Cybercrime Part II
Tyler Moore
Computer Science & Engineering Department, SMU, Dallas, TX
Lecture 12
Fighting cybercrime
Measuring cybercrime
The cost of cybercrime
Fighting cybercrime
Private actors take steps to mitigate risk of cybercrime (e.g., install AV)
Considerable effort is made to stop cybercrime after it has been committed
Interested private actors and law enforcement both play a role
3 / 48
Voluntary defenses against cybercrime
Actors in voluntary cybercrime defense
1. “Vigilantes” (e.g., AA419) who gather evidence and pass information to relevant operators
2. Industry victims (e.g., banks) who directly employ teams to remove objectionable content
3. Responding operators (e.g., hosting providers) who cooperate with requests from victims
4. “Mercenaries” (e.g., take-down companies) who clean up wicked content for hire
5. Industry collaboratives (e.g., Conficker Working Group) who pool resources and data on incidents to collaborate against threats after they emerge
4 / 48
Law enforcement approaches to cybercrime
1. Infiltrate underground communications channels ex ante
   Simplifies job in terms of evidence collection
   Deals with internationalization challenges
   Has potential to obviate harm
   Hard to figure out whether those caught represent significant threats or not
2. Pursue criminal groups ex post
   Can go after those criminals who have the biggest impact
   Challenge is that many groups are in protected jurisdictions
5 / 48
Notice and take-down
Undesirable content pervades the Internet
Schemes for its removal are called notice and take-down (NTD) regimes
Those who want the content removed get into contact with the responsible ISPs, webmasters
We discuss NTD regimes to illuminate how private and public actors fight cybercrime
6 / 48
Types of content subject to NTD
Defamation
Copyright violations
Phishing
Fake escrow agents
Mule-recruitment websites
Online pharmacies
Spam, malware and virus hosts
Child sexual abuse images
7 / 48
Comparing NTD regimes
Factors for comparing NTD regimes
  Incentives for removal on requesting party
  Formalization of NTD mechanism
  Legal framework available
  Hosting strategy used by offenders
  Speed at which material is removed
We can compare the speed of removal for different regimes, and see how the results match up to the available incentives, legal frameworks and hosting strategies
8 / 48
Phishing
Phishing websites impersonate banks to commit identity theft
Banks issue take-down notices despite no legislative basis
Hosting options for phishing websites
1. Compromised machine (http://www.example.com/~user/images/www.bankname.com/)
2. Free webspace (http://www.bankname.freespacesitename.com/signin/)
3. Registered domain (bankname-variant.com) which then points to free webspace or compromised machine
9 / 48
Phishing (ctd.)
4. Rock-phish attacks
   Purchase many innocuous-sounding domains (e.g., lof80.info)
   Send out phishing email with URL http://www.volksbank.de.netw.oid3614061.lof80.info/vr
   Gang-hosted DNS server resolves domain to IP address of one of several compromised machines, which proxy to the mothership hosting 20 fake websites
5. Fast-flux attacks
   Same strategy as rock-phish, except domains resolve to 5 IP addresses for a short time, then abandon them for 5 more
   Forces take-down of domains, not compromised machines
10 / 48
Phishing-website lifetimes by hosting method
                                 Sites   Lifetime (hours)
                                         mean     median
Free web-hosting
  all                              395    47.6       0
  brand owner aware                240     4.3       0
  brand owner missed               155   114.7      29
Compromised machines
  all                              193    49.2       0
  brand owner aware                105     3.5       0
  brand owner missed               155   103.8      10
Rock-phish domains                 821    70.3      33
Fast-flux domains                  314    96.1      25.5
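As an added illustration of how lifetime figures like those in the table above are produced (this is editor-added example code, not the lecture's data or tooling), the following Python computes per-hosting-method lifetime statistics from a small constructed set of take-down records. The record format, the timestamps, the hosting labels and the brand-owner-aware flag are all assumptions; lifetime is taken, as in the lecture, as the hours between first observation and the last time the site was seen alive.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

FMT = "%Y-%m-%d %H:%M"

# Constructed take-down records (hypothetical, not the lecture's data):
# (hosting method, brand owner aware of the site?, first seen, last seen alive).
# The aware flag is None for rock-phish/fast-flux domains, which the table
# does not split by brand-owner awareness.
RECORDS = [
    ("free web-hosting",    True,  "2008-03-01 08:00", "2008-03-01 10:30"),
    ("free web-hosting",    True,  "2008-03-02 09:00", "2008-03-02 10:30"),
    ("free web-hosting",    False, "2008-03-03 12:00", "2008-03-08 12:00"),
    ("compromised machine", True,  "2008-03-01 00:00", "2008-03-01 03:00"),
    ("compromised machine", False, "2008-03-04 06:00", "2008-03-07 18:00"),
    ("rock-phish domain",   None,  "2008-03-01 00:00", "2008-03-03 00:00"),
    ("rock-phish domain",   None,  "2008-03-05 00:00", "2008-03-05 12:00"),
    ("fast-flux domain",    None,  "2008-03-02 00:00", "2008-03-06 00:00"),
]


def lifetime_hours(first_seen, last_seen):
    """Hours between first observation and the last time the site was seen alive."""
    delta = datetime.strptime(last_seen, FMT) - datetime.strptime(first_seen, FMT)
    return delta.total_seconds() / 3600


def lifetime_stats(records):
    """Group lifetimes by hosting method and, where recorded, by brand-owner
    awareness; return {(hosting, label): (site count, mean hours, median hours)}."""
    groups = defaultdict(list)
    for hosting, aware, first, last in records:
        hours = lifetime_hours(first, last)
        groups[(hosting, "all")].append(hours)
        if aware is not None:
            label = "brand owner aware" if aware else "brand owner missed"
            groups[(hosting, label)].append(hours)
    return {key: (len(v), round(mean(v), 1), round(median(v), 1))
            for key, v in groups.items()}


def render_table(stats):
    """Plain-text table in the layout the lecture uses: sites, mean, median."""
    lines = [f"{'':28}{'Sites':>6}{'mean':>8}{'median':>8}"]
    for (hosting, label), (n, avg, med) in sorted(stats.items()):
        name = hosting if label == "all" else f"  {label}"
        lines.append(f"{name:28}{n:>6}{avg:>8}{med:>8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(lifetime_stats(RECORDS)))
```

Because the clock starts at first observation, this method undercounts the time a site was live before anyone noticed it; that is exactly the gap the lecture's "brand owner missed" rows expose, and the reason a median of 0 hours is plausible for sites the brand owner already knew about.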
11 / 48
Fake escrow agents
12 / 48
Fake escrow agents (ctd.)
13 / 48
Fake escrow agents
Unlike phishing, fake escrow agents do not impersonate a real business
Instead, they impersonate a service
Fake escrow agent lifetimes
  For 696 fake escrow sites, mean lifetime is 222 hours (24.5 hour median)
  Bank customers are harmed, but no bank is impersonated so the banks don’t get involved
  Only motivated ‘vigilantes’ remove the sites
  Longer lifetime than phishing, but surprisingly short
14 / 48
Mule-recruitment websites
15 / 48
Mule-recruitment websites
16 / 48
Mule-recruitment websites
17 / 48
Mule-recruitment websites
18 / 48
Child sexual abuse images
Perhaps the most widely condemned form of Internet content
Universally illegal
Internet Watch Foundation (IWF)
  Operates a ‘hotline’ for reports in the UK
  Trained staff check reports, pass along to the UK police if illegal
  If site is located in the UK, pass report directly to ISP
  If site is located overseas, pass report to respective authority
  IWF kindly provided sanitized data on websites they track
19 / 48
Website lifetimes for all types of offending content
                                 Sites   Lifetime (hours)
                                          mean      median
Child sexual abuse images        2,585     719       288
Phishing
  Free web-hosting                 240     4.3         0
  Compromised machines             105     3.5         0
  Rock-phish domains               821    70.3        33
  Fast-flux domains                314    96.1        25.5
Fraudulent websites
  Escrow agents                    696   222.2        24.5
  Mule-recruitment websites         67   308.2       188
  Fast-flux pharmacies              82 1,370.7     1,404.5
20 / 48
Comparing speed of removal
Incentive on the party requesting content removal matters most
  Banks are highly motivated to remove phishing websites
  Banks overcome many international jurisdictions and no clear legal framework
  Banks’ incentives remain imperfect: they only remove websites directly impersonating their brand, while overlooking mule-recruitment websites
Technology chosen by attacker has small impact
  Fast-flux phishing websites removed within 3 days, fast-flux pharmacies not removed at all!
21 / 48
Why are lifetimes for child sexual abuse images so long?
Mean lifetime is 150 times greater than for phishing hosted on compromised machines!
Dividing take-down responsibility according to national jurisdiction is to blame
  If site hosted in UK, IWF work directly with ISPs to remove
  If not in UK, IWF notifies law enforcement and equivalent hotline operator
  Hotline operators only exist in 29 countries, and policies vary on what to do (e.g., US-based NCMEC only issues take-down notices to ISPs “when appropriate”)
  IWF claim they “are not permitted or authorised to issue notices to takedown content to anyone outside the UK”
  The defamed, the rights holders, the banks, and the take-down companies have not waited for permission
22 / 48
Why measuring cybercrime is hard
Victims may be reluctant to discuss incidents
  Reputational risk
  Regulatory risk
    Section 5 of the FTC Act authorizes FTC to take action against unfair or deceptive acts and practices that affect commerce
    SEC Disclosure Guidance on Cybersecurity Risks http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Mandatory disclosure used for data breaches
But what to do if affected firms don’t want to share and there’s no mandate?
24 / 48
Relying on third parties for data collection
Enlist support of disinterested third parties who observe evidence of incidents
  ISPs already observe every domain name that customers try to visit
  Cybercriminals register domain names for purely malicious purposes (e.g., to control computers in a botnet)
  One can estimate the prevalence of malicious web traffic at an ISP by observing the logs of its DNS server (passive DNS)
Obtain a copy of records maintained by criminals
  One group got access to fake AV records for 3 gangs, including data on conversion rates and revenues
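The passive-DNS estimate described above, worked through as an added example (editor-added code, not from the lecture): a handful of constructed resolver log lines are matched against a small blocklist of known-malicious domains, and the script reports what fraction of queries and of clients touched a listed domain. The log format, the client identifiers and the blocklist contents are assumptions; the one real-looking entry, lof80.info, is the rock-phish domain quoted earlier in the lecture, and the other is a placeholder standing in for a botnet command-and-control domain.

```python
from collections import Counter

# Constructed passive-DNS log sample (hypothetical format:
# "<timestamp> <client-id> <queried-name> <qtype>"); client ids stand in for
# pseudonymised subscriber identifiers, as an ISP would use before sharing.
LOG_LINES = """\
# timestamp           client  qname                                        qtype
2013-02-01T10:00:01Z  c1      www.example.com                              A
2013-02-01T10:00:02Z  c1      cdn.example.net                              A
2013-02-01T10:00:05Z  c2      lof80.info                                   A
2013-02-01T10:00:07Z  c2      www.volksbank.de.netw.oid3614061.lof80.info  A
2013-02-01T10:00:09Z  c3      mail.example.org                             MX
2013-02-01T10:00:11Z  c3      update.botnet-cc-placeholder.example         A
2013-02-01T10:00:12Z  c4      www.example.com                              A
2013-02-01T10:00:15Z  c1      www.example.com.                             A
"""

# Constructed blocklist: the rock-phish domain quoted in the lecture plus a
# placeholder for a botnet command-and-control domain.
BLOCKLIST = {"lof80.info", "botnet-cc-placeholder.example"}


def normalise(name):
    """Lower-case and drop the trailing dot of a fully-qualified name."""
    return name.lower().rstrip(".")


def match_blocklist(qname, blocklist):
    """Return the blocklisted domain that qname equals or sits under, else None.
    Suffix matching on a label boundary is what catches the long rock-phish
    hostnames, which bury the bank's name in a subdomain of the bought domain,
    while not matching unrelated names such as notlof80.info."""
    name = normalise(qname)
    for domain in blocklist:
        d = normalise(domain)
        if name == d or name.endswith("." + d):
            return d
    return None


def parse_log(text):
    """Yield (client, qname) for each well-formed query line; skip comments,
    blank lines and lines with too few fields."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a production tool would count these
        yield fields[1], fields[2]


def prevalence(text, blocklist):
    """Estimate how much of the observed DNS traffic, and how many clients,
    touched a blocklisted domain."""
    queries = flagged = 0
    clients, flagged_clients = set(), set()
    by_domain = Counter()
    for client, qname in parse_log(text):
        queries += 1
        clients.add(client)
        hit = match_blocklist(qname, blocklist)
        if hit:
            flagged += 1
            flagged_clients.add(client)
            by_domain[hit] += 1
    return {
        "queries_total": queries,
        "queries_flagged": flagged,
        "query_fraction": flagged / queries if queries else 0.0,
        "clients_total": len(clients),
        "clients_flagged": len(flagged_clients),
        "client_fraction": len(flagged_clients) / len(clients) if clients else 0.0,
        "by_domain": dict(by_domain),
    }


if __name__ == "__main__":
    for key, value in prevalence(LOG_LINES, BLOCKLIST).items():
        print(f"{key}: {value}")
```

Two caveats the lecture's later slides make explicit apply here: a DNS query shows intent to resolve a name, not a successful visit or an actual loss, and the estimate can only be as complete as the blocklist, so it measures prevalence of known badness rather than harm.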
25 / 48
Direct observation
When no one will help, one can collect data directly
  Monitoring IRC channels advertising goods for sale
  Co-opting portions of a botnet to observe spam conversion rate
  Google deploys automated crawlers to block websites distributing malware (found that 1.3% of incoming search queries had at least one malicious result)
While these studies describe the prevalence of badness, it is hard to translate this directly to user harm
There is a trade-off between comprehensiveness and precision when measuring cybercrime
26 / 48
Click trajectories data collection methodology
Source: http://www.icir.org/christian/publications/2011-oakland-trajectory.pdf
27 / 48
Challenges in direct observation
Data that can be observed may not be representative of all crime (think public marketplaces vs. private deals)
Moreover, data that can be observed may exclude the most sophisticated criminals
Corollary: crimes inherently difficult to measure may go unexamined
28 / 48
Why cybercrime surveys are hard to get right
Definitions are loose and left open to interpretation (what counts as an “attack”? see next slide for example)
Definitional ambiguity occurs more often in surveys of consumers than for firms
Sources of measurement error for survey respondents
  1. Underreport events not observed to be attacks
  2. Misclassify benign events as attacks
  3. Translating experience of cybercrime into dollars is hard, so reported figures may be unreliable
Only 22% of CSI survey respondents included a financial figure for cybercrime losses, not fair to extrapolate to those who didn’t report values
29 / 48
Question: Experiences with cybercrime
Cybercrimes can include many different types of criminal activity. How often have you experienced or been a victim of the following situations?
  Identity theft (somebody stealing your personal data and impersonating you, e.g. shopping under your name)
  Received emails fraudulently asking for money or personal details (including banking or payment information)
  Online fraud where goods purchased were not delivered, counterfeit or not as advertised
  Not being able to access online services (e.g. banking services) because of cyber attacks
Respondents were asked to answer “often”, “occasionally”, “never”, or “don’t know”.
30 / 48
Why cybercrime surveys are hard to get right
Sample bias occurs when the set of survey respondents does not accurately represent the population being studied
  2011 CSI industry survey received a 6.4% response rate, and responses come disproportionately from large companies that invest heavily in IT security
Even with a random sample, the underlying distribution is often inherently skewed
  2 outlier losses in CSI’s survey ($20M and $25M), while the average for the other 75 was $100K
  Shouldn’t discard the outliers, but can’t use the mean either
  Median is a more appropriate summary measure, but doesn’t capture total harm
31 / 48
Another problem for cybercrime surveys
Many cybercrimes affect only a very small portion of the overall population
  One study suggests that 0.4% of the Internet population falls for phishing attacks annually
  Thus getting a truly random sample of the population requires sampling from a larger pool
Response bias is also magnified
  Victims may be more likely to respond to surveys since topic is more salient for them
  Victimization rate is inflated by factor matching relative response rate of victims (e.g., if victims are twice as likely to respond, then surveyed incidence will be double the true rate)
For more detail, see: http://research.microsoft.com/apps/pubs/default.aspx?id=149886
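The two survey pitfalls from the last two slides, skewed loss distributions and magnified response bias for rare crimes, carried through numerically as an added example (editor-added code, not from the lecture or the paper it cites). The loss sample is constructed to match the CSI figures quoted above (75 respondents at $100K plus outliers of $20M and $25M); the response-rate model, in which victims answer the survey some multiple as often as non-victims, is the assumption behind the "factor matching relative response rate" statement, and the code shows where that factor stops being a good approximation.

```python
import math
from statistics import mean, median

# Constructed loss sample shaped like the CSI figures quoted in the lecture:
# 75 respondents reporting $100K each plus two outliers of $20M and $25M.
CSI_LIKE_LOSSES = [100_000] * 75 + [20_000_000, 25_000_000]


def loss_summary(losses):
    """Return (mean, median): the mean is dragged up by the outliers,
    the median is not, but the median also ignores the bulk of total harm."""
    return mean(losses), median(losses)


def surveyed_incidence(true_rate, victim_response_rate, nonvictim_response_rate):
    """Share of respondents who are victims when victims and non-victims
    answer the survey at different rates; true_rate is the real
    victimisation rate in the population."""
    victims = true_rate * victim_response_rate
    nonvictims = (1 - true_rate) * nonvictim_response_rate
    return victims / (victims + nonvictims)


def inflation_factor(true_rate, relative_response_rate):
    """Surveyed rate divided by true rate when victims respond
    relative_response_rate times as often as non-victims. For rare crimes
    this is close to relative_response_rate itself (the lecture's "factor
    matching relative response rate"); for common ones it is much smaller,
    because the survey cannot report more than 100% victims."""
    return surveyed_incidence(true_rate, relative_response_rate, 1.0) / true_rate


def sample_size_for_victims(true_rate, min_victims):
    """Respondents needed from a truly random sample to expect at least
    min_victims victims; round() guards against floating-point noise
    before taking the ceiling."""
    return math.ceil(round(min_victims / true_rate, 6))


if __name__ == "__main__":
    m, med = loss_summary(CSI_LIKE_LOSSES)
    print(f"mean loss ${m:,.0f} vs median loss ${med:,}")
    for p in (0.004, 0.05, 0.5):
        print(f"true rate {p:.3f}: victims 2x as likely to respond -> "
              f"surveyed rate inflated {inflation_factor(p, 2.0):.2f}x")
    print("respondents needed to expect 100 phishing victims at 0.4%:",
          sample_size_for_victims(0.004, 100))
```

At the 0.4% phishing rate quoted in the lecture, a survey that expects to find 100 victims needs 25,000 respondents, and a 2x response advantage for victims inflates the measured rate by almost exactly 2x; at a 50% rate the same advantage inflates it by only about 1.33x, so the simple "factor matching relative response rate" rule is specifically a rare-event result.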
32 / 48
How much does cybercrime cost?
Source: http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion
34 / 48
How much does cybercrime cost?
35 / 48
Can such high estimates really be right?
In 2009 AT&T’s Ed Amoroso testified before the US Congress that global cybercrime profits topped $1 trillion
  That’s 1.6% of world GDP
Detica’s figure (£27 Bn) is 2% of UK GDP
Not only are the figures eye-poppingly large, it’s often unclear what is being measured
  Amoroso spoke of cybercrime ‘profits’, while Detica describes ‘losses’
36 / 48
Upon closer inspection, the Detica estimates don’t hold up
37 / 48
Upon closer inspection, the Detica estimates don’t hold up
IP theft (£9.2 Bn) and espionage (£7.6 Bn) account for 62% of the total loss estimate
Yet the methodology for computing these estimates appears to rely extensively on random guesses
  IP theft: buried on p. 16 of the report, the authors admit “the proportion of IP actually stolen cannot at present be measured with any degree of confidence”, so they assign probabilities of loss and multiply by sectoral GDP
  Espionage: because “it is very hard to determine what proportion of industrial espionage is due to cybercrime”, the authors ascribe values to plausible targets and guess how often they might be pilfered
38 / 48
Why are poor cybercrime cost estimates dangerous?
39 / 48
Why are poor cybercrime cost estimates dangerous?
40 / 48
But how can we do better?
It is one thing to point out flaws in others’ estimates, but it is quite another to produce a more reliable estimate of cybercrime losses
The UK Ministry of Defence challenged us to produce a more accurate estimate
Here’s an overview of our attempt
41 / 48
Decomposing the cost of cybercrime
Figure: diagram decomposing the cost to society into criminal revenue, direct losses, indirect losses and defense costs, with separate columns for cybercrimes and for their supporting infrastructure.
42 / 48
Decomposing the cost of cybercrime
Many cybercrime measurement efforts conflate different categories of costs, which renders figures incomparable
We break up the cost of cybercrime into four categories
  1. Criminal revenue: gross receipts from a crime
  2. Direct losses: losses, damage, or other suffering felt by the victim as a consequence of a cybercrime
  3. Indirect losses: losses and opportunity costs imposed on society by the fact that a certain cybercrime is carried out
  4. Defense costs: cost of prevention efforts
We also distinguish between the primary costs of cybercrimes and the costs attributed to a common infrastructure used to perpetrate cybercrimes (e.g., botnets)
43 / 48
An example cost breakdown: phishing
Criminal revenue
  sum of the money withdrawn from victim accounts
  revenue to spammer for sending phishing mails
Direct losses
  criminal revenue
  time and effort to reset account credentials
  secondary costs of overdrawn accounts (deferred purchases)
  lost attention and bandwidth caused by spam messages
Indirect losses
  loss of trust in online banking
  lost opportunity for banks to communicate via email
  efforts to clean-up PCs infected with malware
Defense costs
  security products (spam filters, antivirus)
  services for consumers (training) & industry (‘take-down’)
  fraud detection, tracking, and recuperation efforts
  law enforcement
44 / 48
Indirect and defense costs outweigh direct losses
Cybercrime cost category                                        Estimate
Direct losses
  – genuine cybercrime (e.g., phishing, advanced-fee fraud)     $2–3Bn
  – online payment card fraud                                   $4Bn
Defense costs
  – cybercriminal infrastructure (e.g., antivirus)              $15Bn
  – payment card and online banking security measures           $4Bn
Indirect costs
  – cybercriminal infrastructure (e.g., malware cleanup)        $10Bn
  – loss of confidence in online transactions                   $30Bn
45 / 48
Factors affecting the likelihood of shopping online
Figure: bar chart of each factor’s effect on the likelihood of buying online, in percentage points (axis from −15 to +15), split into factors decreasing and factors increasing the likelihood. Factors shown: General concern: online payments security; Confidence about own Internet skills; Personal concern: e-commerce fraud; Do online banking; Experience: e-commerce fraud; Higher education; General concern: misuse of personal data; Personal concern: phishing/fraud spam.
46 / 48
Factors affecting the likelihood of banking online
Figure: bar chart of each factor’s effect on the likelihood of banking online, in percentage points (axis from −15 to +15), split into factors decreasing and factors increasing the likelihood. Factors shown: General concern: online payments security; Confidence about own Internet skills; General concern: misuse of personal data; Nothing heard about cybercrime; Experience: identity theft; Do online shopping; Experience: e-commerce fraud; Higher education; Personal concern: phishing/fraud spam; Read about cybercrime on the Internet.
47 / 48
Concern about cybercrime inhibits more than experience
One important and unexpected result: concern about cybercrime inhibits online participation more than direct experience with cybercrime does.
People may find the experience of cybercrime to be less painful than their worst fears
Regardless of what drives the result, its implications are clear
  Assuaging society’s concerns over cybercrime should be priority
  Awareness campaigns should focus on positive steps to take that improve cybersecurity, not “scaring people straight” by making cybercrime fears more salient
48 / 48