
Cybercrime Part II

Tyler Moore

Computer Science & Engineering Department, SMU, Dallas, TX

Lecture 12

Sections: Fighting cybercrime / Measuring cybercrime / The cost of cybercrime

Fighting cybercrime

Private actors take steps to mitigate the risk of cybercrime (e.g., install AV)

Considerable effort is made to stop cybercrime after it has been committed

Interested private actors and law enforcement both play a role

3 / 48


Voluntary defenses against cybercrime

Actors in voluntary cybercrime defense

1 “Vigilantes” (e.g., AA419) who gather evidence and pass information to relevant operators

2 Industry victims (e.g., banks) who directly employ teams to remove objectionable content

3 Responding operators (e.g., hosting providers) who cooperate with requests from victims

4 “Mercenaries” (e.g., take-down companies) who clean up wicked content for hire

5 Industry collaboratives (e.g., Conficker Working Group) who pool resources and data on incidents to collaborate against threats after they emerge

4 / 48


Law enforcement approaches to cybercrime

1 Infiltrate underground communications channels ex ante

  Simplifies the job in terms of evidence collection
  Deals with internationalization challenges
  Has the potential to obviate harm
  Hard to figure out whether those caught represent significant threats or not

2 Pursue criminal groups ex post

  Can go after those criminals who have the biggest impact
  Challenge is that many groups are in protected jurisdictions

5 / 48


Notice and take-down

Undesirable content pervades the Internet

Schemes for its removal are called notice and take-down (NTD) regimes

Those who want the content removed get into contact with the responsible ISPs and webmasters

We discuss NTD regimes to illuminate how private and public actors fight cybercrime

6 / 48


Types of content subject to NTD

Defamation

Copyright violations

Phishing

Fake escrow agents

Mule-recruitment websites

Online pharmacies

Spam, malware and virus hosts

Child sexual abuse images

7 / 48


Comparing NTD regimes

Factors for comparing NTD regimes

  Incentives for removal on the requesting party
  Formalization of the NTD mechanism
  Legal framework available
  Hosting strategy used by offenders
  Speed at which material is removed

We can compare the speed of removal for different regimes, and see how the results match up to the available incentives, legal frameworks and hosting strategies

8 / 48


Phishing

Phishing websites impersonate banks to commit identity theft

Banks issue take-down notices despite there being no legislative basis

Hosting options for phishing websites

1 Compromised machine (http://www.example.com/~user/images/www.bankname.com/)

2 Free webspace (http://www.bankname.freespacesitename.com/signin/)

3 Registered domain (bankname-variant.com) which then points to free webspace or a compromised machine

9 / 48


Phishing (ctd.)

4 Rock-phish attacks

  Purchase many innocuous-sounding domains (e.g., lof80.info)
  Send out phishing email with URL http://www.volksbank.de.netw.oid3614061.lof80.info/vr
  Gang-hosted DNS server resolves the domain to the IP address of one of several compromised machines, which proxy to the mothership hosting 20 fake websites

5 Fast-flux attacks

  Same strategy as rock-phish, except domains resolve to 5 IP addresses for a short time, then abandon them for 5 more
  Forces take-down of domains, not compromised machines

10 / 48
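The hosting method decides who has to act on a take-down notice: the site owner or hoster for a compromised machine, the free-hosting provider for free webspace, and the registrar for a registered, rock-phish or fast-flux domain. The following Python is an added example, not code from the lecture: it triages a phishing URL into the five hosting methods above using the slides' own sample URLs, and, because rock-phish and fast-flux look identical in a URL, adds a check on DNS answer churn. The free-host list, the brand list and the naive "last two labels" registrable-domain rule (a stand-in for a real public-suffix list; it misclassifies hosts under suffixes such as co.uk) are assumptions.

```python
"""Heuristic triage of a phishing URL by hosting method.

Added example, not part of the lecture. Maps a phishing URL onto the five
hosting strategies and names the party a take-down notice should go to.
Assumptions: FREE_HOSTS, BRANDS, and the naive registrable-domain rule.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Constructed lists (assumptions): known free web-hosting providers and the
# brand tokens whose impersonation we look for.
FREE_HOSTS = {"freespacesitename.com", "geocities.com"}
BRANDS = {"bankname", "volksbank"}


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def mentions_brand(text: str) -> bool:
    text = text.lower()
    return any(brand in text for brand in BRANDS)


def classify(url: str) -> tuple[str, str]:
    """Return (hosting method, party to notify) for a phishing URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""

    if mentions_brand(reg):
        # bankname-variant.com: the domain itself is the fraud, so the
        # registrar must suspend it wherever it currently points.
        return "registered domain", "registrar"
    if reg in FREE_HOSTS and mentions_brand(subdomain):
        # www.bankname.freespacesitename.com: the free host deletes the account.
        return "free webspace", "free-hosting provider"
    if mentions_brand(subdomain):
        # Innocuous registered domain with the brand hidden in subdomain labels
        # (www.volksbank.de.netw.oid3614061.lof80.info): rock-phish or
        # fast-flux; the compromised proxies are interchangeable, so only
        # suspending the domain helps.
        return "rock-phish/fast-flux domain", "registrar"
    if mentions_brand(parsed.path):
        # www.example.com/~user/.../www.bankname.com/: a legitimate site was
        # broken into; its owner or hosting provider removes the directory.
        return "compromised machine", "site owner / hosting provider"
    return "unknown", "manual review"


def looks_fast_flux(answer_sets: list[set[str]], churn_ratio: float = 3.0) -> bool:
    """Rock-phish vs fast-flux cannot be told from the URL; look at DNS churn.

    answer_sets holds the IP sets returned by successive lookups of one name.
    Rock-phish names point at a stable handful of proxies; fast-flux names
    rotate through fresh sets, so the pool of distinct IPs grows far beyond
    the size of any single answer. Real detectors also weigh short TTLs.
    """
    if not answer_sets:
        return False
    distinct = set().union(*answer_sets)
    biggest_answer = max(len(s) for s in answer_sets)
    return len(distinct) >= churn_ratio * biggest_answer


if __name__ == "__main__":
    for u in ("http://www.example.com/~user/images/www.bankname.com/",
              "http://www.bankname.freespacesitename.com/signin/",
              "http://bankname-variant.com/signin/",
              "http://www.volksbank.de.netw.oid3614061.lof80.info/vr"):
        print(u, "->", classify(u))
```

The order of the tests matters: the registered-domain check runs first because a brand in the registrable domain is decisive regardless of where it points, and the path check runs last because brand strings appear in paths on compromised hosts only after the host-based cases have been excluded.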


Phishing-website lifetimes by hosting method

Hosting method                    Sites   Lifetime (hours)
                                          mean     median
Free web-hosting, all               395    47.6     0
  brand owner aware                 240     4.3     0
  brand owner missed                155   114.7    29
Compromised machines, all           193    49.2     0
  brand owner aware                 105     3.5     0
  brand owner missed                155   103.8    10
Rock-phish domains                  821    70.3    33
Fast-flux domains                   314    96.1    25.5

Note: as transcribed, the two compromised-machine sub-rows (105 + 155) do not sum to the 193 total, so the second 155 figure is suspect.

11 / 48


Fake escrow agents

12 / 48


Fake escrow agents (ctd.)

13 / 48


Fake escrow agents

Unlike phishing, fake escrow agents do not impersonate a real business

Instead, they impersonate a service

Fake escrow agent lifetimes

  For 696 fake escrow sites, the mean lifetime is 222 hours (24.5 hour median)
  Bank customers are harmed, but no bank is impersonated so the banks don’t get involved
  Only motivated ‘vigilantes’ remove the sites
  Longer lifetime than phishing, but surprisingly short

14 / 48


Mule-recruitment websites

15 / 48


Mule-recruitment websites

16 / 48


Mule-recruitment websites

17 / 48


Mule-recruitment websites

18 / 48


Child sexual abuse images

Perhaps the most widely condemned form of Internet content

Universally illegal

Internet Watch Foundation (IWF)

  Operates a ‘hotline’ for reports in the UK
  Trained staff check reports, and pass them along to the UK police if illegal
  If the site is located in the UK, pass the report directly to the ISP
  If the site is located overseas, pass the report to the respective authority
  IWF kindly provided sanitized data on websites they track

19 / 48


Website lifetimes for all types of offending content

Content type                      Sites   Lifetime (hours)
                                          mean       median
Child sexual abuse images         2,585    719        288
Phishing
  Free web-hosting                  240      4.3        0
  Compromised machines              105      3.5        0
  Rock-phish domains                821     70.3       33
  Fast-flux domains                 314     96.1       25.5
Fraudulent websites
  Escrow agents                     696    222.2       24.5
  Mule-recruitment websites          67    308.2      188
  Fast-flux pharmacies               82  1,370.7    1,404.5

(The phishing rows are the “brand owner aware” cases from the previous table.)

20 / 48


Comparing speed of removal

The incentive on the party requesting content removal matters most

  Banks are highly motivated to remove phishing websites
  Banks overcome many international jurisdictions and no clear legal framework
  Banks’ incentives remain imperfect: they only remove websites directly impersonating their brand, while overlooking mule-recruitment websites

The technology chosen by the attacker has a small impact

  Fast-flux phishing websites are removed within 3 days; fast-flux pharmacies are not removed at all!

21 / 48


Why are lifetimes for child sexual abuse images so long?

Mean lifetime is 150 times greater than for phishing hosted on compromised machines!

Dividing take-down responsibility according to national jurisdiction is to blame

  If the site is hosted in the UK, IWF work directly with ISPs to remove it
  If not in the UK, IWF notifies law enforcement and the equivalent hotline operator
  Hotline operators only exist in 29 countries, and policies vary on what to do (e.g., US-based NCMEC only issues take-down notices to ISPs “when appropriate”)
  IWF claim they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”
  The defamed, the rights holders, the banks, and the take-down companies have not waited for permission

22 / 48


Why measuring cybercrime is hard

Victims may be reluctant to discuss incidents

  Reputational risk
  Regulatory risk
    Section 5 of the FTC Act authorizes the FTC to take action against unfair or deceptive acts and practices that affect commerce
    SEC Disclosure Guidance on Cybersecurity Risks: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Mandatory disclosure used for data breaches

But what to do if affected firms don’t want to share and there’s no mandate?

24 / 48


Relying on third parties for data collection

Enlist the support of disinterested third parties who observe evidence of incidents

  ISPs already observe every domain name that customers try to visit
  Cybercriminals register domain names for purely malicious purposes (e.g., to control computers in a botnet)
  One can estimate the prevalence of malicious web traffic at an ISP by observing the logs of its DNS server (passive DNS)

Obtain a copy of records maintained by criminals

  One group got access to fake AV records for 3 gangs, including data on conversion rates and revenues

25 / 48
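The passive-DNS estimate above boils down to matching each queried name against a list of domains registered purely for malicious purposes and counting. The Python below is an added example, not the lecture's or any ISP's code: it parses a resolver query log whose line format is assumed (timestamp, client IP, query type, name), matches names by suffix so that any subdomain of a blocklisted domain counts, and reports prevalence both per query and per client. The log lines and the blocklist are constructed for illustration.

```python
"""Estimating malicious-traffic prevalence from passive DNS.

Added example, not part of the lecture. The log format, the log lines and the
blocklist below are constructed; real resolvers (BIND querylog, Unbound,
dnstap) each have their own format, and real blocklists are far larger.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed query log: "<timestamp> <client-ip> <qtype> <qname>" per line.
SAMPLE_LOG = """\
2020-08-13T10:00:01Z 192.0.2.10 A www.example.com
2020-08-13T10:00:02Z 192.0.2.10 A cnc.badbotnet.example
2020-08-13T10:00:03Z 192.0.2.11 A www.example.org
2020-08-13T10:00:04Z 192.0.2.12 A update.badbotnet.example.
2020-08-13T10:00:05Z 192.0.2.11 AAAA mail.example.org
2020-08-13T10:00:06Z 192.0.2.13 A Evil-Pharma.example
2020-08-13T10:00:07Z 192.0.2.10 A cnc.badbotnet.example
2020-08-13T10:00:08Z 192.0.2.14 A www.example.com
"""

# Constructed blocklist (assumption): domains that exist only to control bots
# or to sell counterfeit pharmaceuticals. Matching is by suffix.
BLOCKLIST = {"badbotnet.example", "evil-pharma.example"}


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.example.' == 'foo.example'."""
    return qname.strip().lower().rstrip(".")


def blocked_parent(qname: str, blocklist: set[str]) -> str | None:
    """Return the blocklist entry that qname falls under, or None.

    Walks from the full name up towards the TLD (cnc.badbotnet.example ->
    badbotnet.example -> example) and stops at the first hit.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


@dataclass
class Prevalence:
    queries: int = 0
    malicious_queries: int = 0
    clients: set[str] = field(default_factory=set)
    affected_clients: set[str] = field(default_factory=set)
    by_domain: Counter = field(default_factory=Counter)

    @property
    def query_share(self) -> float:
        return self.malicious_queries / self.queries if self.queries else 0.0

    @property
    def client_share(self) -> float:
        return len(self.affected_clients) / len(self.clients) if self.clients else 0.0


def measure(log_text: str, blocklist: set[str] = BLOCKLIST) -> Prevalence:
    """Tally blocklisted queries and the distinct clients that issued them."""
    p = Prevalence()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at their fields
        _ts, client, _qtype, qname = parts
        p.queries += 1
        p.clients.add(client)
        hit = blocked_parent(qname, blocklist)
        if hit:
            p.malicious_queries += 1
            p.affected_clients.add(client)
            p.by_domain[hit] += 1
    return p


if __name__ == "__main__":
    r = measure(SAMPLE_LOG)
    print(f"{r.malicious_queries}/{r.queries} queries ({r.query_share:.0%}), "
          f"{len(r.affected_clients)}/{len(r.clients)} clients ({r.client_share:.0%}) "
          f"touched blocklisted domains: {dict(r.by_domain)}")
```

Report the client share rather than the query share: one infected machine beaconing to its controller every few minutes (client 192.0.2.10 above) inflates the query count without meaning more victims. Either figure is a count of lookups, not of successful fraud, which is the comprehensiveness-versus-precision trade-off the next slide describes.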


Direct observation

When no one will help, one can collect data directly

  Monitoring IRC channels advertising goods for sale
  Co-opting portions of a botnet to observe the spam conversion rate
  Google deploys automated crawlers to block websites distributing malware (found that 1.3% of incoming search queries had at least one malicious result)

While these studies describe the prevalence of badness, it is hard to translate this directly to user harm

There is a trade-off between comprehensiveness and precision when measuring cybercrime

26 / 48


Click trajectories data collection methodology

Source: http://www.icir.org/christian/publications/2011-oakland-trajectory.pdf

27 / 48


Challenges in direct observation

Data that can be observed may not be representative of all crime (think public marketplaces vs. private deals)

Moreover, data that can be observed may exclude the most sophisticated criminals

Corollary: crimes inherently difficult to measure may go unexamined

28 / 48


Why cybercrime surveys are hard to get right

Definitions are loose and left open to interpretation (what counts as an “attack”? see next slide for an example)

Definitional ambiguity occurs more often in surveys of consumers than of firms

Sources of measurement error for survey respondents

1 Underreport events not observed to be attacks
2 Misclassify benign events as attacks
3 Translating the experience of cybercrime into dollars is hard, so reported figures may be unreliable

Only 22% of CSI survey respondents included a financial figure for cybercrime losses; it is not fair to extrapolate to those who didn’t report values

29 / 48


Question: Experiences with cybercrime

Cybercrimes can include many different types of criminal activity. How often have you experienced or been a victim of the following situations?

  Identity theft (somebody stealing your personal data and impersonating you, e.g. shopping under your name)
  Received emails fraudulently asking for money or personal details (including banking or payment information)
  Online fraud where goods purchased were not delivered, counterfeit or not as advertised
  Not being able to access online services (e.g. banking services) because of cyber attacks

Respondents were asked to answer “often”, “occasionally”, “never”, or “don’t know”.

30 / 48


Why cybercrime surveys are hard to get right

Sample bias occurs when the set of survey respondents does not accurately represent the population being studied

  The 2011 CSI industry survey received a 6.4% response rate, and responses come disproportionately from large companies who invest heavily in IT security

Even with a random sample, the underlying distribution is often inherently skewed

  2 outlier losses in CSI’s survey ($20M and $25M), while the average for the other 75 was $100K
  Shouldn’t discard the outliers, but can’t use the mean either
  The median is a more appropriate summary measure, but doesn’t capture total harm

31 / 48


Another problem for cybercrime surveys

Many cybercrimes affect only a very small portion of the overall population

One study suggests that 0.4% of the Internet population falls for phishing attacks annually

Thus getting a truly random sample of the population requires sampling from a larger pool

Response bias is also magnified

  Victims may be more likely to respond to surveys since the topic is more salient for them
  The victimization rate is inflated by a factor matching the relative response rate of victims (e.g., if victims are twice as likely to respond, then surveyed incidence will be double the true rate)

For more detail, see: http://research.microsoft.com/apps/pubs/default.aspx?id=149886

32 / 48
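The two survey slides above each rest on a small calculation that is worth carrying through: how far a pair of outliers drags the mean away from the median, and how differential response rates distort a victimization rate. The Python below is an added example, not from the lecture, and works on constructed data: the 75 "ordinary" CSI loss values are an assumption (the slide gives only their $100K average), while the $20M and $25M outliers, the 0.4% phishing rate and the "twice as likely to respond" scenario are the slide's own figures. The response-bias function uses the exact formula rather than the small-rate approximation, so it also shows when "double" stops being right.

```python
"""Why survey-based cybercrime figures mislead: skew and response bias.

Added example, not part of the lecture. The ordinary loss values are an
assumption chosen to average exactly $100K; the rest are the slides' figures.
"""
from __future__ import annotations

import math
from statistics import mean, median


def csi_like_sample() -> list[int]:
    """75 ordinary losses averaging $100K plus the two quoted outliers."""
    ordinary = [63_000 + 1_000 * i for i in range(75)]  # mean is exactly 100,000
    return ordinary + [20_000_000, 25_000_000]


def summarize(losses: list[int]) -> dict[str, float]:
    """Mean, median, total, and the share of the total held by the top two."""
    total = sum(losses)
    top_two = sorted(losses)[-2:]
    return {
        "n": len(losses),
        "mean": mean(losses),
        "median": median(losses),
        "total": total,
        "top_two_share": sum(top_two) / total,
    }


def surveyed_rate(true_rate: float, relative_response: float) -> float:
    """Victimization rate a survey reports when victims respond
    relative_response times as often as non-victims.

    Exact: the respondent pool is true_rate * r victims against
    (1 - true_rate) * 1 non-victims, up to a common response rate that cancels.
    """
    victims = true_rate * relative_response
    others = 1.0 - true_rate
    return victims / (victims + others)


def inflation_factor(true_rate: float, relative_response: float) -> float:
    """How many times too high the surveyed rate is. Approaches
    relative_response for rare crimes, but is smaller for common ones."""
    return surveyed_rate(true_rate, relative_response) / true_rate


def respondents_needed(true_rate: float, victims_wanted: int) -> int:
    """Random respondents required to expect victims_wanted victims.
    Rounded to 9 decimals first so float dust cannot push ceil() up by one."""
    return math.ceil(round(victims_wanted / true_rate, 9))


if __name__ == "__main__":
    s = summarize(csi_like_sample())
    print(f"n={s['n']} mean=${s['mean']:,.0f} median=${s['median']:,} "
          f"top-two share={s['top_two_share']:.0%}")
    for rate in (0.004, 0.05, 0.3):
        print(f"true rate {rate:.1%}: surveyed {surveyed_rate(rate, 2.0):.2%}, "
              f"inflation x{inflation_factor(rate, 2.0):.2f}")
    print("respondents for 100 expected phishing victims:", respondents_needed(0.004, 100))
```

On this sample the two outliers hold about 86% of the total loss, so the mean ($682K) says almost nothing about a typical firm while the median ($101K) says nothing about total harm; both numbers need to be reported. For a 0.4% base rate the doubling rule is accurate to within 1%, but at a 30% base rate the same response skew inflates the figure by only about 1.5×, so the correction depends on the crime being measured.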


How much does cybercrime cost?

Source: http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion

34 / 48


How much does cybercrime cost?

35 / 48


Can such high estimates really be right?

In 2009 AT&T’s Ed Amoroso testified before the US Congress that global cybercrime profits topped $1 trillion

  That’s 1.6% of world GDP

Detica’s figure (£27 Bn) is 2% of UK GDP

Not only are the figures eye-poppingly large, it’s often unclear what is being measured

  Amoroso spoke of cybercrime ‘profits’, while Detica describes ‘losses’

36 / 48


Upon closer inspection, the Detica estimates don’t hold up

37 / 48


Upon closer inspection, the Detica estimates don’t hold up

IP theft (£9.2 Bn) and espionage (£7.6 Bn) account for 62% of the total loss estimate

Yet the methodology for computing these estimates appears to rely extensively on random guesses

  IP theft: buried on p. 16 of the report, the authors admit “the proportion of IP actually stolen cannot at present be measured with any degree of confidence”, so they assign probabilities of loss and multiply by sectoral GDP
  Espionage: because “it is very hard to determine what proportion of industrial espionage is due to cybercrime”, the authors ascribe values to plausible targets and guess how often they might be pilfered

38 / 48


Why are poor cybercrime cost estimates dangerous?

39 / 48


Why are poor cybercrime cost estimates dangerous?

40 / 48


But how can we do better?

It is one thing to point out flaws in others’ estimates, but it is quite another to produce a more reliable estimate of cybercrime losses

The UK Ministry of Defence challenged us to produce a more accurate estimate

Here’s an overview of our attempt

41 / 48


Decomposing the cost of cybercrime

[Diagram: the cost to society is decomposed into criminal revenue, direct losses, indirect losses and defense costs, with each cost attributed either to specific cybercrimes or to the supporting infrastructure]

42 / 48


Decomposing the cost of cybercrime

Many cybercrime measurement efforts conflate different categories of costs, which renders figures incomparable

We break up the cost of cybercrime into four categories

1 Criminal revenue: gross receipts from a crime
2 Direct losses: losses, damage, or other suffering felt by the victim as a consequence of a cybercrime
3 Indirect losses: losses and opportunity costs imposed on society by the fact that a certain cybercrime is carried out
4 Defense costs: cost of prevention efforts

We also distinguish between the primary costs of cybercrimes and the costs attributed to a common infrastructure used to perpetrate cybercrimes (e.g., botnets)

43 / 48


An example cost breakdown: phishing

Criminal revenue
  sum of the money withdrawn from victim accounts
  revenue to the spammer for sending phishing mails

Direct losses
  criminal revenue
  time and effort to reset account credentials
  secondary costs of overdrawn accounts (deferred purchases)
  lost attention and bandwidth caused by spam messages

Indirect losses
  loss of trust in online banking
  lost opportunity for banks to communicate via email
  efforts to clean up PCs infected with malware

Defense costs
  security products (spam filters, antivirus)
  services for consumers (training) & industry (‘take-down’)
  fraud detection, tracking, and recuperation efforts
  law enforcement

44 / 48


Indirect and defense costs outweigh direct losses

Cybercrime cost category                                    Estimate
Direct losses
  genuine cybercrime (e.g., phishing, advanced-fee fraud)   $2–3 Bn
  online payment card fraud                                 $4 Bn
Defense costs
  cybercriminal infrastructure (e.g., antivirus)            $15 Bn
  payment card and online banking security measures         $4 Bn
Indirect costs
  cybercriminal infrastructure (e.g., malware cleanup)      $10 Bn
  loss of confidence in online transactions                 $30 Bn

45 / 48


Factors affecting the likelihood of shopping online

[Bar chart, effect in percentage points on a −15 to +15 scale. Panels: “Factors decreasing the likelihood of buying online” and “Factors increasing the likelihood of buying online”. Factors plotted: General concern: online payments security; Confidence about own Internet skills; Personal concern: e-commerce fraud; Do online banking; Experience: e-commerce fraud; Higher education; General concern: misuse of personal data; Personal concern: phishing/fraud spam]

46 / 48


Factors affecting the likelihood of banking online

[Bar chart, effect in percentage points on a −15 to +15 scale. Panels: “Factors decreasing the likelihood of banking online” and “Factors increasing the likelihood of banking online”. Factors plotted: General concern: online payments security; Confidence about own Internet skills; General concern: misuse of personal data; Nothing heard about cybercrime; Experience: identity theft; Do online shopping; Experience: e-commerce fraud; Higher education; Personal concern: phishing/fraud spam; Read about cybercrime on the Internet]

47 / 48


Concern about cybercrime inhibits more than experience

One important and unexpected result: concern about cybercrime inhibits online participation more than direct experience with cybercrime does.

People may find the experience of cybercrime to be less painful than their worst fears

Regardless of what drives the result, its implications are clear

  Assuaging society’s concerns over cybercrime should be a priority
  Awareness campaigns should focus on positive steps to take that improve cybersecurity, not “scaring people straight” by making cybercrime fears more salient

48 / 48
