Forgot your password?
typodupeerror
Security The Almighty Buck The Internet

Attacking Criminal Networks On the Internet 109

Posted by kdawson
from the sowing-doubt dept.
Hugh Pickens writes "Computer Scientists at Carnegie Mellon University are developing techniques to analyze and disrupt black markets on the internet, where criminals sell viruses, stolen data, and attack services estimated to total more than $37 million for the seven-month period they studied. To stem the flow of stolen credit cards and identity data, researchers have proposed two technical approaches to reducing the number of successful market transactions. One approach to disrupting the network is a slander attack where an attacker eliminates the verified status of a buyer or seller through false defamation. Another approach undercuts the cyber-crooks' network by creating a deceptive sales environment. 'Just like you need to verify that individuals are honest on E-bay, online criminals need to verify that they are dealing with "honest" criminals,' says Jason Franklin, one of the researchers."
This discussion has been archived. No new comments can be posted.

Attacking Criminal Networks On the Internet

Comments Filter:
  • by Anonymous Coward on Tuesday October 16, 2007 @03:28PM (#21000353)

    Syndicate [whitehouse.org]

    Pax,
    Kilgore Trout
  • Idea... (Score:5, Funny)

    by Hsien-Ko (1090623) on Tuesday October 16, 2007 @03:31PM (#21000389)
    Why not just implement violence support in ipv7? Who needs to undercut them, when you can uppercut (to the point of Toasty)?
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      I think you mean IPv8, because odd number IP versions are for beta, and even is for production. This is why we went from IPv4 to IPv6. For example, IPv5 was for Internet Stream Protocol (ST), which was an experimental protocol that never saw the light of day.
  • by Anonymous Coward
    how do I get in touch with one of these criminals to inquire about their services? Is there a secret handshake I'm supposed to give to the guy at the McDonald's drivethru, and he writes an ip addy on my happy meal?
  • Let's have a look at a black market that has been around a little bit longer: drugs. Why hasn't anyone thought of using these techniques for disrupting this black market? Mhhhhm... okay.
    • by nuzak (959558)
      > Why hasn't anyone thought of using these techniques for disrupting this black market?

      Psst buddy, ever heard of a sting? Or an informant?

      But seriously, I suspect in order to combat this, the spammers will roll out a web-of-trust network faster than we ever imagined possible. These guys are on the cutting edge of information security, and don't doubt that they have their own theory folks looking at the problem too.
      • Psst buddy, ever heard of a sting? Or an informant?

        Sorry, I forgot to include the slashdotty "Oh, wait" line, that might have confused some of the irony impaired.

        But seriously, I suspect in order to combat this, the spammers will roll out a web-of-trust network faster than we ever imagined possible. These guys are on the cutting edge of information security, and don't doubt that they have their own theory folks looking at the problem too.

        Sort of like what drug traders did. Buying botnets will be (or

    • Drug interdiction efforts in this country have been law enforcement based - interdict, arrest, trial, imprisonment. Intelligence is limited to that which can be used in court for trial - all else is forbidden.

      The techniques referenced in the article are more in the style of warfare, where the objective isn't to arrest a lawbreaker, but defeat an enemy. Different rules apply. For instance, if an anonymous source gives you the key for Botnet A, you don't have to worry about gathering more evidence to be ab
      • by cromar (1103585)
        The confusion between law enforcement and warfare is going to get worse...

        The thing is, they're not all that different. The difference is that law enforcement asks "please" or gives warnings more often than soldiers/their commanders. They both derive their power" almost exclusively from (the threat of) violence.
  • by Jarjarthejedi (996957) <christianpinch@NosPaM.gmail.com> on Tuesday October 16, 2007 @03:41PM (#21000527) Journal
    So it looks like their plan is to infiltrate the sites used by these people, and discredit them? The only way to be able to discredit them is to get in contact with them somehow or visit a site they visit regularly. If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? What's the plan?
    • by R2.0 (532027)
      "If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? "

      Choice A: Perform lengthy investigation, put in for extradition, wait forever, and then put on trial, all while said bad guy is still controlling and making money off his botnets.

      Choice B: screw up bad guy's botnets so badly that he can't sell their services, causing him to spend more resources in the battle, until he gives up
    • The goal is to create mistrust and a breakdown in criminal networks you may not even be aware of yet. Create a negative environment in enough places and it will infect other sites, just like having enough bad experiences on EBay will poison your trust of the whole site. If they just go in and arrest people (assuming they can) then the crooks can just say "Well, as long as we hide from the cops we can still trust each other enough to do business."
      • I'd expect that an obvious mechanism for attacking phishers would be to collect samples of the phishing spam, connect to their web sites, hand them bad account numbers, and see who's trying to use them. It's an arms race, of course, so it's probably more effective to do low-volume in-depth investigation, but high-volume attacks are an alternative. Some things that could happen are
        • Banks/etc. start overloading phisher websites with bogus info. - lets them catch some users, but also increases the number o
    • by bendodge (998616)
      You can't just shut them down, because they are hosted on the Russian Business Network's "bulletproof" hosting.
      • by nuzak (959558)
        > You can't just shut them down, because they are hosted on the Russian Business Network's "bulletproof" hosting.

        I love bulletproof hosters, really. So easy to null-route. Dodge this.
        • Some kinds of "bulletproof hosting" are easy to catch - ISPs in Russia or China or whereever that have stable IP address ranges and no redeeming social value in their web sites, so none of your customers miss them, but if you're using routers you probably can't handle more than a couple thousand such routes; if you're trying to block a mail server or squid cache it's a lot easier.
          (Even more fun than null-routing them is using BGP to advertise a better route to their address, so the rest of the world also ca
    • Because it's basically impossible to find out who they are. The sites (generally speaking) aren't doing anything illegal and the users who are access through a mixture/combination of Tor and botnet proxies.
    • by TT077136 (1167021)
      crimes are increasing and we need to the appropriate action. i agree with you uncle, we need to arrest them and discredit them. but how the goverment going to implement this?????????? okey he he...
  • How about... simply arresting the criminals?

    I have the feeling that the police in general just don't care about online crime. Much of it can't be that hard to track down.

    Say the spam in my inbox selling pirated copies of MS office. If you can transfer the money to them then you can find them.
    • Re: (Score:3, Interesting)

      by veganboyjosh (896761)
      If you can transfer the money to them then you can find them.

      What about spam with no contact info? I posted about this once before, and someone responded with (i paraphrase) "spammers are like the rest of us; they forget to include attachments, too. When a spammer forgets, 6 million people find out about it."

      I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing. It's like the spam is self aware and breeding. Or the spam c
      • I always figured that that type of spam are more probes then anything else. Stick a web bug in a GIF, which is itself a picture of text, and see if it's getting through to people.

        I'm sure some of it is just a mistake but there is more to it then that for most spam I think. Another reason behind it might just be to raise "product awareness". Like if you assault people with enough Viagra ads then eventually they will seek out Viagra or respond to that spam that finally has some contact info.

        On top of that wha
      • I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing.
        Sorry, I forgot to include my contact info - please reply to this post for cheap rolex and v1agra.
        • Re: (Score:2, Funny)

          by kurzweilfreak (829276)
          Your products are intriguing to me and I wish to subscribe to your newsletter.

          What do you mean I'm already "subscribed"?

      • Re:How about... (Score:4, Insightful)

        by Kazoo the Clown (644526) on Tuesday October 16, 2007 @05:10PM (#21001963)
        They're probably trying to retrain the spam filters, in preparation for their next volley...
        • by NAshiqin (1175667)
          It is not that the police don't want to get involve, it's just that there aren't many easy-to-detect criminals (who usually are amateurs) if compared with the hard-to-get criminals. Why bother with the little fishes while the big fishes are roaming the sea? If only the public can restraint themselves from going to phishing sites and stop doing any other activities that can 'help' these criminals then only the crime will stop. Most of the victims are those people with little exposure and awareness to Interne
    • ...can't simply arrest people in countries that don't have laws against this kind of thing (provided you can track them down). What we can do is try to make it more difficult for them to do their job.

      Online crime, agreed - somewhere between don't care and don't understand...
  • ...but next year.... (Score:3, Interesting)

    by drakyri (727902) on Tuesday October 16, 2007 @03:41PM (#21000537)
    Uh, what's to stop the bad guys from taking these techniques and using them against existing networks, e.g., E-bay?

    I'm not sure I like this idea....
    • by postbigbang (761081) on Tuesday October 16, 2007 @03:51PM (#21000693)
      You see two auctions, one for a kewl expensive collectable car. They look identical in the search page.

      One of them has a very low buy-it-now listing, and a gmail address to contact to be a 'qualified' bidder.

      Which one of them is fishing for your eBay creds? I see these all of the time; I collect and restore specific models of classic cars, and I see one of these almost every week. If you alert eBay through LiveChat, they'll usually take them down. But if you have report an auction through their mind-numbing 100 questions forms method, you'll never get a fraudulent auction done because you'll explode before you get to the end of forms-- none of which says--> HEY, THIS IS AN OBVIOUS FRAUD!

      You can discredit sellers, but sellers have options to restore their dignity if they want to do this-- although it's tough. PayPal can also interecede, as can buyer credit sources. Resources, except in the complaints department, are tilted towards buyers. But that doesn't mean that there are loads of phish attempts. You find them in amusing places, like when I tried to surf for an Apple notebook, and there were a hundred auctions for the same machine-- if you bought the story about getting it shipped from Italy.
      • by Tim C (15259)
        I remember back when the PS2 (I think) came out, there was a story of someone buying a box and receipt. There was nothing outright fraudulent about the auction, it listed exactly what it was selling - a PS2 box and receipt. Easy to miss the fine detail and allow yourself to assumed that you were buying a PS2 *with* box and receipt.

        I also remember a few years ago a rather more deceptive auction for some brand new, must-have model of phone. Lots of pictures, lots of description, huge great dense paragraph of
    • I find this pretty frightening. The whole point of the good guys is that they act like good guys. I don't think that implementing a policy of lying, slander and attacking the trust of the social network is a good idea, period-- it's not good when the bad guys do it, and it's not good if the good guys do it. "It's ok for us to lie and cheat because we're on the side of truth and justice" is a justification that sounds awful easy to bend.

      Far too much of the fabric of social networks-- and that includes t

      • This is about black markets, which may or may not be used by bad guys. When you talk about black markets, it's more of an us-vs-them situation, not a good-vs-evil situation.

        This is merely warfare. There are no good guys or bad guys (well, they exist, but their moralities are are irrelevant for analysis, just as Nazi racism is irrelevant when talking about Blitzkrieg); there's just conflict of interest, and differing tactics meeting one another.

        And good comes out of it, too. The "white" market is also u

      • by KDR_11k (778916)
        I don't think anyone's trying to look good here, at this point we just want the spammers dead, NOW.
      • Sure, there are lots of attacks on spammers and phishers that are immoral - breaking their legs, etc. But there are many things you can do that are Just Fine.

        For instance, if a phisher is impersonating ExampleBank.com's website, it's perfectly fine for ExampleBank to impersonate suckers and go feed the phisher's site a million bogus bank account numbers and passwords that drop the phisher into their honeypot server as well as flooding the phisher's supply of account info from real suckers so it's harder to

        • by plover (150551) *

          it's perfectly fine for ExampleBank to impersonate suckers and go feed the phisher's site a million bogus bank account numbers and passwords that drop the phisher into their honeypot server as well as flooding the phisher's supply of account info from real suckers so it's harder to sell.

          Is it? Is there any concern for the site hosting the phisher's site? It's usually someone else's mismanaged server that's been owned by some worm or another. Isn't it vigilante justice to flood them with a million page

          • In addition to the moral issues is the legal question. If you rack up massive bandwidth bills for someone by deliberately flooding their server with bogus data, can you be held liable? What if you manage to crash their server, taking out a bunch of other sites hosted on it (by filling up disc space with the logs, for example)? Can they sue you for damages?

            While you can make a pretty strong case that you were just using their publically-accessible server as it was intended, I think there's also a pretty st

            • First of all, I wasn't talking about a Denial of Service level of attack on the phisher (though those can be entertaining as well) or even a Rack Up Bandwidth Bills attack (there have been groups like "Artists Against 419" that do that to Nigerian 419 websites.) I was talking about handing the phisher enough bogus account data that it's hard to find any accounts from real suckers between the bogus accounts, and reducing the phisher's reputation with the people he sells stolen numbers to.

              Any half-decently c

  • by vlk (775733)
    How long before the criminals turn around and use the same tools to disrupt legitimate (read: legal) marketplaces? More complex than a crude DDOS, more customizable, allows for a larger Profit!!! potential.
    • The only real way this could be used to profit by a "criminal" in the classical sense, is to facilitate extortion. "Pay us off or we'll make your auction site worthless." However at that point you get into the problem faced by every extortion racket, hiding your tracks, both financialy, and your communications. Easy enough to do the latter, a lot harder to do the former, especially if you pick a big fish with muscle to push an investigation.
      • by vlk (775733)
        Certainly difficult, but not impossible, evidenced by the fact that extortion racket still exists, as does the money laundering business. But I do agree with you that the difficulty is probably more or less directly proportional to the resources of the victim.

        On a smaller scale, this could also be targeted against individual participants of said marketplace, or groups, for example those that sell a certain type of product or service.
        • Re: (Score:3, Interesting)

          by analog_line (465182)
          Extortion also only really works in cases where the appearance of normalcy is more important to other trust relationships of the victim than whatever payment the extorter requires. That, or they have no recourse to the local law enforcement authorities for some reason.

          From what I've heard, banks often get extorted successfully by Internet-based rings. They pay up, and shut up, because it's cheaper than the huge hit to the trust of their depositors in the institution. Look at what happened to Northern Roc
  • by Venik (915777) on Tuesday October 16, 2007 @03:55PM (#21000743)
    All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. Sounds like these "computer scientists" need to add a good attorney to their team, just to make sure it's the hackers and not them who ends up with a legal headache.
    • by skelly33 (891182)
      Whichever organization employs such methods will be exposing itself to lawsuits.

      Think about it.

      "That's right, your honor - the defendant slandered my cred though I was a legit merchant. I can demonstrate proof that I had a full one million stolen credit card accounts in my possession. At $7 each, that entitles me to $7,000,000 plus legal fees to cover the stolen data that I was so rudely prevented from selling by this infidel."

      There's a reason that organized criminals are not litigious...
      • by Venik (915777)
        This is not how it works. If your bot is posting information online with as much as a hint of any illegal activity on my part, and no court has yet found me guilty, it is called libel and you are exposing yourself to a lawsuit against which you cannot defend. Criminals may not be litigious, but it will take just one lawsuit to shut down your operation.
        • by skelly33 (891182)
          The burden of proof is on the prosecution. A legitimate operation should have no problem distancing themselves from simple attacks like you describe.
  • by nate nice (672391) on Tuesday October 16, 2007 @04:30PM (#21001265) Journal
    I've never really understood why there's this belief that criminals have trouble being honest. Often, a criminal is only such because society labels them that way and thus dishonest. But in reality, many of them are very nice people performing honest business transactions (unregulated at that!) for their clients. Many drug dealers, prostitutes, pirates, hackers, etc are very honest people in the sense they aren't scamming their customers. They will provide great value to them in fact.

    Supporters of the free market can look to the very successful black market as an example of unregulated trade working well. Often in the black market, as this article eludes to, your reputation is everything. So there is no benefit in ripping someone off.

    I've worked with many "honest", good people in my black market transactions.
    • by cfulmer (3166)
      Not scamming their customers, just everybody else. It's hard to reconcile the view of an 'honest person who happens to be engaged in something illegal' with identity theft, credit-card fraud and denial-of-service attacks.



    • Most criminals are only honest within their peer group. Probably because their peer group would likely kill them if they were not honest.

      The idea of an honest criminal only applies to victimless crimes such as drugs, prostitution, gambling, etc. (To people that insist that self crime is not victimless crimes: stop touching yourself)

    • by Durrok (912509)
      Like most humans, we are only as honest as our options. If you deceive 1,000 people but would never lie to a group of 10 close friends, does that really make you honest?
    • wow looks like you understand them very well. Maybe you could ask them to open a college to teach a new crime-to-be about honesty in business
  • by Anonymous Coward
    I'm surprised that the banks haven't got together a honeypot botnet of their own (have every employee put a honeypot mirror router on their home PC, etc.) to flood these criminal networks with bogus data. Major ISPs might even buy-in to make their customers look less desirable, and donate random portions of their IP allocations for this on some rotation. Fake millions of clicks on the phishing email web page links from millions of IP addresses, and submit a bunch of false data mixed with some monitored CC
  • Hope with this approach will help to prevent internet criminals... Says "NO" to INTERNET CRIMINALS...:-)
  • (shakes head at people referring to phishers and dealers in stolen ccards as "honest")

    There are some interesting ideas on this thread. The "flooding" idea is probably both the most legally defensible and cost effective response (hey, it's a real concern). I mean, you get pretty pissed when someone floods your inbox with 100 times as much crap as you get in content, imagine if you had to check each one to see if it was crap or content?

    People talk about just arresting the criminals - we have a pretty darned h
  • I think the most destructive part about this affair is that, well, it's out in the open. So we may never know if it indeed worked because Slashdot Et Al have spread the word. So complicated yet so blown...as many here have said, nothing's stopping the bad guys from using it on the good ones now.

    A workaround, for criminals, to this, I suppose is to make their existing operations a lot more secretive. No more E-Bay style auctioning or other easy and convenient routes of trade... to participate, you'd have

  • by Anonymous Coward
    Just look at the article photo of that bespectacled nerd. Unless he is Superman or Harry Potter himself, he better not mess with organized online criminals (at least half of whom are directly connected to the russian maffia). In response to the slander attack he proposed they will just find Mr. Geek, step on his eyeglasses and make him sleep with the fishes.

    OK, I know most geeks never slept with a girl, so they have no first-hand experience, but I can tell that you sleeping with fishes is even more dangerou
  • I'm working on methods to thwart cyber crime as well. I know I haven't provided any thing more than grotesquely vague details lacking any real substance, but just take my word on it.
  • I love the way that the researcher want to prove they are "honest" criminal. I think it's a good idea. As long as the criminal is honest I don't mind making business with them
    • Some people buying on the Internet are not honest. The most common method is to use a stolen credit card. Savvy business owners suggested the following tips. Always be tactful with your customers as they may have accidently given you an incorrect digit. If you are shipping to a different address than the credit card billing address, always do additional checking.
  • New Internet Security Threat Research Reveals that Hackers are Adopting New Business-Like Strategies to Successfully Perform Malicious Activity.
  • cybercrime continues to be driven by financial gain, cyber criminals are now utilising more professional attack methods, tools and strategies to conduct malicious activity. how to solve this from happening... phishing is one of the method used by the attacker to get victims personal information. do not give your personal information on net. don/t believe in the SPAM messages that will be sent to your emails.
  • A vulnerability was discovered in the ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM) component. The PAM module is a shared component of all current ISS host, server, and network protection software and devices. The flaw relates to incorrect parsing of the ICQ protocol which may lead to a buffer overflow condition.
  • i'm facing this problem very long ago and i don't know how to avoid this attacker from having my personal information. i never give any of my personal particulars to any spam messages... but still how????????
  • for god sake i really don get what question is about,thanks.
  • These troublesome entrepreneurs even offer tech support and free updates for their malicious creations that run the gamut from denial of service attacks designed to overwhelm Web sites and servers to data stealing Trojan viruses. All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. computer scientists people should add a good attorney to their team, just to make sure it's the hackers and not them who ends up
  • usually the user know where to find the source for what they need.. they also don't really care if the source is not legal or from black market.. so, if we concern about this when there are a lot of people who still do the wrongdoings things, what we should really do? a lot of people still doesn't have knowledge about it..
  • how this culprits manage to get our credit number and use it for their transaction, is there any way for us to prevent this
  • In 1995, a loosely knit group of low-level "hackers" was arrested for using computer systems to steal credit card numbers. In 1996, low-level intruders accessed $1.9 million in the Czech Republic. The funds were recovered.
  • Organized crime groups have moved into the banking industry at an unprecedented rate With Russian organized crime's infiltration of Russian banking systems comes their easy access to the international banking community
  • A common factor in almost all activity detected and analyzed to date is the lack of technical sophistication. Even so, many were detected by accident rather than any particular warning from proper security procedures.
  • vital that threat assessments be used to analyze, understand and monitor these changes and to develop a clear understand of risk.

Machines certainly can solve problems, store information, correlate, and play games -- but not with pleasure. -- Leo Rosten

Working...