Assignment 4.1 - "Hacking" Laws

Computer Fraud and Abuse Act (CFAA)

  1. In order to avoid breaching the Computer Fraud and Abuse Act (CFAA), pen testers should not "intentionally access a computer without authorization or exceed authorized access" and thereby obtain information contained in a financial record of a financial institution, information from any department or agency of the United States, or information from any protected computer. As a core tenet of ethical hacking, this law should be upheld in all client engagements and personal affairs. As soon as a pen tester accesses a system without explicit consent, they are no longer a "white hat hacker" and become a "grey hat" or "black hat" hacker. Therefore, in order to uphold this section of the CFAA, penetration testers should always refer to their statement of work (SOW) for written legal consent before breaking into a network or system, and stay within the systems and time window the SOW names.

  2. In order to avoid breaching the CFAA's extortion provision, penetration testers should not transmit any communication containing a threat to damage a protected computer, a threat to obtain information from a protected computer or to impair the confidentiality of information on it, or a demand for money or anything of value in relation to damage to a protected computer. A penetration tester should uphold the scope outlined in the SOW; if they exceed that scope, they may violate the CFAA and be punished accordingly.

Vermont's state law (Title 13 Crimes, Chapter 87 Computer Crimes)

  1. Vermont Statutes Title 13, Chapter 87: Computer Crimes, defines the offences and punishments surrounding computer crimes. In order to avoid breaching Section 4102: Unauthorized access, penetration testers should not knowingly and intentionally access any computer or system without lawful authority. To lawfully access a system, penetration testers should always refer to their statement of work for written legal consent and authority.

  2. In order to avoid breaching Section 4103: Access to computer for fraudulent purposes, penetration testers should never access a computer or system with the intent to commit fraud or to obtain services, property, or money under false pretenses. Testers must ensure that all actions are performed strictly within the agreed scope and purpose outlined in their statement of work. Social-engineering activity that involves deception should therefore be explicitly authorized in the SOW, since otherwise it could be considered fraudulent access and a violation of this section.

  3. To comply with Section 4104: Alteration, damage, or interference, penetration testers must avoid intentionally modifying, destroying, or disrupting any computer system, network, or data beyond the agreed-upon scope. Testers should use non-destructive testing methods unless destructive testing (for example, denial-of-service testing) is explicitly authorized.

  4. Under Section 4105: Theft or destruction, penetration testers should never remove, delete, or destroy any data or digital property from a system without prior written consent. Testers should refrain from copying sensitive data unless it is explicitly permitted as part of the engagement. Data handling procedures should be secure, with collected information deleted or returned to the client after the engagement.

Research on the FBI Cyber Most Wanted

Name: Maksim Viktorovich Yakubets

Alias: Aqua

Place of Birth: Ukraine

Crimes:

Maksim Viktorovich Yakubets is wanted for conspiracy, conspiracy to commit fraud, wire fraud, bank fraud, and intentional damage to a computer. He is involved in the deployment of the Zeus malware, which infected thousands of computers in North America and Europe and caused millions of dollars in financial losses. Additionally, he is thought to be part of the Russian hacking group Evil Corp and to have headed the Dridex financial trojan conspiracy, where he oversaw and managed the development, maintenance, distribution, and infection of the malware.

Zeus/Zbot Malware

Zeus (also called Zbot) is a banking trojan first seen in 2007. A Zeus infection gives the attacker control of the infected machine. The original variant relied on man-in-the-browser form grabbing: the trojan hooks the browser's own networking functions and copies the contents of web forms (usernames, passwords, account numbers) at the moment they are submitted, before the browser encrypts them with TLS, and it can also inject extra fields into banking pages to ask the victim for more information than the real site does. Some variants of Zeus are fileless, meaning they run from memory or through legitimate tools already on the system rather than dropping an executable to disk, which makes them harder for antivirus software to detect. Other forms install the CryptoLocker ransomware or add the infected computer to a botnet used for DDoS attacks. The two goals of the Zeus trojan are stealing financial credentials and adding machines to a botnet.

There are two attack vectors that open Windows computers to Zeus Trojan attacks.

  1. Drive-by downloads

    1. The user visits a compromised or malicious website that hosts exploit code.

    2. The page exploits a vulnerability in the browser or a plugin and downloads and runs the trojan without the user's knowledge or consent.

  2. Phishing attacks

    1. Users think they are downloading legitimate software or opening a legitimate attachment from a link in a phishing email or social media post, and run the trojan themselves.

There are many variants of the Zeus malware:

  • Gameover Zeus

    • The most dangerous variant of Zeus; it replaced the central command-and-control server with a peer-to-peer network, which made the botnet much harder to take down.

    • Allows the operators to deliver the CryptoLocker ransomware to computers running Microsoft Windows.

  • SpyEye

    • Banking malware that works very similarly to the original Zeus malware

  • Ice IX

    • The first botnet built on the Zeus source code after it leaked in 2011

    • Uses rogue forms injected into banking pages to steal financial information

  • Carberp

    • Banking trojan that targets older versions of Windows, such as Windows XP and Windows 7

    • Its code was later combined with Zeus's to create Zberp

  • Shylock

    • Uses man-in-the-browser attacks to steal bank account information

Dridex/Bugat/Cridex Malware

Dridex is a financial trojan that targets users' banking credentials. Its main attack vector is phishing email aimed at Windows users. The emails prompt the recipient to download or open a Word or Excel attachment that contains malicious macros. If the user opens the file and enables macros, the macro installs the trojan, which logs keystrokes so the attackers can read what the user types and steal their banking credentials. Targets are mainly financial institutions and their customers.
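The delivery step described above (a macro-enabled Office attachment) is the point where an analyst can stop the chain before anyone clicks "Enable Content". The script below is an added example written for this page, not code from the assignment or from any tool it names: it triages a Word or Excel attachment offline by treating it as what it is, a zip package, and checking for a macro-enabled content type, a vbaProject.bin part, and an extension that hides the fact that macros are present. The sample documents are constructed in memory and the vbaProject.bin placeholder is not a real OLE container.

```python
"""Triage an Office Open XML (.docx/.docm/.xlsx/.xlsm) file for embedded VBA macros.

Added example for this page (not from the original assignment). An OOXML file
is a zip archive; a macro-enabled one carries a vbaProject.bin part and declares
a macroEnabled content type in [Content_Types].xml. Samples are constructed
inline; the fake vbaProject.bin is a placeholder, not a real OLE compound file.
"""
import io
import zipfile

# Content types Word/Excel/PowerPoint declare for the main part of a
# macro-enabled document.
MACRO_ENABLED_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)

# Procedure names Office runs automatically on open/close; a phishing lure
# needs one of these to execute without a further click.
AUTO_EXEC_NAMES = ("AutoOpen", "Document_Open", "Auto_Open", "Workbook_Open", "AutoClose")

# Extensions that openly declare macro support.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def triage_ooxml(data: bytes) -> dict:
    """Return the macro indicators found in an OOXML document given as bytes."""
    result = {"is_zip": False, "macro_enabled_type": False,
              "has_vba_project": False, "auto_exec_names": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not OOXML: legacy .doc/.xls are OLE files and need a different parser.
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        result["macro_enabled_type"] = any(t in ctypes for t in MACRO_ENABLED_TYPES)
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["has_vba_project"] = bool(vba_parts)
        for part in vba_parts:
            blob = zf.read(part)
            # Heuristic only: a real vbaProject.bin compresses module source
            # (MS-OVBA), so auto-exec names are often not visible as raw
            # strings. Use olevba for proper decompression in real triage.
            result["auto_exec_names"].extend(n for n in AUTO_EXEC_NAMES if n.encode() in blob)
    return result


def verdict(data: bytes, filename: str) -> str:
    """Turn the indicators into a triage label for the attachment."""
    r = triage_ooxml(data)
    if not r["is_zip"]:
        return "unknown-format"
    if r["has_vba_project"] or r["macro_enabled_type"]:
        # Macro part inside a file whose extension does not declare macros:
        # do not trust the extension, flag it.
        if not filename.lower().endswith(MACRO_EXTENSIONS):
            return "macro-extension-mismatch"
        if r["auto_exec_names"]:
            return "macro-autoexec"
        return "macro"
    return "no-macro"


CONTENT_TYPES_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="{main}"/>'
    '{extra}</Types>'
)


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML package for the demo (not openable in Word)."""
    main = (MACRO_ENABLED_TYPES[0] if macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    extra = ('<Override PartName="/word/vbaProject.bin" '
             'ContentType="application/vnd.ms-office.vbaProject"/>') if macro else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_TEMPLATE.format(main=main, extra=extra))
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes; a real vbaProject.bin is an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER Sub AutoOpen() ... End Sub")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True))):
        print(name, verdict(blob, name))
```

Run it as a script to see the three constructed cases; the third one (a macro part inside a file named .docx) is the case worth remembering, because a mail gateway that filters on extension alone lets it through.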

Evil Corp./Dridex/INDRIK SPIDER

Evil Corp (tracked by CrowdStrike as INDRIK SPIDER, and often referred to by the name of its Dridex malware) is a Russia-based cybercriminal group that has been active since 2014. They are said to be one of the first major financial crime hacking groups and continue to operate to this day. Indrik Spider started with the Dridex banking trojan and has since moved into ransomware operations using BitPaymer, WastedLocker, and Hades. Led by Maksim Yakubets, the group is a family business based out of Moscow.

[Figure: CrowdStrike INDRIK SPIDER adversary profile]

Sources:
