"Combatting the black market isn't something you can do by yourself." Elie Bursztein
Rather than endlessly bolster security against imagined threats, the researchers recommend that companies infiltrate the online black markets inhabited by the actual criminals exploiting their systems. There they can see their own stolen data and hijacked or bot-operated accounts being sold and even track those commodities' prices. Thomas and Bursztein say that they closely follow the price of the bot-controlled Google accounts used for everything from YouTube and Chrome Web Store spam to fake reviews of malicious Android apps to hosting phishing sites on Google Drive. (They declined, however, to name the actual cybercriminal markets that they monitor.)
But more importantly, says Savage, academics can give companies the perspective that’s missing when a security or fraud team is wrapped up in day-to-day firefighting. “Practically everyone employed by a company in an abuse group is working in a mode of constant crisis,” says Savage. “Very few have the luxury of taking a step back to study a problem for a year. We can.”
Looking at the whole criminal economy to find the ideal point of attack usually means talking to people outside your own company. That means collaborating with competitors, law enforcement, and, in Google's view most importantly, university researchers. That also means cozying up to academia with grants and internship programs. "We like universities because they're neutral ground, they're very useful to work with, and they help as many companies as they can," says Bursztein. "Combatting the black market isn't something you can do by yourself."
It's no coincidence that tip comes from a study in which Google partnered with half a dozen universities. But Thomas emphasizes that university researchers don't usually have a product to push or an agenda, as most security vendors or other tech companies do. And University of California at San Diego computer scientist Stefan Savage points out that academics have more legal and public relations leeway to dive into darker corners of the black market, allowing them to venture into questionable practices like purchasing illicit products to track criminals. "We have freer rein," says Savage, another of the study's co-authors. Unlike Google, he says, "there's no risk of brand impact for us when we buy counterfeit drugs and map the flow of money to banks in Azerbaijan and Eastern Europe."
In a research paper published Thursday on Google’s security blog, a group of researchers from Google’s fraud and abuse group and six universities pulled together a kind of meta-study on the anatomy of the cybercriminal underground, focusing on illicit sub-industries like spam, click fraud, scareware, ransomware, and credit card theft. None of the data in the paper is new. Instead, it reviews years of existing cybercrime research to look for patterns and methods of disrupting those illicit schemes. The researchers’ conclusion—perhaps a surprising one for a company as focused on technical security and engineering as Google—is that nuts-and-bolts technological security isn’t enough for a company seeking to protect its users. Putting an actual dent in the cybercriminal economy requires using legal and economic strategies to directly attack the weakest points in its infrastructure: everything from botnet takedowns to payment processing.
In some cases, this new approach means working with law enforcement to target specific criminals and partner in investigations that lead to their arrest. But the researchers admit that individual criminals can be surprisingly elusive—they cite Microsoft’s still unclaimed $250,000 bounty for the authors of the infamous Conficker worm and the FBI’s still-standing $3 million bounty for Zeus trojan developer Evgeniy Mikhailovich Bogachev. Additionally, arrested cybercriminals are often immediately supplanted by competitors. They also suggest botnet takedowns through domain seizures, but note that tactic can lead to collateral damage, like Microsoft’s controversial No-IP purge last year.
As in that VoIP example, the Google researchers recommend finding the point in the cybercriminal process where a single intervention can cause the biggest business disruption or price increase. But that point isn’t always in a company’s own software. In many cases, the researchers suggest reaching beyond product defense to attack criminal infrastructure and even criminals themselves. “We want to move people from a whack-a-mole strategy of finding a hole and fixing it to striking at key players in the marketplace to make abuse fundamentally less profitable,” says Thomas.
The most effective infrastructure point to attack, they suggest, may be payment systems: pressuring banks and payment processors to drop shady customers can entirely cut off the ability of a spam or click fraud campaign to actually generate profit, and force the operators to search out another processor among the limited number that tolerate crime, or switch to a more limited payment mechanism like bitcoin. "It takes months to set up these kinds of relationships," says Giovanni Vigna, a computer science professor at UCSB who collaborated on the study. "Hitting that relationship through legal means inflicts the maximum amount of pain."
"We use black markets as an oracle into how well our defenses are doing." Kurt Thomas
WIRED spoke with Thomas, his fellow Google researcher Elie Bursztein, as well as their co-authors from New York University and the Universities of California at San Diego and Santa Barbara to ask them to pull a few lessons out of their sweeping study of the Internet’s underbelly. Here are their recommendations:
“We use black markets as an oracle into how well our defenses are doing,” says Thomas. “Our systems are directly reflected in the price of those accounts. If the prices are going up, we know we’re doing something right. If the price falls, there’s a problem.”
That's an unexpected approach from Google, which is better known for traditional, vulnerability-focused security. The company has long paid some of the largest "bug bounty" rewards to hackers revealing vulnerabilities in its code, and employs a group of highly skilled hackers known as Project Zero to find those vulnerabilities in its own code and that of other companies.
“Our biggest takeaway is that though a lot of these problems seem intractable from a technical perspective, if you look at this from the supply chain and an economic light, they become solvable,” says Kurt Thomas, one of Google’s authors on the study. “We wanted to collaborate with external researchers to figure out exactly how criminals make money from the black market and identify their brittle infrastructure that’s cost sensitive. If you raise those costs, you disrupt credit card fraud, spam, or these other forms of abuse.”
Framing Dependencies Introduced by Underground Commoditization
In late 2013, for instance, Google found that the price of a bot-controlled Google account had fallen from around $170 per thousand accounts to just $60 per thousand. By analyzing their sign-ups, they were able to see that close to a quarter of the bot accounts had signed up using VoIP phone numbers, a cheap way to circumvent Google's method of limiting accounts to individual humans by tying them to phone numbers. So Google blocked certain commonly abused VoIP services, and by doing so raised the price of the zombie accounts by between 30 percent and 40 percent. "When we cracked down on VoIP and criminals had to go back to using SIM cards, we significantly undercut their profit margins," says Thomas. "By targeting that specific bottleneck, we can improve things across the company."
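The two signals in that anecdote, the market price of bulk accounts as an oracle and the breakdown of abusive sign-ups by how they passed phone verification, can be sketched in a few dozen lines. The block below is an added illustration written for this page, not code from the article or from Google's anti-abuse systems. The sign-up records, the carrier names, the `phone_type` classification (assumed to come from some number-lookup service) and the blocking thresholds are all constructed assumptions; the point is the shape of the analysis, which generalizes to any verification path an abuser can buy cheaply.

```python
"""Added example (not from the WIRED article or the Google/university study).

1. price_signal: treat the per-thousand price of bot accounts as an oracle.
   A falling price means the accounts got cheaper to produce, i.e. a defence
   has weakened; a rising price after a countermeasure means it bit.
2. abuse_by_phone_type / block_candidates: find which phone-verification
   path abusive sign-ups lean on, and which carriers are worth blocking
   given the collateral damage to legitimate users of the same carrier.

All data below is constructed; carrier names, the phone_type field and the
thresholds are assumptions, not anything from Google's systems.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signup:
    account: str
    carrier: str      # hypothetical label from a number-lookup service
    phone_type: str   # "voip" or "mobile" (assumed classification)
    abusive: bool     # later labelled abusive by anti-abuse systems


def price_signal(history):
    """Compare the latest market quote with the previous one.

    Returns (direction, pct_change). A drop is the warning sign.
    """
    if len(history) < 2:
        raise ValueError("need at least two price points")
    prev, cur = history[-2], history[-1]
    pct = (cur - prev) / prev * 100.0
    if pct < 0:
        return ("falling", pct)
    if pct > 0:
        return ("rising", pct)
    return ("flat", 0.0)


def abuse_by_phone_type(signups):
    """Share of abusive sign-ups per phone type, e.g. {'voip': 0.25, ...}."""
    counts = Counter(s.phone_type for s in signups if s.abusive)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def block_candidates(signups, min_volume=20, abuse_rate=0.5):
    """Carriers whose sign-ups are mostly abusive and have real volume.

    Blocking a carrier also blocks its honest users, so the rule demands
    both a high abuse rate and enough sign-ups to justify the collateral
    damage, rather than blocking every carrier that appears in an abuse label.
    """
    by_carrier = defaultdict(lambda: [0, 0])  # carrier -> [total, abusive]
    for s in signups:
        by_carrier[s.carrier][0] += 1
        by_carrier[s.carrier][1] += int(s.abusive)
    return sorted(
        c for c, (n, bad) in by_carrier.items()
        if n >= min_volume and bad / n >= abuse_rate
    )


def _make_signups():
    """Constructed sample: a quarter of abusive sign-ups come via VoIP."""
    rows = []
    for i in range(40):
        rows.append(Signup(f"bot-voip-{i}", "cheapvoip.example", "voip", True))
    for i in range(120):
        rows.append(Signup(f"bot-sim-{i}", "mobile-a.example", "mobile", True))
    for i in range(500):
        rows.append(Signup(f"user-{i}", "mobile-a.example", "mobile", False))
    for i in range(10):
        rows.append(Signup(f"user-voip-{i}", "cheapvoip.example", "voip", False))
    for i in range(30):
        rows.append(Signup(f"user-biz-{i}", "bizvoip.example", "voip", False))
    return rows


SIGNUPS = _make_signups()

if __name__ == "__main__":
    # Constructed quotes: $170 -> $60 per thousand, then a 35% rebound.
    print(price_signal([170, 60]))         # ('falling', -64.7...)
    print(price_signal([170, 60, 81]))     # ('rising', 35.0)
    print(abuse_by_phone_type(SIGNUPS))    # {'voip': 0.25, 'mobile': 0.75}
    print(block_candidates(SIGNUPS))       # ['cheapvoip.example']
```

Note that `bizvoip.example` is also a VoIP carrier but never appears in the block list: it has volume but no abuse, which is the distinction between "block VoIP" and "block the commonly abused VoIP services" that the article describes.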
With hackers and the security research community constantly finding new ways to break every piece of software that touches the Internet, it’s easy to get lost in the endless cycle of hacks and patches and hacks. But one team of Googlers and academic researchers has stepped back from that cycle to take a broader view of the maelstrom of scams, fraud and theft online. The result is a portrait of the digital underworld that goes beyond the traditional idea of corporate security to sketch the entire supply chain of online crime from hacking accounts to cashing out—focusing on where that chain can be weakened or snapped.
Here’s the Googlers’ and university researchers’ full study:
Nuts-and-bolts technological security isn’t enough for a company seeking to protect its users.