TRANSCRIPT
INTERNET SECURITY SEMINAR
Paper: "An inquiry into the nature and causes of the wealth of internet miscreants"
By Jason Franklin & Vern Paxson
Presented by Matimbila Lyuba at University of Birmingham
28/01/2013
Structure of presentation
• Underground market
• Research analysis
• Countermeasures
• Conclusion
SECTION I: UNDERGROUND ECONOMY
• Underground economy: commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credit theft and compromised hosts. What other illegal activities ….?
• Underground market: the internet as the backbone of communication, via Internet Relay Chat (IRC) networks and web forums
IRC
• Provides buyers and sellers with a meeting place.
• How does IRC work?
  A standard protocol for real-time message exchange over the internet. It employs a client/server architecture: the client looks up a server, then connects to a network via that server.
IRC terminologies
• Seller: a person able to provide goods or services
• Buyer: a person who needs goods or services
• Cashier: converts account credentials into funds
• Confirmer: pretends to be the card owner; can be a buyer if resident in the same country where the victim's account exists
• Ripper: a dishonest seller or buyer
• Participant: any of the above
Playing a game
• Hence funds are transferred through Western Union or E-Gold
• Demo of accessing the channel
• What parameters can you easily identify …?
• What are track 1 & track 2 …?
• Data with all information ……?
Accessing the market
• Market administrator
  Ensures participants have identifiers; notifies participants about "rippers"
• Client participation
  Start the client program, then connect to the network via a server; provide a nickname; be granted a seal of approval "+v"; choose a channel; can PM
• Verified status
  Attained in order to be trusted; provide samples of valid data; approximately 95% of participants post fewer than 18 samples to attain the "+v" flag
• Data samples posted by participants to attain the +v flag
Market activities
Question: What do you think is sold on these channels?
• Advertisement types (goods)
SECTION II: Research analysis
• How the study was conducted
• Data collection
  Connect to a particular channel on different IRC networks and log all subsequent public messages
  Format: {timestamp, IRC server IP address, source identifier, channel name, message}
• Why not log private messages …?
• Why log in this format …..?
• Dataset collected: 2.4 GB over a period of 7 months.
• Messages collected: 13 million from a total of more than 100,000 distinct nicknames!
Market analysis
• Most sensitive data: credit card data, financial data, identity data
Credit card data
• No repetition
• Checked against the Luhn digit: a checksum that guards against simple transmission errors; a necessary condition for card validity
• A total of 100,490 unique card numbers
Credit card arrival
• Valid Luhn cards arrive at a rate of 402 cards per day
• Invalid Luhn cards arrive at a rate of 145 cards per day
• Why so many valid Luhn cards …?
  Implies miscreants continuously collect data and possess a large number of stolen cards, then release them in batches
• Why invalid Luhn cards ….?
  Novice miscreants; they need to buy gold for the price of silver!
New vs repeated cards
• Within the channel
• Between channels
• 95% of card repeats
• Global data source
Financial data
• Checking and savings account numbers with their balances
  Copied from the bank's access webpage. Effectiveness of phishing attacks …..? Demonstrates the ability to access the stated accounts and gains buyers' trust
• Validity: dynamicity of accounts! The legitimate user can withdraw money at any time.
• Assume the whole amount is valid and is successfully removed from the account!
Identity data
• Social Security Numbers (SSNs)
  SSN == individual identity; falls within the issued ranges listed by the Social Security Administration, but there is no proof that they have actually been issued
• Majority are repeated
• Why …?
Market service
• Activity level
  64,000 messages are seen per day; the average number of new messages per day is greater than 19,000; repeated messages arrive at a rate of 45,000 per day
• How? Automated scripts are used.
• Why? Participants join the channel at different times.
Participant identification
• Lurkers: idle, sending zero public messages; can monitor the channel ads and contact sellers via private messages
• Leechers: looking for free financial data
• Prevention services, e.g. CardCops: http://www.adcops.com/account_takeover.htm
Participants
• An average of 1,500 nicks participate per day
• New nicks arrive at an average rate of 553 nicks per day
• Active lifetime: the time between the nick's first and last message; measures the extent of relationship building by maintaining a nick over a long period versus creating a new identity
• 95% of nicks have an active lifetime of 112.5 days
• The longer you maintain a nick, the more relationships and credibility you build
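As an added example (not code from the talk or the paper), the following Python computes the kinds of activity figures quoted above from constructed log records in the study's {timestamp, server IP, source identifier, channel, message} format: new versus repeated messages per day, distinct and first-seen nicks per day, and each nick's active lifetime. The server IP, nicks and message texts are placeholders.

```python
from datetime import datetime

# Constructed sample log records in the study's format
# {timestamp, IRC server IP address, source identifier, channel name, message},
# assumed sorted by timestamp. Server IP, nicks and texts are placeholders.
SAMPLE_LOG = [
    ("2013-01-01T10:00:00", "203.0.113.5", "nick_a", "#market", "selling fresh samples"),
    ("2013-01-01T10:05:00", "203.0.113.5", "nick_b", "#market", "need bank logins"),
    ("2013-01-02T09:00:00", "203.0.113.5", "nick_a", "#market", "selling fresh samples"),
    ("2013-01-02T09:30:00", "203.0.113.5", "nick_c", "#market", "looking for a confirmer"),
    ("2013-01-05T12:00:00", "203.0.113.5", "nick_a", "#market", "selling new batch"),
    ("2013-01-05T13:00:00", "203.0.113.5", "nick_b", "#market", "need bank logins"),
]

def messages_per_day(records):
    """Per day: (total, new, repeated) messages. A message counts as 'repeated'
    when its exact text appeared in any earlier record, which is how automated
    re-advertising scripts surface in the log."""
    seen, per_day = set(), {}
    for ts, _ip, _nick, _chan, msg in records:
        total, new, rep = per_day.get(ts[:10], (0, 0, 0))
        if msg in seen:
            rep += 1
        else:
            new += 1
            seen.add(msg)
        per_day[ts[:10]] = (total + 1, new, rep)
    return per_day

def nicks_per_day(records):
    """Per day: (distinct nicks active, nicks never seen on any earlier day)."""
    seen, per_day = set(), {}
    for ts, _ip, nick, _chan, _msg in records:
        active, fresh = per_day.setdefault(ts[:10], (set(), 0))
        if nick not in seen:
            fresh += 1
            seen.add(nick)
        active.add(nick)
        per_day[ts[:10]] = (active, fresh)
    return {d: (len(a), f) for d, (a, f) in per_day.items()}

def active_lifetime_days(records):
    """Active lifetime per nick: days between its first and last message."""
    first, last = {}, {}
    for ts, _ip, nick, _chan, _msg in records:
        t = datetime.fromisoformat(ts)
        first.setdefault(nick, t)
        last[nick] = t
    return {n: (last[n] - first[n]).total_seconds() / 86400 for n in first}
```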
Channel services
• Run by the channel administrator
• Executed through commands
• Provides useful services: credit card limit check; access to a BIN list
Channel service bot commands
• No service for free!
• !chk, !cclimit, !cvv2 are fallacious
• They return deterministic results without querying a database or attempting a transaction to infer the card's limit!
• How is this possible ..? The bot administrator uses the commands to steal other participants' credit card numbers! Does it mean "return on investment"? Target: naive participants
Pricing
• The price of a compromised host varies
• For DDoS you can get 1,000 hosts for $10,000
• Helps to analyse the threat model
Client IP lookup
• 10% in CBL (Composite Blocking List): compromised hosts are used to connect to the market
• 1% in SBL (Spamhaus Block List): spamming activities
Total wealth of miscreants
• Estimation based on assumptions
  Add the total loss from credit card fraud and financial theft; include only cards with a valid Luhn check digit; some are still retained by miscreants; remove repetitions; only collected from public messaging
• Reasons: account dynamicity
Results
• Average funds lost per credit/debit card fraud: $427.50 according to the Internet Crime Complaint Center report (2006)
• Total wealth from credit cards only: $37M
• Financial fraud: $56M
• Total: $93M
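An added illustration, not code from the talk or the paper: the filtering behind the estimate above, with a Luhn check to drop invalid numbers, deduplication across channels, and the $427.50 per-card figure applied to what remains. The posts and channel names are constructed, and the digit strings are published payment-gateway test numbers rather than real cards.

```python
import re

# Constructed posts standing in for public channel messages. The digit
# strings are published payment-gateway test numbers, not real cards.
SAMPLE_POSTS = [
    ("#market", "sample 4111111111111111 exp 01/15"),
    ("#market", "sample 4111111111111111 exp 01/15"),  # repeat within channel
    ("#carders", "fresh 4111111111111111"),            # repeat between channels
    ("#carders", "fresh 4111111111111112"),            # fails the Luhn check
    ("#market", "posted 5500000000000004 for +v"),
]

CARD_RE = re.compile(r"\b\d{13,19}\b")  # 13-19 digit runs are treated as card numbers
AVG_LOSS_PER_CARD = 427.50  # IC3 2006 average loss per card, as quoted in the talk

def luhn_valid(number):
    """Luhn check: from the right, double every second digit, subtract 9 if the
    result exceeds 9, sum everything; valid iff the sum is a multiple of 10.
    This catches single-digit errors and most adjacent transpositions, so it is
    a necessary but not sufficient condition for a card to be real."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_cards(posts):
    """Extract card-like numbers, dedupe across all channels, and split them
    into Luhn-valid and Luhn-invalid sets; repeats are counted but ignored."""
    seen, valid, invalid, repeats = set(), set(), set(), 0
    for _chan, msg in posts:
        for num in CARD_RE.findall(msg):
            if num in seen:
                repeats += 1
                continue
            seen.add(num)
            (valid if luhn_valid(num) else invalid).add(num)
    return {"valid": valid, "invalid": invalid, "repeats": repeats}

def estimated_card_wealth(posts):
    """The talk's estimate: unique Luhn-valid cards times the average loss per
    card; invalid and repeated numbers contribute nothing."""
    return len(classify_cards(posts)["valid"]) * AVG_LOSS_PER_CARD
```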
SECTION III: Countermeasures
• Enforce laws such as: locating and disabling hosting infrastructure; identifying and arresting market participants
• Challenges
  Multi-national cooperation may be time and resource consuming; cooperation with foreign law enforcement agencies is difficult; the market can re-emerge under new administration with new bulletproof hosting; political differences; who will be in charge ….?
Low-cost countermeasures
• Sybil attack on the market: undercutting the participant verification system
• How ..?
• Sybil generation: register as many nicknames as there are verified sellers in the market
• Achieve verified status: build up the status of each identity at low cost by posting or replaying credit cards seen in one channel to other channels
• Deceptive sales: advertise goods and services for sale
  Ripping: request payment and fail to provide the goods or service; makes buyers unwilling to pay since they can't differentiate honest sellers
  Lemon market: buyers can't distinguish the quality of goods
• Slander attack: eliminate the verified status of buyers and sellers through false defamation; reduce the status of honest sellers so buyers turn to dishonest ones who fail to deliver, hence discouraging the market
Principles of economics
What are the measures ….?
Learning with security in mind
• Quantifying the security of systems
• Forecasting and predicting the future state of internet security
• Understanding the true costs and benefits of deployed security technologies, data breaches and new security protocols
• Analysing the threat model: 1,000 compromised hosts for $10,000 = DDoS
• Estimating global trends that are difficult to measure: the total number of compromised hosts on the internet
• What else …?
SECTION IV: Conclusion
• More questions and discussion
Special thanks
• Tom Chothia
• You all
• End of presentation