6. 6
McAfee, 2014: We estimate that the likely
annual cost to the global economy
from cybercrime is more than $400
billion.
InfoSec Institute 2013: Nearly 80% of
cybercrime acts are estimated to originate
in some form of organized activity. The
diffusion of the model of fraud-as-service
and the diversification of the offerings of
the underground market is also attracting
new actors with modest skills.
In 2011, Russian-speaking hackers alone
took in roughly $4.5 billion from cybercrime.
7. 7
Imagine:
Cyber-attack as a business
“As a company, I want to hire a hacker. How do I do that?”
14. 14
Levels: Deep Web
• Level 1: The conventional web (indexed by Google, Bing and others). Only a browser is needed.
• Level 2: Content removed by search engines,
e.g. movies, books, music, videos. Only a browser is needed.
• Level 3: Non-public sites where you need an "invitation" to get in and
reach the exclusive content. A browser and an account are needed.
• Level 4: The real "Deep Web". A special browser is needed.
Decentralized traffic. "The Hidden Wiki".
• Level 5: A special browser and accounts are needed.
Purchase of weapons, drugs, hacker services.
• Level 6: Unknown: government networks, fully restricted.
15. 15
500 x the Google index
People are literally shocked when they come to understand the existence of the Deep Web:
a network of interconnected systems that are not indexed, with a size hundreds of times
larger than the current web, around 500 times.
16. 16
• Dynamic content: dynamic pages which are returned in response to a submitted query or accessed only through a form, especially if open-domain
input elements (such as text fields) are used; such fields are hard to navigate without domain knowledge.
• Unlinked content: pages which are not linked to by other pages, which may prevent Web crawling programs from accessing the content.
This content is referred to as pages without backlinks (or inlinks).
• Private Web: sites that require registration and login (password-protected resources).
• Contextual Web: pages with content varying for different access contexts (e.g., ranges of client IP addresses or previous navigation
sequence).
• Limited access content: sites that limit access to their pages in a technical way (e.g., using the Robots Exclusion Standard, CAPTCHAs, or
no-cache Pragma HTTP headers which prohibit search engines from browsing them and creating cached copies).
• Scripted content: pages that are only accessible through links produced by JavaScript as well as content dynamically downloaded from Web
servers via Flash or Ajax solutions.
• Non-HTML/text content: textual content encoded in multimedia (image or video) files or specific file formats not handled by search engines.
• Text content using the Gopher protocol and files hosted on FTP that are not indexed by most search engines. Engines such as
Google do not index pages outside of HTTP or HTTPS.
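The categories above can be read as the checks a crawler effectively applies before a page ends up in a search index. The sketch below is an added example, not part of the original slides; the site, the crawl records and the `found_via` field are constructed assumptions, and only the robots.txt handling uses a real parser (Python's `urllib.robotparser`).

```python
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed sample data for a hypothetical site; nothing here comes from the slides.
ROBOTS_TXT = "User-agent: *\nDisallow: /internal/\n"
# Each record: URL, HTTP status, content type, and how the crawler found the URL
# ("link" = plain hyperlink, "form" = only via a submitted query, None = no inlink).
PAGES = [
    ("http://example.org/index.html", 200, "text/html", "link"),
    ("http://example.org/internal/report.html", 200, "text/html", "link"),
    ("http://example.org/members/forum", 401, "text/html", "link"),
    ("http://example.org/orphan.html", 200, "text/html", None),
    ("http://example.org/search?q=x", 200, "text/html", "form"),
    ("http://example.org/scan.png", 200, "image/png", "link"),
    ("ftp://example.org/pub/notes.txt", 200, "text/plain", "link"),
]

def deep_web_reasons(url, status, content_type, found_via, robots):
    """Return the categories from the list above that keep this page out of an index."""
    if urlparse(url).scheme not in ("http", "https"):
        return ["non-HTTP protocol"]          # Gopher/FTP: never requested at all
    reasons = []
    if not robots.can_fetch("*", url):
        reasons.append("limited access (robots.txt)")
    if status in (401, 403):
        reasons.append("private web (login required)")
    if found_via is None:
        reasons.append("unlinked content")
    elif found_via == "form":
        reasons.append("dynamic content (form query)")
    if not content_type.startswith("text/"):
        reasons.append("non-HTML/text content")
    return reasons

def classify(pages=PAGES, robots_txt=ROBOTS_TXT):
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())     # parsed offline, no network fetch
    return {p[0]: deep_web_reasons(*p, robots) for p in pages}

if __name__ == "__main__":
    for url, reasons in classify().items():
        print(url, "->", reasons or ["indexable (surface web)"])
```

A robots.txt rule only asks well-behaved crawlers to stay away; it hides a page from the index but is not an access control.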
17. 17
Deep Internet / Dark Internet
As often happens, the Tor project was born in the military
sector, sponsored by the US Naval Research
Laboratory, and from 2004 to 2005 it was
supported by the Electronic Frontier Foundation.
A user who browses using Tor is difficult to trace,
which protects their privacy: the data is
encrypted multiple times as it passes through the nodes
of the network (Tor relays), making it untraceable.
22. 22
Professional!!!!
Jan 2014: Blackshades.
The police found that the group was paying
salaries to its staff and had hired a
marketing director to promote its software
to hackers. It even maintained a
customer-support team.
2008 MPack:
a professionally developed toolkit sold in
the underground economy. Attackers deploy
MPack’s collection of software components
to install malicious code on thousands of
computers around the world and then
monitor the success of the attack through
various metrics on its online management
console.
2008: Social networking Web
sites are particularly valuable to
attackers since they provide access
to a large number of people, many
of whom trust the site and its
security.
2011 Zeus: We see multi-staged
attacks which consist of an initial
attack that is not intended to
perform malicious activities
immediately, but that is used to
deploy subsequent attacks.
23. 23
Full Cyber-Crime Service provider
Professional, Architecture, Software Lifecycle.
Industry specialization (logistics, agriculture, manufacturing, financials, etc.)
Chain integration (infra, coding, execution, service, banking, money laundering)
Including:
• Cybercrime has its own social networks
• Escrow services
• Malware can now be licensed and gets tech support
• You can now rent botnets by the hour, for your own crime spree
( BotNet as a Service or BaaS)
• Pay-for-play malware infection services that quickly create botnets (automatic
provisioning)
• Quality testing
• No-cure-no-pay for infections, cards, bank accounts, etc.
25. 25
June 2013: Prices for “Attacks-as-a-Service” :
• Consulting services such as botnet setup, $350-$400
• Infection/spreading services, under $100 per thousand installs
• Botnets and rental: Distributed Denial of Service (DDoS), $535 for 5 hours a day for one
week; email spam, $40 per 20,000 emails; and Web spam, $2 per thirty posts.
• Blackhat Search Engine Optimization (SEO), $80 for 20,000 spammed backlinks.
• Inter-Carrier money exchange and mule services, 25% commission.
• CAPTCHA breaking, $1 per thousand CAPTCHAs, done by recruited humans.
• Crimeware upgrade modules: Using Zeus modules as an example, they range
anywhere from $500 to $10,000.
http://securityaffairs.co/
30. ????????
31
Launch code
Permissive Action Link (PAL), basically
a small device that ensured that the
missile could only be launched with the
right code and with the right authority.
Passcode was 8 characters:
00000000