Transnational Cybercrime

Presentation on the topic "Transnational Cybercrime" (transcript of the slides):

1 Transnational Cybercrime
ISACA 50 YEARS. Transnational Cybercrime: Global Trends. Adrian ACOSTA

2 Crime is changing
From the physical world to cyberspace

3

4 Actors behind the scenes
Online criminals, hacktivists, terrorists, malicious insiders, nation states

5 IoT attacks, DDoS and cryptoassets
CYBERCRIME TRENDS: bank robbery and BEC; ransomware; IoT attacks, DDoS and cryptoassets

6 IoT attacks, DDoS and cryptoassets
CYBERCRIME TRENDS: bank robbery and BEC; ransomware; IoT attacks, DDoS and cryptoassets

7 Traditional armed robbery: conventional bank robbery

8 Bank robbery statistics
In 1992: 847 cases. In 2016: 75 cases.

9 Bank robbery statistics
In 1992: 115 cases. In 2015: 33 cases.

10 Bank robbery statistics
In 2003: 7,644 cases. In 2016: 4,251 cases.

11 Bank robbery statistics
In total since 2004: 5 cases.

12 Online banking fraud

13 A secure, standardized and reliable network
Cyber bank robbery

14 A secure, standardized and reliable network
Cyber bank robbery

15 Cyber bank robbery
The attack was carried out using the file dimens.exe, which on the day of the attack (9 January 2018) was still a zero-day: there were no prior records of this malware in the signature databases of antivirus or security products. This malware, named TROJ_KILLDISK.IUB, was placed on 9 January 2018, the day of the attack, on 456 computers out of a total of 788 (57% affected) belonging to the banking network of Mexico, 10 minutes before the illegitimate transactions were made. Once in place it executed automatically and forced a reboot, leaving the operating system of the affected machines unusable, so that attention was focused on this incident while the illegitimate transactions to the SWIFT system went unnoticed at the time.

16 A secure, standardized and reliable network
Cyber bank robbery

17 SimSwap

18 SimSwap

19 BEC: Business Email Compromise
Compromising the email account through social engineering, phishing, and the use of unsophisticated malware, for example a keylogger. A criminal network that carries out the plan. Monitoring of the email exchange, or account takeover. Understanding of the business model, activities, relationships, etc. Sending an email to request a transfer of funds, through a compromised email account or a spoofed email. Money transferred through the network of money mules. Payment transferred to the criminal's designated account.

So let's look at the anatomy of a business compromise. The essential element is the criminal actors taking advantage of an established relationship rather than sending out emails at random as per the traditional 419 scams. There are many variations on this, but 'Payment Diversion Fraud' is what appears to be the most common. In this variant, two companies in different countries are usually involved, one as the supplier and the other as the buyer. Another common variant of BEC is 'CEO Fraud', where an account relating to a CEO or senior executive of a company is compromised. Essentially this is a hybrid of both 'pure' cyber crime (an unauthorised access) and fraud. Of course there are still 'pure' frauds going on as well, but the IDCC is not focusing on them. Social engineering is used to get a buyer or employee to change the normal process slightly. Typically we are seeing the case of a seller in India or China and the buyer in a Western country (US, Australia and Europe), with the money transferring through South East Asian banks to China. In every case where we have identified the actors behind these compromises they have turned out to be Nigerians. To give an indication of the money involved in these cases, a typical example of a CEO Fraud was referred to the IDCC by the US FBI last month.

In that case, the CFO of a Norwegian company received an email purportedly from a US law firm representing the CEO of the Norwegian company, instructing him to transfer funds in the amount of US$62 million to two bank accounts in China and Hong Kong, purportedly for an acquisition. Within a couple of days the Norwegian executives realized the emails were fraudulent (sent by unknown criminals instead of the lawyer) and made reports in Norway and the US. They were able to cancel one wire transfer of US$23 million. However, transfers of US$25 million to an account in Hong Kong and US$14 million to an account in China were completed. This became a time-critical situation, needing to stop the funds from further transfers or withdrawals; otherwise, it would be almost impossible to recoup the money. It was at this stage that the IDCC was contacted. Upon learning of the case, IDCC staff immediately contacted the Hong Kong bank's headquarters in Singapore. The bank had their internal Fraud Team in Hong Kong confirm the transfers were invalid and froze the US$25 million in full (on a Saturday night).

20 Business E-mail Compromise
Seller/Trusted Insider. Buyer/Employee. Money Laundering Service. BEC.

So let's look at the anatomy of a business compromise. The essential element is the criminal actors taking advantage of an established relationship to commit a fraud rather than sending out scam emails at random as per the traditional 419 scams. There are many variations on this, but 'Payment Diversion Fraud' is what appears to be the most common. In this variant, two companies in different countries are usually involved, one as the supplier and the other as the buyer. Another common variant of BEC is 'CEO Fraud', where there are 'trusted' emails from a CEO or senior executive of a company asking for things to be done. [Start clicking] A compromise, a very believable fraudulent email to socially engineer someone into transferring money, and a money laundering scheme at the end of the trail. Essentially this is a hybrid of both 'pure' cyber crime (an unauthorised access) and fraud. Of course there are still 'pure' frauds going on as well, but the IDCC is not focusing on them. Typically we are seeing the case of a seller in India or China and the buyer in a Western country (US, Australia and Europe), with the money transferring through South East Asian banks to China, but we have seen many different combinations, even a case involving Afghanistan and Turkey. However, in every case where we have identified the actors behind these compromises they have turned out to be Nigerians. To give an indication of the money involved in these cases, a fairly typical example of a CEO Fraud was referred to the IDCC by the US FBI last month. In that case, the CFO of a Norwegian company received an email purportedly from a US law firm representing the CEO of the Norwegian company, instructing him to transfer funds in the amount of US$62 million to two bank accounts in China and Hong Kong, purportedly for an acquisition.

Within a couple of days the Norwegian executives realized the emails were fraudulent (sent by unknown criminals instead of the lawyer) and made reports in Norway and the US. They were able to cancel one wire transfer of US$23 million. However, transfers of US$25 million to an account in Hong Kong and US$14 million to an account in China were completed. This became a time-critical situation, needing to stop the funds from further transfers or withdrawals; otherwise, it would be almost impossible to recoup the money. It was at this stage that the IDCC was contacted. Upon learning of the case, IDCC staff immediately contacted the Hong Kong bank's headquarters in Singapore. The bank had their internal Fraud Team in Hong Kong confirm the transfers were invalid and froze the US$25 million in full (on a Saturday night).
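The BEC anatomy on slides 19 and 20 comes down to a small number of signals a mail gateway can test for: a trusted executive identity on the From line, a sender domain that is spoofed or a lookalike of the organisation's own, a Reply-To that diverts responses elsewhere, and language asking for funds to move. The following is an added example (not code from the presentation or from the IDCC) of a defender-side triage check that scores one message for those indicators. The organisation domain example-corp.com, the protected executive names, the keyword list and both sample messages are constructed for illustration.

```python
"""Heuristic BEC (Business Email Compromise) triage for one inbound message.

Added example, not code from the presentation. It looks for the indicators
the BEC slides describe: an impersonated executive, a lookalike or external
sender domain, a Reply-To pointing at a different domain, and a request to
move funds. All domains, names and messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data (assumption: the defender knows its own
# domain and the executives most often impersonated in CEO fraud).
ORG_DOMAIN = "example-corp.com"
PROTECTED_NAMES = {"jane doe", "john smith"}  # CEO / CFO display names

# Constructed list of funds-transfer phrases seen in BEC requests.
PAYMENT_TERMS = re.compile(
    r"\b(wire transfer|transfer (the )?funds|bank details|new account|"
    r"urgent payment|acquisition|invoice)\b", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as exarnple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    body = msg.get_payload(decode=False) if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    found = []
    if from_name.strip().lower() in PROTECTED_NAMES and from_dom != ORG_DOMAIN:
        found.append("executive display name sent from an external domain")
    if from_dom != ORG_DOMAIN and 0 < levenshtein(from_dom, ORG_DOMAIN) <= 2:
        found.append(f"lookalike sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if PAYMENT_TERMS.search(text):
        found.append("payment or funds-transfer language")
    return found


def is_suspected_bec(raw_message: str) -> bool:
    """Flag only when a money request coincides with an identity indicator,
    so that routine finance mail from the real domain is not flagged."""
    found = bec_indicators(raw_message)
    money = any(f.startswith("payment") for f in found)
    identity = [f for f in found if not f.startswith("payment")]
    return money and bool(identity)


# Constructed sample messages: one routine internal mail, one CEO-fraud
# attempt using a lookalike domain and a diverted Reply-To.
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board pack for Thursday

Please circulate the agenda.
"""

CEO_FRAUD = """From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: Jane Doe <ceo.office@webmail-example.net>
To: cfo@example-corp.com
Subject: Confidential acquisition

I need you to wire transfer the funds today to the bank details attached.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("ceo-fraud", CEO_FRAUD)):
        print(label, is_suspected_bec(sample), bec_indicators(sample))
```

The legitimate message yields no indicators; the fraud sample trips all four (impersonated executive, lookalike domain at edit distance 2, diverted Reply-To, transfer language). Requiring an identity indicator alongside the money request is what keeps the check from flagging every genuine invoice, which matches the slides' point that the fraud rides on a trusted relationship rather than on the request alone.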

21 BEC: Country A, Country B, Country C, Country D, Country F
Seller/Trusted Insider. Buyer/Employee. Country B, Country A, Country D, Country F, Country C. BEC.

Compounding the ease with which new actors can enter the cyber crime market, the jurisdictional issues for this type of cyber crime are about as bad as they get. This reduces another 'cost' to the criminals, the likelihood of getting caught and getting locked up, and I know professional criminals do assess that cost.

Country A: Compromised Business Partner (a pure cybercrime but no financial loss). Typically there will be no police notification, let alone an investigation, assuming the victim even knows they have been compromised. Certainly no forensic examination to obtain evidence or retrieve the malware.

Country B: Victim of the fraud. This is typically the victim that makes a police report. Beneficiary account number; maybe the IP address of the fraudulent email.

Country C: Destination of funds. Money laundering investigation only. Best result: arrest the money mule and return the deceived funds. Our Hong Kong example shows what can be done. However, it is not really solving the problem, as there are too many money mules and too many transactions. I know some Legats in certain countries could be doing this as a full-time job and not scratch the surface. This is further compounded by the money laundering schemes used, which may actually involve multiple transit countries for the money.

Country D: Source of crime. It is often very difficult to link the fraud reported in Country A to the actor in Country D, and even worse for the original compromise in Country B.

Country E: Evidence of the scam. Evidence held with private service providers.

Country F: Evidence of hacking. The keyloggers we are seeing will often send stolen data to a designated 'drop zone'. Again, evidence held with private service providers.

For Countries E and F there will usually be a need for an MLAT to seize accounts and domains. Who makes the request to them? Now I need to apologise before the next slide. Anyone who hates puns should look away now.

22 IoT attacks, DDoS and cryptoassets
CYBERCRIME TRENDS: bank robbery and BEC; ransomware; IoT attacks, DDoS and cryptoassets

23 Conventional ransom demand
Kidnapping "the traditional way"

24 Ransomware statistics
Ransomware payments: US$24 million (2015) to US$1.5 billion (2018), a 63x increase. Average ransom demanded: US$295 (2015) to US$1,000 (2018), a 3x increase.

25 How ransomware is paid
How do cybercriminals make money? Payment methods by first appearance, 2008 to 2018:
SMS or call to a premium-rate mobile number: generic ransomware, January 2008.
MoneyPak / Ukash / Paysafe: "Police" ransomware, February 2012.
Bitcoin: crypto ransomware, May 2015.
Apple iTunes gift card: Android ransomware, April 2016.
Amazon gift card: "TrueCript" ransomware, April 2016.
Monero: "Kirk" ransomware, March 2017.
Dash: "GandCrab" ransomware, January 2018.

26 IoT DDoS attacks and cryptoassets
CYBERCRIME TRENDS: bank robbery and BEC; ransomware; IoT DDoS attacks and cryptoassets

27 IoT

28 Mirai (IoT malware)
CCTV cameras, TVs, video recorders, routers. There are hundreds of thousands of IoT devices that still use their factory default settings. Mirai logs in with factory default usernames and factory default passwords.

29 DDoS attacks against the banking sector
23 Jan 2017: "Lloyds bank accounts targeted in huge cybercrime attack". Lloyds Banking Group suffered a 48-hour online attack in which cybercriminals attempted to block access to 20 million accounts in the United Kingdom. It is understood that at the time Lloyds was asked to pay a sum in pounds sterling for the attack to be suspended. The bank made no payment to the attackers. The Mirai botnet was used to carry out DDoS attacks against the bank.
Several other major British banks have been hit by service outages: January 2016 (UK), HSBC's internet banking facility; July 2015 (UK), Royal Bank of Scotland's online service.

30 Cryptoassets
Source: https://criptonoticias

31 Cryptoassets 08/12/2019

32 Cryptoassets 08/12/2019

33 Cryptoassets

34 Cryptoassets: sextortion email (text of the scam message shown on the slide)
"Hello. You may not know me and you are probably wondering why you are receiving this email, right? Right now I have hacked your account. I have full access to your device! In fact, I placed malware on the adult video website (pornographic material) and, you know what, you visited this website to have fun (you know what I mean). While you were watching video clips, your Internet browser started working as an RDP (remote desktop) with a keylogger that gave me access to your screen and also to your webcam. Immediately afterwards, my software program gathered all your contacts from your Messenger, social networks and email."

35 Cryptoassets: "What did I do?"
"I made a double-screen video. The first part shows the video you were watching (you have good taste, and sometimes strange), and the second part shows the recording from your webcam. What exactly should you do? Well. I think $250 is a fair price for our little secret. You will make the payment with Bitcoin (if you don't know how, search for 'how to buy bitcoin' on Google). BTC address: 1LK3rTeknewch84FtmvMsXGEnque. (It is case sensitive, so copy and paste it.)"

36 Cryptoassets: "Note: You have 2 days to make the payment."
"(I have a specific pixel in this email message, and right now I know that you have read this email message.) If I do not get the Bitcoins, I will definitely send your video recording to all your contacts, including family, co-workers, etc. However, if you pay, I will destroy the video immediately. If you want proof, reply with 'YES!' and I will send your video recording to 3 of your friends. This is a non-negotiable offer, so do not waste my personal time and yours by replying to this email message. Be careful next time. Goodbye."

37 Cryptoassets

38 Cryptoassets

39 Cryptoassets

40

41 Cryptojacking 08/12/2019
Malware that typically compromises public websites in order to harness the processing power of the site's visitors without their knowledge, and uses that power to mine cryptoassets through mining techniques.

42 II. Crime of the Future

43 Smart Car, Smart Home, Smart City, Smart Nation
A bright future

