Curbing the For-Profit Cybercrime Food Chain

Google Underground Research

Researchers with Google and a handful of universities believe security practitioners need to focus on evaluating how cybercriminals adapt to interventions instead of trying to protect users.

Security specialists need to change the game and shift gears, researchers argue – instead of focusing on protecting their users and systems, they should narrow their sights on trying to shake up cybercrime’s seedy underbelly.

At least that’s how Kurt Thomas and Elie Bursztein, researchers at Google’s Anti-Fraud and Abuse Research team, see it. The two recruited another researcher from Google, David Wang, and a corps of researchers from the University of California, San Diego, Berkeley, and Santa Barbara, George Mason, and Michigan State, for a deep dive on the cybercrime underground and the best ways to disrupt it.

The paper detailing their research, “Framing Dependencies Introduced by Underground Commoditization” (.PDF) surfaced on Google’s Online Security Blog Thursday.

In particular, the researchers looked at how highly specialized criminal entrepreneurs relate to one another and where they fit into the for-profit cybercrime ecosystem. They examined the miscreants behind spam and ransomware campaigns, credit card theft, and other forms of cybercrime, and devised a taxonomy to connect the dots between the players in each field, but it was the commoditization of the ecosystem that really struck a chord with the researchers.

It’s fairly simple – criminals hawking hacked wares, exploit kits and personally identifiable information spread spam links through fake accounts. Victims buy the goods, get looped through shady affiliate programs, and once everything is said and done, the spammer gets a cut from the affiliate program.

But by looking at the connections between how each party makes money, the researchers discovered “fragile dependencies” they describe as being “ripe targets for disruption.”

“Commoditization directly influences the kinds of business structures and labor agreements that drive recent cybercrime,” the researchers write.

While shutting down the black market is easier said than done, the paper notes a few ways to deter the behavior of attackers, if not fully break the chain.

The researchers note that trying to protect users and their systems – with firewalls, two-factor authentication and so on – is one strategy, but its biggest drawback is that it does not disincentivize fraud and abuse; they instead liken that approach to a “never-ending firefight.”

“This reactive development cycle never affords defenders an opportunity to strike at the critical infrastructure or financial centers that underpin abuse, which might otherwise fundamentally change the war against for-profit abuse,” the researchers claim.

Instead, the researchers trumpet alternative measures, like botnet takedowns – something that offers a “temporary reprieve” – and other methods that limit the efficiency of attackers. The paper cites an incident in which Google blocked certain cell carriers and free VOIP providers that were being used to verify fake accounts. The move did not do away with scammers completely, but it did raise the cost of accounts being sold online by 30 to 40 percent.

“Increasing the cost of fake accounts, phone numbers, or compromised websites cuts into the profitability of abuse,” Thomas and Bursztein rationalized in the blog post about their research Thursday. “In the end, abuse propped up by cost-ineffective resources will crumble.”

“‘Everything’ is available for a price, though whether criminals actively buy into these services remains an open question for research,” they write.

They argue that finding a way to disrupt the flow of money in the cybercrime ecosystem, and prosecuting the actors behind campaigns, can also be effective, albeit to varying degrees.

Thomas, Bursztein and company point out that criminals can readily replace hosting infrastructure and domains, but banking relationships are tenuous and volatile, and difficult to repair once broken. Arrests of the criminals responsible for botnets and carding forums are infrequent but largely effective when they happen, the researchers note, citing the arrests of “Paunch” and of men involved with the Zeus Trojan.

While these aren’t new ideas by any means, the researchers reason that industry practitioners could benefit from researching them further, focusing on “data-driven interventions” and scrutinizing how cybercriminals adapt to such interventions.

“We believe that researchers and industry can leverage our framework to evaluate novel approaches in undermining existing cybercrime operations and to predict future trajectories of Internet crime,” the researchers write.
