Attacking Criminal Networks On the Internet

Hugh Pickens writes "Computer Scientists at Carnegie Mellon University are developing techniques to analyze and disrupt black markets on the internet, where criminals sell viruses, stolen data, and attack services estimated to total more than $37 million for the seven-month period they studied. To stem the flow of stolen credit cards and identity data, researchers have proposed two technical approaches to reducing the number of successful market transactions. One approach to disrupting the network is a slander attack where an attacker eliminates the verified status of a buyer or seller through false defamation. Another approach undercuts the cyber-crooks' network by creating a deceptive sales environment. 'Just like you need to verify that individuals are honest on E-bay, online criminals need to verify that they are dealing with "honest" criminals,' says Jason Franklin, one of the researchers."

The World's Largest Crime

Syndicate [whitehouse.org]

Pax,
Kilgore Trout

Re:

I think House of Representives [house.gov] is a much larger criminal organization.

Re:

You got that [thesmokinggun.com] right.

Crime Syndicates

You guys have both missed the real criminals ....

http://www.gop.org/ [gop.org]
http://www.democrats.org/ [democrats.org]

of which the other two organizations you mention are wholly owned subsidiaries of these two, as is the other legislative and judicial branch are, along with most of the smaller regional syndicates.

Re:

Well those two organizations rent out services of the White House and Congress to the highest bigger.

Marines.com is obviously a mercenary gang

marines.com [marines.com] is actually a Marine Corps recruiting site. But since it's in .com, not .mil.us where it belongs or at least .mil or .gov, it's obviously a commercial organization.

Re:

How is the pirate party large? Few members, no money and no power. Seems like a small time operation to me. Certainly they have grand ambitions, but right now they aren't a large criminal organization. Bike theft rings in San Francisco are larger than the

Idea...

Why not just implement violence support in ipv7? Who needs to undercut them, when you can uppercut (to the point of Toasty)?

What I want to know is

how do I get in touch with one of these criminals to inquire about their services? Is there a secret handshake I'm supposed to give to the guy at the McDonald's drivethru, and he writes an ip addy on my happy meal?

Yeah, right

Let's have a look at a black market that has been around a little bit longer: drugs. Why hasn't anyone thought of using these techniques for disrupting this black market? Mhhhhm... okay.

Re:

> Why hasn't anyone thought of using these techniques for disrupting this black market?

Psst buddy, ever heard of a sting? Or an informant?

But seriously, I suspect in order to combat this, the spammers will roll out a web-of-trust network faster than we

Re:

Psst buddy, ever heard of a sting? Or an informant?

Sorry, I forgot to include the slashdotty "Oh, wait" line, that might have confused some of the irony impaired.

But seriously, I suspect in order to combat this, the spammers will roll out a web-of-tru

Difference between law enforcement and warfare

Drug interdiction efforts in this country have been law enforcement based - interdict, arrest, trial, imprisonment. Intelligence is limited to that which can be used in court for trial - all else is forbidden.

The techniques referenced in the article are m

Re:

The confusion between law enforcement and warfare is going to get worse...

The thing is, they're not all that different. The difference is that law enforcement asks "please" or gives warnings more often than soldiers/their commanders. They both derive t

Correct me if I'm wrong...

So it looks like their plan is to infiltrate the sites used by these people, and discredit them? The only way to be able to discredit them is to get in contact with them somehow or visit a site they visit regularly. If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? What's the plan?

It's all about choices.

"If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? "

Choice A: Perform lengthy investigation, put in for extradition, wait fo

Re:

The goal is to create mistrust and a breakdown in criminal networks you may not even be aware of yet. Create a negative environment in enough places and it will infect other sites, just like having enough bad experiences on EBay will poison your trust of

Giving Phishers Bad Account Info?

I'd expect that an obvious mechanism for attacking phishers would be to collect samples of the phishing spam, connect to their web sites, hand them bad account numbers, and see who's trying to use them. It's an arms race, of course, so it's probably more

Re:

You can't just shut them down, because they are hosted on the Russian Business Network's "bulletproof" hosting.

Re:

> You can't just shut them down, because they are hosted on the Russian Business Network's "bulletproof" hosting.

I love bulletproof hosters, really. So easy to null-route. Dodge this.

Fast-flux DNS, Botnets make null-routing too hard

Some kinds of "bulletproof hosting" are easy to catch - ISPs in Russia or China or whereever that have stable IP address ranges and no redeeming social value in their web sites, so none of your customers miss them, but if you're using routers you probably

Re:

Because it's basically impossible to find out who they are. The sites (generally speaking) aren't doing anything illegal and the users who are access through a mixture/combination of Tor and botnet proxies.

How about...

How about... simply arresting the criminals?

I have the feeling that the police in general just don't care about online crime. Much of it can't be that hard to track down.

Say the spam in my inbox selling pirated copies of MS office. If you can transfer the

Re:

If you can transfer the money to them then you can find them.

What about spam with no contact info? I posted about this once before, and someone responded with (i paraphrase) "spammers are like the rest of us; they forget to include attachments, too. Whe

Re:

I always figured that that type of spam are more probes then anything else. Stick a web bug in a GIF, which is itself a picture of text, and see if it's getting through to people.

I'm sure some of it is just a mistake but there is more to it then that for m

Re:

I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing.

Sorry, I forgot to include my contact info - please reply to this post for cheap rolex and v1agra.

Re:

Your products are intriguing to me and I wish to subscribe to your newsletter.

What do you mean I'm already "subscribed"?

Re:How about...

They're probably trying to retrain the spam filters, in preparation for their next volley...

...but next year....

Uh, what's to stop the bad guys from taking these techniques and using them against existing networks, e.g., E-bay?

I'm not sure I like this idea....

The bad guys are already phishing on eBay

You see two auctions, one for a kewl expensive collectable car. They look identical in the search page.

One of them has a very low buy-it-now listing, and a gmail address to contact to be a 'qualified' bidder.

Which one of them is fishing for your eBay creds? I see these all of the time; I collect and restore specific models of classic cars, and I see one of these almost every week. If you alert eBay through LiveChat, they'll usually take them down. But if you have report an auction through their mind-numbing 100 questions forms method, you'll never get a fraudulent auction done because you'll explode before you get to the end of forms-- none of which says--> HEY, THIS IS AN OBVIOUS FRAUD!

You can discredit sellers, but sellers have options to restore their dignity if they want to do this-- although it's tough. PayPal can also interecede, as can buyer credit sources. Resources, except in the complaints department, are tilted towards buyers. But that doesn't mean that there are loads of phish attempts. You find them in amusing places, like when I tried to surf for an Apple notebook, and there were a hundred auctions for the same machine-- if you bought the story about getting it shipped from Italy.

Re:

I remember back when the PS2 (I think) came out, there was a story of someone buying a box and receipt. There was nothing outright fraudulent about the auction, it listed exactly what it was selling - a PS2 box and receipt. Easy to miss the fine detail and

This is pretty encouraging

This is about black markets, which may or may not be used by bad guys. When you talk about black markets, it's more of an us-vs-them situation, not a good-vs-evil situation.

This is merely warfare. There are no good guys or bad guys (well, they exist, bu

In many cases it's just fine.

Sure, there are lots of attacks on spammers and phishers that are immoral - breaking their legs, etc. But there are many things you can do that are Just Fine.

For instance, if a phisher is impersonating ExampleBank.com's website, it's perfectly fine for Ex

Re:

it's perfectly fine for ExampleBank to impersonate suckers and go feed the phisher's site a million bogus bank account numbers and passwords that drop the phisher into their honeypot server as well as flooding the phisher's supply of account info from real

Re:

In addition to the moral issues is the legal question. If you rack up massive bandwidth bills for someone by deliberately flooding their server with bogus data, can you be held liable? What if you manage to crash their server, taking out a bunch of other s

legitimate transactions?

How long before the criminals turn around and use the same tools to disrupt legitimate (read: legal) marketplaces? More complex than a crude DDOS, more customizable, allows for a larger Profit!!! potential.

Re:

The only real way this could be used to profit by a "criminal" in the classical sense, is to facilitate extortion. "Pay us off or we'll make your auction site worthless." However at that point you get into the problem faced by every extortion racket, hid

Re:

Extortion also only really works in cases where the appearance of normalcy is more important to other trust relationships of the victim than whatever payment the extorter requires. That, or they have no recourse to the local law enforcement authorities fo

Slander is a "technical approach"?

All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. Sounds like these "computer scientists" need to add a good attorney to their team, just to make sure it's the hackers and not them who ends up with a legal headache.

Re:

Whichever organization employs such methods will be exposing itself to lawsuits.

Think about it.

"That's right, your honor - the defendant slandered my cred though I was a legit merchant. I can demonstrate proof that I had a full one million stolen cred

Re:

This is not how it works. If your bot is posting information online with as much as a hint of any illegal activity on my part, and no court has yet found me guilty, it is called libel and you are exposing yourself to a lawsuit against which you cannot defe

Re:

The burden of proof is on the prosecution. A legitimate operation should have no problem distancing themselves from simple attacks like you describe.

Wht can't criminals be "honest"?

I've never really understood why there's this belief that criminals have trouble being honest. Often, a criminal is only such because society labels them that way and thus dishonest. But in reality, many of them are very nice people performing honest business transactions (unregulated at that!) for their clients. Many drug dealers, prostitutes, pirates, hackers, etc are very honest people in the sense they aren't scamming their customers. They will provide great value to them in fact.

Supporters of the free market can look to the very successful black market as an example of unregulated trade working well. Often in the black market, as this article eludes to, your reputation is everything. So there is no benefit in ripping someone off.

I've worked with many "honest", good people in my black market transactions.

Re:

Not scamming their customers, just everybody else. It's hard to reconcile the view of an 'honest person who happens to be engaged in something illegal' with identity theft, credit-card fraud and denial-of-service attacks.

"honest" for self preservation

Most criminals are only honest within their peer group. Probably because their peer group would likely kill them if they were not honest.

The idea of an honest criminal only applies to victimless crimes such as drugs, prostitution, gambling, etc. (To peop

Re:

Like most humans, we are only as honest as our options. If you deceive 1,000 people but would never lie to a group of 10 close friends, does that really make you honest?

Flooding...

(shakes head at people referring to phishers and dealers in stolen ccards as "honest")

There are some interesting ideas on this thread. The "flooding" idea is probably both the most legally defensible and cost effective response (hey, it's a real concern).

How?

I'm working on methods to thwart cyber crime as well. I know I haven't provided any thing more than grotesquely vague details lacking any real substance, but just take my word on it.

Re:e-crime

Help mcgruff by spreading lies and rumors in an attempt to get the criminals mad at each other? It's like spreading a rumor in prison that some inmate is an undercover cop.

I wonder if anyone is going to get killed over the rumors spread by this anti e-crime technique?

Re:

In:

http://slashdot.org/comments.pl?sid=326235&threshold=1&commentsort=0&mode=nested&cid=20952949 [slashdot.org]

TechForensics told us:

"However, there is a principle in law (or Equity) that one cannot do indirectly what he cannot do directly. An interesting