Thinking Like They Do:
An Inside Look at Cybercriminal Operations
Gianluca Stringhini
University College London
Cybercrime is a growing problem
An Inside Look at Cybercriminal Operations 2
(Figure slides 2–4; the slide 4 figure is from Levchenko et al. 2011)
Anatomy of a spam operation
(Diagram slide showing the three actors: Harvester, Botmaster, Spammer)
How can we effectively disrupt spamming botnets?

We need to get a better understanding of these cybercriminal operations.
Over the last years we have been studying spamming botnets by
• Observing the actors involved
• Getting an inside look into a real botnet
Fingerprinting a spam operation

The actors in the underground market are linked by long-lasting trust relations.
More details in “The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape” from AsiaCCS 2014
Spammers buy bots in different countries – Lethic
(Figure slide)

Spammers buy bots in different countries – Cutwail
(Figure slide)
An inside look into a real spamming botnet
The Cutwail takedown

In 2010 we participated in an attempted takedown – we tried to disrupt the botnet by seizing the C&C servers.
We obtained access to 24 C&C servers
• 30% of the botnet
• Each server rented by a different spammer
• Detailed statistics on the spammers’ campaigns
Some Statistics

The logs of the C&C servers contained information about
• 9 spammers who rented one or more C&Cs
• More than 2M bot IP addresses
• More than 500B spam emails sent

The performance of spam operations varies a lot: the most successful spammer sent 7B emails per day, the least successful only 5.5M.
More details in “The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns” from LEET 2011
Botnets need to be efficient engineering systems

Additional constraints:
• Infected computers are usually on bad Internet connections
• Adversarial actions can severely disrupt the botnet (victims cleaning up infected computers, law enforcement seizing control servers)
If we identify the elements that make a botnet work well, we can develop better mitigation techniques.
Spammers split an email list among many bots – we can use this to find additional bots!
More details in “BotMagnifier: Detecting Spambots on the Internet” from USENIX 2011
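The observation on this slide (one address list is split among many bots, so every bot of a campaign hits overlapping recipients) can be turned into a defender-side check on a mail server's own delivery log. The following is an added example in the spirit of that idea, not the BotMagnifier code or data: starting from a small seed of IPs already known to belong to a campaign, it flags other senders whose recipient set overlaps heavily with the campaign's recipients. The log format, the sample lines, the seed IPs, and the threshold values are all constructed assumptions; the min_recipients guard is there so a legitimate sender that happened to email a single campaign target is not flagged on one message.

```python
"""
Campaign-based spambot "magnification" over a mail server's delivery log.

Added example (not the BotMagnifier code): a spammer splits one address list
among many bots, so bots of one campaign target overlapping recipient sets.
Log format, sample data, seed IPs and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (not real data): one inbound delivery per line,
# with the sending IP and the local recipient it was addressed to.
SAMPLE_LOG = """\
2024-03-01T09:00:01 from=203.0.113.10 to=alice@example.org
2024-03-01T09:00:02 from=203.0.113.10 to=bob@example.org
2024-03-01T09:00:03 from=203.0.113.10 to=carol@example.org
2024-03-01T09:00:04 from=203.0.113.11 to=dave@example.org
2024-03-01T09:00:05 from=203.0.113.11 to=erin@example.org
2024-03-01T09:00:06 from=203.0.113.11 to=frank@example.org
2024-03-01T09:01:10 from=198.51.100.7 to=alice@example.org
2024-03-01T09:01:11 from=198.51.100.7 to=dave@example.org
2024-03-01T09:01:12 from=198.51.100.7 to=grace@example.org
2024-03-01T09:02:20 from=198.51.100.8 to=bob@example.org
2024-03-01T09:02:21 from=198.51.100.8 to=carol@example.org
2024-03-01T09:02:22 from=198.51.100.8 to=erin@example.org
2024-03-01T09:02:23 from=198.51.100.8 to=frank@example.org
2024-03-01T09:05:00 from=192.0.2.50 to=alice@example.org
2024-03-01T09:05:01 from=192.0.2.50 to=xavier@example.org
2024-03-01T09:05:02 from=192.0.2.50 to=yolanda@example.org
2024-03-01T09:05:03 from=192.0.2.50 to=zed@example.org
2024-03-01T09:06:00 from=192.0.2.51 to=carol@example.org
"""

# Seed: IPs already known (e.g. from a spam trap) to belong to one campaign.
# Constructed addresses from the documentation ranges.
SEED_BOTS = {"203.0.113.10", "203.0.113.11"}

LINE_RE = re.compile(r"from=(?P<ip>\S+) to=(?P<rcpt>\S+)")


def recipients_by_sender(log_text):
    """Map each sending IP to the set of recipients it delivered to."""
    per_sender = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_sender[m.group("ip")].add(m.group("rcpt").lower())
    return per_sender


def magnify(log_text, seed_ips, min_overlap=0.6, min_recipients=2):
    """Return {ip: overlap} for non-seed senders whose recipients overlap the campaign's.

    overlap = |sender's recipients ∩ campaign recipients| / |sender's recipients|.
    Senders with fewer than min_recipients messages are skipped: one message to
    a campaign target is not evidence of anything.
    """
    per_sender = recipients_by_sender(log_text)
    campaign = set()
    for ip in seed_ips:
        campaign |= per_sender.get(ip, set())
    found = {}
    for ip, rcpts in per_sender.items():
        if ip in seed_ips or len(rcpts) < min_recipients:
            continue
        overlap = len(rcpts & campaign) / len(rcpts)
        if overlap >= min_overlap:
            found[ip] = overlap
    return found


if __name__ == "__main__":
    for ip, score in sorted(magnify(SAMPLE_LOG, SEED_BOTS).items()):
        print(f"{ip}: {score:.2f} of its recipients are campaign targets")
```

On the constructed data the two senders that hit mostly campaign addresses are reported, the sender that emailed one campaign target among four unrelated ones is not, and the single-message sender is skipped by the min_recipients guard. In practice the seed comes from a spam trap or a known-bot list, and the window over which deliveries are grouped matters as much as the threshold.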
What makes a spam operation successful?

Good “housekeeping”
• Clean up email lists for non-existing addresses
• Limit bots to 5,000 at most

Bots have bad Internet connections: instruct bots to retry sending emails multiple times.

Interesting fact: the geographic location of bots does not influence the performance of the botnet!
More details in “The Tricks of the Trade: What Makes Spam Campaigns Successful?” from IWCC 2014
Possible mitigations

• Tamper with spammers cleaning up email lists [Stringhini et al., USENIX 2012]
• Exhaust the C&C’s bandwidth by connecting fake bots [Work in progress]
• Use network errors for spam detection [Kakavelakis et al., LISA 2011]
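The third mitigation follows from the constraint stated earlier in the deck: bots sit on poor connections and are told to retry, so their SMTP sessions end in timeouts and resets far more often than a real mail server's do. The block below is an added example of that kind of scoring on a receiving server's connection log; it is not the code from Kakavelakis et al., and the log format, the outcome names, the sample lines and the thresholds are constructed assumptions. The min_sessions guard handles the obvious failure mode of this signal: a sender seen only twice cannot be judged on its error fraction.

```python
"""
Sender scoring from SMTP connection outcomes.

Added example (not the code from Kakavelakis et al.): bots on bad connections
that keep retrying produce a high fraction of sessions ending in network
errors.  Log format, outcome names, sample data and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Session outcomes we treat as network-level failures (assumed names).
NETWORK_ERRORS = {"timeout", "reset", "lost-connection"}

# Constructed sample (not real data): one line per inbound SMTP session.
SAMPLE_SESSIONS = """\
2024-03-01T09:00:01 client=198.51.100.7 result=timeout
2024-03-01T09:00:40 client=198.51.100.7 result=reset
2024-03-01T09:01:15 client=198.51.100.7 result=ok
2024-03-01T09:01:50 client=198.51.100.7 result=timeout
2024-03-01T09:00:05 client=192.0.2.20 result=ok
2024-03-01T09:00:09 client=192.0.2.20 result=ok
2024-03-01T09:00:13 client=192.0.2.20 result=ok
2024-03-01T09:00:17 client=192.0.2.20 result=ok
2024-03-01T09:00:21 client=192.0.2.20 result=ok
2024-03-01T09:03:00 client=203.0.113.44 result=ok
2024-03-01T09:03:30 client=203.0.113.44 result=lost-connection
2024-03-01T09:04:00 client=203.0.113.44 result=ok
2024-03-01T09:07:00 client=198.51.100.9 result=timeout
2024-03-01T09:07:30 client=198.51.100.9 result=timeout
"""

LINE_RE = re.compile(r"client=(?P<ip>\S+) result=(?P<result>\S+)")


def error_rates(log_text):
    """Map each client IP to (sessions, fraction of sessions ending in a network error)."""
    counts = defaultdict(lambda: [0, 0])  # ip -> [sessions, errors]
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = counts[m.group("ip")]
        entry[0] += 1
        if m.group("result") in NETWORK_ERRORS:
            entry[1] += 1
    return {ip: (sessions, errors / sessions) for ip, (sessions, errors) in counts.items()}


def flag_senders(log_text, threshold=0.5, min_sessions=3):
    """IPs whose error fraction reaches the threshold, once enough sessions exist to judge."""
    return sorted(
        ip
        for ip, (sessions, rate) in error_rates(log_text).items()
        if sessions >= min_sessions and rate >= threshold
    )


if __name__ == "__main__":
    for ip, (sessions, rate) in sorted(error_rates(SAMPLE_SESSIONS).items()):
        print(f"{ip}: {sessions} sessions, {rate:.0%} network errors")
    print("flagged:", flag_senders(SAMPLE_SESSIONS))
```

On the sample, the client with three failures in four sessions is flagged, the well-behaved MTA and the client with one transient drop are not, and the two-session client is held back by min_sessions regardless of its 100% error rate. A signal like this is meant to feed a score alongside content and reputation checks rather than to block on its own, since a legitimate sender behind a flaky link looks the same at this layer.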
Conclusions

Cybercrime is a worldwide phenomenon, and we need effective countermeasures to fight it.
Botnets can be modeled as distributed systems, and mitigations can be designed to make such distributed systems perform poorly.
Other types of cybercriminal operations require different techniques:
• Identity theft
• Ransomware
• Financial fraud
Questions?
g.stringhini@ucl.ac.uk
@gianluca_string