Anyway, I'm going to talk to you about evil on the internet. I'm going to talk to you about phishing. I'm going to talk to you about money mule recruitment, the people who move the money for the phishers. I'm going to talk about some things that you may not have seen, like fake auction escrow sites; pharmacy sites, which you've almost certainly seen, which sell Viagra; and then some fake banks, some totally fake banks. In this talk I'm going to show you some real live sites; they may not actually work, because these are bad sites and people are trying to take them down, so they may have taken them down since I checked that they were there at breakfast time this morning. So if everything goes wrong, I apologise; I have some slides for all of these things. There is an entire underground economy: if you can compromise machines, then you can go and use your skills to compromise machines, and then you can go and sell the compromised machines. Alternatively, if you go phishing and you can catch the credentials, then you can go and sell the credentials to people and they will cash them out. Basically what we've now got is a great deal of specialisation, and that is what drove the Industrial Revolution, certainly along with steam power and things like that as well. The specialisation of tasks was very important in terms of making people more efficient. Since the criminals created this specialisation, around 2003 or so, they have been much more efficient as well.
Just to get us all on the same page, what do I mean by phishing? Phishing is the capture of user credentials by impersonating things. If we go and visit another URL on exactly the same domain, there's a Western Union page, and Fifth Third Bank; nobody ever heard of Fifth Third Bank before they started phishing it, but there you are: if you have some Fifth Third Bank credentials and you type them in there, then the criminals will steal your money. How is this actually working? This is one of the most sophisticated phishing gangs out there, which is why I was able to go out and immediately find an example to show you, because these things are ubiquitous; they're sending about two-thirds of all the spam, just this one gang. What they're actually doing is, this domain is in fact resolving to, at the moment, eight or ten different... we'll do an nslookup on this fine thing, that's where it all goes wrong, and we see it's resolving at the moment to six different IP addresses. Those six different IP addresses are part of a botnet, and the Trojans sitting on those IP addresses are merely forwarding HTTP requests to a back-end mothership, which actually contains an Apache server. They're very keen on open source; they're running an Apache server which is serving up all of the pages which we've just looked at. And this is obviously very robust, because if one of those botnet machines goes down, or the owner turns it off, or the owner fixes it, then they can just change what the domain resolves to.
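The nslookup the speaker runs during the demo is the raw form of a standard defensive check: query the name repeatedly and look at how many addresses come back, how widely they are spread across networks, how short the TTL is, and how much the answer set changes between queries. The script below is an added illustration of that check and is not part of the talk or of any of the speaker's tools. The dig-style answer lines, the 10.x "bot" addresses, the /16 prefix as a stand-in for an autonomous-system lookup, and the thresholds in `is_fast_flux` are all constructed assumptions for the example.

```python
"""Fast-flux heuristics over repeated DNS lookups of one name (constructed data)."""
import ipaddress

# Constructed dig-style answer sections for three successive lookups of a
# hypothetical phishing host. The 10.x addresses stand in for bot IPs, and the
# answer set drifts between lookups as bots drop out and are replaced.
FLUX_LOOKUPS = [
    """
fakebank.example.  180 IN A 10.1.0.1
fakebank.example.  180 IN A 10.2.0.1
fakebank.example.  180 IN A 10.3.0.1
fakebank.example.  180 IN A 10.4.0.1
fakebank.example.  180 IN A 10.5.0.1
fakebank.example.  180 IN A 10.6.0.1
""",
    """
fakebank.example.  180 IN A 10.3.0.1
fakebank.example.  180 IN A 10.4.0.1
fakebank.example.  180 IN A 10.5.0.1
fakebank.example.  180 IN A 10.6.0.1
fakebank.example.  180 IN A 10.7.0.1
fakebank.example.  180 IN A 10.8.0.1
""",
    """
fakebank.example.  180 IN A 10.5.0.1
fakebank.example.  180 IN A 10.6.0.1
fakebank.example.  180 IN A 10.7.0.1
fakebank.example.  180 IN A 10.8.0.1
fakebank.example.  180 IN A 10.9.0.1
fakebank.example.  180 IN A 10.10.0.1
""",
]

# Constructed control: an ordinary site with two stable addresses in one /24 and a long TTL.
CONTROL_LOOKUPS = [
    "shop.example.  3600 IN A 192.0.2.10\nshop.example.  3600 IN A 192.0.2.11\n",
    "shop.example.  3600 IN A 192.0.2.10\nshop.example.  3600 IN A 192.0.2.11\n",
]


def parse_answers(dig_output):
    """Parse 'name ttl IN A address' lines into (name, ttl, address); other record types are ignored."""
    records = []
    for line in dig_output.strip().splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "A":
            records.append((parts[0].rstrip("."), int(parts[1]), ipaddress.ip_address(parts[4])))
    return records


def flux_features(lookups):
    """Summarise a sequence of answer lists (successive queries of the same name)."""
    ip_sets = [{ip for _, _, ip in answers} for answers in lookups]
    ttls = [ttl for answers in lookups for _, ttl, _ in answers]
    distinct = set().union(*ip_sets) if ip_sets else set()
    # /16 is an offline stand-in for "different network / different AS" (assumption).
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in distinct}
    # Churn: share of addresses in each answer that were absent from the previous answer.
    new = sum(len(ip_sets[i] - ip_sets[i - 1]) for i in range(1, len(ip_sets)))
    total = sum(len(s) for s in ip_sets[1:])
    return {
        "distinct_ips": len(distinct),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(ttls) if ttls else None,
        "churn": new / total if total else 0.0,
    }


def is_fast_flux(features, min_ips=5, min_prefixes=3, max_ttl=600):
    """Thresholds are illustrative assumptions, not a published standard."""
    return (features["distinct_ips"] >= min_ips
            and features["distinct_prefixes"] >= min_prefixes
            and features["min_ttl"] is not None and features["min_ttl"] <= max_ttl)


def assess(lookup_texts):
    """Parse a series of lookups and return the feature dict plus a fast_flux verdict."""
    feats = flux_features([parse_answers(text) for text in lookup_texts])
    feats["fast_flux"] = is_fast_flux(feats)
    return feats


if __name__ == "__main__":
    for label, lookups in (("fakebank.example", FLUX_LOOKUPS), ("shop.example", CONTROL_LOOKUPS)):
        print(label, assess(lookups))
```

A single lookup is not enough to call a name fast-flux: a content delivery network also returns several addresses. The combination the code scores, many addresses in many unrelated networks, a TTL of minutes, and a set that keeps changing, is what separates a bot front-end from a CDN, and the control record shows the quiet case.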
As a result of which, the only way of dealing with this particular phishing site, if you're Fifth Third Bank and you'd like this site removed, is that you have to get the domain name suspended, which is why they were using a .cz domain name, because I suspect that the registrar they bought the thing from didn't actually know what to do when Fifth Third Bank came knocking at their door saying, hey, you must suspend this domain name, it's bad. So, going back: now I've shown you phishing. If you go back to 2003, much of the phishing was done using domain names which were meant to confuse, so you'd spell Barclays with two Ls or something like that, so that it looked like Barclays if you read it quickly, but it wasn't really Barclays; that's very unusual just at the moment. About three quarters of all phishing sites by volume are insecure end-user machines which have been hacked into, insecure web servers which have been hacked into because people haven't kept their copy of Joomla or something like that up to date, as a result of which there are security vulnerabilities, as a result of which the bad guys can break in and put extra pages onto a perfectly legitimate web server. About 17% of all of the sites are just stuck on free web hosting, where all you have to do is turn up and hand over an email address and you can have a web presence; these people turn up and hand over an email address, they have a web presence, and they put up phishing pages for eBay or PayPal or whoever it may be. And then they send out lots of spam pointing at those things. But the specialist attackers, who as I say are doing most of the action in terms of how much spam is sent, and who we think are stealing most of the money, are using these fancy things like fast-flux botnet systems. So, I don't really want to go into this, but basically the way in which their URLs work is that they tend to have something to make the URL unusual and different, so it will get through spam filters.
Then you have the name of the bank, which is very important, because if you don't have the name of the bank, why would anybody believe that it really was Fifth Third or whatever. And then you have whatever domain name they're using today, and then the bit at the end which decides whether or not this is going to be a Fifth Third phish or a Visa phish or a Western Union phish or whatever it may be. When we look at the takedown times: because I'm really an academic, what we've been doing for about three years now is studying phishing, and one of the things we've been looking at is how long the websites last for. Right, because if the websites last for a long time there's the potential for doing a lot of damage. If the websites don't last for a very long time, then when you finally get around to opening your email and you see this really convincing email that says your bank account is about to be suspended if you don't click in and hand over your credentials immediately, if the website's been taken down then it doesn't matter if you click on that, because the website's disappeared. So how long the websites stay up for is a measure of how much damage they do. One of the interesting things we found when we looked at how long the websites stayed up for, and this is going back almost two years now, is that the data we had showed that phishing websites were on average taken down in about four hours. Right: a mean of four hours and a median of zero. The median of zero means that over half of the sites were removed before we had a chance to measure what their lifetime was; they were coming down that fast. But the sites were only taken down that fast when the brand owner, the bank or PayPal or eBay or whoever it was who was being phished, was aware of the websites. If they weren't aware of the websites, then the sites had a lifetime of about four days, because the bank didn't try to get them removed.
In fact it's still a bit of a puzzle to us why the websites which the bank doesn't know about ever get removed at all. We think what it is is just members of the general public turning up and pointing out to the ISP or the website owner that they have a phishing page, and therefore they remove the page and the bank never actually learns that the page existed. Now you might wonder how we know about the sites existing if the bank doesn't know about them. The answer to that is that we get the data from, by now, several takedown companies, people who collect lists of phishing websites, and if one of their customers, Barclays or eBay or whoever it is, is on that list of things then they take the websites down, and they also give the data to us. But if one of those companies sees a Barclays website and Barclays is not their customer, then they just make a note of it and tell us, but they don't actually do anything about it, and they certainly don't tell Barclays, because they're competing on how much information they know. So when we measured all of this we found that there was this huge disparity between the four hours when they knew about it and the four days when they didn't. And we said, because we're naive academics, we said, wouldn't it be a good idea if you were to share information with each other, because then the websites would get taken down faster. And they said, wouldn't it be a good idea if Barclays were to come along and buy a service from all of us. This is data from a long time ago now, this is three-year-old data, which basically shows how long websites stay up for on free web hosting. And you'll see that Yahoo is doing really rather better there. And the reason Yahoo is doing rather better is that as soon as you tell Yahoo about one of these sites they take it down in 20 minutes. And why does it say a median of 6.9 hours? That's because that includes all the sites which nobody goes and tells Yahoo about.
But one of the things we found when we looked at all of this, and at some of these very large numbers for how long things took to come down, is an effect which we call the gaining of clue. If we look at all of the websites from the spring of 2007 on alis.it, which is a free web hosting company in Italy, then you'll see that over on the left hand side, the sites which turned up in early May, all of those sites last for 500 hours. And all the sites which turned up, say, on the 1st of May lasted for about 100 hours. Then after that the time gets less. Now what's actually happened is that, in fact, all the way through the end of April, alis.it got all of these reports about phishing websites and they didn't do anything at all. They left them all up, which is why you get that kind of straight line in terms of how long they're staying up for. And about the 1st of May, so many people had shouted at them, you must remove these websites, they are doing damage, it is very important that you take these websites down, that they suddenly removed all of the websites, all on the same day. And then thereafter, as soon as the websites were reported, they took them down. And that's why you get a graph looking like that. Now the really interesting thing about this is that this shape you can find in all sorts of other places as well. These are two registrars, one handling .hk domains and one handling Chinese domains. And you'll see exactly the same pattern, which is that at the beginning of the graph they have phishing sites. They don't know what to do, so they leave them all up. So the earlier they turn up, the longer the lifetime. And then suddenly they gain some clue and they take them all down. And after that they're a little bit more efficient in terms of removing websites. Now, having talked about phishing, one of the difficult things about phishing is actually making any money at it.
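The lifetime statistics in the last three paragraphs (a mean of hours with a median of zero, the four-hours-versus-four-days split, and the "gaining of clue" signature of a host that removes a backlog all on one day) depend on how censored observations are handled. The script below is an added example of that bookkeeping; it is not the speaker's measurement code and its feed is constructed. The record fields, the rule that a site already gone at the first probe counts as lifetime zero, the study-end cut-off for sites still up, and the `min_sites` threshold for a mass takedown day are all assumptions made for the illustration.

```python
"""Phishing-site lifetime statistics from a takedown feed (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


@dataclass
class SiteRecord:
    url: str
    reported: datetime           # when the feed first listed the URL
    removed: Optional[datetime]  # first probe at which it was gone; None = still up at study end
    seen_up: bool                # False = already gone at our first probe (lifetime counts as 0)
    brand_notified: bool         # did the phished brand (or its takedown company) know about it?


def lifetime_hours(rec, study_end):
    """Hours from report to observed removal. Still-up sites are right-censored at study_end,
    so the mean is a lower bound; already-gone sites are what push the median to zero."""
    if not rec.seen_up:
        return 0.0
    end = rec.removed if rec.removed is not None else study_end
    return (end - rec.reported).total_seconds() / 3600.0


def summarise(records, study_end):
    """Mean and median lifetime, split by whether the brand knew about the site."""
    out = {}
    for label, flag in (("notified", True), ("not_notified", False)):
        group = [r for r in records if r.brand_notified == flag]
        hours = [lifetime_hours(r, study_end) for r in group]
        out[label] = {
            "n": len(group),
            "mean_h": round(mean(hours), 1),
            "median_h": round(median(hours), 1),
            "still_up": sum(1 for r in group if r.seen_up and r.removed is None),
        }
    return out


def mass_takedown_days(records, min_sites=3):
    """Days on which at least min_sites sites, each reported on an earlier day, were removed:
    the signature of a host that ignored reports for weeks and then gained clue."""
    by_day = {}
    for r in records:
        if r.removed is not None and r.removed.date() > r.reported.date():
            by_day.setdefault(r.removed.date(), set()).add(r.url)
    return sorted(day for day, urls in by_day.items() if len(urls) >= min_sites)


def lifetime_by_report_day(records, study_end):
    """(report day, lifetime) pairs in report order; a straight descending run means
    everything reported before some date came down together on that date."""
    ordered = sorted(records, key=lambda r: r.reported)
    return [(r.reported.date().isoformat(), round(lifetime_hours(r, study_end), 1)) for r in ordered]


# Constructed feed: five sites the brand knew about, three it did not. Hostnames are placeholders.
STUDY_END = datetime(2008, 4, 8, 8, 0)
SAMPLE_FEED = [
    SiteRecord("http://badhost-1.example/ebay/", datetime(2008, 4, 1, 8, 0), datetime(2008, 4, 1, 8, 30), False, True),
    SiteRecord("http://badhost-2.example/paypal/", datetime(2008, 4, 1, 9, 0), datetime(2008, 4, 1, 9, 40), False, True),
    SiteRecord("http://badhost-3.example/bank/", datetime(2008, 4, 1, 10, 0), datetime(2008, 4, 1, 16, 0), True, True),
    SiteRecord("http://badhost-4.example/bank/", datetime(2008, 4, 2, 10, 0), datetime(2008, 4, 2, 20, 0), True, True),
    SiteRecord("http://badhost-5.example/ebay/", datetime(2008, 4, 2, 12, 0), datetime(2008, 4, 2, 12, 45), False, True),
    SiteRecord("http://badhost-6.example/bank/", datetime(2008, 4, 1, 8, 0), datetime(2008, 4, 4, 8, 0), True, False),
    SiteRecord("http://badhost-7.example/bank/", datetime(2008, 4, 2, 8, 0), datetime(2008, 4, 7, 8, 0), True, False),
    SiteRecord("http://badhost-8.example/bank/", datetime(2008, 4, 3, 8, 0), None, True, False),
]

# Constructed feed for one free-hosting provider: a backlog removed together on 1 May,
# then prompt removals afterwards.
HOST_STUDY_END = datetime(2007, 5, 10, 0, 0)
HOST_FEED = [
    SiteRecord("http://user1.freehost.example/paypal/", datetime(2007, 4, 20, 10, 0), datetime(2007, 5, 1, 12, 0), True, False),
    SiteRecord("http://user2.freehost.example/ebay/", datetime(2007, 4, 24, 10, 0), datetime(2007, 5, 1, 12, 0), True, False),
    SiteRecord("http://user3.freehost.example/bank/", datetime(2007, 4, 28, 10, 0), datetime(2007, 5, 1, 12, 0), True, False),
    SiteRecord("http://user4.freehost.example/bank/", datetime(2007, 5, 3, 10, 0), datetime(2007, 5, 3, 14, 0), True, False),
    SiteRecord("http://user5.freehost.example/paypal/", datetime(2007, 5, 5, 10, 0), datetime(2007, 5, 5, 13, 0), True, False),
]

if __name__ == "__main__":
    print(summarise(SAMPLE_FEED, STUDY_END))
    print("mass takedown days:", mass_takedown_days(HOST_FEED))
    print(lifetime_by_report_day(HOST_FEED, HOST_STUDY_END))
```

Two points the numbers make that the prose only states: a median of zero is a property of the measurement (most sites were gone before the first probe), not evidence that half the sites never existed; and a still-up site must be counted at the study cut-off rather than dropped, otherwise the "not notified" mean looks better than it is.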
You shouldn't be surprised that some things are more difficult than others, because think about other crimes, like, say, kidnap. Kidnap is a really easy crime in terms of: you go along outside the nightclub at two o'clock in the morning, you grab the heiress when she comes out of the nightclub, you bundle her into the back of the car, you drive her off to the remote farmhouse and you put a blindfold on and make sure she doesn't know where she is. If you're really keen you can cut off her ear or something in order to send it off. All of that is remarkably easy. What's really difficult about kidnap is that you have to communicate with the family several times, backwards and forwards, and then you have to arrange that they go and put a suitcase full of money somewhere and leave it, and you have to go and pick up the money, and then you'll get caught. So the really difficult thing about kidnap is not the first bit, it's getting the money, and the same thing is true of phishing. Getting credentials with phishing is really, really easy. You just have to break into a website. You have to send out some spam saying your bank account is about to be closed down, please come and fill in your password here, and people do. So what's the problem with phishing? The problem is getting the money. So this is a real-life website for getting the money. When it comes up, I hope, it's still there. Excellent. And this website is about a company who does outsourcing. It doesn't really matter what they do, but the important thing is that if we have a look at this, they've got some jobs. And they probably sent you some spam about these jobs. Work at home, they said. Are you going to come and talk to me? Excellent. Right. And they have all these really cute jobs. They've got an HR training owner; that's not available at the moment. They've got system administrators; I'm sorry, they haven't got any of those jobs available.
What they do have available is a payment processing assistant. Hot, hot, it said. And what do you have to do? Sorry, it's only for people from the USA and Canada, so not all of you will be able to reply. But it's a really great job. You have to have internet access, be available on the phone, have a bank account, no criminal offences; we don't want bad people. What you do, and it's really easy, is money is moved into your bank account and then you send it off to Millennium Group, whatever, by Western Union. What's not to like? A couple of hours a day, you have to answer the phone; they may be checking the money's turned up in your bank account and so forth. They'll give you some training about how to find the Western Union office and all the really difficult things in all of this. And it's a really great job. And what's more, they're paying 8%; they're paying a monthly salary of $2,300, really not a lot, but it's only a couple of hours a day, and you get 8% on all the money they move through your account. Excellent. Now, of course, what happens in reality is this money is not coming from their clients who are doing outsourcing, which is what they're trying to tell you. This money is coming from compromised bank accounts. And when the money comes from compromised bank accounts, it comes into your bank account, you then go and move the money to Western Union, and eventually the money will be moved out of your bank account again by your bank, who has realised that it has been stolen and therefore will just undo it. So your bank account will now be extremely negative. Well, that's all right, you can go down to Western Union and ask for your money back, and they will laugh a lot. They'll point to the thing on the wall that says, never send money over Western Union to anybody you don't know really, really well. And you will say, I know these people really, really well, because they're my employer.
And I have a signed contract of employment to show that they have employed me. And Western Union will laugh even harder. So anyway, Millennium Group. One of the things you might be interested in about the Millennium Group is where they are. And they're based at 109 Livingston Street in Brooklyn, on the 7th floor. So, fortunately, Mr Google, when he comes up, here we go, right at the beginning, Mr Google allows us to have a look at 109. You know, this is not a live webcam, you understand, this is a photo he took earlier. Oh, there we go. There's Livingston Street. I'm here to tell you that that building there is number 111 Livingston Street. And this building here is number 85 Livingston Street. So 109, the 7th floor, is somewhere in that bit of thin air. Now, one of the things you can do with these people right now, the Millennium Group, the reason I picked them is that this site's been up for a little while. But these sites don't last forever, because various people take them down. But this is the management team of Millennium Group. And in particular the chief executive, I really like him, because he's a postgraduate of the Higher Educational Institute of England. University of England, well-known place. This gentleman was a commercial director, personnel manager of a large corporation engaged in electronics production. So we'll just copy that, and we'll go off to Google, and we'll type in this fine string, and we'll see if we get a number of hits on this. Many of these pages... no, it gets better, because Google has realised many of these pages are all the same. If we put in all the pages which were not all the same, this gentleman has been on the board of 120 different sites, because they've just been doing cookie cutter, rolling this stuff out. I'm sure they use version control for this stuff. So, basically, that's been a money mule site. We'll just go back to the talk which I'm supposed to be doing over here. There's that: payment processing, et cetera.
Basically, one of the interesting things about these sites is they get taken down very slowly. This is some data from about three years ago, but it's very much the same today. And you'll see that back in those days they didn't set up a new... they basically used to set up multiple websites for the same company rather than inventing a new company each time, which is obviously easier. They've obviously improved the tools in order to be able to make a new company every time. But if you look at that, you'll see that those times are considerably longer than four hours, and they're considerably longer than four days as well. What's going on here is that these money mule recruitment sites attack all of the banks, not just one bank. And therefore, since they're attacking everybody, it's no particular one bank's problem to get these sites removed. And therefore they all leave it to somebody else to get the sites removed, and they don't worry about it. So the only people who are taking these down are basically activist groups like AA419 and people like that, who basically spend their evenings doing nothing else but sending off emails to the hosting companies of these websites saying, please, will you remove this? It's a scam, and we think that it should be removed. So the banks, the professionals who can take down sites in four hours, just aren't tackling these ones at all, and they're very slow. Okay, here's a different scam. Let's just get rid of that. This is a company called GTS Global. And the reason you'll come across GTS Global is if you go and buy a car, or perhaps a motorbike, on an auction site, and you're lucky enough to win the auction, and the next thing you know is that the person selling you the car sends you an email, and the email says, well, not to be terribly rude to you, but I don't entirely trust you.
So what I've done is I've given my car to an escrow company, and you give the money to the escrow company, and then the escrow company will arrange to release the car to you and they will release the money to me. Okay, so we both trust the escrow company in order that we don't have to trust each other on the car and the money. And in particular, you'll be really pleased to hear that this escrow company not only does escrow, but they also do transportation as well. In fact, they're major transportation people. So in fact the car will be delivered to outside your front door. This is a great new thing. So off you go and you pay them some money. That's it, that's the end of the story. You just pay them some money. So this is a... so basically, a big, great thing, so you can fill in the money here and you send them off the money, and they actually have some tracking, so that you don't realise that you might be able to undo the money transfer if you're really quick; they have some tracking so that you'll be able to see where your car's been moved to and so forth, and they'll give you a serial number so you can see where it's gone to and so forth. So it's really quite impressive. It's great. Now, where is... they're one of the largest shipping lines in the world. It says here, one of the leading global shipping lines in the world, and they're based at 13645 Oldton Parkway. So we'll do a little search for that. I will show you the street view for this, but it's rather unconvincing, because the buildings in this part of Irvine are set back a fair bit from the road, so it's really difficult to tell whether or not it actually says "we are one of the biggest global shipping lines in the world" here. However, you'll be pleased to see there is actually a trucking service at this address, and they are the guys who run it. Now, let's be really clear. Those are perfectly normal Americans. There's nothing wrong with them at all. They just happen to have had their address stolen.
It's not that those two guys are pretending to be a global shipping line. It's just that they were unlucky enough to be at the same address which the criminals decided to use. Again, if we go off to the page, then we can find the string which says that they are the most trusted escrow service on the internet. Copy that. You're ahead of me, aren't you? 231 people are the most trusted. In fact, one of the hits there is for AA419, because it's a scam. The top hit is actually for escrow.com, who really are an escrow company, but they don't do deliveries. Only the bad ones do deliveries as well as doing escrow. In particular, if we go back and we find another phrase from down here, which is "we protect both the..." This is a phrase from the front page of escrow.com, and what I showed you before was all of the 231 which came from that particular gang, because there are a lot of different gangs doing this particular thing, but they all have copied escrow.com's simple five-step trust process, which is why we get a hit of about 615. Obviously Google keeps on indexing pages, but eventually the sites die, so 615 is how many sites out there today are still alive. This is a rather popular thing, and the reason it's popular is because for not very much effort, all you have to do is list a car on an auction site, send off a couple of emails, and you'll make 8-10,000 euros. Great, isn't it? So if we go off to the real escrow.com, you'll notice the real escrow.com has spent all the money on getting one of these green certificates up the top, and you'll find the nice... Where's it gone? I'm not on the top page, for the reason... Let's go back to... Right up the top you'll see that this is where the... So escrow.com are the people who have the five-step trust process, and escrow.com you can trust. Okay, so... back to the talk. Escrow.com: lots and lots of them. Their lifetime is fairly high.
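Both the money mule demo (the chief executive's biography on 120 boards) and the escrow demo (231 sites "most trusted", 615 with the copied five-step text) rely on the same observation: cookie-cutter scam sites share verbatim boilerplate, so a distinctive phrase is a fingerprint for the whole batch. The script below is an added example of doing that offline over a small set of page texts rather than through a search engine; it is not the speaker's tooling. The four page bodies are constructed, the shared sentence in them is invented for the example, and the shingle length `n=8` is an arbitrary choice.

```python
"""Find boilerplate shared across cookie-cutter pages with word n-gram shingles (constructed data)."""
import re
from collections import defaultdict

# Constructed page texts: three clones of one template plus one unrelated page.
# The escrow sentence is invented for the example and quotes no real site.
SAMPLE_PAGES = {
    "clone-a": ("Welcome to Alpha Escrow Services. We are the most trusted escrow service on the "
                "internet and we protect both buyer and seller. Vehicles are delivered by our own "
                "transport fleet within five days."),
    "clone-b": ("Beta Secure Escrow Ltd was founded to make online car purchases safe. We are the "
                "most trusted escrow service on the internet and we protect both buyer and seller. "
                "Track your shipment with the tracking number we send you."),
    "clone-c": ("Gamma Escrow and Shipping Corporation. We are the most trusted escrow service on "
                "the internet and we protect both buyer and seller. Payment is accepted by wire "
                "transfer only."),
    "unrelated": ("Delta Motors sells used cars from our showroom in Leeds. Visit us for a test "
                  "drive and a cup of tea. We do not offer escrow or delivery services."),
}


def tokens(text):
    """Lower-case word tokens; punctuation and case differences do not break a match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_index(pages, n=8):
    """Map each word n-gram to the set of page names that contain it."""
    index = defaultdict(set)
    for name, text in pages.items():
        words = tokens(text)
        for i in range(len(words) - n + 1):
            index[tuple(words[i:i + n])].add(name)
    return index


def shared_phrases(pages, n=8, min_pages=2):
    """Maximal runs of shingles present in at least min_pages pages, as
    {phrase: sorted page names}. Runs of consecutive shared shingles are merged
    so the output is the whole copied sentence, not ten overlapping fragments."""
    index = shingle_index(pages, n)
    found = {}
    for name, text in pages.items():
        words = tokens(text)
        run_start = None
        for i in range(len(words) - n + 2):  # one past the last shingle, to flush the final run
            shared = i <= len(words) - n and len(index[tuple(words[i:i + n])]) >= min_pages
            if shared and run_start is None:
                run_start = i
            elif not shared and run_start is not None:
                phrase = " ".join(words[run_start:i - 1 + n])
                owners = set.intersection(*(index[tuple(words[j:j + n])] for j in range(run_start, i)))
                found.setdefault(phrase, sorted(owners))
                run_start = None
    return found


def find_clones(pages, phrase):
    """Pages whose normalised text contains the normalised phrase: the offline
    equivalent of pasting a distinctive sentence into a search engine."""
    needle = " ".join(tokens(phrase))
    return sorted(name for name, text in pages.items() if needle in " ".join(tokens(text)))


if __name__ == "__main__":
    for phrase, owners in shared_phrases(SAMPLE_PAGES).items():
        print(len(owners), "pages share:", phrase)
    print(find_clones(SAMPLE_PAGES, "most trusted escrow service on the internet"))
```

The search-engine version of this check finds sites you have not crawled; the offline version is what you run over pages you already hold, for example the ones a takedown feed has sent you, to group them by template before reporting them to the hosting company in one batch.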
One of the interesting things is that when we actually looked at this a few years ago, we took some of these well-known phrases and saw how many sites Google could find and how many sites the vigilantes actually knew about, and basically only for about a quarter or so of the sites was any attempt being made to take them down. I haven't done that figure lately. It's possible that figure has improved. Right. If you had too much beer last night, then possibly you'll be interested in a pharmacy site. They will sell you all sorts of useful things for dealing with your hangovers, or the side effects thereof. Excellent, it's still there. This is good old Canadian Pharmacy, which has been around for ages and ages and ages. The interesting thing about Canadian Pharmacy is that it's run on an affiliate system. So basically the pharmacy does all the hard work of supplying the pills and that sort of thing. And any entrepreneur who wishes can send out spam, and what they do is they put into the spam their own unique domain names, or whatever it may be, and arrange for that domain name to be forwarded back to the main system where the real criminals operate the pharmacy. And that's why pharmacy spam is so prevalent, and why so much of it gets through your spam filters. Because if you have a really good way of getting email through spam filters, then this is what to do: send out email spam for Viagra, because people will actually go and buy Viagra off the internet. And these guys will do all of the hard work of sending out the blue pills and taking the money and so forth, and then they will give you a cut. And what this means is that almost all of the innovations we've seen in the sending of spam and getting through spam filters over the last five years or so have all started off with pharmacy. So these people are driving innovation in this space. And you can buy all sorts of really cute stuff from here.
Now, what I used to do... in fact they have changed, because I'm going to have to go and show you an older page. Or just show you quickly: Google has about 53,500 hits for the stuff down the menu on the left hand side; if you go and look for those, then you get a very large number of hits. Some of these hits are for blog spam, some of them are for other material, but most of those are just lots of domains which are forwarding to this thing. If we go and look at a rather older one, down the bottom of this one we can find some nice seals. In particular we can click on here, and we'll get a little pop-up which shows that this is a genuine site. Now, you may spot the fact that it's actually been served from the site where I clicked on it, and if I click on the VeriSign one, this also comes from the same site, but it is secure, but unfortunately it's expired. In fact I think this site is just left lying around, because the current sites don't have those seals on at all, and we have to rewrite the talks then. I'm running out of time a bit, so there's a whole lot of stuff to do with penis enlargements, but nobody here needs that anyway. But you might like an iPhone. Here's a nice shopping site, and they're offering you an iPhone for 108 euros, saving you 172 euros. That's good, isn't it? I'm here to tell you, if you go off to Google, the best prices they can find for iPhones: that one was used, a new one is $540. 108 euros is a bargain. Why is it a bargain? Well, it's a bargain because if we go and pay for it, so we'll add it to the cart, it's great, off we go, so we're going to check out, check out non-registered, there we go, 108, I'd get a free gift if I wanted, here's all the detail, and I'm going to pay. How am I going to pay?
Good old Western Union. They do offer PayPal, so you have to swap email with them first, and I suspect that when you swap email with them you will find that they don't actually offer PayPal. Or you can use MoneyGram, which is much the same as Western Union: you go down there, you hand over your money and that's it. Or you can do a bank transfer into their bank at the Bank of China, and good luck getting the money back from that. So this is really good. However, of course, you wouldn't go and buy something from a site like this without checking it out first, so we'll go off to SiteAdvisor, run by Mr McAfee, and he's got a green tick. Why has he got a green tick? He's got a green tick basically because McAfee understands about drive-by downloads of malware; McAfee doesn't understand about whether or not this is a good place to hand your money over. However, the technical people who built this fantastic site, which says it's all right, there's no malware here, can't communicate with their marketing people, who insist on saying that this green tick means that it's safe to shop there. This is a kind of disconnect with the marketing people, so it's not really safe at all. This one, which is a previous incarnation of exactly the same site a few years ago, still has a green tick, but you'll notice right down the bottom, because I've blogged about all of this, various people turned up and shouted at McAfee, and it now has a couple of little red things which basically say, hey, look, it's listed at AA419 as a scam site, right, which basically is a really bad sign about this. However, it still has a green tick. If you go and Google search on it, you can find this page. This is in Dutch, but Google told me what it said. It says, I'm thinking of spending some money at this site, is it a good idea? And the man at the bottom says, no, I'm from Italy, I gave them some money and I haven't got it back yet, it's a scam, he says, do not send money. The Italian police are helping him out, so that will be all right. Okay.
I've got five minutes left. I'm going to be able to show you one more thing, which is a bank. This is great, this is a bank: Flemings Merchant Bank. There used to be a Robert Fleming merchant bank until 2000, when it ran into a bit of trouble and got bought by Chase, and they haven't reused the name, but the bad guys have reused the name, and you can do online banking through this bank. By the way, do you see all this really cute stuff on the... I hope it's coming across. They have nothing better to do than design really cool websites, and you should employ them. So you can sign up and so forth, but why would you want to sign up for this bank? All right, here are the contacts for the bank, which will show that it's based in Glasgow. All right, so off we go to Google. Google will show you the street view; actually I've cheated on that, in fact number 11 is over on the other side of the road, but it doesn't say Flemings Merchant Bank anywhere there at all, because of course there's no relationship between this and Flemings. But why would you want to have a bank? Well, supposing that you were helping an African dictator move all of his money, it might be useful for you to be able to go and do a login to see the account which contained all the money. Also, if you've won the Canadian lottery, and many people here have won the Canadian lottery, one of the things you'd find is that the people at the Canadian lottery have very helpfully taken your money and put it in a high interest-bearing account, so that when you get the money it wasn't all being wasted, it's been earning interest all the time. But unfortunately, when you go and look at your money in the merchant bank where they put it, you'll discover that you owe them 500 euros for opening the account, and under the bank's obscure rules, and they're very sorry about this, you can't actually pay for it from the money in your account; you'll have to send them some money from elsewhere. Which is how they make money on the lottery. So...
They're waving at me and saying that I'm running out of time, so I will finish by showing you this one, because I think it's just so fantastic. Right, this is a high yield investment programme, and they offer you a 110% return after one day. No wonder the banks make money if they're only giving you half a percent a year, if they can make money at this rate. Now, the really fun thing about these things is that the people who take part in them know that they are a scam, because what they do is a Ponzi scheme: they take in money today and they pay you the interest owed on what you deposited yesterday, on the basis that they're taking today's money and using it to pay off yesterday, and so forth. So provided you've got new people turning up and putting in money, then the people at the beginning make a profit, and therefore, if you know it's a Ponzi scheme, there are people, there are lots and lots of sites, which will tell you about all of these schemes, which ones are new, which ones are still paying out and so forth, so you can invest your money wisely in the Ponzi schemes which are still in the process of taking off, so that you can make some money. I'm a little cynical about this; I think the only person who's really making money out of this is this guy who's written a book about it, and he says the first thing you must do is admit to yourself it's a Ponzi scheme, and after that try and make some money. So I think I've plugged his book for long enough. I'll take that off and say that, since I've run out of time, I will skip a lot of the rest of it. I'll offer my apologies and we'll go down to the end, where you will see the link to our blog, where we put all the cool stuff we do, and to my publications page. Thank you very much. I will take questions if people have them.