Tackling the illegal trade in the Digital world


Cyber-laundering: dirty money digitally laundered
Graham Butler
Special Presentation to the Academy of European Law
Budapest – March 2016
Co-funded by the Justice Programme of the European Union 2014-2020
Graham Butler – Chairman Bitek Group of Companies © 2016
Supporting the Cyber-Security agenda

ERA (Academy of European Law) – Lisbon / Trier / Sofia / Brussels
Address: Threats to Financial Systems – VoIP, lawful intercept, money laundering

CTO (Commonwealth Telecommunications Organisation) London
Address: Working group on strategic development for 2016-2020

ITU High level Experts Group – Cybersecurity Agenda – Geneva (United Nations)
Address: VoIP and P2P Security – Lawful Intercept

ENFSC (European Network Forensic and Security Conference) - Maastricht
Address: Risks of P2P in Corporate Networks

CTITF (Counter Terrorism Implementation Taskforce) - Seattle
Address: Terrorist use of encrypted VoIP/P2P protocols - Skype

Norwegian Police Investigation Section - Oslo
Address: Next Generation Networks – VoIP Security (fixed and mobile networks)

IGF (Internet Governance Forum) – Sharm El Sheikh, Egypt
Address: Threats to Carrier Revenues and Government Taxes – VoIP bypass

EastWest Institute Working Group on Cybercrime - Brussels / London
Working Groups: Global Treaty on Cybersecurity / Combating Online Child Abuse

CANTO (Caribbean Association of National Telecoms Org) – Belize / Barbados
Address: Reversing Declines in Telecommunications Revenue

ICLN (International Criminal Law Network) - The Hague
Address: Cybercrime Threats to Financial Systems

CIRCAMP (Interpol / Europol) - Brussels
Working Groups: Online Child Abuse – The Fight Against illegal Content
Graham Butler – President and CEO Bitek © 2013
The evolution of interception - circuit switched networks
1. Threat to National Security
2. Suspect identified
3. Court application for LI warrant
4. Court issues interception warrant
5. Agency provides warrant to Operator
6. Operator sends LI data to agency
[Diagram labels: Court Order Lawful Interception; Traditional Circuit Switched Networks; 2G / 3G / 4G / 5G; Circuit Switch; TDM Interconnect; Time-Division Multiplexing (TDM); TDM ‘numbered’ calls]
Next Generation Traffic Challenges (ML)
The evolution of interception - packet switched networks
Diversity and encryption creates a ‘safe haven’ for crime/terrorism
[Diagram labels: CLOUD A The World Wide Web; CLOUD B National IP Network; Inbound VoIP / OTT SERVICES; Unlicensed / Bypass / Fraud; SIM Bank; PBX/VoIP Switch; Media Gateway; IP Gateway; TDM ‘numbered’ call; users A and B; 2G / 3G / 4G; WiFi, WiMax; Broadband Router; VoIP/OTT app call; (Gaming Console) VoIP/OTT app; VoIP Packets (Encrypted Services?)]
Diversity of Internet Activity (Intel)
Unlicensed SIP VoIP (RFC 3261 variants) 373 competitors
aamranetworks.com, Abovenet Communications, Acess Kenya Group, ACN_DSL, Atlantic Broadband, Airtel Broadband, Akamai, ALGX, Amazon.com, AmazonHosting, Angel
Drops, Aruba, ASKTel, ASTA Net, 24/7 Real Media ARTNET, AT&T U-verse, AT&T wireless, Bandcom, Beeline, Beam Telecom, Belgacom Skynet, BellCanada, Bell Mobility,
BellSouth, BTS, Bharti Airtel, Bankstown-Clinical-School , BICS, Blast_Comms , Bluewin, Bouygues Telecom, Bright House Networks, Broadvoice, BSNL, BT Italia, Beyond
The Network America, Cable 1, Cablecom, Cablevision, Cabel Digital Kabel TV, Cable and Wireless Americas Operations, CANTV services, Century Link, Checkbox, Charter
Communications, China Telecom, China Mobile, China Telecom YunNan, China Telecom Jiangsu, China Telecom Sichuan, CJSC Ural Trans Telecom, Completel, Cameroon
Telecommunications Ltd, China Tie Tong, CoLoSolutions, Cogent Communications, CommPeak (Amazon Hosted), Canaca.com, China Unicom, Claro Dominican Republic,
Claro Peru, Clear Wireless, Comnet, CANL, Choopa, Connexions 4 London, Cogeco Cable, Compass , ComCast, Corgi Tech Ltd, Chunghwa telecom, Consejo Hondureno de
Ciencie y Tecnologia, CTBC, Cybercon, CYTA HELLAS, nyc callcenter 1, Datacenter, Dedibox, Dial Telecom, Digital Networks CJSC, Distributel Communications, Dixivox,
Deltathree, DIGI Ltd, Digicel Jamaica, Dooel Kavadarci, Donbass Electronic Communications Ltd, DNA Oy, DODO, DTS Ltd, E Networks, Econocall, Ecatel, Ecuador Telecoms,
EdgeCast Networks, EGNET, Elion Enterprises GANDI, Eircom, Elisa OYJ Mobile, Emirates Telecom, Enterprise Networks, Entertainment Television, Eweka Internet Services,
FibreNet, Fibernetica Corp, FLOW, Fonebee, FORTHnet, Freeport-McMoran, Free SAS, Gateway Communications, Galaxy Communications, Gestora de infraestructursa de
telecomm, GetGeorgeMobile, GCA Telecom El Salvador, GCN/DCN Networks, GIO Moblie Ghana, Globalinx, Global Net Access, Global Village, Globe Telecom, googletalk,
Godaddy.com, GoandCall, GoGent, Golden Lines Cable, Guandong Molile Communications, Hadara, Haiti Networking Group, Haiti Telecom, Hanaro Telecom, H3G Italy,
Home Network Japan, Hong Kong Broadband Networks, Hotwire Communications, Hubei, Hurricane Electric, INDIT Hostings, Infracom Italia, Inphonex, Inei international,
Internap Network Services, Icall, IDT Corporation, iweb, Incapsula.com, Inet Limited, Internetcalls/Freecall, Internet Development Company, IPCommunications,
Lifeisbetteron, Iscon Internet, Isotropic Networks, Ispro Lietisum, IPTelligentLLC, ITIBITI.COM, Jazz Telecom, Joyent, JSC, JSC Kazakhtelecom, Kabel Deutschland,
Kampung Communications, Karib Cable, KEKU (Amazon), Kimsufi.com, Korea Telecom, Krypt Technologies, KPN B.V., Lankacom, Lbisat, Leaseweb BV, Level 3
Communication, Lexis-nexis, LgDacomCo, Libantelecom, Lightspeed_SBCglobal, Lightyear Network, Limelight Networks, Link Egypt, LG Powercom, LG Telecom, LLP Asket,
LowRateVoIp, Mana S.A., Magma, Maroc Telecom, Magyar Telecoms, LINODE, MobileOne, Mainehealth Medical Centre, Mauritius Telecom, Mediaserv, Mediaring network
services, Mediacom Communications, Megapath, merkenmarketeers (BICS), MS Hotmail, Microsoft corporation, Microsoft Hosting, MIR Telematiki, M2 Telecomms Group,
Microsoft Ltd, Microsoft Internet data center, MTNBusiness (telkom Hosted), Mobitel, Movistar, Multilink, Multiregional Transit Telecom, MWEB Connect, mycingilar.net, N
Layer, Nec Biglobe, NC Nummericable, Netvision, Net2Wholesale, Net2Phone, Netzquadrat, NexG, Nexgen Networks, Nextgen tel, NetstreamTechnology, NetTalk, Netia SA,
NOC4HOSTS, ntlworld, NTT&Verio, Nymgo, Net 1, OFFRATEL, Open Market, Onavo, Open Computer network, Oi Internet, Oi Velox, OVH SASOOREDOO, OVH Hosting,
Orange Espania, Orange Dominica Power phone, Orange France, Orange Home UK, Orange Palastine Group, OJSC Kyrgyztelecom, OJSC Rostelom, OJSC MegaFon, Ortel
Communications M/S, Pakistan Telecommunications Company, Palastine, Packet Exchange, Rackspace Pixius Communications, Primus, Paetec, Peer1, Pinger, Peru_S.a.c,
PLDT (Philippine Long Distance Telephone), Republican Unitary Telecommunications, RCS & RDS Residential, RNADTA, Quadranet, Reflected Networks, Rodgers Cable, ROM
Telecom, Rostelcom Kaluga, RCN, RSL COM Canada, R Cable y telecomuniciones Galicia ServerCentral, Samjung Data Service, SSDN Communications, sakura internet inc,
SaudiNet, SFR, Sedel, SK Telecom, SKY Broadband, Singlehop, Smart Broadband, Softbank Telecom Corp, Softlayer, SoftlayerMGBlock, STS, SONATEL, Sprint, Speedclick,
Splendor, Spectrmnet, Starnet, Starhub Internet, Subisu Cablenet (pvt ) Ltd, Switchspace, Syrian Telecommunications, TATA Communications, Telefonica USA,
Telecommunications Company, Time Warner Cable, T Mobile, Telebec, Telkom Internet, Telstra Internet, Telecom Algeria, telenet N.V., Telio Holdings, Telefonica De
Argentina, Telus Communications, TPG Internet Pty, TalkFree, Telenor, TeliaCarrier, Tikona Digital Networks Pvt, Telefonica De Espana, Telia Network Services, Telecom
Internet, Telecom Services Trinidad & Tobago, Tiscali, Telecom Malaysia Berhad, Tricom, Talk4Free, Telgua, Telinta VoIP Company, Telefonica Moviles Panama, Tirpitz, Tim
Celular S.A. Telecom Indonesia, TOT Public Company Limited, Turk Telecom, UK Rtelecom, Ubiquity Servers, UCOM, UPC AUSTRIA, UPC Polska, Vonage (Leaseweb.B.V),
Voyager Internet Limited, Verat DOO, Verizon, Verizon Sweden, Vivacom, VideoTron, VDC, VIVO, VOO, Vosox, voxsun.net, ViVox, Vitelity, Virtustream, Vonage,
VolumeDrive, Vaboomz, Voipms, Yahoo, VoX Communications, Voxee, Wave Internet Services, WebNX, Webair, WholeSale Internet, WindTelecom, Windstream
Communications, XO_Communications, Xplornet Communications, YahooSIP, YOU Broadband, ZAMTEL, Ziggo, ZON TV cabo, ZSR-ZT Bratislava, 44Direct, 8 x 8
373 offshore SIP operators (Haiti telecoms)
Unlicensed competition causes false market rates (anti-competitive)
Policy decision to remove fraudulent bypass services
Create a regulatory environment where SIP operators are licensed
SIP operators will pay the appropriate fees and taxes
Fair market conditions will establish correct market rates
What is the financial model behind each operator? Linked to ML?
The diversity of VoIP protocols and applications
PROTOCOLS (6) APPLICATIONS (113)
LARGEST VOIP SERVICES (Example: US to Caribbean) - Commercial VoIP Operators / VoIP Applications
SIP (95)
Astra, Asterisk (PBX), AIM Phone, AllfreeCalls.net, Broadvoice, BT-Yahoo, BuddyTalk, Calleasy, Chamaleon, Deltathree, Dialpad,
Dialnow, Cheap calls to India, Cockatoo, Ding-a-Ling, Earthcaller, Ekiga (old GnomeMeeting), Expresstalk, Fonebee, Freeswitch,
Fring, FreeCallPlanet, Free calls to Pakistan, Free VoIP International Calls, FWD.Communicator, Gizmocall, Gizmo Project (Gizmo5),
Globalinx, GrandCentra, iCall, intervoip, iSkoot, Jajah, Jangl, Jaxtr, Justvoip, KCall, Kphone, Kutecom, Lingo VoIP, Linphone,
LowrateVoip, Lycos, MagicJack, MediaRing, Minisip, Mobivox, MrTalk, MSN Messenger, Nettalk, Nonoh, ooVoo, OpenWengo,
PacPhone, Packet8, Paltalk, Peerio, Pennytel, OpenSip, PhoneGaim, PhoneGnome, Sgoope, SightSpeed, SIP Communicator,
SIP User Agent, SIPCLI, SipXphone, SJPhone, SMSDiscount, Switchspace, Talqer, TalkPlus, Teltub, Tringme, Truphone, Yaka, Yahoo,
VD3Delta, Viber, Vivox, Vonage, Voncp, VoIP Buster, VoIP Cheap, Voipraider, Voipwise, VOX, Voixio, Windows Live Messenger, XLite, X-Pro-Vonage, Yate , 3XC, 8x8, 12voip
H323
NetMeeting, SJPhone, WebTalk, Open H323, CallGen323, Ekiga (old GnomeMeeting), Freeswitch, Yate
TLS
Whatsapp, Skype, SkypeIn, SkypeOut, Viber, ooVoo
Google
Google Talk
Net2phone
Net2Phone
IAX
IAX Phone, Freeswitch, Yate, Kiax, Moziax
OTHER VOIP PROTOCOLS (3)
Megaco (H248), MGCP, Skinny (SCCP)
IM PROTOCOLS (10)
OSCAR, AIM/ICQ, IRC, iChat, Mac OS X, MobileMe, SightSpeed, Skype, Yahoo! Messenger, XMPP/JABBER
E-MAIL PROTOCOLS (3)
POP, SMTP, IMAP
The diversity of P2P file transfer systems
PROTOCOLS (11) APPLICATIONS (85)
IAX
Astrix PBX, Freeswitch, Kiax, Moziax, Yate
BitTorrent
ABC, AllPeers, Bit Comet, BitLord, BitSpirit, BitTornado, Burst, Deluge, FlashGet, G3Torrent, Halite, Ktorrent, MLDonkey,
Opera, QTorrent, rTorrent, TorrentFlux, Transmission, Tribler, Thunder, µTorrent
Direct Connect
Direct Connect, SababaDC, DC++, BCDC++, ApexDC++, StrongDC++
Ares
AresGalaxy, Warez P2P, Filecroc
eDonkey
eDonkey2000, aMule, eMule, eMulePlus, FlashGet, Hydranode, iMesh, Jubster, IMule, Lphant, MLDonkey, Morpheus,
Pruna, xMule
Gnutella
Acquisition, BearShare, Cabos, FrostWire, Gnucleus, gtk-gnutella, iMesh, Kiwi Alpha, MLDonkey, Morpheus, Poisoned,
Swapper, XoloX
Gnutella2
Gnucleus, iMesh, Kiwi Alpha, MLDonkey, Morpheus, TrustyFiles
FastTrack
giFT, iMesh, Kazaa, Kceasy, Mammoth, MLDonkey, Poisoned
Napster
Napigator, Napster
Manolito
Blubster, Piolet
OpenNAP
Lopster, Napster , WinLop, WinMX, Utatane, XNap
Diversity of social networks
URLs / SOCIAL NETWORK APPLICATIONS
Social Websites (210)
43 Things, Academia.edu, Advogato, aNobii, AsianAvenue, aSmallWorld, Athlinks, Audimated.com, Badoo,
Bebo, BIGADDA, Biip.no, BlackPlanet, Blauk, Blogster, Bolt.com, Busuu, Buzznet, CafeMom, Cake, Financial, Care2, CaringBridge,
Cellufun, Classmates.com, Cloob, CouchSurfing, CozyCot, Cross.tv, Crunchyroll, Cyworld, DailyBooth, DailyStrength, delicious,
deviantART, Diaspora, Disaboom, Dol2day, DontStayIn, Draugiem.lv, douban, DXY.cn, Elftown, Elixio, Epernicus, Eons.com,
Experience Project, Exploroo, Facebook, Faceparty, Faces.com, Fetlife, FilmAffinity, Filmow, FledgeWing, Flixster, Flickr, Focus.com,
Fotki, Fotolog, Foursquare, Fuelmyblog, Friendica, Friends Reunited, Friendster, Frühstückstreff, Fubar, Gaia Online, GamerDNA,
Gapyear.com, Gather.com, Gays.com, Geni.com, GetGlue, Gogoyoko, Goodreads, Goodwizz, Google+, GovLoop, Grono.net, Habbo,
hi5, Hospitality Club, Hotlist, HR.com, Hub Culture, Hyves, Ibibo, Identi.ca, Indaba Music, IRC-Galleria, italki.com, Itsmy, iWiW, Jaiku,
Kaixin001, Kiwibox, Lafango, LAGbook, LaiBhaari, Last.fm, LibraryThing, Lifeknot, LinkedIn, LinkExpats, Listography, LiveJournal,
Livemocha, LunarStorm, Makeoutclub, MEETin, Meetup, Meettheboss, MillatFacebook, mixi, MocoSpace, MOG, MouthShut.com, Mubi
(website), MyHeritage, MyLife, My Opera, Myspace, myYearbook, Nasza-klasa.pl, Netlog, Nettby, Nexopia, NGO Post, Ning,
Odnoklassniki, OneClimate, OneWorldTV, Open Diary, Orkut, OUTeverywhere, Passportstamp, PatientsLikeMe, Partyflock, Pingsta,
Pinterest, Plaxo, Playahead, PureVolume, Playfire, Playlist.com, Plurk, Qapacity, Quechup, Qzone, Raptr, Ravelry, Renren,
ResearchGate, ReverbNation.com, Ryze, ScienceStage, ShareTheMusic, Shelfari, Sina Weibo, Skoob, Skyrock, Social Life, SocialVibe,
Sonico.com, SoundCloud, Stickam, StudiVZ, Students Circle Network, StumbleUpon, Tagged, TalentTrove, Talkbiznow, Taltopia,
Taringa!, TeachStreet, TermWiki, The Sphere, TravBuddy.com, Travellerspoint, tribe.net, Trombi.com, Tuenti, Twitter, Vkontakte,
Vampirefreaks.com, Viadeo, Virb, Vox, Wakoopa, Wattpad, Wasabi, WAYN, WebBiographies, WeeWorld, Wellwer, WeOurFamily,
Wepolls.com, Wer-kennt-wen, weRead, WiserEarth, Wooxie, WriteAPrisoner.com, Xanga, XING, Xt3, Yammer, Yelp, Inc. Zoo.gr,
Zooppa
Many services encrypted
E-MAIL / APPLICATIONS (PSEUDONYM REGISTRATION)
No ID Required (23)
AIM Mail, BigString.com Service, Care2 E-mail, Facebook Messages, FastMail, Gawab.com, HotPOP, Inbox.com Service, iCloud Mail,
Lavabit, Mail.com, GMX Mail, My Way Mail Service, MSN Hotmail, MyRealBox, Myspace Mail, Shortmail, Windows Live Hotmail,
Yahoo! Mail, Zapak Mail, Zenbe Personal, IMAP, Zoho Mail
Hiding and Trading - Fraud Over VoIP
What is on your national IP network?
Example - Viber Media
“Call, text, and send photos to each other, worldwide - for free!”
• 350m downloads / 105m concurrent users / 550k sign ups each day.
• Viber client will not install unless the user allows access to their contacts list.
• Development centre located in Israel - hosting at Amazon Cloud / Akamai Cloud (US).
• Cloud hosting in liberal jurisdictions allows OTT services to bypass national policies.
• Consistent refusal to provide intercept data to courts and LEAs.
What OTT services are on your network? Are they lawful intercept compliant?
[Chart: OTT Examples. Values shown: 479, 268, 210, 33, 105, 73, 584. Categories shown: Cyber-currencies, Crypto-currencies, VoIP/P2P/IM (Chat), Social Networks, Real-Time Entertainment, Mobile Money Transfer Operators, Online Gaming Operators, Online Gambling Operators]
Forensic analysis of packet data
Detailed records are individually searchable
• Actual IP address initiating the call/event
• Actual IP address receiving the call/event
• Actual MAC address initiating the call/event *
• Actual MAC address receiving the call/event *
• Actual telephone number initiating the call/event *
• Actual telephone number receiving the call/event *
• Actual email address initiating the call/event *
• Actual email address receiving the call/event *
• Time the call/event was initiated
• Time the call/event was disconnected
• Traffic statistics to identify signatures of SIM bank, Media Gateway and IBTs
• Geographic location of IP addresses/suspect can be produced in some cases through registries
• Selective filtering of VoIP traffic on a call-by-call basis. Allow ‘authorised’ and disconnect ‘un-authorised’
(* Subject to Protocol)
Additional Guardian module – URL control
• Stop access to inappropriate or offensive websites identified on approved blacklists (Interpol)
Money laundering over VoIP
The Laundering Sequence:
1. Fraudsters set up as a VoIP operator
2. Service is typically hosted offshore in a liberal jurisdiction
3. Offshore shell companies hide ownership and accountability
4. Services such as calling cards can be purchased for cash
5. Criminal network can easily insert dirty cash into the system
6. The receiving operator can charge for bulk voice services
7. The authenticity of the services provided cannot be verified
8. VoIP calls running 24hrs a day offers limitless laundering
9. Cleaned cash lands in destinations – typically tax havens
10. Hidden model for funding organised crime and terrorism
[Diagram labels: Dirty Money; Customers; Criminal Network; VoIP Services / Calling Cards; Shell Co’s (buffering); VoIP Operator; VoIP Service Agents; VoIP Service Host; Telecommunications Provider; Firewall; Internet; Offshore Banks]
Traffic Pumping - toll fraud targeting VoIP switch and apps
Traffic Pumping / International Revenue Sharing Fraud (IRSF)
1. Fraudsters hack into corporate PBX/softswitch resources
2. VoIP apps (multiple installs on devices) = multiple lines
3. Once access is gained the information is typically sold
4. Criminals set up offshore premium rate numbers and SMS
5. Attacks typically take place outside working hours
6. Huge bills can be run up in hours – unnoticed by victims
7. The carrier has provided a legitimate service
8. Corporate receives bill for $1000’s
9. Private user receives bill for $1000’s
Small $ amounts keep below anti-laundering radar
Case Study:
• VoIP calls were directed at premium rate numbers @ $5 per min
• Fraud remained undetected for 6 hours = $1,800 per line
• 25 exploited VoIP numbers in 6 hours = $90,000
[Diagram labels: Toll fraud targeting VoIP PBX; VoIP mobile apps; Fraudsters; Zombie Networks; Infected Mobile Phone; SIP Phone; SIP Device; Compromised OTT VoIP App; Customer; Telecommunications Carrier; Firewall; Internet; International Numbers; Premium Numbers; Premium SMS; Offshore Bank]
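A detection sketch for the traffic-pumping pattern on this slide (an added example, not part of the presentation or of any Bitek product): it scans call detail records for premium-rate calls made outside working hours and alerts when one line's spend in a rolling hour crosses a limit. The CDR field names, the prefix watch list, the working hours, the $200 limit and the sample records are all assumptions constructed for illustration; the $5 per minute rate and the 6 hour run come from the case study.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample watch list of premium-rate prefixes (constructed for this example).
PREMIUM_PREFIXES = ("+1900", "+4409")


def out_of_hours(ts, open_hour=8, close_hour=18):
    """True at weekends and outside open_hour..close_hour on weekdays."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)


def is_suspect(cdr):
    """Premium-rate destination dialled outside working hours."""
    return cdr["dest"].startswith(PREMIUM_PREFIXES) and out_of_hours(cdr["start"])


def cost(cdr):
    return cdr["minutes"] * cdr["rate"]


def detect(cdrs, limit=200.0, window=timedelta(hours=1)):
    """Return {line: (start time of the call that tripped the alert, window spend)}."""
    recent = defaultdict(deque)   # per-line suspect calls inside the rolling window
    alerts = {}
    for cdr in sorted(cdrs, key=lambda c: c["start"]):
        if not is_suspect(cdr):
            continue
        q = recent[cdr["line"]]
        q.append((cdr["start"], cost(cdr)))
        while cdr["start"] - q[0][0] > window:   # drop calls older than the window
            q.popleft()
        spend = sum(c for _, c in q)
        if spend >= limit and cdr["line"] not in alerts:
            alerts[cdr["line"]] = (cdr["start"], spend)
    return alerts


def exposure(cdrs, line):
    """Total cost of suspect calls on one line if nothing stops them."""
    return sum(cost(c) for c in cdrs if c["line"] == line and is_suspect(c))


def build_sample():
    """Constructed CDRs: one abused line plus two benign calls."""
    start = datetime(2016, 2, 9, 1, 0)           # a Tuesday, 01:00
    cdrs = [{"line": "ext-2001", "start": start + timedelta(minutes=10 * i),
             "dest": "+19005550100", "minutes": 10, "rate": 5.0}
            for i in range(36)]                  # 6 hours of back-to-back calls
    # Premium call during working hours: not flagged by this rule.
    cdrs.append({"line": "ext-2002", "start": datetime(2016, 2, 9, 10, 0),
                 "dest": "+19005550100", "minutes": 5, "rate": 5.0})
    # Late call to an ordinary number: not flagged either.
    cdrs.append({"line": "ext-2003", "start": datetime(2016, 2, 9, 23, 0),
                 "dest": "+442079460000", "minutes": 30, "rate": 0.1})
    return cdrs


if __name__ == "__main__":
    sample = build_sample()
    for line, (when, spend) in detect(sample).items():
        print(line, "alert at", when, "window spend", spend,
              "undetected exposure", exposure(sample, line))
```

On the constructed data the alert fires on the fourth call, with $200 spent on a line that would otherwise reach the case study's $1,800.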
Traffic Pumping – exploiting Sipvicious to hack SIP
Sipvicious “Friendly-Scanner” (not friendly at all)
1. Sipvicious is a mainstream auditing tool for VoIP systems.
2. Exploited by hackers to take control of VoIP servers for fraudulent purposes, such as traffic pumping (toll fraud).
3. A type of botnet which scans IP ranges for SIP servers such as softswitches and PBX which communicate via the 5060 port.
4. If it finds the port open, it attempts to brute force its way into the SIP server by testing sequential SIP account numbers with common usernames/passwords.
5. Typically downloaded through a Trojan (jps.exe) which connects to bot ‘command and control’ servers.
6. Sets User-Agent in the SIP requests to “friendly-scanner” or others.
Bitek monitoring of Sipvicious attacks
Haiti 7th Feb 2016 19.00 to 21.00 GMT (2 hours)
17.5m international inbound registration attempts to IPBBX using Sipvicious
1.0
Suspect User Agents
• sipvicious
• siparmyknife
• iWar
• sip-scan / sipsak
• sundayddr
• friendly-scanner
• friendly-request
• CSipSimple
• SIVuS
• Gulp / Sipv / Smap
• VaxIPUserAgent
• VaxSIPUserAgent
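The User-Agent list above turned into a log check (an added example, not code from the presentation or from Bitek): it parses SIP REGISTER requests, flags the listed agents, and separately flags any source that tries many different account numbers, because a scanner can send whatever User-Agent it likes. The packets, addresses, host name and the min_accounts threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Suspect User-Agent names from the slide, lower-cased for matching.
SUSPECT_AGENTS = {
    "sipvicious", "siparmyknife", "iwar", "sip-scan", "sipsak", "sundayddr",
    "friendly-scanner", "friendly-request", "csipsimple", "sivus",
    "gulp", "sipv", "smap", "vaxipuseragent", "vaxsipuseragent",
}
# SIP compact header forms (RFC 3261) mapped to their long names.
COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via", "m": "contact"}


def parse_sip_request(raw):
    """Return (method, headers); headers are keyed by lower-case long name."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", lines[0])
    if not m:
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT.get(key, key), value.strip())
    return m.group(1), headers


def account_of(to_header):
    """User part of the SIP URI in a To header, or None."""
    m = re.search(r"sips?:([^@;>\s]+)@", to_header)
    return m.group(1) if m else None


def suspect_agent(user_agent):
    """Whole-token match, so 'sipv' does not fire on unrelated longer names."""
    tokens = set(re.split(r"[^a-z0-9-]+", user_agent.lower()))
    return sorted(tokens & SUSPECT_AGENTS)


def analyse(packets, min_accounts=5):
    """packets: iterable of (source_ip, raw_sip_text). Returns {ip: [reasons]}."""
    stats = defaultdict(lambda: {"accounts": set(), "agents": set()})
    for src_ip, raw in packets:
        method, headers = parse_sip_request(raw)
        if method != "REGISTER":
            continue
        acct = account_of(headers.get("to", ""))
        if acct:
            stats[src_ip]["accounts"].add(acct)
        stats[src_ip]["agents"].update(suspect_agent(headers.get("user-agent", "")))
    report = {}
    for src_ip, s in stats.items():
        reasons = []
        if s["agents"]:
            reasons.append("suspect-user-agent:" + ",".join(sorted(s["agents"])))
        if len(s["accounts"]) >= min_accounts:
            reasons.append("account-sweep:%d" % len(s["accounts"]))
        report[src_ip] = reasons
    return report


def make_register(user, agent, host="pbx.example.net"):
    """Build a constructed REGISTER request (sample data, not a capture)."""
    return ("REGISTER sip:{h} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.99:5060;branch=z9hG4bK{u}\r\n"
            "From: <sip:{u}@{h}>;tag=1\r\n"
            "To: <sip:{u}@{h}>\r\n"
            "Call-ID: {u}-constructed\r\n"
            "CSeq: 1 REGISTER\r\n"
            "User-Agent: {a}\r\n"
            "Content-Length: 0\r\n\r\n").format(h=host, u=user, a=agent)


# Constructed traffic: a listed scanner, a sweep hiding behind a common
# User-Agent, and an ordinary phone re-registering one account.
SAMPLE = (
    [("203.0.113.7", make_register(str(100 + i), "friendly-scanner")) for i in range(6)]
    + [("198.51.100.20", make_register(str(2000 + i), "Asterisk PBX")) for i in range(5)]
    + [("192.0.2.10", make_register("alice", "Linphone/4.4"))] * 3
)

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE).items():
        print(ip, reasons or "ok")
```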
VoIP Missing Trader Intra-Community VAT Fraud (MTIC)
MTIC uses the same model
MTIC VAT fraud example - Italy:
1. MTIC is essentially the theft of VAT
2. Fraudsters set up as VoIP operators (buffered)
3. Involved companies in Italy, UK, US and Finland
4. EU cross-border B2B transaction is VAT neutral
5. Fraudsters collected VAT on the sale of domestic VoIP services
6. When the tax became due the companies had disappeared.
7. Cost the Italian economy €400m in non-payment of VAT
8. Connected to a scheme to launder €2 billion
Complexity of case: Fraud committed in 2003–2007; 50 arrest warrants issued 2010; court hearings 2013.
Europol: MTIC fraud costs the EU €100b a year or €270m a day
Eurojust: Makes MTIC fraud a top priority for 2014-2017 period
[Diagram labels: Dirty Money; Customers; Criminal Network; VAT; VAT Paid; € Tax Demand; VoIP Services / Calling Cards; Shell Co’s (buffering); VoIP Operator; VoIP Service Agents; VoIP Service Host; Telecommunications Provider; Firewall; Internet; Offshore Banks]
Large scale vishing scams over VoIP
Setting up a vishing scam using VoIP
1. Vishing is a phone call scam utilizing phishing, social media and VoIP
2. Fraudsters set up spoof companies and websites to support the scam
3. Cheap or free VoIP calls allow scammers to set up ‘call centre’ models
4. Anonymity of VoIP/P2P registration avoids LI detection and tracking
5. Stolen identity data provides enough information to sound genuine
Case Study - Banking
1. VoIP calls to landline numbers - fraudsters posing as bank officials
2. Vulnerable small business owners and the elderly are targeted
“We have identified active fraudulent behaviour on your account”
“To protect you, we need to transfer your balance into a holding account”
“Please call the number on the back of your bank card to authorise”
3. The scammer who has not hung up plays a ‘dialing tone’ and a ‘ringing tone’
4. A new scammer appears to answer at the bank – the fraud is then
Typical Costs targeting US Citizens
Per attack: $5000 to $30,000
Total per year: $100’s millions
[Graphic: CALL ID UNKNOWN – Scam?]
Spoofing Caller ID – the evolution of cybercrime
1. As vulnerable consumers become more wary of scams they know not to answer calls identified with “Unknown” or “No Caller ID”
2. Fraudsters can now use a new VoIP service called bitphone to get around this problem by spoofing the caller ID. Any number can be used.
3. Low cost call $0.021 per minute + caller-ID spoofing at $0.0912 per call.
4. Payment through Bitcoin or other virtual currencies retains anonymity.
5. To help provide legal cover, bitphone includes the FCC’s caller-ID and spoofing guidelines in its T&C’s that each user must accept.
6. Using a public WiFi hotspot adds additional security buffering.
[Graphic: IRS Spoofing, +1 800 829 1040]
The global trade in identity theft information
The Times Feb 2016 – Online fraud costs Britain’s economy £27 billion per year
• 1m stolen bank details discovered for sale on http://bestvalid.cc/session
• Criminals trade with impunity on the internet - not the dark web.
• Sold for as little as £1.67 each
• Stolen Identities from 100,000 Britons
Source: Symantec 2014 Report
Spear-Phishing and ransom attacks
Spear-Phishing bypasses spam filters
Source: Symantec 2014 Report
1. Spear-Phishing is an attack which hacks into our “trusted” email or social media contacts lists.
2. Spam filters accept inbound emails which appear to be from a work colleague, family or friend.
3. We are more likely to click on a link from a friend – unaware that it is malware.
4. More than 317 million new pieces of malware were created last year, nearly a million a day.
5. Crypto-ransom attacks, where the victim's files are encrypted and held hostage without warning, skyrocketed 4,000 percent.
6. Ransomware attacks grew 113 percent
7. 70 percent of social media attacks rely on the initial victim to spread the threat to others.
Abra – the digital version of Hawala
Money transfer without money movement
1. The Hawala model has been used for centuries for money transfer without physical money movement.
2. Hawaladars are people who collect and hand out funds on behalf of others over long distances, settling with each other via barter transactions.
3. In the US no one is allowed to hold or remit funds on behalf of someone else without being a licensed money transmitter.
4. As tellers are always holding their own money it is extremely difficult to identify or regulate these activities.
5. Abra is a Peer to Peer (P2P) smartphone app designed to bring Hawaladar into the digital age.
[Diagram: (A) wants to transfer $1000 to (B) via Hawaladar (Tellers) 1 and 2 – “Trust” – $1000]
Teller (1) now owes $1000 to Teller (2)
Reverse money transfers equalise the $ balance between Tellers
Abra P2P – bypasses the regulated money transfer market
1. Deposit (domestic): Deposit cash to the app through an Abra Teller - or add with your debit card.
2. Send (virtual transfer): Instantly send any amount of money directly from the app to anyone in the world.
3. Withdraw (domestic): Withdraw cash from the app via any Abra Teller. Users rate tellers on website (trust).
[Diagram: “Digital cash” transfers from A to B]
Abra P2P service bypasses the regulated money transfer industry (virtual infrastructure = low fees)
The Dark Web – the DIY cybercrime toolkit
The Dark Web – the DIY financial toolkit
The Dark Web - terrorist communications and funding
[Timeline: 2008 to 2016]
Mumbai Terror Attack
• VoIP phones purchased in PK
• Calls via US provider
• Co-ordinated from Pakistan
• Lack of digital evidence frustrated LEA investigations
Taliban Communications
• VoIP enabled handsets
• P2P Skype used widely
• Frustrates SIS / NATO intercept
• Microsoft purchase Skype in 2011
• Microsoft LI patent granted 2012
ISIL Communications
• Edward Snowden leaks 2013
• Jihadi organizations become more informed about NSA techniques
• Dark web becomes the preferred communications tool
• VoIP system developed by Pakistan ISI distributed on dark web by ISIL
Obama asks Congress for $19 billion for Cybersecurity
Obama targets US Cybersecurity
1. $19 Billion includes $3.1 billion for technology modernization at various federal agencies.
2. Cyber threats are “among the most urgent dangers to America’s economic and national security,”
3. Launch Presidential Commission on Cybersecurity to strengthen US cyber-defences over the next decade.
4. Government’s cyber-defense system, known as Einstein, is “ineffective at combating hackers.”
5. Recent high-profile hacks include Office of Personnel Management, Sony Pictures and Target that were “largely met with legislative inaction”
[Graphic: Norse cyber-attack data (15 minute sample) – represents a fraction of the total attacks on URLs]
The Internet – Cybercrime toolkit (not just the dark web)
Organized fraud, tax evasion, money laundering
You know Sir, you can do this just as easily online!
Thank you for your attention
Graham Butler