Analysis of the economic damage caused by Internet crime Volodymyr Mosorov Department of Computer Science in Economics University of Lodz, POLAND


Post on 25-May-2020


Agenda

• Cybercrime

• Types of cyberattacks

• Classifications

• Statistics of Cyberattacks

• DDoS attack trends

• Real life attack scenarios

• Cost aspect


Introduction

• 24% of the adult population worldwide cannot live without the Internet

• 41% of the adult population worldwide needs access to the Internet daily

• the number of adult victims of cybercrime in 2011 was three times greater than the number of victims of traditional crime

• 431 million Internet users were cybercrime victims (more than one million daily internet users in 2011)


Distributed Denial of Service (DDoS) attack

Botnet Network


Attack result


DDoS attack cont.

A DDoS attack can be perpetrated in a number of ways.

Attack Classification:

• Consumption of computational resources, such as bandwidth, memory, disk space, or processor time.

• Disruption of configuration information, such as routing information.

• Disruption of state information, such as unsolicited resetting of TCP sessions.

• Disruption of physical network components.


Schema of botnet creation


Most DDoS attacks are very small, usually less than 10Gbps.

A typical DDoS attack is not very long, usually less than 30 minutes.

Interesting Facts (2012):

89% of DDoS traffic was generated in 23 countries

US and Indonesia made up 10% of attack traffic

Online shopping sites, including e-stores, auctions, and buy and sell message boards made up 25% of all targeted sites

80% of all DDoS attacks take place Monday through Thursday

23% of the week’s DDoS attacks occur on a Tuesday


DDoS attack parameters (Arbor Special Report: Worldwide Infrastructure Security Report, 2012)

DDoS attacks against customers remain the number one operational threat seen during the survey period, with DDoS attacks against infrastructure being the top concern for 2014.

DDoS remains a key issue; therefore, it should not be surprising that nearly two-thirds of service provider respondents are seeing an increasing demand for DDoS detection/mitigation services from their customers.


Averaged attack time, 2012

Targets of DDoS attack, 2012


What is the financial impact of DDoS attack?

A DDoS attack inflicts a grave toll on revenues.

The reported 2013 revenue risk was slightly lower than in 2012, due to the increased investment in DDoS protection solutions.

More companies in 2012 (74% versus 65% in 2011) claimed that a DDoS outage would cost them up to $10K per hour; the rest reported that revenue risks will be $50-100K per hour.


The largest DDoS attack (February 2014)

A record-breaking distributed denial-of-service (DDoS) attack peaked at 400 Gbit/s, which is about 100 Gbit/s more than the largest previously seen DDoS attack.

DDoS defense firm CloudFlare disclosed the attack -- against one of its customers: "Very big reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year, which peaked at a record-breaking 300 Gbit/s."


Facts

• According to CNBC, U.S. banks were the main targets of DDoS attacks during 2013. These events resulted in 250 hours of inactivity in total. Calculated losses (related only to income) amounted to $12,450,000.

• Interesting fact: one man who took part in an anonymous attack on Koch Industries for 1 minute ONLY was sentenced to two years of probation and a penalty of 183 thousand dollars!


Business model of a cyberattack

DDoS as a commercial service

Preparation of malicious software

Propagation of malicious software

Establishing command & control

Selling the service

Delivering the attack


Business Model

The attacker hopes to obtain some revenue by extorting the victim.

The expression of the profit:

Profit = E - C > 0 where

E - represents the attacker’s revenue,

C - the cost of DDoS service’s hiring.


The attacker’s revenue

The attacker’s revenue can be expressed in the following way:

E = n × R where

n - is the percentage of victims, who in the attacker’s opinion will give in to blackmail R


Estimation of blackmail

Estimation of blackmail: R = k × AR

where AR is the victim's annual revenue and k is some ratio.

Estimation of a victim's annual revenue:

We have compared these amounts with the annual revenue of some of the online sites and we have estimated that extortions are approximately 1,000 times smaller. Hence k = 0.001.

According to the reference (SEGUR@ Project, 2013), the amount of the extortion was between $20,000 and $50,000.


Estimation of blackmail cont.

According to Arbor Networks Inc. (a leading provider of network security and management solutions for enterprise and service provider networks), an estimated average revenue:

R = k × AR = 0.001 × 20000 × 30 (price per month) × 12 months = 7200 $/year
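Combining the three relations from the slides gives the break-even condition of the model. This derivation is added here and is not part of the original slides; it assumes n is expressed as a fraction between 0 and 1 (the slides call it a percentage) and that C is in the same units as R.

Profit = E - C = n × R - C = n × k × AR - C > 0

⇔ n > C / (k × AR) = C / R

With the slide's estimate R = 7200 $/year, the condition becomes n > C / 7200. For a given hiring cost C, extortion is rational under this model only while the share of victims who pay stays above that threshold; the lower the share of paying victims, the weaker the attacker's incentive.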


Estimated costs of hiring DDoS attack service

To estimate these costs we need to obtain the following data:

• the revenue of attackers

• the cost of hiring DDoS service


Hiring of DDoS attack service

*There are plenty of forums on the Internet where anyone has access to this kind of service.


An example of conversation with DDoS service provider


Botnet Rental Pricing (Segura and Lahuerta, 2013)


DDoS Service - Estimated Costs


Example


Bitcoins - cybercrimes' currency

Bitcoin is a payment system introduced as open-source software (2009)

Bitcoin price: $653.08


Bitcoins - cybercrimes' currency

• Bitcoins are associated with cybercriminal behavior.

• Used to obfuscate online transactions.

• The Washington Post calls it "the currency of choice for seedy online activities."

• The FBI stated in a 2012 report that "bitcoin will likely continue to attract cyber-criminals who view it as a means to move or steal funds."

• Bitcoins are used in money laundering, like the use of botnets or exchange for illegal items/services.


Conclusion

• The economic motive seems to be the main driving force behind Internet crime incidents. When that happens, attackers' behavior is rational and predictable.

• Under some assumptions, it is possible to model the conditions that will influence the attacker's behavior. If we are able to collect data for our model, we can estimate the probability of the attacks.

• A simple economic model fits a real scenario based on an Internet provider service.


Conclusion cont.

• This model represents the incentives of a potential attacker for launching DDoS attacks.

• To apply the model, data from two sources should be collected: prices of hiring DDoS attack services and the percentage of victims who paid extortion money in the past on online gambling sites (to estimate the amount of money that the attacker could demand in the service).

• The analysis performed makes it possible to estimate the incentives for launching DDoS attacks based on objective data.

• Applying this approach is not always possible, because the necessary data are not always attainable.


Future vision

• Creation of a botnet market in the near future?

• DDoS attack as a business activity?
