On Critical Infrastructure Protection and International Agreements
This paper evaluates the prospects for protecting critical social functions from 'cyber' attacks carried out over electronic information networks. In particular, it focuses on the feasibility of devising international laws, conventions or agreements to deter and/or punish perpetrators of such attacks. First, it briefly summarizes existing conventions and laws, and explains to which technological issues they can apply. The paper then turns to a technical discussion of the threats faced by critical infrastructure. By distinguishing between the different types of attacks that can be conducted (theft of information, destructive penetration, denial of service, etc.), and examining the role of collateral damage in information security, the paper identifies the major challenges in devising and implementing international conventions for critical infrastructure protection. It then turns to a practical examination of how these findings apply to specific instances of critical networks (power grids and water systems, financial infrastructure, air traffic control and hospital networks), and draws conclusions about potential remedies. A notable finding is that critical functions should be isolated from non-critical functions in the network for viable international agreements to have a chance of being implemented; and that, given the difficulty of performing attack attribution, other relevant laws should be designed with the objective of reducing the negative externalities that facilitate such attacks.
Flipping 419 Scams: Targeting the Weak and the Vulnerable
Most cyberscam-related studies focus on threats perpetrated against Western society, with particular attention to the USA and Europe. Regrettably, no research has been done on scams targeting African countries, especially Nigeria, where the notorious and (in)famous 419 advance fee scam, targeted at other countries, originated. However, as we know, cybercrime is a global problem affecting all parties. In this study, we investigate a form of advance fee fraud scam unique to Nigeria and targeted at Nigerians, but unknown to the Western world. For the study, we rely substantially on almost two years' worth of data harvested from an online discussion forum used by criminals. We complement this dataset with recent data from three other active forums to consolidate and generalize the research. We apply machine learning to the data to understand the criminals' modus operandi. We show that the criminals exploit the socio-political and economic problems prevalent in the country to craft various fraud schemes to defraud vulnerable groups such as secondary school students and unemployed graduates. The results of our research can help potential victims and policy makers to develop measures to counter the activities of these criminal groups.
Responses to Institutional Constraints
Institutions, as mechanisms of social order, often constrain the behavior of individuals within a society. Political institutions constrain the behavior of politicians, financial institutions constrain the behavior of businesses and payment processors, and social institutions often constrain the behavior of individuals. These institutions often play an important role in constraining activities that may be seen as illicit or unwanted, and careful analysis of these constraints can allow researchers to learn more about activities that are often hidden or go unreported.

This dissertation explores the role of institutional constraints on unwanted behavior by studying deforestation in Brazil and Malawi as well as underground activity in fraudulent software sales. These cases share the commonality that they are influenced by institutional constraints. Politicians in Brazil are constrained by reelection incentives, perpetrators of fraudulent antivirus software are constrained by payment processors, and the cultural practice of ethnic favoritism in public good provision leads to particular ethnic groups in Malawi receiving much more fertilizer subsidies than others.

The first chapter examines deforestation in Brazil. Local political authority (formal or informal) over natural resources may create rents for politicians. The political decision to use or allocate resources involves balancing private rents with reelection prospects. I examine the case of deforestation in Brazil and a presidential decree granting the federal government the authority to punish counties that failed to limit total deforestation within their borders. This collective punishment aimed to generate pressure on local politicians to slow deforestation. Using binding term limits as a source of variation in reelection eligibility, I find eligibility has no effect on deforestation prior to the decree. After the decree, reelection-eligible mayors reduced annual deforestation 10% more than mayors ineligible for reelection. These findings are consistent with the equilibrium outcome of a lobbying model. Policies such as sanctions, which target the electorate in order to influence political behavior, may be less effective when politicians are not accountable to voters.

The second chapter examines fake antivirus (AV) programs, which have been used to defraud millions of computer users into paying as much as one hundred dollars for a phony software license. As a result, fake AV software has evolved into one of the most lucrative criminal operations on the Internet. In this chapter, we examine the operations of three large-scale fake AV businesses, lasting from three months to more than two years. More precisely, we present the results of our analysis of a trove of data obtained from several backend servers that the cybercriminals used to drive their scam operations. Our investigations reveal that these three fake AV businesses had earned a combined revenue of more than $130 million. A particular focus of our analysis is on the financial and economic aspects of the scam, which involves legitimate credit card networks as well as more dubious payment processors. In particular, we present an economic model that demonstrates that fake AV companies are actively monitoring the refunds (chargebacks) that customers demand from their credit card providers. When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time. However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms. This chapter is joint work with Brett Stone-Gross, Richard Kemmerer, Christopher Kruegel, Douglas Steigerwald, and Giovanni Vigna and was published as Stone-Gross et al. (2013).

The final chapter returns to deforestation and studies it in the context of agriculture in Malawi. The effect of development policies on the environment is often ambiguous ex ante. Programs designed to improve agricultural productivity may increase deforestation by raising the marginal productivity of agricultural land, thus increasing the demand for land clearing. However, in a setting of subsistence farming on unproductive land, increasing agricultural productivity may reduce the need to shift cultivation to maintain the desired yields. This chapter examines the impact of agricultural subsidies on deforestation in Malawi by leveraging ethnic favoritism in government resource allocation. By exploiting a change in the ethnicity of the Malawi president following the 2004 election, we show that coethnic districts received more fertilizer subsidies and experienced significant declines in deforestation compared to districts with other predominant ethnicities. This paper studies a case in which poverty alleviation programs have beneficial environmental impacts, demonstrating that, in certain contexts, input subsidies may provide a 'win-win' scenario. This chapter is joint work with Conor Carney.
Securing large cellular networks via a data oriented approach: applications to SMS spam and voice fraud defenses
University of Minnesota Ph.D. dissertation. December 2013. Major: Computer Science. Advisor: Zhi-Li Zhang. 1 computer file (PDF); x, 103 pages.

With the widespread adoption and growing sophistication of mobile devices, fraudsters have turned their attention from landlines and wired networks to cellular networks. While security threats to wireless data channels and applications have attracted the most attention, attacks through mobile voice channels, such as Short Message Service (SMS) spam and voice-related fraud activities, also represent a serious threat to mobile users. In particular, it has been reported that the number of spam messages in the US rose 45% in 2011 to 4.5 billion messages, affecting more than 69% of mobile users globally. Meanwhile, we have seen increasing numbers of incidents where fraudsters deploy malicious apps, e.g., disguised as gaming apps to entice users to download them; when invoked, these apps automatically, and without users' knowledge, dial certain (international) phone numbers which charge exorbitantly high fees. Fraudsters also frequently use social engineering (e.g., SMS or email spam, Facebook postings) to trick users into dialing these exorbitant fee-charging numbers. Unlike traditional attacks on data channels, e.g., email spam and malware, SMS spam and voice fraud are not only annoying, but also inflict financial loss on mobile users and cellular carriers, as well as adversely affecting cellular network performance. Hence the objective of defense techniques is to restrict the phone numbers that initiate these activities quickly, before they reach too many victims. However, due to scalability issues and high false alarm rates, anomaly detection based approaches for securing wireless data channels, mobile devices, and applications/services cannot be readily applied here.

In this thesis, we share our experience and approach in building operational defense systems against SMS spam and voice fraud in large-scale cellular networks. Our approach is data oriented, i.e., we collect real data from a large national cellular network and exert significant effort in analyzing and making sense of the data, especially to understand the characteristics of fraudsters and the communication patterns between fraudsters and victims. On top of the data analysis results, we identify the best predictive features that can alert us to emerging fraud activities. Usually, these features represent unwanted communication patterns which are derived from the original feature space. Using these features, we apply advanced machine learning techniques to train accurate detection models. To ensure the validity of the proposed approaches, we build and deploy the defense systems in operational cellular networks and carry out both extensive off-line evaluation and a long-term online trial. To evaluate the system performance, we adopt both direct measurement using a known fraudster blacklist provided by fraud agents and indirect measurement by monitoring the change in victim report rates. In both problems, the proposed approaches demonstrate promising results which outperform the customer feedback based defenses that have been widely adopted by cellular carriers today.

More specifically, using a year (June 2011 to May 2012) of user-reported SMS spam messages together with SMS network records collected from a large US-based cellular carrier, we carry out a comprehensive study of SMS spamming. Our analysis shows various characteristics of SMS spamming activities and also reveals that spam numbers with similar content exhibit strong similarity in terms of their sending patterns, tenure, devices and geolocations. Using the insights we have learned from our analysis, we propose several novel spam defense solutions. For example, we devise a novel algorithm for detecting related spam numbers. The algorithm incorporates user spam reports and identifies additional (unreported) spam number candidates which exhibit similar sending patterns at the same network location as the reported spam number during a nearby time period. The algorithm yields a high accuracy of 99.4% on real network data. Moreover, 72% of these spam numbers are detected at least 10 hours before user reports.

From a different angle, we present the design of Greystar, a defense solution against the growing SMS spam traffic in cellular networks. By exploiting the fact that most SMS spammers select targets randomly from the finite phone number space, Greystar monitors phone numbers from the gray phone space (which are associated with data-only devices like data cards and modems and machine-to-machine communication devices like point-of-sale machines and electricity meters) to alert on emerging spamming activities. Greystar employs a novel statistical model for detecting spam numbers based on their footprints on the gray phone space. Evaluation using five months of SMS call detail records from a large US cellular carrier shows that Greystar can detect thousands of spam numbers each month with very few false alarms, and that 15% of the detected spam numbers have never been reported by spam recipients. Moreover, Greystar is much faster than victim spam reports. By deploying Greystar we can reduce spam messages by 75% during peak hours.

To defend against voice-related fraud activities, we develop a novel methodology for detecting voice-related fraud activities using only call records. More specifically, we advance the notion of voice call graphs to represent voice calls from domestic callers to foreign recipients and propose a Markov Clustering based method for isolating dominant fraud activities from these international calls. Using data collected over a two-year period from one of the largest cellular networks in the US, we evaluate the efficacy of the proposed fraud detection algorithm and conduct a systematic analysis of the identified fraud activities. Our work sheds light on the unique characteristics and trends of fraud activities in cellular networks, and provides guidance on improving and securing hardware/software architecture to prevent these fraud activities.
Banking phishing: a framework for analysing and reducing the risk of victimisation (Hameçonnage bancaire : un cadre d'analyse et de réduction de risque de victimisation)
RÉSUMÉ (translated from French): Banking fraud, particularly fraud involving phishing, remains a major issue in the relationship that banks maintain with their customers. The rising statistics on the amounts stolen from victims' accounts, and the multiplicity of countermeasures, national bodies and multinational business coalitions fighting this scourge, are two indicators of the extent of the phenomenon. This observation led us to address in this thesis the questions of victimisation risk factors and of the improvements to be made to countermeasures in order to reduce their impact.

We first studied the question of which elements are necessary and sufficient to define victimisation by banking phishing. We answered this question by proposing a coherent set of four elements on which any definition of victimisation by banking phishing must rest, namely the action taken, the object used, the presumed victims and the nature of the harm suffered by those victims. On the basis of these elements, we defined three forms of victimisation: the phishing attempt, infection and fraud. Building on these three forms of victimisation, we developed a logistic regression model to analyse the data from a large Canadian survey on online victimisation (ESG Survey, 2009) in order to identify and rank the key risk factors for phishing attempts, infection and fraud (cf. Table 5.1). It emerges that risky online behaviour, together with a lack of basic security training and of threat awareness, are the categories that matter most in explaining victimisation by phishing attempt and by infection. As for the factors that contribute to fraud (withdrawal of money from victims' accounts), since the ESG 2009 survey data do not allow the monetisation process to be studied (there is a lack of data on the black market for stolen information), we developed a theoretical model to study the behaviour of two actors in this black market: the fraudster and the mule. To do so, we applied the rational choice theory developed in economics. The classical utility functions of the CRRA (Constant Relative Risk Aversion) and CARA (Constant Absolute Risk Aversion) types were used to study the fraudster's behaviour towards risk. Finally, to test our theoretical model, we used data collected from underground forums. The simulation results of this model reveal that six factors influence the monetisation process to varying degrees: the fraudster's anticipated income, the intensity of the security measures put in place by the banks, the commission paid to the mule, the price of the information, the fraudster's initial wealth and the probability of being arrested.

To assess the relevance of our theoretical model for answering our research question on the key risk factors of victimisation, a survey based on a purposive sample was conducted among seventeen information security experts. The results of this survey confirm that two of the six factors identified by our theoretical model carry great weight in the monetisation process: the fraudster's anticipated income and the level of measures put in place by the banks. Two other factors that we did not measure in our model, for lack of data and metrics, were singled out by the experts as having a preponderant effect on the decision whether or not to monetise a piece of stolen information: the quality of the information and the time elapsed between the theft of the information and the withdrawal of money from the victim's account. In the same survey, we asked the experts to propose improvements to current countermeasures in order to reduce the victimisation risks inherent in the factors we had identified. The analysis of the experts' responses allowed us to address twenty-five recommendations to public authorities, end users, businesses, developers of security solutions and organisations that fight banking phishing. The micro-economic model we proposed is the main theoretical contribution of this research. The main practical contribution was to propose, based on the experts' opinions, improvements to current countermeasures in order to reduce, where applicable, the risk of banking phishing. This research nevertheless has some limitations, notably the information asymmetry in a black market for banking information and the limited number of experts surveyed. It would be interesting in future to take information asymmetry into account in the analysis of the black market and to validate the model with more empirical data collected from forums, banks and information security experts.

ABSTRACT: Banking fraud, particularly fraud that involves phishing, remains a major issue in the relationship that banks maintain with their clients. The rising statistics on the amounts stolen from victims' accounts, as well as the multiplicity of countermeasures, national organisations and multinational business coalitions that fight against this scourge, are two indicators of the extent of this phenomenon. This observation led us to examine in this thesis the questions of victimisation risk factors and the improvements that can be made to countermeasures in order to diminish the impacts of phishing. We first examined the question of determining the necessary and sufficient elements required to define victimisation by banking phishing. We have answered this question by proposing a coherent set of four elements on which any definition of victimisation by banking phishing must rest. These include the action, the objects used, the presumed victims and the nature of the harm suffered by said victims. On the basis of these elements, we have defined three forms of victimisation: phishing attempts, infection and fraud. On the basis of these three forms of victimisation, we have developed a logistic regression model to analyse the data from an extensive Canadian survey into online victimisation (ESG Survey, 2009), in order to identify and hierarchically classify the key risk factors of phishing attempt, infection and fraud (Table 5.1). It appears that risky online behaviours, as well as the lack of basic training in security and threat awareness, are the most important categories in the explanation of victimisation by attempted phishing and by infection. As for the factors that contribute to fraud (money withdrawal from victims' accounts), the data from the ESG 2009 survey do not allow for a study of the monetisation process (lack of data on the black market for stolen information). We have therefore developed a theoretical model to study the behaviours of two players in the black market: the fraudster and the mule. To carry this out, we applied the rational choice theory developed in economics. Also, the classical utility functions of the CRRA (Constant Relative Risk Aversion) and CARA (Constant Absolute Risk Aversion) varieties are used to study the behaviour of the fraudster vis-à-vis risk. Finally, to test our theoretical model, we took advantage of data gathered from underground forums. The results of the simulation of this model revealed that six factors influence, to different extents, the monetisation process: the revenue anticipated by the fraudster, the intensity of the level of security put in place by the banks, the commission paid to the mule, the price of the information, the initial wealth of the fraudster and the probability of getting caught. To evaluate the pertinence of our theoretical model in answering our research question on the key risk factors of victimisation, a survey based on a purposive sample was carried out among seventeen experts in information security. The results of this survey confirmed that two out of the six factors determined by our theoretical model have a significant influence on the monetisation process. These are the revenue anticipated by the fraudster and the level of measures put in place by banks. Two other factors that we have not measured in our model, due to a lack of data and metrics, were retained by the experts as factors having a dominant effect on the decision whether or not to monetise stolen information: the quality of the information and the time elapsed between the theft of the information and the withdrawal of money from the victim's account. In the same survey, we asked the experts to suggest improvements that can be made to current countermeasures in order to reduce the victimisation risks inherent in the factors we have determined. The analysis of the experts' responses has enabled us to provide twenty-five recommendations to authorities, end users, businesses, security solution developers and organisations that fight against banking phishing.