No Plan Survives Contact


No Plan Survives Contact: Experience with Cybercrime Measurement
Chris Kanich, Neha Chachra, Damon McCoy, Chris Grier, David Wang, Marti Motoyama, Kirill Levchenko, Stefan Savage, Geoffrey M. Voelker
UC San Diego / UC Berkeley

Security Experiments
- Modern testbeds enable controlled study: DDoS defense, routing security
- Passive measurement captures real-world malice: prevalence of BGP hijacking, DNS attacks
- But some questions require actively engaging with an adversary: How much can you earn solving CAPTCHAs? Do spammers steal your CC or send you pills?

Engaging the Underground Economy
Started in 2006, with numerous projects since:
- Early infrastructure supporting scams [Security07]: crawl network & host infrastructure from 1M spams
- CAPTCHA-solving ecosystem [Security10]: customer and worker for 8 CAPTCHA-solving services
- Spam value chain [Oakland11]: crawl infrastructure for 1B spams, 100s of purchases
- Order volume, customer demand [Security11]: 100s of purchases, inference of revenue & demand
- Freelance marketplace of abuse jobs [Security11]: crawl 7 years of Freelancer.com, hire workers to validate

Requirements
We have learned the hard way that engagement has two key requirements:
- Verisimilitude: attackers defend themselves, so you need to appear as who they expect; this makes engaging at scale more challenging
- Scale: attackers operate at scale, so you have to engage at scale to observe the big picture; need infrastructure to collect and analyze huge data
Goal: explain methods and lessons learned to help future security researchers with similar goals

Two Kinds of Engagement
Cover two kinds of engagement in this talk:
- Engagement as an underground peer: buy cybercrime software, CAPTCHA solutions, Facebook Likes; appear to be a normal cybercriminal (these guys don't take VISA, much less English)
- Engagement as a customer: crawl 100s of millions of URLs, buy 100s of items; appear to be a normal customer; at scale this requires sophisticated identity management


Engaging in the Underground

Underground Forums
- Miscreants openly describe their activities and methods on underground forums & IRC
- Tremendous source of useful information; learned much about affiliate programs
- Forums also serve as a marketplace for buying and selling digital goods: items, quantities, prices, contacts, ...

Underground Purchases
Kinds of purchases we made:
- CAPTCHA services ($3,400)
- Underground software ($640)
- Hiring freelance workers ($2,100)
- Web mail accounts
All negotiated online


Challenges and Lessons
- Language and culture: Russian (human translated) was critical; a group member is a native speaker. Full of slang; interaction requires a real voice
- Means of payment: Visa/MC/PayPal not accepted; WebMoney/LibertyReserve popular; non-reversible online transactions
- IP address cloaking not necessary: can do it from your desk; IM and VPNs effectively hide IP origination

Engaging as a Customer

Visiting Their Sites
When visiting 1B URLs over three months:
- Full-featured browsers necessary for verisimilitude: redirection via Flash/JavaScript, clicking on popups, ...; more danger, more complexity, beefier machines
- IP diversity is necessary at scale. Deterrence: you will get blacklisted, plan for it. Cloud providers and IP-hiding services easy to use


Crawling Challenges
- Blacklisting by bad guys: hierarchical IP space usage
- Scale: dozens of machines, 100s of browsers/machine; central dispatcher, distributed clients
- Poisoning by bad guys: a spammer started inserting well-formed junk URLs; added an importance-based crawl scheduler
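An added example (not the authors' code) of the importance-based crawl scheduler idea from the poisoning bullet above, run over constructed spam-feed input: URLs are ranked by how many independent feeds and messages reference their domain, and each domain gets a per-round budget, so a feed poisoned with well-formed junk URLs cannot crowd out real campaign infrastructure. The feed names, domains and scoring weights are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit


class ImportanceScheduler:
    def __init__(self, per_domain_budget=3):
        self.per_domain_budget = per_domain_budget
        self.feeds = defaultdict(set)     # domain -> feeds that carried it
        self.messages = defaultdict(int)  # domain -> messages carrying it
        self.urls = defaultdict(set)      # domain -> distinct URLs seen

    @staticmethod
    def domain_of(url):
        return (urlsplit(url).hostname or "").lower()

    def observe(self, feed, url):
        """Record one URL extracted from one spam message in `feed`."""
        d = self.domain_of(url)
        if not d:
            return  # malformed URL: nothing worth crawling
        self.feeds[d].add(feed)
        self.messages[d] += 1
        self.urls[d].add(url)

    def score(self, domain):
        # Independent feeds outweigh raw volume (weights are assumptions): a
        # poisoned feed inflates its junk domain's message count, yet is one feed.
        return len(self.feeds[domain]) * 1000 + self.messages[domain]

    def plan(self, limit):
        """Up to `limit` URLs, best-scoring domains first, budget per domain."""
        out = []
        for d in sorted(self.urls, key=self.score, reverse=True):
            for url in sorted(self.urls[d])[: self.per_domain_budget]:
                if len(out) == limit:
                    return out
                out.append(url)
        return out


def demo():
    """Constructed input: three feeds agree on pills.example; feed C is poisoned."""
    s = ImportanceScheduler(per_domain_budget=3)
    for feed in ("feedA", "feedB", "feedC"):
        s.observe(feed, "http://pills.example/buy")
    s.observe("feedA", "http://pills.example/order")
    s.observe("feedB", "http://replica.example/w1")
    for i in range(200):  # 200 well-formed junk URLs on a single domain
        s.observe("feedC", "http://junk.example/r%04d" % i)
    return s.plan(10)
```

The junk domain scores below the domain seen in all three feeds and is capped at three URLs per round, so the plan covers the real infrastructure first and does not drown in the 200 junk URLs.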

Blacklisting
The iptables script shown on the slide (its lines were interleaved by extraction), restored as a runnable script. It is the blocking side's view: source addresses the rule author attributes to anti-phishing, anti-spam and research crawlers are dropped, with the attribution kept in the original comments.

```bash
#!/bin/bash
# Reset INPUT policy and rules, then drop inbound HTTP and DNS by default
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p udp --dport 53 -j DROP
# Optional extra block lists, loaded when invoked with the argument "zeus"
if [ "$1" = "zeus" ]
then
  sh google_block.sh
  sh zeustracker_block.sh
fi
# Per-source drops; comments name who the author believes each source is
iptables -A INPUT -s 149.20.54.132 -j DROP   #pt1b.phishtank.com
iptables -A INPUT -s 149.20.54.134 -j DROP   #pt2b.phishtank.com
iptables -A INPUT -s 133.5.16.238 -p tcp -m multiport --dports 80,443,8080 -j DROP   #HidemaruMail SpamFilter Agent Kyushu University
iptables -A INPUT -s 198.134.135.0/24 -j DROP   #University of California at San Diego FAKE UA,REF
iptables -A INPUT -s 216.163.176.0/20 -j DROP   #Commtouch Inc.
iptables -A INPUT -s 95.211.120.0/24 -j DROP   #leaseweb.com BAD BLOCK
```

Purchasing as a Customer
How to do this at scale? 100s of purchases, $17K spent on items + shipping
When buying from an online pharmacy you need:
- Name, shipping address, email, phone number
- IP address from which to make the purchase
- Method for receiving and cataloging the goods
And you want to collect:
- Virtual properties (site ID, communication style)
- Financial properties (VISA BIN, bank name)
- Physical properties (where from, active ingredient)

Identity Management (Corporeal)
- Originally: pseudonyms + P.O. Box. Specialty issuer: no pseudonyms. High volume spooked the P.O. Box guys
- State of the art: real names + home addresses. Ordering legal, end-user goods; odd orders, but our money is green
- Prepaid cell phones + add'l Google Voice #s. Difficult to know which order/customer a call is for; required on-the-spot creativity at times

Identity Management (Virtual)
- Email through Google Apps free account: can create a nonce address for each purchase; gmail/hotmail/ymail increases fraud score
- Purchase from SD residential IP addresses: IP geolocation important for fraud score; VPN tunnel to home machine, 3G, stay home and buy drugs

Financial Transactions History
- Originally used $500 prepaid VISA gift cards issued to manufactured names. Online balance management malfunctioned; collecting data by phone very error prone. Couldn't get BIN information
- Tried several other consumer-level cards: CARD Act is a major setback here
- Called several specialty issuers; a specialty issuer finally played ball with us. Manual, batch-based process

Internal Red Tape
- As involved as solving the technical problems
- Extensive oversight: legal oversight, research oversight
- Build trust slowly, incrementally: our capabilities are the result of years of trust-building

Final Takeaways
- Full-fidelity crawling architecture necessary for verisimilitude, but increases challenges for achieving scale
- Underground forums provide a finger on the pulse
- Acquiring payment data was priceless
- Engagement can lead to serendipitous opportunities

Thank You! Yahoo!