head of Security of the CBA was the former head of the Electronic Services Section of the Australian Federal Police (AFP) and he took no time in getting the AFP involved in investigating the matter. AFP agents from the Sydney office were assigned and in conjunction with NSW Police started an investigation. The law enforcement response was to follow the money. When compromised credentials were used and money transferred to a Croatian man recruited on a Croatian community website in Tasmania to be what would be later referred to as a “money mule”. He was arrested by Police picking up the proceeds of one compromised account at a branch but as with money mules today was not able to identify the ultimate beneficiary of the fraud (Colley 2003). At the same time an apparent good citizen, Kevin Searle, who posted using the name Wombat to the news.admin.netabuse.email newsgroup detailing the attack. He had contacted CBA indicating that this site was hosted on Florida and he also alerted Sydney Police and the Florida Computer Crimes Unit. Searle later told his story to Sam Varghese from the Sydney Morning Herald (Varghese 2003). Figure 2 CBA email 17 May 2003 (Searle 2003) 61 ANZ The Commonwealth Bank incident was publicised in the Australian and International media. Other Australian banks started to look at their vulnerability to similar attacks. They did not have to wait long. On 10 April 2003 another Phishing email was sent, this time targeting ANZ bank and coming from from “newzs at anzbank.com”. ANZ Bank (Australia and New Zealand Bank) is Australia’s third largest bank. The samples seen by the author originated from 0x50a104ef.virnxx9.adsl-dhcp.tele.dk [80.161.4.239] and d141-107-221.home.cgocable.net (d141-107-221.home.cgocable.net [24.141.107.221], which appear to be compromised systems in Denmark and the USA. The site was again hosted by 3d Wizards in Florida at the address http://64.46.114.91/ and used similar text the attacks of CBA and E-Gold. On its ftp port the server at that IP responded as server2013.ebizhostingsolutions.com. Another good citizen informed ANZ and passed on details of the hosting company and Adam Kling from E-Biz Hosting Solutions as a contact. ANZ contacted Adam Kling and asked for the site to be removed, which happened a few days after. Figure 3 ANZ Phishing Email 10 April 2003 (Scheid 2003) BANK OF AMERICA While other Australian Banks became increasingly concerned about a potential attack the next Phishing incident moved offshore. On 12 May 2003 a Phishing email was sent out targeting Bank of America. It again used similar text to the attacks on E-Gold, CBA and ANZ. The site this time was hosted by Verio a large hosting provider registered in Colorado and Florida at the address http://198.173.235.126/index.htm. 62 Figure 4 Bank of America Phishing Email 12 May 2003 (Jennings 2003) WESTPAC Australia’s fourth-largest bank at this time was Westpac but was the second most popular on-line bank which had watched the recent events against its competitors Commonwealth Bank and ANZ closely. On 4 July 2003, US Independence Day they become subject of a Phishing attack. Again the same text was used as the previous banks and a site on IP space managed by 3d Wizards was involved using a domain belonging to E-Biz Hosting Solutions at the address http://d308902.website29.ebizdns.com/login.htm. A Westpac graphic was used in the html version of the email. Westpac reported the matter to the Australian Federal Police who were already engaged in the earlier ANZ and Commonwealth Bank incidents. Contact was made with E-Biz Hosting administrators via ICQ who turned out to be in Ukraine and the site was shut down after two days. 63 Figure 5 Westpac Phishing Email 4 July 2003 (Clapperton 2003) Date 28-Dec-02 17-Mar-03 11-Apr-03 12-May-03 4-Jul-03 4-Jul-03 Victim e-Gold CBA ANZ Bank Of America Westpac ANZ Subject Security Server Update Netbank Security Server Update Security Server Update Security Server Update Security Server Update Security Server Update Phishing Site IP 64.46.113.69 64.46.113.74 64.46.114.91 198.173.235.126 64.46.100.64 64.46.113.208 Table 1 Selected List of Phishing Attacks 28/12/2002 to 4/7/2003 OTHER PHISHING ATTACKS IN THIS PERIOD Two other Internet banks had Phishing attacks during this period. On 19 May 2003 after the Bank of America incident there was an attack on Citibank using a site at http://209.97.63.225/cgi-bin/webforms.pl (Rohrich 2003). Also in May there was an attack on First Union Bank part of Wachovia Corporation another large US Bank (Fisher 2003). There are limited details of these attacks available so it is unknown whether they are related to the six phishing attacks described above. 64 THE HOSTING COMPANIES 3D WIZARDS 3d Wizards owned the IP space for five of the Phishing sites in this period and were part of DataColo, which was managed by Carlos Rego. The company was also known as Relio Ltd. It was based in Winter Park Florida. DATACOLO DataColo owned the larger block in which 3d Wizards block resided and similarly was managed by Carlos Rego. It was also based in Winter Park Florida. E-BIZ HOSTING SOLUTIONS E-Biz Hosting Solutions is also based in Winter Park Florida. It uses 3D Wizards IP space and was the domain owner of the domain used in the Westpac and both ANZ sites and appeared to have issued the https certificate for the e-Gold web site. It may well have used the other IPs associated the attacks that were part of 3d Wizards hosting space but this is unable to be confirmed. Adam Kling is listed in various documents as the President but the Vice-President is listed as Maxim Unger from Odessa Ukraine. Alex Mosh also from Odessa Ukraine is mentioned as CTO and employee in a number of newsgroup postings and is described in more detail below. A number of other Ukrainians or expatriate Ukrainians also seem to be associated with E-Biz Hosting Solutions in admin and sales roles according to Internet posts, including Tim Rogovets, Constantin Pogorelov and Kate Foteva. Figure 6 Florida Department of Commerce Filing for E-Biz Hosting Solutions (http://www.sunbiz.org) THE INDIVIDUALS ADAM KLING Adam Daniel Kling is listed as the President of E-Biz Hosting Solutions. On a number of the incidents 3d Wizards administrators and other upstream providers gave his name and contact number to responders and he was contacted to shut both the ANZ Phishing sites down. He appears to be a resident of Florida. How he came 65 to be working with Maxim Unger, Alex Mozhey (see below) and a number of others from the Ukraine is unknown. ALEX MOZHEY, ALEX BLOOD, ALEX MOSH, ALEX POLYAKOV Listed in a number of Internet news postings as an employee and CTO of E-Biz Hosting Solutions is Alex Mosh. Alex Mosh is listed on the spamhaus Register of Known Spam Organisations (ROKSO) top ten list as of spammers, currently No.3 as of 6 October 2008 (http://www.spamhaus.org/statistics/spammers.lasso). In 2007 he was listed No.1. He has a number of aliases including Alex Blood and Alex Polyakov. The name Alex Polyakov is a Russian spy character from John Le Carre’s novel Tinker, Tailor, Spy, which may explain its use. Alex Mosh used an ICQ address when working for E-Biz Hosting Solutions, which now is used by an Alex Mozhey who lists in his linked-in profile that he indeed worked for E-Biz Hosting Solutions as CTO. In his profile Mozhey also lists being the CTO for Pilot Hosting, which is also associated with Alex Mosh and listed frequently by ROKSO in connection with spamming. Mozhey and Mosh are likely to be the same person. Figure 7 Alexander Mozhey’s Linked-in profile (http://www.linkedin.com) Mosh’s ROKSO record also connects him with money laundering or money mules and now acknowledged as a key part of Phishing. Mosh’s ROKSO record lists website Verimeraustralia.com used in 2005 for recruiting money mules in Australia and is connected with the entities and pseudonyms used by Alex Mosh. 66 Figure 8 Alex Polyakov Internet Operation (http://spamtrackers.eu/wiki/index.php?title=Alex_Polyakov) Mozhey in his linked-in profile amongst his skills are, “Good knowledge of Payment/Billing Systems, CC (credit card) processing, Merchant Gateways”. He also indicates past experience in “Abuse management”. Both he names Alex Mozhey and Alex Mosh are also connected with the nickname Deir that uses the same ICQ address and in some places Mozhey’s actual name. Deir is a member a Parallels Forum. Below Deir signs himself as Alex Mosh CTO Ebiz Hosting Solutions LLC in that forum. Figure 9 Posting by Alex Mosh to Parallels Forum (http://forums.modernbill.com/member.php?u=757) 67 CARLOS REGO Carlos Rego was the CEO of 3dWizards Hosting and DataColo and in 2003 lived in Florida. He has a blog and uses the handle nullmind. Amongst his postings he refers to the day in September 2003 when the FBI came to the DataColo office apparently in connection with the aforementioned Phishing incidents. “Today the FBI came by the office to pickup some logs on a scammer that was hosting with us, after taking his site down we kept all the info and logs on him .. I hope they catch the sucker. Basically the user had a fake egold site, he would send emails out to people saying they need to verify their e-gold accounts, people then would go to HIS site and enter their details and pin numbers :p ouch .. Null (http://nullmind.com/2003/09/)” Rego only mentions E-Gold but it is believed this FBI visit was also a result of an international mutual assistance application from the AFP on behalf of the Australian banks impacted by these early Phishing attacks. According to Carlos’s linked-in profile and Internet news items since leaving DataColo he has worked for Comodo, Positive Software and successful virtualisation software maker Parallels. All these organisations seem to have strong links to Russia and/or Ukraine. For instance Parallels CEO Serguei Beloussov studied for his Ph.D. in Computer Science at the Moscow Institute of Physics and Technology and the company has development centres in Russia and Ukraine. There is nothing suspicious in this but clearly Rego has a large degree of contact with Ukrainians and Russians in his business life. Again it is not known how Rego who was born in Portugal and now lives in the United Kingdom came to be working with these individuals from Eastern Europe. Figure 10 Relationships with Internet Bank Phishing Attacks Late 2002 to July 2003 WHAT HAPPENED AFTER JULY 2003? Detailed figures on Phishing attacks were only collected towards the end of 2003. Judging from press reports and the documented histories of Phishing attacks; they did increase in numbers from August to the end of 2003 with more brands being targeted, including numerous UK and US Internet Banks. The earliest statistics from APWG Anti Phishing Working Group (APWG) show 21 phishing incidents in the month of November 2003 68 (APWG 2004). The phishing sites at this time were primarily located at large web hosting providers whose systems were apparently compromised and used to set up the sites. This method continued for some years even being the main method observed during the examination of phishing attacks in July 2006 on one Australian financial institution (McCombie 2008). The number of attacks increased into 2004 and has continued to increase to date, see below for the most recent figures. Figure 11 Unique Phishing Attack Trend Nov 2003 to Jan 2003 (APWG 2004) HOW IS PHISHING DIFFERENT IN 2008? Today many aspects of Phishing have changed. Phishing sites are now almost always found on Botnets. While Botnets certainly existed in 2003 they were far less common. Their use provides greater redundancy and is also more resilient to take down requests by the victim banks and their service providers. There is also a greater use of password stealing malware (crimeware as it is now described) to compromise users of Internet banks, which is again delivered using Botnets. Since 2004 the significance of crimeware has grown. For the month of March 2008 APWG reported 356 new unique password stealing malicious code applications (APWG 2008). The ability of the Phishing sites to dupe unwitting users has reduced over time as user education and the shear volume of Phishing emails made knowledge of Phishing mainstream. However the attacks continue as they rely on only a small rate of success. In 2006 APACS the UK payments association working on behalf of the banking industry commissioned research agency Canvasse Opinion from Experian to poll a representative sample of 1,835 adults aged 18 and over, who have access to the Internet across the United Kingdom. Their results were, “If we extrapolate for the 15.7 million people (in the UK) who regularly use the Internet to access their current, savings and credit card accounts as: - 3.8% (an estimated half a million people) said they would still respond to an unsolicited email asking them to follow a link and re-enter personal security details, supposedly from their bank, unwittingly giving fraudsters access to their account (this is slightly down from 4% in 2004).” Despite the fact that at the time of this survey Phishing had been widely known for 3 years a return of 3.8% shows us why Phishing sites still appear, in fact, APWG reported over 25,000 unique Phishing attacks attacking 139 different brands in February 2008 alone (APWG 2008). WHAT CAN WE LEARN FROM THIS CASE STUDY While not conclusive this case study shows there is some evidence to support the thesis that East European groups involved in spamming branched into Phishing and other online crime in 2003. Further research into the involvement of East European IT companies in on-line crime is needed. The trend in traditional Eastern European organised crime and indeed other transnational organised crime to move illegal profits into legitimate enterprises may well have extended to the cybercrime area but further work is needed to confirm this. Regardless there is clearly availability of IT skills within Eastern Europe to support both legal and illegal IT 69 businesses and the challenge for those countries and the broader European community is to ensure organised cybercrime groups do not get a foot hold in legitimate industries. Why did Australian Banks figure so significantly in these attacks? One likely reason is that Australian Internet banks had much greater functionality for payments than those in the US and most of the rest of the world at that time. Westpac for instance actually allowed Overseas Telegraphic Transfers (OTTs) to overseas banks direct from their Internet Banking in 2003. This allowed phishers to move the money straight from compromised accounts to banks in Eastern Europe. So Australian Internet banks were indeed world leading but in ways that were not intended. CONCLUSION Further work is required to better understand these early attacks but we hope this will start further research in this area. The author would have liked to interview more individuals involved but many were either unreachable or unable to comment on the events so this case study has been developed looking mostly at news reports and archival material available on the Internet from a number of sources and from the author’s personal knowledge of events. While this approach has its shortcomings it was felt this case study was worth relating even on this limited information. We hope in future research to conduct further interviews with those involved and obtain more archival data on the organisations involved for more in depth analysis of these events. REFERENCES APACS (2008) APACS announces latest fraud figures. Retrieved 20 March 2007 from http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm APWG (2004) Phishing Attack Trends Report January, 2004. Retrieved 9 October 2008 from http://www.antiphishing.org/reports/APWG.Phishing.Attack.Report.Jan2004.pdf APWG (2008) Phishing Activity Trends Report Q1/2008. Retrieved 9 October 2008 from http://www.antiphishing.org/reports/apwg_report_Q1_2008.pdf Broache, A. (2007) E-Gold charged with money. Retrieved 9 October 2008 from http://news.cnet.com/2100-1017_3-6180302.html Clapperton, D. (2003) [Oz-ISP] Westpac online banking scam in progress. Retrieved 15 October 2008 from http://archive.humbug.org.au/aussieisp/1057285342.54415.28.camel%40inferno Colley, A. (2003) NetBank suspect nabbed in Sydney. ZDnet Australia. Retrieved 9 October 2008 from http://m.zdnet.com.au/120273072.htm Department of Justice (2007) Digital Currency Business E-Gold Indicted For Money Laundering And Illegal Money Transmitting. DOJ press release. Retrieved 9 October 2008 from http://www.usdoj.gov/criminal/cybercrime/egoldIndict.htm Fisher, D. (2003) First Union Hoax on the Loose. Retrieved 15 October 2008 from http://www.eweek.com/c/a/Messaging-and-Collaboration/First-Union-Hoax-on-theLoose/ Friedman, R. (2000) Red Mafiya: How the Russian Mob has invaded America, New York. Penguin Putnam 70 Gartner (2007) Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3 Billion Lost to These Attacks. Retrieved 9 October 2008 from http://www.gartner.com/it/page.jsp?id=565125 Galeotti, M. (2005). Russian mafiya become more active in Eastern Europe. Jane's Intelligence Review - June 01, 2005 Galeotti, M. (2006). The Criminalisation of Russian State Security. Global Crime Volume 7 (Number 3-4): August-November 2006. Galeotti, M. (2008) Interview with the Author. Grigg, I. (2005) GP4.3 - Growth and Fraud - Case #3 – Phishing. Retrieved 9 October 2008 from http://www.financialcryptography.com/mt/archives/000609.html Harley, D. (2007) A Pretty Kettle of Phish. Retrieved 9 October 2008 from http://www.eset.com/download/whitepapers/Phishing(June2007)Online.pdf James, L. (2005). Phishing Exposed, Rockland MA Syngress Publishing. Jennings, I. (2003) [fraud?] Security Server Update. Retrieved 15 October 2008 from http://groups.google.com.au/group/news.admin.netabuse.sightings/browse_thread/thread/b2cbf3154a916d14/41aabb11fdcc8067?hl=en)aa bb11fdcc8067 Keizer, G. (2005). Dutch Botnet Trio Reportedly Connected To Russian Mob. Retrieved 24 January 2007 from http://www.techweb.com/article/showArticle.jhtml?articleId=173600331&pgno=1 Kornakov (2007) Gibson offers sneak peek into his world. Retrieved 2 March 2007 from http://www.cambridge-news.co.uk/business/news/2007/02/06/ca10f0fb-fa50-4e49b8d4-51b8c359075a.lpf Litan, A. (2005). Increased Phishing and Online Attacks Cause Dip in Consumer Confidence. Gartner Research. Gartner. McCombie, S., Watters, P.A., Ng, A. & Watson, B. (2008) Forensic Characteristics Of Phishing – Petty Theft or Organized Crime?, Proceedings of the 4th International Conference on Web Information Systems and Technologies (WEBIST), Madeira, Portugal. Naraine, R. (2006) Return of the Web Mob. Retrieved 20 March 2007 from http://www.eweek.com/article2/0,1895,1947561,00.asp Ramzan Z. (2007) A Brief History of Phishing: Part I, Retrieved 9 October 2008 from https://forums.symantec.com/syment/blog/article?message.uid=306505 Rohrich R. (2003) CRIME Fwd: Your account is On Hold. Retrieved 15 October 2008 from http://lists.jammed.com/crime/2003/05/0044.html 71 Riley D. (2003) Security Server Update. Retrieved 15 October 2008 from http://groups.google.com/group/news.admin.netabuse.sightings/browse_thread/thread/c3c46036499f48f7/95565cf69675334d?hl=encf6 9675334d Searle, K. (2003) Netbank Security Server Update (Commonwealth Bank scam Australia) host in FL. Retrieved 15 October 2008 from http://groups.google.com/group/news.admin.netabuse.email/msg/11f128a770befb15?hl=en Scheid E., (2003) FW: Security Server Update. Retrieved 15 October 2008 from http://mailman.anu.edu.au/pipermail/link/2003-April/049438.html Schultz, E. (2003) Email hoaxes continue to deceive users. In Computers & Security,Volume 22, Issue 5, July 2003, Pages 368-377 The Presidents Identity Theft Task Force. (2007) Combating Identity Theft: A Strategic Plan. Retrieved 10 May 2007 from: http://www.idtheft.gov/reports/StrategicPlan.pdf. Varghese, S. (2003) NetBank scam: why didn't Commonwealth Bank do the obvious? Sydney Morning Herald. Retrieved 9 October 2008 from: http://www.smh.com.au/articles/2003/03/19/1047749811735.html Youl, T. (2004) Phishing Scams: Understanding the latest trends. Retrieved 9 October 2008 from http://www.fraudwatchinternational.com/pdf/report.pdf Zenz, K. (2007) Uncovering Online Fraud Rings: The Russian Business Network. Retrieved 9 October 2008 from http://labs.idefense.com/intelligence/researchpapers.php COPYRIGHT Stephen McCombie © 2008. The author/s assign Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. The author also grant a non-exclusive license to ECU to publish this document in full in the Conference Proceedings. Any other usage is prohibited without the express permission of the author. 72 Edith Cowan University Research Online Australian Digital Forensics Conference Security Research Centre Conferences 3-12-2009 Cybercrime Attribution: An Eastern European Case Study Stephen McCombie Macquarie University Josef Pieprzyk Macquarie University Paul Watters University of Ballarat Originally published in the Proceedings of the 7th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, December 3rd 2009. Recommended Citation McCombie, Stephen; Pieprzyk, Josef; and Watters, Paul, "Cybercrime Attribution: An Eastern European Case Study" (2009). Australian Digital Forensics Conference. Paper 66. http://ro.ecu.edu.au/adf/66 This Article is brought to you by the Security Research Centre Conferences at Research Online. It has been accepted for inclusion in Australian Digital Forensics Conference by an authorized administrator of Research Online. For more information, please contact c.burnop@ecu.edu.au. 73 Proceedings of the 7th Australian Digital Forensics Conference Cybercrime Attribution: An Eastern European Case Study Stephen McCombie1 Josef Pieprzyk2 Paul Watters3 Macquarie University mccombie@science.mq.edu.au1 josef@science.mq.edu.au2 University of Ballarat p.watters@ballarat.edu.au3 Abstract Phishing and related cybercrime is responsible for billions of dollars in losses annually. Gartner reported more than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008 (Gartner 2009). This paper asks whether the majority of organised phishing and related cybercrime originates in Eastern Europe rather than elsewhere such as China or the USA. The Russian “Mafiya” in particular has been popularised by the media and entertainment industries to the point where it can be hard to separate fact from fiction but we have endeavoured to look critically at the information available on this area to produce a survey. We take a particular focus on cybercrime from an Australian perspective, as Australia was one of the first places where Phishing attacks against Internet banks were seen. It is suspected these attacks came from Ukrainian spammers. The survey is built from case studies both where individuals from Eastern Europe have been charged with related crimes or unsolved cases where there is some nexus to Eastern Europe. It also uses some earlier work done looking at those early Phishing attacks, archival analysis of Phishing attacks in July 2006 and new work looking at correlation between the Corruption Perception Index, Internet penetration and tertiary education in Russia and the Ukraine. The value of this work is to inform and educate those charged with responding to cybercrime where a large part of the problem originates and try to understand why. Keywords Cybercrime. Phishing. Eastern European Organised Crime. INTRODUCTION Phishing and related cybercrime is responsible for annual losses of billions of US dollars. Gartner reported more than 5 million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008. They have estimated the losses in the US alone were over USD$7.5 Billion between September 2005 and September 2008 (Gartner 2009). While the claims by a US treasury official that global cybercrime is more lucrative than illegal drugs and was estimating at USD$105 Billion in 2004 are rather difficult to assess (Reuters 2005) there is clearly a large illegal and successful criminal industry online. The United States Government’s October 2007 International Organized Crime Threat Assessment (US Department of Justice 2008) saying, “International organized criminals use cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures, and the security and solvency of financial investment markets.” This paper looks at the part in this that individuals and groups based out of Eastern Europe play and whether the majority of organised phishing and related cybercrime indeed originates in Eastern Europe rather than elsewhere and why. With the end of communism, Eastern Europe has seen massive changes and with the resulting power vacuum in many countries organised crime have gained prominence. The Russian Mafiya in particular has been popularised by the media and entertainment industries to the point where it can be hard to separate fact from fiction. While hard data is limited on this phenomenon, there is considerable anecdotal evidence to suggest that transnational organised crime groups from Eastern Europe are significantly involved in Phishing and related cybercrime. Their alleged involvement in these attacks has received extensive coverage in the press with headlines like “Dutch Botnet Trio Reportedly Connected To Russian Mob” (Kreizer 2005), “Return of the Web Mob” (Naraine 2006). However a leading security researcher and vendor Eugene Kaspersky (from Russia himself) charged that the view of the Russian Mafiya and Russians more generally being behind cybercrime was a “myth” (Sturgeon 2006) and that most attacks came from China and the US. While the authors agree there is a degree of mythology around the issue there is some solid information pointing to the significant role Eastern Europeans’ particularly Russians and Ukrainians play in the cybercrime world. This paper consists of a survey of information available on this area build from case studies where there is some nexus to Eastern Europe including 41 | P a g e 74 Proceedings of the 7th Australian Digital Forensics Conference looking at the first phishing attacks on Internet Banks in 2003 (McCombie 2008). We also look at other indicators including the identity of leading spammers who are key part of the cybercrime business and other information such as the views of law enforcement, which also seems to support this thesis. We then re-examine some archival data on 77 phishing attacks on one Australian institution in July 2006 used in work published in 2008 (McCombie 2008). Lastly we examine the correlation of a low corruption perception index, high Internet penetration, high tertiary education levels and Eastern European cybercrime. In this work we take a particular focus on cybercrime from an Australian perspective and a lot of our data relates to the Australian experience. While this is convenient for Australia based researchers it also is relevant to understand that Australia was one of the first places where Phishing attacks against Internet banks were seen. This attack as we will discuss was, rather than a home grown problem, suspected to have originated from the Ukraine by a known spammer. To date there has been little research into the individuals and groups behind Phishing and related cybercrime. To effectively combat this problem we need to understand the disposition and nature of these criminals. This paper aims to be one step in delivering this important analysis to help government and industry address this problem. A SURVEY OF EASTERN EUROPEAN ORGANISED CRIME & CYBERCRIME A SHORT HISTORY OF EASTERN EUROPEAN ORGANISED CRIME While this paper is focused on cybercrime, Eastern European crime is a much broader and more complex topic. However any examination of Eastern European cybercrime would be incomplete without some background of this broader issue. The Hollywood image of the ruthless Russian mafiya man who unlike the Italian Mafiosi is happy to kill not just opponents but their family members too is truly fiction but one retold so often it is almost treated as fact (Serio 2008). However there is a long history of organised crime in Russia and Eastern Europe. In the times of the Tsar well before the October Revolution of 1917 organised crime groups stole horses and moved them all over the then Russian empire for sale. After the revolution these early groups while imprisoned, sort to differentiate themselves from the political prisoners whose numbers during Bolshevik rule grew substantially. By the 1930s this Russian criminal class were known as the Vory v Zakone “Thieves in Law” and is well documented (Varese 2001). They flourished under the often corrupt Communist system where bribery and the black market were key elements of the society. With the end of communism and the privatisation of government enterprises these traditional crime gangs, along with groups of Afghan war veterans and some former state security agents became what is now collectively known as the Russian Mafiya. According to the Ministry of Internal Affairs of the Russian Federation, between 1990 and 2001 the number of organised groups and criminal societies (criminal organisations), increased almost 16-fold, from 785 to approximately 12,500 (Abramova 2007). These new groups used force where the lack of the rule of law meant this was an important business tool. They also provided real protection where law enforcement was either corrupt or simply disinterested to protect new business entities. In fact many of the leading gangs such as Tambov in St Petersburg became a legitimate security providers to business (Volkov 2002). By 2005, it was estimated by a Council of Europe Organised Crime Situation Report (2005) that there were 300–400 really important criminal groups within the Russian Federation, with 15 of them operating significant criminal network structures (Ridley 2007). THE CRIMINALISATION OF RUSSIAN STATE SECURITY A feature of Eastern European organised crime is the criminalisation of the state security apparatus as their influence has grown. This has occurred partly by convenience and as many former state security agents actually joined the Mafiya themselves some while keeping their day jobs. Tambov, mentioned above, is known to have close links with Prime Minister Vladmir Putin’s security detail (Volkov 2002). Mark Galeotti (Galeotti 2006) suggests that former members of the Russian Federal Agency of Governmental Communication and Information (FAPSI) - whose role was similar to that of the US National Security Agency - were recruited by organised crime groups as computer hackers when FAPSI was disbanded in 2003. Notably, this was around the same time phishing became a significant problem. Interviews conducted by IDefense indicated that Russian and other Eastern European police had little interest in pursuing cybercriminals who commit no crimes at home (Zenz 2007). In 2000, the FBI lured two Russian hackers (who tried to blackmail Michael Bloomberg) to Seattle with job offers, then arrested them. Agents involved in the case later downloaded data from the duo's computers, located in Chelyabinsk, Russia, over the Web. Rather than assist the investigation two years after that, Russia filed charges against the FBI agents for hacking alleging the downloads were illegal (Grow 2005). The 2007 arrest of Vladimir Earsukov, aka Vladimir Kumarin, of the Tambov crime family, was handled by top-level FSB officials due to concerns about local police collusion with organised crime in St Petersburg (Overseas Security Advisory Council 2009). A high ranking member of the Ukrainian Ministry of Internal Affairs noted that although the number of Ukrainian organized crime groups had steadily decreased the remaining groups were difficult to eradicate because of their strong connections with state officials (Finckenauer and Schrock 2004). 42 | P a g e 75 Proceedings of the 7th Australian Digital Forensics Conference MODERN TRADITIONAL RUSSIAN SPEAKING ORGANISED CRIME Russian organised crime is more correctly Russian speaking organised crime. Gangs exist outside of the Russian Federation in other former Soviet Union countries such as Ukraine, Latvia and Moldova where many ethnic Russians live. With its relatively large ethnic Russian population Latvia's underworld is dominated by gangs rooted in this ethnic Russian community, typically linked with larger gangs in Moscow and St Petersburg. Latvia is reported to be an increasingly important location for computer-based criminal activities, including phishing attacks (Galeotti 2005). In Russia one of the most prominent gangs is led by Sergei Mikhailov. The Moscow-based Mikhailov’s Solntsevskaya Organization owns banks, casinos, car dealerships, and even an airport. Solntsevskaya is believed to be behind many cyber-related online crime activities (Nomad 2005). In St Petersburg the Tambov, Kazan, and Malyshev crime families are the three major criminal organizations. Organised criminal activity in St. Petersburg extends into business, banking, public services, natural resources, and even art and culture. Virtually all businesses in St. Petersburg have a roof (protection scheme) provided by organised crime (Overseas Security Advisory Council 2009). Some of the organised crime groups are believed to use legitimate enterprises they are involved in to support illegal activities. Tambov is believed to have used its petrol distribution company PTK’s IT division to commit phishing attacks (Galeotti 2008). PTK itself is a massive enterprise and was awarded its contract to supply St Petersburg when the current Prime Minister Vladmir Putin was Deputy Mayor of the city government such is the high level influence of Tambov (Belton 2003). Figure 1 shows the structure of Russian Organised Crime groups as described by Vadim Volkov (Volkov 2002). This is probably more a stylised view than the strict reality as these Russian speaking organised crime groups are often known for their lack of hierarchical structure and ability to mould to the task required. However that said it is interesting to note the technical sub-divisions within the structure one for weapons and the other communications and cars etc. Such a subdivision could well include the former FAPSI hackers mentioned by Galeotti (Galeotti 2006). The involvement of these groups has been recognized by numerous governments, the US President’s Identity Theft Task Force, set up to combat phishing and other identity, theft reported in 2007 (The Presidents Identity Theft Task Force 2007), “Law enforcement agencies … have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes.” Figure 1. Structure of the (Russian) Organized Criminal Group (Volkov 2002). Groups from the Russian Federation, the Ukraine and Romania were identified by the US Secret Service as being responsible for a number of the attacks (The Presidents Identity Theft Task Force 2007). In February 2007, Microsoft's Chief Security Advisor in the UK, Edward Gibson (a former FBI Agent), warned “it’s not the hacker crackers you have to worry about, but the Ukrainian mafia” (Kornakov 2007). INTERNET CYBERCRIME We now look more specifically at Internet Cybercrime and Eastern Europe. In September 2009 Neil Gaughan the head of the Australian High Tech Crime Centre (AHTCC) told a parliamentary enquiry that the majority of cybercrime in Australia is driven by organised crime gangs in Russia. Nigel Phair a team leader from the AHTCC saying in his book (Phair 2007), “A significant amount of internet-enabled crime including Phishing and denial of service attacks … is perpetrated from within the states which comprise the former Soviet Union.” These views are well founded as can be seen from the following case studies. 43 | P a g e 76 Proceedings of the 7th Australian Digital Forensics Conference Spam Kings Since the expansion in usage of e-mail into the mainstream, spam or unsolicited email has been a problem. In June 2009, according to MessageLabs the global ratio of spam in email traffic was 90.4% or 1 in 1.1 emails (Messagelabs 2009). In phishing the sending of spam is essential both to compromise bank customers and to recruit Internet Monet Mules to launder the money obtained. While claims that most spam comes from the US and China are true (Sturgeon 2006), the groups behind that spam are not necessarily in those countries. Spamhaus produce the Register of Known Spam Operations (ROKSO) and they rank the top ten spamming operations based upon the ROKSO database that collates information and evidence on known professional spam operations that have been terminated by a minimum of 3 Internet Service Providers for spam offenses. If we look at this top 10 (Table 1) we see three entries for the Russian Federation, two for the Ukraine and one for Estonia. Notably Russia and the Ukraine are the only countries to have more than one entry (The Spamhaus Project 2009). Table 1. ROKSO list of top ten spamming operations (21 July 2009) (The Spamhaus Project 2009) Internet Money Mules ‘Internet money mules’ are those who, either knowingly or unknowingly, launder money obtained from Internet fraud and are a key part of phishing and related cybercrime. While the criminals who steal credentials can easily access Internet Banks and perform transactions from the other side of the world they cannot necessary get the money into their own hands so easily. They advertise for Internet money mules through spam email, Internet messaging and both fraudulent and legitimate employment web sites. They claim to be legitimate employment opportunities with mules receiving between 7% to 10% of funds transferred via their accounts as a commission. The cybercriminal transfers money from a compromised bank account into the mules account. The mule, simply doing what their ‘job’ requires, transfers the fraudulently obtained funds – minus their fee – via financial transfer services such as Western Union to an overseas address (Aston 2009). Data collected by the Australian Federal Police indicate that over 50% of these transactions relate to the former Soviet Union with Russia being the largest single recipient country (Martin 2007). Australian police have had some success in arresting Internet money mules who are aware of the illegal nature of the transactions. One of the largest investigations occurred in 2005 involving NSW and Federal Police (Walker 2006). In that particular case the recruitment method involved a company called World Transfers Incorporated. IDefense did some investigation in their profile of Internet Money Mules (iDefense 2006) and looked at this case. WHOIS data for the former World Transfers Inc. domain provides a clues as to the operation's source. Contact information for http://www.world-transfers.biz follows: Domain Name: WORLD-TRANSFERS.BIZ Billing Contact Name: Alex Polyakov Billing Contact Organization: Pilot Holding LLC The Ukrainian Polyakov is as earlier stated one of the Spamhaus top ten and allegedly the man behind the first attacks on Internet Banks in Australia (see below). This phenomenon is not just an Australian problem. In 2004 in the United Kingdom Detective Superintendent Mick Deats, Deputy Head of the National High Tech Crime Unit, said: "Organised Crime is targeting Internet users, and specifically Russian-speakers, in the UK to launder money stolen from online bank accounts where people have been duped into handing over their account details. We believe … (they have in this particular case) sent hundreds of thousands of pounds back to Russia … This is a sophisticated operation involving false identities…(Parsons 2004)” CYBERCRIME CASE STUDIES Russian Business Network Some Russian IT organisations are suspected of being purely vehicles for Internet crime such as the now infamous Russian Business Network. A scan of RBN and affiliated ISPs’ net space conducted by VeriSign iDefense analysts failed to locate any legitimate activity. Instead, They identified phishing, malicious code, botnet command-and-control, 44 | P a g e 77 Proceedings of the 7th Australian Digital Forensics Conference denial of service attacks and child pornography on every single server owned and operated by RBN. To date, significant attacks on the financial sector continue to emanate from RBN and its affiliated organizations according to iDefense (Zenz 2007). Hangup Gang The HangUp Team is based in Archangelsk in Russia. In 2000 the alleged original members of the team, Alexei Galaiko, Ivan Petrichenko, and Sergei Popov, were arrested for infecting two local computer networks with malicious code. But Russian authorities let them off with suspended sentences. In 2003 the gang released the viruses Berbew and Webber. In 2004 the group infected online stores with the Scob worm. Scob waited for Web surfers to connect, then planted a keylogging trojan and relayed thousands of passwords and credit-card numbers to a server in Russia (Grow 2005). TJ Max/Dave & Busters Restaurant In 2007 three men have been indicted for hacking into a number of cash registers at Dave & Buster's restaurant locations in the US stealing data from thousands of credit and debit cards. That data that was later sold and caused more than $600,000 in losses. Maksym Yastremskiy of the Ukraine and Aleksandr Suvorov of Estonia hacked into cash register terminals at 11 Dave & Buster's locations and installed "sniffer" programs to steal payment data as it was being transmitted from the point-of-sale terminals to the company's corporate offices. Later the same men were charged with similar a breach at TJMax. Some Analysts estimated the losses at TJ Max at more than USD$1 Billion (Kerber 2007). Doug Bem, an inspector with the U.S. Postal Inspection Service alleged Yastremskiy was a major reseller of stolen credentials (Krebs 2008). Notably both Yastremskiy and Suvorov were arrested while visiting two countries, which actively co-operate with US law enforcement Turkey and Germany and not at home in Eastern Europe. E-Biz Hosting Incident 2003 On Saturday 28 December 2002 during the quiet Christmas New Year period an email purporting to be from E-Gold support (an online Gold trading company) was spammed out to a large number of Internet users. The next victim of this phishing attack was Commonwealth Bank of Australia (CBA) a former government owned bank in Australia. This was the first such phishing attack against a major Internet Bank. On 10 April 2003 another Phishing email was sent, this time targeting ANZ. On 12 May 2003 a Phishing email was sent out targeting Bank of America. It again used similar text to the attacks on E-Gold, CBA and ANZ. On 4 July 2003, US Independence Day Westpac Bank become subject of a similar Phishing attack and at the same time ANZ received its second attack (McCombie 2008). E-Biz Hosting Solutions was the domain owner of the domain used in the Westpac and both ANZ sites and appeared to have issued the https certificate for the e-Gold web site and managed the IP space for the CBA site. The Vice-President of the company was listed as Maxim Unger from Odessa Ukraine. Alex Mosh also from Odessa Ukraine was listed as CTO (McCombie 2008). Alex Mosh AKA Alex Polyakov is listed on the spamhaus Register of Known Spam Organisations (ROKSO) top ten list as of spammers above. Ruslan Ibragimov Ruslan Ibragimov is a Russian based in Moscow. Spamhaus credit him as “One of the largest criminalmethods/botnet/proxy hijack spamming operations around.” Apart from his own spamming operations he and his group authored the spam sending tool send-safe mailer. He is also believed to be the author of the malware Sobig in 2003 (Author Travis Group 2005). It was released in August 18, 2003 and infected hundreds of thousands of computers within just a few short hours. W32.Sobig.F@mm was a mass-mailing, network-aware worm that sent itself to all the email addresses it could find, worldwide. Within two days after Sobig was released, an estimated $50 million in damages were reported in the US alone. China had reported over 30% of email traffic had been infected by Sobig, equivalent to over 20 million users. After interrupting freight operations and grounding Air Canada, Sobig went on to cripple computing operations within even the most advanced technology companies, such as Lockheed Martin (Author Travis Group 2005). BlueSecurity DDoS In 2006 Blue Security was an anti-spam company based in Israel and California. It had an original idea to stop spam. They would send requests to stop sending spam to spammers each time they sent spam to their customers. This caused a lot of problems for the spammers who found they were having serious capacity issues with Blue Security sending these messages on behalf of more than 500,000 customers. While this virtual vigilante system of spamming the spammers was controversial it was apparently quite legal. The response from the spammers was a DDoS attack. Blue Security responded effectively initially but with the time the attack grew in size and sophistication. BlueSecurity had to turn to others for support. When Blue Security got the Prolexic DDoS protection which washed their traffic the spammers merely turned their DDos on Prolexis’ DNS which shut them down and many of their customers who used their service. The result was Blue Security had to go it alone. Shortly after and as a result the CEO decided to shut the company down (Krebs 2006). Both Polyakov and Ibragimov are suspected to have been behind these attacks. 45 | P a g e 78 Proceedings of the 7th Australian Digital Forensics Conference Estonia DDoS On 26 April 2007 the Estonia government moved a Soviet WW2 memorial from the centre of its capital to a cemetery on its outskirts. To Russians at home and in Estonia it was an outrage. Russians treat the memory of the war dead from WW2 as sacred. Amongst other protests Estonian systems came under DDoS attack from large amounts of ICMP traffic. While the Estonian Government claimed the attack was lead by the Russian Government it appears more that a number of technically savvy members Russian ethnic community within Estonia and elsewhere urged on by a number of Internet posting were responsible (Lesk 2007). NAB, Westpac, AusCERT, Malaware DDos Attacks While the Estonian and BlueSecurity DDoS attacks would appear to have little nexus to Australia, DDoS as a tool of retribution has been seen in Australia a number of times. In October 2006 National Australia Bank (NAB) suffered a DDos as result of its efforts to frustrate phishing gangs in Eastern Europe and some claimed the infamous RBN were responsible for the attacks (Zenz 2007). Information from law enforcement officials to Janes Intelligence indicated the attacks were from Russia by groups also responsible for a number of blackmail DDoS attacks on online betting houses (Karrstrand 2007). Shortly after AusCERT and Malaware who both assist in anti-Phishing and anti-trojan efforts for Banks were DDosed. Then in September 2007 Westpac Bank suffered an attack with similar traffic patterns not long after their new cybercrime response team was established and operating against phishing gangs (Winterford 2007). PHISHING EMAIL ANALYSIS In work published in 2008 (McCombie 2008) email data from one month of Phishing attacks against one Australian financial institution in July 2006 were examined. This consisted of 77 discrete attacks on that organisation. Each attack involved a different URL set up at a different time and spammed out to extensive spam lists. The work examined the email source of the hooks, the phishing pages where available and other archival data stored by the organisation or otherwise archived on the Internet. The main purpose of the exercise was to see if grouping was feasible. This proved to be the case with 6 particular profiles or groups which accounting for all but 2 of the attacks (McCombie 2008). The authors using unpublished data from that work looked at timezone data in a number of the emails in that dataset. Timezone Analysis The timezones GMT + 3 (22 incidents) or GMT + 2 (14 incidents) were present in 36 of 62 incidents where a time zone was present. Many of these instances involved Group 1 identified in the study (McCombie 2008) who accounted for 42% of the 77 incidents. GMT +3 is the time zone of Ukraine in summer (EEST) and GMT + 2 (EET) the rest of the year. The time zone value was set by the email client in the body of the email rather than in the header by the SMTP server. The SMTP time zone value while interesting merely indicates the location of the mail server used to send the email which in most cases is a compromised system or open mail proxy and not the location of the sender which the mail client may well indicate. Figure 2. Timing of 63 Phishing Incidents against Australian Financial institution in July 2006. Also during that study a virtual work day was established based on the header time set by the receiving SMTP server. That study examined Tuesday 18 July 2006 in detail when 12 phishing incidents were observed, starting at 4.01am and continuing to 8.59am, then followed by a break of about ten hours, followed again by three attacks from 6.44pm to 7.39pm. This may be deliberate targeting of the victim users when they access their systems in the morning and first thing in the evening, or may again indicate the working schedule of the phishers themselves (McCombie 2008). The authors examined unpublished header data for 63 of 77 incidents from that study. If we know look at those 63 incidents across July we see a similar pattern of activity. In the time from midnight to 9.37am AEST and we see 45 incidents. From 6.37pm to midnight AEST we see 12 further incidents. However from 9.37am to 6.37pm AEST we see only 6 46 | P a g e 79 Proceedings of the 7th Australian Digital Forensics Conference incidents (3 of which occur within 17 minutes). Clearly in this period there is significantly less activity. If we convert to EEST these 63 incidents we can see how busy times map to mid morning and to very early morning for EEST, potentially the waking hours of the perpetrators. An argument also could also be made for later timezones such as GMT but clearly the timing does not match the waking hours in Australia. Windows-1251 Unpublished character set data was also examined from the July 2006 study. The Windows-1251 character set is associated with the Cyrillic character set used in Russia and Eastern Europe. In the 5 instances where any value was seen, 4 were Windows-1251 (the remaining was Windows-1252 the standard Latin text). All these instances involved Group 3, which accounted for 18% of the 77 incidents. We then looked at a different Phishing Corpus, which has made available by Jose Nazario of phishing incidents from 7 August 2006 to 7 August 2007 (Nazario 2007) to see if we could see this value. In that corpus there were 2279 different phishing attacks, of those 904 had a value for the Windows character set and for 693 of these the value was Windows-1251. Future research will look at this and other larger email corpus of Phishing attacks to further assess this value to see its pre-eminence. CORRUPTION PERCEPTION INDEX, EDUCATION AND CYBERCRIME INTERNET PENETRATION, TERTIARY Russia and other parts of the former Soviet Union have suffered from a high level of corruption for some time. The Transparency International Corruption Perceptions Index (CPI) is based on a number of surveys conducted globally (Transparency International 2008). When trying to understand why Russia and Ukraine in particular seem to figure in cybercrime incidents we decided to look for a possible correlation between high corruption, high Internet penetration and high levels of tertiary education. As you will see this certainly shows the unique position of Russia and the Ukraine both on in terms of absolute numbers and per capita in these areas when compared with other countries with poor (low) CPI scores. The Transparency International CPI ranks countries in terms of the degree to which corruption is perceived to exist among public officials and politicians. It is a composite index, a poll of polls, drawing on corruption-related data from expert and business surveys carried out by a variety of independent and reputable institutions. The CPI reflects views from around the world, including those of experts who are living in the countries evaluated. The lower the score the worse the perception of corruption in that country (Transparency International 2008). We then added information relating to Internet penetration gathered by International Telecommunications Union (International Telecommunication Union 2008) for each country for listed in the CPI ranking. We then added data relating to the level of Tertiary Education from the World Bank (World Bank 2007). The CPI rating and Internet data relate to 2008 and the Tertiary education data relates to 2007. In 2008 Russia has more than 30 million Internet subscribers with a penetration of over 20 users in 100. Ukraine while considerably smaller still has over 6 million Internet users and penetration of over 13 users in 100. At the same time they are both listed in bottom 25% of countries by corruption perception, Russia scoring 2.2 being 147/181 and Ukraine scoring 2.5 being 134/181. They also have very high levels of enrolment in tertiary education. Russia having over 9 million enrolled and 72.3% of students enrolled of the relevant age group or Gross Enrolment Ratio (GER). Ukraine has nearly 3 million and 72.8% GER. While countries like China have far higher numbers of Internet subscribers (150 million) their CPI sits a lot better at 3.6 at 72/181 with a GER of a mere 21.6%. This makes Russia and Ukraine relatively unique. Even Nigeria with its reputation as the home of the 419 scams and West African Crime actually sits higher on the CPI at 121/181 scoring 2.5 but with only 115 thousand Internet subscribers and a tiny penetration of 0.08 users in 100 and a GER of 10.2%. In Table 2 shows all countries ranked by CPI score with greater than 1.5 million Internet Subscribers by CPI including tertiary figures. This shows the unique position of Russia and the Ukraine. 47 | P a g e 80 Proceedings of the 7th Australian Digital Forensics Conference Table 2. Countries ranked by CPI Score (lowest to highest), Internet Subscribers (>1.5 Million) showing enrolment in Tertiary Education 48 | P a g e 81 Proceedings of the 7th Australian Digital Forensics Conference CONCLUSION It is acknowledged that the above discussed data analysis work is not alone conclusive as to the source of phishing and related cybercrime. However if viewed in conjunction with the survey information and other supporting material it certainly presents a compelling argument of the major role played in Phishing and related cybercrime by Eastern European individuals and groups. Eastern Europe’s situation has made it particularly suited to the development of cybercrime groups. High levels of technical education reflected in the high GER, a period economic uncertainty and downturn, a breakdown of state institutions, and an established tradition of criminal gangs have all contributed. It is interesting to note Romania, which was identified in association with EBay auction fraud (Warne 2007), has now improved its situation with the prosecution of a number of cybercriminals in that country (Goodin 2008). Romania now has a healthy CPI of 3.8, by Eastern European standards, up from 2.8 in 2003. Both these developments seem to have been a result of the closer ties with the European Union, the USA and the west generally. It however seems that as long as Ukraine and Russia remain outside of this type of influence it is going to be difficult for western governments and more particularly western law enforcement to have much impact on individuals and groups in these countries committing cybercrime. The Russian and Ukrainian Governments would appear to have the capacity to deal with the problem just not the incentive. REFERENCES Abramova, I. (2007). "The Funding of Traditional Organised Crime in Russia." Economic Affairs 27(No.1): 18-21. Aston, M., McCombie S., Reardon B., and Watters P. (2009). A Preliminary Profiling of Internet Money Mules: An Australian Perspective. Cybercrime and Trustworthy Computing. Brisbane. Author Travis Group. (2005, September 2005). "Who Wrote Sobig? ." from http://authortravis.tripod.com/. Belton, C. (2003, 2003). "New Book Poses Question of http://www.sptimes.ru/index.php?action_id=2&story_id=11164. Putin's Links with Underworld." from Finckenauer, J. O. and J. L. Schrock (2004). The prediction and control of organized crime : the experience of postSoviet Ukraine. New Brunswick, N.J., Transaction Publishers. Galeotti, M. (2005, 24 May 2005). "Russian mafiya become more active in Eastern Europe." from http://www.janes.com/security/law_enforcement/news/jir/jir050524_1_n.shtml. Galeotti, M. (2006). "The Criminalisation of Russian State Security." Global Crime 7(Number 3-4). Galeotti, M. (2008). Interview with Author. Gartner. (2009). "Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40 Percent in 2008." from http://www.gartner.com/it/page.jsp?id=936913. Goodin, D. (2008). "Notorious eBay hacker arrested in Romania." from http://www.theregister.co.uk/2008/04/18/vladuz_arrested/. Grow, B. (2005). "Hacker Hunters: An elite force takes on the dark side of computing " Retrieved 20 August, 2009, from http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm. iDefense (2006). Money Mules: Sophisticated Global Cyber Criminal Operations Verisign. International Telecommunication Union. (2008). "Internet indicators: subscribers, users and broadband subscribers: 2008." from http://www.itu.int/ITUD/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear =2008&RP_intLanguageID=1. Karrstrand, K., Jonsson, M. (2007). "The Baltic connection - Money laundering in the Baltic region ." Janes Intelligence Review. Kerber, R. (2007). "Suspect named in TJX credit card probe: Ukrainian's arrest seen as break in record fraud case." from http://www.boston.com/business/globe/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/. 49 | P a g e 82 Proceedings of the 7th Australian Digital Forensics Conference Kornakov, P. (2007). "Gibson offers sneak peek into his world." from http://www.cambridgenews.co.uk/business/news/2007/02/06/ca10f0fb-fa50-4e49-b8d4-51b8c359075a.lpf. Krebs, B. (2006). "In the Fight Against Spam E-Mail, Goliath Wins Again." from http://www.washingtonpost.com/wp-dyn/content/article/2006/05/16/AR2006051601873.html. Krebs, B. (2008). "Three Charged With Hacking Dave & Buster's Chain ", from http://voices.washingtonpost.com/securityfix/2008/05/three_charged_with_hacking_dav.html. Kreizer, G. (2005). "Dutch Botnet Trio Reportedly Connected To Russian Mob." Lesk, M. (2007). "The New Front Line: Estonia under Cyberassault." IEEE Security and Privacy 5(No.4 July/Aug. 2007): pp.76-79. Martin, S. (2007). International Field Report : Australia. 2007 APWG General Members Meeting. Pittsburgh PA. McCombie, S. (2008). Trouble in Florida: The Genesis of Phishing attacks on Australian Banks. 6th Australian Digital Forensics Conference. Perth. McCombie, S., Watters, P. , Watson, B. & Ng, A. (2008). Forensic Characteristics of Phishing - Petty Theft or Organized Crime. WEBIST Conference Funchal Portugal pp149-157 Messagelabs. (2009). "MessageLabs Intelligence: July 2009." from http://www.messagelabs.com/resources/mlireports. Naraine, R. (2006). "Return of the Web Mob." from http://www.eweek.com/article2/0,1895,1947561,00.asp. Nazario, J. (2007). "Phishing Corpus." from http://monkey.org/~jose/wiki/doku.php?id=PhishingCorpus. Nomad, S. (2005). "Organized Cybercrime." from http://www.dc214.org/notes/june_2005/dc214_sn_orgcrime.ppt. Overseas Security Advisory Council (2009). Russia 2009 Crime & Safety Report: St. Petersburg, Overseas Security Advisory Council. Parsons, M. (2004). "Twelve arrested for laundering phished funds." Retrieved 1 September, 2009, from http://news.zdnet.co.uk/security/0,1000000189,39153687,00.htm. Phair, N. (2007). Cybercrime : the reality of the threat. Kambah, A.C.T., Nigel Phair. Reuters. (2005, November 29, 2005). "Cybercrime now bigger than the drug trade." from http://www.smh.com.au/news/technology/cybercrime-now-bigger-than-the-drugtrade/2005/11/29/1133026443366.html. Ridley, N. (2007). "Financial Crime Trends in Central and Eastern Europe." Economic Affairs 27(No. 1 March 2007): pp. 22-26. Serio, J. D. (2008). Investigating The Russian Mafia. Durham NC, Carolina Academic Press. Sturgeon, W. (2006). "Analysis: A globetrotter's guide to cyber crime." Retrieved 30 July, 2009, from http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158777,00.htm. The Presidents Identity Theft Task Force (2007). Combating Identity Theft: A Strategic Plan. 2007. The Spamhaus Project. (2009). "The 10 Worst ROKSO Spammers." Retrieved 21 July, 2009, from http://www.spamhaus.org/statistics/spammers.lasso. Transparency International. (2008). "Corruption Perceptions Index 2008." from http://www.transparency.org/policy_research/surveys_indices/cpi/2008. US Department of Justice (2008). Strategy to Combat International Organized Crime. 50 | P a g e 83 Proceedings of the 7th Australian Digital Forensics Conference Varese, F. (2001). The Russian mafia : private protection in a new market economy. Oxford, England ; New York, Oxford University Press. Volkov, V. (2002). Violent entrepreneurs : the use of force in the making of Russian capitalism. Ithaca, Cornell University Press. Walker, F. (2006). Gone phishing ... gangs using Aussie kids to steal millions. Sydney Morning Herald. Sydney. Warne, D. (2007). "Romania a global hotspot for eBay fraud." APC Magazine May 2007. from http://apcmag.com/romania_a_global_hotspot_for_ebay_fraud.htm. Winterford, B. (2007, 19 June 2007). "Westpac hit by DoS attacks." from http://www.zdnet.com.au/news/security/soa/Westpac-hit-by-DoS-attacks/0,130061744,339278748,00.htm. World Bank. (2007). "Education Statistics 2007 Version 5.3." 2007. from http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTEDUCATION/EXTDATASTATISTICS/EXT EDSTATS/0,,menuPK:3232818~pagePK:64168427~piPK:64168435~theSitePK:3232764,00.html. Zenz, K. (2007). Global Threat Research Report: Russia. iDefense Security Report. iDefense, Verisign. Zenz, K. (2007). Uncovering Online Fraud Rings: The Russian Business Network. iDefense Security Report. IDefense, Verisign. COPYRIGHT Stephen McCombie, Josef Pieprzyk, Paul Watters ©2009. The author/s assign SECAU & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to the SECAU & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors. 51 | P a g e 84 Figure 4.1: Mazafaka Carders Forum (Simple Nomad 2005) Phishing the Long Line: Transnational Cybercrime from Eastern Europe to Australia. Chapter 4 THE CYBERCRIME MARKETPLACE 85 CHAPTER 4 THE CYBERCRIME MARKETPLACE 4.1 Introduction The previous chapter looked in detail at the first Internet bank phishing attacks, how this phenomenon changed the crime paradigm and what features make Eastern Europe an ideal base from which to instigate transnational cybercrime. This chapter explores the cybercrime market, which supports phishing and related cybercrime by providing a market for the various tools needed for phishing and for laundering the proceeds of that cybercrime. With hacking for profit becoming the dominant motive for cybercrime in the early 2000s, an active online market was established for trade in compromised credentials, compromised systems, exploit code, crimeware and other resources facilitating phishing and carding (Cox 2002). In 2002, United States law enforcement undertook “Operation Firewall”, a significant operation infiltrating online markets and resulting in the prosecution of a number of involved US residents. Efforts to pursue Eastern European suspects were less successful (Menn 2010) due some prevailing legal and political issues which are further explored in Chapter 6. 4.2 The evolution of the cybercrime marketplace In the hacking world, well before the Internet became mainstream, interaction between members of the hacking community was an important method to learn new skills, exchange information on technical exploits and even recruit accomplices to compromise systems. Early hackers, who were often also skilled phreakers (hackers of phone systems), used the telephone system to communicate with each other (often across the globe) but soon moved to the digital realm and Internet Relay Chat (IRC) became the standard method of communication in the hacking community. During one of the bombing resumptions against Iraq in February 1998 the US Air Force found many of its bases under an electronic attack by an unknown enemy. At first it was thought to be some Iraqi information warriors. The source of the attacks turned out to two Californian teenagers. Investigations also revealed an Israeli citizen had met, then encouraged and assisted them in their cyber attacks using Internet Relay Chat, never having met them in person (Power 2000). 4.3 Scope and Products While early use of IRC related to coordinating, collaborating and teaching new skills, some IRC channels eventually became markets for various illicit goods and services. One of the earliest commodities made available (still available today in significant volumes) was credit card numbers. Credit card numbers in large quantities, often compromised from poorly secured E-Commerce servers, could be readily bought and sold, if not sometimes even just simply given away. Many online services and products could be purchased using no more than such stolen credentials. At the time, various counter-measures, such as the ability to check billing addresses and CVCs, were either not available or only available in some countries. Indeed, there are many cases of phishing websites having themselves been established with legitimate webhosting companies using compromised credit cards. Commonly, by the time these frauds were discovered the site had already served its illicit purpose. Other than IRC, web forums were used as marketplaces for trade in cybercrime tools. One such example can be seen on the title page for the Mazafaka Carders Forum (Simple Nomad 2005). By late 2003, the growth and success of Internet Bank phishing attacks brought the phishers 86 difficulties in themselves illicitly using all the captured credentials they had obtained and so, like credit card numbers, these too were on-sold in the cybercrime market. The rise of banking Trojans (particularly the less discriminating ones which key logged all sorts of credentials) brought the availability of an even greater number of Internet banking credentials. Drawn from the customers of Banks all over the world (sometimes not targeted by the phishers), phishing groups, to whom they became available, sold them in the cybercrime market. Other items of use for phishing attacks and other cybercrime were also bought and sold, including email lists for spamming, e-mail servers for sending the spam, proxies to hide the source of activity and other compromised systems. More technical products such as new exploit code, Trojan code and assembled botnets were also bought and sold. Table 4.1 below shows an example of the pricing of various goods and services offered for sale. Table 4.1: Goods and services offered for sale on an underground economy IRC market (Herly 2010) 4.4 Commoditisation of Credentials In the cybercrime marketplace, captured credentials became a common commodity for trade. What in effect had been established was a factoring business in credentials. As in debt factoring, phishers came to sell credentials for a portion of the potential total proceeds their illicit use could deliver. On some estimates, sales prices were as little as 5% of the face value (Holt 2006; Franklin 2007; Herly 2008) to someone who will cash in the credentials using Internet money mules and a transfer agent like Western Union to repatriate the funds. Other research (Herly 2010) suggests because the bottleneck is in recruiting Internet money mules and this part of the process is key to its success, it should be the focus of response efforts. Chapter 6 examines this and other similar strategies suggested as more effective counter-measures than the technical controls where a majority of resources are currently directed. 4.5 Analysis To better understand phishing and related cybercrime this chapter looks more closely at some of the channels where stolen credentials and other items are traded. For the research, titles of IRC channels on the undernet.org (a popular underground IRC server) were obtained. From earlier research it was known the channels were often rather obviously named, with names like #bank, #creditcards etc. From these channels, the “nicks” (nicknames) of users advertising cybercrime goods and services were identified. Other channels where these nicks operated were then examined. Using this method, two highly active channels “#cc power” and “#cashers” were 87 identified and logged in full for a 24 hour period. Figure 4.2 below shows a selection of “#cc power” IRC channel on 16 June 2009. From analysis of this data an initial methodology for further understanding of how credentials are traded in online marketplaces was developed and is described in section 4.7 under the title "A methodology for analyzing the credential marketplace". While only English and Romanian messages were present, it is assumed Russian speakers communicate in English on these channels due to incompatibility of their character set and may also use Russian-only language channels for other trade. Further research could look for features of English spoken by native Russian speakers in these channels to see if this assumption holds true. Figure 4.2: Transcript of “#cc power” IRC Channel, on 16 June 2009 4.6 Conclusion This chapter has examined the online cybercrime marketplace and its role in supporting phishing and related cybercrime. The factoring of credentials is an important aspect of phishing as it allows for greater specialisation. Specialisation facilitates more research into circumventing various bank authentication systems by phishing groups, while “Executives” worry about the human factors, the 88 Internet money mules and the movement of money via Western Union and Moneygram. It also means a lower entry price as groups coming into Phishing do not require all the skills required and can focus on one area and purchase or trade for the other services. The operation of the cybercrime market means some bank credentials are worth more than others, if they are more easily cashed and thus a higher portion of the face value can be realised. Abad (2006) observes: It is no surprise that Washington Mutual, Key Bank, and various other institutions are at the top of phishers’ lists. The tracking algorithms for these financial institutions are easily obtained from within the phishing economy, while Bank of America, a huge financial institution, is nearly off phishers’ radar because their encoding algorithm is very hard to obtain or crack. According to statements by phishers, it may be based on Triple–DES, a strong encryption algorithm. (Abad 2006) A measure of the effectiveness of a bank’s counter measures would therefore be its credentials are worth less in the cybercrime market. Measuring these values may well help validate the effectiveness of the counter-measures each institution takes. The next chapter examines further supporting data for the attribution of phishing and related cybercrime to Eastern Europe, by examining the features within available phishing artefacts and, in particular, within phishing emails. 4.7 References Watters, P. A. and S. McCombie (2011). "A methodology for analyzing the credential marketplace." Journal of Money Laundering Control 14(1): 32-43. 89 The current issue and full text archive of this journal is available at www.emeraldinsight.com/1368-5201.htm JMLC 14,1 A methodology for analyzing the credential marketplace Paul A. Watters 32 Internet Commerce Security Laboratory (ICSL), University of Ballarat, Ballarat, Australia, and Stephen McCombie Centre for Policing, Intelligence and Counter Terrorism (PICT), Macquarie University, Sydney, Australia Abstract Purpose – Cybercrime has rapidly developed in recent years thanks in part to online markets for tools and credentials. Credential trading operates along the lines of a wholesale distribution model, where compromised credentials are bundled together for sale to end-users. Thus, the criminals who specialize in obtaining credentials (through phishing, dumpster diving, etc.) are typically not the same as the end-users. This research aims to propose an initial methodology for further understanding of how credentials are traded in online marketplaces (such as internet relay chat (IRC) channels), such as typical amounts charged per credential, and with a view to preliminary profiling, especially based on language identification. Design/methodology/approach – This research proposes an initial methodology for further understanding of how credentials are traded in online marketplaces (such as IRC channels), such as typical amounts charged per credential, and with a view to preliminary profiling, especially based on language identification. Initial results from a small sample of credential chatroom data is analysed using the technique. Findings – The paper identified five key term categories from the subset of the 100 most frequent terms (bank/payment provider names, supported trading actions, non-cash commodities for trading, targeted countries and times), and demonstrated how actors and processes could be extracted to identify common business processes in credential trading. In turn, these elements could potentially be used to track the specific trading activities of individuals or groups. The hope in the long-term is that we may be able to cross-reference named entities in the credential trading world (or a pattern of activity) and cross-reference this with known credential theft attacks, such as phishing. Originality/value – This is the first study to propose a methodology to systematically analyse credential trading on the internet. Keywords Fraud, Theft, Crimes Paper type Research paper Journal of Money Laundering Control Vol. 14 No. 1, 2011 pp. 32-43 q Emerald Group Publishing Limited 1368-5201 DOI 10.1108/13685201111098860 I. Introduction Transational and organized crime represent a serious threat to the social and political norms of nation-states and their structural cornerstones, such as banks and other financial institutions. Typically, such groups avoid politics to focus on generating revenue and profit, the impact of their operations is far from victimless – corruption, conflict and unchecked violence can lead to the collapse of civil society (Sullivan and Bunker, 2002). Organized crime entrepreneurs such as the Russia Mafiya have been This work was supported in part by the Australian Federal Police, Westpac Banking Corporation, IBM, the State Government of Victoria and the University of Ballarat. 90 quick to identify opportunities for fraud the now ubiquitous internet provides (McCombie et al., 2009). Early cybercrime was about youthful exploration and “bragging rights” but now the motive is criminal profit (McCombie et al., 2008). Organized crime can target victims anywhere in the world while remaining based in their home countries outside of the reach of western law enforcement. They do this by taking advantage of the weaknesses in the nature of internet, cross-border policing and the relatively open nature of global financial systems (McCombie and Pieprzyk, 2010). Cybercrime is supported by extensive markets for goods and services to support this criminal activity. You can go online and purchase vulnerabilities, exploit code, botnets and other tools to commit cybercrime. In addition, the fruits of this cybercrime are also available in these online markets (McCombie et al., 2008). Compromised credentials are a commodity. Such is the specialization some individuals and groups focus just on “cashing out” compromised credentials. That is using those credentials to commit online fraud and launder the proceeds back to another jurisdiction..This paper concerns the analysis of one of the most insidious “products” that are bundled and sold openly through internet-based marketplaces – those sets of credentials that can be used to operationalize identity theft and subsequent identity fraud on a large-scale. The credential marketplace provides a mechanism for “suppliers” of credential “products” the means to on-sell these at a wholesale level to interested parties. The marketplace is extremely liberal and attractive to suppliers: it is largely anonymous, operates transitionally, and there are no fees, charges or taxes levied. The structure can evolve rapidly in response to law enforcement operations, and provide an excellent example of an asymmetric threat, operated by small numbers of players through a network structure, which can resist hierarchically organized nation-states and coalitions (Arquilla and Ronfeldt, 2001). The wholesale trade in credentials is a serious concern for law enforcement, as it provides a mechanism for large-scale attacks to be undertaken against sets of typically aggregated targets. Credential trading can potentially occur on any online forum; in this paper, we focus on trading activity conducted through internet relay chat (IRC) channels, since IRC provides a ready and somewhat anonymous means for suppliers and consumers to interact and “meet” each other, although social networking, web sites and secure portals are all potential sources for “dealing”. On IRC, users identify themselves using an arbitrary “nick” (name) (Bechar-Israeli, 1995) and connect to a specific channel, where public messages can be broadcast to all members of the channel who are monitoring it. Private messaging is also supported. The goal of this paper is to outline a methodological approach for analyzing the credential marketplace. Given the ever-shifting nature of the marketplace, it is difficult to provide definitive answers to who trades credentials, but we believe that – by using a systematic methodology – at least some of the parameters of credential trading can be estimated over time. II. Procedure for analysis A. Approach The methodological approach is based on simple text analysis, and integration between a number of different analytical tools. We believe that the functional requirements for each sub-system can be articulated; however, the accuracy of each sub-system will affect The credential marketplace 33 91 JMLC 14,1 34 the overall performance of the system, and our preliminary results indicate that further refinement is required, especially in the area of language identification from small samples. The approach begins with a log of IRC samples from channels known to be involved in credential trading. Once these channels have been identified, all public activity can be logged. Once sufficient data have been logged from the channels, three key pieces of data can be extracted: (1) the user’s “nick”; (2) time/date of posting; and (3) message content. This modest data segmentation can be used to analyze the data in any number of ways, including: . Counting the number of times a specific “nick” has posted any message during a certain time period. . Counting the number of times a specific “nick” has posted the same message during a certain time period. . Counting the number of times a specific entity is named during a certain time period, such as a bank name, or credit card name. . Identifying which terms are likely to characterize credential trading activity using term frequency analysis. . Examining lexical patterns in messages to determine the highest frequency combinations of terms that might indicate specific types of trading. . Identifying the language(s) used in each message, and determining the proportion that certain languages were used during a certain time period. In the following sections, we outline some approaches to applying several of these techniques to credential trading from IRC logs, before illustrating how they can be applied to real data. B. Term frequency analysis Term frequency analysis involves translating each message into a message £ term matrix, and incrementing the appropriate matrix entry each time a token matching that term is encountered after parsing each message (Spärck Jones, 1972). By adding all frequencies for each message, a term-frequency list can be generated and sorted in descending order. The frequency of terms will likely follow Zipf’s Law (Eftekhari, 2006), i.e. the rank of the term will be inversely proportional to its frequency. After words from a “stop list” are applied to this list, the residual most frequent terms can be considered to characterize the terms involved in credential trading. If these terms are compared to term lists from non-credential trading activity, it may be possible to establish prior probabilities and employ Bayes’ Theorem to build a reliable classifier (Ho and Watters, 2004). Such a classifier could be used as part of a crawler to flag web sites, IRC logs or other unstructured text databases which may be related to credential trading. 92 C. Lexical pattern analysis Lexical analysis goes beyond term frequency analysis and investigates term collocation, where various statistical measures (such as the log-likelihood score) can be used to determine whether collocated terms are of interest. In the context of credential trading, we propose to examine the most significant n-grams of the most frequent terms extracted from the term frequency analysis. This should provide more syntactic insight into the mechanics of the offer process that traders are utilizing. For example, if the term “BankX” is frequent, then examining a 5 gram might reveal patterns of trading such as “cashout BankX for money orders” or “5,000 BankX cardnumbers for $10,000”. If sufficient data can be aggregated, over specific time periods, then the details of the trading activity could be potentially be characterized quite accurately. In addition, it may be possible to derive business processes by extracting terms that represent static feature elements as proposed by Stabek et al. (2009). For example, if the terms “scam”, “money transfer”, “bank” and “phishing” were collocated, then these could potentially be sequenced to infer a standardized business process. D. Geographic profiling If we can profile the type of “trades” that occur using n-gram analysis, a further extension to the methodology would be to begin determining the geographic distribution of the traders. This technique has been successfully used in Australia to build a preliminary geographic profile of money mules (Aston et al., 2009). While it may be possible to gather IP addresses, the use of anonymization techniques makes it difficult to trace these with any level of reliability. However, by observing IRC logs, we have noted that there is a diverse range of language groups represented; by performing automatic language identification, it may be possible to link the messages to specific region(s) where that language is spoken. This may be important in understanding the threat profile for “BankX” and could assist with their decision making with regarding to more targeted intelligence gathering, counter-measures and/or prosecution. For example, expected geographic and/or linguistic profiles could be generated from close examination of the structure and operating bases of known organized crime groups (McCombie et al., 2009). III. Results A. Data To illustrate the utility of this methodology, preliminary data were obtained from eight known IRC credential trading channels which were monitored for a period of two days, providing a total of 3,165 messages. The logged output from these channels was then aggregated and analyzed using the techniques described in Section II. B. Term frequency analysis The top 100 terms are shown in Table I, along with their respective frequency counts. No stopwords were removed from the list, but literal numbers have been deleted. A simple categorization scheme can be derived from examining the most frequent terms: (1) names of banks or payment providers {egold, chase, WellsFargo, boa, paypal}; (2) actions supported in trading {cashout, billpay, split, selling}; (3) non-cash commodities {logins, root’s, uid, gid}; The credential marketplace 35 93 JMLC 14,1 36 Table I. Term-frequency analysis Frequency Term 2,398 2,336 1,847 1,845 1,254 1,251 1,137 1,124 1,053 891 791 746 728 703 700 675 661 652 649 624 610 610 608 597 595 592 587 585 585 574 566 563 563 562 561 561 561 561 561 561 561 561 473 385 383 286 275 271 261 254 I also cashout can has for US UK me msg in share your need is bank fresh info or joined IRC quit deal egold logins good more minutes us uk sell w billpay cvv’s BANKS tf supplier longterm 300 þ msr206 fulls plasticards email net split ebay care extractor and , Bankers . (continued) 94 Frequency Term 248 240 227 226 223 222 187 185 175 165 150 138 138 137 129 126 122 121 118 112 107 107 105 105 105 103 103 103 103 100 99 99 99 99 99 98 97 96 95 95 93 92 91 87 87 84 82 81 78 78 urgent are any Dany^user ` cumpar sa , Bankz . chase de prv visa pe si php WellsFargo , Spay . boa with full sets mode mid scot america day BLACKMARKET if cashier com root’s uid up gid , Trader . e b11Selling pick name b 11 by of out pm paypal zumer cu mail U TheAnt Crowler The credential marketplace 37 Table I. 95 JMLC 14,1 38 (4) targeted countries {US, UK}; (5) credentials to be traded {cvv’s, visa, zumer, ebay}; and (6) time {pm, urgent, minutes, longterm}. C. Lexical pattern analysis Taking the terms that fall under each of the categories identified in the previous section, we now analyze lexical patterns using n-grams for key terms, and extracting the top 5 items (based on frequency). Initially, though, it is useful to take a global view of phrases and their frequencies in the data. Table II shows the top 5 n-grams for n ¼ 1, 2, . . . 5. (1) Names of banks or payment providers. Bi-grams were calculated for the terms {egold, chase, WellsFargo, boa, paypal}. As an illustration, Table III shows the top 5 n-grams for n ¼ 5 and the term “paypal”. It is interesting to note the collocation Frequency Table II. Lexical pattern analysis Table III. Lexical pattern analysis – banks or payment providers n¼2 2,319 1,138 822 727 634 n¼3 1,122 634 610 585 577 n¼4 567 567 561 561 561 n¼5 567 561 561 561 561 Collocation I also also cashout msg me your share share is I also cashout your share is has quit irc in 15 minutes can cashout fresh me for more info msg me for more cashout fresh us uk fresh us uk cvv’s also cashout bank logins msg me for more info need good supplier for longterm good supplier for longterm deal is 80 I also sell longterm deal msg me for Frequency Collocation 21 21 13 13 13 chase paypal ccbill com scam paypal ccbill com scam page mailer ccvs paypal wu bugs ccvs paypal wu bugs drops paypal wu bugs drops im Note: n ¼ 5 96 of terms and how they suggest scam business processes: compromised bank or payment provider accounts associated with means of communication (e.g. im) and/or means of cashing out (e.g. drops). (2) Actions supported in trading. Taking the terms that fall under each of the categories identified in the previous section {cashout, billpay, split, selling}, we now analyze lexical patterns using n-grams. As an illustration, Table IV shows the top 5 n-grams for n ¼ 5 and the term “sell”. In this example, a magentic stripe reader (MSR206) is being offered for sale with 300 plastic card blanks. (3) Non-cash commodities. Taking the terms that fall under each of the categories identified in the previous section {logins, root’s, uid, gid}, we now analyze lexical patterns using n-grams. As an illustration, Table V shows the top 5 n-grams for n ¼ 5 and the term “root’s”. Here, the seller is trying to trade access to compromised webserver accounts with full root (UID ¼ 0) access, typically of interest to phishers. (4) Targeted countries. Taking the terms that fall under each of the categories identified in the previous section {US, UK}, we now analyze lexical patterns using n-grams. As an illustration, Table VI shows the top 5 n-grams for n ¼ 5 and the term “uk”. Frequency Collocation 561 561 561 561 561 is 80 I also sell 80 is also sell msr206 i also sell msr206 w also sell msr206 w 300 sell msr206 w 300 plasticards Note: n ¼ 5 Frequency Collocation 99 99 4 4 2 selling root’s with php and root’s with php and uid 22 31 selling root’s with 31 selling root’s with php 22 36 selling root’s with Note: n ¼ 5 Frequency Collocation 561 561 561 561 561 uk us banks uk can logins uk us banks uk bank logins uk us banks cashout bank logins uk us also cashout bank logins uk Note: n ¼ 5 The credential marketplace 39 Table IV. Lexical pattern analysis – supported actions Table V. Lexical pattern analysis – commodities Table VI. Lexical pattern analysis – countries 97 JMLC 14,1 40 Here, the trader is looking to trade UK and US bank logins and offering to cashout illicit funds transfers. (5) Credentials to be traded. Taking the terms that fall under each of the categories identified in the previous section {cvv’s, visa, zumer, ebay}, we now analyze lexical patterns using n-grams. As an illustration, Table VII shows the top 5 n-grams for n ¼ 5 and the term “visa”. This group of n-grams is notable because of the use of Romanian as the means of communication; our observation is that Romanian is most commonly used alongside English to conduct these transactions. “pentru orice fel de visa” means “for any visa”, as an example. (6) Time. Taking the terms that fall under each of the categories identified in the previous section {pm, urgent, minutes, longterm}, we now analyze lexical patterns using n-grams. As an illustration, Table VIII shows the top 5 n-grams for n ¼ 5 and the term “pm”. Clearly, there is usually a sense of urgency associated with each mention of pm – “same day”, “mail”, etc. all highlight the pressing need to convert compromised credentials into cash. D. Geographic profiling As an example, we analyzed one of the channel session logs, during which there 39 unique entries, of which 71 per cent were English, and 29 per cent were Romanian (using manual identification, to create a labeled dataset). For each entry, we used a leading commercial language identification tool to identify the language. In 52.5 per cent of the cases, the language was correctly identified, and in 47.5 per cent of the cases, an incorrect identification was made. The average accuracy (as self-reported by the tool) was 42.3 per cent, which is less than the actual accuracy. Although only Romanian and English messages were present, Yapese, Interlingue, Flemish and Somali were also identified. The results are shown in Table IX, including details of the actual language, the identified language, the accuracy, and whether the assessment of the language was correct. Table VII. Lexical pattern analysis – credentials Table VIII. Lexical pattern analysis – time Frequency Collocation 69 37 37 37 37 visa full info dar sa pentru orice fel de visa orice fel de visa full fel de visa full info de visa full info dar Note: n ¼ 5 Frequency Collocation 73 73 70 70 70 in same day pm fast clean in same day pm pm fast or mail me day pm fast or mail same day pm fast or Note: n ¼ 5 98 Actual language Identified language English English English English English English English English English English English English English English English English English English English English English English English English English English English English Romanian Romanian Romanian Romanian Romanian Romanian Romanian Romanian Romanian Romanian Romanian None Ateso Ateso Somali None Yapese Interlingue Flemish None English English English English English English English English English English English English English English English English English English English English English English English English English English English English English English Accuracy (%) 0 14 14 15 0 21 25 16 0 49 56 53 81 45 32 45 63 37 53 44 55 48 46 65 53 79 98 41 55 55 55 55 55 32 55 23 35 27 55 Correct? No No No No No No No No No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No No No No No No No No No No No We have no doubt that the language identification tool we selected was robust and in wide use. However, given that the entries for analysis are typically around 10-30 words in length, it may be that this tool (or any tool) is only suitable for use with messages of this length (approximately Twitter-length). Clearly, there is a need for tools which can perform linguistic profiling on short texts, and there is currently some work in this area which shows promising results (Layton et al., 2010). IV. Discussion In this paper, we have presented a preliminary methodology for automatic analysis of credential trading systems, with a view to identifying the major types of activity present The credential marketplace 41 Table IX. Language identification analysis 99 JMLC 14,1 42 in the data, as well as investigating how the data could be used to identify business process elements, including geographic profiling of actors (such as traders and sellers). By using term frequency analysis, we were able to extract highly frequent terms from an IRC credential trading corpus, and use these terms as seeds for collocation analysis using n-grams. We identified five key term categories from the subset of the 100 most frequent terms (bank/payment provider names, supported trading actions, non-cash commodities for trading, targeted countries and times), and demonstrated how actors and processes could be extracted to identify common business processes in credential trading. In turn, these elements could potentially be used to track the specific trading activities of individuals or groups. The hope in the long term is that we may be able to cross-reference named entities in the credential trading world (or a pattern of activity) and cross-reference this with known credential theft attacks, such as phishing. Indeed, we have had some success in manually identifying highly discriminating features from phishing e-mails, such as time periods and timezones, which could enhance criminal profiling (McCombie et al., 2008). However, these techniques rely on manual feature extraction; we must be able to automate such processes to make them effective. Following from the term-frequency analysis, we also investigated automated language identification of IRC credential trading messages. In this analysis, we identified a major issue for automating the process – the accuracy of language identification in messages of short length. This will continue to be a significant barrier to the automation of profiling messages of this nature; however, it may be possible to build more accurate language classifiers using a Bayesian approach, where the prior probabilities of languages being present can be estimated. For example, in the logs we have manually analysed, we have only ever found English and Romanian messages, so a classifier could be seeded with the expectation that mostly English and Romanian text will be seen (and not Yapese or Somali). References Arquilla, J. and Ronfeldt, D. (Eds) (2001), Networks and Netwars: The Future of Terror, Crime, and Militancy, RAND, Santa Monica, CA. Aston, M., McCombie, S., Reardon, B. and Watters, P.A. (2009), “A preliminary profiling of internet money mules: an Australian perspective. uic-atc”, Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, Brisbane, Australia, pp. 482-7. Bechar-Israeli, H. (1995), “From , Bonehead . to , cLoNehEAd . : nicknames, play and identity on internet relay chat”, Journal of Computer-Mediated Communication, Vol. 1 No. 2, available at: www.usc.edu/dept/annenberg/vol1/issue2/bechar.html Eftekhari, A. (2006), “Fractal geometry of texts”, Journal of Quantitative Linguistics, Vol. 13 Nos 2/3, pp. 177-93. Ho, W.H. and Watters, P.A. (2004), “Statistical and structural approaches to filtering internet pornography”, Proceedings of the IEEE Conference on SMC, Hague, pp. 4792-8. Layton, R., Watters, P. and Dazeley, R. (2010), “Authorship attribution for Twitter in 140 characters or less”, Proceedings of the 2nd Cybercrime and Trustworthy Computing Workshop, pp. 1-8. McCombie, S. and Pieprzyk, J. (2010), “Winning the phishing war: a strategy for Australia”, Proceedings of the 2nd Cybercrime and Trustworthy Computing Workshop, pp. 76-86. 100 McCombie, S., Pieprzyk, J. and Watters, P.A. (2009), “Cybercrime attribution: an eastern European case study”, Proceedings of the 7th Australian Digital Forensics Conference, WA. McCombie, S., Watters, P.A., Ng, A. and Watson, B. (2008), “Forensic characteristics of phishing – petty theft or organized crime?”, Proceedings of WEBIST, pp. 149-57. Spärck Jones, K. (1972), “A statistical interpretation of term specificity and its application in retrieval”, Journal of Documentation, Vol. 28 No. 1, pp. 11-21. Stabek, A., Brown, S. and Watters, P.A. (2009), “The case for a consistent cybercrime classification framework”, Proceedings of the 2009 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, Brisbane, pp. 523-30. Sullivan, J. and Bunker, R. (2002), “Drug cartels, street gangs and warlords”, Small Wars & Insurgencies, Vol. 13 No. 2, pp. 40-53. To purchase reprints of this article please e-mail: reprints@emeraldinsight.com Or visit our web site for further details: www.emeraldinsight.com/reprints The credential marketplace 43 101 Figure 5.1: Grouping Features in Phishing Email Header including +0300 and Windows-1251 Phishing the Long Line: Transnational Cybercrime from Eastern Europe to Australia. Chapter Five Forensic Analysis of Phishing Artefacts for Features of Eastern Europe 102 CHAPTER FIVE: FORENSIC ANALYSIS OF PHISHING ARTEFACTS FOR FEATURES OF EASTERN EUROPE 5.1 Introduction The previous chapter examined the cybercrime market which supports phishing and related cybercrime by providing a market for the tools and proceeds of cybercrime. This chapter analyses phishing emails and other phishing artefacts in an effort to group them and also identify any ethnographic features which support the view that phishing and related cybercrime against Australia is primarily an Eastern European phenomenon. Initial research in 2006 and 2007 focused on seeing if empirical data collected on phishing attacks supported the view that they primarily came from Eastern Europe. The first step, however, was to see if there was any correlation between attacks at this level or whether they appeared to be all discrete attackers. For that research an archive of attacks against one Australian financial institution (which wishes to remain anonymous) was obtained, which detailed every known Phishing attack against that organisation during July 2006. As this chapter describes, ultimately that collation and analysis, supplemented by subsequent research, identified particular grouping features commonly-used and other strong indicators in confirmation that the majority of those attacks had in fact originated in Eastern Europe. The most revealing features in this sense were the Windows Character Set-1251 and the +0200, +0300 and +0400 time zones. 5.2 Methodology The initial research focused on incidents targeting one financial institution in Australia in July 2006. That data was gathered by the bank’s response team, the Internet banking support team, from customers’ reports, reports from other banks and from law enforcement. While it can not be claimed every attack against the institution during that month was included, it is reasonable to assume the great majority were captured by one of these methods. Apart from reports from directly affected customers and other email users, the response team monitored a number of other sources of information on potential attacks. These included the email gateway for undeliverable messages from phishing emails sent to non-existent addresses, e-mail to all of the institution’s domains and from e-mail accounts subscribed to spam lists with various webmail providers specifically for the purpose of monitoring phishing. Data collected included multiple copies of the phishing e-mails including the full header information, details of the phishing site (including the html of the pages in many cases) and the date and time and source of detection. A total of 71 incidents, occurring between 1 July 2006 and 31 July 2006, were examined. An incident was defined when a unique phishing URL was used. Thus each Phishing URL, whether used twice or subsequent times, was considered a single incident. While attacks observed after July 2006 sometimes used multiple URLs, at this time that was not the practise and each attack was relatively discrete from an attacker and victim viewpoint. The archival research, examining closely the incidents of one month for one institution, effectively provided a more accurate picture of the scope of attacks than would have any 103 attempt to cover the attacks on all institutions over the same or a longer period which, practically, could only hope to examine no more than a small percentage of the total. 5.3 Phishing Artefacts Useful in Grouping When planning the research exercise, items such as the e-mail source IP and specific content features of the phishing sites were envisaged as key to grouping. However, they ended up being largely irrelevant or of limited significance in the process. The X-Mailer type in the email header, which is designed to designate the email client software used to create the email type, was particularly important. Ironically, with Group 3 the X-Mailer type was obviously faked, which can often be the case with spamming programs such as Sendsafe (McCombie 2009), however, they used a non-existent designation for the type of email client. Thus this invalid X-Mailer became a signature of that group. Examples of features used to group the e-mails seen in July 2006 are shown in Figure 5.2 below. Even valid but rare X-Mailer types seen repeatedly were useful for grouping. Another useful feature was common misspelling or typographical errors, tending to indicate that English was not the first language of their authors. Another key grouping value was the URL itself, which often used the same file name and directory path. This was despite the Phishing sites being located on completely different servers and domains, e.g. http://randomserver.randomdomain/secure/index.php, being a feature of Group 4. The common attributes of the three major groupings, groups one, three and four, which accounted for 61 of 71 incidents, are described in the below tables. For more detail, see section 5.7. 104 Figure 5.2: E-mail from Group 3 with grouping attributes highlighted 105 Figure 5.3: E-mail from Group 1 with grouping attributes highlighted 106 Table 5.1: Features of Group 1 Base 64 Encoded Subject ContentType Regular verification of text/plain Internet Banking Account X-Mailer Type: Body Time Zone Common Typo Error Frequency Microsoft Outlook Express V6.00.2900.2180 +0300 bellow 30/71 Table 5.2: Features of Group 3 Common URL Structure ContentType Common Typo Error Character Code Frequency /somebank.com. au text/html We have asked few additional information Windows-1251 13/71 Table 5.3: Features of Group 4 Common Sender Subject SomeBank Online Access <access@someba Agreement nk.com.au> Update 5.4 Common URL Structure ContentType Sending MTA Type Frequency /secure/index.php text/html Exim 18/71 Ethnographic Features 5.4.1 Windows Character Set Amongst the values already discussed is the character set Windows-1251 which is significant from an ethnographic perspective. Windows-1251 was developed for the Russian version of Windows 95 by Microsoft (Microsoft 2000) to deal with the Cyrillic alphabet, used in a number of Eastern European countries including Russia and the Ukraine (See Figure 5.5). While it was a value not seen in any great quantity in the July 2006 attacks, it was feature of Group 3. In addition, where any character value did appear, it was in the majority of cases Windows-1251. A different Phishing e-mail corpus made available by Jose Nazario of Phishing incidents from November 2005 to August 2007 was examined to see if this value was present. In particular, examination occurred of what is described by Nazario as “Phishing Corpus 2”, which contains 1423 phishing email messages from November 15, 2005 until 7 August, 2006 and “Phishing Corpus 3”, which contains 2279 phishing email messages from 7 August 2006 to 7 August 2007 (Nazario 2008). As can be seen in Figure 5.4, character set Windows-1251 accounts for the significant majority in both Phishing Corpus 2 and 3, accounting for 693 of the 904 phishing emails with any Windows character value in “Phishing Corpus 3” and for 376 of the 402 phishing emails with any Windows character value in “Phishing Corpus 2”. It should be noted, however, the Nazario corpus was gathered within the United States and made no effort to focus specifically on Australian banks, although they are included. 107 Figure 5.4: Windows Character sets from Nazario Phishing corpus 2 & 3 Figure 5.5: Windows Character Set 1251 (Microsoft 2010) A re-examination of the phishing artefacts from the first incidents in 2003 also showed this feature. Figures 5.6 and 5.7 illustrate examples of the character set Windows-1251 being used in an email in those first attacks on Internet Banks. The two emails are from the phishing attack on the Bank of America which occurred on 12 May 2003 and the attack on Westpac on 4 July 2003. 108 Figure 5.6: Header from Phishing email on Bank of America 14 May 2003 (McCombie 2008) Figure 5.7 Header from Phishing email on Westpac 4 July 2003 (McCombie 2008) 5.4.2 Time Zone When sending emails, an email client programs often place the time zone at the end of the “Date:” field, i.e. “Date: Wed, 27 Apr 2011 10:05:57 +1000”. While this does not happen in every case, when it does, the time zone set by the originating system can be instructive. Of course, as with many other email features this can be faked but, on the other hand, it is also not obvious to the sender. Figure 5.8 shows the world time zones. Of particular interest are the times used in Eastern Europe and western Russia. They are +0200 (Eastern European Time), +0300 (Eastern European Summer Time, Moscow Standard Time) and +0400 (Moscow Daylight Time). In the examination of the time zones in the July 2006 Phishing incidents, “+0300” was present in 32 incidents, “+0200” in 4 incidents and “+0400” in 4 incidents. The three values accounted for 40 of 62 incidents where a time zone was present. As that was during the period when summer time was invoked, the time zone +0300 was applicable for Eastern Europe and +0400 for western Russia. 109 Figure 5.8: Time zones of the World (http://www.lib.utexas.edu/maps/world_maps/time_zones_ref_2005.pdf) The +0300 time zone was also present in the first phishing attack in 2003 on the Commonwealth Bank of Australia. An extract of an email used in the first Internet bank attack on Commonwealth Bank on 17 March 2003 is in figure X. Being March, when summer time is not effective, the expected time zone would be +0200 for Eastern Europe and +0300 for western Russia. Figure 5.9: Selection from Phishing email for Commonwealth Bank 17 March 2003 showing +0300 time zone. 5.5 Temporal Analysis of Attacks For the July 2003 data the time of day that the 63 attacks occurred, where the time was available, was examined (see figure 5.10 below). This was based on the receiving time of the SMTP server to which they were sent, as recorded in the e-mail header, which is relatively reliable. In the time from midnight to 9.37am Australian Eastern Standard Time (AEST) there were 45 incidents and from 6.37pm to midnight AEST, a 12 further incidents. However from 9.37am to 6.37pm AEST (covering AEST normal business time, only six incidents occurred, (three within 17 minutes). If we convert to Eastern European Summer Time (EEST) this means the less active period was between 2.37am (EEST) to 11.37am (EEST). The logical conclusion is obvious. Most of the attacks on Australians took place during normal waking hours and the least during normal sleeping times on the opposite side of the world, in Eastern Europe. 110 Figure 5.10: Timing of 63 Attacks in July 2006 by AEST where available 5.6 Conclusion The various features found in emails from the July 2006 incidents, the first Internet Bank Phishing attacks in 2003 and the Phishing corpus from Jose Nazario, illustrate empirically that the Phishing attacks have a strong nexus to Eastern Europe. Obviously, the techniques used for this analysis can be equally employed more broadly, affording equally informative intelligence in the pursuit of attribution of transnational cyber attacks. In the final chapter a phishing attack model of these groups is presented, a broader theory of cybercrime operations based on this work is proposed and options capable of being deployed to disrupt the phishing attack model are identified. And, importantly, the greatest weakness in the Phishing attack model is identified and it is argued a focus on this weakness is proffered to be more beneficial in countering this problem than the current reliance on technical controls. 5.7 References McCombie, S., Watters, P. , Watson, B. & Ng, A. (2008). “Forensic Characteristics of Phishing - Petty Theft or Organized Crime?” Fourth International Conference on Web Information Systems and Technologies. Funchal, Madeira, Portugal. 1: pp 149-157. 111 FORENSIC CHARACTERISTICS OF PHISHING Petty Theft or Organized Crime? Stephen McCombie, Paul Watters, Alex Ng and Brett Watson Cybercrime Research Lab, Macquarie University, NSW 2109, Australia {mccombie, alexng, brett}@ics.mq.edu.au, p.watters@nshd.mrc.ac.uk Keywords: Phishing, Attack Grouping, Organized Crime, Computer Crime, eCrime Forensics. Abstract: Phishing, as a means of pilfering private consumer information by deception, has become a major security concern for financial institutions and their customers. Gartner estimated losses in 2006 to phishing in the US were approximately USD$2.8 Billion. Little has been published on the forensic characteristics exhibited in phishing e-mail. We hypothesize that shared features of phishing e-mails can be used as the basis for grouping perpetrators using at least a common modus operandi, and at most, a level of criminal organization – i.e., we suggest that phishing activities are carried out by a small number of highly specialized phishing gangs, rather than a large number of random and unrelated individuals using similar techniques. Analysis of repeated phishing e-mails samples at a major Australian financial institution – using a criminal intelligence methodology - revealed that 6 groups, from a sample of 500,000 spam e-mails, could be uniquely classified by constructing simple decision rules based on observed feature sets, and that 3 groups were responsible for 86% of all incidents. These results suggest that – at least for the institution concerned – there appears to be a level of criminal organization in phishing attacks. 1 INTRODUCTION The hacking scene has, with the rise of phishing, been transformed in recent years from a culture based largely on youthful exploration, to one focused on criminal profit (Stamp et al,2007). APACS, the UK payments association, reported UK online banking fraud was GBP£33.5 million in 2006 (APACS, 2007). In January 2006, the Bulgarian National Services to Combat Organized Crime (NSCOC) agency arrested an organized ring of eight individuals who allegedly operated an international “phishing” operation (Technology News Daily, 2006). Considerable anecdotal evidence exists to suggest that other transnational organized crime groups are involved in phishing activities (Naraine, 2006). To date, there has been little research into the individuals and groups behind phishing, how they are organized, and what methods they use. To effectively combat organized (rather than petty) criminals, a greater understanding of the means, motives and opportunities is required. Of course, phishing may not be a major concern for organized crime, and even if there were specific criminal “signatures” that indicated a level of organization, these may simply reflect a common modus operandi, as much as the sharing of intelligence and coordination of activities. The goal of this paper is to present a first attempt at a new criminal intelligence methodology that aims to answer the question of how organized phishing groups are, in terms of modus operandi and coordination of attacks. To this end, we have investigated phishing attacks at a major Australian financial institution for two time periods (July and October 2006). The aim was not do a “breadth first” search of all targets of phishing, but to examine the characteristics of attacks against a specific target. The results presented below present a level of support for our hypothesis that there is a high level of organization in phishing attacks – at least for the institution concerned – but further will be needed to see if the results are generalizable to financial institutions as a group, and to other organizations at large. The first data set used in this study comprised a subset of identified phishing e-mails from a monthly “spam collection” in excess of 500,000 messages in July 2006. 71 unique phishing incidents were then 149 112 WEBIST 2008 - International Conference on Web Information Systems and Technologies identified. By examining these incidents using the method described below, we attempted to determine the level of organization for each attack, by examining their timing, and the relationship between each other. The method was then repeated for the October 2006 sample. 2 RELATED WORK The majority of existing research phishing has focused on areas such as studying user response to phishing e-mails (Dhamija et al, 2006)((Jagatic et al 2005), tools to model phishing attacks (Jakobsson 2005), and e-mail content filtering defense mechanisms against phishing activities such as the Barracuda Spam Firewall, Microsoft Phishing Filter and Symantec Brightmail Anti-Spam software. Abad (2005) studied the economy of phishing networks by analyzing e-mails and instant messages collected from key phishing-related chat rooms. However, his work did not look into the forensic information of those phishing e-mails. In regard to the research in analyzing the content of phishing e-mails for detection and classification purposes, both Chandrasekaran et al. (2005) and Fette et al. (2000) have focused on determining whether an e-mail is a phishing attempt or not. Ramzan and Wừest (2007) have focused on the trends seen in phishing attacks throughout 2006. The closest work to this research is reported by James (2005) that 48 distinct phishing groups were identified by analyzing the nature of the phishing emails and the phishing websites. The analysis framework, as it stands, relies primarily on characterizing and determining the frequency of certain features in the phishing e-mails using a type of authorship analysis, to determine forensic signatures. 3 METHODS Casual observations to date have been that incidents seem to be able to be grouped due to a large number of common characteristics. One well publicized group known as the “RockPhish” (McMillan, 2005) is well known by responders because of their distinctive style of attack. Thus, to answer our research question regarding the level of organization of phishing attacks, we have sought to make use of these distinctive features in developing a criminal 150 intelligence methodology for phishing, based on authorship analysis. Research in the mining of e-mail content for authorship analysis has a carried a long history since the advent of e-mail in the 1990s (de Vel, 2005). The application of authorship analysis is usually focused on collecting authorship characteristics to be used in the context of plagiarism detection. However, authorship analysis can also be applied to identify a set of characteristics that remain relatively constant and unique to a particular author – in this case, the hypothesized phishing gangs. To minimize systematic error and bias in making general observations across a range of different target sites, we focused on understanding the phishing attacks occurring at a major Australian financial institution. Two sets of e-mail spam data, of which phishing forms a subset, were analyzed (from July and October 2006). We initially applied the authorship analysis to the July data set, with the intention of testing the reliability from this sample to a later October sample. We were interested here in both the variation in techniques used as a function of time, and whether discrete groups could still be identified. In developing the criminal intelligence methodology, we primarily followed James’ (2005) work by investigating the following key items for identification: • Bulk-mailing tool identification and features. • Mailing habits, including, but not limited to, their specific patterns and schedules • Types of systems used for sending the spam (e-mail origination host) • Types of systems used for hosting the phishing server • Layout of the hostile phishing server, including the use of HTML, JavaScript, PHP, and other scripts • Naming convention of the URL used for the phishing site • IP address of the phishing site • Assignment of phishing e-mail account names • Choice of words in the subject line • The time-zone of the originating e-mail Building on this approach for each incident, where the data was available, the following features were also examined: 113 FORENSIC CHARACTERISTICS OF PHISHING - Petty Theft or Organized Crime? • The e-mail source including text used, metadata and header information in common across incidents were used to allocate an incident to a group. • The web pages and web hosts used including directory structure and files The grouping exercise identified six groups comprising 69 of the 71 incidents. The 6 groups were designated Group 1 to 6, and for the purposes of illustration, some general descriptions of the criteria that were used to select the groups are given below: • Any other characteristics which may have identified a link between separate incidents Based on feature similarity, the incidents were assigned a group number for each identified characteristic for the July dataset. Consideration was given to other causes of similarity, such as coincidental use of shared “phishing kits” (which might be the phishing equivalent of a rootkit), and spam-generating tools that may have produced similar footprints. Sets of rules based on these characteristics were used to produce a set of Perl scripts to analyze the October dataset. The data examined for each incident included the full e-mail header and body. The content and structure of the phishing site, WHOIS information for each IP and domain used, details of web server software, operating system and port banners for other services running, were then obtained. Gathering together all of the potentially relevant information – from common DNS registrants to spelling mistakes – allowed us to build up a highly detailed case file for each incident, which in turn provided a rich data source for unique classification of each incident by a hypothesized criminal group. 4 RESULTS The results below are presented with an ethical preface, in that some details of the investigative methodology have been simplified or omitted for the purpose of not revealing the exact modus operandi of the perpetrators. The goal here is to prevent alerting of the groups concerned (who may then change their techniques), and also to prevent other groups from adopting these techniques. Thus, in some cases, representative results that could be used to group the incidents have been presented, rather than compromising ongoing criminal investigations. 4.1 • The presence of distinctive phrases (especially spelling errors) in the message text. • The presence of HTML hyperlinks in the message text, with a URL matching a specific pattern. • The DCC checksums of the message text (indicative of identical text). • The presence of certain exact strings in header fields (such as "From", "X-Mailer", and "X-Priority"). • The matching of a specific pattern in header field values (such as the subject, messageID, and various e-mail address fields). • The structure of given header fields, where more than one element was available for use (such as "Received" and "To"). • The overall MIME structure of the message (such as "text/plain" and then "text/html" enclosed in "multipart/related"). Figure 1 shows the relative composition of each group, and indicates that two incident were unable to be grouped using our methodology. Significantly, 61 of the 71 incidents were attributed to just three groups 1, 3 and 4. Those three groups in percentage terms accounted for an astonishing 86% of all incidents. Group 5, 3, 4% Group 6, 2, 3% Unclassified, 2, 3% Group 1, 30, 43% Group 4, 18, 25% Grouping of Phishing Gangs A number of attributes including structural features, patterns of vocabulary usage, stylistic and substylistic features are common attributes being used in authorship analysis, were used to define groups in this study (de Vel et all, 2000). In all instances, at least three otherwise unrelated elements being used Group 3, 13, 18% Group 2, 3, 4% Figure 1: Distribution of Phishing Incidents among Groups in July 2006. 151 114 WEBIST 2008 - International Conference on Web Information Systems and Technologies 4.2 Values that Enabled Grouping Sub-groups within the spam corpus were identified by selecting several distinctive features of the kind described in Section 3. In this section we describe some of those criteria in more detail, and our quantitative findings. 4.2.1 Structure of Phishing Site The URL structure was one of the elements used to group the incidents. Initial grouping by e-mail header data was often confirmed in phishing site structure. It was initially thought that web elements of each attack may have been more useful in grouping. However, on reflection, many of the noncontent web site elements were dependant not on the phishing groups themselves, but the victims whose sites are compromised to host the phishing sites. We considered the possibility that phishing kits which consisted primarily of web content may be responsible for some similarities in URL structure and web content, but we would not expect to see similarities in e-mail values as well, as a result of using these kits. Based on the information available from the July corpus, we investigated the contents of 86 phishing sites such as: details of the phishing site’s URL, host IP address, domain registrant, domain registrar, country, NINS, CIDR, operating system, Web server type, the Web content and Charset used, and so on. Table 1: Commonly used words in the URLs of July 2006 phishing incidents. Commonly Used Words Occurrence Percentage Index 58 67% victimbank 48 56% (total 86 URIs) victimbankib 41 48% victimbankal 37 43% victimbankib/index.htm* 36 42% Php 24 28% Secure 18 21% Online 15 17% Cgi 13 15% agreement 12 14% Login 9 10% Table 1 summarizes some of the commonly used words found in the URLs of phishing sites. In 152 this example, the legitimate URL of the target’s website was victimbank.com. As expected, the word “victimbank” (56%) had a high occurrence. However, variations such as “victimbankib” (48%) and “victimbankib/index.htm” (42%) were also observed. The use of this particular pattern “victimbankib” suggests a common nomenclature originating from a specific group of phishers. To substantiate this claim, we examined other details such as IP address, OS, Web server type, etc. collocated with the “victimbankib” pattern, and found the following: • A particular range of class C IP subnet addresses range were frequently being used (28%). The result from a whois-search shows the IP range was managed by a particular Regional Internet Registry (RIR) in Europe. • There are also many IP addresses used were in the class A subnet range (34%). China 2% Germany 2% Russia 4% Canada 2% others 5% Korea 6% MultipleSites 11% USA 49% GreatBritain 19% Figure 2: Phishing sites by hosting country July 2006. Figure 2 shows that the USA (47%) and Great Britain (19%) were the top two most popular countries hosting phishing sites for the July 2006 sample. This indicates that ISPs in the USA and the UK are either more prone to hosting phishing attacks due to insufficient defense against phishing activities, or due to the vast numbers of ISPs available in these two countries. Additionally, in some 11% of cases, multiple sites were used. We believe this indicates a trend towards the nextgeneration of botnet-style hosting for phishing sites, which have been growing seen since this sample was gathered. Time of day is another possible fingerprint, When we examined Tuesday 18 July 2006 in detail (Table 8), 12 phishing incidents were observed, starting at 4.01am and continuing to 8.59am, then followed by a break of about ten hours, followed 115 FORENSIC CHARACTERISTICS OF PHISHING - Petty Theft or Organized Crime? again by three from 6.44pm to 7.39pm. This may be deliberate targeting of the victim users when they access their systems in the morning and first thing in the evening, or may again indicate the working schedule of the phishers themselves. through the compromised PC to the correct phishing Web page, depending on a special code specified in the e-mail link. The methodology resembles that used by the “RockPhish” group mentioned earlier. 4.2.2 E-mail Header Information Linux, 3, 6% Win32, 4, 8% Microsoft CDO for Exchange 2000, 2 ( 5%) Microsoft Outlook Express 5, 3 (7%) Microsoft Express 6.00, 7 (17%) Unix, 46, 86% Figure 3: Operating system used by the phishing sites July 2006. Time of day is another possible fingerprint, When we examined Tuesday 18 July 2006 in detail (Table 8), 12 phishing incidents were observed, starting at 4.01am and continuing to 8.59am, then followed by a break of about ten hours, followed again by three from 6.44pm to 7.39pm. This may be deliberate targeting of the victim users when they access their systems in the morning and first thing in the evening, or may again indicate the working schedule of the phishers themselves. Microsoft, 3, 5% Others, 2, 3% Apache, 61, 92% Figure 4: Web server types used by the phishing sites July 2006. In the October corpus, a new style of attacks were identified for a particular phishing group not seen in July. The group used a URL that spoofed "victimbank.com" and had a hostname component of "confirmationpage". They assigned each individual phishing URL a subdomain that was tied to an Internet address of a compromised computer under the phisher’s control. When a victim clicked on a link in the phishing e-mail, they would be routed Invalid Value 30 (71%) Figure 5: X-Mailer values used in the July 2006 phishing incidents. Our analysis showed that while values such as IP address source were interesting, they did not prove to be useful for classifying groups. However, some less obvious features were unexpectedly more useful for grouping. Two particular values associated with a particular group, the X-Mailer and the Date field time zone were observed only in phishing e-mails and never in any valid e-mail in the sample data (which included more than 500,000 spam messages). Figure 5 shows that Microsoft Outlook Express version 5 and 6 were the most widely used X-Mailer platform in the July phishing incidents. This result was confirmed in the October corpus, as shown in Table 2. One abnormality observed in the July corpus was the frequent occurrence of an invalid value (71%). 7,291 messages in the October corpus with this particular value and 3,680 of those messages targeting other victim organizations and were associated with other illegal activities, such as job scams. Thus, the X-Mailer value appeared to be the main fingerprint of the spam tool used by this particular group. Google searches using the X-Mailer values were subsequently used to identify other phishing messages posted to the web and newsgroups. As these values are still in use by phishing groups today, we are precluded from providing further details. 153 116 WEBIST 2008 - International Conference on Web Information Systems and Technologies Table 2: X-Mailer values in the October 2006 corpus. X-Mailer Microsoft Outlook Express Microsoft Office Outlook Internet Mail Service MIME-tools 5.503 (Entity 5.501) SquirrelMail/1.4.3a Calypso Version 3.30.00.00 Frequency Percentage 210,958 27.36% 58,339 7.57% Base64 string 8,885 1.15% 4,102 2,971 0.53% 0.39% 2,181 0.28% 4.2.3 E-mail Subject, Sender and other Text Values Table 3: Some commonly used Sender Address. Commonly used Sender address Table 4: Commonly used words in the subject line in the July 2006 phishing incidents. Frequency Percentage victimbank 53 75% access@ 14 20% Support@ 12 17% Security@ 8 11% Account@ 4 6% internet@ 2 3% Other e-mails values examined and used for grouping were the subject and sender values. While many phishing e-mails spoof the victim institution, some do use other e-mail addresses. As shown in Table 3, when spoofing the organization’s e-mail domain, there were many choices of username to spoof from the victim institution e.g.. support@victimbank.com, admin@victimbank.com, security@victimbank.com, or access@victimbank.com. While all these values are subject to copycatting, they can be used in conjunction with other more highly discriminating values to facilitate grouping. Table 4 shows the result of our analysis in the Subject line from the July corpus. A majority of the phishing e-mail subject lines used a Base-64 encoded character string (41%). This indicates a program-generated subject line. Commonly used word in the subject line Frequency Percentage 29 41% Update 21 30% Access 15 21% Agreement 15 21% Account 13 18% Victim Bank 11 15% Security 11 15% Internet 7 10% encoded Another commonly used word is “update” (30%) as contained in the subject: “Security Update Request” and “Agreement Update”. The third most commonly used word is “access” (21%), as contained in the subject: “Online Access Agreement Update”. The other commonly chosen words were “Account” (18%), “victim-bank Internet banking security message” (15%). 220,494 distinct subject line values out of the total 770,998 e-mails were found in the October 2006 corpus. 43% of the total corpus contains a delivery failure notification in the subject line. The October 2006 corpus also confirmed that phishing Group 1 was active in launching the attack with 3,611 messages (0.5% of the corpus) were identified targeting this particular financial organization. Table 5: Job offer scam launched by Group 1 in the October 2006 corpus. Subject # of Instances Job offer from BestTrade Group Job offer from SelfTrade Group Job offer U.F.I.S. PE Job offer from BidsTrade Group Job offer from BidsLoan Group Job offer from UnelTrade Group 108 101 96 59 44 35 Job offer from SelfPower Group Job offer from MetaBrand Group Job offer from XepsTrade Group 28 14 3 Interestingly, by using the signatures left by Group 1 in their phishing messages, another 3,280 154 117 FORENSIC CHARACTERISTICS OF PHISHING - Petty Theft or Organized Crime? messages were identified targeting other financial organizations including CitiBank, PayPal and Bank of America. It is logical to expect that money mule job scams of a kind have been perpetrated in conjunction with phishing attacks, again indicating a high level of organization through diversified criminal activity. This was confirmed with another 488 messages that started with "Job offer" in the message subject (Table 5). Moreover, we have also identified 238 ‘Nigerian 419 scam’ messages having the same signatures that belong to Group 1. These results indicate that phishing attacks are related to other crimes committed using e-mail. We also found 6,523 (0.9%) messages contained the subject line: “victim Bank official message”. This matched one of the key characteristics of the Group 6 phishers, although the subject lines found in the October corpus differed slightly with those found in the July corpus. Further investigation confirmed that these emails were originated from the same group. Other characteristics that confirm our grouping for this particular Group 6 are: • The e-mail structure is text/html; • The DCC Fuz2 value for the e-mail content is equal to a particular value; • The From field contains the common plain text “victimbank security”; and • The Sender field contains a particular user value. 4.2.4 DCC Fuz2 Checksum The Distributed Checksum Clearinghouse (DCC) is an anti-spam content filter (http://www.dccservers.net/dcc/) used by SMTP servers and mail user agents to detect spam messages. We applied DCC Fuz2 checksum on all messages in the October corpus and identified 560,801 distinct values. Some of the most frequent messages are listed in table 6. We found that both Group 1 and Group 2 phishing gangs were active in October 2006. Group 2 had launched separate attacks against this organization and another victim bank. Table 6: Most frequent messages identified by DCC Fuz2 checksum in the October 2006 corpus. Most frequent messages in October corpus Group 1 messages targeting this victim bank Group 2 messages targeting the victim bank "Replica" Spam messages Group 2 messages targeting another victim bank ED Spam Frequency 3611 2842 1657 1626 1395 4.2.5 Spelling and other Typographic Errors Another interesting aspect of many phishing e-mails is their grammar and spelling. A standard feature of many early phishing e-mails were their very poor grammar and spelling. Common errors include “statment”, “acount”, “fullfil” and “automaticly”. Many of these errors have now disappeared, but they are still a useful value to identify groups. In addition to clear spelling, grammatical errors and other typographic errors, unusual terminology is another useful grouping value. An example of this is a reference found in one group’s e-mails to a fictional entity the “National Anti-fraud Organisation of Australia” (Group 4). We found that a specific typographical error occurred in many phishing messages e-mails that could not be identified by a spellchecker. This is a strong indicator for the grouping of phishing messages to a particular group. Using that particular word to search in Google found that this particular word appeared in e-mails related to other activities such as the Nigerian 419 Scam and the eBay (VOLUME 2 of 3 Share) scam. 4.3 Phishing Incidents by Date and by Group Table 7 shows that phishing incidents seemed to occur at the midweek dates (Tuesday, Wednesday and Thursday), and the peak value occurred at a Tuesday (12 incidents). Most of the weekly peakincidents occurred on Thursdays. From Table 7 and Figure 6 we observed that some groups concentrated their attacks over shorter periods. For example, of Group 1’s 30 attacks, 29 occurred over two weeks in a period of five days, followed by a period of four days in the following week. In contrast, Group 3’s 13 attacks occurred over nearly the whole month on 11 different days. 155 118 WEBIST 2008 - International Conference on Web Information Systems and Technologies Table 7: Numbers of phishing incidents by day from Saturday 1 July 2006 to Monday 31 July 2006 categorized by identified groups. DATE 1-Jul-06 2-Jul-06 3-Jul-06 4-Jul-06 5-Jul-06 6-Jul-06 7-Jul-06 8-Jul-06 9-Jul-06 10-Jul-06 11-Jul-06 12-Jul-06 13-Jul-06 14-Jul-06 15-Jul-06 16-Jul-06 17-Jul-06 18-Jul-06 19-Jul-06 20-Jul-06 21-Jul-06 22-Jul-06 23-Jul-06 24-Jul-06 25-Jul-06 26-Jul-06 27-Jul-06 28-Jul-06 29-Jul-06 30-Jul-06 31-Jul-06 DAY 1 Saturday Sunday Monday Tuesday Wednesday 1 Thursday Friday Saturday Sunday Monday Tuesday Wednesday Thursday Friday Saturday 4 Sunday 4 Monday 6 Tuesday 2 Wednesday 1 Thursday Friday Saturday Sunday 3 Monday 2 Tuesday 4 Wednesday 3 Thursday Friday Saturday Sunday Monday Group Totals 30 2 3 4 5 6 UNCLASSIFIED DATE TOTALS 0 0 0 1 1 1 1 1 3 2 1 4 1 1 0 0 1 1 1 1 4 1 1 2 2 1 1 1 1 4 0 0 1 3 8 4 8 1 2 3 12 2 1 0 0 0 1 4 2 4 1 4 0 1 2 3 1 1 1 1 2 3 13 18 3 2 2 71 Another interesting aspect is the virtual weekend enjoyed by the phishers. While there are attacks on Saturdays and Sundays, there appears to be a break between weeks for most attacks because of the 11 incident free days for the month, they all fall in the Friday to Monday period. This indicates an organized work schedule, confirming the result obtained by Ramzan and Wừest (2007). Figure 6: Numbers of phishing incidents by day from Saturday 1 July 2006 to Monday 31 July 2006 categorized by identified groups. 156 Time of day is another possible fingerprint, When we examined Tuesday 18 July 2006 in detail (Table 8), 12 phishing incidents were observed, starting at 4.01am and continuing to 8.59am, then followed by a break of about ten hours, followed again by three from 6.44pm to 7.39pm. This may be deliberate targeting of the victim users when they access their systems in the morning and first thing in the evening, or may again indicate the working schedule of the phishers themselves. Table 8: Phishing incidents on 18 July 2006 by header received time (converted to AEST), date and phishing group. TIME 4:01:01 4:35:04 6:03:03 6:43:27 7:09:24 7:49:56 8:06:37 8:32:51 8:59:10 18:44:45 19:25:13 19:39:39 5 DATE 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 18-Jul-06 GROUP 1 1 1 1 4 4 3 2 4 3 1 1 CONCLUSIONS In this paper, we have shown how a criminal investigation methodology based on authorship analysis and fingerprinting can be used to classify phishing e-mails into a small number of discrete groups. While most spam e-mails do not aim to misrepresent their identity, this is the goal for phishing e-mails. To summarize, some 6 distinct groups were responsible for the overwhelming majority of attacks identified in both sets of data. 86% of all attacks originated from of these groups. In many cases, the distinguishing features of phishing e-mails were found in other e-mail crimes such as money laundering and 419 scams. This indicates that phishing groups are diversified criminal enterprises, each using their own distinctive modus operandi to commit crimes across a wide spectrum. Other indicators of organized work activity included taking breaks at weekends, and launching attacking during daytime hours from the geographical source regions. On the technical side, the use of multiple servers to provide fail-over during attacks indicates a growing trend for a sophisticated distributed computing 119 FORENSIC CHARACTERISTICS OF PHISHING - Petty Theft or Organized Crime? capability on the same level as legitimate organizations. As discussed in the introduction, only data from a single target in the financial services area was used to develop the investigation methodology. However, anecdotal evidence suggests that most banks and financial institutions are experiencing qualitatively similar attacks. Our first task in generalizing our findings will be to replicate the results across data sets from other institutions. Of course, practical difficulties exist in obtaining this data from organizations that keep their operational security issues secret. A second major challenge is to validate the findings across further time periods, and get a sense of the variation in both group composition and features used. One can anticipate a high-level of turnover in the features used, however, if they are not revealed in the public arena and/or incorporated into anti-spam signature databases, then our experience is that the values are not altered. We are also investigating methods that enable automated profiling of phishing attacks by groups in real time and be built in to commercial tools for law enforcement based on classification techniques from natural language processing (Watters,2002). We intend to extend the approach by utilizing hierarchical clustering to identify more complex patterns of heredity among the different techniques being used by each group. ACKNOWLEDGEMENTS This work was funded by a major Australian financial institution that wishes to remain anonymous for operational security reasons. Conference on Knowledge Discovery and Data Mining (KDD'2000). 2000 de-Vel, O., Anderson, A., Corney, M., et al., Mining Email Content for Author Identification Forensics. SIGMOD: Special Section on Data Mining for Intrusion Dection and Threat ANalysis, 2001 Dhamija, R., Tygar, J.D., and Hearst, M. Why Phishing Works. In Proceedings of the CHI 2006. Montréal, Québec, Canada, 2006 Fette, I., Sadeh, N., and Tomasic, A. Learning to Detect Phishing E-mails. In Proceedings of the 16th international conference on World Wide Web (WWW 2007).p.649 - 656:ACM Press, 2007 Jagatic, T., Johnson, N., Jakobsson, M., et al., Social Phishing, School of Informatics Indiana University, 12 December, 2005 Jakobsson, M., Modeling and Preventing Phishing Attacks, School of Informatics Indiana University at Bloomington, 27 October, 2005 James, L., Phishing Exposed. Rockland MA: Syngress Publishing, 2005 McMillan, R. 'Rock Phish' blamed for surge in phishing, (on-line) http://www.infoworld.com /article/06/12/12/HNrockphish_1.html Naraine, R. Return of the Web Mob, April 10, 2006 (online) http://www.eweek.com/article2/0,1895,1947561,00.as p Ramzan, Z. and W¨uest, C. Phishing Attacks: Analyzing Trends in 2006. In Proceedings of the Fourth Conference on E-mail and Anti-Spam (CEAS 2007). 2007 Stamp, P., Penn, J., Adrian, M., et al., Increasing Organized Crime Involvement Means More Targeted Attacks, Forrester Research, October 12, 2005 Watters, P.A., Discriminating English word senses using cluster analysis. Journal of Quantitative Linguistics. 9(1): 77-86,2002 REFERENCES Alleged Phishing and Organized Crime Group Arrests. Technology News Daily 2006. Card fraud losses continue to fall 14 March 2007 (on-line) http://www.apacs.org.uk/media_centre/press/07_14_0 3fraud.html Abad, C., The Economy of Phishing: A Survey of the Operations of the Phishing Market, 2005. Chandrasekaran, M., Narayanan, K., and Upadhyaya, S. Phishing E-mail Detection Based on Structural Properties. In Proceedings of the NYS Cyber Security Conference. 2006 [de-Vel, O. Mining E-mail Authorship In Proceedings of the Workshop on Text Mining, ACM International 157 120 Figure 6.1: “We are automating the payment system” Russia cyber gang promotional material (VeriSign 2007) Phishing the Long Line: Transnational Cybercrime from Eastern Europe to Australia. Chapter 6 SYNTHESIS: WINNING THE WAR ON PHISHING 121 CHAPTER SIX: SYNTHESIS: WINNING THE WAR ON PHISHING 6.1 Introduction The previous chapter examined phishing emails and other phishing artefacts in an effort to group them and identified ethnographic features, which support the view that phishing and related cybercrime against Australia is primarily an Eastern European phenomenon. In this final chapter a theory to explain EECGs operations is developed. This theory will assist in understanding and addressing future threats from not only other groups or organisations involved in cybercrime but also in other facets of cyber threats such as cyber espionage and information warfare. The chapter also examines the weaknesses that allow phishing to flourish. It also examines the weaknesses in the Phishing attack model and through that examination a number of options capable of being deployed to disrupt the phishing attack model are identified. In particular it is observed that the role of money transfer agents such as Western Union and MoneyGram deserve closer attention of law enforcement and regulators. 6.2 The Limitation of Technical Solutions: The Latest Zeus Example (Zitmo) As observed in Section 6.10, there is a limitation in the current and potential technical solutions to Phishing. Essentially, any information that can be socially engineered from the user will be. At the same time the solution needs to have a level of useability; otherwise it is impractical for the average bank customer. Since 2003, Australian banks have responded to Internet banking phishing by looking at more robust authentication systems than simple username and password. A recent example of an attack is related here that not only demonstrates the limitation of technical solutions to Phishing but the sophistication of the Phishing attacks being developed by EECGs. One of the most widely used and seemingly secure two-factor authentication methods used by Australian banks is employing a separate mobile phone to communicate a one-off transaction code via Secure Messaging Service (SMS). This message often includes details of the requested transaction to combat where the computer being used is compromised and is misrepresenting the nature of the transaction being authorised. The security of this method is based on the assumption that, to defeat both devices (the computer and mobile phone), both need to have been compromised, something that would seem so difficult to be largely impractical. In late 2010 an ingenuous attack was developed as part of the Zeus Internet banking Trojan family. Already capable of “man in the middle” and “man in the browser” attacks it has graduated to a “man in the mobile attack”. The variant is known as Zitmo (Zeus in the mobile) and it works by the following steps. The attacker compromises the user’s PC (perhaps using a web browser vulnerability). Malware is then loaded that injects a frame into the next Internet banking session of the victim asking for phone type and number used for SMS authentication (See figure 6.2) and key logs the victim’s username and password. Using the information entered into the injected frame by the victim the attacker infects the victim’s mobile device by SMSing a link to a web-based file which when downloaded compromises the phone (See Figure 6.3). With both devices now compromised, the attacker logs in with the stolen credentials using the user's computer as a proxy and performs a specific operation that needs SMS authentication. The SMS is sent to the victim's mobile device with the authentication code. The malicious software running in the mobile phone forwards the SMS to another mobile phone controlled by the attacker without the knowledge of the victim. The attacker then uses the authentication code and completes the transaction successfully (Baroso 2010). 122 Figure 6.2: Zeus html frame inserted into Internet banking session to identify type of phone and phone number (Spanish Version)(Baroso 2010). Figure 6.3: Zeus SMS with Web-link to Nokia Phone compromise code (Spanish Version) (Baroso 2010). This is a more efficient method than it may seem at first. Only users who have accounts with the particular banks targeted will see the inserted frame asking for the additional details. Only those who enter their phone details and have a phone type which can be compromised will be sent an SMS to compromise their phone. Once the steps are complete the attackers can complete transactions without alerting the victim. In fact the victim will only become aware of fraudulent transactions when checking their balances and even that could be altered by determined attackers if the system it is being checked on is compromised. This is an excellent example of how a well resourced adversary such as EECGs can respond to seemingly secure counter-measures. While technical solutions definitely have their place, in the end we need to put more focus on weaknesses of the Phishing attack model, the money laundering elements and in particular the role of money transfer agents such as Western Union and MoneyGram deserve closer attention by law enforcement and regulators (see Section 6.10 for detailed discussion). 123 6.3 A Theory of Cybercrime Operations Given the observations of the activities of EECGs impacting Australia, one can formulate a theory of cybercrime operations. Because their operations are focused overseas, EECGs operate within safe havens from prosecution, both due to corruption and the tyranny of distance (and jurisdiction) for their victims. $ EECGs Jurisdiction & Political Issues Internet Cloud Internet Money Mules N W E S Victim Bank Customer Figure 6.4: Theory of Cybercrime Operations EECGs not bound by legality are able to utilise the global connectivity of the Internet to launch attacks and direct activities in an efficient and timely manner to reach those victims using the Internet and other information technologies. They also use the efficiencies of Internet Banking and the extensive network of ATMs against Banks in committing these frauds and laundering the proceeds. Thus the strength and scope of Western banking and information technology is used in effect as in Judo (Kodokan Judo Scientific Research Group 2009), where the strength and weight of the opponent is used against him. Apart from the banks’ technology, EECGs also use the largely deregulated international financial environment to their advantage. Western Union and MoneyGram’s networks are used to repatriate funds back to Eastern Europe. In addition EECGs exploit the limitations of technical security solutions where, as observed, any information that can be socially engineered from the user will be, and any security solution needs to useable for the average bank customer. Innovation is always on the EECGs’ side and banks can merely respond to new attack methods and vectors. Ironically, the innovation that banks can drive is often opening up new avenues for attack such as with banking on mobile platforms. The unrestricted tactical operations 124 that EECGs can now wage against Australians is one example of a broader theory of cybercrime which might predict that there would be an increase in such activities given that the Internet makes cross-jurisdictional theft as easy as stealing next door, but where jurisdictional protections make these attackers relatively untouchable. It is an arms race with each side escalating in turn; the banks on one side to overcome a new style of attack and the Phishers on the other to overcome a new counter-measure. However, the EECGs will always find a way to exploit legal and technical frameworks. Future research could compare the Australian research with other Western nations (or advanced economies) to see if the same predictions hold true; or, we perhaps could take a counter-example like China and see how it is responding to the cybercrime threat, given the more extensive technical and social controls that the Chinese Government is able to wield. 6.4 Eastern Europe the Engine of Cyber Warfare? The transition in 2003 from hacking as a hobby (albeit illegal) to one with a profit motive has driven much innovation in cybercrime. Phishing in particular with its high return on investment has supported extensive cybercrime research and development. The EECGs have been central to this with their access to excellent technical resources. Similar to the impact of World War 2 on technology, many new attack vectors and methods have been developed in a short period at a speed far greater than prior to 2003. The sophistication of botnets, vulnerability exploits, malware code and social engineering methods are evidence of this. Zitmo is just a recent example. While cybercrime is clearly an issue of significance for Western governments, since 2009, issues of information warfare and cyber espionage have caused even greater concern in national security circles. Developments in cybercrime like those technical developments during World War 2 have impacted other areas but most particularly information warfare and cyber espionage. 6.4.1 Other Cyber Attacks Quite apart from Phishing attacks on Internet banks, a lot of interest has been focused on cyber espionage often attributed to China. If we are to examine the techniques documented in a number of these attacks, they have great similarity to attacks used first in Internet bank phishing. This includes the use of phishing e-mail hooks to download Trojans (Information Warfare Monitor 2010) in attacks on Tibetan independence groups and use of Adobe PDF vulnerabilities to compromise Gmail accounts of dissidents (Naraine 2010). Apart from espionage, cyber tools also can be used for information warfare. The targeted attack on an Iranian nuclear reactor by the Stuxnet worm (Greengard 2010) is similarly an extension of techniques and tools used in the phishing context by EECGs. Phishing itself may have been developed by Russia’s Federal Agency for Government Communications & Information (FAPSI) for information warfare purposes, and privatised with FAPSI’s disbanding in 2003. 6.5 The scale of the Involvement in Phishing and Related Cybercrime in Australia by Eastern European Cybercrime Groups The scale of EECGs’ involvement has been demonstrated in this thesis by a number of methods. In the second chapter the money laundering aspects of this crime were examined. In particular, data was examined detailing each time the Australian Federal Police blocked an international transaction which was the proceeds of phishing. The data covered the periods October 2004 to December 2005, 125 October 2006 to March 2007 and January 2009 to November 2010. In total 1416 transactions were blocked and details recorded. Russia was consistently the highest recipient country with a total of 607 transactions accounting for 42.87% of the total. Ukraine took overall second place with 139 transactions accounting for 9.82% of the total. If we are to look at those countries, which were parts of the former Soviet Union, they represent some 66%, or 791, of the total. The data shows a clear nexus to that part of the world, which has remained consistent from 2004 to 2010. St Petersburg accounted for 376, or 41%, of the total transactions where data for the city was available. This was the highest by a factor of six and second highest per capita, with 81 transactions per one million of population. St Petersburg is known as a hub for criminal activity (Europol 2009) and the home of one of Russia’s major organised crime groups, Tambov. In the third chapter we examined the first Phishing attacks on an Internet Banks starting in March 2003. Those early attacks involved Florida provider E-Biz Web Hosting Solutions LLC that had at the time as its Chief Technology Officer, Alex Mosh, alias Alex Mozhey. The Ukrainian Mosh is a well known spammer and was listed as number one in the top spamming organisations worldwide in 2007 and has also been identified as hosting Internet money mule recruiting sites (Spamhaus 2007). In the fifth chapter we examined features of Phishing emails from an ethnographic perspective. That examination showed the majority of time zone, character set and time of day data examined was consistent with Eastern Europe being the source. Given this extensive analysis, there can be no doubt that EECGs are responsible for the majority of Phishing and related cybercrime in Australia. 6.6 The Weaknesses that Allow Phishing and Related cybercrime by these Groups to Occur In Section 6.10 we determine the weaknesses that allow Phishing and related cybercrime by these groups to occur. These include the borderless Internet, the free flow of funds via the global financial system, the limitations of technical solutions, Russia and Ukraine as a safe haven for cybercrime and the law enforcement challenge in cross-jurisdictional operations. 6.7 The background and modus operandi of EECGs In the various chapters on this thesis, we have examined the background and modus operandi of EECGs including the history of phishing, the cybercrime marketplace and the features that have made Eastern Europe a supportive environment for cybercrime. In Chapter Two we examined the role of Internet money mules and other money laundering in phishing, which is key to the success of the exercise. In the third chapter we examined the first Phishing attack on an Internet Bank in March 2003 and a number of other early attacks. In these experimental attacks the phishers did not go to great lengths to hide their identities or their methodology, as would be the case later. In that chapter we also examined ethnographic aspects of Eastern Europe including the role of the Russian Federal Agency for Government Communications & Information (FAPSI) in the development of cybercrime. In Chapter Four we examined the cybercrime marketplace, which facilitates Phishing attacks and allows for significant specialisation within and amongst Phishing groups. This work has given a clear picture of the background and modus operandi of EECGs and more broadly that of other cybercrime groups. 126 6.8 Future Research 6.8.1 Cyber Attack Attribution One challenge in the research completed for this thesis was the difficult task of cybercrime attribution or more broadly cyber attack attribution. This thesis has used data of international money flows from the proceeds of Phishing from Australia, the examination of Phishing emails for ethnographic artefacts, various business records registrations to identify individuals, and other case studies to inform the process. Other attribution such as examples used by Kshetri (2010a) typically relies on one of these factors in isolation and, while such examination is valid, it may indicate that part of the activity has a nexus to that country but not much more, i.e. the United States hosts more Phishing sites than Russia but that does not mean Americans are the perpetrators. Future research should look at more formal models for attribution using multiple data points across various information domains. Models used within intelligence analysis and other similar disciplines could inform this research. 6.8.2 The Role of Tambovskaya (Tambov) in Phishing While there is clear evidence of the involvement of Tambov in St Petersburg-based cybercrime, further research could look at links between known Tambov entities and Phishing attacks on Australia and other Western countries. This could be achieved using various methods, but given the large business footprint of Tambov and a number of well known individuals associated with it, researchers with access to Russian and St Petersburg business records may be able to demonstrate clear links between Tambov and enterprises involved in Phishing attacks. 6.8.3 The role of Russian State Security Past and Present in Cybercrime Even the limited information and research about Russian state security past and present involvement in cybercrime, as summarised in Chapter Three, indicates this is an area that requires further investigation. The activities of FAPSI prior to its disbandment and the ongoing actions of former members of FAPSI recruited by organised crime and those now within the FSB could be examined to identify the scope of their involvement in cybercrime. 6.8.4 Eastern European Local Money Mules As described in Chapter Two once the proceeds of Phishing are sent via Western Union to Eastern Europe, they are picked up by what can be described as “local money mules”. While there has been research into Internet money mules and data of blocked Western Union transactions made available, no research which closely examines this part of the Phishing attack model has been conducted. The names and addresses for many of these people have been recorded (some may well be assumed names) in the process of investigating many of these attacks, so there would be opportunities to study them in more detail. This would help complete the picture of how the proceeds of Phishing attacks are laundered. 6.8.5 Measuring the Effectiveness of an Institutions’ Controls by the Value of its Compromised Credentials As observed in Chapter Five, the operation of the cybercrime market means some bank credentials are worth more than others, if they are more easily cashed and thus higher portion of the face value 127 can be realised. A measure of the effectiveness of a bank’s counter measures would therefore be its credentials are worth less in the cybercrime market. Future research could examine these values which may validate the effectiveness of the counter measures each institution takes. 6.9 Conclusion This thesis has examined what is a complex, poorly understood and cross-disciplinary topic. The research has been made more difficult by the need for operational security for law enforcement and bank investigations. In addition many aspects of EECGs have limited sources available and much is based on limited data or data of unknown quality. Also, EECGs themselves are by their nature secretive. Despite this, the thesis has clearly added to the research in this area by identifying and analysing a number of sources of empirical evidence for the scale of the involvement in Phishing and related cybercrime in Australia by EECGs. It also provides important analysis of those activities including modus operandi of these groups, explains the causes, placing it into its political and historical context, develops a theory of cybercrime operations and proposes concrete options to disrupt the activities on EECGs. The cross-disciplinary nature of the problem has inhibited comprehensive applied research in this area, but it is hoped this research has advanced understanding of the broader problem rather than just focusing on a specific technical aspect or solution. However, one very specific message from this research is that transnational organised criminal activity based around St Petersburg needs to have closer attention of Australian law enforcement, particularly the Australian Federal Police and the Australian Crime Commission, if there is any hope of protecting Australians from phishing and related cybercrime in the future. 6.10 References McCombie S. Pieprzyk J. (2010) Winning the Phishing War: A Strategy for Australia, 2nd Workshop on Cybercrime and Trusted Computing, University of Ballarat. 128 2010 Second Cybercrime and Trustworthy Computing Workshop Winning the Phishing War: A Strategy for Australia Stephen McCombie Josef Pieprzyk Centre for Policing, Intelligence & Counter Terrorism Macquarie University North Ryde, Australia stephen.mccombie@mq.edu.au Department of Computing Macquarie University North Ryde, Australia josef@science.mq.edu.au can update themselves dynamically [15] to beat new enhanced authentication methods used by Internet banks such as Tokens and SMS codes. These new Trojans can even automate the money laundering process. Other than the method of compromise the modus operandi of the attacks and the underlying attack model has changed little. While a few early attempts tried to directly send the money overseas via Overseas Telegraphic Transfers (OTTs), the method has either been removed or is so heavily monitored it is no longer a viable option. The standard approach now is the use of Internet money mules (further described below) who transfer the money overseas via Western Union or Moneygram. It is proposed a strategy, which firstly places more focus by Australian law enforcement upon transactions via Western Union and Moneygram in an effort to detect this money laundering, would significantly impact the success of the Phishing attack model. This combined with a technical monitoring of Trojan technology and education of potential Internet money mules to avoid being duped would provide a winning strategy for the war on phishing for Australia. Abstract—Phishing, a form of on-line identity theft, is a major problem worldwide, accounting for more than $7.5 Billion in losses in the US alone between 2005 and 2008. Australia was the first country to be targeted by Internet bank phishing in 2003 and continues to have a significant problem in this area. The major cyber crime groups responsible for phishing are based in Eastern Europe. They operate with a large degree of freedom due to the inherent difficulties in cross border law enforcement and the current situation in Eastern Europe, particularly in Russia and the Ukraine. They employ highly sophisticated and efficient technical tools to compromise victims and subvert bank authentication systems. However because it is difficult for them to repatriate the fraudulently obtained funds directly they employ Internet money mules in Australia to transfer the money via Western Union or Moneygram. It is proposed a strategy, which firstly places more focus by Australian law enforcement upon transactions via Western Union and Moneygram to detect this money laundering, would significantly impact the success of the Phishing attack model. This combined with a technical monitoring of Trojan technology and education of potential Internet money mules to avoid being duped would provide a winning strategy for the war on phishing for Australia. II. Keywords: Cybercrime, Phishing, Eastern European organised crime, Money laundering. I. A. The Phishing War Avi Litan first used the term ‘War’ in this context declaring in 2009, “The War on Phishing Is Far From Over” [13]. It is rather apt to describe it as a war. The forces behind phishing and those charged with fighting it are at war. In this war there are battles and campaigns. There is also an arms race with techniques and technology developed by cyber criminals to subvert Internet banks and in turn by the banks and law enforcement to respond. Both sides are highly organized and bring considerable resources to the fight. There are tactics and strategy for both sides. What the authors are proposing is a strategy to win this war. A real strategy is not just following the logical but a bold choice to target something others, in the same position, may ignore. The US Department of Defense define a strategy in the military context as, INTRODUCTION Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal victims' personal identity data and financial account credentials [2]. Australia’s Internet banks have been subject to phishing attacks since early 2003. The problem has continued to this date without abatement. Globally phishing and related cybercrime is responsible for annual losses of billions of US dollars. Gartner have estimated the losses, just in the US, were over USD$7.5 Billion in the three years to September 2008 [13]. The first phishing attacks against Internet banks globally were against Australian Banks. However this was not a home-grown problem. It is suspected those first few attacks in 2003 were the work of Ukrainian spammers [22]. Eastern European cyber criminals continue to play a major role in phishing attacks against Australia and indeed are significant factor in the global problem [23]. The early phishing attacks of 2003 were fake bank websites and were created on commercial web hosts. Those early methods have now been replaced by fast-flux attacks using Botnets [3] and sophisticated key loggers which 978-0-7695-4186-0/10 $26.00 © 2010 IEEE DOI 10.1109/CTC.2010.13 BACKGROUND OF PHISHING “A prudent idea or set of ideas for employing the instruments of national power in a synchronized and integrated fashion to achieve theater, national, and/or multinational objectives [27].” At this point the phishing war is not being won and is at best a stalemate with little end in sight. It is hoped the 79 129 sends a phishing email or Trojan lure email to thousands perhaps millions of potential victims. A small percentage of those receiving a phishing email actually respond by confirming their account details in the fake banking website. A greater percentage but still a small minority follow the link in a Trojan lure email (e.g. Subject: Prime Minister survived a heart attack) and have their personal computers compromised and a key logging Trojan is loaded. When they then conduct their next real session with their Internet bank their credentials are captured (Phase 2). The victim has ‘clean money’ (c$) in their bank account. In Phase 3, the potential Internet money mule is approached with a job offer, which is usually advertised by unsolicited spam email, Internet messaging and both fraudulent and legitimate employment web sites. In order for the transfer to take place mules need to supply their current bank account details or if they choose set up a new account for this purpose and supply those details (Phase 4). suggested strategy will target the weakness in the phishing attack model just as phishing attacks the weaknesses in Internet banking and cross border policing. B. Phishing 2003 and afterwards While the term phishing dates from the early 1990s, Internet bank phishing began in 2003. The first Internet bank to be attacked was the Commonwealth Bank of Australia in March 2003. It was quickly followed with attacks on ANZ, Bank of America and Westpac. These attacks are suspected to have been the work of Ukrainian spammers and in particular Alex Mosh [22]. Spamhaus produce the Register of Known Spam Operations (ROKSO) and they rank the top ten spamming operations based upon the ROKSO database that collates information and evidence on known professional spam operations that have been terminated by a minimum of 3 Internet Service Providers for spam offenses. According to Spamhaus, Mosh’s gang have figured in the top 10 spammers globally for more than five years and are currently listed as number 5 [26]. Mosh has also been identified with Internet Money Mule recruitment and other associated criminal activity [16][22]. Between March and early July 2003 there were only 7 discrete attacks globally [22], however by late 2003 a large number of banks in Australia, United Kingdom, the United States and New Zealand were being targeted. By early 2004 banks from all over, Western Europe, Canada and South Africa became targets. The earliest statistics from the Anti Phishing Working Group (APWG) show 21 phishing incidents in the month of November 2003, 156 in December 2003 and 136 in January 2004 [1]. The phishing sites at this time were primarily located at large web hosting providers whose systems were apparently compromised and used to set up the sites. This method continued for some years even being the main method observed during the examination of phishing attacks in July 2006 on one Australian financial institution [23]. But this changed not long after with the use of botnets to host phishing web sites becoming the dominant method. Figure 1. Anatomy of an Internet Banking Fraud [4] In Phase 5 the criminal transfers money from a compromised bank account into the mules account. The mule, simply doing what their ‘job’ requires, transfers this ‘dirty’ money (d$) – minus their fee – via financial transfer services such as Western Union to an overseas address which is often as we will see in Eastern Europe (Phase 6) [4]. By December 2009 some 249 different brands were targeted by traditional phishing attacks (phishing email directing victim to a fake website) with over 46,000 individual phishing web sites detected. In the fourth quarter of 2009 Panda Labs identified over 3 million computers with password stealing banking Trojans [2] the newer style of phishing. A study in 2008 over seven months looking at a small sample of seventy credential drop zones of Trojans identified over 10,000 compromised banks accounts and estimated their value on the black market to be as high as $USD10 million [15]. In 2007 in a two-week period the Trojan Zeus was responsible for losses of USD$6 million from banks in the USA, Italy and Spain. III. B. Internet Money Mules ‘Internet money mules’ are those who, either knowingly or unknowingly, launder money obtained from Internet fraud. They are a key part of phishing and related cybercrime. While the criminals who steal credentials can easily access Internet Banks and perform transactions from the other side of the world they cannot necessarily get the money into their own hands so easily. They advertise for Internet money mules through spam email, Internet messaging and both fraudulent and legitimate employment web sites. They claim to be legitimate employment opportunities with mules often receiving between 7% to 10% of funds transferred via their accounts as a commission. The cybercriminal transfers money from a compromised bank account into the mules account. The mule, simply doing what their ‘job’ requires, transfers the PHISHING ATTACK MODEL A. Anatomy of a Phishing Attack The phishing attack model is fairly simple. A number of the steps are able to be executed from anywhere in the world with an Internet connection. While the precise method of compromise has developed over time this attack model remains largely unchanged. The first Phase in the Internet banking fraud involves the targeting of the victim. The cyber criminal 80 130 fraudulently obtained funds – minus their fee – via financial transfer services such as Western Union or Moneygram to an overseas address [1]. Data collected by the Australian Federal Police indicate that over 50% of these transactions relate to the former Soviet Union with Russia being the largest single recipient country [13]. In a number of Internet banking frauds in the United States communication between the Internet money mule and the organisers of the fraud has been obtained [17][18][19] see figures 2-4. Internet money mules are told to direct the money via the local Western Union office back to addresses in these cases in the Ukraine. Figure 4. Payment Instructions for Internet Money Mule [19] Figure 2. Instruction to Internet Money Mule [17] Figure 5. Internet Money Mule Registration [19] Interestingly upon recruitment see figure 5 [19] Internet Money Mules are asked to certify there is a local Western Union office they can access. C. Money Laundering Money laundering is defined in Criminal Code Act 1995 (Cth) as dealing with money or property that is the proceeds of crime. Under that legislation the penalties vary depending on the level of culpability. There is similar legislation in each state and territory with the exception of the Northern Territory. While the actus reus (guilty act) for money laundering is clearly present with Internet Money Mules the question arising is the mens reas (guilty mind) present and is whose mind. Clearly the architects of the transaction are culpable but what about the mules themselves and the money transfer agents such as Western Union and Moneygram? It is widely accepted there are three stages in money laundering. They are placement, layering and integration. Placement is where the proceeds of crime are placed within the financial system. Layering is where those proceeds are separated from their source by layers of transactions, which disguise the ownership of funds, and makes it more difficult to Figure 3. Welcome to Internet Money Mule [18] 81 131 time to go to the Internet money mules account rather than the intended recipient. Lastly whatever method is devised it needs to have a good level of usability. Therefore having to key in detailed transaction information into a small handheld token device to obtain a unique authorisation code (which would foil most of the current attacks) is not practical for the average Internet bank user. trace. Lastly integration is where the proceeds of crime re-enter the financial system as apparently legitimate funds [10]. If we look at the phishing attack model, placement is where the funds are moved from the victim’s account to the mules account. Layering then occurs when the mule withdraws the money in cash and then wires it via Western Union or Moneygram. At this point we do not really see integration but presumably after the money is withdrawn from Western Union it is ultimately returned to the financial system. C. The Safe Haven If we examine the criminal network that supports Phishing and related cybercrime we can see that it takes advantage of a number of vulnerabilities in the way Internet Banking and Law Enforcement operate. Cyber criminals operating anywhere in the world can compromise Internet banking users and then operate those victims’ accounts using Internet connections. Banks who report these crimes to local Law Enforcement are immediately frustrated. Law enforcement, which is based around specific jurisdiction, is at best unwieldy across national boundaries. This is even more the case where countries have little formalised relationships at this level. Russia for instance does not even allow for offenders to be extradited to the country where the offence has been committed under any circumstances. Offenders can be tried locally that requires a significant commitment by a number of levels of the local criminal justice system. Typically in the case of frauds against foreign banks, which are viewed at the less serious end of crime, this commitment is lacking. John Pironti, a banking security expert, claims that as long as long as A-Z (the alleged author of Zeus) remains in Russia, he is effectively beyond the rule of law, since cybercrime against the West is such a low priority for Russian Police [30][31]. In response to a question about organized crime networks involved in phishing AHTCC Commander Neil Gaughan, said, D. Eastern Europe and Phishing The involvement of Eastern European gangs, such as Mosh’s, did not end in 2003. As recently as September 2009 Neil Gaughan the head of the Australian High Tech Crime Centre (AHTCC) told a parliamentary enquiry that the majority of cybercrime in Australia is driven by organised crime gangs in Russia [7]. Nigel Phair former team leader from the AHTCC saying in his book, “A significant amount of internet-enabled crime including Phishing and denial of service attacks … is perpetrated from within the states which comprise the former Soviet Union. [25]” Previous research has demonstrated the significant role Eastern Europeans play in phishing and related cybercrime particularly those from Russia and Ukraine [11][23]. These groups are highly organised, entrepreneurial and experienced in money laundering. While they are not alone in this space with groups from Nigeria and Brazil also identified they are by far the largest and best organised cyber criminals. Because of this they make responding to this crime all the more difficult for banks and law enforcement. IV. THE WEAKNESSES THAT ALLOW PHISHING TO SUCEED “We have done some mapping in relation to money laundering and issues such as that. We use the internet (sic) to map where these sites have gone and most of them are going back to Eastern Europe. When you have the difficulty of jurisdictional type discussions.[7]” A. The Borderless Internet The Internet has changed the paradigm of crime forever. Now criminals and criminal groups have global reach in a way that Italian Mafia and Asian Triads could only have dreamed in the past. Not only are they free to target victims throughout the world they can co-ordinate their activities across multiple countries as well all from the comfort of their Dacha on the outskirts of Kiev. East European groups with their high level of technical education [22] and resources have been particularly quick to embrace the Internet. This has combined with the opening up of the world economy and the relatively free flow of funds globally. So while the source of the problem is recognized the problem of what has become a virtual safe haven for cybercrime comes into play. It is upon this law enforcement challenge, which the successful attack model is based. D. Law Enforcement Challenge There should be no “legal vacuum” [20] for offences committed from within Eastern Europe. Clearly cybercrimes are not the first offences to have international crossjurisdictional issues. While in those non-cybercrime cases it was more common for offenders to flee jurisdictions than actually commit the offences from the other jurisdiction it still does happen. A particular example is in large international drug conspiracy cases which have been successfully prosecuted for more than 30 years. But it takes time and a degree of commitment by all sides. B. Limitations of Technical Solutions Since 2003 the IT security industry looked for technical solutions to phishing. In the last few years Internet banks have introduced a number of technical security innovations. These include the use of tokens (which provide a one time password), challenge and response mechanisms (using battleship cards) and codes sent to phones via SMS to authorise transactions. While it would seem such methods would prevent these attacks this has not been the case. Essentially any information that can be socially engineered from the user will be. The computer platform itself cannot be trusted and Trojans, like Zeus, will sit in the middle of an authorised transaction and change it in real The model for police law enforcement co-operation internationally has two main elements. There is police-topolice assistance and this relates to things such as general intelligence exchange, and information obtained from voluntary interviews and is generally brokered via Interpol 82 132 took advantage of direct Overseas Telegraphic Transfer banks quickly identified this [4]. The banks then either removed this functionality or delayed payments so they could be manually reviewed. This led to the need for Internet money mules. These mules were needed to draw the money out in cash and then transfer it via Western Union or Moneygram back to the next level. The mules themselves who are ultimately dupes are expendable. However the real weakness is the money needs to be transferred by Western Union or Moneygram. Without Western Union or Moneygram the money would never make it back into the hands of the cyber criminals. Clearly Western Union and Moneygram obey the law and have worked with industry to warn users of being used as Internet money mules. However a review of the material Western Union supply to customers shows they could be a lot more explicit in warning customers and perhaps more proactive in identifying fraudulent transactions. [20]. In addition the Australian Federal Police operate a network of International Liaison Officers (ILOs) worldwide often with some sort of formal co-operation agreement with a law enforcement partner in the other countries. Then there is mutual assistance, which provides for use of coercive powers such as search warrants, which is handled by the Federal Attorney General’s Department liaising with their equivalent in the other country. One of the authors had first hand experience in dealing with both these modes of gaining assistance in the mid 1990s in a large fraud investigation. The police to police inquiry to work out whether an individual (the main suspect) in a major fraud was in Hong Kong took over six months and the mutual assistance application to obtain banking records took nearly two years. Is it any different now with Cybercrime? Let us look at what happened after the first phishing attacks against banks in Australia in 2003. The attack against Westpac Bank occurred on 4 July 2003. Westpac’s lawyers immediately contacted the Australian Federal Police but the matter was left till the following week to go to the ILO in Washington, Federal Agent Kevin Zuccato (by chance a future Australian High Tech Crime Centre Director). He worked hard to get some traction with his FBI colleagues but according to the owner of the company which hosted the hardware the phishing sites were on, FBI agents did not turn up on his doorstep till September 2003 over two months later [13]. From an evidentiary perspective this may well have been fatal to the case. Logging in IT Hosting companies is limited at the best of times and critical data which could identify the source of traffic may be lost forever after even a few weeks. In addition any follow up investigation of data found (such as IP source of those setting up the phishing sites in this case) would in turn be significantly delayed with a similar knock on effect. B. Could Western Union Do More? Western Union was founded over 150 years ago in the United States and has a reputation as a good corporate citizen. To discourage Internet money mules they have issued security bulletins and worked with law enforcement and victim banks. However there is an opportunity for them to do more. On Western Union’s information sheet on job scams, titled “Dream Job Only a Dream?”, it states, “Job scams may vary…The key is this; scam artists will always require some type of payment before employment can take place.” Not so with Internet money mule jobs scams. Mules are not expected to put up any money. This advice relates to victims of scams who are sending their own money overseas and not those acting as “agents” for fraudsters. Western Union have further information sheet titled “When Easy Money Isn’t Easy” which addresses this scenario but its title is somewhat confusing and would seem more about lottery scams and the like. Also customers are not told to voice their concerns to agency staff rather are directed to further educational material or a 1-800 number, which does not work in Australia. The Cybercrime Convention was developed to handle many of these issues including, “Recognising the need for co-operation between States and private industry in combating cybercrime and the need to protect legitimate interests in the use and development of information technologies; (and) Believing that an effective fight against cybercrime requires increased, rapid and wellfunctioning international co-operation in criminal matters;” While Australia and the Ukraine are signatories at present, Russia is not. The authors are not aware whether the treaty has led to a greater degree of co-operation from the Ukraine and to date there have been no arrests in the Ukraine of cyber criminals for crimes in the West. The Ukrainians that have been arrested, it should be noted, were travelling outside of Eastern Europe when picked up. V. THERE IS A WEAKNESS IN THE PHISHING ATTACK MODEL A. Following the Money Thus we have these safe havens for cybercrime where offenders are free to use the Internet to commit crimes but highly unlikely to face arrest and punishment for these crimes. There is a weakness in the criminal network too. To identify it we simply as the old parlance says “Follow the money”. While a few incidents of early Internet banking fraud in 2003 Figure 6. Warning on form states “ Your funds could be at risk” which for Internet money mules is not the case. While Western Union have co-operated with law enforcement and the banks to trace and stop payments, anecdotally it appears the only time that they pro-actively identify fraudulent transactions is when the recipient has 83 133 already been the subject of a previous fraudulent transaction. If they were profile transactions based on recipient country, amount and other values they would be able to identify other fraudulent transactions. In 2007 whilst working for a major Australian bank one of the authors became aware that when transactions from frauds were being stopped upon request of victim banks or law enforcement, Western Union would keep the commission on the transaction. This commission keeping practice was also confirmed by staff at another major bank. Inadvertently Western Union was benefiting from the proceeds of the fraud. It is understood that they have since ceased this practice but Western Union and Moneygram need to do more to help prevent this crime. VI. • • • • • • • WHAT SHOULD WE DO? A. What should the Australian Government do? This definition would certainly describe the Eastern European Cybercrime groups. They should be priority targets of the ACC if they are not already. In addition money laundering is a focus area for the ACC. If the ACC were to specifically focus on the money laundering of these cybercrime groups by using data on Western Union and Moneygram transfers to suspicious countries based on Intelligence readily available form AUSTRAC they would soon build a profile of what is occurring. They could for instance flag any cash transaction going from Australia to Russia, Ukraine and Moldova from a person with a surname, which is not Eastern European in origin. While this may not stop the particular transaction it would provide useable intelligence for law enforcement and data to identify where more due diligence was required by Western Union and Moneygram. Similarly transactions to Nigeria (the home of the 419 scam) by those with non-African names would similarly identify potential level of fraud exposure via this channel. 1) AUSTRAC The Australian Transaction Reports and Analysis Centre (AUSTRAC) are Australia’s anti-money laundering and counter-terrorism financing regulator. One of the main pieces of legislation they operate under is the Financial Transaction Reports Act 1988. That act sets out the requirements of financial organisations such as banks and Western Union in regard to reporting suspicious transactions. “If at any time while dealing with a customer (from the enquiry stage to the actual provision of a designated service or later), a reporting entity forms a suspicion on a matter that they suspect may be related to an offence, tax evasion, or the proceeds of crime, they must provide a report to AUSTRAC[8].” Their regulatory guide on what should be considered when assessing whether a transactions is suspicious includes, 3) Proactive Government Action In Australia these government bodies are specifically tasked with looking at international money laundering. If these bodies took a specific reference on these activities and look at data available from Western Union and Moneygram, as suggested, it may prove to significantly reduce the incidence of money laundering via this method. The difficulty to date is that the individual amounts have been small and opportunities to recover monies for funding anti money laundering operations are limited as the victim banks typically have a claim to funds recovered. “(T)ransactions involving known tax havens, narcotic source or transit countries (and) movements by a customer of large amounts of cash that have no apparent legitimate source[8].” If such a suspicion was formed when an Internet money mule attempted to send cash via Western Union or Moneygram by staff, Western Union should report the matter to AUSTRAC. In addition to suspicious transactions AUSTRAC also gather data on all international funds transfer instructions, which would naturally cover Internet money mule transfers to Eastern Europe. This data is available to various Australian law enforcement agencies and could be used for profiling. 4) Legislative Change It may well be that the current legislation in place is sufficient to proactively combat this money laundering problem. There may however also be scope for specific legislation where there is an increased onus on organisations and individuals that transfer money across national boundaries to establish they are not the proceeds of crime. 2) Australian Crime Commission The Australian Crime Commission (ACC) formed in 2003, essentially to replace the National Crime Authority, the Australian Bureau of Criminal Intelligence and the Office of Strategic Crime Assessment. Amongst its key target areas are high threat organised crime groups. It defines these groups as having the following characteristics. • • have a broader geographical presence and will generally operate in two or more jurisdictions operate in multiple crime markets are engaged in financial crimes such as fraud and money laundering intermingle legitimate and criminal enterprises are fluid and adaptable, and able to adjust activities to new opportunities or respond to pressures from law enforcement or competitors are able to withstand law enforcement interventions and rebuild quickly following disruption are increasingly using new technologies use specialist advice and professional facilitators.[5]” 5) Destroying the Safe Havens While the issues of law enforcement co-operation in Russia and Ukraine may seem apparently insolvable, there are signs of opportunities to remove the safe havens. Romania who have a history as a source of cybercrime have in recent years opened their borders to US law enforcement and the E-Bay Safety team in an effort to reduce this problem. In March this year, have transnational connections have proven capabilities and involvement in serious crime of high harm levels including illicit drugs, large scale money laundering and financial crimes 84 134 did before so you need to make choices. So if we are to focus on the money laundering aspects along with technical surveillance what can we stop doing or at least reduce the effort with? Clearly phishing site shutdowns have limited effect given the various techniques used to frustrate them such as fast flux; a phishing site hosting technique where the nodes in a Botnet are used as the endpoints and the DNS records change frequently [15] [3]. Conversely often still-active phishing sites provide more intelligence to responders. FBI Director Robert Mueller in a speech to the RSA conference said, “And we have worked with the Romanian National Police to arrest more than 100 Romanian nationals in the past 18 months. Four years ago, several American companies threatened to cut cyber ties with Romania because of the rampant hacking originating from that country. And yet today, Romania is one of our strongest partners.[14]” This rapprochement with the west seems to be largely driven by a desire to become part of the European Union (EU), which is not on the agenda of Russia or the Ukraine. Despite this there are some small signs of progress in Russia. In March this year the Russian Federal Security Service (FSB) arrested St Petersburg hacker Victor Pleshchuk in connection with large Cyber-fraud on RBS Worldpay in late 2008, one of first arrests on Russian soil of a cyber criminal wanted in the West [24]. The involvement of the FSB is significant, as these matters would routinely be dealt with by St Petersburg Police or Division K of the Interior Ministry (who are focused on computer crime). This may well indicate the priority placed on this cybercrime by the Russian Government or that at this point the reliability of those other agencies is still in question. D. Difficulties While the strategy proposed is based upon the current threat it is clear the threat itself is Machiavellian, thus it will change to counter preventative strategies. Already the use of Internet money mules is being supplanted in some cases in the United Kingdom. What we could call “International Money Mules” are being sent from Eastern Europe by car into the United Kingdom to withdraw funds directly and return. While this removes Western Union and Moneygram from the picture it does expose the practice to interception at the United Kingdom’s borders and those who unlike the Internet money mule have some criminal culpability in the offence to arrest. Australia is clearly a different case where our remoteness from Europe makes this impractical. B. What Should Industry Do? VII. CONCLUSION 1) Education The Internet money mules themselves are too a key part of this network for without them these transaction would not be able to be completed. Therefore we need to educate potential Internet Money Mules about their involvement in this crime. They will never make any money from being an Internet Money Mule and could potentially be prosecuted. This education needs to be targeted both the point where Internet Money Mules are recruited and at where they operate. Work in this area indicates there is a strong gender bias towards Internet money mules being males and the 24-36 age group. This is even greater when the element of potential criminal intent exists. The bias progressively increases as the age of the money mule increases [4]. In this paper the authors have presented a winning strategy for the war on phishing. This strategy is based on areas where there are weaknesses in the phishing attack model. The proposed strategy is firstly to focus law enforcement efforts on money transfer agents such as Western Union and Moneygram. Secondly, government’s need to bring pressure to bear on the governments of Eastern Europe to ensure there is no “legal vacuum” or safe haven in which cyber criminals can operate. This while largely aspirational has parallels in recent times with efforts to get Romania to clean up its act. Thirdly, a focus by the IT Security community should be on sources of technical intelligence from Phishing infrastructure where there is good scope to recover compromised customer credentials, identify Internet money mule accounts and monitor attack development. Lastly, the banking industry should focus on educating potential Internet Mules Money to prevent them being duped into money laundering. With this focus the authors believe the success rate for these fraudulent transactions will greatly reduce to the point where the practice becomes no longer viable for these cybercrime groups and they look for easier targets, as they look at cost vs. benefit as in the end of the day they are a business, albeit an illegal one. 2) Monitoring the IT threat Another aspect of the problem is the advancing sophistication of the schemes to attack Internet banking organisations and their customers. The Zeus Trojan using a series of configuration files which it downloads when needed to target particular brands and their particular authentication system [7]. It also can download the details of mule accounts to transfer money directly to. But this creates opportunities for both operational and tactical intelligence. Configuration files identify targeted brands, styles of attack and existing Internet Money Mules. This intelligence can be used in interdiction of fraudulent transactions and designing more effective defenses for attacks. While this is often a complex task it is more a matter of using a small number of highly skilled staff rather than a huge number of operations style staff that today are involved in phishing site takedowns and other activities which lend themselves to process style functions. REFERENCES [1] [2] [3] [4] C. A True Strategy A true strategy has a downside. It means you have to redirect your resources. You do not get to do all the things you 85 Anti-Phishing Working Group, “Phishing Attack Trends Report,” 2004; http://www.antiphishing.org/reports/APWG.Phishing.Attack.Report.Feb2004.pdf. Anti-Phishing Working Group, “Phishing Attack Trends Report 4th Quarter 2009,” 2010; http://www.antiphishing.org/reports/apwg_report_Q4_2009.pdf. Arbor Networks, “Global Fast Flux,” 2010. M. Aston, McCombie S., Reardon B., and Watters P., “A Preliminary Profiling of Internet Money Mules: An Australian Perspective,” Book A Preliminary Profiling of Internet Money Mules: An Australian 135 [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] F. Walker, “Gone phishing ... gangs using Aussie kids to steal millions,” Book Gone phishing ... gangs using Aussie kids to steal millions, Series Gone phishing ... gangs using Aussie kids to steal millions, ed., Editor ed.^eds., 2006, pp. [29] D. Warne, “Romania a global hotspot for eBay fraud,” 2007; http://apcmag.com/romania_a_global_hotspot_for_ebay_fraud.htm. [30] K. Zenz, Uncovering Online Fraud Rings: The Russian Business Network., IDefense, Verisign, 2007. [31] K. Zenz, Global Threat Research Report: Russia, iDefense, Verisign, 2007. Perspective, Series A Preliminary Profiling of Internet Money Mules: An Australian Perspective, ed., Editor ed.^eds., 2009, pp. Australian Crime Commission, Organised Crime in Australia, 2009. Australian Crime Commission, Australian Crime Commission Annual Report, Australian Crime Commission, 2010. Australian Government, “Inquiry into Cybercrime,” Book Inquiry into Cybercrime, Series Inquiry into Cybercrime, ed., Editor ed.^eds., 2009, pp. Australian Transactions Reporting and Analysis Centre, “AUSTRAC Regulatory Guide ” 2009; http://www.austrac.gov.au/regulatory_guide.html. BobBear, “Money Laundering and Reshipping Fraud,” 2010. A. Deitz and College of Law (Sydney N.S.W.). Continuing Professional Education Dept., Anti-money Laundering and Counter-Terrorism Financing Act : a presentation for the Continuing Professional Education Department of the College of Law, The CPE Dept. of the College of Law, 2007, p. i, 32 p. M. Galeotti, “Russian mafiya become more active in Eastern Europe,” 2005; http://www.janes.com/security/law_enforcement/news/jir/jir050524_1_n .shtml. M. Galeotti, “The Criminalisation of Russian State Security,” Global Crime vol. 7, no. Number 3-4, 2006. Gartner, “Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40 Percent in 2008,” 2009; http://www.gartner.com/it/page.jsp?id=936913. D. Goodin, “Notorious eBay hacker arrested in Romania,” 2008; http://www.theregister.co.uk/2008/04/18/vladuz_arrested/. T. Holz, M. Engelberth, and F. Freiling. , “Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones,” ESORICS 2009 LNCS 5789, M. Backes, and P.Ning, ed., Springer, 2009, pp. 1-18. iDefense, Money Mules: Sophisticated Global Cyber Criminal Operations Verisign, 2006. B. Krebs, “More Business Banking Victims Speak Out,” 2009; http://voices.washingtonpost.com/securityfix/2009/09/more_business_ba nking_victims.html. B. Krebs, “'Money Mule' Recruitment Network Exposed,” 2009; http://voices.washingtonpost.com/securityfix/2009/09/money_mule_recr uitment_101.html. B. Krebs, “FDIC: Uptick in 'money mule' scams,” 2009; http://voices.washingtonpost.com/securityfix/2009/11/fdic_uptick_in_m oney_mule_scam.html. D. Lanham, Cross-border criminal law, Pearson Professional, 1997, p. xxxvii, 289 p. S. Martin, “International Field Report : Australia,” Book International Field Report : Australia, Series International Field Report : Australia, ed., Editor ed.^eds., 2007, pp. S. McCombie, “Trouble in Florida: The Genesis of Phishing attacks on Australian Banks,” Book Trouble in Florida: The Genesis of Phishing attacks on Australian Banks, Series Trouble in Florida: The Genesis of Phishing attacks on Australian Banks, ed., Editor ed.^eds., 2008, pp. S. McCombie, et al., “Cybercrime Attribution: An Eastern European Case Study,” Proc. The 7th Australian Digital Forensics Conference, secau - Security Research Centre, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia, 2009, pp. 41 - 51. J. Menn, “Moscow cracks down on cybercrime,” 2010; http://www.ft.com/cms/s/0/371526da-350b-11df-9cfb00144feabdc0.html. N. Phair, Cybercrime : the reality of the threat, Nigel Phair, 2007, p. 179 p. The Spamhaus Project, “The 10 Worst ROKSO Spammers,” 2010; http://www.spamhaus.org/statistics/spammers.lasso. US Department of Defense, “DOD Dictionary of Military Terms,” 2010; http://www.dtic.mil/doctrine/dod_dictionary/. 86 136 REFERENCES Abad, C. (2006). "The Economy of Phishing: A Survey of the Operations of the Phishing Market." Retrieved 23 August 2006 from http://www.firstmonday.org/issues/issue10_9/abad/index.html. Abramova, I. (2007). "The Funding of Traditional Organised Crime in Russia." Economic Affairs 27(No.1): 18-21. Abu-Nimeh, S., D. Nappa, et al. (2007). A comparison of machine learning techniques for phishing detection. Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit. Pittsburgh, Pennsylvania, ACM: 60-69. APACS. (2006). "UK card fraud losses in 2005 fall by £65m - to £439.4m from £504.8m in 2004 " Retrieved 2 March, 2007, from http://www.apacs.org.uk/media_centre/press/06_03_07.html. APACS. (2007). "Card fraud losses continue to fall." Retrieved 20 March 2007 from http://www.apcs.org.uk. Aston, M., S. McCombie, et al. (2009). A Preliminary Profiling of Internet Money Mules: An Australian Perspective. Proceedings of the 2009 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, IEEE Computer Society: 482-487. Australia Federal Police. (2010). "High Tech Crime: AFP casts a wide Net." Retrieved 30 March 2011, 2011, from http://www.afp.gov.au/about-the-afp/our-organisation/~/media/afp/pdf/h/high-tech-c rime-afp-casts-a-wide-net.ashx. Australian Bureau of Statistics (2007). Patterns of internet access in Australia, 2006. Canberra, Australian Bureau of Statistics. Australian Bureau of Statistics (2008). Personal Fraud, 2007. Canberra, Australian Bureau of Statistics. Australian Government (2009). Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime. Inquiry into Cyber Crime. House Standing Committee on Communications. Canberra, Parliament of Australia House of Representatives. 137 Australian Institute of Criminology (2007) "Money Mules." High Tech Crime Brief 16, 2007. Author Travis Group. (2005, September 2005). "Who Wrote Sobig? ." from http://authortravis.tripod.com/. Badra, M., S. El-Sawda, et al. (2007). Phishing attacks and solutions. Proceedings of the 3rd international conference on Mobile multimedia communications. Nafpaktos, Greece, ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering): 1-6. Basnet, R., S. Mukkamala, et al. (2008). Detection of Phishing Attacks: A Machine Learning Approach. Soft Computing Applications in Industry. B. Prasad, Springer Berlin / Heidelberg. 226: 373-383. Belton, C. (2003, 2003). "New Book Poses Question of Putin's Links with Underworld." from http://www.sptimes.ru/index.php?action_id=2&story_id=11164. Birk, D., S. Gajek, et al. (2007). Phishing Phishers - Observing and Tracing Organized Cybercrime. Internet Monitoring and Protection, 2007. ICIMP 2007. Second International Conference on. Broucek, V. and P. Turner (2006). "Winning the Battles, Losing the War? Rethinking Methodology for Forensic Computing Research." Journal in Computer Virology 2(1): 3-12. Carr, J. and L. Shepherd (2010). Inside cyber warfare. Sebastopol, Calif., O'Reilly Media, Inc. Chandrasekaran, M., K. Narayanan, S. Upadhyaya (2006). Phishing Email Detection Based on Structural Properties. NYS Cyber Security Conference 2006, New York. Chandrasekaran, M., R. Chinchani, et al. (2006). PHONEY: Mimicking User Response to Detect Phishing Attacks. Proceedings of the 2006 International Symposium on on World of Wireless, Mobile and Multimedia Networks, IEEE Computer Society: 668-672. Cody, J., H. Hughes, et al. (1980). Policies for industrial progress in developing countries. New York, Published for the World Bank by Oxford University Press. Cronin, M. J. (1997). Banking and finance on the Internet. New York, Van Nostrand Reinhold. Dantu, R., S. Palla, et al. (2008). "Classification of phishers." Journal of Homeland Security and Emergency Management 5(1): 138 Dazeley, R., J. Yearwood, et al. (2010). Consensus Clustering and Supervised Classification for Profiling Phishing Emails in Internet Commerce Security. Knowledge Management and Acquisition for Smart Systems and Services. B.-H. Kang and D. Richards, Springer Berlin / Heidelberg. 6232: 235-246. Dean, G., P. Gottschalk, et al. (2010). Organized crime : policing illegal business entrepreneurialism. Oxford, Oxford University Press. del Castillo, M., A. Iglesias, et al. (2007). Detecting Phishing E-mails by Heterogeneous Classification. Intelligent Data Engineering and Automated Learning - IDEAL 2007. H. Yin, P. Tino, E. Corchado, W. Byrne and X. Yao, Springer Berlin / Heidelberg. 4881: 296-305. del Castillo, M., Á. Iglesias, et al. (2007). An Integrated Approach to Filtering Phishing E-mails. Computer Aided Systems Theory – EUROCAST 2007. R. Moreno Díaz, F. Pichler and A. Quesada Arencibia, Springer Berlin / Heidelberg. 4739: 321-328. Devarakonda, A. K., P. Tummala, et al. (2010). Security Solutions to the Phishing: Transactions Based on Security Questions and Image. Information Processing and Management. V. V. Das, R. Vijayakumar, N. C. Debnathet al, Springer Berlin Heidelberg. 70: 565-567. Dhamija, R., J. D. Tygar, et al. (2006). Why phishing works. Proceedings of the SIGCHI conference on Human Factors in computing systems. Montr\&\#233;al, Qu\&\#233;bec, Canada, ACM: 581-590. Fette, I., N. Sadeh, et al. (2007). Learning to detect phishing emails. Proceedings of the 16th international conference on World Wide Web %@ 978-1-59593-654-7, Banff, Alberta, Canada, ACM. Finckenauer, J. O. and J. L. Schrock (2004). The prediction and control of organized crime : the experience of post-Soviet Ukraine. New Brunswick, N.J., Transaction Publishers. Florencio, D. and C. Herley (2010). Phishing and money mules. Information Forensics and Security (WIFS), 2010 IEEE International Workshop on. Florêncio, D. and C. Herley (2006). Analysis and Improvement of Anti-Phishing Schemes. Security and Privacy in Dynamic Environments. S. Fischer-Hübner, K. Rannenberg, L. Yngström and S. Lindskog, Springer Boston. 201: 148-157. Friedman, R. I. (2000). Red Mafiya : how the Russian mob has invaded America. Boston, Little, 139 Brown. Galeotti, M. (2005, 24 May 2005). "Russian mafiya become more active in Eastern Europe." from http://www.janes.com/security/law_enforcement/news/jir/jir050524_1_n.shtml. Galeotti, M. (2006). "The Criminalisation of Russian State Security." Global Crime 7(Number 3-4). Galeotti, M. (2008). Interview with Author. Gansterer, W. and D. Pölz (2009). E-Mail Classification for Phishing Defense. Advances in Information Retrieval. M. Boughanem, C. Berrut, J. Mothe and C. Soule-Dupuy, Springer Berlin / Heidelberg. 5478: 449-460. Gartner. (2009). "Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40 Percent in 2008." from http://www.gartner.com/it/page.jsp?id=936913. Glenny, M. (2008). McMafia : a journey through the global criminal underworld. New York, Knopf Books. Goodin, D. (2008). "Notorious eBay hacker arrested in Romania." from http://www.theregister.co.uk/2008/04/18/vladuz_arrested/. Gottschalk, P. (2010). Policing organized crime : intelligence strategy implementation. Boca Raton, CRC Press. Herley, C., D. Florencio, et al. (2008). A profitless endeavor: phishing as tragedy of the commons. Proceedings of the 2008 workshop on New security paradigms. Lake Tahoe, California, USA, ACM: 59-70. Herley, C. and D. Florencio (2010). "Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy." Economics of Information Security and Privacy: 33-53 320. Holt, T. J. and A. M. Bossler (2009). "Examining the Applicability of Lifestyle-Routine Activities Theory for Cybercrime Victimization." Deviant Behavior 30(1): 1 - 25. Holt, T. J. and E. Lampke (2010). "Exploring stolen data markets online: products and market forces." Criminal Justice Studies: A Critical Journal of Crime, Law and Society 23(1): 33 50. Holz, T., M. Engelberth, et al. (2009). Learning More about the Underground Economy: A 140 Case-Study of Keyloggers and Dropzones. Computer Security – ESORICS 2009. M. Backes and P. Ning, Springer Berlin / Heidelberg. 5789: 1-18. Hutchings, A. and H., Hennessey (2009). "Routine Activity Theory and Phishing Victimisation: Who Gets Caught in the 'Net'?" Current Issues in Criminal Justice 20(No. 3): 433-451. iDefense (2006). Money Mules: Sophisticated Global Cyber Criminal Operations Verisign. Information Warfare Monitor (2010). Shadows in the Cloud: Investigating Cyber Espionage 2.0, Information Warfare Monitor. International Telecommunication Union. (2008). "Internet indicators: subscribers, users and broadband subscribers: 2008." from http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI /InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1. Jackson, C., D. Simon, et al. (2007). An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. Financial Cryptography and Data Security. S. Dietrich and R. Dhamija, Springer Berlin / Heidelberg. 4886: 281-293. Jagatic, T. N., N. A. Johnson, et al. (2007). "Social phishing." Commun. ACM 50(10): 94-100. Jakobsson, M. (2005). "Modeling and Preventing Phishing Attacks." Jakobsson, M. and S. Myers (2007). Phishing and countermeasures : understanding the increasing problem of electronic identity theft. Hoboken, N.J., Wiley-Interscience. James, L. (2005). Phishing Exposed. Rockland MA Syngress Publishing. Juan, C. and G. Chuanxiong (2006). Online Detection and Prevention of Phishing Attacks. Communications and Networking in China, 2006. ChinaCom '06. First International Conference on. Karlof, C., U. Shankar, et al. (2007). Dynamic pharming attacks and locked same-origin policies for web browsers. Proceedings of the 14th ACM conference on Computer and communications security. Alexandria, Virginia, USA, ACM: 58-71. Karrstrand, K. (2007). "The Baltic connection - Money laundering in the Baltic region." Janes Intelligence Review; Serious and Organised Crime. Keegan, J. (2004). Intelligence in War. London, Random House. Kerber, R. (2007). "Suspect named in TJX credit card probe: Ukrainian's arrest seen as break in 141 record fraud case." from http://www.boston.com/business/globe/articles/2007/08/21/suspect_named_in_tjx_cr edit_card_probe/. Kornakov, P. (2007). "Gibson offers sneak peek into his world." from http://www.cambridge-news.co.uk/business/news/2007/02/06/ca10f0fb-fa50-4e49-b8 d4-51b8c359075a.lpf. Krebs, B. (2006). "In the Fight Against Spam E-Mail, Goliath Wins Again." from http://www.washingtonpost.com/wp-dyn/content/article/2006/05/16/AR20060516018 73.html. Krebs, B. (2008). "Three Charged With Hacking Dave & Buster's Chain ", from http://voices.washingtonpost.com/securityfix/2008/05/three_charged_with_hacking_d av.html. Kreizer, G. (2005). Dutch Botnet Trio Reportedly Connected To Russian Mob. Kshetri, N. (2009). "Positive externality, increasing returns, and the rise in cybercrimes." Commun. ACM 52(12): 141-144. Kshetri, N. (2010). "The Economics of Click Fraud." Security & Privacy, IEEE 8(3): 45-53. Kshetri, N. (2010). The global cybercrime industry : economic, institutional and strategic perspectives. New York, Springer. Landgraaf, A. d. (2006). "E-Secure-IT Analysis of the “Rocky” Phish." Retrieved 20 March 2007, from http://ims.co.nz/blog/archive/2006/06/07/1813.aspx. Lesk, M. (2007). "The New Front Line: Estonia under Cyberassault." IEEE Security and Privacy 5(No.4 July/Aug. 2007): pp.76-79. Litan, A. (2005). Increased Phishing and Online Attacks Cause Dip in Consumer Confidence. Gartner Research, Gartner. Lu, C., W. Jen, et al. (2007). Trends in Computer Crime and Cybercrime Research During the Period 1974-2006: A Bibliometric Approach. Intelligence and Security Informatics. C. Yang, D. Zeng, M. Chauet al, Springer Berlin / Heidelberg. 4430: 244-250. Ludl, C., S. McAllister, et al. (2007). On the Effectiveness of Techniques to Detect Phishing Sites. Detection of Intrusions and Malware, and Vulnerability Assessment. B. M. Hämmerli and 142 R. Sommer, Springer Berlin / Heidelberg. 4579: 20-39. Ma, J., Y. Li, et al. (2008). Identifying Chinese E-Mail Documents' Authorship for the Purpose of Computer Forensic. Proceedings of the IEEE ISI 2008 PAISI, PACCF, and SOCO international workshops on Intelligence and Security Informatics. Taipei, Taiwan, Springer-Verlag: 251-259. Martin, S. (2007). International Field Report : Australia. 2007 APWG General Members Meeting. Pittsburgh PA. McCombie, S., P. Watters, et al. (2008). Forensic Characteristics of Phishing - Petty Theft or Organized Crime? Fourth International Conference on Web Information Systems and Technologies. Funchal, Madeira, Portugal. 1: pp149-157 McCombie, S. (2008). Trouble in Florida: The Genesis of Phishing attacks on Australian Banks. 6th Australian Digital Forensics Conference. Perth. McCombie, S. and J. Pieprzyk (2010). Winning the Phishing War: A Strategy for Australia. Second Cybercrime and Trustworthy Computing Workshop, University of Ballarat. McCombie, S., J. Pieprzyk, et al. (2009). Cybercrime Attribution: An Eastern European Case Study. 7th Australian Digital Forensics Conference. Perth. McMillan, R. (2006). "Gartner: Consumers to lose $2.8 billion to phishers in 2006." Retrieved 20 March 2007, from http://www.pcworld.com/article/id,127799/article.html. McMillan, R. (2006). "'Rock Phish' blamed for surge in phishing." Retrieved 2 March, 2007, from http://www.infoworld.com/article/06/12/12/HNrockphish_1.html. Menn, J. (2010). Fatal system error: the hunt for the new crime lords who are bringing down the Internet. New York, NY, PublicAffairs. Messagelabs. (2009). "MessageLabs Intelligence: July 2009." from http://www.messagelabs.com/resources/mlireports. Miyamoto, D., H. Hazeyama, et al. (2005). SPS: A Simple Filtering Algorithm to Thwart Phishing Attacks. Technologies for Advanced Heterogeneous Networks. K. Cho and P. Jacquet, Springer Berlin / Heidelberg. 3837: 195-209. Moore, T. and R. Clayton (2007). Examining the impact of website take-down on phishing. Proceedings of the anti-phishing working groups 2nd annual eCrime researchers 143 summit. Pittsburgh, Pennsylvania, ACM: 1-13. Moura, G. and A. Pras (2009). Scalable Detection and Isolation of Phishing. Scalability of Networks and Services. R. Sadre and A. Pras, Springer Berlin / Heidelberg. 5637: 195-198. Naraine, R. (2006). "Return of the Web Mob." from http://www.eweek.com/article2/0,1895,1947561,00.asp. Naraine, R. and D. Danchev. (2010). "Google-China cyber espionage saga - FAQ." Retrieved 2 May, 2011, from http://www.zdnet.com/blog/security/google-china-cyber-espionage-saga-faq/5259. Nazario, J. (2007). "Phishing Corpus." from http://monkey.org/~jose/wiki/doku.php?id=PhishingCorpus. Nomad, S. (2005). "Organized Cybercrime." from http://www.dc214.org/notes/june_2005/dc214_sn_orgcrime.ppt. Overseas Security Advisory Council (2009). Russia 2009 Crime & Safety Report: St. Petersburg, Overseas Security Advisory Council. Pamunuwa, H., D. Wijesekera, et al. (2007). An Intrusion Detection System for Detecting Phishing Attacks. Secure Data Management. W. Jonker and M. Petkovic, Springer Berlin / Heidelberg. 4721: 181-192. Parsons, M. (2004). "Twelve arrested for laundering phished funds." Retrieved 1 September, 2009, from http://news.zdnet.co.uk/security/0,1000000189,39153687,00.htm. Passerini, E., R. Paleari, et al. (2008). Detecting and Monitoring Fast-Flux Service Networks. Detection of Intrusions and Malware, and Vulnerability Assessment. D. Zamboni, Springer Berlin / Heidelberg. 5137: 186-206. Pfaffenberger, B. and D. Wall (1996). The 10 secrets for Web success : what it takes to do your site right. Research Triangle Park, NC, Ventana. Phair, N. (2007). Cybercrime : the reality of the threat. Kambah, A.C.T., Nigel Phair. Plössl, K., H. Federrath, et al. (2005). Protection Mechanisms Against Phishing Attacks. Trust, Privacy and Security in Digital Business. S. Katsikas, J. Lopez and G. Pernul, Springer Berlin / Heidelberg. 3592: 20-29. 144 PRNewswire. (2006). "Microsoft Praises Bulgarian Authorities on Investigation and Arrest of Alleged Phishing and Organised Crime Group." 2006, from http://www.prnewswire.co.uk/cgi/news/release?id=162256. Ramzan, Z. and C. Wueest (2007). Phishing Attacks: Analyzing Trends in 2006. CEAS 2007 - The Fourth Conference on Email and Anti-Spam. Mountain View, California, USA. Reuters. (2005, November 29, 2005). "Cybercrime now bigger than the drug trade." from http://www.smh.com.au/news/technology/cybercrime-now-bigger-than-the-drug-trade /2005/11/29/1133026443366.html. Ridley, N. (2007). "Financial Crime Trends in Central and Eastern Europe." Economic Affairs 27(No. 1 March 2007): pp. 22-26. Roth, M. P. (2010). Global organized crime : a reference handbook. Santa Barbara, Calif., ABC-CLIO. Ryan, M., S. P. Savage, et al. (2001). Policy networks in criminal justice. Basingstoke, Hampshire England ; New York, Palgrave. Serio, J. D. (2008). Investigating The Russian Mafia. Durham NC, Carolina Academic Press. Smith, R. G., P. N. Grabosky, et al. (2004). Cyber criminals on trial. Cambridge ; New York, Cambridge University Press. Soldatov, A. (2010). "Cyber wars." Retrieved 1 March, 2011, from http://www.agentura.ru/english/equipment/. Stabek, A., S. Brown, et al. (2009). The Case for a Consistent Cyberscam Classification Framework (CCCF). Ubiquitous, Autonomic and Trusted Computing, 2009. UIC-ATC '09. Symposia and Workshops on. Stamp, P. (2005) "Increasing Organized Crime Involvement Means More Targeted Attacks." Forrester Research. Sturgeon, W. (2006). "Analysis: A globetrotter's guide to cyber crime." Retrieved 30 July, 2009, from http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158777,00.ht m. Susilo, W. and Y. Mu (2006). Separable Identity-Based Deniable Authentication: Cryptographic 145 Primitive for Fighting Phishing. Public Key Infrastructure. A. Atzeni and A. Lioy, Springer Berlin / Heidelberg. 4043: 68-80. The Presidents Identity Theft Task Force (2007). Combating Identity Theft: A Strategic Plan. 2007. The Spamhaus Project. (2009). "The 10 Worst ROKSO Spammers." Retrieved 21 July, 2009, from http://www.spamhaus.org/statistics/spammers.lasso. Thomas, J. H. (2008). Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers. Topkara, M., A. Kamra, et al. (2005). ViWiD : Visible Watermarking Based Defense Against Phishing. Digital Watermarking. M. Barni, I. Cox, T. Kalker and H. J. Kim, Springer Berlin / Heidelberg. 3710: 470-483. Transparency International. (2008). "Corruption Perceptions Index 2008." from http://www.transparency.org/policy_research/surveys_indices/cpi/2008. US Department of Justice (2008). Strategy to Combat International Organized Crime. Varese, F. (2001). The Russian mafia : private protection in a new market economy. Oxford, England ; New York, Oxford University Press. deVel, O. (2000). Mining Email Authorship. KDD-2000 Workshop on Text Mining. Boston. deVel, O., A. Anderson, et al. (2001). "Mining e-mail content for author identification forensics." SIGMOD Rec. %@ 0163-5808 30(4): 55-64. Volkov, V. (2002). Violent entrepreneurs : the use of force in the making of Russian capitalism. Ithaca, Cornell University Press. Walker, F. (2006). Gone phishing ... gangs using Aussie kids to steal millions. Sydney Morning Herald. Sydney. Wall, D. (2001). Crime and the internet. New York, Routledge. Wall, D. (2003). Cyberspace crime. Aldershot, Hants, England ; Burlington, VT, Ashgate. Warne, D. (2007). "Romania a global hotspot for eBay fraud." APC Magazine May 2007. from http://apcmag.com/romania_a_global_hotspot_for_ebay_fraud.htm. Watters, P. A. (2002). "Discriminating English word senses using cluster analysis." Journal of Quantitative Linguistics 9((1)): 77-86. 146 Watters, P. A. and S. McCombie (2011). "A methodology for analyzing the credential marketplace." Journal of Money Laundering Control 14(1): 32-43. Wilson, T. (2010) "More Than 80 Arrested In Alleged Zeus Banking Scam." Darkreading. Winterford, B. (2007, 19 June 2007). "Westpac hit by DoS attacks." from http://www.zdnet.com.au/news/security/soa/Westpac-hit-by-DoS-attacks/0,13006174 4,339278748,00.htm. World Bank. (2007). "Education Statistics 2007 Version 5.3." 2007. from http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTEDUCATION/EXTDATASTATIS TICS/EXTEDSTATS/0,,menuPK:3232818~pagePK:64168427~piPK:64168435~theSitePK:32 32764,00.html. Zenz, K. (2007). Global Threat Research Report: Russia. iDefense Security Report. iDefense, Verisign. Zenz, K. (2007). Uncovering Online Fraud Rings: The Russian Business Network. iDefense Security Report. IDefense, Verisign. Zheng, R., Y. Qin, et al. (2003). Authorship analysis in cybercrime investigation. Proceedings of the 1st NSF/NIJ conference on Intelligence and security informatics. Tucson, AZ, USA, Springer-Verlag: 59-73.