Introduction to Cybercrime

Thomas J. Holt

Professor

School of Criminal Justice

Michigan State University

holtt@msu.edu

517-353-9563

@spartandevilshn; @IIRCC1

IIRCC?

• The International Interdisciplinary Research Consortium on Cybercrime is an organization that links the social and technical sciences together with law enforcement and practitioners to understand cybercrime and cybersecurity issues• Participating faculty at institutions across the US, Canada, Europe, and

Oceania

• Seeking relationships with organizations, government, industry• Members are currently conducting research on all manner of cybercrime

• Funding from the Australian Research Council, Ford Foundation, US DHS, UK HO

3

The Digital Divide

• Computers and mobile devices are now ubiquitous• The availability of computer-mediated communications (CMC), like email,

text, Facebook, etc have changed the world

• This is a recent innovation, causing a generational divide• Digital Natives

• Digital Immigrants

4

5

Internet

• The Internet is an interconnected system of networks that connects computers around the world via the TCP/IP protocol• Interconnected networks

6

It’s a Series of Tubes

• The Internet is a series of interconnected computer networks that share and transmit data• Composed of many smaller networks around the world

• Contains a number of different services and functionalities• E-mail

• IRC

• FTP

• World Wide Web

• The Internet and World Wide Web are not the same

The Internet As We Don’t Know It

7

Criminological Theory

• Cybercrime is distinct in that it provides a venue for new offenses, while also enabling existing offenses• Old wine in new bottles, new wine but no bottles

• Applying existing criminological theories to these offenses demonstrate that some factors are consistent on and off-line

8

Defining Computer Misuse

• There are several key terms to define abuse and misuse of technology• Cyberdeviance are behaviors that may not be illegal but go against local

norms or values

• Cybercrimes occur when a perpetrator uses special knowledge of cyberspace to commit a crime

• Cyberterror involves the use of digital technology or CMCs to cause harm and force social change based on ideological or political beliefs

9

Why Is Cybercrime Attractive?

• There are several reasons why individuals may choose to engage in cybercrimes relative to real world offenses• Access

• Ease

• Diminished risk

• Difficulty policing

• Undercounting by victims

• MONEY!!!!!!!!!$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

10

Wall’s Typology of Cybercrime

• Cyber-trespass• Individuals cross boundaries of computer systems into areas

where ownership has already been established• Hackers, crackers, phreakers

• Cyber-Deception/Theft• Criminal acquisitions that can occur on-line

• Pirates, fraudsters, and hackers

11

Computer HackersHacking is a skill that has multiple applications

Theft

Terror

Espionage

Fraud

Hacking

Hacker Skills• Hackers vary significantly in terms of knowledge, skill,

and technical ability• How do we explain participation in hacking?

Skilled hackers

Semi-skilled attacker/hacker

Unskilled attacker/hacker

Innovator and game changer

Applied skillsFeeds off the top tiers to learn and attack

Motivations

• There are several recognized motives within the hacker community• Money

• Entertainment

• Ego

• Cause

• Entrance to a social group

• Status

• These motives are mutable, regionally influenced and impacted by macro and micro social trends

Criminological Theory and Hacking

• Hackers attempt to justify their actions through the application of techniques of neutralization

• Subcultural justifications which are learned through social interactions on and off-line

• There is some evidence hackers with greater skill may have higher levels of self-control, contrary to larger literature• They may also not be deterred through traditional mechanisms

15

Cybercrime As Service

• In previous years, most issues of hacking, malware, and data theft/reuse were thought to involve technically proficient actors

• The emergence of cybercrime as service markets have eliminated the need for skill• Monetized capability

• Monetized data

• Distributed infrastructure

Stolen Data Markets

Stresser/Booters Ops

Decision-making in Open Markets

• Few have considered the extent to which service providers accurately advertise their attack services• How do live attacks function relative to what they were hired to do?

• What is the origin of most attacks

• This study attempted to address these issues using packet capture analyses of 155 attacks from 21 different providers

Methods

• Attacks were conducted over a month period between December 2015 and January 2016• Attacks lasted 1-5 minutes depending

• Target was a Windows Server 2012 with 12GB ram on a dedicated commercial Internet connection • Data capture via an inline Barracuda Networks, Ethernet Tap on a separate

computer running Windows 7.

• Pcap logs analyzed via wireshark

Stresser Service Provider DetailsStresser Cost Stresser Cost1 $14 - 84 (Free) 12 $5 – 1252 $13 - 75 13 $5 – 3003 $2 – 60 14 $2 – 1504 $5 - 289 15 $5 – 555 $15 - 1980 16 $4 - 130 (Free)6 Free 17 $10 - 1757 $12 - 300 18 $10 -20 (Free)8 $5 - 30 (Free) 19 $10 - 809 $5 – 35 20 $5 -80 (Free)10 $15 - 49 21 $7 - 25011 $3 - 120

Attack Service Providers and AttacksStresser NTP SSYN CHARGEN DNS ACK UDP SSDP XML-RPC DOMINATE VSE SNMP JOOMLA XTS3 RIP GET POST RST PSH OVH

1 X X X X X

2 X X X X X X X X X X

3 X x

4 X X X X X X

5 x x x x x x x x

6 X

7 X X X

8 X X X X X X

9 X X X X X X X

10 X X X X X X X X

11 X X X X X X X X X X

12 x x x x x X

13 x

14 X X X X X

15 X X X X X

16 X X X

17 X X X X X X X X X X

18 X X X X X X X X X X

19 X X X X X

20 x

21 X X X X X X X

14 13 11 10 10 9 8 6 6 6 4 4 4 3 3 2 2 2 2

Percentage of Reflection Servers by CountryCharGen DNS SNMP

China 26.39% United States 30.27% United States 35.66%

United States 14.92% China 7.99% Russia 10.32%

Italy 11.04% Russia 6.04% Canada 4.08%South Korea 8.66% Japan 4.52% France 3.77%Taiwan 4.64% European Union 3.72% China 2.84%

NTP SSDP Joomla

United States 20.75% China 54.42% United States 30.77%

China 13.19% United States 13.77% Germany 6.79%Russia 6.20% Canada 5.97% Malaysia 5.43%

European Union 5.68% Vietnam 2.99% European Union 3.62%South Korea 4.50% Taiwan 1.99% Australia 3.17%

XML-RPC RIP

United States 41.64% United States 21.77%European Union 6.96% France 13.71%China 6.87% China 12.10%Germany 4.82% Russia 9.68%Japan 4.64% Ukraine 4.84%

Geographic Distribution of Servers

CN 6667

0

40%

US 3162

6

19%

CA 7394 4.5%

RU 4645 2.8%

KR 3674 2.2%

VT 3634 2.2%

TW 3322 2%

Shared Reflected ServersStresser (#) (%) (#) (%) (#) (%) (#) (%) (#) (%) (#) (%) (#) (%) (#) (%)

1 164 65% 598 58% --- --- --- --- --- --- 77 57% --- --- --- ---

2 --- --- 5763 20% 17438 1% 9512 1% --- --- --- --- --- --- --- ---

3 --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

4 170 66% --- --- 1236 10% --- --- --- --- --- --- --- --- --- ---

5 860 57% 1210 66% 374 33% 3994 2% --- --- --- --- --- --- --- ---

6 --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

7 --- --- --- --- --- --- --- --- 71 37% --- --- --- --- --- ---

8 296 39% --- --- 38 5% --- --- --- --- --- --- 688 10% --- ---

9 --- --- 594 20% --- --- --- --- --- --- --- --- --- --- --- ---

10 540 47% --- --- 598 28% --- --- --- --- --- --- --- --- --- ---

11 641 56% --- --- 732 12% --- --- 173 15% --- --- --- --- --- ---

12 2177 33% 915 68% --- --- --- --- --- --- 61 69% --- --- --- ---

13 --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

14 --- --- 742 51% 1698 6% --- --- --- --- --- --- --- --- --- ---

15 130 80% --- --- 630 32% --- --- --- --- --- --- --- --- 504 6%

16 --- --- --- --- 226 8% 1354 3% --- --- --- --- --- --- --- ---

17 996 21% 1120 62% --- --- --- --- --- --- 57 72% 688 16% 60322 >1%

18 816 21% 781 68% --- --- --- --- --- --- --- --- --- --- --- ---

19 --- --- 419 55% 1536 6% --- --- --- --- --- --- --- --- --- ---

20 --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

21 967 51% 873 59% --- --- --- --- --- --- --- --- --- --- --- ---

Total 7757 40.32% 13043 41.32% 24506 4.01% 14860 1.23% 244 21.31% 195 65.12% 1120 11.96% 60826 >1%

SNMP SSDPNTP Chargen DNS XML-RPC Joomla RIP

DRDoS Attack Accuracy By ProviderStresser Total Attacks Successful (%) As Advertised (%)

Combined

(%) Cost

6 1 1 100.00% 1 100.00% 100.00% 0

7 4 4 100.00% 4 100.00% 100.00% 12

20 1 1 100.00% 1 100.00% 100.00% 0

11 12 10 83.33% 10 100.00% 83.33% 3

15 5 5 100.00% 4 80.00% 80.00% 5

5 9 8 88.89% 7 87.50% 77.78% 15

17 11 8 72.73% 8 100.00% 72.73% 10

1 7 6 85.71% 5 83.33% 71.43% 14

21 10 8 80.00% 7 87.50% 70.00% 7

16 3 3 100.00% 2 66.67% 66.67% 0

19 6 5 83.33% 4 80.00% 66.67% 10

2 13 11 84.62% 8 72.73% 61.54% 13

14 5 5 100.00% 3 60.00% 60.00% 2

18 10 8 80.00% 6 75.00% 60.00% 0

3 7 5 71.43% 4 80.00% 57.14% 2

12 7 5 71.43% 4 80.00% 57.14% 5

4 11 9 81.82% 5 55.56% 45.45% 5

9 9 8 88.89% 4 50.00% 44.44% 5

8 11 7 63.64% 4 57.14% 36.36% 5

10 11 6 54.55% 4 66.67% 36.36% 15

13 2 0 0.00% 0 0.00% 0.00% 5

155 123 79.35% 95 77.24% 61.29%

Attack Type Launched By Provider

Stresser Advertised Launched Correct Cost Stresser Advertised Launched Correct Cost1 PORT MAP RPC 71.00% $14 10 CHARGEN NONE 36.00% $15

2 SSDP QUIC 69.00% $13 SSYN NONE

ES-SYN NONE SSDP QUIC

XMAS NONE DOMINATE NONE

S-UDP DNS GSS NONE

GET ACK CSGO NONE

3 NTP QUIC 57.00% $2 SNMP DNS

LAG NONE 11 SNMP NONE 83.00% $3

BOGUS NONE TCP-SYN NONE

4 XTS3 QUIC 45.00% $5 12 TCP-SYN ICMP 71.00% $5

VSE QUIC TCP-FIN NONE

TS3 UDP TCP-PSH NONE

DOMINATE NONE 13 XPOD NONE 0.00% $5

ATCP NONE R-UDP NONE

NSYN ACK 14 NTP DNS 60.00% $2

VSE STATIC NONE TS3 UDP

5 LAG DNS 78.00% $15 15 ACK SYN 80.00% $5

RST NONE 16 TCP AMP RIP 67.00% $0

8 SSDP QUIC 36.00% $5 17 DOMINATE NONE 73.00% $10

MS-SQL QUIC JOOMLA NONE

NETBOIS QUIC XMLRPC NONE

RUDY NONE 18 SSDP UDP NTP 60.00% $0

SLOWLORIS NONE TCP FLAG SYN

ARME NONE XML-RPC NONE

SYN NONE JOOMLA NONE

9 SSDP QUIC 44.00% $5 19 SSYN CHARGEN 67.00% $10

NTP QUIC TCP NONE

SSYN NONE 21 RST NONE 70.00% $7

KSS QUIC VSE NONE

OVH TCP CF BYPASS HTTP GET

Open Vs. Deep Vs. Dark

Tor-Based Markets

• Sites hosted using Tor comprise the ‘Dark Web’ • Websites and content considered "hidden services", in that they can only be

accessed via Tor

• Much attention has been paid to the presence of drug markets hosted on Tor• Few studies have examined data services

• Unknown what differences may be present in processes/structure

Forum Rus/Engl Number of Posts in Sample

Posts With Geographic Identifiers

TOR-basedNumber

Percent of

Total1 Engl/Rus 139 55 39.6% No2 Engl 861 825 95.8% No3 Rus 184 117 63.6% No4 Engl 1915 1638 85.5% No5 Rus 328 116 35.4% No6 Engl/Rus 498 375 75.3% No7 Engl 51 18 35.3% Yes8 Rus 634 411 64.8% No9 Rus 227 172 75.8% No10 Rus 368 80 21.7% No11 Engl 257 212 82.5% No12 Engl 6663 6244 93.7% No13 Engl 2647 0 0.0% No14 Engl 80 40 50.0% Yes15 Rus 90 30 33.3% No16 Rus 32 0 0.0% No17 Rus 236 236 100.0% No18 Rus 154 94 61.0% NoTotal n = 15,364 n = 10,663 69.4%

M = 853.6

SD = 1,456.7

M = 592.4

SD = 1,606.2

M = 56.3%

SD = 31.2%

Overall in the data we have only 1.29% (195) TOR-based advertisements.

Table 2: Shop Descriptive Statistics

Posts with Geographic

Identifiers

Number of

Shop Rus/Engl Posts in Sample Number Percentage Tor-based

1 Engl 16 16 100.0% Yes

2 Engl 2 2 100.0% Yes

3 Engl 4 4 100.0% Yes

4 Engl 3 3 100.0% Yes

5 Engl 3 3 100.0% Yes

6 Engl 1 1 100.0% Yes

7 Engl 21 0 0.0% Yes

8 Engl 2 2 100.0% Yes

9 Engl 2 2 100.0% Yes

10 Engl 1 1 100.0% Yes

11 Engl 2 2 100.0% Yes

12 Engl 2 2 100.0% Yes

13 Engl 2 2 100.0% Yes

14 Engl 1 1 100.0% Yes

15 Engl 2 2 100.0% Yes

Total n = 64 n = 43 67.2%

M = 4.3 M = 2.9 M = 93.3%

SD = 3.8 SD = 5.9 SD = 25.8%

The Sales Process

Seller Posts an Ad in Forum or Shop

• The sales process involves mutual association and participation

***Dumps Fresh Base ... EU-USA-CANADA-ASIA-OTHER.. Best Valid..*** PRICE LIST:*************USA***************1pcs CLASSIC/STANDARD= 20$1pcs GOLD/PLATINUM = 25$1pcs BUSINESS/SIGNATURE/PURCHASE/CORPORATE/WORLD = 30$1pcs AMEX = 20$*************CANADA************1pcs CLASSIC/STANDARD = 50$1pcs GOLD/PLATINUM/BUSINESS/SIGNATURE/PURCHASE/CORPORATE/WORLD = 70-200$*******EUROPE & ASIA & LATIN & OTHERS*********---[code 101 - non chip]---1pcs CLASSIC/STANDART = 110$1pcs GOLD/PLATINUM = 130$1pcs BUSINESS/SIGNATURE/PURCHASE/CORPORATE/WORLD = 150$1pcs INFINITE = 200$***********************

The Sales Process

Seller Posts an Ad in Forum or Shop

• The sales process involves mutual association and participation

RULES:(please read the rules carefully and follow all the steps, anyone breaking this rules shall expect to be fully ignored by service)1. Contact with one of the our supports and choose dumps u want.2. Calculate total price and submit your order.3. Send us money and your e-mail.4. We have 24 hours (maximum) to complete your order.(LR [Liberty Reserve Payment] INSTANT DELIEVERY )5. We replace only Pickup/Hold Call Dumps with in 24 hours after time period we are not responsiblePAYMENT INFO:LIBERTY RESERVESupport Icq: [removed]

Geographic Identifiers in Ads

Open web forums

Differences between Open and Tor forums

Tor forums Differences between Tor forums and shops

Tor shops Differences between Open forums and shops

No Geographic Identifiers

2,741 23.98% -10.39%

[-26.86, 6.08,]

11 34.38% 34.38%

[17.92, 50.83]

0a

0.00% 23.98% [23.20, 24.77]

Geographic Identifiers

8,687 76.01% 10.38%

[-6.08, 26.86]

21 65.63% -34.38%

[-50.83, -17.92,]

22 100.00% -23.98%

[-24.77, -23.20]

Total 11,428100.00%

32100.00%

22100.00%

Note: The percentages represent the percentage from columns’ total. The differences are statistically significant at .05 level; χ2(2) = 8.84, p=0.012, Fisher’s exact p = 0.004. Numbers

in square brackets are 95% confidence intervals for differences.a The expected count equals 5 for this cell.

Regions Open forums Differences between

Open and Tor forums

Tor forums Differences between Tor

forums and shops

Tor shops Differences between Open

forums and Tor shops

Europe 4,022

48.54% 19.13%

[-2.56, 40.81]

5

29.41% -20.59%

[-50.68, 9.51]

11

50.00% -1.46%

[-22.38, 19.46]North America 3,221

38.87% -14.06%

[-37.82, 9.68]

9

52.94% 2.94%

[-28.67, 34.56]

11

50.00% -11.13%

[-32.05, 9.79]Asia 470

5.67% 5.67%

[5.17, 6.17]

0

0.00% a 0%

0

0% a 5.67%

[5.17, 6.17]Australia and New Zealand 396

4.78% 4.78%

[4.32, 5.24]

0

0.00% a 0%

0

0% a 4.78%

[4.32, 5.24]South America 56

0.68% -5.21%

[-16.39, 5.97]

1

5.88% 5.88%

[-5.30,17.07]

0

0% a 0.68%

[0.50, 0.85]

Central America 53

0.64% -11.13%

[-26.44, 4.19]

2

11.76% 11.76%

[-3.55, 27.08]

0

0% a 0.64%

[0.47, 0.81]Middle East 57

0.69% 0.69%

[0.51,0.87]

0

0.00% a 0%

0

0% a 0.69%

[0.51,0.87]Africa 11

0.13% 0.13%

[0.05, 0.21]

0

0% a 0%

0

0% a 0.13%

[0.05, 0.21]

The Caribbean b -- -- --Total 8,286

100.00%

n/a

17

100.00%

n/a

22

100.00%

n/a

Wall’s Typology of Cybercrime

• Cyberporn/Obscenity• Sexting, prostitution, child sexual exploitation

• Challenging legal space depending on participants

• Cyber-violence• Cyber-stalking

• Cyber-hate

• Tech-talk

46

Pedophile Subculture

• The Internet has engendered the formation of a pedophile subculture where those with an attraction to children can express their interest with others

• This subculture provides justifications and rationalizations for relationships with children

• “Child love”

• Denial of injury

Cyber-Bullying

• Cyber-bullying involves intentional aggressive behavior performed through electronic means• Can cause social and emotional harm to victims similar to real-world bullying

• Can take place via numerous types of computer mediated communication

• There are clear risk factors for cyberbullying victimization in keeping with RAT• Females appear somewhat more likely to experience cyberbullying

• Age attenuation

• Participation in specific acts, not general time online

• Sharing more information on-line

• Real world bullying experiences increase risk

49

Sexting• Sexting involves the use of technology to send photos

or videos of oneself in sexual poses or acts, primarily through text or DM• Snapchat, Instagram, and other apps are uniquely suited to

this purpose

• Private on snapchat or tumblr also lets people monetize this practice

50

Sexting• Evidence suggests sexting rates vary by place and age of sample

• Some US data suggests as few as 2.5% have sent a nude photo while 7.1% received one

• Recent research from Australia is much higher, suggesting 50% of youth aged 13-15 sent a photo, while 60% received a photo

51

Revenge Porn

52

Revenge Porn

• This has created a whole new category of pornography, with sites either selling access or simply offering this content• Research suggests that 23% of those who send sexts/nudes

wind up having their content posted elsewhere

53

Revenge Porn

• Individuals who are victims of revenge porn report various negative consequences from the experience• emotional distress

• social impairment (especially at work)

• suicidal ideation (52%)

• 49% report being stalked or harassed as a result of this content

• 90% of revenge porn victims are women

54

The Threat Landscape• Range of groups with an interest in cyberattacks

• Far left

• Far Right

• Jihadist groups

• Unaffiliated ideological attackers

55

Ideological Cyberattacks

M. As-Salim,39 Ways to Serve and Participate in Jihad, 2003

Principle 34 (Electronic Jihad) on media operations and cyber attacks

Hacking “... is truly deserving of the term „electronic Jihad‟ since the term carries the meaning of force; to strike and to attack. So whoever is given knowledge in this field, then he should not be stingy with it in regards to using it to serve the Jihad. He should concentrate his efforts on destroying any American websites, as well as any sites that are Anti-Jihad and Mujahidin, Jewish websites, modernist and secular websites.”

Recent Notable EventsMalaysian ISIS hacker extradited to US for prosecution

“…[W]e are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts, we are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!”

Recent Notable Events

Weev- aka Andrew Auernheimer

Ideological Attacks

• Using an ECDB-modeled open source collection model, we identified 30 total attacks performed by far left actors• ELF, ALF, Anonymous, Non-affiliated actors

Attack Method Date Range5 Doxxing incidents 2011-20168 Defacements 1996-2016

11 Data breaches 1996-20156 DDOS 2007-2015

Ideological Attacks

• Anonymous accounted for all doxing incidents

• Zoos, companies

• ALF- DDoS, Defacements, data breaches

• Furriers, leather goods, animal shooting range, labs

• 72% of data breaches targeted customer data

• ELF- defacements, DDOS, 1 data breach

• electronics manufactures, universities

• All involve an attempt to punish or embarrass

• To the owners of "The twisted pine fur and leather company" you have no excuse to sale the flesh, skin and fur of another creature. Your website lacks security. To the customers, you have no right to buy the flesh, skin or fur of another creature. You deserve this. You're lucky this is the only data we dumped. Exploiters, you've been warned. Expect us.

• | custFirst | custLast | custCity | custState | custZip | | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -| MIKE | WALLUP | peyton | CO | 80831 || chris | mccave | peyton | CO | 80831 || Kent | Smith | peyton | CO | 80831 |

• These were just some of the vulnerable columns in the "customers" table of the "twistedp_db" database:"custFirst" "custLast""custAdd1" "custAdd2" "custCity" "custState" "custZip" "custCountry""custEMail" "custPhone""cardType" "cardName" "cardExp" "cardCVS" "cardNumber"

• Can you really put that much faith into the security of a company that sales the fur, skin and flesh of dead animals to make a profit?

• We are Anonymous. We are Legion. We do not forgive. We do not forget.We are antisec.We are operation liberate.Expect us.

Discussion

• Cybercrime is an umbrella term encompassing a range of offenses• Offline and online impacts

• Criminological theory has partial success, but many limitations• Deterrence may be all but impossible

• Its evolution will be directly tied to mutable changes in uptake by consumers• Not clear how/when it will be disrupted

Questions?

• Thank you for having me! If you have any questions:• Please feel free to call: 517-353-9563

• Email: holtt@msu.edu

• Follow us on Twitter: @IIRCC1

Introduction to Cybercrime

Thomas J. Holt

Professor

School of Criminal Justice

Michigan State University

holtt@msu.edu

517-353-9563

@spartandevilshn; @IIRCC1