Post on 30-May-2020
Data Exploration and Midterm Review
Tyler Moore
CSE 7338, Computer Science & Engineering Department, SMU, Dallas, TX
Lecture 4
Outline
1 Midterm review
2 Characteristics of cybercrime
3 Cybercrime supply chains
4 Fighting cybercrime
5 Measuring cybercrime
6 The cost of cybercrime
2 / 81
Midterm review
Midterm Exam
You have 90 minutes
My goal is for the exam to take 60 minutes to complete
You are allowed to bring in one sheet of letter-sized paper with hand-written notes (one size only)
Calculators are allowed but not required (no smartphones or computers)
Warning from the test:
You may not speak to any of your classmates during the exam; anyone observed communicating with others (in verbal, written or cyber form) will receive a failing grade. Anyone found using the Internet or other outside resources beyond the single sheet of paper with notes will receive a failing grade.
Non-exhaustive list of topics: security
Protection goals (confidentiality, integrity, availability)
Asymmetric cryptography (for confidentiality and integrity)
Symmetric cryptography
Identification vs. authentication vs. authorization
Threat models
Non-exhaustive list of topics: economics
Preferences and utility functions
Indifference curves
Expected utility
Attitudes to risk
Market failures
Non-exhaustive list of topics: security investment
Metrics (ALE, EBIS, ENBIS, ROSI, NPV)
Models
Breach probability functions
Optimal investment
Gordon-Loeb model (BPF, what decreasing marginal returns of security investment means, 37% rule)
No calculus required, but you may need to interpret a plot
Risk management
Model of filtering with false positives and negatives
Cost-benefit analysis
Calculate expected benefits with multiple loss types
Interpret graphs
Identify breakeven values
Example question
Suppose that without taking precautions, there is a 5% chance a firm will be hacked, costing the firm $12 million. Suppose that the company is considering spending $20K on a solution that will reduce the probability of being hacked to 2%.
a. What is the expected loss if no additional precautions are taken?
b. What is the expected loss if the additional security investment is made?
c. What is the expected benefit of additional security investment?
d. What is the expected net benefit of additional security investment?
e. What is the return on security investment of additional security spending?
f. Would you advise that the firm spend the extra $20K on security? What metrics justify your decision?
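The example question above, worked in code. This is an added example written for these notes, not material from the lecture; it computes the course's metrics (expected loss/ALE, EBIS, ENBIS, ROSI and the break-even spend) for the slide's numbers and then, because the topics list asks for expected benefits with multiple loss types, generalises to several (probability, impact) pairs. The function names, the second scenario's figures (a regulatory fine) and the ROSI convention ENBIS divided by cost are this example's own assumptions; check the convention against the one used in lecture.

```python
# Added example (not from the lecture slides): security-investment metrics
# for the midterm example question, generalised to several loss types.
# Function and parameter names are this example's own.


def expected_loss(losses):
    """Annual loss expectancy: sum over loss types of probability * impact.

    `losses` is an iterable of (probability, impact_in_dollars) pairs, one
    per loss type; with a single pair this is the plain ALE = p * L.
    """
    return sum(p * L for p, L in losses)


def investment_metrics(baseline, mitigated, cost):
    """Return the midterm metrics for one candidate security spend.

    baseline  : loss types without the investment, [(p, L), ...]
    mitigated : the same loss types after the investment, [(p', L'), ...]
    cost      : cost of the investment over the same period
    """
    ale_before = expected_loss(baseline)
    ale_after = expected_loss(mitigated)
    ebis = ale_before - ale_after        # expected benefit of investment
    enbis = ebis - cost                   # expected net benefit
    rosi = enbis / cost                   # return on security investment
    #                                       (assumed convention: net benefit / cost)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "EBIS": ebis,
        "ENBIS": enbis,
        "ROSI": rosi,
        "invest": enbis > 0,              # decision rule: positive net benefit
    }


def breakeven_cost(baseline, mitigated):
    """Largest spend at which ENBIS is still zero: the break-even value."""
    return expected_loss(baseline) - expected_loss(mitigated)


if __name__ == "__main__":
    # The slide's numbers: 5% chance of a $12M breach, reduced to 2% for $20K.
    before = [(0.05, 12_000_000)]
    after = [(0.02, 12_000_000)]
    for k, v in investment_metrics(before, after, 20_000).items():
        print(f"{k:>10}: {v:,.2f}" if isinstance(v, float) else f"{k:>10}: {v}")
    print("break-even cost:", breakeven_cost(before, after))

    # Multiple loss types (constructed figures, not from the slides): the same
    # breach plus a separate 10% chance of a $500K fine that the control halves.
    before2 = [(0.05, 12_000_000), (0.10, 500_000)]
    after2 = [(0.02, 12_000_000), (0.05, 500_000)]
    print(investment_metrics(before2, after2, 20_000))
```

For the slide's scenario the expected loss falls from $600K to $240K, so EBIS is $360K, ENBIS $340K and ROSI 17 (1700%); any spend below the $360K break-even value still has a positive net benefit, which is the justification asked for in part f.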
Characteristics of cybercrime
Defining cybercrime
We (mainly) adopt the European Commission’s proposed definition:
1 traditional forms of crime such as fraud or forgery, though committed over electronic communication networks and information systems;
2 the publication of illegal content over electronic media (e.g., child sexual abuse material or incitement to racial hatred);
3 crimes unique to electronic networks, e.g., attacks against information systems, denial of service and hacking.
For this part of the course, we are mainly concerned with cybercrimes that are profit-motivated, not so much crimes fitting the second component of the definition
The boundary between traditional and cybercrimes is fluid
Distinguishing between types of cybercrime
Online banking fraud
Fake antivirus
‘Stranded traveler’ scams
‘Fake escrow’ scams
Advanced fee fraud
Infringing pharmaceuticals
Copyright-infringing software
Copyright-infringing music and video
Online payment card fraud
In-person payment card fraud
PABX fraud
Industrial cyber-espionage and extortion
Welfare fraud
Tax and tax filing fraud
Three categories are distinguished: ‘Genuine’ cybercrime, Transitional cybercrime, Traditional crime becoming ‘cyber’
How does cybercrime differ from traditional crime?
1 Scale – a single attack can make little money and be unsuccessful most of the time, yet still be hugely profitable if it is replicated easily for almost no cost
2 Global addressability – pool of available targets remains practically infinite
3 Distributed control – stakeholders have competing interests and limited visibility across networks, which hampers the ability to defend against attacks
4 International nature – makes law enforcement more difficult
Distinguishing between ‘primary’ cybercrimes and infrastructure crimes
‘Primary’ cybercrimes perpetrate a particular scam (e.g., phishing steals bank credentials, illicit pharmaceutical programs sell prescription drugs without prescription)
Yet these primary cybercrimes rely on a criminal infrastructure common to most scams
1 Exploits: offer a way to compromise computers so that unauthorized software can be executed
2 Botnets: provide anonymity to criminals and a resource for exploitation
3 Email spam: advertises scams to unsuspecting victims
4 Search-engine poisoning: exposes unsuspecting victims to scams
Cybercrime supply chains
Supply chains and the division of labor
Adam Smith on pin production (1776):
One man draws out the wire, another straights it, a third cuts it, a fourth points it, a fifth grinds it at the top for receiving the head: to make the head requires two or three distinct operations: to put it on is a particular business, to whiten the pins is another ... and the important business of making a pin is, in this manner, divided into about eighteen distinct operations, which in some manufactories are all performed by distinct hands, though in others the same man will sometime perform two or three of them.
The underground economy: division of labor in cybercrime
Advertisement
i have boa wells and barclays bank logins....have hacked hosts, mail lists, php mailer send to all inbox
i need 1 mastercard i give 1 linux hacked root
i have verified paypal accounts with good balance...
and i can cashout paypals
Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
Credit card #s for sale on underground
Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
Services on offer on underground
Source: http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf
Some advertised prices on the underground
Source: http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf
Cybercrime supply chains
traffic → host → hook → monetization → cash out
Phishing supply chain step 1: traffic (email spam)
Phishing supply chain step 2: host (compromise server)
Phishing supply chain step 3: hook (phishing kit)
Phishing supply chain step 4: monetize (bank transfer)
Phishing supply chain step 5: cash out (hire mules)
Illicit online pharmacies
Illicit online pharmacies
What do illicit online pharmacies have to do with phishing?
Both make use of a similar criminal supply chain
1 Traffic: hijack web search results (or send email spam)
2 Host: compromise a high-ranking server to redirect to pharmacy
3 Hook: affiliate programs let criminals set up website front-ends to sell drugs
4 Monetize: sell drugs ordered by consumers
5 Cash out: no need to hire mules, just take credit cards!
For more: http://lyle.smu.edu/~tylerm/usenix11.pdf
Abusing dynamic search terms
At best you may encounter ad-filled sites
At worst you may encounter malware
Abusing search-engine results
Once again the criminal supply chain is similar
1 Traffic: hijack unrelated web search results
2 Host: compromise a high-ranking server
3 Hook: install an exploit (for fake AV), or fill with auto-generated content (for ad sites)
4 Monetize: peddle fake AV or load page with ads
5 Cash out: credit cards or hire mules (fake AV), or get paid by ad platforms
For more: http://lyle.smu.edu/~tylerm/ccs11.pdf
Cybercrime supply chains: common mode of operation
Cybercrime | Traffic | Host | Hook | Monetization | Cash out
Phishing (bank) | email spam | hacked server | website kit | ACH transfer | money mule
Phishing (email acct.) | email spam | hacked server | website kit | ‘stranded traveler’ | -
Phishing (email acct.) | email spam | hacked server | website kit | malware | -
Phishing (social net.) | email spam | hacked server | website kit | ‘stranded traveler’ | -
Phishing (social net.) | email spam | hacked server | website kit | malware | -
Illicit pharma | email spam | hacked server | website frontend | payments | -
Illicit pharma | web poisoning | hacked server | website frontend | payments | -
Fake antivirus | web poisoning | hacked server | exploit install | payments | -
Fake antivirus | web poisoning | hacked server | exploit install | e-currency | money mules
Ad-laden sites | web poisoning | own server | - | PPC ads | ad platform
Typosquatting | user error | own server | - | PPC ads | ad platform
‘Stranded traveler’ | social net. takeover | - | deceptive msg. | wire transfer | -
‘Fake escrow’ scams | auction buyers | own server | deceptive msg. | wire transfer | -
Industrial espionage | email spam | own server | exploit install | exfiltrate data | -
Market for crimeware
Supply chain stages: traffic → host → hook → monetization → cash out (diagram actors: Alice, Bob, Charlie, David, one specialist per stage)
Option 1: underground market as pin factory. The attacker buys each stage from a different specialist and sells the output on; mules handle the cash out.
Phisherman: buys spam (traffic), buys a compromised server (host), buys a kit (hook), sells credentials (monetization), hires mules (cash out)
Counterfeit drugs salesman: buys spam, hires a server, becomes an affiliate, completes the sale
Option 2: traffic brokers. The attacker buys traffic from a broker (Alice) and monetizes it, e.g., by advertising fraud or by infecting visitors with malware.
More info: http://iseclab.org/papers/weis2010.pdf
Option 3: exploit-as-a-service. The attacker provides the traffic, buys EaaS and installs malware.
More info: http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
Option 4: pay-per-install. The attacker orders PPI and uses the compromised machines (e.g., show fake AV, steal credentials, launch DoS).
More info: http://www.usenix.org/events/sec11/tech/full_papers/Caballero.pdf
Vertical integration of supply chains
traffic host hook monetization cash out
While underground forums, pay-per-install and exploit-as-a-service attract the most attention, some criminals vertically integrate
Why? Better defense against ‘rippers’ (see http://research.microsoft.com/pubs/80034/nobodysellsgoldforthepriceofsilver.pdf)
Some EaaS and PPI suites are not for sale, but instead used exclusively by particular gangs (e.g., Carberp)
Vertical integration in phishing: rock-phish gang
‘Rock-phish’ gang used vertical integration to carry out phishing attacks
At 2007-08 peak, accounted for half of phishing attacks
1 Purchase several innocuous-sounding domains (e.g., lof80.info)
2 Send out phishing email with URL
http://www.volksbank.de.netw.oid3614061.lof80.info/vr
3 Gang-hosted DNS server resolves domain to IP address of one of several compromised machines
4 Compromised machines run a proxy to a back-end server
5 Server loaded with many fake websites (around 20), all of which can be accessed from any domain or compromised machine
Fighting cybercrime
Private actors take steps to mitigate risk of cybercrime (e.g., install AV)
Considerable effort is made to stop cybercrime after it has been committed
Interested private actors and law enforcement both play a role
Voluntary defenses against cybercrime
Actors in voluntary cybercrime defense
1 “Vigilantes” (e.g., AA419) who gather evidence and pass information to relevant operators
2 Industry victims (e.g., banks) who directly employ teams to remove objectionable content
3 Responding operators (e.g., hosting providers) who cooperate with requests from victims
4 “Mercenaries” (e.g., take-down companies) who clean up wicked content for hire
5 Industry collaboratives (e.g., Conficker Working Group) who pool resources and data on incidents to collaborate against threats after they emerge
Law enforcement approaches to cybercrime
1 Infiltrate underground communications channels ex ante
Simplifies job in terms of evidence collection
Deals with internationalization challenges
Has potential to obviate harm
Hard to figure out whether those caught represent significant threats or not
2 Pursue criminal groups ex post
Can go after those criminals who have the biggest impact
Challenge is that many groups are in protected jurisdictions
Notice and take-down
Undesirable content pervades the Internet
Schemes for its removal are called notice and take-down (NTD) regimes
Those who want the content removed get into contact with the responsible ISPs, webmasters
We discuss NTD regimes to illuminate how private and public actors fight cybercrime
Types of content subject to NTD
Defamation
Copyright violations
Phishing
Fake escrow agents
Mule-recruitment websites
Online pharmacies
Spam, malware and virus hosts
Child sexual abuse images
Comparing NTD regimes
Factors for comparing NTD regimes
Incentives for removal on requesting party
Formalization of NTD mechanism
Legal framework available
Hosting strategy used by offenders
Speed at which material is removed
We can compare the speed of removal for different regimes, and see how the results match up to the available incentives, legal frameworks and hosting strategies
Phishing
Phishing websites impersonate banks to commit identity theft
Banks issue take-down notices despite no legislative basis
Hosting options for phishing websites
1 Compromised machine (http://www.example.com/~user/images/www.bankname.com/)
2 Free webspace (http://www.bankname.freespacesitename.com/signin/)
3 Registered domain (bankname-variant.com) which then points to free webspace or compromised machine
Phishing (ctd.)
4 Rock-phish attacks
Purchase many innocuous-sounding domains (e.g., lof80.info)
Send out phishing email with URL
http://www.volksbank.de.netw.oid3614061.lof80.info/vr
Gang-hosted DNS server resolves domain to IP address of one of several compromised machines, which proxy to the mothership hosting 20 fake websites
5 Fast-flux attacks
Same strategy as rock-phish, except domains resolve to 5 IP addresses for a short time, then abandon them for 5 more
Forces take-down of domains, not compromised machines
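The rock-phish URL pattern above (also on the ‘Vertical integration in phishing’ slide) and the fast-flux behaviour, turned into two checks a take-down analyst can run. This is an added example written for these notes, not code from the lecture or the cited papers: it extracts the registrable domain (the thing a registrar can actually take down) from a hostname whose subdomain labels spell out the victim brand, and it flags domains that a passive-DNS feed shows cycling through many IP addresses with short TTLs. The public-suffix stub, the watched-brand list, the flux thresholds and the DNS records are all assumptions or constructed data; in practice use the real public suffix list and your own thresholds.

```python
# Added example (not from the lecture slides): rock-phish and fast-flux
# indicators. Sample URLs and passive-DNS records are constructed; the
# suffix list is a stand-in for the real public suffix list (assumption).

from collections import defaultdict
from urllib.parse import urlsplit

# Tiny stand-in for the public suffix list; use the real list in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "de", "co.uk"}

# Brands whose appearance inside a subdomain should raise an alert (assumed).
WATCHED_BRANDS = {"volksbank", "bankname"}


def registrable_domain(host):
    """Return the part of `host` a registrar actually sold (the take-down
    target), e.g. 'www.volksbank.de.netw.oid3614061.lof80.info' -> 'lof80.info'.
    Falls back to the whole host if no known suffix matches.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if i > 0 and ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def brands_in_subdomain(url):
    """Rock-phish pattern: a brand name (often followed by its real TLD) is
    placed in the subdomain labels of an innocuous registrable domain. Returns
    the watched brands found there, so a legitimate bank host returns []."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    return sorted(b for b in WATCHED_BRANDS if b in sub.split("."))


def fast_flux_candidates(records, min_ips=5, max_ttl=300):
    """Flag domains that resolve to many distinct IPs with short TTLs.

    `records` are (domain, ip, ttl) tuples as a passive-DNS sensor would
    collect them over time. A fast-flux domain cycles through small sets of
    compromised hosts, so its IP set grows while TTLs stay low; a stable
    site reuses one or two addresses with long TTLs. Thresholds are assumed.
    """
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return sorted(
        d for d in ips
        if len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl
    )


if __name__ == "__main__":
    print(brands_in_subdomain(
        "http://www.volksbank.de.netw.oid3614061.lof80.info/vr"))  # ['volksbank']
    print(brands_in_subdomain("http://www.volksbank.de/"))          # []

    # Constructed passive-DNS records: a fast-flux domain rotating through
    # ten addresses at 180 s TTL versus a normal site on one address.
    recs = [("lof80.info", f"198.51.100.{i}", 180) for i in range(10)]
    recs += [("example.com", "203.0.113.5", 86400)] * 10
    print(fast_flux_candidates(recs))                                  # ['lof80.info']
```

The first check explains why take-down has to target lof80.info rather than the brand-looking prefix: every label left of the registrable domain is under the gang's control. The second check is the passive-DNS observation from the ‘Measuring cybercrime’ slides applied to one domain at a time; a CDN also spreads a name over several addresses, so in production the threshold should be tuned against known-good traffic rather than taken from this example.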
Phishing-website lifetimes by hosting method
Hosting method | Sites | Mean lifetime (hours) | Median lifetime (hours)
Free web-hosting, all | 395 | 47.6 | 0
Free web-hosting, brand owner aware | 240 | 4.3 | 0
Free web-hosting, brand owner missed | 155 | 114.7 | 29
Compromised machines, all | 193 | 49.2 | 0
Compromised machines, brand owner aware | 105 | 3.5 | 0
Compromised machines, brand owner missed | 155 | 103.8 | 10
Rock-phish domains | 821 | 70.3 | 33
Fast-flux domains | 314 | 96.1 | 25.5
Fake escrow agents
Fake escrow agents (ctd.)
Fake escrow agents
Unlike phishing, fake escrow agents do not impersonate a real business
Instead, they impersonate a service
Fake escrow agent lifetimes
For 696 fake escrow sites, mean lifetime is 222 hours (24.5 hour median)
Bank customers are harmed, but no bank is impersonated so the banks don’t get involved
Only motivated ‘vigilantes’ remove the sites
Longer lifetime than phishing, but surprisingly short
Mule-recruitment websites
Mule-recruitment websites
Mule-recruitment websites
Mule-recruitment websites
Child sexual abuse images
Perhaps the most widely condemned form of Internet content
Universally illegal
Internet Watch Foundation (IWF)
Operates a ‘hotline’ for reports in the UK
Trained staff check reports, pass along to the UK police if illegal
If site is located in the UK, pass report directly to ISP
If site is located overseas, pass report to respective authority
IWF kindly provided sanitized data on websites they track
Website lifetimes for all types of offending content
Content type | Sites | Mean lifetime (hours) | Median lifetime (hours)
Child sexual abuse images | 2,585 | 719 | 288
Phishing: free web-hosting | 240 | 4.3 | 0
Phishing: compromised machines | 105 | 3.5 | 0
Phishing: rock-phish domains | 821 | 70.3 | 33
Phishing: fast-flux domains | 314 | 96.1 | 25.5
Fraudulent websites: escrow agents | 696 | 222.2 | 24.5
Fraudulent websites: mule-recruitment websites | 67 | 308.2 | 188
Fraudulent websites: fast-flux pharmacies | 82 | 1,370.7 | 1,404.5
Comparing speed of removal
Incentive on the party requesting content removal matters most
Banks are highly motivated to remove phishing websites
Banks overcome many international jurisdictions and no clear legal framework
Banks’ incentives remain imperfect: they only remove websites directly impersonating their brand, while overlooking mule-recruitment websites
Technology chosen by attacker has small impact
Fast-flux phishing websites removed within 3 days, fast-flux pharmacies not removed at all!
Why are lifetimes for child sexual abuse images so long?
Mean lifetime is 150 times greater than for phishing hosted on compromised machines!
Dividing take-down responsibility according to national jurisdiction is to blame
If site hosted in UK, IWF work directly with ISPs to remove
If not in UK, IWF notifies law enforcement and equivalent hotline operator
Hotline operators only exist in 29 countries, and policies vary on what to do (e.g., US-based NCMEC only issues take-down notices to ISPs “when appropriate”)
IWF claim they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”
The defamed, the rights holders, the banks, and the take-down companies have not waited for permission
Measuring cybercrime
Why measuring cybercrime is hard
Victims may be reluctant to discuss incidents
Reputational risk
Regulatory risk
Section 5 of the FTC Act authorizes the FTC to take action against unfair or deceptive acts and practices that affect commerce
SEC Disclosure Guidance on Cybersecurity Risks: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Mandatory disclosure used for data breaches
But what to do if affected firms don’t want to share and there’s no mandate?
Relying on third parties for data collection
Enlist support of disinterested third parties who observe evidence of incidents
ISPs already observe every domain name that customers try to visit
Cybercriminals register domain names for purely malicious purposes (e.g., to control computers in a botnet)
One can estimate the prevalence of malicious web traffic at an ISP by observing the logs of its DNS server (passive DNS)
Obtain a copy of records maintained by criminals
One group got access to fake AV records for 3 gangs, including data on conversion rates and revenues
Direct observation
When no one will help, one can collect data directly
Monitoring IRC channels advertising goods for sale
Co-opting portions of a botnet to observe spam conversion rate
Google deploys automated crawlers to block websites distributing malware (found that 1.3% of incoming search queries had at least one malicious result)
While these studies describe the prevalence of badness, it is hard to translate this directly to user harm
There is a trade-off between comprehensiveness and precision when measuring cybercrime
Click trajectories data collection methodology
Source: http://www.icir.org/christian/publications/2011-oakland-trajectory.pdf
Challenges in direct observation
Data that can be observed may not be representative of all crime (think public marketplaces vs. private deals)
Moreover, data that can be observed may exclude the most sophisticated criminals
Corollary: crimes inherently difficult to measure may go unexamined
Why cybercrime surveys are hard to get right
Definitions are loose and left open to interpretation (what counts as an “attack”? see next slide for example)
Definitional ambiguity occurs more often in surveys of consumers than for firms
Sources of measurement error for survey respondents
1 Underreport events not observed to be attacks
2 Misclassify benign events as attacks
3 Translating experience of cybercrime into dollars is hard, so reported figures may be unreliable
Only 22% of CSI survey respondents included a financial figure for cybercrime losses, not fair to extrapolate to those who didn’t report values
Question: Experiences with cybercrime
Cybercrimes can include many different types of criminal activity. How often have you experienced or been a victim of the following situations?
Identity theft (somebody stealing your personal data and impersonating you, e.g. shopping under your name)
Received emails fraudulently asking for money or personal details (including banking or payment information)
Online fraud where goods purchased were not delivered, counterfeit or not as advertised
Not being able to access online services (e.g. banking services) because of cyber attacks
Respondents were asked to answer “often”, “occasionally”, “never”, or “don’t know”.
Why cybercrime surveys are hard to get right
Sample bias occurs when the set of survey respondents does not accurately represent the population being studied
2011 CSI industry survey received a 6.4% response rate, and responses come disproportionately from large companies who invest heavily in IT security
Even with a random sample, the underlying distribution is often inherently skewed
2 outlier losses in CSI’s survey ($20M and $25M), while the average for the other 75 was $100K
Shouldn’t discard the outliers, but can’t use the mean either
Median is a more appropriate summary measure, but doesn’t capture total harm
Another problem for cybercrime surveys
Many cybercrimes affect only a very small portion of the overall population
One study suggests that 0.4% of the Internet population falls for phishing attacks annually
Thus getting a truly random sample of the population requires sampling from a larger pool
Response bias is also magnified
Victims may be more likely to respond to surveys since topic is more salient for them
Victimization rate is inflated by factor matching relative response rate of victims (e.g., if victims are twice as likely to respond, then surveyed incidence will be double the true rate)
For more detail, see: http://research.microsoft.com/apps/pubs/default.aspx?id=149886
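The two survey pitfalls from this slide and the previous one, made concrete. This is an added example for these notes, not code from the lecture or the cited paper. The first function reproduces the mean-versus-median point with the CSI figures quoted on the previous slide (the 75 ordinary responses are constructed as exactly $100K each, since only their average is given). The second derives the response-bias inflation: if a fraction p of the population are victims and victims answer at rate r_v while non-victims answer at r_n, the surveyed victim share is p·r_v / (p·r_v + (1−p)·r_n), which for rare crimes is close to p·(r_v/r_n), the ‘factor matching relative response rate’ on the slide. The response-rate inputs are assumptions; the third function shows how to back the true rate out if those rates are known.

```python
# Added example (not from the lecture slides): survey measurement pitfalls.
# Loss figures follow the CSI numbers quoted on the slide; the 75 ordinary
# responses and all response rates are constructed for the example.

from statistics import mean, median


def summarise_losses(losses):
    """Mean vs. median for a heavy-tailed loss sample.

    Returns (mean, median, share of the total carried by the two largest
    reports). With a couple of outliers the mean tracks the outliers and
    the median tracks the typical firm; neither alone is a total-harm figure.
    """
    top_two = sum(sorted(losses)[-2:])
    return mean(losses), median(losses), top_two / sum(losses)


def surveyed_victim_rate(true_rate, victim_response, nonvictim_response):
    """Victimisation rate a survey will report when victims respond more.

    true_rate          : fraction of the population actually victimised (p)
    victim_response    : probability a victim answers the survey (r_v)
    nonvictim_response : probability a non-victim answers the survey (r_n)

    Among respondents, victims are over-represented by r_v / r_n; for rare
    crimes the reported rate is approximately p * (r_v / r_n).
    """
    v = true_rate * victim_response
    n = (1 - true_rate) * nonvictim_response
    return v / (v + n)


def debias_victim_rate(reported, victim_response, nonvictim_response):
    """Invert surveyed_victim_rate(): recover p from the reported rate,
    given the (assumed known) response rates. Solving R = p*k / (p*k + 1 - p)
    for p with k = r_v / r_n gives p = R / (k - R*(k - 1))."""
    k = victim_response / nonvictim_response
    return reported / (k - reported * (k - 1))


if __name__ == "__main__":
    # CSI survey shape from the slide: 75 respondents averaging $100K,
    # plus two outliers of $20M and $25M.
    csi = [100_000] * 75 + [20_000_000, 25_000_000]
    print(summarise_losses(csi))          # mean ~681,818; median 100,000; top two ~86% of total

    # 0.4% of users fall for phishing (slide); suppose victims are twice as
    # likely to answer (constructed). The survey reports roughly double the truth.
    r = surveyed_victim_rate(0.004, 0.20, 0.10)
    print(r)                              # ~0.00797
    print(debias_victim_rate(r, 0.20, 0.10))  # 0.004
```

The CSI sample makes the slide's point numerically: the mean is nearly seven times the median, and two of 77 responses account for about 86% of the reported total, so a per-firm ‘average loss’ is dominated by whichever outliers happened to answer. The bias formula shows that the doubling is not exact (0.797% rather than 0.8%) because victims displace some non-victims in the respondent pool; the approximation only holds while the true rate is small.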
The cost of cybercrime
How much does cybercrime cost?
Source: http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion
Can such high estimates really be right?
In 2009 AT&T’s Ed Amoroso testified before the US Congress that global cybercrime profits topped $1 trillion
That’s 1.6% of world GDP
Detica’s figure (£27 Bn) is 2% of UK GDP
Not only are the figures eye-poppingly large, it’s often unclear what is being measured
Amoroso spoke of cybercrime ‘profits’, while Detica describes ‘losses’
Upon closer inspection, the Detica estimates don’t hold up
IP theft (£9.2 Bn) and espionage (£7.6 Bn) account for 62% of the total loss estimate
Yet the methodology for computing these estimates appears to rely extensively on random guesses
IP theft: buried on p. 16 of the report, the authors admit “the proportion of IP actually stolen cannot at present be measured with any degree of confidence”, so they assign probabilities of loss and multiply by sectoral GDP
Espionage: because “it is very hard to determine what proportion of industrial espionage is due to cybercrime”, the authors ascribe values to plausible targets and guess how often they might be pilfered
Why are poor cybercrime cost estimates dangerous?
But how can we do better?
It is one thing to point out flaws in others’ estimates, but it is quite another to produce a more reliable estimate of cybercrime losses
The UK Ministry of Defence challenged us to produce a more accurate estimate
Here’s an overview of our attempt
Decomposing the cost of cybercrime
(Figure: the cost of cybercrime to society broken down into criminal revenue, direct losses, indirect losses and defense costs, shown for the cybercrimes themselves and for their supporting infrastructure.)
Many cybercrime measurement efforts conflate different categories of costs, which renders figures incomparable
We break up the cost of cybercrime into four categories
1 Criminal revenue: gross receipts from a crime
2 Direct losses: losses, damage, or other suffering felt by the victim as a consequence of a cybercrime
3 Indirect losses: losses and opportunity costs imposed on society by the fact that a certain cybercrime is carried out
4 Defense costs: cost of prevention efforts
We also distinguish between the primary costs of cybercrimes and the costs attributed to a common infrastructure used to perpetrate cybercrimes (e.g., botnets)
An example cost breakdown: phishing
Criminal revenue
  sum of the money withdrawn from victim accounts
  revenue to spammer for sending phishing mails
Direct losses
  criminal revenue
  time and effort to reset account credentials
  secondary costs of overdrawn accounts (deferred purchases)
  lost attention and bandwidth caused by spam messages
Indirect losses
  loss of trust in online banking
  lost opportunity for banks to communicate via email
  efforts to clean up PCs infected with malware
Defense costs
  security products (spam filters, antivirus)
  services for consumers (training) & industry (‘take-down’)
  fraud detection, tracking, and recuperation efforts
  law enforcement
Indirect and defense costs outweigh direct losses
Cybercrime cost category | Estimate
Direct losses: genuine cybercrime (e.g., phishing, advanced-fee fraud) | $2–3Bn
Direct losses: online payment card fraud | $4Bn
Defense costs: cybercriminal infrastructure (e.g., antivirus) | $15Bn
Defense costs: payment card and online banking security measures | $4Bn
Indirect costs: cybercriminal infrastructure (e.g., malware cleanup) | $10Bn
Indirect costs: loss of confidence in online transactions | $30Bn
Factors affecting the likelihood of shopping online
(Figure: bar chart of effects in percentage points, axis from −15 to +15.)
Factors decreasing the likelihood of buying online:
  General concern: online payments security
  Personal concern: e-commerce fraud
  Experience: e-commerce fraud
  General concern: misuse of personal data
  Personal concern: phishing/fraud spam
Factors increasing the likelihood of buying online:
  Confidence about own Internet skills
  Do online banking
  Higher education
Concern about cybercrime inhibits more than experience
One important and unexpected result: concern about cybercrime inhibits online participation more than direct experience with cybercrime does.
People may find the experience of cybercrime to be less painful than their worst fears
Regardless of what drives the result, its implications are clear
Assuaging society’s concerns over cybercrime should be a priority
Awareness campaigns should focus on positive steps to take that improve cybersecurity, not “scaring people straight” by making cybercrime fears more salient