Illicit Distribution Networks: Spam Tactics of Online Criminals

KnujOn (“no junk” backwards)
http://www.knujon.com
Fighting Spam and E-crime with Information and Policy Enforcement

KnujOn is…
* Garth Bruen – [email protected]
* Dr. Robert Bruen – [email protected]
* Boston, MA/Wilmington, VT
* Project opened to public in 2005

KnujOn does…
* 54,357 confirmed illicit domain terminations
* 200,000+ unconfirmed terminations
* 69,111 pending suspensions
* Accepting 30,000 junk email samples each day from the public
* Issuing detailed reports to members
* Gathering detailed data on illicit networks
* Testing Internet policy to expose breakpoints and bottlenecks
* Challenging misconceptions held by the public and the media
* Making direct connections between spam, illicit websites, registration forgery, and counterfeit products

90% of Illicit Sites are at just 20 Registrars
* Over 800 ICANN Accredited Registrars
* 20 of them have the bulk of illicit sites
* Fake pharmacies, knockoff sites, pirate software downloads, and phony mortgage institutions clustered at specific providers
* Lack of standards, poor accountability and no enforcement have created havens

Illicit website defined by…
* Offering bogus, unlicensed, or non-existent products or services
* Advertised with spam
* Uses registration forgery as standard practice

Policy Enforcement Model
* “There’s too much junk email to process effectively for enforcement” – Not True
* The resources to fix this problem currently exist
* Unused, ignored, and untested procedures lie idle
* Processes that have been proven to work need more money and personnel to expand

Problem and Solution Distribution
* No single party or sector is completely to blame for the spam epidemic
* Therefore the different pieces of the answer sit in various locations
* Streamlining and merging the existing functions produces measurable results

Analysis of Compliance Layers
* ICANN – Issues Registrar Accreditations
* Registrars – Issue domain names
* ISPs – Provide Space on the Net
* Industry – Develop software and hardware
* Regulatory/Enforcement – The Gov’t
* Brands – Selling stuff
* The Public – You, me, private business

Why New Direction?
* Filtering is not a complete solution
* Deleting spam is destroying data and evidence
* Current abuse structure helps spammers
* Spammers are mercenaries – not driving the problem
* Profits from illicit traffic growing

Yahoo and Postini
* Study of one webmail filter, one network enterprise filter (not singling them out)
* 332 spam items bypassed Yahoo! filtering in 2007
* Postini missed 221 spam items in the same year
* More or less seeing one piece of spam for every business day of the year
* “99 out of 100 Pickpockets”

Spam from CNN
* Thousands of media sites…
* There are a number of untapped resources spammers could use…

ICANN Case Study
* 2003 – 2005: GAO Reports and Congressional testimony by experts outline serious fraud within the Whois Records
* Critics contend that Whois is largely a “fiction”
* Little has been done…
* KnujOn files 5 – 10 thousand inaccuracy reports a week; we could do this many a day but ICANN can’t handle it
* Their process has crashed 4 times because of our reporting; the database has had to be purged and upgraded
* They are reluctant to engage us or acknowledge the problem

Registrar Havoc
* 10 Registrars have 92% of the domain abuse

Rating the Registrars
Several metrics:
1. Raw count of reported sites
2. Proportion of reported sites to total held by registrar
3. “Aggression” rate – how many individual spam messages advertise these sites?
4. Proportional aggression
5. Volume of inaccurate records
6. Number of trademark-related sites

Privacy for whom?
* Big debate/point of contention
* Cultural line between U.S. and Europe
* Fact: Criminals are flocking to privacy services
* Privacyprotect.org is the spammer favorite, basically denying all access to domain owner information in violation of ICANN terms
* Thousands of fake pharmacy sites use this service

ISP Spam Site Crop Rotation

Few ISPs with Many Illicit Sites
* 169 IP addresses account for 50% of the illicit sites tracked by KnujOn
* The typical illicit IP address hosts between one and five thousand domains advertised through spam
* These extensive operations cannot exist without at least the tacit support of a service provider

Registration Fraud Opens Door to Fake Pharmacies

Where are the tools? - Industry
* "Cybercops are drowning in data… we need the industry to create tools to help us investigate large volumes of data." - Jim Christy, Defense Cyber Crime Institute (DCCI or DC3)
* KnujOn participants have developed their own utilities for reporting spam from Thunderbird, Outlook, Yahoo, Gmail, AppleMail
* Created by dedicated members, not by big software houses or ISPs
* The Internet industry has in many cases made it more difficult for consumers to report junk email

Where is the Enforcement?
* Lack of data or too much unsorted data
* No organizational or political will
* Jurisdiction issues
* Process and procedure need updating
* No “victim”:
  - Brands enforcing trademarks
  - Buyers of bogus products not stepping up

Busting Individuals Not A Solution
* Spammers are mercenaries
* Downloadable kits make spamming easy
* Number of arrests and successful prosecutions small in relation to scope of the problem
* Spammers don’t have a warehouse of pills and handbags

Brands need to enforce trademarks
* Phishing is brand-related – Anti-phishing push did not come from banks but from LE, consumers, and academics
* Brand-related spam accounts for approximately 85% of what KnujOn processes
* Not just luxury brands, but ordinary consumer products

Old Model of Network Security
* Access management
* Building firewalls
* Intrusion detection and prevention
* Countermeasures and proactive actions shunned
* Internet has drastically changed the nature of the threat…

New model…
* Threats are outside the network!
* New processing and storage models eliminate complete control and old boundaries of the network
* Internet commerce means you have to leave the network to do anything
* Smear/reputation attacks
* Brandjacking threat not within the network

What happened to stock spam?
* 2005/2006 there was nothing but stock spam
* Criminals made real profits
* Securities and Exchange Commission started project that involved:
  * Accepting reports from the public
  * Analyzing the emails and featured stocks
  * Suspended trading of featured stocks
  * Froze assets of those who profited
  * Indicted perpetrators
* Problem has been minimized and managed
* Proper policy enforcement works

Breaking down the spam campaign ratio
* Botnet with tens of thousands of machines…
* Sends millions of spams…
* To millions of mailboxes…
* That advertise several hundred links…
* That redirect to a few hundred real domains…
* Sitting on a few dozen IPs…
* Registered at 1 or 2 registrars.
* Problem explodes, then focuses

What do they want?
* Transactions

A transaction could be:
* Exchange of money for goods
* Surrender of money for nothing
* Identity data theft
* Compromise account/network
* Delivery of malware

Sending spam, not a transaction

Target the transaction
* The reasons for spam, what is driving and enabling it.
* What does it mean to purchase goods sold in spam?
* Where do the products sold in spam come from?
* Who profits from merchandise sold in spam?

The Path of Fake Goods Sold in Spam
* Manufacture of these goods is often done using forced, prison, child or undercompensated labor
* The illegal factories are usually not inspected and pose serious health, safety and environmental threats
* In order to operate large illegal factories, local government must be bribed or coerced
* The products themselves represent copyright, trademark and intellectual property infringements
* Fake goods must be smuggled out of source countries
* Contraband is often carried by human mules, tying smuggling to human traffic, sexual exploitation, document forgery and other transnational crime
* Taxes are unlikely to be paid on smuggled, counterfeit goods
* Profits from illicit traffic fund criminal organizations, terror groups and bloody conflicts in developing countries
* Substandard counterfeit goods explode, start fires, and poison people
* Profits from illicit traffic must be moved by money launderers

Growth of illicit traffic in comparison to Internet

Spammers still get customers
* 650,000 people purchased at least one item sold in spam in a single month surveyed (Consumer Reports)
* If the average spam “unit” is $75, that is $48,750,000 per month or $585,000,000 per year
* While the majority of Internet users block and delete spam, the remainder keeps the spammers employed!

Engaging the public…
* Encouraging everyone to report spam
* Report often and to as many authorities as possible
* KnujOn shares samples with APWG, StopPhishing, CastleCops and others
* Supply feedback, re-engage the reporter

Send us spam!
* Forward email to [email protected]
* Upload bulk junk here: http://www.knujon.com/sendusspam.html

Spam Independence Day
* Between Memorial Day and July 4th, report as much spam as possible to as many services as possible.
* Focus on your area of expertise if you have one

Join KnujOn
* Go to http://www.knujon.com/htcia
* Enter: htciaOH2008 for a free KnujOn account
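
Metrics 1 to 4 from "Rating the Registrars" and the narrowing described in "Breaking down the spam campaign ratio", worked over constructed reports as an added example (not KnujOn's code or data). The record layout, the portfolio totals, and the reading of "proportional aggression" as messages per reported site are assumptions.

```python
from collections import Counter, defaultdict

# Constructed reports: (message_id, advertised_link, landing_domain, host_ip, registrar).
# Every value is invented; .example and 192.0.2.0/24 are documentation-only ranges.
REPORTS = [
    ("m1", "http://l1.example/a", "pills-one.example", "192.0.2.10", "RegistrarA"),
    ("m2", "http://l1.example/a", "pills-one.example", "192.0.2.10", "RegistrarA"),
    ("m3", "http://l2.example/b", "pills-one.example", "192.0.2.10", "RegistrarA"),
    ("m4", "http://l3.example/c", "pills-two.example", "192.0.2.10", "RegistrarA"),
    ("m5", "http://l4.example/d", "watches.example", "192.0.2.10", "RegistrarA"),
    ("m6", "http://l5.example/e", "loans.example", "192.0.2.77", "RegistrarB"),
]
# Assumed total domains held by each registrar (constructed figures).
PORTFOLIO = {"RegistrarA": 1000, "RegistrarB": 50000}
STAGES = ("messages", "links", "domains", "ips", "registrars")

def funnel(reports):
    """Distinct values at each stage: the campaign narrows toward the registrar."""
    return {name: len(set(col)) for name, col in zip(STAGES, zip(*reports))}

def rate_registrars(reports, portfolio):
    """Metrics 1 to 4 from the slide, per registrar."""
    sites, messages = defaultdict(set), Counter()
    for _mid, _link, domain, _ip, registrar in reports:
        sites[registrar].add(domain)
        messages[registrar] += 1
    return {
        reg: {
            "raw_count": len(doms),                     # 1. reported sites
            "proportion": len(doms) / portfolio[reg],   # 2. share of registrar's domains
            "aggression": messages[reg],                # 3. messages advertising them
            "proportional_aggression": messages[reg] / len(doms),  # 4. assumed definition
        }
        for reg, doms in sites.items()
    }

def chokepoints(reports, column, share):
    """Largest-first values in `column` (3 = IP, 4 = registrar) until `share` of domains is covered."""
    per_key = defaultdict(set)
    for row in reports:
        per_key[row[column]].add(row[2])
    total = len({row[2] for row in reports})
    picked, covered = [], set()
    for key, doms in sorted(per_key.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        if len(covered) >= share * total:
            break
        picked.append(key)
        covered |= doms
    return picked
```

On real report volumes the same grouping is what surfaces figures like the 169 IP addresses covering 50% of tracked sites: `chokepoints(REPORTS, 3, 0.5)` returns the hosts to escalate first.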