The Underground Economy and Ecosystem of SMS Based Cybercrime

SLIDE 1

Denis Maslennikov, Senior Malware Analyst, Kaspersky Lab

15.06.2011, 23rd Annual FIRST Conference, Vienna, Austria

The Underground Economy and Ecosystem of SMS Based Cybercrime

SLIDE 2

Agenda

SMS based threats

  • Ransomware
  • SMS Trojans

The ecosystem

Underground economy

Threats round the globe

What should we do?

| June 15, 2011 PAGE 2 | 23rd Annual FIRST Conference

SLIDE 3

Lottery

SLIDE 4

How much have users lost?

SLIDE 5

Ransomware

SLIDE 6

Ransomware

In a nutshell

SLIDE 7

Ransomware

In a nutshell

SLIDE 8

Ransomware

Variety

SLIDE 9

Ransomware

Variety

SLIDE 10

Ransomware

Variety

SLIDE 11

Ransomware

Variety

SLIDE 12

Ransomware

Variety

SLIDE 13

Ransomware

Variety

SLIDE 14

Ransomware

Variety

SLIDE 15

Ransomware

Variety

SLIDE 16

Psychological tricks

  • Legal prosecution threats
  • Data corruption threats
  • Malware infection (!) threats
  • Annoying pop-ups

SLIDE 17

What do they want?

SLIDE 18

Deblocker

SLIDE 19

Deblocker

SLIDE 20

Deblocker service statistics

Launch: January 2010

Current state:

  • More than 5,100,000 unique visitors
  • More than 19,500,000 requests
  • ~60,000 unique visitors per day
  • ~230,000 requests per day


Source: Kaspersky Lab

SLIDE 21

SMS Trojans

SLIDE 22

SMS Trojans

In a nutshell

SLIDE 23

Statistics

Number of modifications per year

  • 2006: 3
  • 2007: 11
  • 2008: 116
  • 2009: 212
  • 2010: 345
  • 2011: 336

Source: Kaspersky Lab

SLIDE 24

Statistics

Platform distribution (pie chart)

Platforms: Symbian, Windows Mobile, Android, J2ME

Segment values: 8%, 5%, 3%, 84%

Source: Kaspersky Lab

SLIDE 25

Primitive: Trojan-SMS.J2ME.Konov

One of the first widespread SMS Trojans:

  • Small (1,5 – 8 kB)
  • No encryption
  • No social engineering tricks

SLIDE 26

Advanced: Trojan-SMS.J2ME.VScreener

‘Faulty’ video player

Must be ‘tuned’ by user

  • Quick left soft key pressing

SMS are sent during ‘tuning’

Premium rate number and SMS text are stored in ‘load.bin’ file

File ‘load.bin’ is encoded with ADD and ‘0xA’ key
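
An added example for analysts, not code from the presentation: undo the ADD/0xA encoding named on this slide and pull readable strings and candidate short codes out of the decoded bytes. It assumes the encoder added the key to each byte, so decoding subtracts it; the slides do not show the internal layout of ‘load.bin’, so the sample blob and its layout are constructed and all function names are hypothetical.

```python
import re

ADD_KEY = 0x0A  # key value named on the slide


def add_decode(blob: bytes, key: int = ADD_KEY) -> bytes:
    """Undo a per-byte ADD encoding: plain = (encoded - key) mod 256.

    Assumption: the encoder added the key, so decoding subtracts it.
    """
    return bytes((b - key) & 0xFF for b in blob)


def add_encode(plain: bytes, key: int = ADD_KEY) -> bytes:
    """Inverse of add_decode; used here only to build the constructed sample."""
    return bytes((b + key) & 0xFF for b in plain)


def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """strings(1)-style extraction: printable ASCII runs of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def short_code_candidates(runs: list[str]) -> list[str]:
    """Runs made only of 3-6 digits: possible premium short codes to review."""
    return [r for r in runs if re.fullmatch(r"\d{3,6}", r)]


def triage(blob: bytes, key: int = ADD_KEY) -> dict:
    """Decode the blob and report strings plus short-code candidates."""
    runs = printable_runs(add_decode(blob, key))
    return {"strings": runs, "short_codes": short_code_candidates(runs)}


# Constructed sample: the length-prefixed layout, the number "0000" and the
# text are invented for this example, not taken from a real 'load.bin'.
SAMPLE_PLAIN = b"\x00\x040000\x00\x0bSAMPLE TEXT"
SAMPLE_BLOB = add_encode(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("raw scan :", short_code_candidates(printable_runs(SAMPLE_BLOB)))
    print("decoded  :", triage(SAMPLE_BLOB))
```

A plain string scan of the encoded file finds no digit runs, which is why the number only becomes visible after the subtraction step.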

SLIDE 27

‘Video player’

Again

SLIDE 28

‘Video player’

Again

SLIDE 29

SEO and mobile malware

SLIDE 30

SEO and mobile malware


Blonde porn download

SLIDE 31

The ecosystem

The root of all evil

SLIDE 32

Trojan-SMS.J2ME.Konov

SLIDE 33

Trojan-SMS.J2ME.Konov

Mobile operator

$10 or $6 per SMS

SLIDE 34

Trojan-SMS.J2ME.Konov

Mobile operator

Content provider 4460 5537

SLIDE 35

Trojan-SMS.J2ME.Konov

Mobile operator

Content provider 4460 5537

SLIDE 36

Trojan-SMS.J2ME.Konov

  • Mobile operator
  • Content provider 4460 5537
  • Subtenant with ID 1290
  • ‘epbox’ renter
  • ‘epbox’ on 4460 & 5537
  • ‘epbox 1290’ on 4460 & 5537

SLIDE 37

Who are ‘epbox’ and ‘epbox 1290’

  • ‘epbox’ renter
  • ‘epbox 1290’ subtenant

SLIDE 38

Who are ‘epbox’ and ‘epbox 1290’

  • ‘epbox’ renter
  • ‘epbox 1290’ subtenant
  • Affiliate network owner(s)
  • Affiliate A

SLIDE 39

Who are ‘epbox’ and ‘epbox 1290’

  • ‘epbox’ renter
  • ‘epbox 1290’ subtenant
  • Affiliate network owner(s)
  • Affiliate C
  • Affiliate B
  • Affiliate A
  • ‘epbox N’ subtenant
  • ‘epbox M’ subtenant

SLIDE 40

The root of all evil

Affiliate network registration form

SLIDE 41

The root of all evil

Affiliate network registration form

  • Name
  • Email
  • Website URL
  • Website name
  • WMZ and WMR
  • ICQ (optional)

SLIDE 42

The root of all evil

Affiliate network registration form

  • Name
  • Email
  • Website URL
  • Website name
  • WMZ and WMR
  • ICQ (optional)

No sensitive data!

Affiliate ID ‘epbox 1290’

SLIDE 43

Typical affiliate website

SLIDE 44

Typical affiliate website

SLIDE 45

Typical affiliate website

  • Referrer check
  • Remote server
  • Affiliate ID

SLIDE 46

Typical affiliate website

  • SMS Trojan with affiliate ID
  • Referrer check
  • JAR constructor
  • Remote server
  • Affiliate ID

SLIDE 47

Typical affiliate website

  • SMS Trojan with affiliate ID
  • Referrer check
  • JAR constructor
  • Remote server
  • Affiliate ID

Thousands of websites!

SLIDE 48

Ransomware

Same situation

SLIDE 49

Ransomware

Same situation

SLIDE 50

Underground economy

…and lottery results :)

SLIDE 51

Underground economy

Revenue sharing

  • Infected phone/PC
  • Mobile operator
  • Content provider
  • The affiliate owner(s)
  • Affiliate

SLIDE 52

Underground economy

Revenue sharing

  • Infected phone/PC
  • Mobile operator
  • Content provider
  • The affiliate owner(s)
  • Affiliate

  • 31-50% of SMS price
  • SMS

SLIDE 53

Underground economy

Revenue sharing

  • Infected phone/PC
  • Mobile operator
  • Content provider
  • The affiliate owner(s)
  • Affiliate

  • 31-50% of SMS price
  • 1-5% of SMS price
  • SMS

SLIDE 54

Underground economy

Revenue sharing

  • Infected phone/PC
  • Mobile operator
  • Content provider
  • The affiliate owner(s)
  • Affiliate

  • 31-50% of SMS price
  • 1-5% of SMS price
  • 40-67% of SMS price
  • SMS
  • 1-5% of SMS price

SLIDE 55

$$$

SLIDE 56

$$$


‘…10 people were arrested…’ ‘…malware which blocks PC…’

SLIDE 57

$$$


‘…10 people were arrested…’ ‘…malware which blocks PC…’ ‘…half a year…’ ‘…SMS as ransom…’

SLIDE 58

$$$


‘…10 people were arrested…’ ‘…malware which blocks PC…’ ‘…half a year…’ ‘…SMS as ransom…’ ‘…1 billion rubles…’

SLIDE 59

Calculations

1,000,000,000 rubles ~ $30,000,000

$30,000,000/6 ~ $5,000,000 per month

SLIDE 60

‘Death penalty’

Largest mobile affiliate network was fined:

The fine was equal to 25% of the affiliate network weekly income:

  • 1,590,000 rubles ~ $53,000
  • Weekly income ~ $212,000
  • Monthly income ~ $850,000

People were losing at least $1,200,000 per month

SLIDE 61

Final score

$6,200,000 per month

SLIDE 62

Threats round the globe

SLIDE 63

Ransomware

SLIDE 64

Ransomware

SLIDE 65

Ransomware

SLIDE 66

A long time ago…

SLIDE 67

Porn SMS senders

‘Nooit spijt’ case

SLIDE 68

Porn SMS senders

‘Nooit spijt’ case

SLIDE 69

‘Dating’ apps

If you are from UK

SLIDE 70

‘Dating’ apps

If you are from UK

If you are from US

SLIDE 71

‘Dating’ apps

If you are from UK

If you are from US

SLIDE 72

‘Dating’ apps

SLIDE 73

Countries

  • 6343, 1,5 EUR per SMS
  • 66932, $9,99/month, subscription number
  • 80382, 4,5 pounds/week, subscription number
  • 39633, RM3.00 per SMS
  • 8335, 30KES per SMS
  • 41647, R5 per SMS

SLIDE 74

What should we do?

SLIDE 75

What should we do?

  • Force legislation changes in certain countries
  • Cybercriminals must be punished
  • Provide education and user awareness

SLIDE 76

Thank You

Denis Maslennikov, Senior Malware Analyst, Kaspersky Lab

Denis.Maslennikov@kaspersky.com, @hEx63

15.06.2011, 23rd Annual FIRST Conference, Vienna, Austria

The Underground Economy and Ecosystem of SMS Based Cybercrime