Characterizing Seller-Driven Black-Hat Marketplaces The Curious Case of SEOClerks and MyCheapJobs Shehroze Farooqi 1,3 , Muhammad Ikram 2 , Gohar Irfan 3 , Emiliano De Cristofaro 4 , Arik Friedman 2 , Guillaume Jourjon 2 , Mohamed Ali Kaafar 2 , M. Zubair Shafiq 1 , Fareed Zaffar 3 1 The University of Iowa 2 NICTA 3 LUMS 4 University College London ABSTRACT This paper investigates two seller-driven black-hat online marketplaces, SEOClerks and MyCheapJobs, aiming to shed light on the services they offer as well as sellers and cus- tomers they attract. We perform a measurement-based anal- ysis based on complete crawls of their websites and find that the vast majority of services target popular social media and e-commerce websites, such as website backlinks, Instagram followers, or Twitter retweets, and estimate revenues to be at least $1.3M for SEOClerks and $116K for MyCheapJobs. Our analysis uncovers the characteristics of these two non-underground seller-driven marketplaces and shows that many top sellers belong to an “insider ring”, where accounts created close to the marketplaces’ launch account for the majority of the sales. We provide first-of-its-kind evidence that marketplace operators may be involved in perpetuat- ing fraudulent activities and hope to facilitate deployment of technical, legal, and economic countermeasures. 1. INTRODUCTION An increasing number of black-hat online marketplaces are emerging that facilitate the sale of fraudulent services and illicit goods [10, 11, 15, 25]. Among these, some of- fer paid services geared for spreading false information and manipulating reputation, targeting many different services, including social networks and e-commerce websites. While many black-hat marketplaces (e.g., HackBB, Silk Road, Agora) operate underground (hosted as Tor hidden services [23]), other fraudsters have turned to popular, le- gitimate online micro-task marketplaces such as Fiverr and Freelancer [14, 20, 24]. As these increasingly act to block services violating their terms of services, dedicated buyer- driven crowdturfing [25] markets have surfaced, e.g., mi- croWorkers, RapidWorkers, ShortTask, Zhubajie, Sandaha, where requesters can recruit workers for specific micro- tasks. At the same time, a growing number of seller-driven black-hat marketplaces has also started to thrive, including SEOClerks, MyCheapJobs, Gigbucks, Gigton, TenBux. Un- like crowdturfing markets, these websites operate a standard seller-driven model where sellers offer specific (and often fraudulent/illegal) services for a fixed price, somewhat sim- ilar to Ebay or Amazon. Overview. While prior work on seller-driven market- places has mostly focused on underground ones, like Silk Road [10], or on fraud in legitimate micro-tasks ser- vices [14], we present a measurement-based study of two popular, non-underground, seller-driven black-hat online marketplaces: SEOClerks (SC, seoclerks.com) and My- CheapJobs (MCJ, mycheapjobs.com). Besides their pop- ularity, we choose these two as they are primarily geared for fraudulent and illegal services. After crawling the two sites (in February 2015), we analyze collected data to shed light on the services that are proposed/sold and the sellers and customers they attract. By studying the characteristics of these seller-driven marketplaces, and the main reasons for their success, we aim to provide useful evidence and insight to help counter this emerging cyber crime ecosystem. Main Findings. SC and MCJ were both created in 2011, but SC is much larger in terms of users, services, and esti- mated revenue. Our measurements reveal that SC has over 270K users and 47K listed services, and MCJ has 8K users and 22K services. A significant fraction of sellers are from a few Asian countries (India, Bangladesh, Pakistan, Indone- sia, Philippines), while buyers are relatively concentrated in developed countries (USA, UK, Italy, Canada). The vast ma- jority of services on both marketplaces are fraudulent or out- right illegal, e.g., selling wiki backlinks to improve Google PageRank, inflating website traffic for click fraud, spreading URLs via spam, garnering fake Instagram followers, Twitter retweets, or Facebook likes. Using buyer ratings as a proxy for sales, we provide a lower-bound estimate of their rev- enue: $1.3M for SC and $116K for MCJ. Our drill-down analysis of top sellers also reveals a few unexpected findings. Top sellers on SC and MCJ appear to belong to an “insider ring” whose accounts were created around the launch of the marketplace in 2011. These handful of accounts are still active (they have logged onto the website within a week before our crawl) and account for the majority of sales. These accounts are promoted to advanced user lev- els with many privileges, and some of them are even listed as admin/staff accounts. Our findings suggest that operators of both SC (Ionicware Inc., registered in North Carolina, USA) and MCJ (Jim Vidmar) are likely responsible for, or com- plicit in, perpetuating spam and fraud on target websites. 1 arXiv:1505.01637v1 [cs.CY] 7 May 2015
Transcript
Characterizing Seller-Driven Black-Hat MarketplacesThe Curious Case of SEOClerks and MyCheapJobs
Shehroze Farooqi1,3, Muhammad Ikram2, Gohar Irfan3, Emiliano De Cristofaro4,Arik Friedman2, Guillaume Jourjon2, Mohamed Ali Kaafar2, M. Zubair Shafiq1, Fareed Zaffar3
1The University of Iowa 2NICTA 3LUMS 4University College London
ABSTRACTThis paper investigates two seller-driven black-hat online
marketplaces, SEOClerks and MyCheapJobs, aiming to shedlight on the services they offer as well as sellers and cus-tomers they attract. We perform a measurement-based anal-ysis based on complete crawls of their websites and find thatthe vast majority of services target popular social media ande-commerce websites, such as website backlinks, Instagramfollowers, or Twitter retweets, and estimate revenues to be atleast $1.3M for SEOClerks and $116K for MyCheapJobs.
Our analysis uncovers the characteristics of these twonon-underground seller-driven marketplaces and shows thatmany top sellers belong to an “insider ring”, where accountscreated close to the marketplaces’ launch account for themajority of the sales. We provide first-of-its-kind evidencethat marketplace operators may be involved in perpetuat-ing fraudulent activities and hope to facilitate deploymentof technical, legal, and economic countermeasures.
1. INTRODUCTIONAn increasing number of black-hat online marketplaces
are emerging that facilitate the sale of fraudulent servicesand illicit goods [10, 11, 15, 25]. Among these, some of-fer paid services geared for spreading false information andmanipulating reputation, targeting many different services,including social networks and e-commerce websites.
While many black-hat marketplaces (e.g., HackBB, SilkRoad, Agora) operate underground (hosted as Tor hiddenservices [23]), other fraudsters have turned to popular, le-gitimate online micro-task marketplaces such as Fiverr andFreelancer [14, 20, 24]. As these increasingly act to blockservices violating their terms of services, dedicated buyer-driven crowdturfing [25] markets have surfaced, e.g., mi-croWorkers, RapidWorkers, ShortTask, Zhubajie, Sandaha,where requesters can recruit workers for specific micro-tasks. At the same time, a growing number of seller-drivenblack-hat marketplaces has also started to thrive, includingSEOClerks, MyCheapJobs, Gigbucks, Gigton, TenBux. Un-like crowdturfing markets, these websites operate a standardseller-driven model where sellers offer specific (and oftenfraudulent/illegal) services for a fixed price, somewhat sim-ilar to Ebay or Amazon.
Overview. While prior work on seller-driven market-places has mostly focused on underground ones, like SilkRoad [10], or on fraud in legitimate micro-tasks ser-vices [14], we present a measurement-based study of twopopular, non-underground, seller-driven black-hat onlinemarketplaces: SEOClerks (SC, seoclerks.com) and My-CheapJobs (MCJ, mycheapjobs.com). Besides their pop-ularity, we choose these two as they are primarily gearedfor fraudulent and illegal services. After crawling the twosites (in February 2015), we analyze collected data to shedlight on the services that are proposed/sold and the sellersand customers they attract. By studying the characteristicsof these seller-driven marketplaces, and the main reasons fortheir success, we aim to provide useful evidence and insightto help counter this emerging cyber crime ecosystem.
Main Findings. SC and MCJ were both created in 2011,but SC is much larger in terms of users, services, and esti-mated revenue. Our measurements reveal that SC has over270K users and 47K listed services, and MCJ has 8K usersand 22K services. A significant fraction of sellers are froma few Asian countries (India, Bangladesh, Pakistan, Indone-sia, Philippines), while buyers are relatively concentrated indeveloped countries (USA, UK, Italy, Canada). The vast ma-jority of services on both marketplaces are fraudulent or out-right illegal, e.g., selling wiki backlinks to improve GooglePageRank, inflating website traffic for click fraud, spreadingURLs via spam, garnering fake Instagram followers, Twitterretweets, or Facebook likes. Using buyer ratings as a proxyfor sales, we provide a lower-bound estimate of their rev-enue: $1.3M for SC and $116K for MCJ.
Our drill-down analysis of top sellers also reveals a fewunexpected findings. Top sellers on SC and MCJ appearto belong to an “insider ring” whose accounts were createdaround the launch of the marketplace in 2011. These handfulof accounts are still active (they have logged onto the websitewithin a week before our crawl) and account for the majorityof sales. These accounts are promoted to advanced user lev-els with many privileges, and some of them are even listed asadmin/staff accounts. Our findings suggest that operators ofboth SC (Ionicware Inc., registered in North Carolina, USA)and MCJ (Jim Vidmar) are likely responsible for, or com-plicit in, perpetuating spam and fraud on target websites.
Marketplace SEOClerks (SC) MyCheapJobs (MCJ)#Users 278,760 8,043#Services 47,517 22,230Services Sold 10,362 3,073Total Revenue $1,349,316 $116,360Revenue per service $130 $38Alexa Rank 5,280 68,221
Table 1: Statistics of black-hat marketplaces studied in this paper.
To the best of our knowledge, our work is the first toprovide evidence of the potential involvement of seller-driven marketplace operators in providing fraudulent ser-vices. Through the characterization of an important link inthe Internet fraud chain [16], our analysis provides an impor-tant step toward designing robust countermeasures as wellas devising effective economic and legal intervention strate-gies, suggesting that targeting key active players may be aviable and effective approach to mitigate these activities.
2. DATASETSThis section presents the methodology and the datasets
used to analyze SEOClerks and MyCheapJobs.Overview. We conducted complete crawls of SEOClerks(SC) and MyCheapJobs (MCJ) in February 2015, using theScrapy web crawler [7]. We collected all publicly availableinformation from both user and service pages. User pagescontain username, account creation date, last login date, lo-cation, user reputation level, ratings/recommendations, anddescription of skills. Service pages contain the seller’s user-name, the service price, the service creation date, a descrip-tion of the service, the expected delivery time, the numberof orders in progress, and ratings/recommendations.Statistics. In total, our data includes 286,832 users and66,747 services for these two marketplaces, as summarizedin Table 1. We found that SC is a large marketplace, with278,760 users and 47,517 services, and estimated its totalrevenue to be $1,349,316 by multiplying the price of eachproposed service with their rating count. Since buyers arenot required but are highly-recommended to provide ratings(as binary +ve/-ve) for their purchases, our estimate repre-sents a lower-bound on the actual total revenue. Also notethat the estimate does not include commission or transactionfees charged by the marketplace operators. In comparison,MCJ is an order of magnitude smaller in terms of revenue.21% of the services proposed on SC, and 15% of those onMCJ, are sold at least once. SC also has a much higher av-erage revenue per service than MCJ, specifically, $130 vs$38. Finally, note that SC is ranked by Alexa in the top-5000 globally, top-1500 website in India, and top-1000 inPakistan, while MCJ is ranked around top 65,000.Ethics. As we collected and analyzed data about users oftwo black-hat marketplaces and pertaining to possibly fraud-ulent activities, we requested approval from University ofIowa’s Institutional Review Board, which, in March 2015,classified our research as exempt. Note that: (i) we did notcompromise, or engage in any fraudulent transactions with,the marketplaces, and (ii) we only collected publicly avail-
Jan 2012 Aug 2012 Jan 2013 Aug 2013 Jan 2014 Aug 2014 Jan 2015100
101
102
103
104
105
106
Time
# U
sers
Daily New UsersTotal Users
(a) SC
Aug 2011 Jan 2012 Aug 2012 Jan 2013 Aug 2013 Jan 2014 Aug 2014 Jan 2015100
101
102
103
104
Time
# U
sers
Daily New UsersTotal Users
(b) MCJFigure 1: Temporal evolution of daily and cumulative number of users.
able information. Thus, our research does not prompt anyadditional risks. In order to let other researchers reproduceour results, all crawled data is available upon request.
3. MARKETPLACE ANALYSIS3.1 Temporal and Geographic Patterns
We start our analysis by studying the temporal evolutionof user registration on SC and MCJ. Figure 1 reports thedaily registration rate of new users and the cumulative num-ber of users on SC and MCJ. For both SC and MCJ, we notethat the first user account was registered in mid-2011. Ourassessment is confirmed by the Internet Archive WaybackMachine, which has the first snapshot of SC dating back toOctober 7, 2011, and May 25, 2011 for MCJ.
For SC, the number of users grew fairly slowly (daily newusers < 10), with 391 users until January 2013. The market-place experienced a sudden increase in new users beginningearly 2013 and the number of new users has remained sta-ble since. This sudden increase in the number of new usersmight be explained by an aggressive social media campaignin early 2013 (offering $2 promotional credit for tweetingabout SEOClerks [5]). For the last year, SC averages ap-proximately 400 daily new users, while MCJ has been at-tracting approximately 5 daily new users (on average).
SC and MCJ indicate the geographic location of usersbased on their IP geolocation and/or input from the user.In Table 2, we list the geographic distribution of all sellersand buyers. A significant fraction of sellers are from a fewAsian countries such as India, Bangladesh, Pakistan, Indone-sia and Philippines, which is somewhat expected because oftheir relatively lower per-capita income [9]. We also suspectthat some users may use VPNs/proxies to manipulate theirgeolocation. On the other hand, buyers are relatively con-
2
100
101
102
103
0
1
2
3
4
x 104
Price ($)
Cum
ulat
ive
Cou
nt o
f Ser
vice
s
(a) Price
100
101
102
103
3.8
4
4.2
4.4
4.6
x 104
Volume
Cum
ulat
ive
Cou
nt o
f Ser
vice
s
(b) Volume
100
101
102
103
104
3.8
4
4.2
4.4
4.6
x 104
Revenue ($)
Cum
ulat
ive
Cou
nt o
f Ser
vice
s
(c) RevenueFigure 2: Distribution of service price, volume, and revenue on SC.
100
101
102
103
0
0.5
1
1.5
2
x 104
Price ($)
Cum
ulat
ive
Cou
nt o
f Ser
vice
s
(a) Price
100
101
102
103
1.95
2
2.05
2.1
2.15
2.2x 10
4
Volume
Cum
ulat
ive
Cou
nt o
f Ser
vice
s
(b) Volume
100
101
102
103
104
1.95
2
2.05
2.1
2.15
2.2x 10
4
Revenue ($)
Cum
ulat
ive
Cou
nt o
f Ser
vice
s
(c) RevenueFigure 3: Distribution of service price, volume, and revenue on MCJ.
Table 2: Geographic location of sellers and buyers.
centrated in developed countries, including USA, UK, Italy,and Canada. Regardless of the role of the marketplace users,our findings somewhat mirror the marketplace audience ge-ography statistics as estimated by Alexa. For SC, Alexa es-timates that 28.5% of the visitors are located in India, fol-lowed by 6.1% in Pakistan and USA, and 4.6% in UK. ForMCJ, Alexa estimates that 19.1% of the visitors are locatedin India, followed by 16.9% in USA, and 11.7% in Pakistan.
3.2 ServicesWe counted a total of 47,517 and 22,230 services of-
fered, respectively, on SC and MCJ. A vast majority ofthese services are geared towards fraudulent services suchas selling wiki backlinks for black-hat search engine opti-mization (SEO), website traffic, Instagram followers, Twit-ter retweets, Facebook likes, URL spam, etc.
Price range. On SC, the services are priced anywhere inthe range of $1-999, whereas, on MCJ, the range is $5-500.Figures 2(a) and 3(a) plot the distributions of service priceon SC and MCJ, respectively. We note that a vast majorityof services are priced in the lower range with 30,445 (64%)services on SC and 15,842 (71%) services on MCJ beingpriced at or under $10. The mode of service price distribu-tion for both SC and MCJ is $5, which accounts for 13,796
(29%) services on SC and 12,433 (56%) services on MCJ.Note that $5 is the minimum service price allowed for newlyregistered sellers on SC and for all sellers on MCJ. As dis-cussed later, only experienced sellers on SC are allowed tocreate lower cost services.
Sales and revenues. For SC, we recorded a total of 304,060sales accounting for a total estimated revenue of $1,349,316,and a total 13,309 sales for MCJ with an estimated revenueof $116,360. Figures 2 and 3 show the distributions of ser-vice volume and revenue on both marketplaces. We notethat a vast majority of services on SC (37,155 = 78%) andMCJ (19,036 = 86%) have no sales and thus zero revenue.We observe a long-tail distribution for the remaining ser-vices, with 8% of the services with just one sale, 3% of theservices with two sales, and 2% of the services with threesales. Less than 10% for both marketplaces, however, repre-sent the vast majority of the sales volume and total revenue.The most popular service in terms of sales volume for SC is“1000+ Instagram followers” (priced at $2) and has 3,853sales resulting in $7,706 revenue. The most lucrative servicefor SC is “Backlinks to improve Google search ranking”(priced at $29) attracting 1,364 sales and generating $39,556in revenue. For MCJ, the most popular service in terms ofsales volume (“Email page to a list of 70000 for $5”) has332 sales generating $1,660 revenue and the most popularservice in terms of revenue (“10000 SoundCloud plays for$15”) has 141 sales yielding $2,115 revenue.
Categorization. To systematically analyze different types ofservices on SEOClerks, we use keyword analysis and man-ual curation to group services into various categories, basedon their target websites, e.g., Twitter followers, Instagramfollowers, etc. Table 3 lists the top categories of services(in terms of sales volume) and the top selling (in terms ofrevenue) service for each category on SC. Clearly, a vast ma-jority of services target black-hat search engine optimization
3
Category #Services Revenue Top ServiceName Revenue Price
Black-hat SEO 34.0% $692,621 (51%) Backlinks to improve Google search ranking $39,556 $29Twitter 18.8% $158,629 (12%) 1 million Twitter followers $11,037 $849Instagram 12.6% $139,882 (10%) 1000+ Instagram followers $7,706 $10YouTube 10.0% $106,855 (8%) 100,000+ YouTube views $35,160 $120Website traffic 9.2% $95,643 (7%) Traffic from social networks for 30 days $7,105 $29Soundcloud 2.7% $14,207 (1%) 100+ Soundcloud followers $1,444 $1Facebook 2.5% $46,832 (3%) Facebook fan page promotion $15,480 $30Google+ 2.1% $8,459 (1%) 2000 Google+ followers $1,806 $7
Table 3: Categories and details of popular services in each category on SC.
Table 4: User experience levels used by SC and MCJ.
and social network manipulation. The largest service cate-gory targets Google rank improvement using backlinks, andaccounts for 34% of services and 51% of revenue. In theblack-hat SEO category, the most popular service is sold for$29 and made $39,556 in total revenue. The second largestservice category targets Twitter followers and retweets, andaccounts for 19% of services and 12% of revenue. The mostpopular service in Twitter category provides “1 million Twit-ter followers” for $849 and made $11,037 in total revenue.We observe a similar category distribution on MCJ and thedetails are left out due to space constraints.
3.3 UsersUsers on SC and MCJ are assigned different reputation
levels: Table 4 summarizes the user experience level statis-tics in SC and MCJ. New users start from level 1 and are pro-moted to higher levels based on certain requirements. De-tails of requirements and benefits for level promotion aredescribed in [6, 8]. MCJ has 3 levels (levels 1, 2, and 3),while SC has five additional levels (X3, 4, X4, 5, X5). Ahigher level means lesser restrictions, including lower clear-ance time for payments or better rewards, such as cashback.
The vast majority of users are at level 1 (93% on SC and96% on MCJ). Naturally, one expects users at higher levelsto be successful sellers: indeed, only 59 SC users have levelshigher than 3 but they account for $577,618 (43%) of totalrevenue. Likewise, only 203 users on MCJ have level 3 andthey account for $96,715 (83%) of the revenue.
Recall that users can be sellers and/or buyers: in the fol-lowing, we analyze them separately.
3.3.1 Seller AnalysisThere are 8,861 sellers on SC and 4,233 sellers on MCJ.
Some advertised at least one service but had not sold anyyet—these “zero-sale” sellers are included in our statistics.
#Services. Figures 4(a) and 5(a) plot distributions of thenumber of services listed by sellers, resp., on SC and MCJ.We note that most sellers listed only one service (54% on
2012 2013 2014 2015
2014
2015
Seller Join Date
Sel
ler
Last
Log
in D
ate
(a) SC
2012 2013 2014 2015Seller Join Date
(b) MCJFigure 6: Relationship between seller join date, last login date, and rev-enue. Circle size represents seller revenue. Note that last login date is notavailable for MCJ.
SC and 45% on MCJ). The seller with most listed serviceson MC had 1,092 services and the one on MCJ — 1,754.
Ratings. As illustrated in Figures 4(b) and 5(b), we foundthat most of the sellers have positive ratings: 95% of thesellers received more than 90% positive ratings on SC andMCJ. This pattern of overwhelmingly positive ratings is alsoobserved in other online e-commerce marketplaces [10, 12].
Revenue. Figures 4(c) and 5(c) plot distributions of sellerrevenue on SC and MCJ, respectively. Only 2,228 (25%)sellers on SC and 933 (22%) sellers on MCJ have soldat least one service. The long-tail distribution indicatesthat a small number of sellers account for most revenue.More specifically, the top-100 sellers account for $1,022,860(76%) revenue on SC and $79,140 (68%) revenue on MCJ.
Impact of joining date. We now analyze the impact ofjoining date and last login date on seller revenue. As illus-trated in Figure 6, where circles represent sellers and theirradius the corresponding revenue, top sellers (i.e, large cir-cles) joined the marketplace in the early days. Specifically, 8of the top 10 sellers on SC and 6 out of the top 10 sellers onMCJ did so before 2013. Furthermore, for SC, most seller
4
100
101
102
103
104
0
2000
4000
6000
8000
# Services
Cum
ulat
ive
Sel
ler
Cou
nt
(a) Number of Services
100
101
102
103
104
6000
6500
7000
7500
8000
8500
# Ratings
Cum
ulat
ive
Sel
ler
Cou
nt
+ve ratings−ve ratings
(b) Ratings
100
101
102
103
104
105
5000
5500
6000
6500
7000
7500
8000
8500
Revenue ($)
Cum
ulat
ive
Sel
ler
Cou
nt
(c) RevenueFigure 4: Distributions of seller services, revenue, and ratings on SC.
100
101
102
103
104
0
500
1000
1500
2000
2500
3000
3500
4000
# Services
Cum
ulat
ive
Sel
ler
Cou
nt
(a) Number of Services
100
101
102
103
104
3000
3200
3400
3600
3800
4000
4200
# RatingsC
umul
ativ
e S
elle
r C
ount
+ve ratings−ve ratings
(b) Ratings
100
101
102
103
104
105
3000
3200
3400
3600
3800
4000
4200
Revenue ($)
Cum
ulat
ive
Sel
ler
Cou
nt
(c) RevenueFigure 5: Distributions of seller services, revenue, and ratings on MCJ.
accounts created before 2013 have last login dates withina week of our crawl. This pattern contrasts with seller ac-counts created after January 2013, which are more likely tobe inactive within a few months of their join date.
In essence, Figure 6 shows that most top sellers: (i) joinedthe marketplaces very early (often before the public releaseof the marketplace), (ii) attract larger shares of the total rev-enue, and (iii) are returning active visitors. This is particu-larly relevant in the case of SC. This suggests that the topsellers on SC and MCJ (particularly those created before2013) are part of an “insider ring.” These handful of in-sider accounts created several years ago, are still active andaccount for a large majority of sales.
Insider accounts. We then took a closer look at these ac-counts to provide insights about top sellers and their oper-ations, hoping to facilitate the design of technical counter-measures and strategies for economic or legal intervention.
The top seller on SC is user BarryinSiam [4]: accordingto the rating counts, this user has at least $94,189 in revenue,more than $30K above the second-best seller. The accounthas user experience level X3 (meaning this user was manu-ally selected by SC staff) and was created in October 2011.22 out of 26 services offered by this seller target variations ofblack-hat SEO category. BarryinSiam also operates a collu-sion network for backlinks, i.e., buyers get a discount if theyinclude backlinks to specified domains [13]. More informa-tion about the user is available from his Google+ profile [2]and an interview with SC’s CMO [3].
On MCJ, the top seller is badgehelp [1], who has userexperience level 3 and is the oldest account on the mar-ketplace (created in May 2011). This user has $14,980in revenue to date, almost 3-fold the second-best seller.badgehelp sells services across 7 out of the 8 categorieslisted in Table 3. A manual inspection of his user page [1]and https://www.linkedin.com/in/badgehelp confirmsthat this user (Jim Vidmar) is MCJ’s owner.
3.3.2 Buyer AnalysisWe now analyze various characteristics of buyers, i.e.,
users who have purchased at least one service, on SC andMCJ. In total, there are 34,300 buyers on SC and 3,540 onMCJ. Figures 7(a) and 8(a) plot the distribution of total andunique services purchased by buyers for both marketplaces.Most buyers purchase a few services, with 89% buyers onSC and 86% buyers on MCJ purchasing 10 or fewer services,while only a few buyers buy a large number of services.
Expenses. The distribution of expenses is plotted in Fig-ures 7(b) and 8(b), which show that approximately half ofthe buyers spend less than $10 on purchases. While only 18buyers spend at least $100 on MCJ, 3,042 actually spend atleast $100 on SC. In particular, the most active buyer on SCpurchased a total of 143 services paying $6,671. This buyerbought black-hat SEO services from different sellers.
Buyer-Service correlation. To further analyze correlationsbetween buyers and service, we visualize the scatter plot be-tween buyers and services in Figures 7(c) and 8(c), with ser-vices and buyers sorted in descending ordered w.r.t. theirpurchase frequency. The dark color represents 1 purchaseand the lighter blue colors represent repeated purchases.Most users buy a service only once (75% service-buyer pairson SC and 81% service-buyer pairs on MCJ), while popularservices (on the left) have many repeat buyers.
3.4 SummaryOur analysis of SC and MCJ unveiled a dichotomy be-
tween sellers and buyers in terms of their location: the for-mer are mostly located Asian developing countries, whilethe latter – in developed countries. We also presented ananalysis of the revenue, providing lower-bound estimates of$1.3M for SC and $116K for MCJ. Furthermore, we showedthat the top sellers on SC and MCJ belong to an “insiderring” with accounts created around marketplace launch.
(c) Buyer-Service MatrixFigure 7: Distributions of buyer purchase volume and expense on SC.
100
101
102
0
500
1000
1500
2000
2500
3000
3500
# Services Bought
Cum
ulat
ive
Buy
er C
ount
TotalUnique
(a) Volume
100
101
102
103
104
0
500
1000
1500
2000
2500
3000
3500
Buyer Expense ($)C
umul
ativ
e B
uyer
Cou
nt
(b) Expense
0 500 1000 1500 2000 2500 30000
500
1000
1500
2000
2500
3000
3500
Service Index (descending sort)
Buy
er In
dex
(des
cend
ing
sort
)
(c) Buyer-Service MatrixFigure 8: Distributions of buyer purchase volume and expense on MCJ.
Our findings suggest that targeting key active playersmay be a viable and effective approach to countering theseemerging cyber crime ecosystem. Both SC and MCJ usean escrow mechanism to get transaction/commission feesand to resolve disputes between sellers and buyers. Buy-ers on SC can purchase services using standard credit/debitcard, PayPal, Payza, or using cryptocurrencies. For PayPaland Payza, the SC marketplace account is registered to Ion-icware Inc. For all cryptocurrency transactions, SC uses anaccount on BitPay which is also registered to Ionicware Inc.MCJ only allows payments to its PayPal account registeredto “My Cheap Jobs.” Therefore, SC/MCJ marketplace ac-counts on PayPal, Payza, and BitPay can be targeted for eco-nomic and legal intervention.
4. RELATED WORKSeveral research efforts have looked at underground mar-
ketplaces [10, 11, 14–22, 24, 25], analyzing markets in termsof demographics, nature and quality of offered services, rev-enue models, financial intervention. In contrast, our workpresents, to the best of our knowledge, a first-of-its-kindanalysis on the presence of “insider accounts” on seller-driven black-hat marketplaces, pointing to the operators’ po-tential involvement in fraudulent services.
Crowdturfing markets. Wang et al. [25] studied “crowd-turfing” (astroturfing + crowdsourcing) on two large Chinesemalicious crowdsourcing markets (Zhubajie and Sandaha),and surveyed several U.S. and Indian malicious crowdsourc-ing sites such as ShortTask, MinuteWorkers, etc. Unlikeour work (which focuses on seller-driven markets), theyfocused on buyer-driven malicious crowdsourcing markets.Motoyama et al. [20] and Lee et al. [14,15] studied servicesand crowdturfing, respectively, on Freelancer and Fiverr.They developed machine learning models to detect crowd-turfing. Our work confirms many findings from [12, 14, 15,20] but differs from them in that Fiverr/Freelancer offers
mostly legitimate services (80%, according to the authors),whereas, SC and MCJ are dedicated black-hat marketplaces.Standalone merchants. Thomas et al. [24] analyzed traf-ficking of fake accounts in Twitter: they bought accountsfrom 27 merchants and developed a classifier to detect them.In a similar study, Stringhini et al. [21,22] measured the mar-ket of Twitter followers, providing Twitter followers for sale.De Cristofaro et al. [11] presented a measurement study ofFacebook like farms, which provide paid services to boostthe number of page likes. We note that this line of researchfocuses on individual merchants and their operational as-pects, whereas, our work studies operation of black-hat mar-ketplaces involving thousands of merchants.Underground forums and markets. Motoyama et al. [19]analyzed social dynamics in six underground forums andcategorized illegal merchandize traded on these forums.Christin [10] studied Silk Road, an anonymous undergroundmarketplace for contrabands, drugs, and pornography, pro-viding a detailed analysis of the items being sold and theseller population. Since actual sales data was not available,buyer feedback was used as a proxy for sale in order to esti-mate total revenue and volume of the transactions. We use asimilar approach in our work. Silk Road data suggests a coreclique of top sellers, and our analysis shows a similar trend,where a small group of sellers joined SC and MCJ early andalso happen to be the most successful sellers.
5. CONCLUSIONThis paper presented a measurement-based study aimed to
characterize two popular seller-driven online black-hat mar-ketplaces: SEOClerks and MyCheapJobs. It highlights op-portunities for economic and legal intervention to countersuch operations, as it demonstrates that a significant part ofthe activity is concentrated in the hands of relatively fewactors. Moreover, to the best of our knowledge, our workpresents first-of-its-kind evidence of black-hat marketplaceoperators’ involvement in providing fraudulent services.
6
6. REFERENCES[1] badgehelp – User page at MyCheapJobs.
http://mycheapjobs.com/user/badgehelp.Accessed May 6th, 2015.
[2] barryinsiam – Google+ Profile. https://plus.google.com/103850024999683758669/.Accessed May 6th, 2015.
[7] Scrapy – A Fast and Powerful Scraping and WebCrawling Framework. http://www.scrapy.org.
[8] SEOClerks – User Levels.https://www.seoclerk.com/userlevels.
[9] GDP per capita based on Purchasing Power Parity(PPP). http://goo.gl/zgoRlI, 2014.
[10] N. Christin. Traveling the Silk Road: A MeasurementAnalysis of a Large Anonymous Online Marketplace.In WWW, 2013.
[11] E. De Cristofaro, A. Friedman, G. Jourjon, M. A.Kaafar, and M. Z. Shafiq. Paying for Likes?Understanding Facebook Like Fraud UsingHoneypots. In IMC, 2014.
[12] H. Ge, J. Caverlee, and K. Lee. Crowds, Gigs, andSuper Sellers: A Measurement Study of aSupply-Driven Crowdsourcing Marketplace. InICWSM, 2015.
[13] Ionicware. Inc. OnlineSmartTools: SEO BacklinksTool. http://www.onlinesmarttools.com/contact.php.
[14] K. Lee, S. Webb, and H. Ge. The Dark Side ofMicro-Task Marketplaces: Characterizing Fiverr andAutomatically Detecting Crowdturfing. In ICWSM,2014.
[15] K. Lee, S. Webb, and H. Ge. Characterizing andAutomatically Detecting Crowdturfing in Fiverr andTwitter. Social Network Analysis and Mining, 5(2),2015.
[16] K. Levchenko, A. Pitsillidis, N. Chachra, B. Enright,M. Felegyhazi, C. Grier, T. Halvorson, C. Kanich,C. Kreibich, H. Liu, D. McCoy, N. Weaver, V. Paxson,G. M. Voelker, and S. Savage. Click Trajectories:End-to-End Analysis of the Spam Value Chain. InIEEE Symposium on Security and Privacy, 2011.
[17] D. McCoy, H. Dharmdasani, C. Kreibich, G. M.Voelker, and S. Savage. Priceless: The Role ofPayments in Abuse-advertised Goods. In CCS, 2012.
[18] D. McCoy, A. Pitsillidis, G. Jordan, N. Weaver,C. Kreibich, B. Krebs, G. M. Voelker, S. Savage, andK. Levchenko. PharmaLeaks: Understanding theBusiness of Online Pharmaceutical Affiliate Programs.In USENIX Security Symposium, 2012.
[19] M. Motoyama, D. McCoy, K. Levchenko, S. Savage,and G. M. Voelker. An Analysis of UndergroundForums. In IMC, 2011.
[20] M. Motoyama, D. McCoy, K. Levchenko, S. Savage,and G. M. Voelker. Dirty Jobs: The Role of FreelanceLabor in Web Service Abuse. In USENIX SecuritySymposium, 2011.
[21] G. Stringhini, M. Egele, C. Kruegel, and G. Vigna.Poultry Markets: On the Underground Economy ofTwitter Followers. In WOSN, 2012.
[22] G. Stringhini, G. Wang, M. Egeley, C. Kruegel,G. Vigna, H. Zheng, and B. Y. Zhao. Follow theGreen: Growth and Dynamics in Twitter FollowerMarkets. In IMC, 2013.
[23] The Tor Project. Tor Hidden Services. https://www.torproject.org/docs/hidden-services.html.en.
[24] K. Thomas, D. McCoy, C. Grier, A. Kolcz, andV. Paxson. Trafficking Fraudulent Accounts: The Roleof the Underground Market in Twitter Spam andAbuse. In USENIX Security Symposium, 2013.
[25] G. Wang, C. Wilson, X. Zhao, Y. Zhu, M. Mohanlal,H. Zheng, and B. Y. Zhao. Serf and Turf:Crowdturfing for Fun and Profit. In WWW, 2012.
