Slide 1
Internet CyberCrime Economics
Vyas Sekar
Slide 2: Why study Internet cybercrime?
- Understand structure of attack ecosystem
- Potential weaknesses?
- How many organizations involved?
- How easy is it to stop?
- How easy is it for attackers to respawn?
Slide 3: Little published on this topic
- Sensitive
- Hard to perform this style of investigation
- Ground truth: e.g., check out krebsonsecurity.com
- UCSD/ICSI have done quite a bit
Slide 4: Two papers
- Click Trajectories
- Manufacturing Compromise
Slide 5: Click Trajectories
- Characterize resource dependencies for spam
- Many months of spam data
- Analyze ecosystem of servers, name servers, hosts
- Real online transactions!
Slide 6: Key findings from paper
- Payment tier is most concentrated
- Few banks seem to transact most payments
- Potential point of effective blocking!
Slide 7: Spam is a complex business today
- Advertising: sending emails etc.
- Click support: non-trivial, and needs to be robust to defenders
- Realization: get actual transactions, customer support
Slide 8: Prior work on spam
- Detection – ML/NLP etc.
- Blocking – signatures, network blocks
- Mostly focus on the “advertising” aspect
- This work is different – focus on click and realization aspects
Slide 9: Click support in depth
- Historical: direct URLs
  - Easy to block
- Currently use many redirects
- Outsourced DNS / managed DNS
  - Domain resources eventually managed by spammer
  - Find “indifferent” registrars
- Name servers
  - Find “bulletproof” hosting services
- Web servers
  - Bulletproof hosting, fast-flux DNS
Slide 10: Emergence of affiliates
- Before: spammer does everything from sending to hosting and payment etc.
- Now: find a way to spam, join an affiliate
  - Affiliate handles logistics and pays “commission” to spammer
  - Provides storefront/web templates etc.
- “Specialization” of market!
Slide 11: Realization step
- Use conventional payment step like PayPal/credit card etc.
- Three parts: issuing bank, acquiring bank, association network (Visa, Mastercard)
- To be viable, have to be part of association network and abide by their rules
- Get product from somewhere and ship: “B2B” sites
Slide 12: Curiously..
- Most transactions are coded with correct transaction codes
- Visa/Mastercard are quite severe on violations!
Slide 13: Globalization of Spam!
Slide 14: Data collection
Slide 15
- Feed collection from multiple sources: e.g., honeypots, bots, third parties
- Extract URLs that point to spam
- Build custom DNS and web crawlers to extract nameservers and hosting servers
  - E.g., take screenshots, emulate JS/Flash etc.
  - Some optimizations for scalability to reduce redundant crawls etc.
Slide 16: Data collection (2)
Slide 17
- Content clustering to get “high-level” business activities: pharma, replicas, software
- Cluster pages that look similar and tag categories
- Cluster by affiliates also
- Manual regexp tagging
Slide 18: Purchasing
- Did 120 purchases
- Some were blocked!
- 76 authorized and 56 settled
Slide 19: Doing this study is non-trivial!
- Spammers are not dumb!
  - Care to ensure IP was correct: spammers check for security companies trying to catch them and use GeoLoc services
- Tracking transactions is not easy
  - Paying from grants is not easy
  - Got a bank to give them throwaway cards and track transactions
- Ethics/legality
  - What products to buy?
  - Human subjects?
Slide 20: Why take all this pain??
- Analyze bottlenecks in spam value chain!
  - Name servers?
  - Hosting servers?
  - Realization?
Slide 21: Criteria for blocking
- Resource diversity
- Switching cost
- Few opportunities for spammers to respawn
Slide 22: Name registrars
- Some concentration (NauNet)
- But lots of diversity
- Low switching cost: domains are cheap and expendable (bulk price: $1)
Slide 23: Hosting?
- Many choices
- Low switching cost
- Host via botnets
Slide 24: Banks?
- Low diversity
  - Three banks cover 95% of our corpus
  - Few banks willing to work with “high risk” merchants
- High switching cost
  - Requires creating merchant account at bank in person
  - Money held by bank to cover chargebacks
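The blocking criteria of slides 21 to 24 (resource diversity at each tier of the value chain, combined with switching cost) can be turned into a small measurement. The script below is an added example, not code from the lecture or from the Click Trajectories authors; the 20 storefront records and the provider names are constructed placeholders, and the switching-cost lookup encodes the slides' qualitative judgement as an assumed table. It computes, per tier, the number of distinct providers, the share of the corpus covered by the top three, and a Herfindahl index, then reports the tiers that are both concentrated and costly to switch away from.

```python
from collections import Counter

# Constructed sample of 20 observed spam storefronts (placeholder values,
# not data from the paper). Each record names the provider used at three
# tiers of the value chain.
REGISTRARS = ["registrar-0"] * 6 + [f"registrar-{i}" for i in range(1, 15)]
HOSTING = [f"AS{i}" for i in range(1, 21)]      # every storefront on a different host
BANKS = ["bank-x"] * 10 + ["bank-y"] * 6 + ["bank-z"] * 3 + ["bank-w"]
CAMPAIGNS = [
    {"registrar": r, "hosting": h, "bank": b}
    for r, h, b in zip(REGISTRARS, HOSTING, BANKS)
]

# Switching cost per tier as argued on the slides; assumed here as a lookup
# so it can be combined with the measured concentration.
SWITCHING_COST = {"registrar": "low", "hosting": "low", "bank": "high"}
TIERS = ("registrar", "hosting", "bank")


def tier_concentration(records, tier, top_k=3):
    """Measure resource diversity at one tier of the value chain."""
    counts = Counter(rec[tier] for rec in records)
    total = sum(counts.values())
    top = counts.most_common(top_k)
    top_share = sum(c for _, c in top) / total
    # Herfindahl index: 1.0 means a single provider, near 0 means fully spread out.
    hhi = sum((c / total) ** 2 for c in counts.values())
    return {
        "distinct": len(counts),
        "top_k_share": top_share,
        "hhi": hhi,
        "top": [name for name, _ in top],
    }


def rank_bottlenecks(records, tiers=TIERS, top_k=3):
    """Order tiers from most to least concentrated (largest top-k share first)."""
    return sorted(
        tiers,
        key=lambda t: tier_concentration(records, t, top_k)["top_k_share"],
        reverse=True,
    )


def blocking_candidates(records, switching_cost=SWITCHING_COST, min_share=0.9, top_k=3):
    """Tiers where few providers cover most of the corpus AND switching is costly."""
    return [
        t for t in TIERS
        if tier_concentration(records, t, top_k)["top_k_share"] >= min_share
        and switching_cost.get(t) == "high"
    ]


if __name__ == "__main__":
    for tier in TIERS:
        stats = tier_concentration(CAMPAIGNS, tier)
        print(f"{tier:9s} distinct={stats['distinct']:2d} "
              f"top3_share={stats['top_k_share']:.2f} hhi={stats['hhi']:.3f}")
    print("most concentrated first:", rank_bottlenecks(CAMPAIGNS))
    print("blocking candidates:", blocking_candidates(CAMPAIGNS))
```

On the constructed sample the bank tier is the only one that passes both tests: three banks cover 95% of the records and the switching cost is high, while registrars show some concentration but remain cheap to replace and hosting is fully dispersed. The same functions apply unchanged to a real corpus with more tiers (name servers, affiliate programs) added to TIERS and SWITCHING_COST.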
Slide 25: Suggested reading
Slide 26: Two papers
- Click Trajectories
- Manufacturing Compromise
Slide 27: Problem they are studying
- Emergence of “software-as-a-service” model in browser compromise: exploit as a service!
- Decoupling complexity of compromise from the act of driving traffic to the malicious server
Slide 28: Before EaaS
- Pay per install: malware compromises host by social engineering, spam etc.
- Hosts shared on underground forums
- EaaS focuses on drive-by downloads
Slide 29: What’s a drive-by download?
- Download that happens without a user’s knowledge
- E.g., innocent click on popup window or message is “implicit” ack for downloading
- Target browser and extension vulnerabilities
Slide 30
Slide 31: Exploit kit
- Earliest known was MPack (2006)
- Profiles browser/OS etc.
- Delivers a suitable exploit
- Traditional: one-time fees like software
- New model: SaaS paradigm
Slide 32: Traffic PPI
- Evolution of PPI
- Decouple the steps
- PPI service handles 1, 2, 3 and 5; “client” just provides (4)
Slide 33: What happens after install?
- Monetization via spam
- PII harvesting
- Click fraud
- Hijacking browser
- FakeAV
- Proxy and hosting (“cloud”)
- Droppers for third parties
Slide 34: Measurement methodology
Slide 35: Malware sources
Slide 36: Contained execution
- Typical of “honeypots”
- Want to “fake” real services so that malware behaves normally
- But avoid damage to real services
- E.g., trap on actual packets
Slide 37: Clustering malware families
- Several heuristics: domains contacted, HTTP requests, system modifications, screenshots
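To make the clustering heuristics on slide 37 concrete, here is an added example (not code from the lecture or from the Manufacturing Compromise authors) that groups sandbox reports into families. Each report is reduced to three feature sets, one per heuristic (domains contacted, HTTP request lines, system modifications); the five reports and their values are constructed placeholders, and the screenshot heuristic is left out because it would need an image-hashing library. Similarity is the mean Jaccard overlap across heuristics, and samples are merged by single-linkage union-find when that score reaches a threshold.

```python
from itertools import combinations

# Constructed sandbox summaries (placeholder values, not data from the paper):
# for each sample, the feature set observed under each heuristic. Screenshots
# would be a fourth heuristic (e.g. a perceptual hash); omitted here.
SAMPLES = {
    "s1": {"domains": {"a.example", "b.example"}, "http": {"GET /gate.php"},
           "sysmod": {"runkey:updater"}},
    "s2": {"domains": {"a.example", "c.example"}, "http": {"GET /gate.php"},
           "sysmod": {"runkey:updater"}},
    "s3": {"domains": {"x.example"}, "http": {"POST /upload"},
           "sysmod": {"service:svc1"}},
    "s4": {"domains": {"x.example", "y.example"}, "http": {"POST /upload"},
           "sysmod": {"service:svc1"}},
    "s5": {"domains": {"z.example"}, "http": {"GET /ping"}, "sysmod": set()},
}
HEURISTICS = ("domains", "http", "sysmod")


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets carry no evidence, so score 0."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity(x, y, heuristics=HEURISTICS):
    """Mean Jaccard across heuristics, so one shared domain alone is not enough."""
    return sum(jaccard(x[h], y[h]) for h in heuristics) / len(heuristics)


def cluster_families(samples, threshold=0.5):
    """Single-linkage clustering via union-find: samples whose pairwise
    similarity reaches the threshold end up in the same family."""
    parent = {s: s for s in samples}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]   # path halving keeps lookups short
            s = parent[s]
        return s

    for a, b in combinations(samples, 2):
        if similarity(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for s in samples:
        groups.setdefault(find(s), []).append(s)
    # Deterministic output: each family sorted, families sorted by first member.
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for family in cluster_families(SAMPLES):
        print("family:", ", ".join(family))
```

With the default threshold the constructed reports fall into three families (s1 with s2, s3 with s4, s5 alone); raising the threshold to 0.9 splits every sample off, which is the usual tuning knob when a single shared domain such as a CDN or a public API would otherwise glue unrelated samples together.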
Slide 38: Key findings
- No single source of malware is comprehensive
- 9 exploit kits account for 92% of malicious URLs; 29% are Blackhole
- Kits distribute 32 most prominent malware families
- Infrastructure for hosting is short lived: 2.5 hrs
- URL crawling has limitations
Slide 39: Takeaways
- Cybercrime infrastructure is a full-fledged business
- Pretty “robust” ecosystem: often hide behind bulletproof hosting services and/or botnets
- Emergence of business models: affiliates, EaaS, exploit kits, “specialization”, “globalization”, customer care
- Payment seems like a potential bottleneck