data exploration and midterm review - tyler moore, tandy ... · data exploration and midterm review...

Post on 30-May-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Data Exploration and Midterm Review - Tyler Moore, Tandy ... · Data Exploration and Midterm Review Tyler Moore CSE 7338 Computer Science & Engineering Department, SMU, Dallas, TX

Data Exploration and Midterm Review

Tyler Moore

CSE 7338, Computer Science & Engineering Department, SMU, Dallas, TX

Lecture 4

Outline

1 Midterm review

2 Characteristics of cybercrime

3 Cybercrime supply chains

4 Fighting cybercrime

5 Measuring cybercrime

6 The cost of cybercrime

2 / 81

Midterm review

Midterm Exam

You have 90 minutes

My goal is for the exam to take 60 minutes to complete

You are allowed to bring in one sheet of letter-sized paper with hand-written notes (one sheet only)

Calculators are allowed but not required (no smartphones or computers)

Warning from the test:

You may not speak to any of your classmates during the exam; anyone observed communicating with others (in verbal, written or cyber form) will receive a failing grade. Anyone found using the Internet or other outside resources beyond the single sheet of paper with notes will receive a failing grade.

4 / 81

Midterm review

Non-exhaustive list of topics: security

Protection goals (confidentiality, integrity, availability)

Asymmetric cryptography (for confidentiality and integrity)

Symmetric cryptography

Identification vs. authentication vs. authorization

Threat models

5 / 81


Midterm review

Non-exhaustive list of topics: economics

Preferences and utility functions

Indifference curves

Expected utility

Attitudes to risk

Market failures

6 / 81

Midterm review

Non-exhaustive list of topics: security investment

Metrics (ALE,EBIS,ENBIS,ROSI,NPV)

Models

Breach probability functions

Optimal investment

Gordon-Loeb model (BPF, what decreasing marginal returns of security investment means, 37% rule)

No calculus required, but you may need to interpret a plot

Risk management

Model of filtering with false positives and negatives

Cost-benefit analysis

Calculate expected benefits with multiple loss types

Interpret graphs

Identify breakeven values

7 / 81

Midterm review

Example question

Suppose that without taking precautions, there is a 5% chance a firm will be hacked, costing the firm $12 million. Suppose that the company is considering spending $20K on a solution that will reduce the probability of being hacked to 2%.

a. What is the expected loss if no additional precautions are taken?

b. What is the expected loss if the additional security investment is made?

c. What is the expected benefit of additional security investment?

d. What is the expected net benefit of additional security investment?

e. What is the return on security investment of additional security spending?

f. Would you advise that the firm spend the extra $20K on security? What metrics justify your decision?

8 / 81
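The metrics the question asks for, worked through in Python as an added example (not from the lecture). It assumes the definitions EBIS = ALE(before) minus ALE(after), ENBIS = EBIS minus cost, and ROSI = ENBIS / cost, and it generalises to several loss types at once, as the review list asks, by summing probability times loss over scenarios; the $2M fine in the second scenario is a constructed figure.

```python
"""Security-investment metrics (ALE, EBIS, ENBIS, ROSI) for the review question."""


def annual_loss_expectancy(scenarios):
    """ALE over one or more loss types: sum of probability x loss per (p, loss) pair."""
    return sum(p * loss for p, loss in scenarios)


def investment_metrics(before, after, cost):
    """Metrics for a control that changes the loss scenarios from `before`
    to `after` at a fixed `cost`.

    Definitions assumed here (the lecture's metric names, standard formulas):
      EBIS  = ALE(before) - ALE(after)   expected benefit of the investment
      ENBIS = EBIS - cost                expected net benefit
      ROSI  = ENBIS / cost               return on security investment
    """
    ale_before = annual_loss_expectancy(before)
    ale_after = annual_loss_expectancy(after)
    ebis = ale_before - ale_after
    enbis = ebis - cost
    rosi = enbis / cost if cost else float("inf")
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "ebis": ebis,
        "enbis": enbis,
        "rosi": rosi,
        # Breakeven value: the spend at which ENBIS drops to exactly zero.
        "breakeven_cost": ebis,
        # Decision rule: invest only while the expected net benefit is positive.
        "advise": enbis > 0,
    }


def example_question():
    """The slide's numbers: 5% -> 2% chance of a $12M breach, for $20K."""
    before = [(0.05, 12_000_000)]
    after = [(0.02, 12_000_000)]
    return investment_metrics(before, after, 20_000)


def multi_loss_example():
    """Same control, but the breach carries two loss types (constructed figures):
    the $12M direct loss at the stated probabilities plus a $2M regulatory fine
    whose probability the control halves."""
    before = [(0.05, 12_000_000), (0.10, 2_000_000)]
    after = [(0.02, 12_000_000), (0.05, 2_000_000)]
    return investment_metrics(before, after, 20_000)


if __name__ == "__main__":
    for name, m in (("example question", example_question()),
                    ("two loss types", multi_loss_example())):
        print(name)
        for k, v in m.items():
            print(f"  {k:15s} {v:,.2f}" if isinstance(v, float) else f"  {k:15s} {v}")
```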

Characteristics of cybercrime Defining cybercrime

Defining cybercrime

We (mainly) adopt the European Commission’s proposed definition:

1 traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems;

2 the publication of illegal content over electronic media (e.g., child sexual abuse material or incitement to racial hatred);

3 crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.

For this part of the course, we are mainly concerned with cybercrimes that are profit-motivated, not so much crimes fitting the second component of the definition

The boundary between traditional and cybercrimes is fluid

10 / 81


Characteristics of cybercrime Defining cybercrime

Distinguishing between types of cybercrime

Online banking fraud

Fake antivirus

‘Stranded traveler’ scams

‘Fake escrow’ scams

Advanced fee fraud

Infringing pharmaceuticals

Copyright-infringing software

Copyright-infringing music and video

Online payment card fraud

In-person payment card fraud

PABX fraud

Industrial cyber-espionage and extortion

Welfare fraud

Tax and tax filing fraud

‘Genuine’ cybercrime

Transitional cybercrime

Traditional crime becoming ‘cyber’

11 / 81

Characteristics of cybercrime How is cybercrime different?

How does cybercrime differ from traditional crime?

1 Scale – a single attack can make little money and be unsuccessful most of the time, yet still be hugely profitable if it is replicated easily for almost no cost

2 Global addressability – the pool of available targets remains practically infinite

3 Distributed control – stakeholders have competing interests and limited visibility across networks, which hampers the ability to defend against attacks

4 International nature – makes law enforcement more difficult

12 / 81

Characteristics of cybercrime Primary vs. infrastructure cybercrimes

Distinguishing between ‘primary’ cybercrimes and infrastructure crimes

‘Primary’ cybercrimes perpetrate a particular scam (e.g., phishing steals bank credentials, illicit pharmaceutical programs sell prescription drugs without prescription)

Yet these primary cybercrimes rely on a criminal infrastructure common to most scams

1 Exploits: offer a way to compromise computers so that unauthorized software can be executed

2 Botnets: provide anonymity to criminals and a resource for exploitation

3 Email spam: advertises scams to unsuspecting victims

4 Search-engine poisoning: exposes unsuspecting victims to scams

13 / 81

Cybercrime supply chains

Supply chains and the division of labor

Adam Smith on pin production (1776):

One man draws out the wire, another straights it, a third cuts it, a fourth points it, a fifth grinds it at the top for receiving the head: to make the head requires two or three distinct operations: to put it on is a particular business, to whiten the pins is another ... and the important business of making a pin is, in this manner, divided into about eighteen distinct operations, which in some manufactories are all performed by distinct hands, though in others the same man will sometime perform two or three of them.

15 / 81


Cybercrime supply chains The underground economy

The underground economy: division of labor in cybercrime

Advertisement

i have boa wells and barclays bank logins....have hacked hosts, mail lists, php mailer

send to all inbox

i need 1 mastercard i give 1 linux hacked root

i have verified paypal accounts with good balance...

and i can cashout paypals

Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf

16 / 81

Cybercrime supply chains The underground economy

Credit card #s for sale on underground

Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf

17 / 81

Cybercrime supply chains The underground economy

Services on offer on underground

Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf

18 / 81

Cybercrime supply chains The underground economy

Some advertised prices on the underground

Source: http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf

19 / 81


Cybercrime supply chains The underground economy

Cybercrime supply chains

traffic host hook monetization cash out

20 / 81

Cybercrime supply chains Sample cybercrimes

Phishing supply chain step 1: traffic (email spam)

21 / 81

Cybercrime supply chains Sample cybercrimes

Phishing supply chain step 2: host (compromise server)

22 / 81

Cybercrime supply chains Sample cybercrimes

Phishing supply chain step 3: hook (phishing kit)

23 / 81


Cybercrime supply chains Sample cybercrimes

Phishing supply chain step 4: monetize (bank transfer)

24 / 81

Cybercrime supply chains Sample cybercrimes

Phishing supply chain step 5: cash out (hire mules)

25 / 81

Cybercrime supply chains Sample cybercrimes

Illicit online pharmacies

26 / 81

Cybercrime supply chains Sample cybercrimes

Illicit online pharmacies

What do illicit online pharmacies have to do with phishing?

Both make use of a similar criminal supply chain

1 Traffic: hijack web search results (or send email spam)

2 Host: compromise a high-ranking server to redirect to pharmacy

3 Hook: affiliate programs let criminals set up website front-ends to sell drugs

4 Monetize: sell drugs ordered by consumers

5 Cash out: no need to hire mules, just take credit cards!

For more: http://lyle.smu.edu/~tylerm/usenix11.pdf

27 / 81


Cybercrime supply chains Sample cybercrimes

Abusing dynamic search terms

28 / 81

Cybercrime supply chains Sample cybercrimes

At best you may encounter ad-filled sites

29 / 81

Cybercrime supply chains Sample cybercrimes

At worst you may encounter malware

30 / 81

Cybercrime supply chains Sample cybercrimes

Abusing search-engine results

Once again the criminal supply chain is similar

1 Traffic: hijack unrelated web search results

2 Host: compromise a high-ranking server

3 Hook: install an exploit (for fake AV), or fill with auto-generated content (for ad sites)

4 Monetize: peddle fake AV or load page with ads

5 Cash out: credit cards or hire mules (fake AV), or get paid by ad platforms

For more: http://lyle.smu.edu/~tylerm/ccs11.pdf

31 / 81


Cybercrime supply chains Sample cybercrimes

Cybercrime supply chains: common mode of operation

Cybercrime              | Traffic              | Host          | Hook             | Monetization        | Cash out
Phishing (bank)         | email spam           | hacked server | website kit      | ACH transfer        | money mule
Phishing (email acct.)  | email spam           | hacked server | website kit      | ‘stranded traveler’ | -
Phishing (email acct.)  | email spam           | hacked server | website kit      | malware             | -
Phishing (social net.)  | email spam           | hacked server | website kit      | ‘stranded traveler’ | -
Phishing (social net.)  | email spam           | hacked server | website kit      | malware             | -
Illicit pharma          | email spam           | hacked server | website frontend | payments            | -
Illicit pharma          | web poisoning        | hacked server | website frontend | payments            | -
Fake antivirus          | web poisoning        | hacked server | exploit install  | payments            | -
Fake antivirus          | web poisoning        | hacked server | exploit install  | e-currency          | money mules
Ad-laden sites          | web poisoning        | own server    | -                | PPC ads             | ad platform
Typosquatting           | user error           | own server    | -                | PPC ads             | ad platform
‘Stranded traveler’     | social net. takeover | -             | deceptive msg.   | wire transfer       | -
‘Fake escrow’ scams     | auction buyers       | own server    | deceptive msg.   | wire transfer       | -
Industrial espionage    | email spam           | own server    | exploit install  | exfiltrate data     | -

32 / 81

Cybercrime supply chains Strategies for integrating criminal supply chains

Market for crimeware

[Figure: the supply-chain stages traffic, host, hook, monetization and cash out, with separate sellers Alice, Bob, Charlie and David, and four ways an attacker assembles them]

Option 1: underground market as pin factory. The attacker buys each stage (traffic, host, hook) from a different seller, sells on the proceeds, and uses mules to cash out. Phisherman: buy spam, buy compromised server, buy kit, sell credentials, hire mules. Counterfeit drugs salesman: buy spam, hire server, be affiliate, complete sale.

Option 2: traffic brokers. The attacker buys traffic from Alice and monetizes it directly (advertising fraud, or infect with malware). More info: http://iseclab.org/papers/weis2010.pdf

Option 3: exploit-as-a-service. The attacker provides traffic and buys EaaS, which installs malware. More info: http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf

Option 4: pay-per-install. The attacker orders from a PPI service and uses the compromised machines (e.g., show fake AV, steal credentials, launch DoS). More info: http://www.usenix.org/events/sec11/tech/full_papers/Caballero.pdf

33 / 81






Cybercrime supply chains Strategies for integrating criminal supply chains

Vertical integration of supply chains

traffic host hook monetization cash out

While underground forums, pay-per-installs and exploit-as-a-service attract the most attention, some criminals vertically integrate

Why? better defense against ‘rippers’ (see http://research.microsoft.com/pubs/80034/nobodysellsgoldforthepriceofsilver.pdf)

Some EaaS and PPI suites are not for sale, but instead used exclusively by particular gangs (e.g., Carberp)

34 / 81

Cybercrime supply chains Strategies for integrating criminal supply chains

Vertical integration in phishing: rock-phish gang

‘Rock-phish’ gang used vertical integration to carry out phishing attacks

At 2007-08 peak, accounted for half of phishing attacks

1 Purchase several innocuous-sounding domains (e.g., lof80.info)

2 Send out phishing email with URL http://www.volksbank.de.netw.oid3614061.lof80.info/vr

3 Gang-hosted DNS server resolves domain to IP address of one of several compromised machines

4 Compromised machines run a proxy to a back-end server

5 Server loaded with many fake websites (around 20), all of which can be accessed from any domain or compromised machine

35 / 81

Fighting cybercrime

Fighting cybercrime

Private actors take steps to mitigate risk of cybercrime (e.g., install AV)

Considerable effort is made to stop cybercrime after it has been committed

Interested private actors and law enforcement both play a role

37 / 81


Fighting cybercrime

Voluntary defenses against cybercrime

Actors in voluntary cybercrime defense

1 “Vigilantes” (e.g., AA419) who gather evidence and pass information to relevant operators

2 Industry victims (e.g., banks) who directly employ teams to remove objectionable content

3 Responding operators (e.g., hosting providers) who cooperate with requests from victims

4 “Mercenaries” (e.g., take-down companies) who clean up wicked content for hire

5 Industry collaboratives (e.g., Conficker Working Group) who pool resources and data on incidents to collaborate against threats after they emerge

38 / 81

Fighting cybercrime

Law enforcement approaches to cybercrime

1 Infiltrate underground communications channels ex ante

Simplifies job in terms of evidence collection

Deals with internationalization challenges

Has potential to obviate harm

Hard to figure out whether those caught represent significant threats or not

2 Pursue criminal groups ex post

Can go after those criminals who have the biggest impact

Challenge is that many groups are in protected jurisdictions

39 / 81

Fighting cybercrime

Notice and take-down

Undesirable content pervades the Internet

Schemes for its removal are called notice and take-down (NTD) regimes

Those who want the content removed get into contact with the responsible ISPs, webmasters

We discuss NTD regimes to illuminate how private and public actors fight cybercrime

40 / 81

Fighting cybercrime

Types of content subject to NTD

Defamation

Copyright violations

Phishing

Fake escrow agents

Mule-recruitment websites

Online pharmacies

Spam, malware and virus hosts

Child sexual abuse images

41 / 81


Fighting cybercrime

Comparing NTD regimes

Factors for comparing NTD regimes

Incentives for removal on requesting party

Formalization of NTD mechanism

Legal framework available

Hosting strategy used by offenders

Speed at which material is removed

We can compare the speed of removal for different regimes, and see how the results match up to the available incentives, legal frameworks and hosting strategies

42 / 81

Fighting cybercrime

Phishing

Phishing websites impersonate banks to commit identity theft

Banks issue take-down notices despite no legislative basis

Hosting options for phishing websites

1 Compromised machine (http://www.example.com/~user/images/www.bankname.com/)

2 Free webspace (http://www.bankname.freespacesitename.com/signin/)

3 Registered domain (bankname-variant.com) which then points to free webspace or compromised machine

43 / 81

Fighting cybercrime

Phishing (ctd.)

4 Rock-phish attacks

Purchase many innocuous-sounding domains (e.g., lof80.info)

Send out phishing email with URL

http://www.volksbank.de.netw.oid3614061.lof80.info/vr

Gang-hosted DNS server resolves domain to IP address of one of several compromised machines, which proxy to the mothership hosting 20 fake websites

5 Fast-flux attacks

Same strategy as rock-phish, except domains resolve to 5 IP addresses for a short time, then abandon them for 5 more

Forces take-down of domains, not compromised machines

44 / 81
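How a defender could recognise these two hosting patterns in passive-DNS data, as an added example with constructed records (not code from the lecture). The naive registered-domain split, the placeholder brand list, and the thresholds (five or more addresses, at least one rotation, TTL at or below the observation window) are assumptions; the slide's lof80.info hostname is used as the fast-flux sample.

```python
"""Spotting rock-phish and fast-flux hosting in passive-DNS observations.

Heuristics follow the slide: a rock-phish URL carries the impersonated brand
as subdomain labels of an innocuous registered domain, and a fast-flux domain
resolves to a handful of IPs for a short time before moving to a fresh set.
"""
from collections import defaultdict

# Placeholder brand strings (constructed); a bank would use its own list.
BRANDS = ("volksbank", "bankname")


def registered_domain(hostname):
    """Naive registered domain = last two labels. Real deployments need the
    public suffix list (co.uk etc.); this suffices for the constructed data."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_labels(hostname, brands=BRANDS):
    """Brands appearing in the labels left of the registered domain, e.g.
    'volksbank' in www.volksbank.de.netw.oid3614061.lof80.info."""
    labels = hostname.lower().split(".")[:-2]
    return sorted({b for b in brands if any(b in lab for lab in labels)})


def analyse(records, window_sec=600, brands=BRANDS):
    """records: iterable of (t_sec, hostname, ip, ttl_sec) observations.

    Per registered domain, returns the number of distinct IPs, how often the
    resolved IP set changed between consecutive windows (churn), the minimum
    TTL, brands seen in hostnames, observed lifetime in hours, and a verdict."""
    by_dom = defaultdict(list)
    for t, host, ip, ttl in records:
        by_dom[registered_domain(host)].append((t, host, ip, ttl))
    out = {}
    for dom, recs in by_dom.items():
        recs.sort()
        ip_sets = defaultdict(set)           # window index -> IPs seen in it
        for t, _, ip, _ in recs:
            ip_sets[t // window_sec].add(ip)
        ordered = [ip_sets[w] for w in sorted(ip_sets)]
        churn = sum(1 for a, b in zip(ordered, ordered[1:]) if a != b)
        distinct = {ip for _, _, ip, _ in recs}
        min_ttl = min(r[3] for r in recs)
        brands_seen = sorted({b for r in recs for b in brand_labels(r[1], brands)})
        if len(distinct) >= 5 and churn >= 1 and min_ttl <= window_sec:
            verdict = "fast-flux"            # IP pool rotates under a stable domain
        elif brands_seen:
            verdict = "rock-phish-style"     # brand smuggled into the hostname
        else:
            verdict = "no-indicator"
        out[dom] = {
            "distinct_ips": len(distinct),
            "churn": churn,
            "min_ttl": min_ttl,
            "brands": brands_seen,
            "lifetime_hours": (recs[-1][0] - recs[0][0]) / 3600,
            "verdict": verdict,
        }
    return out


def make_pdns():
    """Constructed passive-DNS log: (t_sec, hostname, ip, ttl_sec)."""
    recs = []
    flux_host = "www.volksbank.de.netw.oid3614061.lof80.info"   # hostname from the slide
    for epoch in range(3):               # three successive sets of five addresses
        for k in range(5):
            ip = f"10.{epoch}.{k}.1"       # constructed RFC 1918 placeholders
            recs.append((epoch * 600, flux_host, ip, 300))
            recs.append((epoch * 600 + 300, flux_host, ip, 300))
    rock_host = "www.bankname.com.oid9913.rp-sample.example"    # constructed
    for t in (0, 3600, 7200):            # small, stable pool of proxies
        for k in range(3):
            recs.append((t, rock_host, f"10.9.{k}.1", 3600))
    for t in (0, 43200, 86400):          # benign: stable address pair, long TTL
        for ip in ("192.0.2.10", "192.0.2.11"):
            recs.append((t, "www.example.org", ip, 86400))
    return recs


if __name__ == "__main__":
    for dom, info in analyse(make_pdns()).items():
        print(dom, info)
```

The lifetime field is the same first-seen to last-seen measure used in the lifetime tables that follow, so the same records can feed both detection and take-down statistics.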

Fighting cybercrime

Phishing-website lifetimes by hosting method

                        Sites   Lifetime (hours)
                                mean      median
Free web-hosting
  all                     395    47.6       0
  brand owner aware       240     4.3       0
  brand owner missed      155   114.7      29
Compromised machines
  all                     193    49.2       0
  brand owner aware       105     3.5       0
  brand owner missed      155   103.8      10
Rock-phish domains        821    70.3      33
Fast-flux domains         314    96.1      25.5

45 / 81


Fighting cybercrime

Fake escrow agents

46 / 81

Fighting cybercrime

Fake escrow agents (ctd.)

47 / 81

Fighting cybercrime

Fake escrow agents

Unlike phishing, fake escrow agents do not impersonate a real business

Instead, they impersonate a service

Fake escrow agent lifetimes

For 696 fake escrow sites, mean lifetime is 222 hours (24.5 hour median)

Bank customers are harmed, but no bank is impersonated so the banks don’t get involved

Only motivated ‘vigilantes’ remove the sites

Longer lifetime than phishing, but surprisingly short

48 / 81

Fighting cybercrime

Mule-recruitment websites

49 / 81


Fighting cybercrime

Mule-recruitment websites

50 / 81

Fighting cybercrime

Mule-recruitment websites

51 / 81

Fighting cybercrime

Mule-recruitment websites

52 / 81

Fighting cybercrime

Child sexual abuse images

Perhaps the most widely condemned form of Internet content

Universally illegal

Internet Watch Foundation (IWF)

Operates a ‘hotline’ for reports in the UK

Trained staff check reports, pass along to the UK police if illegal

If site is located in the UK, pass report directly to ISP

If site is located overseas, pass report to respective authority

IWF kindly provided sanitized data on websites they track

53 / 81


Fighting cybercrime

Website lifetimes for all types of offending content

                               Sites   Lifetime (hours)
                                       mean       median
Child sexual abuse images      2,585    719        288
Phishing
  Free web-hosting               240      4.3        0
  Compromised machines           105      3.5        0
  Rock-phish domains             821     70.3       33
  Fast-flux domains              314     96.1       25.5
Fraudulent websites
  Escrow agents                  696    222.2       24.5
  Mule-recruitment websites       67    308.2      188
  Fast-flux pharmacies            82  1,370.7    1,404.5

54 / 81

Fighting cybercrime

Comparing speed of removal

Incentive on the party requesting content removal matters most

Banks are highly motivated to remove phishing websites

Banks overcome many international jurisdictions and no clear legal framework

Banks’ incentives remain imperfect: they only remove websites directly impersonating their brand, while overlooking mule-recruitment websites

Technology chosen by attacker has small impact

Fast-flux phishing websites removed within 3 days, fast-flux pharmacies not removed at all!

55 / 81

Fighting cybercrime

Why are lifetimes for child sexual abuse images so long?

Mean lifetime is 150 times greater than for phishing hosted on compromised machines!

Dividing take-down responsibility according to national jurisdiction is to blame

If site hosted in UK, IWF work directly with ISPs to remove

If not in UK, IWF notifies law enforcement and equivalent hotline operator

Hotline operators only exist in 29 countries, and policies vary on what to do (e.g., US-based NCMEC only issues take-down notices to ISPs “when appropriate”)

IWF claim they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”

The defamed, the rights holders, the banks, and the take-down companies have not waited for permission

56 / 81

Measuring cybercrime

Why measuring cybercrime is hard

Victims may be reluctant to discuss incidents

Reputational risk

Regulatory risk

Section 5 of the FTC Act authorizes FTC to take action against unfair or deceptive acts and practices that affect commerce

SEC Disclosure Guidance on Cybersecurity Risks: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Mandatory disclosure used for data breaches

But what to do if affected firms don’t want to share and there’s no mandate?

58 / 81


Measuring cybercrime

Relying on third parties for data collection

Enlist support of disinterested third parties who observe evidence of incidents

ISPs already observe every domain name that customers try to visit

Cybercriminals register domain names for purely malicious purposes (e.g., to control computers in a botnet)

One can estimate the prevalence of malicious web traffic at an ISP by observing the logs of its DNS server (passive DNS)

Obtain a copy of records maintained by criminals

One group got access to fake AV records for 3 gangs, including data on conversion rates and revenues

59 / 81

Measuring cybercrime

Direct observation

When no one will help, one can collect data directly

Monitoring IRC channels advertising goods for sale

Co-opting portions of a botnet to observe spam conversion rate

Google deploys automated crawlers to block websites distributing malware (found that 1.3% of incoming search queries had at least one malicious result)

While these studies describe the prevalence of badness, it is hard to translate this directly to user harm

There is a trade-off between comprehensiveness and precision when measuring cybercrime


Measuring cybercrime

Click trajectories data collection methodology

Source: http://www.icir.org/christian/publications/2011-oakland-trajectory.pdf


Measuring cybercrime

Challenges in direct observation

Data that can be observed may not be representative of all crime (think public marketplaces vs. private deals)

Moreover, data that can be observed may exclude the most sophisticated criminals

Corollary: crimes inherently difficult to measure may go unexamined


Measuring cybercrime

Why cybercrime surveys are hard to get right

Definitions are loose and left open to interpretation (what counts as an “attack”? see next slide for example)

Definitional ambiguity occurs more often in surveys of consumers than for firms

Sources of measurement error for survey respondents

1 Underreport events not observed to be attacks

2 Misclassify benign events as attacks

3 Translating experience of cybercrime into dollars is hard, so reported figures may be unreliable

Only 22% of CSI survey respondents included a financial figure for cybercrime losses, not fair to extrapolate to those who didn’t report values


Measuring cybercrime

Question: Experiences with cybercrime

Cybercrimes can include many different types of criminal activity. How often have you experienced or been a victim of the following situations?

Identity theft (somebody stealing your personal data and impersonating you, e.g. shopping under your name)

Received emails fraudulently asking for money or personal details (including banking or payment information)

Online fraud where goods purchased were not delivered, counterfeit or not as advertised

Not being able to access online services (e.g. banking services) because of cyber attacks

Respondents were asked to answer “often”, “occasionally”, “never”, or “don’t know”.


Measuring cybercrime

Why cybercrime surveys are hard to get right

Sample bias occurs when the set of survey respondents does not accurately represent the population being studied

2011 CSI industry survey received 6.4% response rate, and come disproportionately from large companies who invest heavily in IT security

Even with a random sample, the underlying distribution is often inherently skewed

2 outlier losses in CSI’s survey ($20M and $25M), while the average for the other 75 was $100K

Shouldn’t discard the outliers, but can’t use the mean either

Median is a more appropriate summary measure, but doesn’t capture total harm
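The skewed-distribution point above, worked through as an added example (not from the lecture): constructed loss figures modelled on the CSI numbers quoted on the slide, 75 respondents averaging exactly $100K plus outliers of $20M and $25M, and the summary statistics that show why the mean is dominated by two responses while the median hides most of the total harm. The extrapolation helper shows how far apart a mean-based and a median-based projection to a larger population land.

```python
import statistics

# Constructed loss data: 75 "ordinary" respondents spread symmetrically from
# $26K to $174K (mean exactly $100K), plus the two outliers from the slide.
ORDINARY_LOSSES = [100_000 + 2_000 * (i - 37) for i in range(75)]
OUTLIER_LOSSES = [20_000_000, 25_000_000]
SURVEY_LOSSES = ORDINARY_LOSSES + OUTLIER_LOSSES


def summarize(losses):
    """Mean, median, total and the share of the total carried by the top two responses."""
    losses = sorted(losses)
    total = sum(losses)
    return {
        "n": len(losses),
        "total": total,
        "mean": total / len(losses),
        "median": statistics.median(losses),
        "top2_share_of_total": sum(losses[-2:]) / total,
    }


def extrapolate(losses, population):
    """Project per-respondent loss to `population` firms two ways.

    A mean-based projection is driven by the outliers; a median-based one
    ignores the bulk of the harm they represent."""
    s = summarize(losses)
    return {
        "by_mean": s["mean"] * population,
        "by_median": s["median"] * population,
    }


def harm_dropped_by_trimming(losses, k=2):
    """Total loss discarded if the k largest responses are thrown away."""
    losses = sorted(losses)
    return sum(losses[-k:])


if __name__ == "__main__":
    print(summarize(SURVEY_LOSSES))
    print(extrapolate(SURVEY_LOSSES, 1000))
    print("harm dropped by trimming:", harm_dropped_by_trimming(SURVEY_LOSSES))
```

With these inputs the mean is about $682K against a median of $102K, the two outliers carry roughly 86% of the reported total, and trimming them discards $45M of harm.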


Measuring cybercrime

Another problem for cybercrime surveys

Many cybercrimes affect only a very small portion of the overall population

One study suggests that 0.4% of the Internet population falls for phishing attacks annually

Thus getting a truly random sample of the population requires sampling from a larger pool

Response bias is also magnified

Victims may be more likely to respond to surveys since topic is more salient for them

Victimization rate is inflated by factor matching relative response rate of victims (e.g., if victims are twice as likely to respond, then surveyed incidence will be double the true rate)

For more detail, see: http://research.microsoft.com/apps/pubs/default.aspx?id=149886
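The response-bias inflation and the sampling-pool argument from this slide, as an added example rather than material from the lecture. The closed-form functions treat a population with true victimization rate p where victims respond r times as often as non-victims; the surveyed rate is p·r / (p·r + (1 − p)), which is close to r·p when p is small (the slide's "double the true rate" for r = 2), and the inverse recovers p from an observed rate when r is known. The Monte Carlo helper checks the formula by simulation with a seeded generator; the 5% base response rate is an assumption chosen for the example.

```python
import math
import random


def surveyed_rate(true_rate, relative_response):
    """Victimization rate a survey reports when victims are `relative_response`
    times as likely to respond as non-victims (exact, not the small-p approximation)."""
    p, r = true_rate, relative_response
    return p * r / (p * r + (1 - p))


def corrected_rate(observed_rate, relative_response):
    """Invert surveyed_rate: recover the true rate from the observed one."""
    s, r = observed_rate, relative_response
    return s / (r * (1 - s) + s)


def sample_size_for_expected_victims(true_rate, expected_victims):
    """Smallest random sample whose expected number of victims reaches the target."""
    return math.ceil(expected_victims / true_rate)


def simulate_survey(true_rate, relative_response, pool, base_response=0.05, seed=1):
    """Monte Carlo check: draw `pool` people, let victims respond `relative_response`
    times as often as non-victims (assumed base response rate 5%), and return the
    naive victimization rate among respondents."""
    rng = random.Random(seed)
    victims_responding = nonvictims_responding = 0
    for _ in range(pool):
        is_victim = rng.random() < true_rate
        p_respond = min(1.0, base_response * (relative_response if is_victim else 1.0))
        if rng.random() < p_respond:
            if is_victim:
                victims_responding += 1
            else:
                nonvictims_responding += 1
    responded = victims_responding + nonvictims_responding
    return victims_responding / responded if responded else float("nan")


if __name__ == "__main__":
    p, r = 0.004, 2          # 0.4% phishing victimization from the slide, victims twice as responsive
    s = surveyed_rate(p, r)
    print(f"true {p:.4%} -> surveyed {s:.4%} -> corrected {corrected_rate(s, r):.4%}")
    print("sample needed for 100 expected victims:", sample_size_for_expected_victims(p, 100))
    print("simulated surveyed rate:", simulate_survey(p, r, pool=200_000))
```

For p = 0.4% and r = 2 the surveyed rate is about 0.80%, and reaching even 100 expected victims requires a random sample of 25,000 people, which is the slide's point about needing a larger pool.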


The cost of cybercrime

How much does cybercrime cost?

Source: http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion


The cost of cybercrime

Can such high estimates really be right?

In 2009 AT&T’s Ed Amoroso testified before the US Congress that global cybercrime profits topped $1 trillion

That’s 1.6% of world GDP

Detica’s figure (£27 Bn) is 2% of UK GDP

Not only are the figures eye-poppingly large, it’s often unclear what is being measured

Amoroso spoke of cybercrime ‘profits’, while Detica describes ‘losses’


The cost of cybercrime

Upon closer inspection, the Detica estimates don’t hold up

IP theft (£9.2 Bn) and espionage (£7.6 Bn) account for 62% of the total loss estimate

Yet the methodology for computing these estimates appears to rely extensively on random guesses

IP theft: buried on p. 16 of the report, the authors admit “the proportion of IP actually stolen cannot at present be measured with any degree of confidence”, so they assign probabilities of loss and multiply by sectoral GDP

Espionage: because “it is very hard to determine what proportion of industrial espionage is due to cybercrime”, the authors ascribe values to plausible targets and guess how often they might be pilfered


The cost of cybercrime

Why are poor cybercrime cost estimates dangerous?


The cost of cybercrime

But how can we do better?

It is one thing to point out flaws in others’ estimates, but it is quite another to produce a more reliable estimate of cybercrime losses

The UK Ministry of Defence challenged us to produce a more accurate estimate

Here’s an overview of our attempt


The cost of cybercrime

Decomposing the cost of cybercrime

[Figure: cost to society decomposed into criminal revenue, direct losses, indirect losses, and defense costs, each attributed either to specific cybercrimes or to the supporting infrastructure]


The cost of cybercrime

Decomposing the cost of cybercrime

Many cybercrime measurement efforts conflate different categories of costs, which renders figures incomparable

We break up the cost of cybercrime into four categories

1 Criminal revenue: gross receipts from a crime

2 Direct losses: losses, damage, or other suffering felt by the victim as a consequence of a cybercrime

3 Indirect losses: losses and opportunity costs imposed on society by the fact that a certain cybercrime is carried out

4 Defense costs: cost of prevention efforts

We also distinguish between the primary costs of cybercrimes and the costs attributed to a common infrastructure used to perpetrate cybercrimes (e.g., botnets)


The cost of cybercrime

An example cost breakdown: phishing

Criminal revenue
sum of the money withdrawn from victim accounts
revenue to spammer for sending phishing mails

Direct losses
criminal revenue
time and effort to reset account credentials
secondary costs of overdrawn accounts (deferred purchases)
lost attention and bandwidth caused by spam messages

Indirect losses
loss of trust in online banking
lost opportunity for banks to communicate via email
efforts to clean-up PCs infected with malware

Defense costs
security products (spam filters, antivirus)
services for consumers (training) & industry (‘take-down’)
fraud detection, tracking, and recuperation efforts
law enforcement


The cost of cybercrime

Indirect and defense costs outweigh direct losses

Cybercrime cost category                                       Estimate

Direct losses
– genuine cybercrime (e.g., phishing, advanced-fee fraud)      $2–3Bn
– online payment card fraud                                    $4Bn

Defense costs
– cybercriminal infrastructure (e.g., antivirus)               $15Bn
– payment card and online banking security measures            $4Bn

Indirect costs
– cybercriminal infrastructure (e.g., malware cleanup)         $10Bn
– loss of confidence in online transactions                    $30Bn


The cost of cybercrime

Factors affecting the likelihood of shopping online

[Figure: effect of each factor on the likelihood of buying online, in percentage points from −15 to +15]

Factors decreasing the likelihood of buying online: general concern about online payments security; personal concern about e-commerce fraud; experience of e-commerce fraud; general concern about misuse of personal data; personal concern about phishing/fraud spam

Factors increasing the likelihood of buying online: confidence about own Internet skills; do online banking; higher education


The cost of cybercrime

Concern about cybercrime inhibits more than experience

One important and unexpected result: concern about cybercrime inhibits online participation more than direct experience with cybercrime does.

People may find the experience of cybercrime to be less painful than their worst fears

Regardless of what drives the result, its implications are clear

Assuaging society’s concerns over cybercrime should be priority

Awareness campaigns should focus on positive steps to take that improve cybersecurity, not “scaring people straight” by making cybercrime fears more salient
