Attacking Criminal Networks On the Internet

Posted by kdawson on Tue Oct 16, 2007 02:21 PM
from the sowing-doubt dept.
Hugh Pickens writes "Computer scientists at Carnegie Mellon University are developing techniques to analyze and disrupt black markets on the internet, where criminals sell viruses, stolen data, and attack services estimated to total more than $37 million for the seven-month period they studied. To stem the flow of stolen credit cards and identity data, researchers have proposed two technical approaches to reducing the number of successful market transactions. One approach to disrupting the network is a slander attack where an attacker eliminates the verified status of a buyer or seller through false defamation. Another approach undercuts the cyber-crooks' network by creating a deceptive sales environment. 'Just like you need to verify that individuals are honest on E-bay, online criminals need to verify that they are dealing with "honest" criminals,' says Jason Franklin, one of the researchers."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by Anonymous Coward on Tuesday October 16 2007, @02:28PM (#21000353)

    Syndicate [whitehouse.org]

    Pax,
    Kilgore Trout
  • Idea... (Score:5, Funny)

    by Hsien-Ko (1090623) on Tuesday October 16 2007, @02:31PM (#21000389) Homepage
    Why not just implement violence support in ipv7? Who needs to undercut them, when you can uppercut (to the point of Toasty)?
  • by Anonymous Coward
    How do I get in touch with one of these criminals to inquire about their services? Is there a secret handshake I'm supposed to give to the guy at the McDonald's drivethru, and he writes an ip addy on my happy meal?
  • Let's have a look at a black market that has been around a little bit longer: drugs. Why hasn't anyone thought of using these techniques for disrupting this black market? Mhhhhm... okay.
    • > Why hasn't anyone thought of using these techniques for disrupting this black market?

      Psst buddy, ever heard of a sting? Or an informant?

      But seriously, I suspect in order to combat this, the spammers will roll out a web-of-trust network faster than we ever imagined possible. These guys are on the cutting edge of information security, and don't doubt that they have their own theory folks looking at the problem too.
      • Psst buddy, ever heard of a sting? Or an informant?

        Sorry, I forgot to include the slashdotty "Oh, wait" line, that might have confused some of the irony impaired.

        But seriously, I suspect in order to combat this, the spammers will roll out a web-of-trust network faster than we ever imagined possible. These guys are on the cutting edge of information security, and don't doubt that they have their own theory folks looking at the problem too.

        Sort of like what drug traders did. Buying botnets will be (or

    • Drug interdiction efforts in this country have been law enforcement based - interdict, arrest, trial, imprisonment. Intelligence is limited to that which can be used in court for trial - all else is forbidden.

      The techniques referenced in the article are more in the style of warfare, where the objective isn't to arrest a lawbreaker, but defeat an enemy. Different rules apply. For instance, if an anonymous source gives you the key for Botnet A, you don't have to worry about gathering more evidence to be ab
      • The confusion between law enforcement and warfare is going to get worse...

        The thing is, they're not all that different. The difference is that law enforcement asks "please" or gives warnings more often than soldiers/their commanders. They both derive their power almost exclusively from (the threat of) violence.
  • So it looks like their plan is to infiltrate the sites used by these people, and discredit them? The only way to be able to discredit them is to get in contact with them somehow or visit a site they visit regularly. If we can find such a site...why don't we just find out who's using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? What's the plan?
    • "If we can find such a site...why don't we just find out who's using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? "

      Choice A: Perform lengthy investigation, put in for extradition, wait forever, and then put on trial, all while said bad guy is still controlling and making money off his botnets.

      Choice B: screw up bad guy's botnets so badly that he can't sell their services, causing him to spend more resources in the battle, until he gives up
    • The goal is to create mistrust and a breakdown in criminal networks you may not even be aware of yet. Create a negative environment in enough places and it will infect other sites, just like having enough bad experiences on EBay will poison your trust of the whole site. If they just go in and arrest people (assuming they can) then the crooks can just say "Well, as long as we hide from the cops we can still trust each other enough to do business."
      • I'd expect that an obvious mechanism for attacking phishers would be to collect samples of the phishing spam, connect to their web sites, hand them bad account numbers, and see who's trying to use them. It's an arms race, of course, so it's probably more effective to do low-volume in-depth investigation, but high-volume attacks are an alternative. Some things that could happen are
        • Banks/etc. start overloading phisher websites with bogus info. - lets them catch some users, but also increases the number o
    • You can't just shut them down, because they are hosted on the Russian Business Network's "bulletproof" hosting.
      • > You can't just shut them down, because they are hosted on the Russian Business Network's "bulletproof" hosting.

        I love bulletproof hosters, really. So easy to null-route. Dodge this.
        • Some kinds of "bulletproof hosting" are easy to catch - ISPs in Russia or China or wherever that have stable IP address ranges and no redeeming social value in their web sites, so none of your customers miss them, but if you're using routers you probably can't handle more than a couple thousand such routes; if you're trying to block a mail server or squid cache it's a lot easier.
          (Even more fun than null-routing them is using BGP to advertise a better route to their address, so the rest of the world also ca
    • Because it's basically impossible to find out who they are. The sites (generally speaking) aren't doing anything illegal and the users who are access through a mixture/combination of Tor and botnet proxies.
  • How about... simply arresting the criminals?

    I have the feeling that the police in general just don't care about online crime. Much of it can't be that hard to track down.

    Say the spam in my inbox selling pirated copies of MS office. If you can transfer the money to them then you can find them.
    • Re: (Score:3, Interesting)

      If you can transfer the money to them then you can find them.

      What about spam with no contact info? I posted about this once before, and someone responded with (i paraphrase) "spammers are like the rest of us; they forget to include attachments, too. When a spammer forgets, 6 million people find out about it."

      I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing. It's like the spam is self aware and breeding. Or the spam c
      • I always figured that that type of spam are more probes than anything else. Stick a web bug in a GIF, which is itself a picture of text, and see if it's getting through to people.

        I'm sure some of it is just a mistake but there is more to it than that for most spam I think. Another reason behind it might just be to raise "product awareness". Like if you assault people with enough Viagra ads then eventually they will seek out Viagra or respond to that spam that finally has some contact info.

        On top of that wha
      • I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing.
        Sorry, I forgot to include my contact info - please reply to this post for cheap rolex and v1agra.
        • Your products are intriguing to me and I wish to subscribe to your newsletter.

          What do you mean I'm already "subscribed"?

      • Re:How about... (Score:4, Insightful)

        by Kazoo the Clown (644526) on Tuesday October 16 2007, @04:10PM (#21001963)
        They're probably trying to retrain the spam filters, in preparation for their next volley...
  • ...but next year.... (Score:3, Interesting)

    by drakyri (727902) on Tuesday October 16 2007, @02:41PM (#21000537)
    Uh, what's to stop the bad guys from taking these techniques and using them against existing networks, e.g., E-bay?

    I'm not sure I like this idea....
    • by postbigbang (761081) on Tuesday October 16 2007, @02:51PM (#21000693)
      You see two auctions, one for a kewl expensive collectable car. They look identical in the search page.

      One of them has a very low buy-it-now listing, and a gmail address to contact to be a 'qualified' bidder.

      Which one of them is fishing for your eBay creds? I see these all of the time; I collect and restore specific models of classic cars, and I see one of these almost every week. If you alert eBay through LiveChat, they'll usually take them down. But if you have to report an auction through their mind-numbing 100 questions forms method, you'll never get a fraudulent auction done because you'll explode before you get to the end of forms-- none of which says--> HEY, THIS IS AN OBVIOUS FRAUD!

      You can discredit sellers, but sellers have options to restore their dignity if they want to do this-- although it's tough. PayPal can also intercede, as can buyer credit sources. Resources, except in the complaints department, are tilted towards buyers. But that doesn't mean that there are loads of phish attempts. You find them in amusing places, like when I tried to surf for an Apple notebook, and there were a hundred auctions for the same machine-- if you bought the story about getting it shipped from Italy.
      • I remember back when the PS2 (I think) came out, there was a story of someone buying a box and receipt. There was nothing outright fraudulent about the auction, it listed exactly what it was selling - a PS2 box and receipt. Easy to miss the fine detail and allow yourself to assume that you were buying a PS2 *with* box and receipt.

        I also remember a few years ago a rather more deceptive auction for some brand new, must-have model of phone. Lots of pictures, lots of description, huge great dense paragraph of
      • This is about black markets, which may or may not be used by bad guys. When you talk about black markets, it's more of an us-vs-them situation, not a good-vs-evil situation.

        This is merely warfare. There are no good guys or bad guys (well, they exist, but their moralities are irrelevant for analysis, just as Nazi racism is irrelevant when talking about Blitzkrieg); there's just conflict of interest, and differing tactics meeting one another.

        And good comes out of it, too. The "white" market is also u

      • Sure, there are lots of attacks on spammers and phishers that are immoral - breaking their legs, etc. But there are many things you can do that are Just Fine.

        For instance, if a phisher is impersonating ExampleBank.com's website, it's perfectly fine for ExampleBank to impersonate suckers and go feed the phisher's site a million bogus bank account numbers and passwords that drop the phisher into their honeypot server as well as flooding the phisher's supply of account info from real suckers so it's harder to

        • it's perfectly fine for ExampleBank to impersonate suckers and go feed the phisher's site a million bogus bank account numbers and passwords that drop the phisher into their honeypot server as well as flooding the phisher's supply of account info from real suckers so it's harder to sell.

          Is it? Is there any concern for the site hosting the phisher's site? It's usually someone else's mismanaged server that's been owned by some worm or another. Isn't it vigilante justice to flood them with a million page

          • In addition to the moral issues is the legal question. If you rack up massive bandwidth bills for someone by deliberately flooding their server with bogus data, can you be held liable? What if you manage to crash their server, taking out a bunch of other sites hosted on it (by filling up disc space with the logs, for example)? Can they sue you for damages?

            While you can make a pretty strong case that you were just using their publicly-accessible server as it was intended, I think there's also a pretty st

  • How long before the criminals turn around and use the same tools to disrupt legitimate (read: legal) marketplaces? More complex than a crude DDOS, more customizable, allows for a larger Profit!!! potential.
    • The only real way this could be used to profit by a "criminal" in the classical sense, is to facilitate extortion. "Pay us off or we'll make your auction site worthless." However at that point you get into the problem faced by every extortion racket, hiding your tracks, both financially, and your communications. Easy enough to do the latter, a lot harder to do the former, especially if you pick a big fish with muscle to push an investigation.
        • Re: (Score:3, Interesting)

          Extortion also only really works in cases where the appearance of normalcy is more important to other trust relationships of the victim than whatever payment the extorter requires. That, or they have no recourse to the local law enforcement authorities for some reason.

          From what I've heard, banks often get extorted successfully by Internet-based rings. They pay up, and shut up, because it's cheaper than the huge hit to the trust of their depositors in the institution. Look at what happened to Northern Roc
  • by Venik (915777) on Tuesday October 16 2007, @02:55PM (#21000743)
    All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. Sounds like these "computer scientists" need to add a good attorney to their team, just to make sure it's the hackers and not them who ends up with a legal headache.
    • Whichever organization employs such methods will be exposing itself to lawsuits.

      Think about it.

      "That's right, your honor - the defendant slandered my cred though I was a legit merchant. I can demonstrate proof that I had a full one million stolen credit card accounts in my possession. At $7 each, that entitles me to $7,000,000 plus legal fees to cover the stolen data that I was so rudely prevented from selling by this infidel."

      There's a reason that organized criminals are not litigious...
      • This is not how it works. If your bot is posting information online with as much as a hint of any illegal activity on my part, and no court has yet found me guilty, it is called libel and you are exposing yourself to a lawsuit against which you cannot defend. Criminals may not be litigious, but it will take just one lawsuit to shut down your operation.
        • The burden of proof is on the prosecution. A legitimate operation should have no problem distancing themselves from simple attacks like you describe.
  • by nate nice (672391) on Tuesday October 16 2007, @03:30PM (#21001265) Journal
    I've never really understood why there's this belief that criminals have trouble being honest. Often, a criminal is only such because society labels them that way and thus dishonest. But in reality, many of them are very nice people performing honest business transactions (unregulated at that!) for their clients. Many drug dealers, prostitutes, pirates, hackers, etc are very honest people in the sense they aren't scamming their customers. They will provide great value to them in fact.

    Supporters of the free market can look to the very successful black market as an example of unregulated trade working well. Often in the black market, as this article alludes to, your reputation is everything. So there is no benefit in ripping someone off.

    I've worked with many "honest", good people in my black market transactions.
    • Not scamming their customers, just everybody else. It's hard to reconcile the view of an 'honest person who happens to be engaged in something illegal' with identity theft, credit-card fraud and denial-of-service attacks.



    • Most criminals are only honest within their peer group. Probably because their peer group would likely kill them if they were not honest.

      The idea of an honest criminal only applies to victimless crimes such as drugs, prostitution, gambling, etc. (To people that insist that self crime is not victimless crimes: stop touching yourself)

    • Like most humans, we are only as honest as our options. If you deceive 1,000 people but would never lie to a group of 10 close friends, does that really make you honest?
  • (shakes head at people referring to phishers and dealers in stolen ccards as "honest")

    There are some interesting ideas on this thread. The "flooding" idea is probably both the most legally defensible and cost effective response (hey, it's a real concern). I mean, you get pretty pissed when someone floods your inbox with 100 times as much crap as you get in content, imagine if you had to check each one to see if it was crap or content?

    People talk about just arresting the criminals - we have a pretty darned h
  • I'm working on methods to thwart cyber crime as well. I know I haven't provided anything more than grotesquely vague details lacking any real substance, but just take my word on it.
    • Re:e-crime (Score:5, Insightful)

      by OrangeTide (124937) on Tuesday October 16 2007, @02:32PM (#21000397) Homepage Journal
      Help McGruff by spreading lies and rumors in an attempt to get the criminals mad at each other? It's like spreading a rumor in prison that some inmate is an undercover cop.

      I wonder if anyone is going to get killed over the rumors spread by this anti e-crime technique?