4. Our environment
Honeypots (http, ftp, ssh, smtp, ...)
Sandboxes + proactive internet “browsing”
End points around the globe
Public discussion groups of interest: scraping and indexing
(c) 2011 Armorize Technologies
10. Still living in the IRCBOT age
11. APT
• Kiddies are not very interesting. Following the APT guys is a bit more fun.
APT – advanced persistent threat
(made lots of noise after the Aurora attacks, but... how advanced is it, really? :-))
13. APT: in Taiwan
• Targets: academics, post, rail, ..
14. APT: main characteristics
• Attacks are planned and methodical
• In many instances the primary aim of an action is information gathering (e.g. JavaScript that collects and posts the user's environment information)
• Malicious content is well-prepared (digitally signed with valid certificates, etc.)
15. APT Research from xecure-lab guys
17. Businessmen are fun to study :)
Traffic, online goods & services
18. How to steal a million?
19. Effectiveness
• Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America).
• New school: steal a dollar from a million people. It is still a million (and no noise).
20. So, where is the money?
DIRECT SOURCES:
• Ads (PPC)
• Banking credentials
• Pharm
• CC cashing
• Pr0n
• Extortions
• “Software”
• Mobile scam
INDIRECT SOURCES:
• TRAFF
• Credentials
• Online goods & services
21. TRAFFIC..
• You need users to start visiting your “milking resource” to start with..
22. TRAF. COST
• AU - 300-550$
• UK - 220-300$
• IT - 200-350$
• NZ - 200-250$
• ES,DE,FR - 170-250$
• US - 100-150$
• RU, UA, KZ, KG .. 10-40$
38. Ad network dynamic bidding
• The ad network dynamic bidding system is asking for abuse :-)
• Decentralized: small players feed data to bigger guys (DoubleClick), verification is mostly manual, real-time content tampering is easy, target selection is automated, and a number of mechanisms that prevent click fraud also make automated analysis hard!!!
48. Well-operated :)
• Spreads through advertisements (social engineering and exploits)
• Reboots the machine until a license is purchased (80 USD)
• Provides a support hotline (hosted in India)
• Uses legitimate payment gateways (possible to do refunds)
49. Another attack: infrastructure
61. .. OR A SET
For money of any state of dirtiness
Pack includes:
1. Online bank account access
2. ATM card (1000/6000 USD per month withdrawal limit)
3. Online access passwords
4. Passport copy of “poor John”
5. SIM card