INTERNET SECURITY SEMINAR
Paper: An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, by Jason Franklin and Vern Paxson
Presented by Matimbila Lyuba at the University of Birmingham, 28/01/2013

Structure of presentation
- Underground market
- Research analysis
- Countermeasures
- Conclusion

SECTION I: UNDERGROUND ECONOMY
- Underground economy: the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credit theft and compromised hosts. What other illegal activities?
- Underground market: the internet as the backbone of communication, through Internet Relay Chat (IRC) networks and web forums

IRC
- Provides buyers and sellers with a meeting place
- How does IRC work? A standard protocol for real-time message exchange over the internet
- Employs a client/server architecture: the client looks up a server, then connects to a network via that server

IRC terminology
- Seller: a person able to provide goods or a service
- Buyer: a person who needs goods or a service
- Cashier: converts account credentials into funds
- Confirmer: pretends to be the card owner; can be a buyer if resident in the same country where the victim's account exists
- Ripper: a dishonest seller or buyer
- Participant: any of the above
Playing a game
The game
- Hence funds are transferred through Western Union or E-Gold
- Demo for accessing the channel
- What parameters can you easily identify? What are track 1 and track 2? Data with all information?

Accessing the market
- Market administrator: ensures participants have identifiers; notifies participants about rippers
- Client participation: start the client program, then connect to the network via a server; provide a nickname; be granted a seal of approval (+v); choose a channel; can PM
- Verified status: attained in order to be trusted; provide samples of valid data; approximately 95% of participants post fewer than 18 samples to attain the +v flag

Accessing the market
- Data samples posted by participants to attain the +v flag

Market activities
- Question: what do you think is sold on these channels?

Market activities
- Advertisement types (goods)
Market activities
SECTION II: RESEARCH ANALYSIS
How the study was conducted
- Data collection: connect to a particular channel on different IRC networks; log all subsequent public messages
- Format: {timestamp, IRC server IP address, source identifier, channel name, message}
- Why not log private messages? Why log in this format?
- Dataset collected: 2.4 GB over a period of 7 months
- Messages collected: 13 million, from a total of more than 100,000 distinct nicknames!!

Market analysis
- Most sensitive data: credit card data, financial data, identity data

Credit card data
- No repetition
- Checked against the Luhn digit: a checksum that guards against simple errors in transmission; a necessary (not sufficient) condition for card validity
- A total of 100,490 unique card numbers

Credit card arrival
- Valid Luhn cards arrive at a rate of 402 cards per day
- Invalid Luhn cards arrive at a rate of 145 cards per day

Credit card arrival
- Why so many valid Luhn cards? Implies that miscreants continuously collect data, or possess a large number of stolen cards and release them in batches
- Why invalid Luhn cards? Novice miscreants; need to buy gold for the price of silver!!
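As an added illustration (not code from the paper or these slides), the Python below applies the two checks the study ran on harvested numbers, Luhn validation and counting repeats within and between channels, to a small constructed log in the message format described above. The log entries, nicks, channels, server addresses (a documentation range) and card numbers are all made up; the card numbers are test values chosen so that some pass Luhn and some do not.

```python
import re
from collections import defaultdict

# Constructed sample of public messages in the logging format the paper describes:
# (timestamp, IRC server IP address, source identifier, channel name, message).
# Card numbers are constructed test values (some pass Luhn, some do not); nicks,
# channels and the server address (a documentation range) are made up.
SAMPLE_LOG = [
    ("2007-01-05 10:12:00", "192.0.2.10", "seller1", "#market", "selling cvv2 4111111111111111 exp 09/09"),
    ("2007-01-05 10:15:30", "192.0.2.10", "seller2", "#market", "selling cvv2 5500000000000004 bin 550000"),
    ("2007-01-05 11:02:10", "192.0.2.10", "newbie7", "#market", "cc 4111111111111112 exp 01/10"),
    ("2007-01-06 09:00:00", "192.0.2.10", "seller1", "#market", "selling cvv2 4111111111111111 exp 09/09"),
    ("2007-01-06 09:30:00", "192.0.2.11", "seller2", "#ccpower", "selling cvv2 5500000000000004 bin 550000"),
    ("2007-01-06 12:45:00", "192.0.2.11", "dumpz", "#ccpower", "fresh dump 378282246310005 track2 avail"),
    ("2007-01-06 13:00:00", "192.0.2.11", "newbie7", "#ccpower", "cc 1234567812345678 need cashier"),
]

# Candidate card numbers: runs of 13 to 19 digits (the lengths issued by the major networks).
CARD_RE = re.compile(r"\b\d{13,19}\b")

def luhn_valid(number: str) -> bool:
    """Luhn check: from the right, double every second digit (subtracting 9 when the
    result exceeds 9), sum everything, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def analyse(log):
    """Count unique Luhn-valid/invalid cards, and cards reposted within or across channels."""
    sightings = defaultdict(list)  # card number -> channel of every post mentioning it
    for _ts, _server, _nick, channel, message in log:
        for card in CARD_RE.findall(message):
            sightings[card].append(channel)
    stats = {"valid_unique": 0, "invalid_unique": 0,
             "repeated_within_channel": 0, "repeated_between_channels": 0}
    for card, channels in sightings.items():
        stats["valid_unique" if luhn_valid(card) else "invalid_unique"] += 1
        if len(channels) > len(set(channels)):      # same card posted twice in one channel
            stats["repeated_within_channel"] += 1
        if len(set(channels)) > 1:                  # same card crossing channels
            stats["repeated_between_channels"] += 1
    return stats

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Scaled to the real dataset, the same counts give the valid/invalid arrival rates and the within-versus-between-channel repetition figures on the following slides.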
New vs repeated cards
- Within the channel
- Between channels
- 95% of cards are repeats
Global data source
Financial data
- Checking and savings account numbers with their balances, copied from the bank's account access web page
- Effectiveness of phishing attacks?
- Demonstrating the ability to access the stated accounts gains buyers' trust
- Validity: dynamicity of the account! The legitimate user can withdraw money at any time.

Financial data
- Assume all amounts are valid and successfully removed from the account!!!!

Identity data
- Social Security Numbers (SSNs): SSN == individual identity
- Fall within the issued range listed by the Social Security Administration; no proof of whether they have actually been issued
- The majority are repeated. Why?

Market service
Activity level
- 64,000 messages are seen per day
- Average number of new messages per day is greater than 19,000
- Repeated messages arrive at a rate of 45,000 per day. How? Automated scripts are used. Why? Participants join the channel at different times

Participant identification
- Lurkers: idle, sending zero public messages; can monitor the channel ads and contact sellers via private messages
- Leechers: looking for free financial data
- Prevention services, e.g. CardCops http://www.adcops.com/account_takeover.htm

Participants
- An average of 1,500 nicks participate per day
- New nicks arrive at an average rate of 553 nicks per day
- Active lifetime: time between the nick's first and last message; measures the extent of relationship building by maintaining a nick over a long period versus creating a new identity

Participants
- 95% of nicks have an active lifetime of 112.5 days
- The longer you maintain a nick, the more relationships and credibility you build
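Added example, not part of the slides or the paper: computing the participant statistics just described (nicks active per day, new nicks per day, each nick's active lifetime with its 95th-percentile value, and the share of verbatim repeated messages that points to scripted re-posting) over a constructed log in the same {timestamp, server IP, source identifier, channel, message} format. Every nick, timestamp, address and message text is made up.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample of public messages in the paper's logging format; nicks, channel,
# server address (a documentation range), timestamps and texts are all made up.
SAMPLE_LOG = [
    ("2007-01-05 10:00:00", "192.0.2.10", "seller1", "#market", "selling cvv2 fresh, pm me"),
    ("2007-01-05 10:05:00", "192.0.2.10", "buyer9", "#market", "need cashier for wu"),
    ("2007-01-05 10:20:00", "192.0.2.10", "seller1", "#market", "selling cvv2 fresh, pm me"),
    ("2007-01-06 08:00:00", "192.0.2.10", "seller1", "#market", "selling cvv2 fresh, pm me"),
    ("2007-01-06 09:30:00", "192.0.2.10", "newbie7", "#market", "anyone have track2?"),
    ("2007-01-07 11:00:00", "192.0.2.10", "seller1", "#market", "selling cvv2 fresh, pm me"),
    ("2007-01-07 11:10:00", "192.0.2.10", "buyer9", "#market", "need cashier for wu"),
    ("2007-01-09 14:00:00", "192.0.2.10", "seller1", "#market", "new batch, pm me"),
]
FMT = "%Y-%m-%d %H:%M:%S"

def daily_activity(log):
    """Return (nicks active per day, nicks seen for the first time per day), keyed by ISO date."""
    active, first_seen = defaultdict(set), {}
    for ts, _srv, nick, _chan, _msg in log:
        day = datetime.strptime(ts, FMT).date().isoformat()
        active[day].add(nick)
        first_seen.setdefault(nick, day)   # first day this nick posted
    new = defaultdict(int)
    for day in first_seen.values():
        new[day] += 1
    return {d: len(n) for d, n in active.items()}, dict(new)

def active_lifetimes(log):
    """Active lifetime per nick, in days: time between its first and last public message."""
    first, last = {}, {}
    for ts, _srv, nick, _chan, _msg in log:
        t = datetime.strptime(ts, FMT)
        first[nick], last[nick] = min(first.get(nick, t), t), max(last.get(nick, t), t)
    return {n: (last[n] - first[n]).total_seconds() / 86400 for n in first}

def lifetime_quantile(lifetimes, q):
    """Nearest-rank quantile: a lifetime L such that at least a fraction q of nicks have lifetime <= L."""
    values = sorted(lifetimes.values())
    return values[min(len(values) - 1, int(q * len(values)))]

def repeat_rate(log):
    """Fraction of messages that repeat an earlier message verbatim (a sign of scripted re-posting)."""
    seen, repeats = set(), 0
    for _ts, _srv, _nick, _chan, msg in log:
        repeats += msg in seen
        seen.add(msg)
    return repeats / len(log)
```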
Channel services
- Run by the channel administrator; executed through commands
- Provide useful services: credit card limit check, access to a BIN list

Channel service bot commands
- No service for free!! !chk, !cclimit and !cvv2 are fallacious: they return deterministic results without querying a database or attempting a transaction to infer the card's limit! Possible?
- The bot administrator uses them to steal other participants' credit card numbers! Does it mean return on investment?
- Target: naive participants

Pricing
- The price for a compromised host varies
- For DDoS you can get 1,000 hosts for $10,000
- Helps to analyse the threat model

Client IP lookup
- 10% in the CBL (Composite Blocking List): compromised hosts are used to connect to the market
- 1% in the SBL (Spamhaus Block List): spamming activities

Total wealth of miscreants
- Estimation based on assumptions
- Add total losses from credit card fraud and financial theft
- Include only cards with a valid Luhn check digit; some are still retained by miscreants
- Remove repetitions
- Only collected from public messaging
- Reasons: account dynamicity

Results
- Average funds lost per card in credit/debit fraud: $427.50 according to the Internet Crime Complaint Center report (2006)
- Total wealth from credit cards only: $37M
- Financial fraud: $56M
- Total: $93M

SECTION III: COUNTERMEASURES
- Enforce laws, such as: locating and disabling hosting infrastructure; identifying and arresting market participants
- Challenges: multi-national cooperation may be time and resource consuming; cooperation with foreign law enforcement agencies is difficult; the market can re-emerge under new administration with new bulletproof hosting; political differences; who will be in charge?

Low-cost countermeasures
- Sybil attack on the market: undercutting the participant verification system. How?
- Sybil generation: register as many nicknames as there are verified sellers in the market
- Achieve verified status: build the status of each identity at low cost by posting or replaying credit cards seen in one channel to other channels

Low-cost countermeasures
- Deceptive sales: advertise goods and services for sale; ripping: request payment and fail to provide the goods or service
- Makes buyers unwilling to pay, since they can't differentiate honest sellers
- Lemon market: buyers can't distinguish the quality of goods

Low-cost countermeasures
- Slander attack: eliminate the verified status of buyers and sellers through false defamation
- Reduces the status of honest sellers, so buyers turn to dishonest ones who fail to deliver, hence discouraging the market
- Principles of economics: what are the measures?

Learning with security in mind
- Quantifying the security of systems
- Forecasting and predicting the future state of internet security
- Understanding the true costs and benefits of deployed security technologies, data breaches and new security protocols
- Analysing the threat model: 1,000 compromised hosts for $10,000 = DDoS
- Estimating global trends that are difficult to measure: the total number of compromised hosts on the internet. What else?
SECTION IV: CONCLUSION
More questions and discussion

Special thanks
- Tom Chothia
- You all
End of presentation