
Internet CyberCrime Economics - PowerPoint Presentation

alexa-scheidler
342 views
Uploaded On 2019-06-21



Presentation Transcript

Slide1

Internet CyberCrime Economics

Vyas Sekar

1

Slide2

Why study Internet cybercrime?

Understand structure of attack ecosystem
  Potential weaknesses?
  How many organizations involved?
  How easy is it to stop?
  How easy is it for attackers to respawn?

2

Slide3

Little published on this topic

Sensitive
Hard to perform this style of investigation
Ground truth: e.g., check out krebsonsecurity.com
UCSD/ICSI have done quite a bit

3

Slide4

Two papers

Click Trajectories
Manufacturing Compromise

4

Slide5

Click Trajectory

Characterize resource dependencies for spam
Many months of spam data
Analyze ecosystem of servers, name servers, hosts
Real online transactions!

5

Slide6

Key findings from paper

Payment tier is most concentrated
Few banks seem to transact most payments
Potential point of effective blocking!

6

Slide7

Spam is a complex business today

Advertising
  Sending emails etc.
Click support
  Non-trivial, and needs to be robust to defenders
Realization
  Get actual transactions, customer support

7

Slide8

Prior work on Spam

Detection – ML/NLP etc.
Blocking – signatures, network blocks
Mostly focus on the “advertising” aspect
This work is different – focus on click and realization aspects

8

Slide9

Click support in depth

Historical: direct URLs
  Easy to block
Currently use many redirects
Outsourced DNS / managed DNS
  Domain resources eventually managed by spammer
  Find “indifferent” registrars
Name servers
  Find “bulletproof” hosting services
Web servers
  Bulletproof hosting, fast-flux DNS

9

Slide10

Emergence of affiliates

Before
  Spammer does everything, from sending to hosting and payment etc.
Now
  Find a way to spam
  Join affiliate
  Affiliate handles logistics and pays “commission” to spammer
  Provides storefront/web templates etc.
“Specialization” of market!

10

Slide11

Realization step

Use conventional payment step like PayPal/credit card etc.
Three parts: issuing bank, acquiring bank, association network (Visa, Mastercard)
To be viable, have to be part of association network and abide by their rules
Get product from somewhere and ship
  “B2B” sites

11

Slide12

Curiously..

Most transactions are coded with correct transaction codes
Visa/Mastercard are quite severe on violations!

12

Slide13

Globalization of Spam!

13

Slide14

Data collection

14

Slide15

Feed collection from multiple sources
  E.g., honeypots, bots, third parties
Extract URLs that point to spam
Build custom DNS and web crawlers to extract nameservers and hosting servers
  E.g., take screenshots, emulate JS/Flash etc.
Some optimizations for scalability to reduce redundant crawls etc.

15

Slide16

Data collection (2)

16

Slide17

Content clustering to get “high-level” business activities
  Pharma, replicas, software
Cluster pages that look similar and tag categories
Cluster by affiliates also
Manual regexp tagging

17

Slide18

Purchasing

Did 120 purchases
Some were blocked!
76 authorized and 56 settled

18

Slide19

Doing this study is non-trivial!

Spammers are not dumb!
  Care to ensure IP was correct
  Spammers check for security companies trying to catch them and use geolocation services
Tracking transactions is not easy
  Paying from grants is not easy
  Got a bank to give them throwaway cards and track transactions
Ethics/legality
  What products to buy?
  Human subjects?

19

Slide20

Why take all this pain??

Analyze bottlenecks in spam value chain!
  Name servers?
  Hosting servers?
  Realization?

20

Slide21

Criteria for blocking

Resource diversity
Switching cost
Few opportunities for spammers to respawn

21

Slide22

Name registrars

Some concentration (NauNet)
But lots of diversity
Low switching cost
  Domains are cheap and expendable (bulk price: $1)

22

Slide23

Hosting?

Many choices
Low switching cost
Host via botnets

23

Slide24

Banks?

Low diversity
  Three banks cover 95% of our corpus
  Few banks willing to work with “high risk” merchants
High switching cost
  Requires creating merchant account at bank in person
  Money held by bank to cover chargebacks
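Slides 20 to 24 rank the value-chain tiers by resource diversity, asking how many providers a defender would have to engage at each tier. The Python below is an added example, not the paper's code or corpus: it runs that per-tier concentration count over a constructed purchase log with placeholder provider names, using the slide's 95% coverage threshold.

```python
"""Per-tier concentration analysis in the spirit of the Click Trajectories
study.  Added example on constructed data; not the paper's code or corpus."""
from collections import Counter

# Constructed purchase log: one tuple per observed spam purchase, naming the
# provider used at each tier of the value chain (placeholder names).
TIERS = ("registrar", "hosting", "bank")
PURCHASES = [
    ("reg-a", "host-1", "bank-x"), ("reg-a", "host-2", "bank-x"),
    ("reg-a", "host-3", "bank-x"), ("reg-a", "host-4", "bank-x"),
    ("reg-a", "host-5", "bank-x"), ("reg-b", "host-6", "bank-x"),
    ("reg-b", "host-7", "bank-x"), ("reg-b", "host-8", "bank-x"),
    ("reg-c", "host-9", "bank-x"), ("reg-c", "host-10", "bank-x"),
    ("reg-c", "host-1", "bank-x"), ("reg-d", "host-2", "bank-x"),
    ("reg-d", "host-3", "bank-y"), ("reg-e", "host-4", "bank-y"),
    ("reg-e", "host-5", "bank-y"), ("reg-f", "host-6", "bank-y"),
    ("reg-f", "host-7", "bank-y"), ("reg-g", "host-8", "bank-z"),
    ("reg-g", "host-9", "bank-z"), ("reg-h", "host-10", "bank-w"),
]


def tier_counts(purchases, tier):
    """Count how many purchases relied on each provider at `tier`."""
    idx = TIERS.index(tier)
    return Counter(p[idx] for p in purchases)


def providers_to_cover(purchases, tier, pct=95):
    """Smallest number of providers whose combined share reaches `pct` percent.
    A low number means a concentrated tier (a candidate blocking point); a
    number near the total means defenders must engage nearly every provider."""
    counts = tier_counts(purchases, tier)
    total = sum(counts.values())
    covered = 0
    for n, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered * 100 >= pct * total:  # integer compare, no float rounding
            return n
    return len(counts)


def rank_tiers(purchases, pct=95):
    """Order tiers from most to least concentrated."""
    return sorted(TIERS, key=lambda t: providers_to_cover(purchases, t, pct))


if __name__ == "__main__":
    for tier in rank_tiers(PURCHASES):
        n, total = providers_to_cover(PURCHASES, tier), len(tier_counts(PURCHASES, tier))
        print(f"{tier}: {n} of {total} providers cover 95% of purchases")
```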

24

Slide25

Suggested reading

25

Slide26

Two papers

Click Trajectories
Manufacturing Compromise

26

Slide27

Problem they are studying

Emergence of “software-as-a-service” model in browser compromise
Exploit as a service!
Decoupling complexity of compromise from the act of driving traffic to the malicious server

27

Slide28

Before EaaS

Pay per install
  Malware compromises host by social engineering, spam etc.
  Hosts shared on underground forums
EaaS focuses on drive-by downloads

28

Slide29

What’s a drive by download?

A download that happens without the user’s knowledge
  E.g., an innocent click on a popup window or message is the “implicit” ack for downloading
Target browser and extension vulnerabilities

29

Slide30

30

Slide31

Exploit Kit

Earliest known was MPack (2006)
Profiles browser/OS etc.
Delivers a suitable exploit
Traditional: one-time fees, like software
New model: SaaS paradigm

31

Slide32

Traffic PPI

Evolution of PPI
Decouple the steps
  PPI service handles 1, 2, 3 and 5
  “Client” just provides (4)

32

Slide33

What happens after install?

Monetization via:
  Spam
  PII harvesting
  Click fraud
  Hijacking browser
  FakeAV
  Proxy and hosting (“cloud”)
  Droppers for third parties

33

Slide34

Measurement methodology

34

Slide35

Malware sources

35

Slide36

Contained execution

Typical of “honeypots”
Want to “fake” real services so that malware behaves normally
But avoid damage to real services
  E.g., trap on actual packets

36

Slide37

Clustering malware families

Several heuristics:
  Domains contacted
  HTTP requests
  System modifications
  Screenshots
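The slide lists behavioural heuristics for grouping samples into families. The Python below is an added example, not the paper's pipeline: it flattens constructed sandbox reports (domains contacted, HTTP requests, system modifications; screenshots are omitted) into feature sets and groups samples by Jaccard similarity with single-linkage clustering. Sample ids, domains and paths are placeholders.

```python
"""Cluster sandbox reports into likely malware families from the behavioural
heuristics on the slide.  Added example on constructed reports; not the
paper's pipeline, which also used screenshots."""

# Constructed sandbox observations keyed by placeholder sample id.
REPORTS = {
    "s1": {"domains": {"a.test", "b.test"}, "http": {"GET /gate.php", "POST /up"},
           "sysmod": {"runkey:svchost", "drop:a.exe"}},
    "s2": {"domains": {"a.test", "c.test"}, "http": {"GET /gate.php", "POST /up"},
           "sysmod": {"runkey:svchost", "drop:b.exe"}},
    "s3": {"domains": {"x.test"}, "http": {"GET /stats"},
           "sysmod": {"runkey:update", "drop:x.dll"}},
    "s4": {"domains": {"x.test", "y.test"}, "http": {"GET /stats"},
           "sysmod": {"runkey:update"}},
}


def features(report):
    """Flatten one report into a set of typed feature strings."""
    return {f"{kind}:{v}" for kind, vals in report.items() for v in vals}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as unrelated."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster(reports, threshold=0.5):
    """Single-linkage clustering: two samples join the same family when their
    feature sets overlap by at least `threshold` (union-find over pairs)."""
    feats = {k: features(v) for k, v in reports.items()}
    ids = sorted(feats)
    parent = {i: i for i in ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if jaccard(feats[a], feats[b]) >= threshold:
                parent[find(a)] = find(b)
    families = {}
    for i in ids:
        families.setdefault(find(i), []).append(i)
    return sorted(families.values())


if __name__ == "__main__":
    for n, fam in enumerate(cluster(REPORTS), start=1):
        print(f"family {n}: {', '.join(fam)}")
```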

37

Slide38

Key findings

No single source of malware is comprehensive
9 exploit kits account for 92% of malicious URLs
  29% are Blackhole
Kits distribute 32 most prominent malware families
Infrastructure for hosting is short-lived (2.5 hrs)
URL crawling has limitations

38

Slide39

Takeaways

Cybercrime infrastructure is a full-fledged business
Pretty “robust” ecosystem
  Often hide behind bulletproof hosting services and/or botnets
Emergence of business models
  Affiliates, EaaS, exploit kits, “specialization”, “globalization”, customer care
Payment seems like a potential bottleneck

39