Introduction to Cybercrime
Thomas J. Holt
Professor
School of Criminal Justice
Michigan State University
517-353-9563
@spartandevilshn; @IIRCC1
IIRCC?
• The International Interdisciplinary Research Consortium on Cybercrime is an organization that links the social and technical sciences together with law enforcement and practitioners to understand cybercrime and cybersecurity issues
• Participating faculty at institutions across the US, Canada, Europe, and Oceania
• Seeking relationships with organizations, government, industry
• Members are currently conducting research on all manner of cybercrime
• Funding from the Australian Research Council, Ford Foundation, US DHS, UK HO
The Digital Divide
• Computers and mobile devices are now ubiquitous
• The availability of computer-mediated communications (CMC), like email, text, Facebook, etc., has changed the world
• This is a recent innovation, causing a generational divide
  • Digital Natives
  • Digital Immigrants
Internet
• The Internet is an interconnected system of networks that connects computers around the world via the TCP/IP protocol
  • Interconnected networks
It’s a Series of Tubes
• The Internet is a series of interconnected computer networks that share and transmit data
  • Composed of many smaller networks around the world
• Contains a number of different services and functionalities
  • E-mail
  • IRC
  • FTP
  • World Wide Web
• The Internet and World Wide Web are not the same
The Internet As We Don’t Know It
Criminological Theory
• Cybercrime is distinct in that it provides a venue for new offenses, while also enabling existing offenses
  • Old wine in new bottles, new wine but no bottles
• Applying existing criminological theories to these offenses demonstrates that some factors are consistent on and off-line
Defining Computer Misuse
• There are several key terms to define abuse and misuse of technology
  • Cyberdeviance refers to behaviors that may not be illegal but go against local norms or values
  • Cybercrimes occur when a perpetrator uses special knowledge of cyberspace to commit a crime
  • Cyberterror involves the use of digital technology or CMCs to cause harm and force social change based on ideological or political beliefs
Why Is Cybercrime Attractive?
• There are several reasons why individuals may choose to engage in cybercrimes relative to real world offenses
  • Access
  • Ease
  • Diminished risk
  • Difficulty policing
  • Undercounting by victims
  • MONEY!!!!!!!!!$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Wall’s Typology of Cybercrime
• Cyber-trespass
  • Individuals cross boundaries of computer systems into areas where ownership has already been established
  • Hackers, crackers, phreakers
• Cyber-Deception/Theft
  • Criminal acquisitions that can occur on-line
  • Pirates, fraudsters, and hackers
Computer Hackers
• Hacking is a skill that has multiple applications: theft, terror, espionage, fraud
Hacker Skills
• Hackers vary significantly in terms of knowledge, skill, and technical ability
• How do we explain participation in hacking?
• Skill tiers, from top to bottom:
  • Skilled hackers: innovator and game changer
  • Semi-skilled attacker/hacker: applied skills
  • Unskilled attacker/hacker: feeds off the top tiers to learn and attack
Motivations
• There are several recognized motives within the hacker community
  • Money
  • Entertainment
  • Ego
  • Cause
  • Entrance to a social group
  • Status
• These motives are mutable, regionally influenced, and impacted by macro and micro social trends
Criminological Theory and Hacking
• Hackers attempt to justify their actions through the application of techniques of neutralization
  • Subcultural justifications which are learned through social interactions on and off-line
• There is some evidence that hackers with greater skill may have higher levels of self-control, contrary to the larger literature
  • They may also not be deterred through traditional mechanisms
Cybercrime As Service
• In previous years, most issues of hacking, malware, and data theft/reuse were thought to involve technically proficient actors
• The emergence of cybercrime-as-a-service markets has eliminated the need for skill
  • Monetized capability
  • Monetized data
  • Distributed infrastructure
Stolen Data Markets
Stresser/Booters Ops
Decision-making in Open Markets
• Few have considered the extent to which service providers accurately advertise their attack services
  • How do live attacks function relative to what they were hired to do?
  • What is the origin of most attacks?
• This study attempted to address these issues using packet capture analyses of 155 attacks from 21 different providers
Methods
• Attacks were conducted over a one-month period between December 2015 and January 2016
  • Attacks lasted 1-5 minutes depending
• Target was a Windows Server 2012 with 12GB RAM on a dedicated commercial Internet connection
• Data capture via an inline Barracuda Networks Ethernet Tap on a separate computer running Windows 7
• Pcap logs analyzed via Wireshark
Stresser Service Provider Details (price range in USD; "(Free)" marks providers that also offer a free tier)
Stresser 1: $14-84 (Free)
Stresser 2: $13-75
Stresser 3: $2-60
Stresser 4: $5-289
Stresser 5: $15-1980
Stresser 6: Free
Stresser 7: $12-300
Stresser 8: $5-30 (Free)
Stresser 9: $5-35
Stresser 10: $15-49
Stresser 11: $3-120
Stresser 12: $5-125
Stresser 13: $5-300
Stresser 14: $2-150
Stresser 15: $5-55
Stresser 16: $4-130 (Free)
Stresser 17: $10-175
Stresser 18: $10-20 (Free)
Stresser 19: $10-80
Stresser 20: $5-80 (Free)
Stresser 21: $7-250
Attack Service Providers and Attacks
Number of providers (out of 21) offering each attack type: NTP 14; SSYN 13; CHARGEN 11; DNS 10; ACK 10; UDP 9; SSDP 8; XML-RPC 6; DOMINATE 6; VSE 6; SNMP 4; JOOMLA 4; XTS3 4; RIP 3; GET 3; POST 2; RST 2; PSH 2; OVH 2
Number of attack types offered per stresser: 1: 5; 2: 10; 3: 2; 4: 6; 5: 8; 6: 1; 7: 3; 8: 6; 9: 7; 10: 8; 11: 10; 12: 6; 13: 1; 14: 5; 15: 5; 16: 3; 17: 10; 18: 10; 19: 5; 20: 1; 21: 7 (119 provider/type combinations in total)
Percentage of Reflection Servers by Country (top five countries per reflection type)
CharGen: China 26.39%; United States 14.92%; Italy 11.04%; South Korea 8.66%; Taiwan 4.64%
DNS: United States 30.27%; China 7.99%; Russia 6.04%; Japan 4.52%; European Union 3.72%
SNMP: United States 35.66%; Russia 10.32%; Canada 4.08%; France 3.77%; China 2.84%
NTP: United States 20.75%; China 13.19%; Russia 6.20%; European Union 5.68%; South Korea 4.50%
SSDP: China 54.42%; United States 13.77%; Canada 5.97%; Vietnam 2.99%; Taiwan 1.99%
Joomla: United States 30.77%; Germany 6.79%; Malaysia 5.43%; European Union 3.62%; Australia 3.17%
XML-RPC: United States 41.64%; European Union 6.96%; China 6.87%; Germany 4.82%; Japan 4.64%
RIP: United States 21.77%; France 13.71%; China 12.10%; Russia 9.68%; Ukraine 4.84%
Geographic Distribution of Servers (number of reflection servers and share of all servers observed)
CN 66,670 (40%)
US 31,626 (19%)
CA 7,394 (4.5%)
RU 4,645 (2.8%)
KR 3,674 (2.2%)
VT 3,634 (2.2%)
TW 3,322 (2%)
Shared Reflected Servers (number of reflectors per type and percent shared, by stresser)
Stresser | SNMP (#) (%) | SSDP (#) (%) | NTP (#) (%) | Chargen (#) (%) | DNS (#) (%) | XML-RPC (#) (%) | Joomla (#) (%) | RIP (#) (%)
1 | 164 65% | 598 58% | --- | --- | --- | 77 57% | --- | ---
2 | --- | 5763 20% | 17438 1% | 9512 1% | --- | --- | --- | ---
3 | --- | --- | --- | --- | --- | --- | --- | ---
4 | 170 66% | --- | 1236 10% | --- | --- | --- | --- | ---
5 | 860 57% | 1210 66% | 374 33% | 3994 2% | --- | --- | --- | ---
6 | --- | --- | --- | --- | --- | --- | --- | ---
7 | --- | --- | --- | --- | 71 37% | --- | --- | ---
8 | 296 39% | --- | 38 5% | --- | --- | --- | 688 10% | ---
9 | --- | 594 20% | --- | --- | --- | --- | --- | ---
10 | 540 47% | --- | 598 28% | --- | --- | --- | --- | ---
11 | 641 56% | --- | 732 12% | --- | 173 15% | --- | --- | ---
12 | 2177 33% | 915 68% | --- | --- | --- | 61 69% | --- | ---
13 | --- | --- | --- | --- | --- | --- | --- | ---
14 | --- | 742 51% | 1698 6% | --- | --- | --- | --- | ---
15 | 130 80% | --- | 630 32% | --- | --- | --- | --- | 504 6%
16 | --- | --- | 226 8% | 1354 3% | --- | --- | --- | ---
17 | 996 21% | 1120 62% | --- | --- | --- | 57 72% | 688 16% | 60322 >1%
18 | 816 21% | 781 68% | --- | --- | --- | --- | --- | ---
19 | --- | 419 55% | 1536 6% | --- | --- | --- | --- | ---
20 | --- | --- | --- | --- | --- | --- | --- | ---
21 | 967 51% | 873 59% | --- | --- | --- | --- | --- | ---
Total | 7757 40.32% | 13043 41.32% | 24506 4.01% | 14860 1.23% | 244 21.31% | 195 65.12% | 1120 11.96% | 60826 >1%
DRDoS Attack Accuracy By Provider
Stresser | Total Attacks | Successful (n) | Successful (%) | As Advertised (n) | As Advertised (%) | Combined (%) | Cost
6 | 1 | 1 | 100.00% | 1 | 100.00% | 100.00% | 0
7 | 4 | 4 | 100.00% | 4 | 100.00% | 100.00% | 12
20 | 1 | 1 | 100.00% | 1 | 100.00% | 100.00% | 0
11 | 12 | 10 | 83.33% | 10 | 100.00% | 83.33% | 3
15 | 5 | 5 | 100.00% | 4 | 80.00% | 80.00% | 5
5 | 9 | 8 | 88.89% | 7 | 87.50% | 77.78% | 15
17 | 11 | 8 | 72.73% | 8 | 100.00% | 72.73% | 10
1 | 7 | 6 | 85.71% | 5 | 83.33% | 71.43% | 14
21 | 10 | 8 | 80.00% | 7 | 87.50% | 70.00% | 7
16 | 3 | 3 | 100.00% | 2 | 66.67% | 66.67% | 0
19 | 6 | 5 | 83.33% | 4 | 80.00% | 66.67% | 10
2 | 13 | 11 | 84.62% | 8 | 72.73% | 61.54% | 13
14 | 5 | 5 | 100.00% | 3 | 60.00% | 60.00% | 2
18 | 10 | 8 | 80.00% | 6 | 75.00% | 60.00% | 0
3 | 7 | 5 | 71.43% | 4 | 80.00% | 57.14% | 2
12 | 7 | 5 | 71.43% | 4 | 80.00% | 57.14% | 5
4 | 11 | 9 | 81.82% | 5 | 55.56% | 45.45% | 5
9 | 9 | 8 | 88.89% | 4 | 50.00% | 44.44% | 5
8 | 11 | 7 | 63.64% | 4 | 57.14% | 36.36% | 5
10 | 11 | 6 | 54.55% | 4 | 66.67% | 36.36% | 15
13 | 2 | 0 | 0.00% | 0 | 0.00% | 0.00% | 5
Total | 155 | 123 | 79.35% | 95 | 77.24% | 61.29% |
Attack Type Launched By Provider (advertised attack → attack actually launched; Correct %, Cost)
Stresser 1 (71.00%, $14): PORT MAP → RPC
Stresser 2 (69.00%, $13): SSDP → QUIC; ES-SYN → NONE; XMAS → NONE; S-UDP → DNS; GET → ACK
Stresser 3 (57.00%, $2): NTP → QUIC; LAG → NONE; BOGUS → NONE
Stresser 4 (45.00%, $5): XTS3 → QUIC; VSE → QUIC; TS3 → UDP; DOMINATE → NONE; ATCP → NONE; NSYN → ACK; VSE STATIC → NONE
Stresser 5 (78.00%, $15): LAG → DNS; RST → NONE
Stresser 8 (36.00%, $5): SSDP → QUIC; MS-SQL → QUIC; NETBOIS → QUIC; RUDY → NONE; SLOWLORIS → NONE; ARME → NONE; SYN → NONE
Stresser 9 (44.00%, $5): SSDP → QUIC; NTP → QUIC; SSYN → NONE; KSS → QUIC; OVH → TCP
Stresser 10 (36.00%, $15): CHARGEN → NONE; SSYN → NONE; SSDP → QUIC; DOMINATE → NONE; GSS → NONE; CSGO → NONE; SNMP → DNS
Stresser 11 (83.00%, $3): SNMP → NONE; TCP-SYN → NONE
Stresser 12 (71.00%, $5): TCP-SYN → ICMP; TCP-FIN → NONE; TCP-PSH → NONE
Stresser 13 (0.00%, $5): XPOD → NONE; R-UDP → NONE
Stresser 14 (60.00%, $2): NTP → DNS; TS3 → UDP
Stresser 15 (80.00%, $5): ACK → SYN
Stresser 16 (67.00%, $0): TCP AMP → RIP
Stresser 17 (73.00%, $10): DOMINATE → NONE; JOOMLA → NONE; XMLRPC → NONE
Stresser 18 (60.00%, $0): SSDP UDP → NTP; TCP FLAG → SYN; XML-RPC → NONE; JOOMLA → NONE
Stresser 19 (67.00%, $10): SSYN → CHARGEN; TCP → NONE
Stresser 21 (70.00%, $7): RST → NONE; VSE → NONE; CF BYPASS → HTTP GET
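The methods slide above describes the analysis pipeline only in outline (inline tap, pcap files, Wireshark), and the accuracy tables define three metrics: Successful (any attack traffic arrived), As Advertised (the traffic that arrived matches the attack type purchased, as a share of successful runs) and Combined (as advertised over all runs). The following added example, which is not the study's own tooling, shows how a capture taken at the target is classified from the defender's side and how those metrics and the reflector-by-country shares are derived. It assumes each pcap was exported from Wireshark as CSV with the columns time,src,sport,dst,dport,proto,length,flags; the sample rows, the target address and the country lookup dictionary are all constructed placeholders (a real analysis would use a GeoIP database).

```python
"""Classify reflected DDoS traffic captured at a target and score a
stresser's accuracy. Added example, not the study's own code; see the
lead-in for assumptions."""
import csv
import io
from collections import Counter, defaultdict

# Reflected packets reach the victim with the abused *service* port as their
# source port, which is what lets the capture be classified by reflector type.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP",
                   520: "RIP", 1900: "SSDP"}

# Constructed stand-in for a Wireshark CSV export (not study data).
# 198.51.100.10 is the assumed target host.
SAMPLE_CSV = """time,src,sport,dst,dport,proto,length,flags
0.000,203.0.113.7,123,198.51.100.10,80,UDP,468,
0.001,203.0.113.9,123,198.51.100.10,80,UDP,468,
0.002,203.0.113.7,123,198.51.100.10,80,UDP,468,
0.003,192.0.2.44,53,198.51.100.10,80,UDP,1280,
0.004,192.0.2.45,19,198.51.100.10,80,UDP,1024,
0.005,192.0.2.46,44321,198.51.100.10,80,TCP,60,SYN
0.006,198.51.100.10,80,192.0.2.46,44321,TCP,60,SYN ACK
"""

# Constructed reflector-to-country lookup standing in for a GeoIP database.
GEO = {"203.0.113.7": "CN", "203.0.113.9": "US",
       "192.0.2.44": "US", "192.0.2.45": "RU"}


def classify(row):
    """Return the attack family a single packet belongs to."""
    if row["proto"] == "UDP":
        # Unknown source port: treat as a plain (non-reflected) UDP flood.
        return REFLECTOR_PORTS.get(int(row["sport"]), "UDP")
    if row["proto"] == "TCP":
        flags = row["flags"].split()
        for flag in ("SYN", "ACK", "RST", "PSH"):
            if flag in flags:
                return flag
        return "TCP"
    return "OTHER"


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def attack_profile(rows, target):
    """Packets per attack family arriving at the target."""
    return Counter(classify(r) for r in rows if r["dst"] == target)


def reflectors_by_type(rows, target):
    """Distinct reflector IPs per reflection type (the unit counted in the
    shared-reflector table)."""
    seen = defaultdict(set)
    for r in rows:
        if r["dst"] == target and r["proto"] == "UDP":
            kind = classify(r)
            if kind in REFLECTOR_PORTS.values():
                seen[kind].add(r["src"])
    return dict(seen)


def country_share(reflectors, geo):
    """Share of a reflector set per country, as in the country table."""
    counts = Counter(geo.get(ip, "??") for ip in reflectors)
    total = sum(counts.values())
    return {c: round(100 * n / total, 2) for c, n in counts.items()}


def dominant_type(profile):
    return profile.most_common(1)[0][0] if profile else "NONE"


def score_provider(runs):
    """Aggregate (advertised_type, profile) pairs the way the accuracy
    table does."""
    def pct(a, b):
        return round(100 * a / b, 2) if b else 0.0
    total = len(runs)
    successful = sum(1 for _, p in runs if p)
    as_adv = sum(1 for adv, p in runs if p and dominant_type(p) == adv)
    return {"total": total,
            "successful": successful, "successful_pct": pct(successful, total),
            "as_advertised": as_adv, "as_advertised_pct": pct(as_adv, successful),
            "combined_pct": pct(as_adv, total)}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    profile = attack_profile(rows, "198.51.100.10")
    print(profile, "dominant:", dominant_type(profile))
    print(country_share(reflectors_by_type(rows, "198.51.100.10")["NTP"], GEO))
    # Three purchased runs: one delivered as advertised, one delivered the
    # wrong type, one delivered nothing (an empty profile).
    print(score_provider([("NTP", profile), ("SSDP", profile),
                          ("DNS", attack_profile(rows, "10.0.0.1"))]))
```

Classifying by source port is deliberately simple: it is enough to separate reflection types, but a plain UDP flood that spoofs a well-known source port would be misattributed, so in practice the payload (for example an NTP monlist response or a CHARGEN text stream) should be checked as well before a reflector is counted.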
Open Vs. Deep Vs. Dark
Tor-Based Markets
• Sites hosted using Tor comprise the ‘Dark Web’
  • Websites and content considered "hidden services", in that they can only be accessed via Tor
• Much attention has been paid to the presence of drug markets hosted on Tor
  • Few studies have examined data services
  • Unknown what differences may be present in processes/structure
Forum | Rus/Engl | Number of Posts in Sample | Posts With Geographic Identifiers (Number) | Posts With Geographic Identifiers (Percent of Total) | TOR-based
1 | Engl/Rus | 139 | 55 | 39.6% | No
2 | Engl | 861 | 825 | 95.8% | No
3 | Rus | 184 | 117 | 63.6% | No
4 | Engl | 1915 | 1638 | 85.5% | No
5 | Rus | 328 | 116 | 35.4% | No
6 | Engl/Rus | 498 | 375 | 75.3% | No
7 | Engl | 51 | 18 | 35.3% | Yes
8 | Rus | 634 | 411 | 64.8% | No
9 | Rus | 227 | 172 | 75.8% | No
10 | Rus | 368 | 80 | 21.7% | No
11 | Engl | 257 | 212 | 82.5% | No
12 | Engl | 6663 | 6244 | 93.7% | No
13 | Engl | 2647 | 0 | 0.0% | No
14 | Engl | 80 | 40 | 50.0% | Yes
15 | Rus | 90 | 30 | 33.3% | No
16 | Rus | 32 | 0 | 0.0% | No
17 | Rus | 236 | 236 | 100.0% | No
18 | Rus | 154 | 94 | 61.0% | No
Total | | n = 15,364 | n = 10,663 | 69.4% |
| | M = 853.6, SD = 1,456.7 | M = 592.4, SD = 1,606.2 | M = 56.3%, SD = 31.2% |
Overall in the data we have only 1.29% (195) TOR-based advertisements.
Table 2: Shop Descriptive Statistics
Shop | Rus/Engl | Number of Posts in Sample | Posts with Geographic Identifiers (Number) | Posts with Geographic Identifiers (Percentage) | Tor-based
1 | Engl | 16 | 16 | 100.0% | Yes
2 | Engl | 2 | 2 | 100.0% | Yes
3 | Engl | 4 | 4 | 100.0% | Yes
4 | Engl | 3 | 3 | 100.0% | Yes
5 | Engl | 3 | 3 | 100.0% | Yes
6 | Engl | 1 | 1 | 100.0% | Yes
7 | Engl | 21 | 0 | 0.0% | Yes
8 | Engl | 2 | 2 | 100.0% | Yes
9 | Engl | 2 | 2 | 100.0% | Yes
10 | Engl | 1 | 1 | 100.0% | Yes
11 | Engl | 2 | 2 | 100.0% | Yes
12 | Engl | 2 | 2 | 100.0% | Yes
13 | Engl | 2 | 2 | 100.0% | Yes
14 | Engl | 1 | 1 | 100.0% | Yes
15 | Engl | 2 | 2 | 100.0% | Yes
Total | | n = 64 | n = 43 | 67.2% |
| | M = 4.3, SD = 3.8 | M = 2.9, SD = 5.9 | M = 93.3%, SD = 25.8% |
The Sales Process
Seller Posts an Ad in Forum or Shop
• The sales process involves mutual association and participation
***Dumps Fresh Base ... EU-USA-CANADA-ASIA-OTHER.. Best Valid.***
PRICE LIST:
*************USA***************
1pcs CLASSIC/STANDARD = 20$
1pcs GOLD/PLATINUM = 25$
1pcs BUSINESS/SIGNATURE/PURCHASE/CORPORATE/WORLD = 30$
1pcs AMEX = 20$
*************CANADA************
1pcs CLASSIC/STANDARD = 50$
1pcs GOLD/PLATINUM/BUSINESS/SIGNATURE/PURCHASE/CORPORATE/WORLD = 70-200$
*******EUROPE & ASIA & LATIN & OTHERS*********
---[code 101 - non chip]---
1pcs CLASSIC/STANDART = 110$
1pcs GOLD/PLATINUM = 130$
1pcs BUSINESS/SIGNATURE/PURCHASE/CORPORATE/WORLD = 150$
1pcs INFINITE = 200$
***********************
RULES: (please read the rules carefully and follow all the steps, anyone breaking this rules shall expect to be fully ignored by service)
1. Contact with one of the our supports and choose dumps u want.
2. Calculate total price and submit your order.
3. Send us money and your e-mail.
4. We have 24 hours (maximum) to complete your order. (LR [Liberty Reserve Payment] INSTANT DELIEVERY)
5. We replace only Pickup/Hold Call Dumps with in 24 hours after time period we are not responsible
PAYMENT INFO: LIBERTY RESERVE
Support Icq: [removed]
Geographic Identifiers in Ads
| Open web forums | Differences between Open and Tor forums | Tor forums | Differences between Tor forums and shops | Tor shops | Differences between Open forums and shops
No Geographic Identifiers | 2,741 (23.98%) | -10.39% [-26.86, 6.08] | 11 (34.38%) | 34.38% [17.92, 50.83] | 0a (0.00%) | 23.98% [23.20, 24.77]
Geographic Identifiers | 8,687 (76.01%) | 10.38% [-6.08, 26.86] | 21 (65.63%) | -34.38% [-50.83, -17.92] | 22 (100.00%) | -23.98% [-24.77, -23.20]
Total | 11,428 (100.00%) | | 32 (100.00%) | | 22 (100.00%) |
Note: The percentages represent the percentage of the column's total. The differences are statistically significant at the .05 level; χ2(2) = 8.84, p = 0.012, Fisher's exact p = 0.004. Numbers in square brackets are 95% confidence intervals for the differences. a The expected count equals 5 for this cell.
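The test statistic, its p-value and the bracketed intervals in the note can be recomputed from the six counts in the table. The block below is an added example, not the authors' code; it assumes the intervals are Wald intervals for a difference of two proportions, and under that assumption it reproduces the reported χ2, p and all three "No Geographic Identifiers" intervals to rounding. No statistics library is needed: with 2 degrees of freedom the chi-square survival function is exactly exp(-x/2).

```python
"""Recompute the chi-square test and the 95% CIs for differences in
proportions from the geographic-identifier table. Added example, not the
authors' code; see the lead-in for assumptions."""
import math

# Observed counts from the table: rows = no geographic identifiers /
# geographic identifiers; columns = open forums, Tor forums, Tor shops.
OBSERVED = [[2741, 11, 0],
            [8687, 21, 22]]


def chi_square(table):
    """Pearson chi-square statistic, degrees of freedom and expected counts
    for an r x c contingency table."""
    row_tot = [sum(r) for r in table]
    col_tot = [sum(c) for c in zip(*table)]
    n = sum(row_tot)
    stat, expected = 0.0, []
    for i, row in enumerate(table):
        exp_row = []
        for j, obs in enumerate(row):
            exp = row_tot[i] * col_tot[j] / n
            exp_row.append(exp)
            stat += (obs - exp) ** 2 / exp
        expected.append(exp_row)
    df = (len(table) - 1) * (len(table[0]) - 1)
    return stat, df, expected


def p_value_df2(stat):
    """P(X >= stat) for a chi-square variable with 2 degrees of freedom."""
    return math.exp(-stat / 2)


def small_expected_cells(expected, threshold=5):
    """Cells whose expected count rounds to the threshold or below; such
    cells are the usual reason to report Fisher's exact test as well."""
    return [(i, j) for i, row in enumerate(expected)
            for j, e in enumerate(row) if round(e) <= threshold]


def proportion_diff_ci(k1, n1, k2, n2, z=1.959964):
    """Difference p1 - p2 and its Wald 95% CI, in percentage points."""
    p1, p2 = k1 / n1, k2 / n2
    se = math.sqrt(p1 * (1 - p1) / n1 + p2 * (1 - p2) / n2)
    d = p1 - p2
    return 100 * d, 100 * (d - z * se), 100 * (d + z * se)


if __name__ == "__main__":
    stat, df, expected = chi_square(OBSERVED)
    print(f"chi2({df}) = {stat:.2f}, p = {p_value_df2(stat):.3f}")
    print("cells with expected count <= 5:", small_expected_cells(expected))
    # No-identifier row: open forums vs Tor forums, Tor forums vs shops,
    # open forums vs shops.
    for a, b in (((2741, 11428), (11, 32)), ((11, 32), (0, 22)),
                 ((2741, 11428), (0, 22))):
        d, lo, hi = proportion_diff_ci(*a, *b)
        print(f"{d:6.2f}% [{lo:.2f}, {hi:.2f}]")
```

The Wald interval for the Tor-shop comparisons collapses to the open-forum variance alone because a cell with zero successes contributes no variance, which is why those intervals are so narrow; that, together with the expected count of about 5 in the shops/no-identifier cell, is what makes the Fisher exact p-value worth reporting alongside the chi-square.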
Regions | Open forums | Differences between Open and Tor forums | Tor forums | Differences between Tor forums and shops | Tor shops | Differences between Open forums and Tor shops
Europe | 4,022 (48.54%) | 19.13% [-2.56, 40.81] | 5 (29.41%) | -20.59% [-50.68, 9.51] | 11 (50.00%) | -1.46% [-22.38, 19.46]
North America | 3,221 (38.87%) | -14.06% [-37.82, 9.68] | 9 (52.94%) | 2.94% [-28.67, 34.56] | 11 (50.00%) | -11.13% [-32.05, 9.79]
Asia | 470 (5.67%) | 5.67% [5.17, 6.17] | 0 (0.00%)a | 0% | 0 (0%)a | 5.67% [5.17, 6.17]
Australia and New Zealand | 396 (4.78%) | 4.78% [4.32, 5.24] | 0 (0.00%)a | 0% | 0 (0%)a | 4.78% [4.32, 5.24]
South America | 56 (0.68%) | -5.21% [-16.39, 5.97] | 1 (5.88%) | 5.88% [-5.30, 17.07] | 0 (0%)a | 0.68% [0.50, 0.85]
Central America | 53 (0.64%) | -11.13% [-26.44, 4.19] | 2 (11.76%) | 11.76% [-3.55, 27.08] | 0 (0%)a | 0.64% [0.47, 0.81]
Middle East | 57 (0.69%) | 0.69% [0.51, 0.87] | 0 (0.00%)a | 0% | 0 (0%)a | 0.69% [0.51, 0.87]
Africa | 11 (0.13%) | 0.13% [0.05, 0.21] | 0 (0%)a | 0% | 0 (0%)a | 0.13% [0.05, 0.21]
The Caribbean b | -- | -- | -- | | |
Total | 8,286 (100.00%) | n/a | 17 (100.00%) | n/a | 22 (100.00%) | n/a
Wall’s Typology of Cybercrime
• Cyberporn/Obscenity
  • Sexting, prostitution, child sexual exploitation
  • Challenging legal space depending on participants
• Cyber-violence
  • Cyber-stalking
  • Cyber-hate
  • Tech-talk
Pedophile Subculture
• The Internet has engendered the formation of a pedophile subculture where those with an attraction to children can express their interest with others
• This subculture provides justifications and rationalizations for relationships with children
• “Child love”
• Denial of injury
Cyber-Bullying
• Cyber-bullying involves intentional aggressive behavior performed through electronic means
  • Can cause social and emotional harm to victims similar to real-world bullying
  • Can take place via numerous types of computer-mediated communication
• There are clear risk factors for cyberbullying victimization in keeping with RAT
  • Females appear somewhat more likely to experience cyberbullying
  • Age attenuation
  • Participation in specific acts, not general time online
  • Sharing more information on-line
  • Real world bullying experiences increase risk
Sexting
• Sexting involves the use of technology to send photos or videos of oneself in sexual poses or acts, primarily through text or DM
  • Snapchat, Instagram, and other apps are uniquely suited to this purpose
  • Private accounts on Snapchat or Tumblr also let people monetize this practice
Sexting
• Evidence suggests sexting rates vary by place and age of sample
  • Some US data suggest as few as 2.5% have sent a nude photo while 7.1% received one
  • Recent research from Australia is much higher, suggesting 50% of youth aged 13-15 sent a photo, while 60% received a photo
Revenge Porn
Revenge Porn
• This has created a whole new category of pornography, with sites either selling access or simply offering this content
  • Research suggests that 23% of those who send sexts/nudes wind up having their content posted elsewhere
Revenge Porn
• Individuals who are victims of revenge porn report various negative consequences from the experience
  • Emotional distress
  • Social impairment (especially at work)
  • Suicidal ideation (52%)
  • 49% report being stalked or harassed as a result of this content
• 90% of revenge porn victims are women
The Threat Landscape
• Range of groups with an interest in cyberattacks
  • Far left
  • Far right
  • Jihadist groups
  • Unaffiliated ideological attackers
Ideological Cyberattacks
M. As-Salim,39 Ways to Serve and Participate in Jihad, 2003
Principle 34 (Electronic Jihad) on media operations and cyber attacks
Hacking “... is truly deserving of the term ‘electronic Jihad’ since the term carries the meaning of force; to strike and to attack. So whoever is given knowledge in this field, then he should not be stingy with it in regards to using it to serve the Jihad. He should concentrate his efforts on destroying any American websites, as well as any sites that are Anti-Jihad and Mujahidin, Jewish websites, modernist and secular websites.”
Recent Notable Events
Malaysian ISIS hacker extradited to US for prosecution
“…[W]e are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”
Recent Notable Events
Weev- aka Andrew Auernheimer
Ideological Attacks
• Using an ECDB-modeled open source collection model, we identified 30 total attacks performed by far left actors
  • ELF, ALF, Anonymous, non-affiliated actors
Attack Method | Date Range
5 Doxxing incidents | 2011-2016
8 Defacements | 1996-2016
11 Data breaches | 1996-2015
6 DDOS | 2007-2015
Ideological Attacks
• Anonymous accounted for all doxing incidents
• Zoos, companies
• ALF- DDoS, Defacements, data breaches
• Furriers, leather goods, animal shooting range, labs
• 72% of data breaches targeted customer data
• ELF- defacements, DDOS, 1 data breach
• electronics manufactures, universities
• All involve an attempt to punish or embarrass
• To the owners of "The twisted pine fur and leather company" you have no excuse to sale the flesh, skin and fur of another creature. Your website lacks security. To the customers, you have no right to buy the flesh, skin or fur of another creature. You deserve this. You're lucky this is the only data we dumped. Exploiters, you've been warned. Expect us.
• | custFirst | custLast | custCity | custState | custZip |
  | MIKE | WALLUP | peyton | CO | 80831 |
  | chris | mccave | peyton | CO | 80831 |
  | Kent | Smith | peyton | CO | 80831 |
• These were just some of the vulnerable columns in the "customers" table of the "twistedp_db" database: "custFirst" "custLast" "custAdd1" "custAdd2" "custCity" "custState" "custZip" "custCountry" "custEMail" "custPhone" "cardType" "cardName" "cardExp" "cardCVS" "cardNumber"
• Can you really put that much faith into the security of a company that sales the fur, skin and flesh of dead animals to make a profit?
• We are Anonymous. We are Legion. We do not forgive. We do not forget. We are antisec. We are operation liberate. Expect us.
Discussion
• Cybercrime is an umbrella term encompassing a range of offenses
  • Offline and online impacts
• Criminological theory has partial success, but many limitations
  • Deterrence may be all but impossible
• Its evolution will be directly tied to mutable changes in uptake by consumers
  • Not clear how/when it will be disrupted
Questions?
• Thank you for having me! If you have any questions:
  • Please feel free to call: 517-353-9563
  • Email: [email protected]
  • Follow us on Twitter: @IIRCC1