Tag Archives: cybercriminal

Extortion on the Internet : the Rise of Crypto-Ransomware

abstract:
This article highlights the transition from traditional ransomware threats (ransomware 1.0) to new and more complex attacks (crypto-ransomware) targeting desktop computers. The article suggests that cybercriminals will capitalize on malicious codes and target emerging and less-secured areas: mobile devices, M2M and the Internet of Things

Keywords:
Crypto-ransomware, Cybercrime, Malware, Internet of Things, M2M.

***

We all know the ransom mechanics: a hacker threatens an online business to flood its website with requests, thus resulting in a Denial of Service—which means the website will become unavailable and the online business will not be able to sell its products. Kshetri (2013) describes the story of an online CD and DVD retailer that “paid a ransom of US$40,000 to a hacker based in Balakov, Russia […] the fund was wired to 10 accounts in Latvia. [Money] mules then rewired the money to St. Petersburg and Moscow. Another set of mules brought the money to Balakov. The computer server used to launch the attacks was in Houston” (p.9).
However, this case involves what we could term as a ‘manual,’ ‘targeted’ and ‘dedicated’ attack and management: the attack is focused on one target, involves a specific threatening action and a relationship with the target (exchange, negotiation, etc.).
What we will discuss today is ransomware and its evolution: malicious software spread en masse and ‘industrialized’ (Richet, 2013). The hacker just needs to spread the malware, and all the other processes will be automated (fund reception through bitcoin, automated delivery of the decryption key through email, etc.).

There is a lot of ‘basic’ ransomware on the internet; spread through drive-by downloads, torrent, scams, etc., these common pieces of ransomware aim to scare users. Some are just scams and fear appeals, with no impact on data—for instance, fake antivirus warnings showing annoying pop-ups everywhere with messages like “you have been infected by a dangerous malware, we are currently protecting your files, but sooner or later they will be deleted by the virus if you don’t act. Click here to buy our antivirus and solve all your issues.” Other ransomware can restrict computer use, preventing access to some programs or files—for instance, fake US government messages, again, through annoying pop-ups, with messages like “you have downloaded copyright-protected content. We have restricted the use of your computer. Click here to pay your fine.” In 2006-2007, ransomware attack processes were quite straightforward—it simply stored selected files in a compressed archive, then password-protected these archives (Luo & Liao, 2007).

Gazet (2010) studied the wave of ransomwares spread in the summer of 2007, and made the following conclusion: “Code is most often quite basic, no armoring, no pure jewel of low level assembly or nothing of this kind. […] The kind of ransomware we have analyzed for this study is clearly intended for mass propagation and we should not forget that ransomwares’ strength comes from the fear they generate into lambda-user mind, not from their technical skills. […] The ransomware phenomenon is a reality that has to be monitored but in some ways it is not a mature and complex enough activity that deserves such communication around it. Ransomwares as a mass extortion means is certainly doomed to failure. Their extinction […] means that criminals have evolved to something else and other sources of income.

However, should we review this conclusion in the light of current trends in the cybercrime underworld?

 

In their report, Fossi & al. (2015) highlight this emerging issue: ransomware attacks more than doubled in 2014, from 4.1 million in 2013, up to 8.8 million. While describing eHealth security in the context of Australia, Foster and Lejins (2013) outlined the threat of ransomware targeting small Australian health organizations.

 tox-crimeware-kit-jean-loup-richet

Image description: Crimeware-as-a-service and ransomware: Tox is a ransomware construction kit that allows cybercriminals to create crypto-ransomware in a few clicks.

Moreover, ransomware codes have become more sophisticated and shifted from basic programs to well-designed crypto-ransomware. I define crypto-ransomware as the following: “A crypto-ransomware is a type of malware that encrypts a users’ data. Data access is restricted until a ransom is paid to decrypt it.” Virlock is a good example of current ransomware sophistication; this crypto-ramsomware locks its victims’ screens, encrypts specific files (such as images, documents, musics, executable and so on) but has also self-spreading capabilities. What makes it stand out is the fact that this malware is polymorph (meaning the code changes each times it runs and is different for each infected host).

According to Fossi & al. (2015), crypto-ransomware expanded from 8,274 in 2013 to 373,342 in 2014.

What would be new areas of expansion for crypto-ransomware and their ‘basic’ counterparts?

My best guess is that cybercriminals will be taking advantage of the security loopholes of smartphones, as well as emerging IT trends such as M2M & the Internet of Things.

The number of mobile malware threats has exploded in 2013, and multiple mutated ransomware appeared in the Android application ecosystem (Apvrille, 2014)—what works on desktop computers could be easily mimicked in a mobile environment (Becher et al., 2011). According to Oberheide and Jahanian (2010), ransomware attacks have already targeted mobile users en masse in China.

As vehicles become increasingly connected in this Internet of Things era, they will also face the threat of ransomware in the years to come. Zhang, Antunes and Aggarwal (2014) highlighted this security challenge: “ransomware could allow an attacker to remotely disable selected vehicle functions (e.g., lock the doors or the in-car radio, immobilize the engine) in a way that the vehicle owner’s car keys can no longer activate them. The attackers can then demand ransom to be paid before reenabling these functions” (p.14).

To sum up, we are experiencing the transition from traditional ransomware threats (ransomware 1.0) to new and more complex attacks (crypto-ransomware) targeting desktop computers.
However, I believe cybercriminals will capitalize on malicious codes and target emerging and less-secured areas: mobile devices, M2M and the Internet of Things.

References:

Apvrille, A. (2014). The evolution of mobile malware. Computer Fraud & Security, 2014(8), 18-20.
Becher, M., Freiling, F. C., Hoffmann, J., Holz, T., Uellenbeck, S., & Wolf, C. (2011). Mobile security catching up? revealing the nuts and bolts of the security of mobile devices. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 96-111). IEEE.
Fossi, M., Egan, G., Haley, K., Johnson, E., Mack, T., Adams, T., & Wood, P. (2011). Symantec internet security threat report trends for 2015. Volume XX.
Foster, B., & Lejins, Y. (2013). Ehealth security Australia: The solution lies with frameworks and standards. Proceedings of the 2nd Australian eHealth Informatics and Security Conference, 2-4 December 2013, Edith Cowan University, Perth, Western Australia.
Gazet, A. (2010). Comparative analysis of various ransomware virii. Journal in computer virology, 6(1), 77-90.
Kshetri, N. (2013). Cybercrimes in the Former Soviet Union and Central and Eastern Europe: current status and key drivers. Crime, law and social change, 60(1), 39-65.
Luo, X., & Liao, Q. (2007). Awareness education as the key to Ransomware prevention. Information Systems Security, 16(4), 195-202.
Oberheide, J., & Jahanian, F. (2010). When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments. In Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications (pp. 43-48). ACM.
Richet, J. L. (2013). From Young Hackers to Crackers. International Journal of Technology and Human Interaction (IJTHI), 9(3), 53-62.
Zhang, T., Antunes, H., & Aggarwal, S. (2014). Defending connected vehicles against malware: Challenges and a solution framework. IEEE Internet of Things Journal, 1(1), 10-21.

***
Download this article: ”Extortion on the Internet: the Rise of Crypto Ransomware”

a fraud with bitcoins? Mycoin scandal has nothing to do with Bitcoin

Abstract:
Bitcoin is again drawing scrutiny –media from all over the world titled in February 2015 about “a tremendous fraud with bitcoins”. In wake associated with this scandal, Hong Kong’s central bank informed customers against acquiring virtual currencies. However, we argue that Mycoin scandal has nothing to do with Bitcoin. It is just a bitcoin-based scam that could have been done with any other crypto, digital or physical currency.

Keywords:
Bitcoin, Mycoin, Ponzi scheme, scam, Hong Kong, currency exchange.

 

***

Last summer, local Chinese investors took a trip to Hong Kong for a bitcoin event financed by Mycoin, the Hong Kong company that just all of a sudden closed shop, getting an approximated $390 million along with it.

Today, Mycoin’s business office is vacant, a managing director has supposedly transferred the firm’s financial assets to an Uk Virgin Islands account before leaving, and increasingly more people say that in spite of promoting itself as a hub for currency exchange, Mycoin in fact had no bitcoin at all.

Bitcoin is again drawing scrutiny, and in wake associated with this scandal, Hong Kong’s central bank informed customers against acquiring virtual currencies.

However, this has nothing to do with Bitcoin at all: MyCoin was basically running a Ponzi scheme based on Bitcoins.

This generates negative publicity for this cryptocurrency and contributes to its poor notoriety: nearly anonymous (Reid & Harrigan, 2013), risky and insecure (Moore and Christin, 2013; Eyal and Sirer, 2014).

In 2012, the bitcoin trading platform Mt.Gox froze records of users who possessed bitcoins that could be directly related to theft and fraud (Moser, Bohme, & Breuker, 2013). In spite of this, scamming people with bitcoin hasn’t ceased at all: it even turn out to be a remarkably lucrative business for cybercriminals (Richet, 2013; Tropina, 2014).

In their empirical study of Bitcoin-based scams, Vasek and Moore (2015) identify 192 scams and classify them into four groups: Ponzi schemes, mining scams, scam wallets and fraudulent exchanges. In 21% of the cases, they found the associated Bitcoin addresses, which enables them to track money into and out of the scams. They find that at least $11 million has been contributed to the scams from 13 000 distinct victims. Indeed, the most successful scams depend on large contributions from a very small number of victims…

References:

Eyal, I., & Sirer, E. G. (2014). Majority is not enough: Bitcoin mining is vulnerable. In Financial Cryptography and Data Security (pp. 436-454). Springer Berlin Heidelberg.

Moore, T., & Christin, N. (2013). Beware the middleman: Empirical analysis of bitcoin-exchange risk. In Financial Cryptography and Data Security (pp. 25-33). Springer Berlin Heidelberg.

Moser, M., Bohme, R., & Breuker, D. (2013, September). An inquiry into money laundering tools in the Bitcoin ecosystem. In eCrime Researchers Summit (eCRS), 2013 (pp. 1-14). IEEE.

Reid, F., & Harrigan, M. (2013). An analysis of anonymity in the bitcoin system (pp. 197-223). Springer New York.

Richet, J. L. (2013). Laundering Money Online: a review of cybercriminals methods. arXiv preprint arXiv:1310.2368.

Tropina, T. (2014, June). Fighting money laundering in the age of online banking, virtual currencies and internet gambling. In ERA Forum (Vol. 15, No. 1, pp. 69-84). Springer Berlin Heidelberg.

Vasek, M., & Moore, T. (2015) There’s No Free Lunch, Even Using Bitcoin: Tracking the Popularity and Profits of Virtual Currency Scams.  Financial Cryptography and Data Security 2015 Conference.

***

Download this article: “Bitcoins based-scams”

Laundering Money Online: an Overview

Abstract:
This chapter introduces my research on cybercriminals’ money-laundering methods (Richet, 2013). It is the first of a series of chapters dedicated to current trends in online money laundering. We all know the oldest ‘physical’ placement methods of money launderers: cash smuggling, casinos and other gambling venues, insurance policies, hawalas / fe chi’en or the black market peso exchange, shell corporations, and so on and so forth. But there is also a number of online money laundering schemes currently being used by criminal enterprises to pass illegally received funds through legitimate accounts, and new ones are popping up all the time. Some of the most widespread schemes will be detailed in this series of chapters.

Keywords:
Cybercrime, online gaming, money laundering, micro laundering, black markets.

***
Introduction

Money laundering is a critical step in the cyber crime process which is experiencing some changes as hackers and their criminal colleagues continually alter and optimize payment mechanisms. Conducting quantitative research on underground laundering activity poses an inherent challenge: Bad guys and their banks don’t share information on criminal pursuits. However, by analyzing forums, we have identified two growth areas in money laundering:

• Online gaming—Online role playing games provide an easy way for criminals to launder money. This frequently involves the opening of numerous different accounts on various online games to move money.

• Micro laundering—Cyber criminals are increasingly looking at micro laundering via sites like PayPal or, interestingly, using job advertising sites, to avoid detection. Moreover, as online and mobile micro-payment are interconnected with traditional payment services, funds can now be moved to or from a variety of payment methods, increasing the difficulty to apprehend money launderers. Micro laundering makes it possible to launder a large amount of money in small amounts through thousands of electronic transactions. One growing scenario: using virtual credit cards as an alternative to prepaid mobile cards; they could be funded with a scammed bank account – with instant transaction – and used as a foundation of a PayPal account that would be laundered through a micro-laundering scheme.

Laundering Money Online: a review of cybercriminals’ methods

Millions of transactions take place over the internet each day, and criminal organizations are taking advantage of this fact to launder illegally acquired funds through covert, anonymous online transactions. The more robust and complex the various online marketplaces become the more untraceable methods criminals are finding to pass ‘dirty’ money into online accounts and pull ‘clean’ money out of others. The anonymous nature of the internet and the ever evolving technologies available allow numerous opportunities for online money laundering operations to take place. Many of these methods involve using a ruse to pull unsuspecting participants into their money laundering schemes, often with serious financial and legal consequences for victims. The best way for law abiding citizens to avoid becoming complicit in such illegal activities is to stay informed as to the methods criminals are using to pull them in.

AML Jean loup richet
We all know the oldest ‘physical’ placement methods of money launderers: cash smuggling, casinos and other gambling venues, insurance policies (launderers purchase them and then redeem them at a discount, paying fees and penalties but receiving a clean check from the insurance company), hawalas / fe chi’en or the black market peso exchange (informal value transfer system), shell corporations, and so on and so forth. But there is also a number of online money laundering schemes currently being used by criminal enterprises to pass illegally received funds through legitimate accounts, and new ones are popping up all the time. Some of the most widespread schemes are detailed in this article.

Methodology

Ostensibly, conducting quantitative research on underground laundering activity poses an inherent challenge: Bad guys and their banks don’t share information on criminal pursuits. Our approach utilizes an online ethnography, observing large online hacker forums and communities and researching topics related to money laundering on their databases. We used a large variety of keywords, from those linked with payment solutions to those associated with black markets. After a first review, we filtered our data, and discarded irrelevant forum threads. We then analyzed the content of these threads and synthesize our findings into categories that will be explained in following blog posts.

References:

Richet, J.L. (2012). “How to Become a Black Hat Hacker? An Exploratory Study of Barriers to Entry Into Cybercrime.” 17th AIM Symposium.

Richet, J. L. (2013). Laundering Money Online: a review of cybercriminals methods. arXiv preprint arXiv:1310.2368.

***

Download this article: “Laundering Money Online_an Overview”