Thinking Like They Do: An Inside Look At Cybercriminal Operations
1. Thinking Like They Do: An Inside Look at Cybercriminal Operations
Gianluca Stringhini
University College London
2. Cybercrime is a growing problem
An Inside Look at Cybercriminal Operations 2
3. Cybercrime is a growing problem
4. Cybercrime is a growing problem
Source: Levchenko et al. 2011
5. Anatomy of a spam operation
[Figure: the three actors in a spam operation: Harvester, Botmaster, Spammer]
6. How can we effectively disrupt spamming botnets?
We need to get a better understanding of these cybercriminal operations
Over the last years we have been studying spamming botnets by
• Observing the actors involved
• Getting an inside look into a real botnet
7. Fingerprinting a spam operation
The actors in the underground market are linked by long-lasting trust relations
More details in “The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape” from AsiaCCS 2014
8. Spammers buy bots in different countries – Lethic
9. Spammers buy bots in different countries – Cutwail
10. An inside look into a real spamming botnet
11. The Cutwail takedown
In 2010 we participated in an attempted takedown – we tried to disrupt the botnet by seizing the C&C servers
We obtained access to 24 C&C servers
• 30% of the botnet
• Each server rented by a different spammer
• Detailed statistics on the spammers’ campaigns
12. Some Statistics
The logs of the C&C servers contained information about
• 9 spammers who rented one or more C&Cs
• More than 2M bot IP addresses
• More than 500B spam emails sent
The performance of spam operations varies a lot: the most successful spammer sent 7B emails per day, the least successful only 5.5M
More details in “The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns” from LEET 2011
13. Botnets need to be efficient engineering systems
Additional constraints:
• Infected computers are usually on bad Internet connections
• Adversarial actions can severely disrupt the botnet (victims cleaning up infected computers, law enforcement seizing control servers)
14. If we identify the elements that make a botnet work well, we can develop better mitigation techniques
15. Spammers split an email list among many bots – we can use this to find additional bots!
More details in “BotMagnifier: Detecting Spambots on the Internet” from USENIX 2011
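The slide above only states the idea: because a spammer hands each bot a slice of one shared recipient list, an unknown sender whose recipients overlap heavily with those of already-known bots is probably another member of the same botnet. The following is an added, simplified illustration of that magnification step written for this page; it is not code from the talk or from the BotMagnifier paper. The log entries, the seed pool, the IP addresses and the two thresholds (min_shared, min_ratio) are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of (source IP, recipient) pairs, as a mail relay or
# spam trap might log them. Addresses use documentation ranges; none are real.
DELIVERY_LOG = [
    ("203.0.113.10", "alice@example.net"),
    ("203.0.113.10", "bob@example.net"),
    ("203.0.113.10", "carol@example.net"),
    ("203.0.113.11", "carol@example.net"),
    ("203.0.113.11", "dave@example.net"),
    ("203.0.113.11", "erin@example.net"),
    # unknown sender: three of its four recipients are seed-pool targets
    ("198.51.100.5", "alice@example.net"),
    ("198.51.100.5", "bob@example.net"),
    ("198.51.100.5", "dave@example.net"),
    ("198.51.100.5", "xavier@example.org"),
    # unknown sender: every recipient is a seed-pool target
    ("198.51.100.6", "bob@example.net"),
    ("198.51.100.6", "erin@example.net"),
    # legitimate relay: one chance overlap among many unrelated recipients
    ("192.0.2.20", "alice@example.net"),
    ("192.0.2.20", "frank@example.org"),
    ("192.0.2.20", "grace@example.org"),
    ("192.0.2.20", "heidi@example.org"),
    ("192.0.2.20", "ivan@example.org"),
]

# Seed pool: IPs already known to be spambots (e.g. because they hit a spam trap).
SEED_BOTS = {"203.0.113.10", "203.0.113.11"}


def recipients_by_source(log):
    """Group the log into {source_ip: set(recipients)}."""
    by_src = defaultdict(set)
    for src, rcpt in log:
        by_src[src].add(rcpt)
    return by_src


def target_set(by_src, seed):
    """Union of all recipients contacted by the seed bots: the shared list."""
    targets = set()
    for ip in seed:
        targets |= by_src.get(ip, set())
    return targets


def magnify(log, seed, min_shared=2, min_ratio=0.5):
    """Return {ip: (shared_count, ratio)} for unknown sources that look like
    they hold a slice of the same recipient list as the seed bots.

    min_shared and min_ratio are assumed thresholds chosen for this example;
    on real data they must be tuned, because a busy legitimate relay will
    overlap with any large target set purely by chance.
    """
    by_src = recipients_by_source(log)
    targets = target_set(by_src, seed)
    found = {}
    for ip, rcpts in by_src.items():
        if ip in seed:
            continue
        shared = rcpts & targets
        ratio = len(shared) / len(rcpts)
        if len(shared) >= min_shared and ratio >= min_ratio:
            found[ip] = (len(shared), round(ratio, 2))
    return found


if __name__ == "__main__":
    for ip, (n, r) in sorted(magnify(DELIVERY_LOG, SEED_BOTS).items()):
        print(f"{ip}: {n} recipients shared with seed pool ({r:.0%} of its traffic)")
```

Both the absolute count and the ratio are required: the count stops a single coincidental address from triggering a match, and the ratio stops a high-volume legitimate server, which will eventually hit a few seed targets, from being magnified into the bot set.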
16. What makes a spam operation successful?
Good “housekeeping”
• Clean up email lists for non-existing addresses
• Limit bots to 5,000 at most
Bots have bad Internet connections
• Instruct bots to retry sending emails multiple times
Interesting fact: the geographic location of bots does not influence the performance of the botnet!
More details in “The Tricks of the Trade: What Makes Spam Campaigns Successful?” from IWCC 2014
17. Possible mitigations
Tamper with spammers cleaning up email lists [Stringhini et al., USENIX 2012]
Exhaust the C&C’s bandwidth by connecting fake bots [Work in progress]
Use network errors for spam detection [Kakavelakis et al., LISA 2011]
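The third mitigation above builds on the observation from slide 16 that bots sit on bad Internet connections, so the TCP session that delivers a spam message tends to show more retransmissions, duplicate ACKs and higher latency than a session from a well-connected mail server. The block below is an added illustration of that detection idea written for this page; it is not code from the talk or from the LISA 2011 paper, and it does not reproduce that paper's feature set or learning method. The log format, the per-session counters, the known-good allow-list, the k multiplier and the min_hits rule are all constructed assumptions.

```python
import re
import statistics

# Constructed per-session records in the shape a mail server could log after
# an SMTP delivery (transport-layer counters per TCP connection). Not real data.
SESSION_LOG = """\
src=192.0.2.20 rtt_ms=42 retrans=0 dup_acks=1 bytes=18320 result=accepted
src=192.0.2.21 rtt_ms=55 retrans=1 dup_acks=0 bytes=9410 result=accepted
src=192.0.2.22 rtt_ms=38 retrans=0 dup_acks=2 bytes=27510 result=accepted
src=192.0.2.23 rtt_ms=61 retrans=1 dup_acks=1 bytes=12080 result=accepted
src=198.51.100.5 rtt_ms=410 retrans=7 dup_acks=9 bytes=2048 result=accepted
src=198.51.100.6 rtt_ms=380 retrans=5 dup_acks=6 bytes=2100 result=accepted
src=203.0.113.40 rtt_ms=47 retrans=0 dup_acks=0 bytes=15000 result=accepted
"""

# Sources known to be legitimate mail servers (assumed allow-list used only
# to learn what "normal" transport behaviour looks like).
KNOWN_GOOD = {"192.0.2.20", "192.0.2.21", "192.0.2.22", "192.0.2.23"}

FEATURES = ("rtt_ms", "retrans", "dup_acks")
LINE_RE = re.compile(r"src=(\S+) rtt_ms=(\d+) retrans=(\d+) dup_acks=(\d+) bytes=(\d+)")


def parse_sessions(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, rtt, retrans, dup, nbytes = m.groups()
        sessions.append({"src": src, "rtt_ms": int(rtt), "retrans": int(retrans),
                         "dup_acks": int(dup), "bytes": int(nbytes)})
    return sessions


def learn_baseline(sessions, known_good, k=3.0):
    """Learn an upper bound per feature from known-good sessions only:
    mean + k * population stdev. k is an assumed tuning knob."""
    bounds = {}
    for f in FEATURES:
        vals = [s[f] for s in sessions if s["src"] in known_good]
        bounds[f] = statistics.mean(vals) + k * statistics.pstdev(vals)
    return bounds


def classify(sessions, bounds, min_hits=2):
    """Flag a session when at least min_hits features exceed their bound.
    Requiring agreement across features keeps a single slow-but-honest
    sender (high RTT, no losses) from being flagged on latency alone."""
    flagged = {}
    for s in sessions:
        hits = [f for f in FEATURES if s[f] > bounds[f]]
        if len(hits) >= min_hits:
            flagged[s["src"]] = hits
    return flagged


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LOG)
    bounds = learn_baseline(sessions, KNOWN_GOOD)
    for src, hits in classify(sessions, bounds).items():
        print(f"{src}: anomalous {', '.join(hits)}")
```

Two caveats for anyone adapting this: a known-good feature with zero variance produces a bound equal to its mean, so any increase at all is counted as a hit, and the baseline should be re-learned periodically because legitimate senders' network conditions drift too. The output is a signal to feed into a spam score alongside content and reputation checks, not a verdict on its own.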
18. Conclusions
Cybercrime is a worldwide phenomenon, and we need effective countermeasures to fight it
Botnets can be modeled as distributed systems, and mitigations can be designed to make such distributed systems perform poorly
Other types of cybercriminal operations require different techniques
• Identity theft
• Ransomware
• Financial fraud