University of Cambridge - Cambridge Cybercrime Centre /taxonomy/affiliations/cambridge-cybercrime-centre en Honour among thieves: the study of a cybercrime marketplace in action /research/news/honour-among-thieves-the-study-of-a-cybercrime-marketplace-in-action <div class="field field-name-field-news-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even"><img class="cam-scale-with-grid" src="/sites/default/files/styles/content-580x288/public/news/research/news/crop_208.jpg?itok=QwBTRxOF" alt="Someone programming a website in HTML" title="Someone programming a website in HTML, Credit: Mika Baumeister on Unsplash" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Having seen a large rise in illegal transactions during the first national lockdown last spring, the researchers warned that the second lockdown is likely to result in another surge in cybercrime activities. But they also offer insights on how such activity can be disrupted.</p> <p>The researchers have been collecting the data on illicit trades from HackForums – the world’s largest and most popular online cybercrime community. Two years ago, it set up a market where contracts had to be logged for all transactions as an attempt to protect members of the community from scamming and frauds.</p> <p>The contract system was introduced in 2018, and then made mandatory in spring 2019, for all market users. It logged all the illicit buying and selling of – among other things – malicious software (malware), currencies including Bitcoin and gift vouchers, eWhoring ‘packs’ (e.g. of photos and videos with sexual content), hacking tutorials and tools that allow users illegally to access or control remote servers.
</p> <p>Ironically, HackForums had introduced the contract logging system in response to its members’ concerns that trades were being abused and they were being scammed. But in doing so, it unwittingly lifted the lid on the way such underground markets operate.</p> <p>The data the contract logging generated has been collected by researchers here. And after analysing it and using statistical modelling approaches, the researchers have been able to shed important new light on the way a cybercrime market operates, hopefully to the benefit of the security community.</p> <p>The researchers watched the market initially function as a forum where many individual users conducted one-off transactions. Then it changed. As the contract system became mandatory, within a few months, the market was becoming concentrated around a small group of ‘power-users’ offering goods and services that were attractive to many.</p> <p>“This small group of users – representing about 5 per cent of all users – are involved in around 70 per cent of all the transactions,” said Anh Vu, a research assistant in the Cambridge Cybercrime Centre and co-author of the paper the Centre has just produced, <a href="https://www.cl.cam.ac.uk/~vv301/papers/imc20.pdf">‘<em>Turning Up the Dial: the Evolution of a Cybercrime Market through Set-up, Stable, and Covid-19 Eras’</em></a>.</p> <p>And then came the global declaration of the coronavirus pandemic in March 2020. The research team saw the virus and the resulting lockdowns that were introduced significantly “turn up the dial” on the number of market transactions.</p> <p>“There was a big rise in transactions in what we call the ‘Covid-19 era’,” said Anh.
“Looking at the discussion forums, we could see that a period of mass boredom and economic change – when presumably some members were not able to go to school and others had lost their jobs – really stimulated the market.</p> <p>“Members needed to make money online and they had a lot of time on their hands, and so we saw a rise in trading activity. We expect to see another rise during the second lockdown, but we don’t think it will be as large as during the first.”</p> <p>The increase in business during the pandemic also meant that contracts for transactions were concluded much faster. Where in the early months of the market, the completion time for contracts was around 70 hours, during the pandemic it dropped to less than 10 hours.</p> <p>Online underground forums like HackForums are communities used for trading in illicit material and sharing knowledge. The forums support a plethora of cybercrimes, allowing members to learn about and engage in criminal activities such as trading virtual items obtained by illicit means, launching denial of service attacks, or obtaining and using malware. They facilitate a variety of illicit businesses aiming at making easy money.</p> <p>The Cambridge Cybercrime Centre researchers have done some previous work looking at underground forums. “But this is the first dataset we are aware of that provides insights about the contracts made in these forums,” says Anh. Previously, while traders might meet online in a forum, they would likely trade offline via private messaging. But the introduction of the contract system means all trades are now logged – and can therefore be tracked.</p> <p>Using the data, the researchers looked at a variety of trading activities taking place in the market.
The largest activities were currency exchanges and payments – for example, exchanging Bitcoin (a very popular currency in illicit trading because people believe that it leaves no trace) for PayPal funds.</p> <p>This activity was followed by trades in gift cards (including Amazon gift cards) and software licences. “When you install a software package like Windows,” Anh said. “You have to input a key to activate it. People often buy software keys illegally in a market like this because it is cheaper for them than purchasing it officially from Microsoft – and sometimes they can obtain it for free in exchange for other items.”</p> <p>Other products and services they found being traded in the underground market were hacking tutorials, remote access tools and eWhoring materials – photos and videos with sexual content that are sold to a third party, who pays for them believing that they are paying for an online sexual encounter.</p> <p>They used several methods to try and estimate the values of trades taking place via HackForums and concluded that taking both public and private transactions into account and extrapolating by each contract type, the lower bound total of trades was in excess of $6 million.</p> <p>What the researchers learned about the operation of an underground cybercrime market is valuable, they believe, to the security community. The logging of contracts when goods were traded has allowed users to build up a form of trust and reputation and this in turn led to the rise of the ‘power-users’ in the market.</p> <p>“And now we know a small group of power-users are responsible for a large number of transactions, it would make sense to focus interventions on them,” Anh said.
“As that will have a much bigger impact than going after a large number of individuals.”</p> <p>In their paper they suggest interventions to undermine the perceived reputations and trustworthiness of the big players – for example by posting false negative reviews of them and using other methods, known as Sybil attacks, that disrupt the market’s reputation systems.</p> <p>And the researchers are continuing to watch the market. “We’re interested to know how the marketplace evolves during this second lockdown and afterwards,” said Anh. “And will be looking to see whether any new trading activities emerge.”</p> <p><strong><em>Reference: </em></strong><br /> <a href="https://www.cl.cam.ac.uk/~vv301/papers/imc20.pdf">‘<em>Turning Up the Dial: the Evolution of a Cybercrime Market through Set-up, Stable, and Covid-19 Eras’</em></a><em> was presented at a seminar series of the 2020 Internet Measurement Conference. It was also presented at the <a href="https://www.cst.cam.ac.uk/seminars/list/152692">Workshop on Security and Human Behaviour</a> taking place on Thursday 5 November 2020</em>.</p> </div></div></div><div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>Researchers at the Cambridge Cybercrime Centre have revealed what they’ve learned from analysing hundreds of thousands of illicit trades that took place in an underground cybercrime forum over the last two years.</p> </p></div></div></div><div class="field field-name-field-content-quote field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even">We’re interested to know how the marketplace evolves during this second lockdown and afterwards, and will be looking to see whether any new trading activities emerge</div></div></div><div class="field field-name-field-content-quote-name field-type-text field-label-hidden"><div
class="field-items"><div class="field-item even">Anh Vu</div></div></div><div class="field field-name-field-image-credit field-type-link-field field-label-hidden"><div class="field-items"><div class="field-item even"><a href="https://unsplash.com/photos/flat-screen-computer-monitor-displaying-white-and-black-screen-J5yoGZLdpSI" target="_blank">Mika Baumeister on Unsplash</a></div></div></div><div class="field field-name-field-image-desctiprion field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Someone programming a website in HTML</div></div></div><div class="field field-name-field-cc-attribute-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="http://creativecommons.org/licenses/by/4.0/" rel="license"><img alt="Creative Commons License" src="https://i.creativecommons.org/l/by/4.0/88x31.png" style="border-width:0" /></a><br /> The text in this work is licensed under a <a href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International License</a>. Images, including our videos, are Copyright © University of Cambridge and licensors/contributors as identified. All rights reserved.
We make our image and video content available in a number of ways – as here, on our <a href="/">main website</a> under its <a href="/about-this-site/terms-and-conditions">Terms and conditions</a>, and on a <a href="/about-this-site/connect-with-us">range of channels including social media</a> that permit your use and sharing of our content under their respective Terms.</p> </div></div></div><div class="field field-name-field-show-cc-text field-type-list-boolean field-label-hidden"><div class="field-items"><div class="field-item even">Yes</div></div></div> Fri, 06 Nov 2020 16:19:06 +0000 Anonymous 219481 at Combating cybercrime when there's plenty of phish in the sea /research/features/combating-cybercrime-when-theres-plenty-of-phish-in-the-sea <div class="field field-name-field-news-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even"><img class="cam-scale-with-grid" src="/sites/default/files/styles/content-580x288/public/news/research/features/161020teqis-graffitti-phishlasthuckleberry.jpg?itok=sC6xqJpZ" alt="" title="TeQi&amp;#039;s Graffitti Phish, Credit: LastHuckleBerry" /></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>We’ve all received the emails, hundreds, maybe thousands of them. Warnings that our bank account will be closed tomorrow, and we’ve only got to click a link and send credit card information to stop it from happening. Promises of untold riches, and it will only cost a tiny fee to access them. Stories of people in desperate circumstances, who only need some kind soul to go to the nearest Western Union and send a money transfer to save them.</p> <p>Tricking people into handing over sensitive information such as credit card details – known as ‘phishing’ – is one of the ways criminals scam people online. Most of us think we’re smarter than these scams.
Most of us think that we could probably con the con artist if we tried. But we would be wrong.</p> <p>Across the world, cybercrime is booming. When the UK government included cybercrime in the national crime statistics for the first time in 2015, it doubled the crime rate overnight. Millions of people worldwide are victimised by online scams, whether it’s blocking access to a website, stealing personal or credit card information, or attempting to extort money by remotely holding the contents of a personal computer hostage.</p> <p>“Since 2005, the police have largely ignored cybercrime,” says Professor Ross Anderson of Cambridge’s Computer Laboratory. “Reported crime fell by as much as a half in some categories. Yet, now that online and electronic fraud are included, the number of reported crimes has more than doubled. Crime was not falling; it was just moving online.”</p> <p>In 2015, computer scientists, criminologists and legal academics joined forces to form the <a href="https://www.cambridgecybercrime.uk/">Cambridge Cybercrime Centre</a>, with funding from the Engineering and Physical Sciences Research Council. Their aim is to help governments, businesses and ordinary users to construct better defences.</p> <p>To understand how the criminals operate, researchers use machine learning and other techniques to recognise bad websites, understand what kinds of brands tend to be attacked and how often, determine how many criminals are behind an attack by looking at the pattern of the creation of fake sites and how effective the various defence systems are at getting them taken down.</p> <p>One way in which studying cybercrime differs from many other areas of research is that the datasets are difficult to come by. Most belong to private companies, and researchers need to work hard to negotiate access. This is generally done through nondisclosure agreements, even if the data is out of date. 
And once researchers complete their work, they cannot make the data public, since it would reduce the competitive advantage of corporate players, and it may also make it possible for criminals to reverse engineer what was detected (and what wasn’t) and stay one step ahead of law enforcement.</p> <p>One of the goals of the Cambridge Cybercrime Centre is to make it easier for cybercrime researchers from around the world to get access to data and share their results with colleagues.</p> <p>To open up cybercrime research to colleagues across the globe, the team will leverage their existing relationships to collect and store cybercrime datasets, and then any bona fide researcher can sign a licence with the Centre and get to work without all the complexity of identifying and approaching the data holders themselves.</p> <p>“Right now, getting access to data in this area is incredibly complicated,” says Dr Richard Clayton of Cambridge’s Computer Laboratory, who is also Director of the Centre. “But we think the framework we’ve set up will create a step change in the amount of work in cybercrime that uses real data. More people will be able to do research, and by allowing others to work on the same datasets more people will be able to do reproducible research and compare techniques, which is done extremely rarely at the moment.”</p> <p>One of the team helping to make this work is Dr Julia Powles, a legal researcher cross-appointed between the Computer Laboratory and Faculty of Law. “There are several hurdles to data sharing,” says Powles. “Part of my job is to identify which ones are legitimate – for example, when there are genuine data protection and privacy concerns, or risks to commercial interests – and to work out when we are just dealing with paper tigers. 
We are striving to be as clear, principled and creative as possible in ratcheting up research in this essential field.”</p> <p>Better research will make for better defences for governments, businesses and ordinary users. Today, there are a lot more tools to help users defend themselves against cybercrime – browsers are getting better at recognising bad URLs, for example – but, at the same time, criminals are becoming ever more effective, and more and more people are getting caught in their traps.</p> <p>“You don’t actually have to be as clever as people once thought in order to fool a user,” says Clayton when explaining how fake bank websites are used to ‘phish’ for user credentials. “It used to be that cybercriminals would register a new domain name, like Barclays with two Ls, for instance. But they generally don’t do that for phishing attacks anymore, as end users aren’t looking at the address bar, they’re looking at whether the page looks right, whether the logos look right.”</p> <p>The Centre is also looking at issues around what motivates someone to commit cybercrime, and what makes them stop.</p> <p>According to Dr Alice Hutchings, a criminologist specialising in cybercrime, cybercriminals tend to fall into two main categories. The first category is the opportunistic offender, who may be motivated by a major strain in their lives, such as financial pressures or problems with gambling or addiction, and who uses cybercrime as a way to meet their goals. The second type of offender typically comes from a more stable background, and is gradually exposed to techniques for committing cybercrime through associations with others.</p> <p>Both groups will usually keep offending as long as cybercrime meets their particular needs, whether it’s financial gratification, or supporting a drug habit, or giving them recognition within their community.
What often makes offenders stop is the point at which the costs of continuing outweigh the benefits: for instance, when it takes a toll on their employment, other outside interests or personal relationships.</p> <p>“Most offenders never get caught, so there’s no reason to think that they won’t go back to cybercrime,” says Hutchings. “They can always start again if circumstances in their lives change.</p> <p>“There is so much cybercrime happening out there. You can educate potential victims, but there will always be other potential victims, and new ways that criminals can come up with to social engineer somebody’s details, for example. Proactive prevention against potential offenders is a good place to start.”</p> <p>Criminologist Professor Lawrence Sherman believes the collaboration between security engineering and criminology is long overdue, both at Cambridge and globally: “Cybercrime is the crime of this century, a challenge we are just beginning to understand and challenge with science.”</p> <p>“We’re extremely grateful to the people giving us this data, who are doing it because they think academic research will make a difference,” says Clayton.  “Our key contribution is realising that there was a roadblock in terms of being able to distribute the data. It’s not that other people couldn’t get the data before, but it was very time-consuming, so only a limited number of people were doing research in this area – we want to change that.”</p> <p>“Our Cybercrime Centre will not only provide detailed technical information about what’s going on, so that firms can construct better defences,” says Anderson. 
“It will also provide strategic information, as a basis for making better policy.”</p> </div></div></div><div class="field field-name-field-content-summary field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><p>As more and more crime moves online, computer scientists, criminologists and legal academics have joined forces in Cambridge to improve our understanding and responses to cybercrime, helping governments, businesses and ordinary users construct better defences.</p> </p></div></div></div><div class="field field-name-field-content-quote field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even">You don’t actually have to be as clever as people once thought in order to fool a user</div></div></div><div class="field field-name-field-content-quote-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Richard Clayton</div></div></div><div class="field field-name-field-image-credit field-type-link-field field-label-hidden"><div class="field-items"><div class="field-item even"><a href="https://www.flickr.com/photos/zippidyserendipity/16423188579/in/photolist-r2g8MM-2Trrxt-2Tr8Rc-fot6Xg-9Q6RQu-2TvRhf-2Tr8Nr-a56GGq-9deUiG-JNHovd-JRJrcK-2TriKX-78okxd-2TvLa9-JqYBqh-HVpqjy-2TvPVu-HVkJRR-qZmSti-2TvRo3-JGNDnE-2Tvxr9-2TvLKw-JGJU15-2TvNXY-2Trj1B-2TriVk-JRXjF2-pL2PUE-GpB4w2-2Trpdz-a8D7vn-6vHa6F-2TvPnL-JNHnm9-6aPh2c-Jr8Sps-JNHmzQ-HVCauh-2TvAm1-2Trrii-2TvMkd-2TvMbG-2TvR79-2TrpPM-a54xrr-2TvRS9-2TvGLY-2TrcDB-2TroSz" target="_blank"> LastHuckleBerry</a></div></div></div><div class="field field-name-field-image-desctiprion field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">TeQi&#039;s Graffitti Phish</div></div></div><div class="field field-name-field-cc-attribute-text field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p><a 
href="http://creativecommons.org/licenses/by/4.0/" rel="license"><img alt="Creative Commons License" src="https://i.creativecommons.org/l/by/4.0/88x31.png" style="border-width:0" /></a><br /> The text in this work is licensed under a <a href="http://creativecommons.org/licenses/by/4.0/" rel="license">Creative Commons Attribution 4.0 International License</a>. For image use please see separate credits above.</p> </div></div></div><div class="field field-name-field-show-cc-text field-type-list-boolean field-label-hidden"><div class="field-items"><div class="field-item even">Yes</div></div></div><div class="field field-name-field-license-type field-type-taxonomy-term-reference field-label-above"><div class="field-label">Licence type:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/taxonomy/imagecredit/attribution-sharealike">Attribution-ShareAlike</a></div></div></div><div class="field field-name-field-related-links field-type-link-field field-label-above"><div class="field-label">Related Links:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="https://www.cambridgecybercrime.uk/">Cambridge Cybercrime Centre</a></div></div></div> Fri, 21 Oct 2016 07:51:23 +0000 sc604 180172 at