15 research outputs found

    Measuring eWhoring

    eWhoring is the term used by offenders to refer to a type of online fraud in which cybersexual encounters are simulated for financial gain. Perpetrators use social engineering techniques to impersonate young women in online communities, e.g., chat or social networking sites. They engage potential customers in conversation with the aim of selling misleading sexual material – mostly photographs and interactive video shows – illicitly compiled from third-party sites. eWhoring is a popular topic in underground communities, with forums acting as a gateway into offending. Users not only share knowledge and tutorials, but also trade in goods and services, such as packs of images and videos. In this paper, we present a processing pipeline to quantitatively analyse various aspects of eWhoring. Our pipeline integrates multiple tools to crawl, annotate, and classify material in a semi-automatic way. It builds in precautions to safeguard against significant ethical issues, such as avoiding the researchers’ exposure to pornographic material, and legal concerns, which were justified as some of the images were classified as child exploitation material. We use it to perform a longitudinal measurement of eWhoring activities in 10 specialised underground forums from 2008 to 2019. Our study focuses on three of the main eWhoring components: (i) the acquisition and provenance of images; (ii) the financial profits and monetisation techniques; and (iii) a social network analysis of the offenders, including their relationships, interests, and pathways before and after engaging in this fraudulent activity. We provide recommendations, including potential intervention approaches. This work was supported by the Engineering and Physical Sciences Research Council (EPSRC) [grant number EP/M020320/1], by MINECO (grant TIN2016-79095-C2-2-R), and by the Comunidad de Madrid (P2018/TCS-4566, co-financed by European Structural Funds ESF and FEDER)

    An analysis of fake social media engagement services

    Fake engagement services allow users of online social media and other web platforms to illegitimately increase their online reach and boost their perceived popularity. Driven by socio-economic and even political motivations, the demand for fake engagement services has increased in the last years, which has incentivized the rise of a vast underground market and support infrastructure. Prior research in this area has been limited to the study of the infrastructure used to provide these services (e.g., botnets) and to the development of algorithms to detect and remove fake activity in online targeted platforms. Yet, the platforms in which these services are sold (known as panels) and the underground markets offering these services have not received much research attention. To fill this knowledge gap, this paper studies Social Media Management (SMM) panels, i.e., reselling platforms, often found in underground forums, in which a large variety of fake engagement services are offered. By daily crawling 86 representative SMM panels for 4 months, we harvest a dataset with 2.8 M forum entries grouped into 61k different services. This dataset allows us to build a detailed catalog of the services for sale, the platforms they target, and to derive new insights on fake social engagement services and its market. We then perform an economic analysis of fake engagement services and their trading activities by automatically analyzing 7k threads in underground forums. Our analysis reveals a broad range of offered services and levels of customization, where buyers can acquire fake engagement services by selecting features such as the quality of the service, the speed of delivery, the country of origin, and even personal attributes of the fake account (e.g., gender). The price analysis also yields interesting empirical results, showing significant disparities between prices of the same product across different markets.
These observations suggest that the market is still undeveloped and sellers do not know the real market value of the services that they offer, leading them to underprice or overprice their services. This work was supported by the EU Horizon 2020 Research and Innovation Program under Grant agreement no. 101021377 (TRUST aWARE); the Spanish grants ODIO (PID2019-111429RB-C21 and PID2019-111429RB-C22), and the Region of Madrid grant CYNAMON-CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER

    Digital persona portrayal: Identifying pluridentity vulnerabilities in digital life

    The increasing use of the Internet for social purposes enriches the data available online about all of us and promotes the concept of the Digital Persona. Actually, most of us are represented online by more than one identity, what we define here as a Pluridentity. This trend brings increased risks: it is well known that the security of a Digital Persona can be exploited if its data and security are not effectively managed. In this paper, we focus specifically on a new type of digital attack that can be perpetrated by combining pieces of data belonging to one same Pluridentity in order to profile their target. Some victims can be so accurately depicted when looking at their Pluridentity that by using the gathered information attackers can execute very personalized social engineering attacks, or even bypass otherwise safe security mechanisms. We characterize these Pluridentity attacks as a security issue of a virtual System of Systems, whose constituent systems are the individual identities and the humans themselves. We present a strategy to identify vulnerabilities caused by overexposure due to the combination of data from the constituent identities of a Pluridentity. To this end we introduce the Digital Persona Portrayal Metamodel, and the related Digital Pluridentity Persona Portrayal Analysis process that supports the architecting of data from different identities: such model and process can be used to identify the vulnerabilities of a Pluridentity due to its exploitation as a System of Systems. The approach has been validated on the Pluridentities of seventeen candidates selected from a data leak, by retrieving the data of their Digital Personae, and matching them against the security mechanisms of their Pluridentities.
After analyzing the results for some of the analyzed subjects we could detect several vulnerabilities. Ministerio dell'Universitá e della Ricerca (Italia) GAUSS 2015KWREMX; Ministerio de Economía y Competitividad TIN2016-76956-C3-2-R (POLOLAS

    WASEF: Web Acceleration Solutions Evaluation Framework

    The World Wide Web has become increasingly complex in recent years. This complexity severely affects users in the developing regions due to slow cellular data connectivity and usage of low-end smartphone devices. Existing solutions to simplify the Web are generally evaluated using several different metrics and settings, which hinders the comparison of these solutions against each other. Hence, it is difficult to select the appropriate solution for a specific context and use case. This paper presents Wasef, a framework that uses a comprehensive set of timing, saving, and quality metrics to evaluate and compare different web complexity solutions in a reproducible manner and under realistic settings. The framework integrates a set of existing state-of-the-art solutions and facilitates the addition of newer solutions down the line. Wasef first creates a cache of web pages by crawling both landing and internal ones. Each page in the cache is then passed through a web complexity solution to generate an optimized version of the page. Finally, each optimized version is evaluated in a consistent manner using a uniform environment and metrics. We demonstrate how the framework can be used to compare and contrast the performance characteristics of different web complexity solutions under realistic conditions. We also show that the accessibility to pages in developing regions can be significantly improved, by evaluating the top 100 global pages in the developed world against the top 100 pages in the lowest 50 developing countries. Results show a significant difference in terms of complexity and a potential benefit for our framework in improving web accessibility in these countries. Comment: 15 pages, 4 figure

    When will my PLC support Mirai? The security economics of large-scale attacks against internet-connected ICS devices

    For nearly a decade, security researchers have highlighted the grave risk presented by Internet-connected Industrial Control Systems (ICS). Predictions of targeted and indiscriminate attacks have yet to materialise despite continued growth of a vulnerable population of devices. We investigate the missing attacks against ICS, focusing on large-scale attacks enabled by Internet-connected populations. We fingerprint and track more than 10,000 devices over four years to confirm that the population is growing, continuously-connected, and unpatched. We also track 150,000 botnet hosts, monitor 120 global ICS honeypots, and sift 70 million underground forum posts to show that the cybercrime community has little competence or interest in the ICS domain. Attackers may be dissuaded by the high cost of entry, the fragmented ICS population, and limited onboard resources; however, this justification is incomplete. We use a series of case studies to develop a security economics model for large-scale attacks against Internet-connected populations in general, and use it to explain both the current lack of interest in ICS and the features of Industry 4.0 that will make the domain more accessible and attractive to attackers

    Improving Cybercrime Reporting in Scotland : A Systematic Literature Review

    I have explored how to improve cybercrime reporting in Scotland by conducting a systematic literature review. Due to the lack of data on Scotland, I have frequently extrapolated from both the UK and the West. The research questions were: 1. What is known about cybercrime in the UK to date? 2. What is known about cybercrime victims in the UK to date? 3. What is known about cybercrime reporting to date? The answers were retrieved by combining Boolean variables with keywords into Scopus, Web of Science and ProQuest. This resulted in the analysis of 100 peer-reviewed articles. The analysis revealed a common trend, a novel taxonomy and an original conclusion. The common trend is that of responsibilisation, which is the shifting of responsibility for policing cybercrime from the government onto the citizens and private sector. The novel taxonomy is for classifying cybercrime reporting systems according to three pillars, which I referred to as Human-To-Human (H2H), Human-To-Machine (H2M) and Machine-To-Machine (M2M). The original conclusion is that to improve cybercrime reporting in Scotland, the process needs to be treated also as a social one rather than a purely mathematical one

    UK cybercrime, victims and reporting : a systematic review

    Individuals and organisations based in the United Kingdom often fall foul of cyber criminals. Unfortunately, these kinds of crimes are under-reported [66][115][123]. This under-reporting hampers the ability of crime fighting units to gauge the full extent of the problem, as well as their ability to pursue and apprehend cyber criminals [13][77]. To comprehend cybercrime under-reporting, we need to explore the nature of United Kingdom’s (henceforth: UK) cybercrime and its impact on UK-based victims. We investigated the entire landscape by carrying out a systematic literature review, covering both academic and grey literature. In our review, we sought to answer three research questions: (1) What characterises cybercrime in the UK? (2) What is known about UK cybercrime victims? and (3) What influences and deters cybercrime reporting in the UK? Our investigation revealed three types of reportable cybercrime, depending on the targets: (a) individuals, (b) private organisations, and (c) public organisations. Victimhood varies with various identified dimensions, such as: vulnerability aspects, psychological perspectives, age-related differences, and researcher attempts to model the victims of cybercrime. We also explored UK victims’ reported experiences in dealing with the consequences of falling victim to a cybercrime. In terms of cybercrime reporting, we identify three kinds of reporting: (a) Human-To-Human, (b) Human-To-Machine, and (c) Machine-To-Machine. In examining factors deterring reporting, we incorporate discussions of policing, and the challenges UK police forces face in coping with this relatively novel crime. Unlike traditional crimes, perpetrators possess sophisticated technological skills and reside outside of UK’s police jurisdiction. We discovered a strong social dimension to reporting incidence with the UK government’s cyber responsibilization agenda likely playing a major role in deterring reporting.
This strategy involves governments providing a great deal of advice and then expecting citizens to take care of their own cybersecurity. If they do not act on the advice, they should know that they will have to accept the consequences. Improvements in cybercrime reporting, to date, have been technologically focused. This neglects the social dimensions of cybercrime victimhood and does not acknowledge the reporting-deterring side effects of the UK's cyber responsibilization agenda. We conclude with suggestions for improving cybercrime reporting in the UK

    A methodology for large-scale identification of related accounts in underground forums

    Underground forums allow users to interact with communities focused on illicit activities. They serve as an entry point for actors interested in deviant and criminal topics. Due to the pseudo-anonymity provided, they have become improvised marketplaces for trading illegal products and services, including those used to conduct cyberattacks. Thus, these forums are an important data source for threat intelligence analysts and law enforcement. The use of multiple accounts is forbidden in most forums since these are mostly used for malicious purposes. Still, this is a common practice. Being able to identify an actor or gang behind multiple accounts allows for proper attribution in online investigations, and also to design intervention mechanisms for illegal activities. Existing solutions for multi-account detection either require ground truth data to conduct supervised classification or use manual approaches. In this work, we propose a methodology for the large-scale identification of related accounts in underground forums. These accounts are similar according to the distinctive content posted, and thus are likely to belong to the same actor or group. The methodology applies to various domains and leverages distinctive artefacts and personal information left online by the users. We provide experimental results on a large dataset comprising more than 1.1M user accounts from 15 different forums. We show how this methodology, combined with existing approaches commonly used in social media forensics, can assist with and improve online investigations. This work was partially supported by CERN openlab, the CERN Doctoral Student Programme, the Spanish grants ODIO (PID2019-111429RB-C21 and PID2019-111429RB) and the Region of Madrid grant CYNAMON-CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER, and Excellence Program EPUC3M1