
    On Critical Infrastructure Protection and International Agreements

    This paper evaluates the prospects for protecting critical social functions from “cyber” attacks carried out over electronic information networks. In particular, it focuses on the feasibility of devising international laws, conventions or agreements to deter and/or punish perpetrators of such attacks. First, it briefly summarizes existing conventions and laws, and explains to which technological issues they can apply. The paper then turns to a technical discussion of the threats faced by critical infrastructure. By distinguishing between the different types of attacks (theft of information, destructive penetration, denial of service, etc.) that can be conducted, and examining the role of collateral damages in information security, the paper identifies the major challenges in devising and implementing international conventions for critical infrastructure protection. It then turns to a practical examination of how these findings apply to specific instances of critical networks (power grids and water systems, financial infrastructure, air traffic control and hospital networks), and draws conclusions about potential remedies. A notable finding is that critical functions should be isolated from non-critical functions in the network to have a chance to implement viable international agreements; and that, given the difficulty in performing attack attribution, other relevant laws should be designed with the objective of reducing negative externalities that facilitate such attacks.

    Flipping 419 Scams: Targeting the Weak and the Vulnerable

    Most cyberscam-related studies focus on threats perpetrated against Western society, with particular attention to the USA and Europe. Regrettably, no research has been done on scams targeting African countries, especially Nigeria, where the notorious and (in)famous 419 advance fee scam, targeted towards other countries, originated. However, as we know, cybercrime is a global problem affecting all parties. In this study, we investigate a form of advance fee fraud scam unique to Nigeria and targeted at Nigerians, but unknown to the Western world. For the study, we rely substantially on almost two years' worth of data harvested from an online discussion forum used by criminals. We complement this dataset with recent data from three other active forums to consolidate and generalize the research. We apply machine learning to the data to understand the criminals’ modus operandi. We show that the criminals exploit the socio-political and economic problems prevalent in the country to craft various fraud schemes to defraud vulnerable groups such as secondary school students and unemployed graduates. The result of our research can help potential victims and policy makers to develop measures to counter the activities of these criminal groups.

    Securing large cellular networks via a data oriented approach: applications to SMS spam and voice fraud defenses

    University of Minnesota Ph.D. dissertation. December 2013. Major: Computer Science. Advisor: Zhi-Li Zhang. 1 computer file (PDF); x, 103 pages.
With widespread adoption and growing sophistication of mobile devices, fraudsters have turned their attention from landlines and wired networks to cellular networks. While security threats to wireless data channels and applications have attracted the most attention, attacks through mobile voice channels, such as Short Message Service (SMS) spam and voice-related fraud activities, also represent a serious threat to mobile users. In particular, it has been reported that the number of spam messages in the US has risen 45% in 2011 to 4.5 billion messages, affecting more than 69% of mobile users globally. Meanwhile, we have seen increasing numbers of incidents where fraudsters deploy malicious apps, e.g., disguised as gaming apps to entice users to download; when invoked, these apps automatically - and without users' knowledge - dial certain (international) phone numbers which charge exorbitantly high fees. Fraudsters also frequently utilize social engineering (e.g., SMS or email spam, Facebook postings) to trick users into dialing these exorbitant fee-charging numbers. Unlike traditional attacks on data channels, e.g., email spam and malware, both SMS spam and voice fraud are not only annoying, but they also inflict financial loss on mobile users and cellular carriers as well as an adverse impact on cellular network performance. Hence the objective of defense techniques is to restrict the phone numbers that initiate these activities quickly, before they reach too many victims. However, due to scalability issues and high false alarm rates, anomaly detection based approaches for securing wireless data channels, mobile devices, and applications/services cannot be readily applied here.
In this thesis, we share our experience and approach in building operational defense systems against SMS spam and voice fraud in large-scale cellular networks. Our approach is data oriented, i.e., we collect real data from a large national cellular network and exert significant efforts in analyzing and making sense of the data, especially to understand the characteristics of fraudsters and the communication patterns between fraudsters and victims. On top of the data analysis results, we can identify the best predictive features that can alert us of emerging fraud activities. Usually, these features represent unwanted communication patterns which are derived from the original feature space. Using these features, we apply advanced machine learning techniques to train accurate detection models. To ensure the validity of the proposed approaches, we build and deploy the defense systems in operational cellular networks and carry out both extensive off-line evaluation and long-term online trial. To evaluate the system performance, we adopt both direct measurement using known fraudster blacklist provided by fraud agents and indirect measurement by monitoring the change of victim report rates. In both problems, the proposed approaches demonstrate promising results which outperform customer feedback based defenses that have been widely adopted by cellular carriers today. More specifically, using a year (June 2011 to May 2012) of user reported SMS spam messages together with SMS network records collected from a large US based cellular carrier, we carry out a comprehensive study of SMS spamming. Our analysis shows various characteristics of SMS spamming activities and also reveals that spam numbers with similar content exhibit strong similarity in terms of their sending patterns, tenure, devices and geolocations. Using the insights we have learned from our analysis, we propose several novel spam defense solutions.
For example, we devise a novel algorithm for detecting related spam numbers. The algorithm incorporates user spam reports and identifies additional (unreported) spam number candidates which exhibit similar sending patterns at the same network location of the reported spam number during the nearby time period. The algorithm yields a high accuracy of 99.4% on real network data. Moreover, 72% of these spam numbers are detected at least 10 hours before user reports. From a different angle, we present the design of Greystar, a defense solution against the growing SMS spam traffic in cellular networks. By exploiting the fact that most SMS spammers select targets randomly from the finite phone number space, Greystar monitors phone numbers from the gray phone space (which are associated with data only devices like data cards and modems and machine-to-machine communication devices like point-of-sale machines and electricity meters) to alert emerging spamming activities. Greystar employs a novel statistical model for detecting spam numbers based on their footprints on the gray phone space. Evaluation using five month SMS call detail records from a large US cellular carrier shows that Greystar can detect thousands of spam numbers each month with very few false alarms and 15% of the detected spam numbers have never been reported by spam recipients. Moreover, Greystar is much faster than victim spam reports. By deploying Greystar we can reduce 75% spam messages during peak hours. To defend against voice-related fraud activities, we develop a novel methodology for detecting voice-related fraud activities using only call records. More specifically, we advance the notion of voice call graphs to represent voice calls from domestic callers to foreign recipients and propose a Markov Clustering based method for isolating dominant fraud activities from these international calls.
Using data collected over a two year period from one of the largest cellular networks in the US, we evaluate the efficacy of the proposed fraud detection algorithm and conduct systematic analysis of the identified fraud activities. Our work sheds light on the unique characteristics and trends of fraud activities in cellular networks, and provides guidance on improving and securing hardware/software architecture to prevent these fraud activities

    Bank phishing: a framework for analysing and reducing the risk of victimisation (Hameçonnage bancaire : un cadre d’analyse et de réduction de risque de victimisation)

    SUMMARY: Bank fraud, particularly fraud involving phishing, remains a major issue in the relationship between banks and their clients. The growing statistics on the amounts stolen from victims' accounts and the multiplicity of countermeasures, national bodies and multinational business coalitions fighting this scourge are two indicators of the extent of the phenomenon. This observation led us to address in this thesis the questions of victimisation risk factors and of the improvements to be made to countermeasures in order to reduce their impact. We first studied the question of which elements are necessary and sufficient to define victimisation by bank phishing. We answered this question by proposing a coherent set of four elements on which any definition of victimisation by bank phishing must rest, namely the action taken, the object used, the presumed victims and the nature of the harm suffered by those victims. On the basis of these elements, we defined three forms of victimisation: phishing attempt, infection and fraud. Building on these three forms of victimisation, we developed a logistic regression model to analyse the data of a large Canadian survey (ESG survey, 2009) on online victimisation in order to identify and hierarchically rank the key risk factors for phishing attempt, infection and fraud (cf. Table 5.1). It emerges that risky online behaviours, as well as the lack of basic security training and of threat awareness, are the categories that matter most in explaining victimisation by phishing attempt and by infection.
As for the factors that contribute to fraud (withdrawal of money from victims' accounts), since the ESG 2009 survey data do not allow the monetisation process to be studied (there is a lack of data on the black market in stolen information), we developed a theoretical model to study the behaviour of two actors in this black market: the fraudster and the mule. To do so, we applied the rational choice theory developed in economics. The classical utility functions of the CRRA (Constant Relative Risk Aversion) and CARA (Constant Absolute Risk Aversion) types were also used to study the fraudster's behaviour towards risk. Finally, to test our theoretical model, we used data collected from underground forums. The simulation results of this model reveal that six factors influence, to varying degrees, the monetisation process: the fraudster's expected income, the intensity of the security measures put in place by banks, the commission paid to the mule, the price of the information, the fraudster's initial wealth and the probability of being arrested. To assess the relevance of our theoretical model for answering our research question on the key risk factors of victimisation, a survey based on a purposive sample was conducted among seventeen computer security experts. The results of this survey confirm that two of the six factors determined by our theoretical model are of great importance in the monetisation process: the fraudster's expected income and the level of measures put in place by banks.
Two other factors that we did not measure in our model, for lack of data and metrics, were identified by the experts as having a predominant effect on the decision whether or not to monetise stolen information: the quality of the information and the time elapsed between the theft of the information and the withdrawal of money from the victim's account. In the same survey, we asked the experts to propose improvements to current countermeasures in order to reduce the victimisation risks inherent in the factors we identified. Analysis of the experts' answers made it possible to address twenty-five recommendations to public authorities, end users, businesses, developers of security solutions and organisations fighting bank phishing. The microeconomic model we proposed is the main theoretical contribution of this research. The main practical contribution was to propose, based on the experts' opinions, improvements to current countermeasures in order to reduce, where applicable, the risk of bank phishing. This research nevertheless has some limitations, notably information asymmetry in a black market for banking information and the limited number of experts surveyed. In future it would be interesting to take information asymmetry into account in the analysis of the black market and to validate the model with more empirical data collected from forums, banks and computer security experts.
ABSTRACT: Banking fraud, specifically one which involves phishing, remains a major issue in the relationship that banks maintain with their clients.
The rising statistics on the amounts stolen from victims’ accounts as well as the multiplicity of countermeasures, the national organisations and the coalition of multinational businesses that fight against the plague, are two indicators of the extent of this phenomenon. This observation led us to examine in this thesis, the questions of victimisation risk factors and the improvements that can be made to countermeasures in order to diminish the impacts of phishing. We first examined the question of determining the necessary and sufficient elements required to define victimisation by banking phishing. We have answered this question by proposing a coherent ensemble of four elements on which any definition of victimisation by banking phishing must repose. These include the action, the objects used, the presumed victims and the nature of the prejudices suffered by said victims. On account of these elements, we have defined three forms of victimisation: phishing attempts, infection and fraud. On the basis of three forms of victimisation, we have developed a logistic regression model to analyse the data from an extensive Canadian investigation into online victimisation; in order to identify and hierarchically classify the key risk factors of phishing attempt, infection and fraud (Table 5.1). It appears that risky online behaviours, as well as the lack of basic training in security and threat sensitisation are the most important categories in the explanation of victimisation by attempt at phishing and by infection. As it related to factors that contribute to fraud (money withdrawal from victims’ accounts), the data from the ESG 2009 investigation does not allow for a study of the monetisation process – lack of data on the black market of stolen information. We have developed a theoretical model to study the behaviours of two players in the black market: the fraudster and the mule. To carry this out, we applied the rational choice theory developed in economics. 
Also, the classical utility functions of the CRRA (Constant Relative Risk Aversion) and CARA (Constant Absolute Risk Aversion) varieties are used to study the behaviour of the fraudster vis-à-vis risk. Finally, to test our theoretical model, we took advantage of the data gathered from clandestine sites. The results of the simulation of this model revealed that six factors influence, to different extents, the monetisation process. There is the anticipated revenue by the fraudster, the intensity of the level of security put in place by the banks, the commission paid to the mule, the price of the information, the initial wealth of the fraudster and the probability of getting caught. To evaluate the pertinence of our theoretical model in answering our research question on the key risk factors of victimisation, an investigation based on the rational choice sample has been performed among seventeen experts in information security. The results of this investigation confirmed that two out of six factors determined by our theoretical model have significant influence on the monetisation process. These include the anticipated revenue by the fraudster and the level of measures put in place by banks. Two other factors that we have not measured in our model, due to a lack of data and metrics, have been retained by the experts as factors having dominating effects on the decision to monetise or not stolen information: the quality of the information and the time elapsed since the theft as well as the withdrawal of money from the account by the victim. In the same investigation, we have asked experts to suggest improvements that can be made to the actual countermeasures in order to reduce the inherent victimisation risks that we have determined. The analysis of the experts’ responses has enabled us to provide twenty-five recommendations to authorities, the final user, businesses, security solutions developers and organisations that fight against banking phishing.