1 CCIED Looking Forward. Context After four years… u 50+ papers, multiple awards, significant...
-
Upload
colin-quentin-armstrong -
Category
Documents
-
view
212 -
download
0
Transcript of 1 CCIED Looking Forward. Context After four years… u 50+ papers, multiple awards, significant...
1
CCIED Looking ForwardCCIED Looking Forward
ContextContext• After four years…
50+ papers, multiple awards, significant advances on state of the art, two new workshops, lots of tech transfer, many students trained, etc
• But…We didn’t stop Internet worms,
let alone malware, let alone cybercrime…
nor did anyone else. At best, moved it around a bit.
By any meaningful metric things are worse than when we started…
• Mistake: looking at this primarily as a technical problem
Key threat transformations Key threat transformations of the 21of the 21stst century century
• Efficient large-scale compromises Internet communications model Software homogeneity User naïveity/fatigue
• Centralized control Cheap scalability for criminal applications
(e.g. spam, info theft, DDoS, etc)
• Profit-driven applications Commodity resources
(IP, bandwidth, storage, CPU) Unique resources
(PII/credentials, CD-Keys, address book, etc)
3
Emergence of Emergence of Economic Drivers Economic Drivers • In last five years, emergence of profit-making malware
Anti-spam efforts force spammers to launder e-mail through compromised machines (starts with MyDoom.A, SoBig)
“Virtuous” economic cycle transforms nature of threat
• Commoditization of compromised hosts Fluid third-party exchange market (millions of hosts)
» Raw bots (range from pennies to dollars)» Value added tier: SPAM proxying (more expensive)
• Innovation in both host substrate and its uses Sophisticated infection and command/control networks: platform SPAM, piracy, phishing, identity theft, DDoS are all applications
DDoS for saleDDoS for sale• Emergence of economic engine for Internet crime
SPAM, phishing, spyware, etc
• Fluid third party markets for illicit digital goods/services Bots ~$0.5/host, special orders, value added tiers Cards, malware, exploits, DDoS, cashout, etc.
6
• 3.6 cents per bot week
• 6 cents per bot week
• 2.5 cents per bot week
September 2004 postings to SpecialHam.com, Spamforum.biz
>20-30k always online SOCKs4, url is de-duped and updated> every 10 minutes. 900/weekly, Samples will be sent on
> request. Monthly payments arranged at discount prices.
>$350.00/weekly - $1,000/monthly (USD) >Type of service: Exclusive (One slot only)
>Always Online: 5,000 - 6,000>Updated every: 10 minutes
>$220.00/weekly - $800.00/monthly (USD)>Type of service: Shared (4 slots)
>Always Online: 9,000 - 10,000>Updated every: 5 minutes
Botnet Spammer Rental RatesBotnet Spammer Rental Rates
Bot PayloadsBot Payloads
Structural asymmetriesStructural asymmetries
• Defenders reactive, attackers proactive Defenses public, attacker develops/tests in private Arms race where best case for defender is to “catch up”
• New defenses expensive, new attacks cheap Defenses sunk costs/business model,
attacker agile and not tied to particular technology
• Minimal deterrent effect Functional anonymity on the Internet; very hard to fix
• Defenses hard to measure, attacks easy to measure Few security metrics (no “evidence-based” security),
attackers measure monetization which drives attack quality
10
Example: brief history Example: brief history of the spam arms raceof the spam arms race
Anti-spam action
1. Real-time IP blacklisting
2. Clean up open relays/proxies
3. Content-based learning
4. Site takedown
5. CAPTCHAs
11
Spammer response
1. Send via open relays/proxies
2. Delivery via compromised botnets
3. Content chaff, polymorphic spam generators, img spam
4. Fast-flux redirect and transparent proxies
5. CAPTCHA outsourcing, OCR-based breaking
The problem The problem • We think about this in terms of technical means for
securing computer systems• Most of 50-100B IT budget on cyber security is spent on
securing the end host AV, firewalls, IDS, encryption, etc… Single most expensive front to secure Single hardest front to secure
• But individual end hosts are not that valuable to the bad guys?
Maybe $1.50? Even less in bulk…
• We need to focus on their economic bottlenecks• Which means we need to understand their economics
13
Internet Criminal EconomicsInternet Criminal Economics
• Our experience so far Underground market analysis [CCS 07] Spam [USEC ‘07, LEET ‘08/’09, CCS ’08]
• Where we’re going In-depth analysis of Market enablers Large-scale analysis of vertical markets Technical defenses based on market enablers Empirical defense assessment (“evidence-based security”)
14
Elements of the Internet Elements of the Internet “underground economy”“underground economy”• Acquisition of illicit digital goods
Tier-1 goods (e.g. credit card data, paypal, etc) » Directly valued in “real world”; single step liquidity
Tier-2 goods (e.g. bots, malware, $ services)» Valued only in UE, rented for service, or used to produce value in scam
• Trade/Sale in such goods On-line markets and market enablers (IRC/Web Forums)
• Scams (capital investment to extract new value) Combine digital goods with value creation strategy SPAM, phishing, DDoS extortion, pump/dump, etc
• Liquidation of goods (cash out) Indirect: SPAM/Adware (potentially legal), Click fraud, pump/dump,
gambling Direct: cash out (WU, eGold, WebMoney), wire transfer, card “tracking”,
mules/drops
ExampleExample
• Scammer runs phishing campaign Buys phishing kit from software specialist Buys mailing list Buys bots for mail relay or rents remailing net Buys host(s) for phishing server Gets credit cards plus PII & CVV2 info (“fulls”)
• Trade fulls on-line for money or other digital goods
• Can use to buy physical goods Drop/remailer: launders physical goods
• Cashier will cash-out fulls for percentage of take E.g. WU: drop receives cash, confirmer “fakes” true owner
Market is public channel active on independent IRC networks (#ccpower)
Common channel activity and admin. creates unified market
IRC log dataset (2.4GB) 13 million public messages From Jan. ’06 to Aug. ’06 Think QVC, not NASDAQ
Market
SS
S
IRC Network
CC
M
Msgs
…S
S
S
IRC Network
CC
M
Msgs
Dataset
Market data collectionMarket data collection
• 1. Posting advertisements Sales and want ads for
goods and services
• 2. Posting sensitive personal information
Full personal information freely pasted to channel
Establishes credibility
• Unstructured quasi-english Need automatic techniques
to identify ads and sensitive data
”have hacked hosts, mail lists, php mailer
send to all inbox”
Market
SSS
Buy, Sell, & Trade
Market ActivityMarket Activity
“i have verified paypal accounts with good balance…and i can cashout paypals”
Name: Phil PhishedAddress: 100 Scammed Ln
Phone: 555-687-5309Card Num: 4123 4567 8901 2345
Exp: 10/09 CVV:123SSN: 123-45-6789
What’s on the market?What’s on the market?Financial instrumentsFinancial instruments
i sell CVV2s at $0.90, hacked hosts at $8, paypals at 8, fullz at $10, and wells fargo logins. IM me at XXXX DO NOT ASK FOR TESTS OR FREE CARDS. Thank you :)
What’s on the market?What’s on the market?Financial servicesFinancial services
i am boa cashout and wellsfargo including chase
westernunion confirmercan confirm males and females have drops in usa I AM VERIFIED MSG ME
looking good and legit drop from USA for stuff (laptop, mobile phones, TV plasma etc)
Ad Type (Goods)
Per
cen
tag
e o
f L
abe
led
Dat
a Hacked Host Sale (3%)
Mailer Sale (3%)
Scam Page Sale (1.5%)
Email List Sale (2%)
PhishingShopping List
GoodsGoods
courtesy Jason Franklin
Some high bitsSome high bits
• Value of “goodwill data” 87k unique credit cards (w/valid Luhn and BIN #)
» Estimate $427.50 exposure = $37M Declared value of bank accounts = $54M But these are only the public numbers, not trades
• Reputation Few miscreants will deal with unknown buyers/sellers New entrants establish reputation by providing free samples
or services» Post raw credit card, bank account, etc
Poor behavior is systematically reported» #rippers channel
Leads to many questions…Leads to many questions…
• Vertical integration vs open markets? How much is each? How much transparency?
• Who dominates market volume? A small number of bigger players? A large number of small players?
• What dominates value creation in each segment?• Can we use market data to directly value threat risk?• Where are the bottlenecks?
Cashout? Market friction (reputation issues) Which bottlenecks amenable to technical means vs economic
means/state power.
• All unknown… and fairly critical
Vertical market segment:Vertical market segment:Spam-based marketingSpam-based marketing
• 100B+ spam e-mails sent per day [Ironport] Most focused on product/service advertising Some as vector for malware, etc. >$1B in direct costs [IDC], larger indirect costs 10-100x
• Range of enablers Botnet-based mail delivery, spaming software, address list,
redirection infrastructure, hosting infrastructure, payment processing, fulfillment
• Direct marketing business model Cost of delivery < marginal revenue * conversion rate Only works because someone is buying?
• Very little empirical data on any of this…
24
Courtesy Stuart Brownmodernlifisrubbish.co.uk
Anatomy of a modern pharma Anatomy of a modern pharma spam campaignspam campaign
Andreson, Fleizach, Savage and Voelker, Spamscatter: Characterizing Internet Scam hosting Infrastrcuture, USENIX Security 2007.
SpamscatterSpamscatter
• Goal: Measure and analyze Internet scam hosting infrastructure
• Mine spam for URLs to scam sites hosting ad Probe machines hosting the scams over time Follow all redirections (separate redirection infrastructure from
hosting infrastructure) Render pages and cluster sites based on image similarity
(image shingling)
Spam Campaign LifetimeSpam Campaign LifetimeHow long do spam campaigns last for a scam?How long do spam campaigns last for a scam?
Spam campaigns relatively short
88% last < 20 hours 8% > 2 days
On average... 12 hours of spam Scam site up 1 week
April 21, 2023
< 20 hours
< 2 days
Scam Lifetime & StabilityScam Lifetime & StabilityHow long are scams active, and how reliable are the hosts?How long are scams active, and how reliable are the hosts?
• Scam sites long-lived 50+% lifetime as long as
probe time (1 week)
• Multiple hosts extend scam lifetime
• Web servers and hosts have same lifetime
Hosts likely blocked
• Overall availability high 97% downloads
successful
Shared InfrastructureShared InfrastructureTo what extent do multiple scams share infrastructure?To what extent do multiple scams share infrastructure?
• Substantial sharing
38% of scams share IP with another scam
10 IPs hosted 10 or more scams
• Reasons? Same scammer,
multiple scams Or, sites rented to
multiple scammers...
Looking inside Looking inside spam campaignsspam campaigns
• Virtually all analysis of spam is from standpoint of recipient How many received, from whom, content of msg, etc?
• We really care much more about standpoint of spammer How many sent, how many delivered, to whom, for how long, sent
how, what kind of countermeasures, how many site visits in response, how many conversions, how much cost, how much revenue?
But generally not visible, except to spammer
• Approach: botnet infiltration Spam sent via botnets, botnets have trust problem wrt
compromised hosts Instrumented botnet host offers window into spam operations
30
StormStorm
• Storm is a well-known peer-to-peer botnet• Storm has a hierarchical architecture
Workers perform tasks (send spam, launch DDoS attacks, etc.) Proxies organize workers, connect to HTTP proxies Master servers controlled directly by botmaster
• Workers and proxies are compromised hosts (bots) Use a Distributed Hash Table protocol (Overnet) for rendezvous Roughly 20,000 actives bots at any time in April [Kanich08]
• Master servers run in “bullet-proof” hosting centers Communicate with proxies and workers via command and
control (C&C) protocol over TCP
Spamalytics 31Kanich, Levchenko, Enright, Voelker and Savage, The Heisenbot Uncertainty Problem: Challenges in Separating Bots from Chaff, LEET 2008.
Storm architectureStorm architecture
32
Dr. Evil
Masterservers
Proxybots
Workerbots
Storm spam campaignsStorm spam campaigns
Workers request “updates” to send spam [Kreibich08] Dictionaries: names, domains, URLs, etc. Email templates for producing polymorphic spam
» Macros instantiate fields: %^Fdomains^% from domains dict Lists of target email addresses (batches of 500-1000 at a time)
Workers immediately act on these updates Create a unique message for each email address Send the message to the target Report the results (success, failure) back to proxies Send harvested e-mail addresses
Many campaign types Self-propagation malware, pharmaceutical, stocks, phishing, …
33Kreibich, Kanich, Levchenko, Enright, Voelker, Paxson and Savage, On the Spam Campaign Trail, LEET 2008.
Storm templatesStorm templates
Example Storm spam template and instantiation
34
Macro expansion to insert target email address
Received: from %^C0%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnm^%.%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnm^%^% ([%^C6%^I^%.%^I^%.%^I^%.%^I^%^%]) by %^A^% with Microsoft SMTPSVC(%^Fsvcver^%); %^D^%From: <%^Fnames^%@%^Fdomains^%>To: <%^0^%>Subject: Say hello to bluepill!<%^Fpharma_links^%>
Received: from %^C0%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnm^%.%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnm^%^% ([%^C6%^I^%.%^I^%.%^I^%.%^I^%^%]) by %^A^% with Microsoft SMTPSVC(%^Fsvcver^%); %^D^%From: <%^Fnames^%@%^Fdomains^%>To: <%^0^%>Subject: Say hello to bluepill!<%^Fpharma_links^%>
Received: from auz.xwzww ([132.233.197.74]) by dsl-189-188-79-63.prod-infinitum.com.mx with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Feb 2008 16:33:44 -0800From: <[email protected]>To: <[email protected]> Subject: Say hello to bluepill!spammerdomain2.com
Received: from auz.xwzww ([132.233.197.74]) by dsl-189-188-79-63.prod-infinitum.com.mx with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Feb 2008 16:33:44 -0800From: <[email protected]>To: <[email protected]>Subject: Say hello to bluepill!spammerdomain1.com
Received: from auz.xwzww ([132.233.197.74]) by dsl-189-188-79-63.prod-infinitum.com.mx with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Feb 2008 16:33:44 -0800From: <[email protected]>To: [email protected]: Say hello to bluepill!spammerdomain2.com
Storm in actionStorm in action
1224704030~!pharma_links~!spammerdomain1.comspammerdomain2.comspammerdomain3.com…
1224720409~!names~!eduardorafaelkatierachrisjohnny…
[email protected]@[email protected]@icir.org...
35
Received: from dkjs.sgdsz ([132.233.197.74]) by dsl-189-188-79-63.prod-infinitum.com.mx with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Feb 2008 16:33:44 -0800From: <[email protected]>To: <[email protected]>Subject: Say hello to bluepill!spammerdomain3.com
Data Collection: Data Collection: C&C CrawlerC&C Crawler
Data Collection: Proxy Data Collection: Proxy OperationOperation
@@
@@@@
@@
Data Collection: SummaryData Collection: Summary
• Crawler-based dataset Nov 20 2007 – Nov 11 2008 492,491 C&C requests (to 2,794 proxies) 536,607 templates (23% unique)
• Proxy dataset March 9 2008 – April 02 2008 94,335 workers 813,655 templates (52% unique) 1,212,971 harvested addresses (49% unique)
• Harvest injection dataset April 26 2008 – May 6 2008 1,820,360 harvested addresses (50% unique) 87,846 marker addresses injected 1,957 markers targeted (2.2%) 1,017 spams delivered to markers
Kreibich, Kanich, Levchenko, Enright, Voelker, Paxson and Savage, Spamcraft: An Inside LookAt Spam Campaign Orchestration, LEET 2009.
Who gets spammed?Who gets spammed?
39
Campaigns: The Big PictureCampaigns: The Big Picture
Long campaignsuse few types
Stock scams took a break
Others don't last,but have many types(types ~ instances)
Domain Use & UsabilityDomain Use & Usability• JwSpamSpy
• 557 pharma 2LDs, 94% on blacklist
• Average use 5.6 days
• Shortest use is single dictionary
• Longest is 86 days
• 12.9 domains per hour
• Registration -> use: 21 days
• Use -> block: 18 minutes
Registrations in batchesused at the same time
Domains are abandonedafter being blocked
No more .cn, shorter timeto use, longer use
Address SourcingAddress Sourcing
• 10,000 addresses sampled from harvests and target lists• Web-searches on Google• Only available on infected machines:
76% of harvested addresses 87% of targeted addresses
• Web crawling for addresses unlikely
Affiliate linkageAffiliate linkage
• Evidence of pharma affiliate scheme Web server error message leaked into dictionaries 21 days Nov 20 2007 – Feb 11 2008
<div style="padding-left:165px;padding-top:40px;"><img src="img/logo.gif" border="0" alt="Spamit.com"></div>
<div style="padding-bottom:3px;padding-top:26px; font-size: 14px;"><br /><strong>The system is temporary busy, try to access it later. No data can be lost.</strong></div>
<div>Copyright © SpamIt.com 2007, All rights reserved.</div>
Estimating spam profitsEstimating spam profits
• Key basic inequality:
(Delivery Cost) < (Conversion Rate) x (Marginal Revenue)
• We have some handle on two of these Delivery cost to send spam
» Outsourced cost: retail purchase price < $70/M addrs» In-house cost: development/management labor
Marginal revenue
» Average pharma sale of $100, affiliate commissions ≈ 50%
• Conversion rate is hard to measure directly• We provided first empirical measurement of conversion• By rewriting requests sent through proxies under our control
44
spammerdomain.com
spammerdomain2.com
spammerdomain3.com
Modifying template linksModifying template links
newdomain1.com
newdomain2.com
newdomain3.com
Received: from dkjs.sgdsz ([132.233.197.74]) by dsl-189-188-79-63.prod-infinitum.com.mx with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Feb 2008 16:33:44 -0800From: <[email protected]>To: <[email protected]>Subject: Say hello to bluepill!spammerdomain3.com
Received: from dkjs.sgdsz ([132.233.197.74]) by dsl-189-188-79-63.prod-infinitum.com.mx with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Feb 2008 16:33:44 -0800From: <[email protected]>To: <[email protected]>Subject: Say hello to bluepill!newdomain2.com
• Create two sites that mirror actual sites in spam E-card (self-propagation) and pharmaceutical Replace dictionaries with URLs to our sites
• E-card (self-prop) site Link to benign executable that POSTs to our server Log all POSTs to track downloads and executions
• Pharma site Log all accesses up through clicks on “purchase” Track the contents of shopping carts
• Strive for verisimilitude to remove bias (spam filtering) Site content is similar, URLs have same format as originals, …
Measuring click-throughMeasuring click-through
46
Measuring DeliveryMeasuring Delivery
• Create various test email accounts At Web mail providers: Hotmail, Yahoo!, Gmail Behind a commercial spam filtering appliance As SMTP sinks: accept every message delivered
• Put email addresses in Storm target delivery lists
• Log all emails delivered to these addresses Both labeled as spam (“Junk E-mail”) and in inbox
47
Ethical contextEthical context
• Consequentialism• First, do no harm (users no worse off than before)
We do not send any spam» Proxies are relays, worker bots send spam
We do not enable additional spam to be sent» Workers would have connected to some other proxy
We do not enable spam to be sent to additional users» Users are already on target lists, only add control addresses
• Second, reduce harm where possible Our pharma sites don’t take credit card info Our e-card sites don’t export malicious code
48
Legal contextLegal context
• Warning: IANAL• CAN*SPAM
• Subject to strong definition of “initiator”; we don’t fit it
• ECPA• Our proxy is directly addressed by worker bots
(“party to” communication carve out)
• CFAA• We do not contact worker bots, they contact us
(“unauthorized access”?)• We do not cause any information to be extracted or any
fundamentally new activity to take place • Hard to find a good theory of damages
(functionally indistinguishable -- consequentialism)49
But…But…
• In this kind of work there is little precedent• No agency to get permission; no way to get indemnity• Lawyers tend to say “I believe this activity has low risk
of…”• We worked with two different lawyers to make sure
• Thus, we communicate our activities to a lot of people• Security researchers in industry, academia• Affected network operators/registrars• Law enforcement• FTC
50
Spam pipelineSpam pipeline
51
83.6 M
347.5M
21.1M (25%)
82.7M (24%)
3,827 (0.005%)
10,522 (0.003%)
316 (0.00037%)
28 (0.000008%)
---
Pharma: 12 M spam emails for one “purchase”Pharma: 12 M spam emails for one “purchase”
Sent MTA Visits ConversionsInbox
40.1 M 10.1M (25%) 2,721 (0.005%) 225 (0.00056%)
E-card: 1 in 10 visitors execute the binaryE-card: 1 in 10 visitors execute the binary
Spam filtering software• The fraction of spam delivered into user inboxes
depends on the spam filtering software used Combination of site filtering (e.g., blacklists) and
content filtering (e.g., spamassassin)
• Difficult to generalize, but we can use our test accounts for specific services
Fraction of spam sent that was delivered to inboxes
Effects of Blacklisting (CBL Feed)
Unused
Effective
Other filtering
Response rates by country
Two orders of magnitude
No large aberrations based on email topic
The spammer’s bottom lineThe spammer’s bottom line
• Recall that we tracked the contents of shopping carts• Using the prices on the actual site, we can estimate the
value of the purchases 28 purchases for $2,731 over 25 days, or $100/day ($140 active)
• We only interposed on a fraction of the workers Connected to approx 1.5% of workers Back-of-the-envelope (be very careful)
$7-10k/day for all, or ~$3M/year With a 50% affiliate commission, $1.5M/year revenue Not enough to be profitable unless spammer = botnet owner
• For self-propagation Roughly 3-9k new bots/day
52
We’re on the cusp…We’re on the cusp…
• This is a wide open area with huge impact potential• We have tremendous momentum and experience here• Over several years we’ve brokered the commercial
partnerships necessary to do this work (plus fed advice)
• Key agreements in UC: active purchasing experiments
53
Active Research Partnerships Active Data Providers
Going forward…Going forward…
• Epidemiology Characterizing value chain for different scams
» Spammers, botnets, fast flux, affiliates, processing, fulfillment, Mining social network of underground providers Analyzing market enablers (cost structure and characteristics)
» E.g., mules, domain registration, traffic selling, de-CAPTCHA Mapping monetization via financial credential honeytokens Characterization of phishing defense effectiveness Nation-state vs e-crime infrastructure
• Defenses Botnet-driven spam filtering Proactive URL blocking via on-line learning Proactive phishing defense via machine vision
54
Click Trajectory projectClick Trajectory project
• 10,000 foot idea: We’ve gone deep into one spam campaign Like to understand the relationship between all the elements of the
value chain involved across the spam industry
• Value-chain characterization Front end (visible via network)
» Spamming groups» Botnets (& hosters)» Fast flux networks (& hosters/registrars)» Affiliate programs (& hosters)
Back end » Payment processing» Fulfillment
55
Unraveling Unraveling front end value chainfront end value chain
• Expanding honeyfarm to host all major botnets (safely) Log C&C and spam traffic; additional reversing too All URLs tagged and stored in database
• 1st and 3rd spam feeds and bad url feeds (many) URLs into same database (with source tag)
• Crawl all pages, referrers and metadata (DNS, whois)• Database allows direct association of
Distinct scams (Web page matching and text matching) Distinct botnets (via source tag) Distinct fast flux networks (mapped during crawl) Distinct affiliate programs (via both cookies and templates – also
partner infiltrating affiliate programs to validate) Have IP, DNS and registrar data for everything…
56
Unraveling back end Unraveling back end of value chainof value chain
• Purchasing wide range of spam-advertized products (note: actual purchasing not using any NSF money)
Watches Herbal, Pharma (via partner)
• Cluster purchases based on Merchant and processor Packaging (postmark, forensic analysis of paper) Artifacts of manufacturing process (e.g., FT-NIR on drugs,
analysis of movement similarity for watches)
5757
Crawling underground social networks
Underground criminals have implicit social network Who offers which services, who partners with whom, etc... Use multiple pseudo-identities, but significant structure still can
be reconstructed manually Goal: build social network via crawling/datamining
Identifiers (ICQ, phone, etc) Web page content, linkage on forum sites (who referenced
whom, etc)
CAPTCHA solving analysis Webmail based spam
Web bots hard to filter; launder reputation of Web mail provider But bots must solve CAPTCHA to create account; key enabler
De-catpcha services ($2/1k solved, 33% margin) Study: purchase solving from range of such services Key questions
Human vs vision-based solving (via error variation) For Humans,
» Native language (language primes)» Size of operation (via queuing)
For computers» Accuracy variation, differential pricing» Capacity
Mule recruitment “Mules” are used to launder money or goods (remailers)
Recruited via spam Building classifier that identifies mule spam
automatically; cluster based on e-mail content and site Engage in automated conversation with e-mail sender Goal:
Infer size of mule operation, turn-over, level of sophistication,changes in demand, etc.
Traffic selling On-line underground market for click traffic (parallel to
Google/Yahoo) For direction to particular scams (e.g. pharma, counterfeits, etc) For use in click fraud/PTC scams
Active purchasing of traffic streams Characterize traffic streams themselves
» Real people, country of origin, time on site, click through, etc» Survey of subset of people (why are you here)
Differential pricing for different click streams
Financial honeytokens Range of scams that steal financial credentials Question: do they share monetization infrastructure?
Money mules, wire cashout, layering via purchase, carding, trading, etc
Methodology: Purposely “lose” financial credentials
» Infostealing malware, phishing site, on open market See how accounts are monetized
» Fingerprinting test transactions» Merchant for large transfers
Exploring solo version and via Partnership with financial servicescompany
Scam domain registration Web-based crime is built on cheap and easy domain
registration, but little understood We now have full feed for .com, .net and .org (others)
Look at pattern of use for scam domains (ala w/Storm) Time to use, length of use, registrar agility, etc Different between FF domains and hosting domains
Mining registrant records Either identify template or tie into social network
Phishing defense valuePhishing defense value
• We have three kinds of phishing defenses Spam filtering: stops subset from getting known e-mails lures Toolbars: stop subset from clicking on a known phishing site Takedown: stop everyone from reaching known phishing site
• But… how much do they each matter (i.e., to the phisher) and which is worth additional investment?
• Dataset Categorize phish e-mail and send through current filters Track current toolbar blacklists Track site lifetime (i.e. takedown) Estimating click through (Taylor webalizer trick, DNS caching)
64
Assessing Attacks Assessing Attacks By Nation-StatesBy Nation-States
• AirJaldi is the ISP for the Nation of Tibet 20,000 users in wireless deployment in Dharamsala (nation-in-exile) Maintains Tibetan nation’s web presence (San Jose)
• At both locations we’ve deployed Bro monitors• Goal: can we observe attacks originating for nation-state
purposes rather than cybercrime? San Jose location has “control”: AirJaldi has non-Tibetan customers
too, can partition address space Control for Dharamsala deployment harder, but working on it … Initial data captured prior to GhostNet story indeed exhibits
GhostNet infections = direct subversion from China
• Meta-question: how much similarity between e-crime/nation-state methods/infrastructure?
Proactive phishing defenseProactive phishing defense
• Virtually all anti-phishing defenses are reactive• Proactive defense via browser-based logo identification
Phishing campaigns all use logos or variations as trust cues
• SIFT feature matching invariant (rotation, shearing, scale)
66
Proactive phishing defenseProactive phishing defense
• Query brand provider (ala SPF for domains) on recognized logo – is IP address authorized to display
• Delay notification until user attempts to enter data
67
Warning: you are attempting to enter data into a site that is not
authorized to use the Bank of America trademark.
It is likely that this isa scam
68
Proactive detection Of Proactive detection Of malicious web sitesmalicious web sites
Predict what is safe without
committing to risky actions
• Safe URL?
• Web exploit?
• Spam-advertised site?
• Phishing site?
URL = Uniform Resource Locator
http://www.cs.mcgill.ca/~icml2009/abstracts.html
http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll
http://fblight.com
http://mail.ru
Joint work w/Lawrence Saul
69
Problem in a NutshellProblem in a Nutshell URL features to identify malicious Web sites Different classes of URLs
Benign, spam, phishing, exploits, scams... For now, distinguish benign vs. malicious
facebook.com fblight.com
70
Live URL Classification SystemLive URL Classification System
Label Example Hypothesis
71
Feature vector constructionFeature vector constructionhttp://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll
WHOIS registration: 3/25/2009Hosted from 208.78.240.0/22IP hosted in San MateoConnection speed: T1Has DNS PTR record? YesRegistrant “Chad”...
[ _ _ … 0 0 0 1 1 1 … 1 0 1 1 …]Real-valued Host-based Lexical
60+ features 1.8 million 1.1 millionGROWING
72
Which online algorithms?Which online algorithms?
99% accuracy w/on-line classifier
Confidence-Weighted
LR w/ SGD
Perceptron
Meta-points on URL Meta-points on URL classificationclassification
• Two big practical issues for using machine learning Much work doesn’t scale to large-scale problems Batch SVM-type strategies adapt slowly and don’t work well in
practice (adversary just changes from day-to-day)
• We’ve been working closely with a large Web-mail provider on this project
Scales to their problem size Online update adapts quickly Performs better than their current strategy
(they have reimplemented our scheme and tested w/live data)
73
• Observations– Modest number of bots send most spam– Virtually all bots use templates with simple rules to
describe polymorphism
– Templates+dictionaries ≈ regex describing spam to be
generated
– If we can extract or infer these from the botnets, we have a perfect filter for all the spam generated by the botnet
– Very specific filters, extremely low FP risk
Bot-based spam filter generationBot-based spam filter generation
http://www.marshal.com/trace/spam_statistics.asp
random letters and numbers
phrases from a dictionary
Full automated algorithmAlmost perfect in testing
(~0 false positives, very few false negatives)Exploring live testing
SummarySummary
• We think that the economic structures underlying e-crime are far weaker than their technical vulnerabilities
• Quantitative empirical data is key both for driving technical innovations and policy
• We think we’re uniquely positioned to do this work
76
Questions?Questions?
Yahoo! 77
Collaborative Center for Internet Epidemiology and Defenses
http://ccied.org