Underground economy. Economics of Security and Privacy (BMEVIHIAV15) Mark Felegyhazi. assistant professor CrySyS Lab.

Transcription

1 Underground economy Economics of Security and Privacy (BMEVIHIAV15) Mark Felegyhazi assistant professor CrySyS Lab. Underground economy BME Department of Telecommunications (Híradástechnikai Tanszék) mfelegyhazi(atat)crysys(dot)hu

2 Underground economy 2 What is spam? spam = unwanted traffic , FB, Twitter, spam is an economic problem the Internet infrastructure amplifies the issues sending is cheap anonymity helps infrastructure can be dynamically changed after several years of research, spam is still an issue

3 How does spam look like? Underground economy 3

4 Underground economy 4 Defenses defend against spam detect botnets analyze and detect malware binaries block attack vectors using blacklists - , Twitter, FB, SEO, detect and take down infrastructure elements - DNS servers - web servers understand their profits

5 Underground economy 5 Spam is for profit + = spam is not a technology issue economics facet for profit operation most estimates are on the costs > 100 Billion spam s sent every day [Ironport] > $1B in direct costs anti-spam products/services [IDC] Estimates of indirect costs (e.g., productivity) x more need credible estimates on the demand-side Kanich, C. and Kreibich, C. and Levchenko, K. and Enright, B. and Voelker, G.M. and Paxson, V. and Savage, S., Spamalytics: An empirical analysis of spam marketing conversion, ACM CCS 2008

6 Underground economy 6 Costs for spammers benefit if production cost + delivery cost < conversion rate * marginal revenue spam no printing cost production & lead generation cost (i.e. mailing list) negligible delivery cost negligible botnets measure the conversion rate

7 Underground economy 7 Spam conversion rate A B C D E crawler targeted addresses converter not delivered blocked by spam filter ignored by user user left site Kanich, C. and Kreibich, C. and Levchenko, K. and Enright, B. and Voelker, G.M. and Paxson, V. and Savage, S., Spamalytics: An empirical analysis of spam marketing conversion, ACM CCS 2008

8 Underground economy 8 Storm botnet measurement study Overnet protocol workers proxies masters servers (bulletproof hosting) rendezvous codes to build a C&C channel operation 1. worker sends update request to proxies 2. proxies respond with spam workload: - spam template - addresses - dictionary 3. worker send spam 4. worker delivers report

9 Underground economy 9 s assigned per ho Storm botnet infiltration infiltration of the C&C architecture spam delivery honey free accounts for spam spam click-through redirect (part of the) clicks to own websites mimic original site Figure disallow 4: Number checkout of and messages discard assigned all form per info hour for each campaign. campaigns separate crawler visits Date CAMPAIGN DATES WORKERS S Pharmacy Mar 21 Apr 15 31, ,590,389 Postcard Mar 9 Mar 15 17,639 83,665,479 April Fool Mar 31 Apr 2 3,678 38,651,124 Total 469,906,992 Table 1: Campaigns used in the experiment. Number of conne

10 Underground economy 10 Measurements: conversion line A B C D E crawler targeted addresses converter not delivered blocked by spam filter ignored by user user left site STAGE PHARMACY POSTCARD APRIL FOOL A Spam Targets 347,590, % 83,655, % 40,135, % B MTA Delivery (est.) 82,700, % 21,100, % 10,100, % C Inbox Delivery D User Site Visits 10, % 3, % 2, % E User Conversions % % % conversion rate: 1/12.4m 1/265k 1/178k

11 Underground economy 11 Time to click Fraction of clicks Crawlers Users Converters 0 1s 10s 1min 10min 1h 6h 1d 1w 1m Time to click

12 Effects of blacklisting Underground economy Delivery Rate Prior to Blacklisting Delivery Rate Post Blacklisting

13 Geographic distributions of converters (1/2) Underground economy 13

14 Underground economy 14 Geographic distributions of converters (2/2) Number of Responders IND POL RUS CHN FRA GBR BRA MYS TUR CAN BGR UKR KOR DEU JPN AUS SAU THA CZE TWN EGY PAK HUN ISR ZAFITA ROM MEX ARG NLD CHL HKG ESP SGP AUT CHE SWE USA Response Rate for Pharmacy 5e 05 2e 04 5e 04 2e 03 TWN JPN USA FRA TUR MEX CHL ARGKOR GBR AUS CZE CANZAF DEU ITA NLD MYS UKR RUS CHN HUN ISR POL ROM THA VNM BRA PHL BGR EGY SAU PAK IND 2e+04 1e+05 5e+05 2e+06 1e+07 Number of Targets 2e 04 5e 04 1e 03 2e 03 5e 03 1e 02 Response Rate for Self prop

15 Underground economy 15 Conversion calculation 28/350m pharmacy s result in an (attempted) purchase ~ $100 per purchase $2, profit or $140/day BUT, only 1.5% of the worker bots studied estimated turnover: $7000/day or 3.5m/year how much is profit? we don t know cost of sending spam: $25000 means = spam sending would not make profits unless campaigns are interconnected (operated by the same gang) profit margins in spam are narrow and spammers are susceptible to economic-based defenses

16 Underground economy 16 Next step: spam value chain spam conversion conversion rate is small profits are marginal spammers sensitive to cost-increasing defenses GOAL: Find the weakest link in the spam value chain

17 Underground economy 17 Understand the spammers value chain gather data analyze data, infrastructure from spam sending to product delivery identify the weakest link = observe what changes takes the most effort

18 Pharmacy Express Underground economy 18

19 Underground economy 19 Data collection and processing Aug 1 Oct 31, 2010 data sources large URL feeds (security companies, webmail operators) botnet farm output spam honeypots crawling DNS, WHOIS, web clustering and tagging purchases and recording of fulfillments banking info delivery

20 Underground economy 20 Data source total URLs Feed Feed Received Distinct Name Description URLs Domains Feed A MX honeypot 32,548, ,631 Feed B Seeded honey accounts 73,614,895 35,506 Feed C MX honeypot 451,603,575 1,315,292 Feed D Seeded honey accounts 30,991,248 79,040 Feed X MX honeypot 198,871,030 2,127,164 Feed Y Human identified 10,733,231 1,051,211 Feed Z MX honeypot 12,517,244 67,856 Cutwail Bot 3,267, Grum Bot 11,920, MegaD Bot 1,221,253 4 Rustock Bot 141,621,731 13,612,815 Other bots Bot 7,768 4 Total 968,918,303 17,813,952 clustered and tagged URLs

21 Underground economy 21 Affiliate programs and infrastructure Purchases: 120 attempted 76 authorized 56 settled 49 products delivered

22 Infrastructure sharing Underground economy 22

23 Takedown potential Underground economy 23

24 Underground economy 24 Take-away banking is the weakest link for spammers two potential remedies pressure merchant banks establish a financial blacklist to stop transactions with certain merchant codes

25 Information sharing 25 Reading for next time Odlyzko, A., Privacy, Economics and Price Discrimination on the Internet Proceedings of the 5th international conference on Electronic commerce, 2003 optional: Acquisti, A., The Economics of Privacy, draft presentation, website: