Thinking Like They Do: An Inside Look at Cybercriminal Operations Gianluca Stringhini University College London

Post on 16-Jul-2015


Cybercrime is a growing problem

An Inside Look at Cybercriminal Operations 2


Source: Levchenko et al. 2011

Anatomy of a spam operation

(Diagram: the three actors of a spam operation, the Harvester, the Botmaster and the Spammer.)

How can we effectively disrupt spamming botnets? We need to get a better understanding of these cybercriminal operations.

Over the last few years we have been studying spamming botnets by

• Observing the actors involved

• Getting an inside look into a real botnet


Fingerprinting a spam operation


The actors in the underground market are linked by long-lasting trust relations

More details in “The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape” from AsiaCCS 2014

Spammers buy bots in different countries – Lethic


Spammers buy bots in different countries – Cutwail

An inside look into a real spamming botnet

The Cutwail takedown

In 2010 we participated in an attempted takedown – we tried to disrupt the botnet by seizing the C&C servers

We obtained access to 24 C&C servers

• 30% of the botnet

• Each server rented by a different spammer

• Detailed statistics on the spammers’ campaigns


Some Statistics

The logs of the C&C servers contained information about

• 9 spammers who rented one or more C&Cs

• More than 2M bot IP addresses

• More than 500B spam emails sent

The performance of spam operations varies a lot: the most successful spammer sent 7B emails per day, the least successful only 5.5M

More details in “The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns” from LEET 2011

Botnets need to be efficient engineering systems

Additional constraints:

• Infected computers are usually on bad Internet connections

• Adversarial actions can severely disrupt the botnet (victims cleaning up infected computers, law enforcement seizing control servers)

If we identify the elements that make a botnet work well, we can develop better mitigation techniques


Spammers split an email list among many bots – we can use this to find additional bots!


More details in “BotMagnifier: Detecting Spambots on the Internet” from USENIX 2011
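The list-splitting observation above lends itself to a simple detection check. The following is an added illustration, not the BotMagnifier tool's code: starting from a small seed of known bot IPs, it flags other senders whose recipients overlap the seed's campaign targets. The mail log, seed set and thresholds are constructed for the example.

```python
"""Magnifying a spam botnet from its list-splitting behaviour.

Added illustration (not the BotMagnifier code): a spam campaign hands
slices of one address list to many bots, so senders that deliver to
the same destinations as a small seed of known bots are likely members
of the same botnet. Log records and thresholds below are constructed.
"""
from collections import defaultdict

# Constructed transaction log: (sender_ip, recipient) pairs seen by a
# mail server over one campaign window. 10.0.0.1-3 are known bots.
MAIL_LOG = [
    ("10.0.0.1", "a@example.org"), ("10.0.0.1", "b@example.org"),
    ("10.0.0.2", "b@example.org"), ("10.0.0.2", "c@example.org"),
    ("10.0.0.3", "c@example.org"), ("10.0.0.3", "d@example.org"),
    # candidate that received a slice of the same address list
    ("10.0.0.9", "a@example.org"), ("10.0.0.9", "d@example.org"),
    # legitimate relay: its own recipients, one incidental overlap
    ("192.0.2.5", "x@example.net"), ("192.0.2.5", "y@example.net"),
    ("192.0.2.5", "b@example.org"),
]

SEED_BOTS = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}


def recipients_by_sender(log):
    """Group the log into sender IP -> set of recipients."""
    by_sender = defaultdict(set)
    for ip, rcpt in log:
        by_sender[ip].add(rcpt)
    return by_sender


def magnify(log, seed, min_overlap=0.5, min_msgs=2):
    """Return {ip: overlap} for non-seed senders whose recipient set
    overlaps the seed's campaign targets by at least min_overlap
    (fraction of the candidate's own recipients); senders with fewer
    than min_msgs distinct recipients are too noisy and are skipped."""
    by_sender = recipients_by_sender(log)
    # Union of everything the known bots targeted = the campaign list.
    targets = set().union(*(by_sender[ip] for ip in seed if ip in by_sender))
    found = {}
    for ip, rcpts in by_sender.items():
        if ip in seed or len(rcpts) < min_msgs:
            continue
        overlap = len(rcpts & targets) / len(rcpts)
        if overlap >= min_overlap:
            found[ip] = overlap
    return found
```

With the constructed log, 10.0.0.9 is reported (all of its recipients are campaign targets) while the relay at 192.0.2.5 stays below the threshold; in practice the threshold must be tuned against legitimate high-volume senders, which is the false-positive risk this heuristic carries.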

What makes a spam operation successful?

Good “housekeeping”

• Clean up email lists for non-existing addresses

• Limit bots to 5,000 at most

Bots have bad Internet connections, so instruct bots to retry sending emails multiple times

Interesting fact: the geographic location of bots does not influence the performance of the botnet!


More details in “The Tricks of the Trade: What Makes Spam Campaigns Successful?” from IWCC 2014

Possible mitigations

Tamper with spammers cleaning up email lists

[Stringhini et al., USENIX 2012]

Exhaust the C&C’s bandwidth by connecting fake bots

[Work in progress]

Use network errors for spam detection

[Kakavelakis et al., LISA 2011]


Conclusions

Cybercrime is a worldwide phenomenon, and we need effective countermeasures to fight it

Botnets can be modeled as distributed systems, and mitigations can be designed to make such distributed systems perform poorly

Other types of cybercriminal operations require different techniques:

• Identity theft

• Ransomware

• Financial fraud

[email protected]

@gianluca_string