Attacking Criminal Networks On the Internet

Hugh Pickens writes "Computer Scientists at Carnegie Mellon University are developing techniques to analyze and disrupt black markets on the internet, where criminals sell viruses, stolen data, and attack services estimated to total more than $37 million for the seven-month period they studied. To stem the flow of stolen credit cards and identity data, researchers have proposed two technical approaches to reducing the number of successful market transactions. One approach to disrupting the network is a slander attack where an attacker eliminates the verified status of a buyer or seller through false defamation. Another approach undercuts the cyber-crooks' network by creating a deceptive sales environment. 'Just like you need to verify that individuals are honest on E-bay, online criminals need to verify that they are dealing with "honest" criminals,' says Jason Franklin, one of the researchers."

...but next year....

[drakyri]

Uh, what's to stop the bad guys from taking these techniques and using them against existing networks, e.g., E-bay?

I'm not sure I like this idea....

legitimate transactions?

[vlk]

How long before the criminals turn around and use the same tools to disrupt legitimate (read: legal) marketplaces? More complex than a crude DDOS, more customizable, allows for a larger Profit!!! potential.

Re:How about...

[veganboyjosh]

If you can transfer the money to them then you can find them.

What about spam with no contact info? I posted about this once before, and someone responded with (i paraphrase) "spammers are like the rest of us; they forget to include attachments, too. When a spammer forgets, 6 million people find out about it."

I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing. It's like the spam is self aware and breeding. Or the spam churning robot is broken or something. I'd love to know what's behind this. Sometimes it's just the filter workaround "poetry", long lists of current event buzzwords, etc.

It's all about choices.

[R2.0]

"If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? "

Choice A: Perform lengthy investigation, put in for extradition, wait forever, and then put on trial, all while said bad guy is still controlling and making money off his botnets.

Choice B: screw up bad guy's botnets so badly that he can't sell their services, causing him to spend more resources in the battle, until he gives up and picks an easier crime.

I'll take "B".

Wht can't criminals be "honest"?

[nate nice]

I've never really understood why there's this belief that criminals have trouble being honest. Often, a criminal is only such because society labels them that way and thus dishonest. But in reality, many of them are very nice people performing honest business transactions (unregulated at that!) for their clients. Many drug dealers, prostitutes, pirates, hackers, etc are very honest people in the sense they aren't scamming their customers. They will provide great value to them in fact.

Supporters of the free market can look to the very successful black market as an example of unregulated trade working well. Often in the black market, as this article eludes to, your reputation is everything. So there is no benefit in ripping someone off.

I've worked with many "honest", good people in my black market transactions.

fight fire with fire?

[Anonymous Coward]

I'm surprised that the banks haven't got together a honeypot botnet of their own (have every employee put a honeypot mirror router on their home PC, etc.) to flood these criminal networks with bogus data. Major ISPs might even buy-in to make their customers look less desirable, and donate random portions of their IP allocations for this on some rotation. Fake millions of clicks on the phishing email web page links from millions of IP addresses, and submit a bunch of false data mixed with some monitored CC numbers. Flood any phishing pages with bogus accounts/passwords for ebay/ppal/brokerage/etc, before trying to take them down. Fake any penny stock buy/sells from these bogus accounts so a lot of time is wasted trying to manipulate the market. The more the data collected becomes random, the less valuable it is to their "business".

Sort of like baiting 419 scammers into showing up on webcams, except on an industrial scale.

Re:legitimate transactions?

[analog_line]

Extortion also only really works in cases where the appearance of normalcy is more important to other trust relationships of the victim than whatever payment the extorter requires. That, or they have no recourse to the local law enforcement authorities for some reason.

From what I've heard, banks often get extorted successfully by Internet-based rings. They pay up, and shut up, because it's cheaper than the huge hit to the trust of their depositors in the institution. Look at what happened to Northern Rock when they stood up and did the right thing to ensure their depositors were safe by going to the Bank of England. The first run on an English bank in a century.

An auction site like eBay doesn't need my trust nearly as much. They don't have my credit card number (unless I use PayPal, but that's not a requirement to use eBay). I don't think I even had to put in an address to set up an eBay account to merely buy stuff. The only trust I need is in the particular seller. Now I'd be the first to admit that your average eBay seller is not toward the high end of the trustworthyness scale, and that the feedback system is abusable, but you're working from a pretty low baseline in any case. And what exactly does eBay have to lose if they broadcast to the world that some dastardly group threatened to make people think that eBay sellers are fraudsters?

Now your black market, that's a lot more like a bank in terms of amount of trust required. A bad deal on a black market doesn't mean you call up PayPal/eBay/bank and tell them that that bastard that promised you 100k of fresh credit card details ripped you, and you want your money back like the victim of a bad deal on a legal marketplace can. Hell, if you're an intelligent person doing business in a place like this, you know damn well that your buyer or seller might be a cop. A wasp doesn't complain too loudly when it gets stung. It's easier, and safer, to find another patch than try to rebuild trust in a compromised location. Not that it's asy, you need to rebuild trust in this new marketplace, which a determined poisoning scheme can probably easily deal with, so you'd theretically be forced into a more personal marketplace, where personal recommendation is required in order to be able to buy. Harder to crack, but WAY harder to use, and it keeps the cost of entry high enough to discourage all but the most determined criminal wannabes.

Re:Idea...

[Anonymous Coward]

I think you mean IPv8, because odd number IP versions are for beta, and even is for production. This is why we went from IPv4 to IPv6. For example, IPv5 was for Internet Stream Protocol (ST), which was an experimental protocol that never saw the light of day.