
    Characterizing eve: Analysing cybercrime actors in a large underground forum

    Underground forums contain many thousands of active users, but the vast majority will be involved, at most, in minor levels of deviance. The number who engage in serious criminal activity is small. That being said, underground forums have played a significant role in several recent high-profile cybercrime activities. In this work we apply data science approaches to understand criminal pathways and characterize key actors related to illegal activity in one of the largest and longest-running underground forums. We combine the results of a logistic regression model with k-means clustering and social network analysis, verifying the findings using topic analysis. We identify variables relating to forum activity that predict the likelihood that a user will become an actor of interest to law enforcement, and would therefore benefit the most from intervention. This work provides the first step towards identifying ways to deter young people from a career in cybercrime.
    Alan Turing Institute

    From playing games to committing crimes: A multi-technique approach to predicting key actors on an online gaming forum

    We propose a systematic framework for analysing forum datasets, which contain minimal structure and are non-trivial to analyse at scale, aiming to support future analysis of underground forum communities. We use a multi-technique approach which draws on a combination of features, including post classifications extracted using natural language processing tools, and apply clustering and predictive techniques to this dataset to predict potential key actors: individuals who have a central role in overtly criminal activities, or in activities which could lead to later offending, and who hence might benefit most from interventions. We predict 49 key actors on an underground gaming-specific cheating and hacking forum, validated by observing only the overlaps of techniques, combined with topic analysis, to build a classifier for key actor status. In addition, we also use these techniques to provide further insight into key actor activity. We found one cluster and two posting trajectories to contain a high proportion of key actors, logistic regression found an actor's h-index to have higher odds for prediction than other features, and partial dependence plots found reputation to have a significant change in prediction between values of 100 and 1000.

    Email Babel: Does Language Affect Criminal Activity in Compromised Webmail Accounts?

    We set out to understand the effects of differing language on the ability of cybercriminals to navigate webmail accounts and locate sensitive information in them. To this end, we configured thirty Gmail honeypot accounts with English, Romanian, and Greek language settings. We populated the accounts with email messages in those languages by subscribing them to selected online newsletters. We hid email messages about fake bank accounts in fifteen of the accounts to mimic real-world webmail users, who sometimes store sensitive information in their accounts. We then leaked credentials to the honey accounts via paste sites on the Surface Web and the Dark Web, and collected data for fifteen days. Our statistical analyses on the data show that cybercriminals are more likely to discover sensitive information (bank account information) in the Greek accounts than in the remaining accounts, contrary to the expectation that Greek ought to constitute a barrier to the understanding of non-Greek visitors to the Greek accounts. We also extracted the important words among the emails that cybercriminals accessed (as an approximation of the keywords that they searched for within the honey accounts), and found that financial terms featured among the top words. In summary, we show that language plays a significant role in the ability of cybercriminals to access sensitive information hidden in compromised webmail accounts.

    Understanding the difference in malicious activity between Surface Web and Dark Web

    The world has seen a dramatic increase in illegal activities on the Internet. Prior research has investigated different types of cybercrime, especially in the Surface Web, which is the portion of the content on the World Wide Web that popular search engines may index. At the same time, evidence suggests cybercriminals are moving their operations to the Dark Web. This portion is not indexed by conventional search engines and is accessed through network overlays such as The Onion Router network. Since the Dark Web provides anonymity, cybercriminals use this environment to avoid getting caught or blocked, which represents a significant challenge for researchers. This research project investigates the modus operandi of cybercriminals on the Surface Web and the Dark Web to understand how cybercrime unfolds in different layers of the Web. Honeypots, specialised crawlers and extraction tools are used to analyse different types of online crimes. In addition, quantitative analysis is performed to establish comparisons between the two Web environments. This thesis comprises three studies. The first examines the use of stolen account credentials leaked in different outlets on the Surface and Dark Web to understand how cybercriminals interact with stolen credentials in the wild. In the second study, malvertising is analysed from the user's perspective to understand whether using different technologies to access the Web could influence the probability of malware infection. In the final study, underground forums on the Surface and Dark Web are analysed to observe differences in trading patterns in both environments. Understanding how criminals operate in different Web layers is essential to developing policies and countermeasures to prevent cybercrime more efficiently.

    You Can Tell a Cybercriminal by the Company they Keep: A Framework to Infer the Relevance of Underground Communities to the Threat Landscape

    The criminal underground is populated with forum marketplaces where, allegedly, cybercriminals share and trade knowledge, skills, and cybercrime products. However, it is still unclear whether all marketplaces matter the same in the overall threat landscape. To effectively support trade and avoid degenerating into scams-for-scammers places, underground markets must address fundamental economic problems (such as moral hazard and adverse selection) that enable the exchange of actual technology and cybercrime products (as opposed to repackaged malware or years-old password databases). From the relevant literature and manual investigation, we identify several mechanisms that marketplaces implement to mitigate these problems, and we condense them into a market evaluation framework based on the Business Model Canvas. We use this framework to evaluate which mechanisms 'successful' marketplaces have in place, and whether these differ from those employed by 'unsuccessful' marketplaces. We test the framework on 23 underground forum markets by searching 836 aliases of indicted cybercriminals to identify 'successful' marketplaces. We find evidence that marketplaces whose administrators are impartial in trade, verify their sellers, and have the right economic incentives to keep the market functional are more likely to be credible sources of threat.
    Comment: The 22nd Workshop on the Economics of Information Security (WEIS'23), July 05-08, 2023, Geneva, Switzerland

    A methodology for large-scale identification of related accounts in underground forums

    Underground forums allow users to interact with communities focused on illicit activities. They serve as an entry point for actors interested in deviant and criminal topics. Due to the pseudo-anonymity provided, they have become improvised marketplaces for trading illegal products and services, including those used to conduct cyberattacks. Thus, these forums are an important data source for threat intelligence analysts and law enforcement. The use of multiple accounts is forbidden in most forums, since these are mostly used for malicious purposes. Still, this is a common practice. Being able to identify an actor or gang behind multiple accounts allows for proper attribution in online investigations, and also makes it possible to design intervention mechanisms for illegal activities. Existing solutions for multi-account detection either require ground truth data to conduct supervised classification or use manual approaches. In this work, we propose a methodology for the large-scale identification of related accounts in underground forums. These accounts are similar according to the distinctive content posted, and thus are likely to belong to the same actor or group. The methodology applies to various domains and leverages distinctive artefacts and personal information left online by the users. We provide experimental results on a large dataset comprising more than 1.1M user accounts from 15 different forums. We show how this methodology, combined with existing approaches commonly used in social media forensics, can assist with and improve online investigations.
    This work was partially supported by CERN openlab, the CERN Doctoral Student Programme, the Spanish grants ODIO (PID2019-111429RB-C21 and PID2019-111429RB) and the Region of Madrid grant CYNAMON-CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER, and Excellence Program EPUC3M1

    Understanding Hacking-as-a-Service Markets

    An examination of 12 darkweb sites involved in selling hacking services, often referred to as "Hacking-as-a-Service" (HaaS) sites, is performed. Data is gathered and analyzed for 7 months via weekly site crawling and parsing. In this empirical study, after examining over 200 forum threads, common categories of services available on HaaS sites are identified, as well as their associated topics of conversation. Some of the most common hacking service categories in the HaaS market include Social Media, Database, and Phone hacking. These types of services are the most commonly advertised, found on over 50% of all HaaS sites, while services related to Malware and Ransomware are advertised on less than 30% of these sites. Additionally, an analysis is performed on the prices of these services along with their volume of demand, and comparisons are made between the prices listed in posts seeking services and those on sites selling services. It is observed that individuals looking to hire hackers for these services are offering to pay premium prices, on average 73% more than what the individual hackers are requesting on their own sites. Overall, this study provides insights into illicit markets for contact-based hacking, especially with regard to services such as social media hacking, email breaches, and website defacement.
    Dissertation/Thesis. Masters Thesis, Computer Science, 201

    Bridging Physical and Social Sciences to Unlock New Potential for Addressing Interconnected Resource Challenges

    As urbanizing cities work toward sustainable resource planning, particular attention must be given to the interdependence of interconnected resource challenges. Coherent policies, strengthened by and consistent with the research understanding of the challenges and their interdependencies, are necessary for sustainable resource allocation. Enabling Environments must be created that allow: 1) development of interdisciplinary research, 2) cross-sectoral stakeholder cooperation in planning resource allocations, and 3) appropriate levels of engagement and exchange of information between researchers and related stakeholders. This dissertation focuses on opportunities for bringing together the knowledge accumulated in understanding and quantifying the interconnections between resource systems with theories in social science and their application. Building on common pool resources and collective action theory, the work uses social network analysis to understand the interactions between stakeholders governing interconnected resource systems. Using convergence theory, a methodology and criteria are developed for assessing the extent to which researchers and stakeholders tend to converge on topics related to the resource challenges, thereby reducing feedback cycles and increasing information exchange and support. This is accomplished through two surveys, in the context of a model resource hotspot in San Antonio, Texas: a growing, urbanizing population with major agricultural activity, situated above the Eagle Ford shale play's growing hydraulic fracturing development. The study's main outcomes follow. 1) Identification of challenges faced in developing an interdisciplinary research team, i.e. defining the study region's physical boundaries, establishing dependency relations between sub-groups, data incompatibilities, varying data access, and funding. 2) Modest levels of communication exist between water institutions, but very low levels of communication exist between water institutions and those responsible for food and energy decisions. Frequency of communication among officials at different water institutions was higher among those who participated in stakeholder engagement activities, significant only in the communication among water officials themselves. Main institutional barriers to higher levels of communication between cross-sectoral stakeholders include finance, structure, capacity, or differences in language, interest and value systems. 3) Aspects of convergence were identified between the perspectives of researchers and regional stakeholders on issues of water, energy, and food in the San Antonio Region. Similar aspects of convergence were found in the perspectives of both groups regarding the Texas Water Development Board strategies with the greatest or least potential. Both groups converged on water as a first priority, but not on their perspective of the direction of future regional priorities: they differed in their rankings of energy and food (second and third priorities). The study also indicated convergence regarding the potential roles of "increased communication" and "information sharing between agencies" as a means to improve cooperation and address interconnected resource challenges. To realize these potentials, institutional mechanisms and finances for such activities should be revisited: addressing communication barriers is critical to developing cooperative stakeholder environments that allow long-term planning for resource allocation that avoids potentially unintended consequences.

    Adversarial behaviours knowledge area

    The technological advancements witnessed by our society in recent decades have brought improvements in our quality of life, but they have also created a number of opportunities for attackers to cause harm. Before the Internet revolution, most crime and malicious activity generally required a victim and a perpetrator to come into physical contact, and this limited the reach that malicious parties had. Technology has removed the need for physical contact to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker's motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.
    Published version