Ultrascan KPO

Knowledge itself is power

Attacks on US, Korea Web Sites Leave a Winding Trail - PCWorld - 11 08 2009

The investigation into the attacks against high-profile Web sites in South Korea and the U.S. is a winding, twisty electronic goose chase that may not result in a definitive conclusion on the identity of the attackers.

Computer security experts disagree over the skill level of the DDOS (distributed denial-of-service) attacks, which over the course of a few days in early July caused problems for some of the Web sites targeted, including South Korean banks, U.S. government agencies and media outlets.

The DDOS attack was executed by a botnet, or a group of computers infected with malicious software controlled by a hacker. That malware was programmed to attack the Web sites by bombarding them with page requests that far exceed normal visitor traffic. As a result, some of the weaker sites buckled.

While there are hundreds of DDOS attacks that occur every day, the one from last month has interesting characteristics. First, it was carried out using a botnet of up to an estimated 180,000 computers that was almost entirely located within South Korea.

"It's very rare to see a botnet of that size so localized," said Steven Adair of The Shadowserver Foundation, a cybercrime watchdog group. "Large-size botnets do usually take time to build up and a lot of effort from attackers."

And basic questions appear to be unanswered, such as how the attackers were able to infect such a large number of computers in South Korea with the specific code that commandeered the computers to attack a list of Web sites.

The investigation has geopolitical ramifications. South Korea's National Intelligence Service reportedly told the country's lawmakers early last month that it suspected North Korea was involved. Despite no definitive public evidence linking North Korea to the DDOS attacks, the country's hardline demeanor makes it a convenient actor to blame given its prickly relations with the U.S. and South Korea.

The botnet, which is now inactive, appeared to be custom-built for the attacks. Many times people who want to knock a Web site offline will rent time on a botnet from its controller, known as a botnet herder, paying a small fee per machine, such as US$.20. Botnets can also be used for other Internet activity, such as sending spam.

Analysts do know that the computers comprising the botnet had been infected with a variation of MyDoom, a piece of malicious software that repeatedly mails itself out to other computers once it has infected a PC. MyDoom debuted with devastating consequences in 2004, becoming the fastest spreading e-mail worm in history. It is now routinely cleansed from PCs that are running antivirus software, though many computers don't have such protective software installed.

The MyDoom code has been called amateurish, but it was nonetheless effective. The command and control structure for delivering instructions to computers infected with MyDoom used eight main servers that were scattered around the world. But there also was a labyrinthine group of subordinate command and control servers that made it more difficult to trace.

"It is difficult to find the real attacker," said Sang-keun Jang, a virus analyst and security engineer with the security company Hauri, based in Seoul.

IP (Internet Protocol) addresses -- which at most can identify approximately where a computer is plugged in on a network but not its precise location or who is operating the computer -- only give investigators so much information to go on. Open Wi-Fi hotspots can allow an attacker to change IP addresses frequently, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, a nonprofit research institute.

"Anonymous attacks are going to be a fact of life," Borg said. "That has big policy implications. If you can't attribute quickly and with confidence, then most strategies based on deterrence are no longer viable. There's a big revolution that is already under way and needs to be carried out in our defense thinking."

For the South Korea-U.S. DDOS attacks, one security company is taking the approach of following the money. Many DDOS attacks are actually paid transactions, and where there is money, there is some trail.

"Going after IP addresses is not really helpful," said Max Becker, CTO of Ultrascan Knowledge Process Outsourcing, a subsidiary of fraud investigation firm Ultrascan. "What we are trying to do is go after the people who set up and pay for these kinds of attacks."

Ultrascan has a network of informants who are close to organized criminal gangs in Asia, many of which are involved in cybercrime, said Frank Engelsman, an investigator with Ultrascan based in the Netherlands. One question is whether it could be proved a criminal group had been paid by North Korea to carry out the attacks, Engelsman said.

That could take a lot of investigative work. But it may be easier than that.

Cybercriminals make mistakes, such as earlier this year when researchers uncovered a global spying network called "GhostNet" that infected computers belonging to Tibetan nongovernmental organizations, the private office of the Dalai Lama and embassies of more than a dozen countries. A Google search by researcher Nart Villeneuve turned up some of the most damning evidence -- an unencrypted server indexed by the search engine.

From spelling mistakes, to e-mail addresses to coding errors, attackers can leave clues that could turn a cold trail hot.

"You know where the mistakes are likely to be made," said Steve Santorelli, director of global outreach for Team Cymru, a nonprofit Internet security research firm. "You can turn over the right rocks quickly."

And Santorelli added: "Google doesn't forget anything."

News items in which Ultrascan or one of its liaisons was quoted. (in various languages)

(Suckers) Victims lost $9.3 billion to 419 scammers in 2009 - Ars Technica

Advance-fee fraud (AFF), also known as 419 scams and Nigerian scams, exploded in 2009, with victims losing more money than ever before. This is according to the latest analysis from Dutch investigation firm Ultrascan—a company that has been monitoring the activities of 419 scammers since 1996—which says that victims lost almost 50 percent more money in 2009 than 2008.

Ultrascan, a Netherlands-based consultancy, is one of a small number of organizations that has tried to estimate the number and value of advance fee fraud scams worldwide. In an analysis of dozens of mostly rich countries, it concluded that the total losses to British companies and individuals in 2005 were $520 million, second only to the US at $720 million. It further estimated that 20 scam rings comprising, on average, dozens of members were active in the UK. The survey does not show the ‘complete advance fee fraud situation’: in most cases, its estimates are ‘low’ or ‘extremely low’.

Some people argue that foreign countries, including Britain, should make a much bigger effort to gather intelligence on advance fee frauds, as well as other types of Nigeria-related crime. As Ultrascan, the Dutch consultancy, puts it, ‘everyone has a piece of the picture, but no-one has the full picture’.

The 419 Coalition, an anti-scam body, says countries should have a centralized, single place for submission of reports by those targeted by scams.

One Nigerian law enforcement officer warns that it is potentially catastrophic for Britain and other rich nations to ignore these frauds. They are the crude surface manifestation of criminal networks that flourish precisely because people dismiss them as not worthy of serious attention. ‘That was the mistake we made earlier,’ he says. ‘If there is no shift in this position, this problem will become something huge....

The Australian Crime Commission - ORGANISED CRIME IN AUSTRALIA - 2011

.... Advance fee fraud is defined as any fraud requiring a victim to make payment/s in advance of the promised receipt of a large monetary or other material benefit. The extent of advance fee fraud in Australia has continually increased over the past years. There has been a recent increase in the number of advance fee fraud variations observed in Australia, with inheritance, lottery, romance and employment frauds increasing.

The size, sophistication and organisation of foreign-based entities involved in advance fee fraud have increased. Some groups exploit highly complex psychological triggers to target victims. International syndicates are also showing increasing signs of combining advance fee fraud with other offences such as identity crime, counterfeiting and, in some cases, drug trafficking.

It is difficult to accurately assess the total losses caused by advance fee fraud. Victim reporting is limited because of the embarrassment (and, in some cases, fear) attached to reporting such activity. Advance fee fraud losses by companies and individuals in Australia are likely to be hundreds of millions of dollars.

Globally, victims of advance fee fraud lost an estimated US$9.3 billion in 2009, which is an increase from an estimated US$6.3 billion in 2008. The top three countries for advance fee fraud losses in 2009 were the US (US$2.1 billion), the UK (US$1.2 billion) and the People's Republic of China (US$936 million)....

Worldwide Slump Makes Nigeria's Online Scammers Work That Much Harder - Washington Post

Ultrascan Advanced Global Investigations in the Netherlands, which has a special department dedicated to 419 crimes, estimates conservatively that $4.3 billion was lost worldwide to 419 scams in 2007. Countries most victimized are the U.S., U.K. and Japan. Ultrascan's data comes from its own investigations, and it advises that the real figure is likely many times higher.

Famous DJ's Credit Card Details for Sale - PCWorld

Armin Van Buuren is one of the world's most well-known trance music DJs. He also apparently has had his credit card details stolen.

Investigators with Ultrascan, a company that investigates credit card fraud and other kinds of online crime, were doing research on forums and systems used to sell credit card numbers

Catalog of Stolen Data

A potential buyer for stolen credit card details sees a greeting: "Hello welcome to ICQ bot. Press '1' for Russian. Press '2' for English." After pressing "2," users get three selections: "1. Buy CVV, 2. Checker 3. Account," according to a screen shot supplied by Ultrascan.

When CVV is selected, the buyer sees how many credit card details are available, sorted by country. From the screen shot, it was possible to see that some 19,046 U.S. card numbers are for sale, 7,843 from the U.K. and more from other countries such as France, Italy and the Netherlands. .....