plug and prey? - usenix · silk road 1 silk road 2. 16 listings, feedbacks and revenue over time 0...
TRANSCRIPT
1
Plug and Prey?Measuring the Commoditization of Cybercrime via Online Anonymous Markets
Rolf van Wegberg1, Samaneh Tajalizadehkhoob1, Kyle Soska2, Ugur Akyazi1, Carlos Gañán1, Bram Klievink1, Nicolas Christin2, and Michel van Eeten1
1 Delft University of Technology, 2 Carnegie Mellon University
2
3
§ Which parts of cybercrime value chains are successfully commoditized and which are not?
§ What kind of revenue do these criminal business-to-business services generate and how fast are they growing?
Commoditization of cybercrime
4
5
§ Characteristics of commodities are highly congruent with characteristics of online anonymous marketplaces.
§ The one-shot, anonymous purchases require suppliers to offer highly commoditized offerings.
§ If cybercrime offerings can be commoditized, online anonymous markets should be a highly attractive place to sell.
Online anonymous markets
6
1. Develop a conceptual model of the value chain components in dominant cybercriminal business models.
2. Collect and parse longitudinal data on eight online anonymous marketplaces, between 2011 and 2017.
3. Classify cybercrime-related listings to these components to track trends in listings and transaction volumes.
4. Identify the best-selling clusters of listings and compare these offerings to the capabilities, resources and services needed.
Measuring commoditization
7
Cybercriminal business models
8
§ Leveraged the parsed and analyzed dataset of Soska and Christin (2015) on seven prominent online markets.
§ We then extended this data with 16 complete and parsed scrapes of AlphaBay between 2014 and 2017.
§ This resulted in a longitudinal dataset covering eight prominent markets between 2011 to 2017.
Data collection
9
§ Leveraged the parsed and analyzed dataset of Soska and Christin (2015) on seven prominent online markets.
§ We then extended this data with 16 complete and parsed scrapes of AlphaBay between 2014 and 2017.
Data set
Market #Listings #Vendors #Feedbacks
Agora 27,974 1,961 234,372
AlphaBay 101,999 6,262 2,223,992
Black Market Reloaded 9,075 980 62,876
Evolution 35,015 2,352 464,146
Hydra 2,343 133 43,701
Pandora 7,674 459 89,065
Silk Road 1 24,363 2,336 605,744
Silk Road 2 22,174 1,201 662,497
Total 230,617 15,684 4,386,393
10
11
§ Categories:- Benzos- Cannabis- Digital Goods- Dissassociatives- Drug Paraphernalia- Electronics- MDMA- Miscellaneous
Pre-filtering
- Opioids- Other- Prescription drugs- Psychedelics- Sildenafil- Stimulants- Tobacco- Weapons
§ Prediction from Soska & Christin (2015).
12
§ For labeling ground truth, we randomly selected 1,500 items from all Digital Goods or Miscellaneous listings (n=44,060).
§ We excluded JavaScripts, web-injects, and customer service. For these products we found no listings in our random sample.
§ We did find business-to-consumer (B2C) cybercrime listings, so we added additional categories to map these.
§ We implemented a Linear Support Vector Machine (SVM) classifier to predict ten B2B and seven B2C product classes.
Classification approach
13
Classifier performance
rat
app
botn
etca
shou
t
emai
l
expl
oit
host
ing
mal
war
e
othe
rot
her -
acc
ount
ot
her -
cus
tom
othe
r - fa
keot
her -
gui
deot
her -
pira
ted
othe
r - v
ouch
erph
one
web
site
websitephone
other - voucherother - pirated
other - guideother - fake
other - customother - account
othermalwarehostingexploitemail
cashoutbotnet
apprat
0 0 0 0.14 0.07 0.07 0 0 0.07 0 0 0.07 0 0 0 0 0.570 0 0 0 0 0 0 0 0 0 0 0 0 0.1 0 0.9 00 0 0 0.05 0 0 0 0 0.1 0.24 0 0 0 0 0.57 0.05 00 0 0 0.04 0.04 0 0 0 0.12 0.04 0 0 0.28 0.48 0 0 00 0.02 0 0.08 0.02 0 0 0 0.1 0.04 0 0 0.68 0.06 0 0 00 0 0 0.03 0 0 0 0 0.03 0 0.03 0.86 0.06 0 0 0 00 0 0 0.02 0 0 0 0 0.08 0 0.83 0.03 0.05 0 0 0 00 0 0 0.02 0 0 0 0 0 0.8 0 0.02 0.07 0.07 0.02 0 00 0.01 0 0.04 0.01 0 0 0 0.73 0 0.06 0.01 0.08 0 0.01 0 0.03
0.07 0 0 0.07 0 0 0 0.71 0 0 0 0 0.14 0 0 0 00 0 0 0 0 0 0.75 0 0 0 0 0.25 0 0 0 0 00 0 0 0.12 0 0.62 0 0 0 0 0 0 0.12 0.12 0 0 00 0 0 0.03 0.87 0 0 0 0 0.07 0 0 0.03 0 0 0 00 0 0 0.77 0.02 0 0 0.01 0.01 0.07 0 0.03 0.09 0 0 0 0.010 0 0.92 0 0 0 0 0 0 0 0 0 0 0 0 0 0.080 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0.92 0 0 0 0 0 0 0 0 0 0 0 0.08 0 0 0 0
0.0
0.2
0.4
0.6
0.8
1.0
14
Classifying listings to cybercrime components
15
Active vendors on markets over time
0
1,000
2,000
3,000
4,000
5,000
2012 2013 2014 2015 2016 2017
Date
Nr.
of
act
ive
ve
nd
ors
Agora
AlphaBay
Black Market Reloaded
Evolution
Hydra
Pandora
Silk Road 1
Silk Road 2
16
Listings, feedbacks and revenue over time
0
2500
5000
7500
10000
2012 2013 2014 2015 2016 2017
Date
Tota
l mo
nth
ly c
ou
nt
# listings
# feedback
0
200
400
600
2012 2013 2014 2015 2016 2017
Date
Tota
l mo
nth
ly r
eve
nu
e (
1,0
00
s U
SD
)
17
Total revenue per category per month
0
200
400
2012 2013 2014 2015 2016 2017
Date
Ave
rag
e m
on
thly
reve
nu
e(1
,00
0s
US
D)
RAT
App
Botnet
Cash−out
E−mail
Exploits
Hosting
Malware
Phone
Website
18
Number of active vendors per month
0
2,000
4,000
6,000
2012 2013 2014 2015 2016 2017
Date
Nr.
of
act
ive
ve
nd
ors
RAT
App
Botnet
Cash−out
E−mail
Exploits
Hosting
Malware
Phone
Website
19
Cumulative percentage of listings across vendors
0.00
0.25
0.50
0.75
1.00
0 500 1000 1500 2000
Number of vendors
Cum
ula
tive d
istr
ibutio
n funct
ion
Listings
Revenue
20
Product portfolios of markets
0
25
50
75
100
Agora
AlphaBayBMR
Evolutio
nHydra
Pandora
Silk Road 1
Silk Road 2
% o
f to
tal n
r. o
f lis
tings
(logged)
RAT
App
Botnet
Cash−out
E−mail
Exploits
Hosting
Malware
Phone
Website
21
§ Identify the three best-selling clusters within each category
§ Only partial fulfillment of cybercriminal demand- Credit cards dominant in the cash-out category- Office exploit dominant in the exploit category- Ransomware dominant in the malware category
§ Outsourcing not trivial, given- Niche supply- Broad demand
Best-selling clusters
22
§ There is evidence of commoditization, but outsourcing options are restricted and transaction volume is often modest.
§ Similar to narcotic sales, a significant amount of revenue is in retail cybercrime, rather than business-to-business.
§ We conservatively estimate the overall revenue for cybercrime commodities on online anonymous markets to be at least US $15M between 2011-2017.
§ While there is growth, commoditization is a spottier phenomenon than previously assumed.
Takeaways
23
Plug and Prey?Measuring the Commoditization of Cybercrime via Online Anonymous Markets
Get in [email protected]@RolfvanWegberg
Open dataAll data is publicly available in anonymizedand non-anonymized form through IMPACT (https://www.impactcybertrust.org/)
See also web interface at https://arima.cylab.cmu.edu/markets/