You Can Tell a Cybercriminal by the Company they Keep: A Framework to Infer the Relevance of Underground Communities to the Threat Landscape (2306.05898v2)
Abstract: The criminal underground is populated with forum marketplaces where, allegedly, cybercriminals share and trade knowledge, skills, and cybercrime products. However, it is still unclear whether all marketplaces matter the same in the overall threat landscape. To effectively support trade and avoid degenerating into scams-for-scammers places, underground markets must address fundamental economic problems (such as moral hazard, adverse selection) that enable the exchange of actual technology and cybercrime products (as opposed to repackaged malware or years-old password databases). From the relevant literature and manual investigation, we identify several mechanisms that marketplaces implement to mitigate these problems, and we condense them into a market evaluation framework based on the Business Model Canvas. We use this framework to evaluate which mechanisms 'successful' marketplaces have in place, and whether these differ from those employed by 'unsuccessful' marketplaces. We test the framework on 23 underground forum markets by searching 836 aliases of indicted cybercriminals to identify 'successful' marketplaces. We find evidence that marketplaces whose administrators are impartial in trade, verify their sellers, and have the right economic incentives to keep the market functional are more likely to be credible sources of threat.