Characterizing Key Stakeholders in an Online Black-Hat Marketplace

Over the past few years, many black-hat marketplaces have emerged that facilitate access to reputation manipulation services such as fake Facebook likes, fraudulent search engine optimization (SEO), or bogus Amazon reviews. In order to deploy effective technical and legal countermeasures, it is important to understand how these black-hat marketplaces operate, shedding light on the services they offer, who is selling, who is buying, what are they buying, who is more successful, why are they successful, etc. Toward this goal, in this paper, we present a detailed micro-economic analysis of a popular online black-hat marketplace, namely, SEOClerks.com. As the site provides non-anonymized transaction information, we set to analyze selling and buying behavior of individual users, propose a strategy to identify key users, and study their tactics as compared to other (non-key) users. We find that key users: (1) are mostly located in Asian countries, (2) are focused more on selling black-hat SEO services, (3) tend to list more lower priced services, and (4) sometimes buy services from other sellers and then sell at higher prices. Finally, we discuss the implications of our analysis with respect to devising effective economic and legal intervention strategies against marketplace operators and key users.Comment: 12th IEEE/APWG Symposium on Electronic Crime Research (eCrime 2017

All Your Cards Are Belong To Us: Understanding Online Carding Forums

Underground online forums are platforms that enable trades of illicit services and stolen goods. Carding forums, in particular, are known for being focused on trading financial information. However, little evidence exists about the sellers that are present on carding forums, the precise types of products they advertise, and the prices buyers pay. Existing literature mainly focuses on the organisation and structure of the forums. Furthermore, studies on carding forums are usually based on literature review, expert interviews, or data from forums that have already been shut down. This paper provides first-of-its-kind empirical evidence on active forums where stolen financial data is traded. We monitored 5 out of 25 discovered forums, collected posts from the forums over a three-month period, and analysed them quantitatively and qualitatively. We focused our analyses on products, prices, seller prolificacy, seller specialisation, and seller reputation

Malware and Exploits on the Dark Web

In recent years, the darknet has become the key location for the distribution of malware and exploits. We have seen scenarios where software vulnerabilities have been disclosed by vendors and shortly after, operational exploits are available on darknet forums and marketplaces. Many marketplace vendors offer zero-day exploits that have not yet been discovered or disclosed. This trend has led to security companies offering darknet analysis services to detect new exploits and malware, providing proactive threat intelligence. This paper presents information on the scale of malware distribution, the trends of malware types offered, the methods for discovering new exploits and the effectiveness of darknet analysis in detecting malware at the earliest possible stage.Comment: 5 pages, 0 figure

Gas Monitor: Developments in the Wholesale Gas Market in the Netherlands in 2006

The present situation in the wholesale gas market calls for measures aimed at enhancing competition. Our annual monitoring report into the functioning of the gas market identifies a number of serious problems that impede competition in the wholesale market. Market parties have indicated a lack of available import capacity, storage capacity and quality conversion capacity, though facilities are not always optimally utilised. The report’s findings confirm the necessity of the action plan which was presented by the NMa/ DTe to the Minister of Economic Affairs in early October this year. Improvement is required for the rules of play and the level of transparency in the gas market. It is also necessary to pursue further integration into North-West Europe.Monitoring,gas, competition, infrastructure

Economic Factors of Vulnerability Trade and Exploitation

Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists on the economics of attack acquisition and deployment. Yet, this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on likelihood of exploit. Our data is collected first-handedly from a prominent Russian cybercrime market where the trading of the most active attack tools reported by the security industry happens. Our findings reveal that exploits in the underground are priced similarly or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion both in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on likelihood of attack realization, and find strong evidence of the correlation between market activity and exploit deployment. We discuss implications on vulnerability metrics, economics, and exploit measurement.Comment: 17 pages, 11 figures, 14 table

Police Ransomware - Threat Assessment

Over the past two years, European Union (EU) Member States (MS) have been confronted with a significant proliferation of police ransomware cases. Experts from both law enforcement and the private sector agree that prevention and raising awareness can only work in conjunction with investigations targeting the criminals behind the fraud. Furthermore, even if police ransomware in its current form might naturally fade out in the future, it is likely that an evolution of this modus operandi driven by the same or different perpetrators will take place. That is why it is important that measures against police ransomware and similar modi operandi are implemented in a coordinated, complementary and comprehensive manner. This assessment is the result of a common initiative of the European Cybercrime Centre (EC3) and the Dutch National High Tech Crime Unit (NHTCU). Its aim is to increase awareness of ransomware by providing an EU perspective on the problem and to identify opportunities for intervention and coordination. The assessment encourages better coordination and cooperation between MS law enforcement agencies from the early stages of cybercrime investigations and acknowledges once more the importance of partnering with private industry. This threat assessment relies on open source information, research papers on ransomware and semi-structured interviews with cybercrime investigators

Dynamics of Dark Web Financial Marketplaces: An Exploratory Study of Underground Fraud and Scam Business

The number of Dark Web financial marketplaces where Dark Web users and sellers actively trade illegal goods and services anonymously has been growing exponentially in recent years. The Dark Web has expanded illegal activities via selling various illicit products, from hacked credit cards to stolen crypto accounts. This study aims to delineate the characteristics of the Dark Web financial market and its scams. Data were derived from leading Dark Web financial websites, including Hidden Wiki, Onion List, and Dark Web Wiki, using Dark Web search engines. The study combines statistical analysis with thematic analysis of Dark Web content. Offering promotions and customer services with the payment methods of cryptocurrencies were prevalent, similar to the Surface Web\u27s e-commerce market. The findings suggest that the Dark Web financial market is likely to harbor scams targeting Dark Web buyers. Dark Web sellers construct a website to sell scam products and recommend purchasing Escrow services to ensure safe transactions as an additional scam. The results from this study provided empirical support for the components of the routine activity theory of the Dark Web financial market to substantiate a more comprehensive view of patterns of fraud/ scams. Enhancing law enforcement capabilities of investigating financial marketplaces and promoting public awareness and consumer safety programs are discussed as effective preventive measures