Category Archives: Cybercrime

From Playing Games to Committing Crimes: A Multi-Technique Approach to Predicting Key Actors on an Online Gaming Forum

I recently travelled to Pittsburgh, USA, to present the paper “From Playing Games to Committing Crimes: A Multi-Technique Approach to Predicting Key Actors on an Online Gaming Forum” at eCrime 2019, co-authored with Ben Collier and Alice Hutchings. The accepted version of the paper can be accessed here.

The structure and content of various underground forums have been studied in the literature, from threat detection to the classification of marketplace advertisements. These platforms can provide a mechanism for knowledge sharing and a marketplace between cybercriminals and other members.

However, gaming-related activity on underground hacking forums have been largely unexplored. Meanwhile, UK law enforcement believe there is a potential link between playing online games and committing cybercrime—a possible cybercrime pathway. A small-scale study by the NCA found that users looking for gaming cheats on these types of forums can lead to interactions with users involved in cybercrime, leading to a possible first offences, followed by escalating levels of offending. Also, there has been interest from UK law enforcement in exploring intervention activity which aim to deter gamers from becoming involved in cybercrime activity.

We begin to explore this by presenting a data processing pipeline framework, used to identify potential key actors on a gaming-specific forum, using predictive and clustering methods on an initial set of key actors. We adapt open-source tools created for use in analysis of an underground hacking forum and apply them to this forum. In addition, we add NLP features, machine learning models, and use group-based trajectory modelling.

From this, we can begin to characterise key actors, both by looking at the distributions of predictions, and from inspecting each of the models used. Social network analysis, built using author-replier relationships, shows key actors and predicted key actors are well connected, and group-based trajectory modelling highlights a much higher proportion of key actors are contained in both a high-frequency super-engager trajectory in the gaming category, and in a high-frequency super-engager posting activity in the general category.

This work provides an initial look into a perceived link between playing online games and committing cybercrime by analysing an underground forum focused on cheats for games.

Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

Existing defenses are slow to detect zero day exploits and capture attack traffic targeting inadequately secured Customer Premise Equipment (CPE) and Internet of Things (IoT) devices. This means that attackers have considerable periods of time to find and compromise vulnerable devices before the attack vectors are well understood and mitigation is in place.

About a month ago we presented honware at eCrime 2019, a new honeypot framework that enables the rapid construction of honeypots for a wide range of CPE and IoT devices. The framework automatically processes a standard firmware image (as is commonly provided for updates) and runs the system with a special pre-built Linux kernel without needing custom hardware. It then logs attacker traffic and records which of their actions led to a compromise.

We provide an extensive evaluation and show that our framework is scalable and significantly better than existing emulation strategies in emulating the devices’ firmware applications. We were able to successfully process close to 2000 firmware images across a dozen brands (TP-Link, Netgear, D-Link…) and run them as honeypots. Also, as we use the original firmware images, the honeypots are not susceptible to fingerprinting attacks based on protocol deviations or self-revealing properties.

By simplifying the process of deploying realistic honeypots at Internet scale, honware supports the detection of malware types that often go unnoticed by users and manufactures. We hope that honware will be used at Internet scale by manufacturers setting up honeypots for all of their products and firmware versions or by researchers looking for new types of malware.

The paper is available here.

APWG eCrime 2019

Last week the APWG Symposium on Electronic Crime Research was held at Carnegie Mellon University in Pittsburgh. The Cambridge Cybercrime Centre was very well-represented at the symposium. Of the 12 accepted research papers, five were authored or co-authored by scholars from the Centre. The topics of the research papers addressed a wide range of cybercrime issues, ranging from honeypots to gaming as pathways to cybercrime. One of the papers with a Cambridge author, “Identifying Unintended Harms of Cybersecurity Countermeasures”, received the Best Paper award. The Honorable Mention award went to “Mapping the Underground: Supervised Discovery of Cybercrime Supply Chains”, which was a collaboration between NYU, ICSI and the Centre.

In this post, we will provide a brief description for each paper in this post. The final versions aren’t yet available, we will blog them in more detail as they appear.

Best Paper

Identifying Unintended Harms of Cybersecurity Countermeasures

Yi Ting Chua, Simon Parkin, Matthew Edwards, Daniela Oliveira, Stefan Schiffner, Gareth Tyson, and Alice Hutchings

In this paper, the authors consider that well-intentioned cybersecurity risk management activities can create not only unintended consequences, but also unintended harms to user behaviours, system users, or the infrastructure itself. Through reviewing countermeasures and associated unintended harms for five cyber deception and aggression scenarios (including tech-abuse, disinformation campaigns, and dating fraud), the authors identified categorizations of unintended harms. These categories were further developed into a framework of questions to prompt risk managers to consider harms in a structured manner, and introduce the discussion of vulnerable groups across all harms. The authors envision that this framework can act as a common-ground and a tool bringing together stakeholders towards a coordinated approach to cybersecurity risk management in a complex, multi-party service and/or technology ecosystem.

Honorable Mention

Mapping the Underground: Supervised Discovery of Cybercrime Supply Chains

Rasika Bhalerao, Maxwell Aliapoulios, Ilia Shumailov, Sadia Afroz, and Damon McCoy

Cybercrime forums enable modern criminal entrepreneurs to collaborate with other criminals into increasingly efficient and sophisticated criminal endeavors.
Understanding the connections between different products and services is currently very expensive and requires a lot of time-consuming manual effort. In this paper, we propose a language-agnostic method to automatically extract supply chains from cybercrime forum posts and replies. Our analysis of generated supply chains highlights unique differences in the lifecycle of products and services on offer in Russian and English cybercrime forums.

Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Day

Alexander Vetterl and Richard Clayton

We presented honware, a new honeypot framework which can rapidly emulate a wide range of CPE and IoT devices without any access to the manufacturers’ hardware.

The framework processes a standard firmware image and will help to detect real attacks and associated vulnerabilities that might otherwise be exploited for considerable periods of time without anyone noticing.

From Playing Games to Committing Crimes: A Multi-Technique Approach to Predicting Key Actors on an Online Gaming Forum

Jack Hughes , Ben Collier, and Alice Hutchings

This paper proposes a systematic framework for analysing forum datasets, which contain minimal structure and are non-trivial to analyse at scale. The paper takes a multi-technique approach drawing on a combination of features relating to content and metadata, to predict potential key actors. From these predictions and trained models, the paper begins to look at characteristics of the group of potential key actors, which may benefit more from targeted intervention activities.

Fighting the “Blackheart Airports”: Internal Policing in the Chinese Censorship Circumvention Ecosystem

Yi Ting Chua and Ben Collier

In this paper, the authors provide an overview of the self-policing mechanisms present in the ecosystem of services used in China to circumvent online censorship. We conducted an in-depth netnographic study of four Telegram channels which were used to co-ordinate various kinds of attacks on groups and individuals offering fake or scam services. More specifically, these actors utilized cybercrime tools such as denial of service attack and doxxing to punish scammers. The motivations behind this self-policing appear to be genuinely altruistic, with individuals largely concerned with maintaining a stable ecosystem of services to allow Chinese citizens to bypass the Great Firewall. Although this is an emerging phenomenon, it appears to be developing into an important and novel kind of trust mechanism within this market

Usability of Cybercrime Datasets

By Ildiko Pete and Yi Ting Chua

The availability of publicly accessible datasets plays an essential role in the advancement of cybercrime and cybersecurity as a field. There has been increasing effort to understand how datasets are created, classified, shared, and used by scholars. However, there has been very few studies that address the usability of datasets. 

As part of an ongoing project to improve the accessibility of cybersecurity and cybercrime datasets, we conducted a case study that examined and assessed the datasets offered by the Cambridge Cybercrime Centre (CCC). We examined two stages of the data sharing process: dataset sharing and dataset usage. Dataset sharing refers to three steps: (1) informing potential users of available datasets, (2) providing instructions on application process, and (3) granting access to users. Dataset usage refers to the process of querying, manipulation and extracting data from the dataset. We were interested in assessing users’ experiences with the data sharing process and discovering challenges and difficulties when using any of the offered datasets. 

To this end, we reached out to 65 individuals who applied for access to the CCC’s datasets and are potentially actively using the datasets. The survey questionnaire was administered via Qualtrics. We received sixteen responses, nine of which were fully completed. The responses to open-ended questions were transcribed, and then we performed thematic analysis.

As a result, we discovered two main themes. The first theme is users’ level of technological competence, and the second one is users’ experiences. The findings revealed generally positive user experiences with the CCC’s data sharing process and users reported no major obstacles with regards to the dataset sharing stage. Most participants have accessed and used the CrimeBB dataset, which contains more than 48 million posts. Users also expressed that they are likely to recommend the dataset to other researchers. During the dataset usage phase, users reported some technical difficulties. Interestingly, these technical issues were specific, such as version conflicts. This highlights that users with a higher level of technical skills also experience technical difficulties, however these are of different nature in contrast to generic technical challenges. Nonetheless, the survey shown the CCC’s success in sharing their datasets to a sub-set of cybercrime and cybersecurity researchers approached in the current study. 

Ildiko Pete presented the preliminary findings on 12thAugust at CSET’19. Click here to access the full paper. 

Hiring for the Cambridge Cybercrime Centre

We have just re-advertised a “post-doc” position in the Cambridge Cybercrime Centre: The vacancy arises because Daniel is off to become a Chancellor’s Fellow at Strathclyde), the re-advertisement is because of a technical flaw in the previous advertising process (which is now addressed).

We are looking for an enthusiastic researcher to join us to work on our datasets of cybercrime activity, collecting new types of data, maintaining existing datasets and doing innovative research using our data. The person we appoint will define their own goals and objectives and pursue them independently, or as part of a team.

An ideal candidate would identify cybercrime datasets that can be collected, build the collection systems and then do cutting edge research on this data — whilst encouraging other academics to take our data and make their own contributions to the field.

We are not necessarily looking for existing experience in researching cybercrime, although this would be a bonus. However, we are looking for strong programming skills — and experience with scripting languages and databases would be much preferred. Good knowledge of English and communication skills are important.

Please follow this link to the advert to read the formal advertisement for the details about exactly who and what we’re looking for and how to apply — and please pay attention to our request that in the covering letter you create as part of the application you should explain which particular aspects of cybercrime research are of particular interest to you.

Fourth Annual Cybercrime Conference

The Cambridge Cybercrime Centre is organising another one day conference on cybercrime on Thursday, 11th July 2019.

We have a stellar group of invited speakers who are at the forefront of their fields:

They will present various aspects of cybercrime from the point of view of criminology, policy, security economics and policing.

This one day event, to be held in the Faculty of Law, University of Cambridge will follow immediately after (and will be in the same venue as) the “12th International Conference on Evidence Based Policing” organised by the Institute of Criminology which runs on the 9th and 10th July 2018.

Full details (and information about booking) is here.

WEIS 2019 – Liveblog

I’ll be trying to liveblog the seventeenth workshop on the economics of information security at Harvard. I’m not in Cambridge, Massachussetts, but in Cambridge, England, because of a visa held in ‘administrative processing’ (a fate that has befallen several other cryptographers). My postdoc Ben Collier is attending as my proxy (inspired by this and this).

The Changing Cost of Cybercrime

In 2012 we presented the first systematic study of the costs of cybercrime. We have now repeated our study, to work out what’s changed in the seven years since then.

Measuring the Changing Cost of Cybercrime will appear on Monday at WEIS. The period has seen huge changes, with the smartphone replacing as PC and laptop as the consumer terminal of choice, with Android replacing Windows as the most popular operating system, and many services moving to the cloud. Yet the overall pattern of cybercrime is much the same.

We know a lot more than we did then. Back in 2012, we guessed that cybercrime was about half of all crime, by volume and value; we now know from surveys in several countries that this is the case. Payment fraud has doubled, but fallen slightly as a proportion of payment value; the payment system has got larger, and slightly more efficient.

So what’s changed? New cybercrimes include ransomware and other offences related to cryptocurrencies; travel fraud has also grown. Business email compromise and its cousin, authorised push payment fraud, are also growth areas. We’ve also seen serious collateral damage from cyber-weapons such as the NotPetya worm. The good news is that crimes that infringe intellectual property – from patent-infringing pharmaceuticals to copyright-infringing software, music and video – are down.

Our conclusions are much the same as in 2012. Most cyber-criminals operate with impunity, and we have to fix this. We need to put a lot more effort into catching and punishing the perpetrators.

Our new paper is here. For comparison the 2012 paper is here, while a separate study on the emotional cost of cybercrime is here.

Security Engineering: Third Edition

I’m writing a third edition of my best-selling book Security Engineering. The chapters will be available online for review and feedback as I write them.

Today I put online a chapter on Who is the Opponent, which draws together what we learned from Snowden and others about the capabilities of state actors, together with what we’ve learned about cybercrime actors as a result of running the Cambridge Cybercrime Centre. Isn’t it odd that almost six years after Snowden, nobody’s tried to pull together what we learned into a coherent summary?

There’s also a chapter on Surveillance or Privacy which looks at policy. What’s the privacy landscape now, and what might we expect from the tussles over data retention, government backdoors and censorship more generally?

There’s also a preface to the third edition.

As the chapters come out for review, they will appear on my book page, so you can give me comment and feedback as I write them. This collaborative authorship approach is inspired by the late David MacKay. I’d suggest you bookmark my book page and come back every couple of weeks for the latest instalment!