[MARCH 2016]
Group No. 1: 1. Ngo Thi Mai Lan 2. Nguyen Ngoc Hao 3. Nguyen Thi Tho 4. Mai Thị Thu 5. Nguyen The Tu

ASSIGNMENT FOR E-COMMERCE

Questions: 1. What’s difference between the virus, worm, and Trojan horse? 2. How would you protect your firm against a Denial of Service (DoS) attack? 3. Explain why an e-commerce site might not want to report being target of cybercrimals? 4. Is a computer with anti-virus software protected from viruses? Why or why bother? 5. Why the value of stolen information which prices range in underground marketplace is so wide? Answer: 1. The difference between the virus, worm, and Trojan horse Viruses, Worms, and Trojan are all part of a class of software called malware. Malware or malicious code (malcode) is short for malicious software. It is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other “bad” or illegitimate action on data, hosts, or networks. There are many different classes of malware that have varying ways of infecting systems and propagating themselves. Malware can infect systems by being bundled with other programs or attached as macros to files. Others are installed by exploiting a known vulnerability in an operating system (OS), network device, or other software, such as a hole in a browser that only requires users to visit a website to infect their computers. The vast majority, however, are installed by some action from a user, such as clicking an e-mail attachment or downloading a file from the Internet. Some of the more commonly known types of malware are viruses, worms, Trojans, bots, back doors, spyware, and adware. Damage from malware varies from causing minor irritation (such as browser popup ads), to stealing confidential information or money, destroying data, and compromising and/or entirely disabling systems and networks. Malware cannot damage the physical hardware of systems and network equipment, but it can damage the data and software residing on the equipment. Malware should also not be confused with defective software, which is intended for legitimate purposes but has errors or bugs. Two of the most common types of malware are viruses and worms. These types of programs are able to self-replicate and can spread copies of themselves, which might even be modified copies. To be classified as a virus or worm, malware must have the ability to propagate. The difference is that a worm operates more or less independently of other files, whereas a virus depends on a host program to spread itself. These and other classes of malicious software are described below. a) Viruses A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments. b) Worms Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided. c) Trojans A Trojan is another type of malware named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. - Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet. Tips to Combat Viruses, Worms and Trojan Horses on Your Computer: * Keep The Operating System Updated: The first step in protecting your computer from any malicious there is to ensure that your operating system (OS) is up-to-date. This is essential if you are running a Microsoft Windows OS. Secondly, you need to have anti-virus software installed on your system and ensure you download updates frequently to ensure your software has the latest fixes for new viruses, worms, and Trojan horses. Additionally, you want to make sure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the Internet, and you also need to run full disk scans periodically. This will help prevent malicious programs from even reaching your computer. * Use a Firewall: You should also install a firewall. A firewall is a system that prevents unauthorized use and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or in broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore embedded worms in outgoing e-mails and see this as regular network traffic. For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside to software firewalls is that they will only protect the computer they are installed on, not a network. * It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and a good anti-virus scanning software, it will add some extra security and protection for your computer or network. 2. How would you protect your firm against a Denial of Service (DoS) attack? Denial of Service (DoS) attacks is among the most feared threats in today's cyber security landscape. Difficult to defend against and potentially costly, DoS attacks can cause outages of web sites and network services for organizations large and small. DoS attacks can also be lucrative for criminals, some of whom use these attacks to shake down businesses for anywhere from thousands to millions of dollars. Any deliberate effort to cut off your web site or network from its intended users qualifies as a DoS attack. Such attacks have been successfully deployed against major online businesses including Visa and Mastercard, Twitter, and WordPress. DoS attacks effectively knock the services offline, costing lost business and negative publicity. They also force IT staff to expend valuable resources defending against the attackers. If there is a silver lining to DoS attacks, it's this: The objective of the typical DoS attack is not to steal or expose confidential data. Most DoS attacks do not actually breach a company's network, they simply overwhelm it with traffic. In many recent cases, DoS attacks have been used by Anonymous and other hacktivist groups as a form of online protest against corporate and governmental targets whose policies or actions are at odds with the demonstrators. The exception to this is when a DoS attack is used as a distraction to funnel attention and resources away while a targeted breach attack is being launched. Sony claims that Anonymous used that technique against them in a major 2011 attack that ultimately led to the theft of over 12 million customers' credit card data. It makes them look bad, and customers don't trust them. As an example, would you want to do business with a bank if you knew it had been robbed repeatedly, or would you prefer to deal with a bank that you thought seemed safer? The most easily executed type of DoS attack is one that is launched from a single origin. In this attack, a single machine somewhere on the Internet issues a barrage of network requests against a targeted victim machine. The requests themselves can take a variety of forms – for example, an attack might use ICMP flooding via ping requests, or HTTP requests against a web server. Single-origin DoS attacks can be effective against undefended victims, but they have a few key limitations: Victims can block the originating IP address, either at the firewall level (to kill HTTP requests) or further upstream at the ISP level (to kill network-level floods). Security tools now exist to detect and prevent ICMP flood attacks. Web servers can be configured to detect and block HTTP request attacks. Enterprise products can identify and block single origin attacks as soon as they begin. These days, the more nefarious type of DoS is called the DDoS, or Distributed Denial of Service attack. In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single IP address; plus, it is very difficult to distinguish legitimate user traffic from attack traffic when spread across so many points of origin. DDoS: The Rise of the Botnets Where does an attacker even get thousands of machines to launch a DDoS? Distributed Denial of Service attacks are executed by a so-called botnet – a collection of computers around the world infected with an attacker's malware. Malware infections can install silent software on a victim machine which places it under the control of a remote attacker. Successful botnets can be comprised of hundreds of thousands of infected machines, typically without the owners' knowledge. There big money in creating botnets – among other things, botnet creators rent out their creations to criminal enterprises who can use them to launch a DDoS. Large-scale DDoS attacks are not random. The perpetrators choose their victim deliberately, either due to a grudge, revenge, or an attempt to bully them into meeting some demands – possibly including paying extortion. Renting a botnot to launch a DDoS can cost about $100 per day, so the duration of an attack is partially dependent on how well-funded the attacker. Inside a DDoS The specific mechanisms used by a DDoS to "drop" a web site or network can vary depending on the attacker's preferred strategy. One major difference between DDoS implementations is whether they target the computing resources of the victim's machine or the network resources. An attack against a web server based on HTTP flooding – as many as 10,000 requests per second – can overwhelm the server software, eventually consuming the machine's memory, CPU time, and possibly even disk space (if the log files grow out of control). An attack such as a SYN flood instead focuses on the TCP network, overloading it with unacknowledged packets. Depending on how an organization's network is managed, this kind of DDoS can not only overwhelm a server, it also can overload switches or other network resources, potentially impacing a victim's entire network, including casualties unrelated to the victim if they share network space with the same ISP. HTTP and SYN floods are not the only weapons in a DDoS attacker's arsenal but they are among the most common. Other attack mechanisms may include UDP, ICMP and DNS floods, as well as mailbombs. A so-called "mixed DDoS" can incorporate several of these weapons into one attack. Can a DDoS be stopped? Let's start with the bad news: It is very difficult to defend against a sophisticated DDoS attack launched by a determined adversary. Many organizations struck by a DDoS are left to scramble in an effort to stop the attack once it has already begun. Sometimes this requires coordination with the ISP that provides network access. This is especially true when an ISP is forced to "null route" a victim – meaning that to protect other customers, the ISP routes traffic intended for the victim into the trash. This of course effectively prevents all access, including from legitimate users. One of the more well-known countermeasures against a SYN flood is the use of "SYN cookies" either in the server OS or, better yet for network efficiency, in a network security device at the network edge such as the Cisco Guard. SYN cookies provide a more efficient method for tracking incoming TCP connections lessening the chance for a typical SYN flood to overwhelm the stack. An effective defense against an HTTP flood can be the deployment of a reverse proxy – in particular a collection of reverse proxies spread across multiple hosting locations. A reverse proxy is somewhat akin to a bouncer at a nightclub, deciding which guests are allowed into the party, where the real web server is. By deploying many bouncers in different locations, the crush of incoming traffic is split into fractions, lessening the possibility of the network becoming overwhelmed. Deploying this type of architecture can be done in the scramble after an attack has begun, or baked into the network architecture of a web site as a preventative defense. The limitation with these DDoS defenses is that if the attacker can generate network traffic at a higher rate than your network's Internet connection can handle, it will be hard to avoid a meltdown. But what these defense strategies do accomplish is at least force the attacker to get a bigger gun. 3. Explain why an e-commerce site might not want to report being target of cybercrimals? It makes them look bad, and customers don't trust them. As an example, would you want to do business with a bank if you knew it had been robbed repeatedly, or would you prefer to deal with a bank that you thought seemed safer? Some companies are concerned that law enforcement investigations are slow although police often have a view of the larger picture than an individual company. Another common fear is that a company that reports cybercrime will have that information leaked to the media, but rarely do the leaks come from law enforcement agencies, she said Finally it makes them look bad, businesses are concerned about shareholder value, the reputation of their organizations, customers don't trust them. As an example, would you want to do business with a bank if you knew it had been robbed repeatedly, or would you prefer to deal with a bank that you thought seemed safer?

4. Is a computer with anti-virus software protected from viruses? Why or why bother? Most people believe that they’re totally protected because they have an anti-malware program.Unfortunately, that’s simply not true. The answer is partly the nature of anti-malware software… and partly the nature of “the race.” In the lead are malware writers looking for vulnerabilities and writing malware to exploit them. Coming in second are the anti-malware software vendors looking for ways to detect new malware as it appears as well as figure out the correct way to eradicate it when found. Next are the software vendors looking to plug the security holes that the malware exploited in the first place. Lastly are folks like you and me, hopefully keeping our systems up-to-date with the latest updates to both our anti-malware products as well as the systems and software that having vulnerabilities. As you can see, virus writers are almost always in the lead. You and I? We’re dead last – hopefully close to the pack, but still – last. As a result, the first answer boils down to simple bad luck. It’s possible to be doing everything as right as you can and still get infected if: * Your anti-malware software has not yet been updated to know how to detect it. * Your system or application software has not yet been patched to fix whatever vulnerability the virus exploits. * All anti-virus software is the same, only different. Sadly, as far as I can tell, there is simply no “best” anti-virus or anti-malware package. Almost all of the name brands are good, but I’ve not run into one that really stands out above the crowd at detecting absolutely positively everything. In other words, no matter what anti-virus package you run, it may miss something. Different packages may miss different things, but there’s no single package that you can count on to catch everything. So it’s possible to still get infected even though your anti-malware tools are completely up-to-date. Some classes of viruses exploit operating system vulnerabilities that are present simply by connecting to the internet. You don’t even have time to download your operating system update, or anti-virus software, before your machine is once again a victim. Firewalls help, particularly hardware firewalls such as routers. That’s one of the reasons why folks like me harp on putting your computer behind some sort of a firewall. Firewalls understand the difference between certain types of legitimate internet traffic and types that you’d never need. They block out the unwanted stuff before your computer ever really sees it or has a chance to be infected by it. The good news here is that most operating systems now either come with a software firewall turned on by default or strongly encourage you to turn it on as you perform your initial install. The harsh reality. All malware is not created equal, which is why there are so many different terms to describe the variations. Some exist merely to propagate. Others exist to do damage. Some exist to silently send spam. Still others start to blur the line between virus and spyware as they install monitoring or additional vulnerabilities on your system. Some travel by email. Others travel by downloaded applications. As we just saw, others can travel from unprotected computer to unprotected computer directly through the internet. No anti-malware tool can protect you from yourself. For example, if you open an email attachment that you don’t recognize and run it, you may install a virus before your anti-virus software has a chance to act. When downloading a file, if you choose to ignore a warning that your anti-virus package or firewall displays, you’re telling the software that you know better than it does what is or is not safe. If you choose to connect without a firewall or choose not to use automatic updating tools to keep your system as up-to-date as possible … it’s on you to know what you’re doing. It’s hard to say. Ask 10 people and you’ll get 10 different answers: hackers with too much free time, operating systems that aren’t robust enough, success in the marketplace that makes for a bigger target, and more. Of late, there’s more money to be made by infecting large numbers of machines with spam-sending bot software. For whatever reason, it is like this and will be for the foreseeable future. That’s why you and I are each responsible for keeping our computers safe on the internet. 5. Why the value of stolen information which prices range in underground marketplace is so wide? For your information Because stolen information allows a business to make informed decisions, attain long term business especially in this digital age. Making right decision in 21st century need Speed and accuracy, every successful organization has to go through a comprehensive market research process which enables management to make the right decision. Information is the plain facts and statistics collected during the operations of a business throughout many years with high cost. They can be used to measure/record a wide range of business activities - both internal and external. It is the basis for all reporting and as such is crucial in business. Example, customer data are the metrics that relate to customer interaction. It can be the number of jobs, the number of enquiries, the income received, the expenses incurred, In this context, customer information would be useful in providing metrics surrounding client/customer engagement to determine new ways to engage or work with your completion’s clients.

The Underground Hacker Marketplace Imagine walking through a marketplace with vendors lining both sides of the street.
As you look at all the displays, you notice a wide range of products and services, from high-end to low-end offerings, with something for everyone. Many vendors you walk by provide discounts for bulk purchases and promise money-back guarantees if you are not happy with the product. As you examine the products you become inspired and ask yourself, “Why can’t I learn to make these products myself and use them?” Just as this thought bubble dissipates from your brow, you turn the corner and find a row of vendors offering classes on how to build and use these products in the comfort of your own home. Truly a one-stop-shop! Why can’t more businesses have such a forward thinking strategy? Welcome to the underground hacker marketplace. The imagery described above is an accurate depiction of today’s marketplace for cybercriminals: a world of commerce with goods, tools and training to enable hackers to breach unsuspecting individuals, groups, and companies. Dell SecureWorks’, Director of Malware Research Joe Stewart and Network Security Analyst David Shear visited this dark market during November 2014 to see how the underground market was evolving. They found a larger selection of stolen goods and tools for hacker enablement, along with a new level of business strategy and sophistication. Stolen Goods for Hacker Enablement The underground hacker marketplace is a haven for purchasing stolen personal data, credit cards and bank accounts. Shopping is easy in this dark market. Shoppers can obtain these illicit goods with a simple click of a button, in the comfort of their home.
All the dirty work of obtaining the stolen credentials and accessing accounts has already been done. One of the most notable additions in the market is an increase in the number of fake credentials for sale. These fake credentials include new identity packages, passports, driver’s licenses and social security cards. These documents can enable criminals to defraud, deceive and cheat victims out of money via false bank loan applications, counterfeit checks and fake credit cards. According to one US Law Department, three scammers were producing and selling fake driver’s licenses and using them for “cash out” schemes. These schemes involved stolen credit card information, usually obtained through hacking or ATM skimming operations, which are encoded onto counterfeit credit cards and then used to steal cash from victims’ accounts. According to the FBI, from December 30, 2013 to June 23, 2014, the conspirators sold 1,514 fake driver’s licenses for $232,660. This is just one example of how cybercriminals commit fraud. For the more tech-savvy criminal shopper, online banking credentials are for sale. These electronic stolen goods provide the username and password for a “High Value” online bank account with a “verified” balance between $70,000 and $150,000 for approximately six percent of the account balance. Smart criminals would pay this rate only to a seller who had a reputation for providing solid credentials for premium verified accounts. For a $70,000 account that payoff would run approximately $4,200. The hacker marketplace carries a wide array of products at different price points. New types of bundled illicit goods are continually being adding to upsell and cross-sell, resulting in increased profitability for cybercriminals. Below is the typical going rate for stolen credentials, credit cards and bank accounts. Source: Dell SecureWorks, Underground Hacker Markets Report December 2014

Tools and Training for Beginner Hackers An easy way to begin a career in cybercrime and commit other acts of fraud is by simply purchasing the goods necessary to perform the fraudulent act. For hackers who have higher aspirations and are ready to take a deeper plunge, there are readily available training and tools for sale. In this section of the underground market, both malware and infected computers can be quickly and easily purchased for “off-the-shelf” cybercrime. Hacker Tutorials train eager-to-learn beginners, and hacker services are easily obtained for more advanced cybercrime. Malware in this section of the market ranges anywhere from $20 for basic Remote Access Trojans (RATs) to $1,800 a month for more advanced exploit kits. Many common RATs for purchase include: Darkcomet, *Blackshades, Cybergate, Predator Pain and Dark DDoser. RAT prices have dropped during the past 12 months, likely due to the fact that there are numerous RATS available which are free because the source code has been leaked. Hackers like a RAT that is easily available for purchase or for free because they can run it through a Crypter which makes it undetectable to anti-virus and anti-malware programs. A popular Crypter such as Aegis, Sheikh Crypter or xProtect cost a criminal shopper somewhere between $50 and $150, depending on how well it encrypts the malware and makes it fully undetectable. Advanced hackers know how to code their own Crypters, so many of those buying Crypters are unskilled “script kiddies” looking to make a quick hit. The two most common types of exploit kits for sale are Nuclear and Sweet Orange which can be leased by day, week or month. The cost in the underground market for a month of Nuclear runs around $600, and Sweet Orange runs approximately $1,800 a month.
A new feature in the hacker marketplace is geographically focused products and services. Compromised computers or bots for sale, are now located in specific countries so that they can access region-specific financial sites. This improvement has increased the price of bots substantially. Bots located in the US are priced higher than many other regions. It is theorized that US bots would potentially have access to financial sites that people in other countries don’t have access to. For example, if the hackers’ intention is to steal Coinbase bitcoin accounts, they would need access to compromised US computers because Coinbase only does business with US-based customers. Likewise, European-issued credit cards are more secure due to the use of chip and pin technology mandated by EMV, a technical standard for smart payment cards and payment terminals. They are more difficult to hack, resulting in a lower price for European bots. In the underground market, the going rate for a thousand US bots is $140-$190 but only $100-$120 for a thousand UK bots, and a nominal$4-$12 for Asia bots. For novice hackers or “newbies,” as they are often called by established hackers, the underground marketplace is a great avenue to learn from experienced hackers who sell Hacker Training Tutorials. The topics span from how to do “Basic Carding” to “Cashing Out Fullz or Credit Cards via Online Shopping” to “How to do ATM Hacks and Get Much More Money that you Withdraw” to “How to have 100% Successful Bank Transfers.” Manuals containing handfuls of tutorials explain a variety of cybercriminal activities can be purchased for a mere $30, while individual training tutorials can run as low as one dollar. Tutorials on exploit kits, Crypters, DDoS attacks, Spam attacks and phishing are also available. These tutorials not only explain what a Crypter, Remote Access Trojan (RAT) and exploit are but also how their used, popularity and typical purchase price. For hackers who don’t want to do the dirty work themselves, hacker services are available for hire. Some common services include: hacking into a website, Distributed Denial or Service (DDoS) Attacks and Doxing. The purchase price for website hacking varies depending on the reputation of the hacker. The higher the price, the more reputable the hacker. It is common to see prices range $100 -$300. The cost of a hacking service that knocks a website offline has remained stable. Pricing is established by number of attacks for a specified period of time. For example, a Dodos attack will run $3- $5 per hour, $90- $100 per day, and $400 - $600 per week. Lastly, Doxing is available and used when someone is seeking intel on a target. A hired hacker will get all the information on the target by searching through social media sites, public information sites, social engineering manipulation and information-stealing malware. Doxing Services are priced $25 - $100. Conclusion: Continuous Improvement to Products and Services The underground marketplace continually evolves. These virtual storefronts of illegal commerce are well-oiled machines offering 100% Satisfaction Guarantees and bundled deals on numerous offerings. It’s important to remain aware of the sophistication of this changing marketplace to make better decisions about the best security measures to protect against known and evolving threats. This short visit to the illegal underground hacker bazaar, has provided you a brief snapshot of the thriving cybercriminal world of commerce. As long as there is valuable data available to steal, the Underground Hacker Marketplace will continue to boom. This underscores the importance of a layered security approach. “According to the FBI, from December
30, 2013 to June 23, 2014, the conspirators sold 1,514 fake driver’s licenses for $232,660.” “These virtual storefronts of illegal commerce are well-oiled machines offering 100% Satisfaction Guarantees and bundled deals on numerous
offerings.”