Sunday, September 30, 2018

FBI's Crime Data Explorer: What the Numbers Say about Cybercrime

What do the numbers say about Cybercrime?  Not much.  No one is using them.  

There is a popular quote often mis-attributed to the hero of Total Quality Management, Edward Deming:  "If you can't measure it, you can't manage it."Its one of the first things I think about every year when the FBI releases their annual Crime Statistics Report, as they just did for 2017.   (The "mis-attributed" is because for all the times he has been quoted, Deming actual said almost the exact opposite.  What he actually said, in "The New Economics," was:  "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth.")

Despite being a misquote, I've used it often myself.  There is no way to tell if you are "improving" your response to a crime type if you don't first have valid statistics for it.  Why the quote always pops to mind, however, is because, in the case of cybercrime, we are doing a phenomenal job of ignoring it in official police statistics.  This directly reflects the ability and the practice of our state and local law enforcement agencies to deal with online crime, hacking, and malware cases.  Want to test it yourself?  Call your local Police Department and tell them your computer has a virus.  See what happens.

It isn't for lack of law!  Every State in the Union has their own computer crime law, and most of them have a category that would be broadly considered "hacking."  A quick reference to all 50 states computer crime laws is here:  State Computer Crime Laws - and yet with a mandate to report hacking to the Department of Justice, almost nobody is doing it.

You may be familiar with the Uniform Crime Report, which attempts to create a standard for measurement of crime data across the nation.  UCR failed to help us at all in Cybercrime, because it focused almost exclusively on eight major crimes that were reported through the Summary Reporting System (SRS):

murder and non-negligent homicide, rape, robbery, aggravated assault, burglary, motor vehicle theft, larceny-theft, and arson.

The data for calendar year 2017 was just released this week and is now available in a new portal, called the Crime Data Explorer.  Short-cut URL:

To capture other crime types, the Department of Justice has been encouraging the adoption of the NIBRS - the National Incident-Based Reporting System.  This system primarily focuses on  52 crime categories, and gathers statistics on several more.  Most importantly for us, it includes several categories of "Fraud Crimes"

  • 2 / 26A / False Pretenses/Swindle/Confidence Game
  • 41 / 26B / Credit Card/ATM Fraud
  • 46 / 26C / Impersonation
  • 12 / 26D / Welfare Fraud
  • 17 / 26E / Wire Fraud
  • 63 / 26F / Identity Theft
  • 64 / 26G / Hacking/Computer Invasion

Unfortunately, despite being endorsed by most every major law enforcement advocacy group, many states, including my own, are failing to participate.  The FBI will be retiring SRS in 2021, and as of September 2018, many states are not projected to make that deadline:
In the just-released 2017 data, out of the 18,855 law enforcement agencies in the United States, 16,207 of them submitted SRS "old-style" UCR data.  Only 7,073 (42%) submitted NIBRS-style data.

Unfortunately, the situation when it comes to cybercrime is even worse.  For SRS-style reporting, all cybercrimes are lumped under "Fraud".  In 2016, SRS reported 10.6 Million arrests.  Only 128,531 of these were for "Fraud" of which cybercrime would be only a tiny portion.

Of those eight "fraud type" crimes, the 2017 data is not yet available for detailed analysis  (currently most of state data sets, released September 26, 2018, limit the data in each table to only 500 rows.  Since, as an example, Hoover, Alabama, the only city in my state participating in NIBRS, has 3800 rows of data, you can see how that filter is inadequate for state-wide analysis in fully participating states!

Looking at the NIBRS 2016 data as a starting point, however, we can still see that we have difficulty at the state and local police level in understanding these crimes.  In 2016, 6,191 law enforcement agencies submitted NIBRS-style data.  Of those 5,074 included at least some "fraud type" crimes.  Here's how they broke down by fraud offense.  Note, these are not the number of CRIMES committed, these are the number of AGENCIES who submitted at least one of these crimes in 2017:

type - # of agencies - fraud type description
 2 - 4315 agencies -  False Pretenses/Swindle/Confidence Game
41 - 3956 agencies -  Credit Card/ATM Fraud
46 - 3625 agencies - Impersonation
12 - 328 agencies - Welfare Fraud
17 - 1446 agencies - Wire Fraud
63 - 810 agencies - Identity Theft
64 - 189 agencies - Hacking/Computer Invasion

Only 189 of the nation's 18,855 law enforcement agencies submitted even a single case of "hacking/computer invasion" during 2016!  When I asked the very helpful FBI NIBRS staff about this last year, they confirmed that, yes, malware infections would all be considered "64 - Hacking/Computer Invasion".  To explore on your own, visit the NIBRS 2016 Map.  Then under "Crimes Against Property" choose the Fraud type you would like to explore.  This map shows "Hacking/Computer Intrusion."  Where a number shows up instead of a pin, zoom the map to see details for each agency.

Filtering the NIBRS 2016 map for "Hacking/Computer Intrusion" reports
 As an example, Zooming the number in Tennessee, I can now see a red pin for Nashville.  When I hover that pin, it shows me how many crimes in each NIBRS category were reported for 2017, including 107 cases of Wire Fraud, 34 cases of Identity Theft, and only 3 cases of Hacking/Computer Invasion:

Clicking on "Nashville" as an example

I have requested access to the full data set for 2017.  I'll be sure to report here when we have more to share.

Sunday, September 16, 2018

Dangerous Invoices and Dangerous Infrastructure

One of the things I've learned in twenty-nine years investigating malware is that MOST bad guys are lazy and cheap.  One of the main ways that shows up is in the reuse of infrastructure.  Or as one of my criminology friends says it "most criminals are caught by identifying patterns of habit and convenience."  That's why it can sometimes be useful to examine a malware sample, even if it fails to trigger due to age.  It is likely that OTHER samples are using the same infrastructure or deployment system.

My friends at Cofense published their finding last week that Microsoft Office macros are still the number one way that malware is being delivered via email, accounting for 45% of all malware delivery mechanisms they have recently studied.  Anyone with a spam collection can quickly reach that same conclusion.  A couple such campaigns even showed up in my personal email this week.

Here's three emails from consecutive days last week sent to one of my personal email domains:

A Purchase Order from "ADNOC" (Sep 6, 2018)

A Purchase Order from H&H Nails (Sep 5, 2018)

A Purchase Order from SS Braid (Sep 4, 2018)
The most convincing phish, as PhishMe and later Cofense have repeatedly demonstrated by studying what millions of customers actually click on, are those which imitate a common business practice, such as these Purchase Orders. In an attempt to be helpful, many will open a Purchase Order received in email, even if they don't recognize the company name, often as a means of directing the PO to the appropriate department.  Big Mistake!

Working from oldest to newest: 

SS BRAID PO.doc was recognized as being malicious by 33 of 59 AV vendors at VirusTotal - a helpful analysis from VMRay, linked in the comments section tells us that the sample attempts to download "kc.exe" from the site rollboat[.]tk.
sale contract.doc was recognized as being malicious by 29 of 59 AV vendors at VirusTotal - and in this case, Dr.Web shared their analysis with VirusTotal, also revealing that the action of open the document would launch the same "kc.exe" file from rollboat, as the other file.

As it turns out, in the three consecutive daily email blasts identified above, each sample had two email attachments, and they were all the same attachments only with different names.
The three 386KB files all had the same hashes, and the three 176KB files also all had the same hashes.  So, for at least September 4, 5, and 6, 2018, kc.exe was the target that the malicious actor wanted us to launch on our computer.  The file is no longer available, which could stall the investigation, but let's look at Habit and Convenience.  If the actor is already hosting on rollboat[.]tk, is it not likely he'll keep doing so until someone prevents him?

Each of the subdirectories contained additional malicious files.  By the directory time stamps, its clear that this criminal continued delivering his malware that began on Sep 4, Sep 5, Sep 6, at least through Sep 14th (Friday).  Since everyone needs a weekend, and business-process-imitating malware is most profitable on weekdays, the criminals haven't uploaded any new malware on Saturday September 15th, or Sunday September 16th.  

The leftover cnn.exe file from September 6th is well-detected (32 of 67 at VirusTotal) although Microsoft, Symantec, and TrendMicro all report the executable as "clean."  The more recent ogox.exe file from September 14th has a slightly poorer 1 in 3 detection (20 of 67 at VirusTotal), as is typical for Friday malware only 60 hours later.  (The various AV engines will all tell you that's because blah blah blah.  I'm running their code. I just infected myself with their AV running. Whatever.) 

Invoice.exe = (14 of 67 on VirusTotal)  - (checks and then self-terminates)
Order.exe = (34 of 68 on VirusTotal


ogo.exe = (44 of 68 on VirusTotal

Regardless of what this malware actually does, the two take-aways here?  Malware continues to spread by imitating common business practices, such as processing Invoices and Purchase Orders.  And Criminals continue to rely on Habit and Convenience, which means they are still able to be tracked by looking at their infrastructure choices.


Monday morning, back to work!  Sure enough, we checked the rollboat directory for fresh files this morning:

VirusTotal 19 of 65


VirusTotal 20 of 67 

I'll also note that this morning on my Windows 10 machine running current Chrome, the file downloads were prevented - marked "This file is dangerous, so Chrome has blocked it."  When I told Chrome to let me download one any way, Windows Defender stopped it.  Sharing information DOES help!

Friday, September 14, 2018

Interac: One Phish to Phish Them All

I recently had the pleasure of bumping into some of my Canadian friends at a Law Enforcement conference.  So when I saw someone mention a "National Bank of Canada" phish, I thought I would pull on the string a bit and see if it was actually an "Interac" phish.   Interac is a system for easily sending money between different Canadian banks. The phishers love it, because by imitating Interac, they can steal login information from any Canadian, regardless of where they bank.

By walking up to a higher directory, sure enough, the National Bank of Canada phish was just a tiny part of an underlying Interac phish hosted at 178.128.125[.]127, a Digital Ocean box in Kalívia, Attiki, Greece.

We can tell by the timestamp of the directory that this is a fresh phish - created earlier this morning:

On each of the banks, clicking on their logo would take the visitor to a phishing site for that brand.  (Curiously, HSBC did not work for this author - it took us to the real HSBC website via a Google search?) 

ATB Phish

Desjardins Phish

Laurentian Bank (LBC) Phish

Manulife Bank Phish 

RBC Royal Bank Phish 
Quite a few of the Phish seemed to be formatted for browsing on a Smart phone: 

BMO Mobile Phish 

CIBC Mobile Phish 

Meridian Bank Phish 

Scotiabank Mobile Phish 

Simplii Financial Phish 

Tangerine Phish 

TD Bank Phish 

On most of the phishing pages after entering a Userid and Password, the phish would indicate that the deposit was no longer available by displaying an Interac Error page: 

An Interac Error page displays briefly, then forwards to the real bank
This means that the banks may be able to detect this phishing victims by looking for "referring URLs" coming from pages named "error.html", for example, in this case:


A few of the brands, such as National Bank of Canada, did ask for additional information:

National Bank of Canada Phish Validation page

After "Validating" the phish forwarded to the real site,, which means they also might wish to check for "referring URLs" containing "Validation" in the path, such as this one:


The CIBC Mobile Phish also had some additional questions for their potential victim:

CIBC Mobile Phish Validation page

So, my Canadian friends, if you get an unanticipated request to deposit funds to your account via Interac, you might want to delay accepting that deposit!