Thinking Like They Do: An Inside Look at Cybercriminal Operations
TRANSCRIPT
Gianluca Stringhini, University College London
Cybercrime is a growing problem
An Inside Look at Cybercriminal Operations 4
Source: Levchenko et al. 2011
Anatomy of a spam operation
Figure: the three actors in a spam operation (Harvester, Botmaster, Spammer)
How can we effectively disrupt spamming botnets?
We need to get a better understanding of these cybercriminal operations
Over the last few years we have been studying spamming botnets by
• Observing the actors involved
• Getting an inside look into a real botnet
Fingerprinting a spam operation
The actors in the underground market are linked by long-lasting trust relations
More details in “The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape” from AsiaCCS 2014
The Cutwail takedown
In 2010 we participated in an attempted takedown: we tried to disrupt the botnet by seizing the C&C servers
We obtained access to 24 C&C servers
• 30% of the botnet
• Each server rented by a different spammer
• Detailed statistics on the spammers’ campaigns
Some Statistics
The logs of the C&C servers contained information about
• 9 spammers who rented one or more C&Cs
• More than 2M bot IP addresses
• More than 500B spam emails sent
The performance of spam operations varies a lot: the most successful spammer sent 7B emails per day, the least successful only 5.5M
More details in “The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns” from LEET 2011
Botnets need to be efficient engineering systems
Additional constraints:
• Infected computers are usually on bad Internet connections
• Adversarial actions can severely disrupt the botnet (victims cleaning up infected computers, law enforcement seizing control servers)
If we identify the elements that make a botnet work well, we can develop better mitigation techniques
Spammers split an email list among many bots – we can use this to find additional bots!
More details in “BotMagnifier: Detecting Spambots on the Internet” from USENIX 2011
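The slide above describes the observation behind BotMagnifier: because a spammer splits one email list among many bots, the bots of one campaign hit overlapping sets of recipient domains, and a small seed pool of known bots can be "magnified" into a larger one. The following is an added illustration of that magnification step, not code from the talk or from the BotMagnifier paper; the log format, IP addresses, domains and thresholds are all constructed for the example.

```python
"""
BotMagnifier-style magnification of a spambot seed pool (added example).

Starting from a few known bots of one campaign, collect the campaign's target
set (the union of their recipient domains) and flag any other sender whose
recipient set overlaps strongly with that target set while hitting almost
nothing outside it. Legitimate mail servers also talk to popular domains, so
the "little outside the target set" rule is what keeps them out.
"""
from collections import defaultdict

# Constructed mail-transaction log (not real data): "timestamp sender_ip recipient_domain".
# 198.51.100.10/.11 are the seed bots; 203.0.113.20 is a bot not yet in the pool;
# 203.0.113.21 is a legitimate relay; 203.0.113.22 and .23 are borderline senders.
LOG = """\
2011-03-01T10:00:01 198.51.100.10 shop-a.test
2011-03-01T10:00:02 198.51.100.10 bank-b.test
2011-03-01T10:00:03 198.51.100.10 mail-c.test
2011-03-01T10:00:04 198.51.100.11 bank-b.test
2011-03-01T10:00:05 198.51.100.11 mail-c.test
2011-03-01T10:00:06 198.51.100.11 news-d.test
2011-03-01T10:01:00 203.0.113.20 shop-a.test
2011-03-01T10:01:01 203.0.113.20 bank-b.test
2011-03-01T10:01:02 203.0.113.20 news-d.test
2011-03-01T10:02:00 203.0.113.21 shop-a.test
2011-03-01T10:02:01 203.0.113.21 corp-x.test
2011-03-01T10:02:02 203.0.113.21 corp-y.test
2011-03-01T10:02:03 203.0.113.21 corp-z.test
2011-03-01T10:03:00 203.0.113.22 shop-a.test
2011-03-01T10:03:01 203.0.113.22 bank-b.test
2011-03-01T10:03:02 203.0.113.22 mail-c.test
2011-03-01T10:03:03 203.0.113.22 extra-w.test
2011-03-01T10:04:00 203.0.113.23 bank-b.test
"""

SEED_BOTS = {"198.51.100.10", "198.51.100.11"}


def parse_log(text):
    """Map each sender IP to the set of recipient domains it delivered to."""
    dests = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, domain = line.split()
        dests[ip].add(domain)
    return dests


def campaign_targets(dests, seeds):
    """The campaign's target set: every domain any seed bot delivered to."""
    targets = set()
    for ip in seeds:
        targets |= dests.get(ip, set())
    return targets


def magnify(dests, seeds, min_overlap=0.5, max_outside=0.2):
    """
    Return {ip: overlap_ratio} for senders that look like members of the
    seed bots' campaign. Thresholds are assumptions for this example:
    a candidate must cover at least min_overlap of the target set and send
    at most max_outside of its own traffic to domains outside it.
    """
    targets = campaign_targets(dests, seeds)
    found = {}
    for ip, domains in dests.items():
        if ip in seeds or not domains or not targets:
            continue
        overlap = len(domains & targets) / len(targets)
        outside = len(domains - targets) / len(domains)
        if overlap >= min_overlap and outside <= max_outside:
            found[ip] = round(overlap, 2)
    return found


if __name__ == "__main__":
    pool = magnify(parse_log(LOG), SEED_BOTS)
    for ip, ratio in sorted(pool.items()):
        print(f"likely bot: {ip} (target overlap {ratio})")
```

On the constructed log, only 203.0.113.20 is added to the pool: the relay 203.0.113.21 overlaps too little with the target set, 203.0.113.22 sends too much outside it, and 203.0.113.23 hits a single target domain, which any ordinary sender might do. In a real deployment the target set and candidate sets would come from mail-transaction logs of a large provider or from netflow-style records, and the thresholds would be tuned against known-good senders.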
What makes a spam operation successful?
Good “housekeeping”
• Clean up email lists for non-existing addresses
• Limit bots to 5,000 at most
Bots have bad Internet connections
Instruct bots to retry sending emails multiple times
Interesting fact: the geographic location of bots does not influence the performance of the botnet!
More details in “The Tricks of the Trade: What Makes Spam Campaigns Successful?” from IWCC 2014
Possible mitigations
Tamper with spammers cleaning up email lists
[Stringhini et al., USENIX 2012]
Exhausting the C&C’s bandwidth by connecting fake bots
[Work in progress]
Use network errors for spam detection
[Kakavelakis et al., LISA 2011]
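The last mitigation above builds on an earlier slide: bots usually sit on poor Internet connections, so the SMTP sessions they open show transport-level trouble (retransmissions, high latency, aborted deliveries) that a well-run mail server's sessions do not. The following is an added illustration of scoring sessions on such errors; it is not code from the talk or from Kakavelakis et al., the per-session fields are assumed to have been joined by the receiving MTA from SMTP state and TCP statistics, and the weights, thresholds and records are constructed for the example.

```python
"""
Scoring SMTP sessions by transport-level errors (added example).

A deliberately simple heuristic: each session gets a score in [0, 1] from its
TCP retransmission ratio, its round-trip time and whether the delivery was
aborted. High scores mark senders that behave like bots on bad links. In
practice this signal is combined with content and reputation checks rather
than used on its own.
"""

# Constructed per-session records (not real data). Field names are assumptions
# for this example, e.g. what an MTA could log by reading TCP_INFO on the socket.
SESSIONS = [
    {"ip": "203.0.113.5",   "segments": 40, "retransmits": 0, "rtt_ms": 20,  "reset": False, "accepted": True},
    {"ip": "198.51.100.77", "segments": 30, "retransmits": 9, "rtt_ms": 480, "reset": False, "accepted": True},
    {"ip": "198.51.100.78", "segments": 12, "retransmits": 4, "rtt_ms": 650, "reset": True,  "accepted": False},
    {"ip": "203.0.113.9",   "segments": 55, "retransmits": 1, "rtt_ms": 35,  "reset": False, "accepted": True},
]


def error_score(session):
    """Higher means the session looked more like a bot on a poor connection."""
    retx_ratio = session["retransmits"] / max(session["segments"], 1)
    score = 0.0
    # A retransmission ratio of 20% or more saturates this term (weight 0.5).
    score += min(retx_ratio / 0.2, 1.0) * 0.5
    # Round-trip times of 500 ms or more saturate this term (weight 0.3).
    score += min(session["rtt_ms"] / 500.0, 1.0) * 0.3
    # Connection reset or message never accepted (weight 0.2).
    if session["reset"] or not session["accepted"]:
        score += 0.2
    return round(score, 2)


def flag_suspicious(sessions, threshold=0.6):
    """IPs of sessions scoring at or above the threshold, in log order."""
    return [s["ip"] for s in sessions if error_score(s) >= threshold]


def score_by_ip(sessions):
    """Average score per sender IP, so repeated bad sessions accumulate evidence."""
    totals, counts = {}, {}
    for s in sessions:
        totals[s["ip"]] = totals.get(s["ip"], 0.0) + error_score(s)
        counts[s["ip"]] = counts.get(s["ip"], 0) + 1
    return {ip: round(totals[ip] / counts[ip], 2) for ip in totals}


if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s['ip']:>14}  score={error_score(s):.2f}")
    print("flagged:", flag_suspicious(SESSIONS))
```

On the constructed records the two 198.51.100.x sessions are flagged and the two from well-connected servers are not. The point of the per-IP aggregation is that a single noisy session from a legitimate server should not be enough; a sender whose sessions are consistently lossy and slow is the one worth greylisting or rate-limiting.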
Conclusions
Cybercrime is a worldwide phenomenon, and we need effective countermeasures to fight it
Botnets can be modeled as distributed systems, and mitigations can be designed to make such a distributed system perform poorly
Other types of cybercriminal operations require different techniques
• Identity theft
• Ransomware
• Financial fraud