
Cybercrime, Part I

Tyler Moore

Computer Science & Engineering Department, SMU, Dallas, TX

Lecture 11

Characteristics of cybercrime
Cybercrime supply chains

Defining cybercrime
How is cybercrime different?
Primary vs. infrastructure cybercrimes

Defining cybercrime

We (mainly) adopt the European Commission’s proposed definition:

1. traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems;

2. the publication of illegal content over electronic media (e.g., child sexual abuse material or incitement to racial hatred);

3. crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.

For this part of the course, we are mainly concerned with cybercrimes that are profit-motivated, not so much crimes fitting the second component of the definition.

The boundary between traditional and cybercrimes is fluid.

3 / 28


Distinguishing between types of cybercrime

Online banking fraud

Fake antivirus

‘Stranded traveler’ scams

‘Fake escrow’ scams

Advanced fee fraud

Infringing pharmaceuticals

Copyright-infringing software

Copyright-infringing music and video

Online payment card fraud

In-person payment card fraud

PABX fraud

Industrial cyber-espionage and extortion

Welfare fraud

Tax and tax filing fraud

Categories along the spectrum: ‘Genuine’ cybercrime / Transitional cybercrime / Traditional crime becoming ‘cyber’

4 / 28


How does cybercrime differ from traditional crime?

1. Scale – a single attack can make little money and be unsuccessful most of the time, yet still be hugely profitable if it is replicated easily for almost no cost

2. Global addressability – the pool of available targets remains practically infinite

3. Distributed control – stakeholders have competing interests and limited visibility across networks, which hampers the ability to defend against attacks

4. International nature – makes law enforcement more difficult

5 / 28


Distinguishing between ‘primary’ cybercrimes and infrastructure crimes

‘Primary’ cybercrimes perpetrate a particular scam (e.g., phishing steals bank credentials, illicit pharmaceutical programs sell prescription drugs without prescription)

Yet these primary cybercrimes rely on a criminal infrastructure common to most scams:

1. Exploits: offer a way to compromise computers so that unauthorized software can be executed

2. Botnets: provide anonymity to criminals and a resource for exploitation

3. Email spam: advertises scams to unsuspecting victims

4. Search-engine poisoning: exposes unsuspecting victims to scams

6 / 28

The underground economy
Sample cybercrimes
Strategies for integrating criminal supply chains

Supply chains and the division of labor

Adam Smith on pin production (1776):

One man draws out the wire, another straights it, a third cuts it, a fourth points it, a fifth grinds it at the top for receiving the head: to make the head requires two or three distinct operations: to put it on is a particular business, to whiten the pins is another ... and the important business of making a pin is, in this manner, divided into about eighteen distinct operations, which in some manufactories are all performed by distinct hands, though in others the same man will sometime perform two or three of them.

8 / 28


The underground economy: division of labor in cybercrime

Advertisement

i have boa wells and barclays bank logins....have hacked hosts, mail lists, php mailer send to all inbox
i need 1 mastercard i give 1 linux hacked root
i have verified paypal accounts with good balance... and i can cashout paypals

Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf

9 / 28


Credit card #s for sale on underground

Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf

10 / 28


Services on offer on underground

Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf

11 / 28


Some advertised prices on the underground

Source: http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf

12 / 28


Cybercrime supply chains

traffic → host → hook → monetization → cash out

13 / 28


Phishing supply chain step 1: traffic (email spam)

14 / 28


Phishing supply chain step 2: host (compromise server)

15 / 28


Phishing supply chain step 3: hook (phishing kit)

16 / 28


Phishing supply chain step 4: monetize (bank transfer)

17 / 28


Phishing supply chain step 5: cash out (hire mules)

18 / 28


Illicit online pharmacies

What do illicit online pharmacies have to do with phishing?

Both make use of a similar criminal supply chain:

1. Traffic: hijack web search results (or send email spam)

2. Host: compromise a high-ranking server to redirect to pharmacy

3. Hook: affiliate programs let criminals set up website front-ends to sell drugs

4. Monetize: sell drugs ordered by consumers

5. Cash out: no need to hire mules, just take credit cards!

For more: http://lyle.smu.edu/~tylerm/usenix11.pdf

20 / 28


Abusing dynamic search terms

21 / 28


At best you may encounter ad-filled sites

22 / 28


At worst you may encounter malware

23 / 28


Abusing search-engine results

Once again the criminal supply chain is similar:

1. Traffic: hijack unrelated web search results

2. Host: compromise a high-ranking server

3. Hook: install an exploit (for fake AV), or fill with auto-generated content (for ad sites)

4. Monetize: peddle fake AV or load page with ads

5. Cash out: credit cards or hire mules (fake AV), or get paid by ad platforms

For more: http://lyle.smu.edu/~tylerm/ccs11.pdf

24 / 28


Cybercrime supply chains: common mode of operation

Cybercrime             | Traffic              | Host          | Hook             | Monetization        | Cash out
-----------------------|----------------------|---------------|------------------|---------------------|------------
Phishing (bank)        | email spam           | hacked server | website kit      | ACH transfer        | money mule
Phishing (email acct.) | email spam           | hacked server | website kit      | ‘stranded traveler’ | -
Phishing (email acct.) | email spam           | hacked server | website kit      | malware             | -
Phishing (social net.) | email spam           | hacked server | website kit      | ‘stranded traveler’ | -
Phishing (social net.) | email spam           | hacked server | website kit      | malware             | -
Illicit pharma         | email spam           | hacked server | website frontend | payments            | -
Illicit pharma         | web poisoning        | hacked server | website frontend | payments            | -
Fake antivirus         | web poisoning        | hacked server | exploit install  | payments            | -
Fake antivirus         | web poisoning        | hacked server | exploit install  | e-currency          | money mules
Ad-laden sites         | web poisoning        | own server    | -                | PPC ads             | ad platform
Typosquatting          | user error           | own server    | -                | PPC ads             | ad platform
‘Stranded traveler’    | social net. takeover | -             | deceptive msg.   | wire transfer       | -
‘Fake escrow’ scams    | auction buyers       | own server    | deceptive msg.   | wire transfer       | -
Industrial espionage   | email spam           | own server    | exploit install  | exfiltrate data     | -

25 / 28

Market for crimeware

[Figure: the supply chain traffic → host → hook → monetization → cash out, with four ways an attacker can source its stages; in Option 1 each stage is bought from a different party (Alice, Bob, Charlie, David).]

Option 1: underground market as pin factory
Attacker: buys (traffic), buys (host), buys (hook), sells (monetization), mules (cash out)
Phisherman: buy spam → buy comp. server → buy kit → sell credentials → hires mules
Counterfeit drugs salesman: buy spam → hire server → be affiliate → complete sale

Option 2: traffic brokers
Attacker buys traffic (from Alice), then monetizes it: advertising fraud, infect with malware
More info: http://iseclab.org/papers/weis2010.pdf

Option 3: exploit-as-a-service
Attacker provides traffic, buys EaaS → install malware
More info: http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf

Option 4: pay-per-install
Attacker orders PPI → use compromised machines (e.g., show fake AV, steal credentials, launch DoS)
More info: http://www.usenix.org/events/sec11/tech/full_papers/Caballero.pdf

26 / 28


Vertical integration of supply chains

traffic → host → hook → monetization → cash out

While underground forums, pay-per-installs and exploit-as-a-service attract the most attention, some criminals vertically integrate.

Why? Better defense against ‘rippers’ (see http://research.microsoft.com/pubs/80034/nobodysellsgoldforthepriceofsilver.pdf)

Some EaaS and PPI suites are not for sale, but instead used exclusively by particular gangs (e.g., Carberp)

27 / 28


Vertical integration in phishing: rock-phish gang

‘Rock-phish’ gang used vertical integration to carry out phishing attacks

At 2007-08 peak, accounted for half of phishing attacks

1. Purchase several innocuous-sounding domains (e.g., lof80.info)

2. Send out phishing email with URL http://www.volksbank.de.netw.oid3614061.lof80.info/vr

3. Gang-hosted DNS server resolves domain to IP address of one of several compromised machines

4. Compromised machines run a proxy to a back-end server

5. Server loaded with many fake websites (around 20), all of which can be accessed from any domain or compromised machine
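The hostname in step 2 and the many-brands-behind-one-domain set-up in step 5 give defenders two things to look for. The following is an added example, not the lecture's material: it flags hostnames whose subdomain labels carry a monitored brand while the registrable domain is unrelated, and clusters URLs by registrable domain to spot one domain fronting several brands. The public-suffix list, brand list and sample URLs (apart from the slide's own) are constructed for the example.

```python
# Added example (not from the lecture): flag rock-phish style URLs, where a target
# brand's hostname is embedded as subdomain labels of an unrelated, innocuous-looking
# registrable domain, and where one such domain fronts many brands at once.
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List; real tooling uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "de", "co.uk", "com.au"}

# Assumption: brands the defender monitors, token -> the brand's legitimate domain.
BRAND_TOKENS = {"volksbank": "volksbank.de", "paypal": "paypal.com",
                "barclays": "barclays.co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label) of `host`."""
    labels = host.lower().rstrip(".").split(".")
    # Try the two-label suffix first so that co.uk wins over a bare uk-style suffix.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def brands_in_subdomain(host: str) -> set:
    """Brand tokens found in the labels to the LEFT of the registrable domain.
    A brand's own subdomains (online.paypal.com) carry the token inside the
    registrable domain, not left of it, so they are not reported here."""
    host = host.lower()
    reg = registrable_domain(host)
    if host == reg:
        return set()
    left_labels = host[: -len(reg) - 1].split(".")  # strip ".<reg>" from the right
    return {tok for tok in BRAND_TOKENS if any(tok in lab for lab in left_labels)}


def classify_url(url: str) -> dict:
    """Per-URL check: which monitored brands does the hostname impersonate?"""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    impersonated = {b for b in brands_in_subdomain(host) if BRAND_TOKENS[b] != reg}
    return {"host": host, "registrable": reg, "impersonated": impersonated}


def rock_phish_domains(urls, min_brands: int = 2) -> dict:
    """Cluster URLs by registrable domain. A domain whose subdomains impersonate at
    least min_brands distinct brands matches the 'many fake sites reachable from any
    domain' pattern of the slide; returns {domain: sorted brand tokens}."""
    by_domain = defaultdict(set)
    for url in urls:
        r = classify_url(url)
        by_domain[r["registrable"]].update(r["impersonated"])
    return {d: sorted(b) for d, b in by_domain.items() if len(b) >= min_brands}


# Constructed sample feed: the first URL is the one shown on the slide, the next two
# are made-up siblings on the same innocuous domain, the last two are legitimate.
SAMPLE_URLS = [
    "http://www.volksbank.de.netw.oid3614061.lof80.info/vr",
    "http://www.paypal.com.secure.oid3614061.lof80.info/cgi",
    "http://online.barclays.co.uk.netw.oid9912.lof80.info/olb",
    "https://www.volksbank.de/",
    "https://online.paypal.com/signin",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify_url(url))
    print(rock_phish_domains(SAMPLE_URLS))  # {'lof80.info': ['barclays', 'paypal', 'volksbank']}
```

Substring matching on labels is deliberately loose (it also catches "paypal-secure"), so in practice the output is a triage queue rather than a block list.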

28 / 28
