Understanding and Characterizing the Cybercriminal Ecosystem Enabling Attack Innovation at Scale

Eindhoven University of Technology, 2024-03
Campobasso, M.
PDF Slides

Abstract

The digitalization of our society has improved the quality of human life at large, but also created new opportunities for malicious (cyber) actors to exploit weaknesses of digital systems and to find new venues to perpetrate fraud. It is well known that a sizable portion of cybercriminals meet in hundreds of online communities (often in the so-called “dark” or “deep” web) to engage with like-minded individuals, share knowledge, and trade offensive tools and services. Monitoring and extracting information from these communities is a challenging task, yet crucial to obtain valuable threat intelligence, which can be used to better prepare against new threats and deploy tailored defenses to thwart attacks originating from the underground. Private sector and law enforcement agencies alike would then be able to better protect final users and societal institutions from the risks associated with criminal activities.

However, as of today it is unclear whether all hacking communities (generally in the form of forums) contribute equally to supporting cybercriminal activities and technological innovation. Many underground markets seem to trade only low-tech products such as old password leaks and obsolete malware that is immediately detected by most existing defenses. Still, cybercrime and its economic and societal impact increase year by year. Considering this, it is critical to investigate the properties of marketplaces in relation to the products they trade, to identify the characteristics that distinguish those where effective cybercriminal technology is traded from those where it is not. Lacking this ability may lead to biased threat intelligence or to overestimating the risks associated with petty crime or scammer activities. However, extracting forum data from underground criminal communities (particularly prominent ones) can be a non-trivial task, due to the scale of the phenomenon, their diversity in terms of access, interaction, and language, and the countermeasures they put in place against internet crawlers. Hence, we formulate the following research question:

How can we identify which cybercriminal marketplaces can support the trade of innovative offensive products and services, and how can we effectively monitor their activity to evaluate the threat they pose?

We first conduct a preliminary study on the segregation of underground marketplaces in relation to the maturity of the offensive tools and services they provision. We aggregate information from industry reports and scientific literature, and we corroborate these findings by manually exploring 13 underground markets. Our study finds indications that more segregated markets tend to offer more mature offensive tools, and that they tend to be better protected against unwanted access and monitoring activity. Following this, we must address the problem of circumventing the network monitoring performed by markets to detect and thwart automated data extraction. Therefore, we investigate crawler detection mechanisms to devise a method and implement a prototypical crawler (THREAT/crawl) for stealthy automated data collection from segregated underground markets. We design the crawler to offer a simplified supervised procedure to learn how to crawl a forum and what data to collect, and we test it against 7 live forums. We publicly release the code and documentation of the crawler.

Making use of the techniques and insights developed in the first stage of this work, we then investigate the presence of prominent threats in the underground. During our investigation across 30+ underground forums, we discover Genesis Market, an (at the time) emerging market offering a novel criminal service for Internet user impersonation at scale. After obtaining invitation codes to access the market from affiliate communities and users, we infiltrate it with multiple identities and use those to investigate its operations and derive a model of the threat it generates, which we call “Impersonation-as-a-Service” (IMPaaS). Further, we develop a specialized crawler based on THREAT/crawl to scrape the market’s whole offer, enabling us to assess the scale of the threat globally and to perform a statistical evaluation of product pricing in relation to product characteristics. We devise a rigorous statistical methodology based on dimensionality reduction and multi-factor analysis to account for the intrinsic limitations of data collection in this domain, to estimate market revenues, scale, and attacker (i.e., market customer) preferences, and to evaluate the overall threat posed. We conclude that Genesis is a mature marketplace, and that IMPaaS is a (now) established threat at scale that could be used as a convenient alternative for initial access to mount targeted attacks. The extracted datasets are available to interested researchers.

Finally, we condense the findings and insights from our research to investigate the characteristics of cybercriminal marketplaces trading innovative threats like IMPaaS. We identify issues typical of “markets for lemons” and derive the mitigating mechanisms employed by markets by manually investigating 20+ cybercriminal marketplaces and the relevant literature. We cast the obtained dimensions into a preliminary framework based on the Business Model Canvas to evaluate which business aspects affect the trade of innovative products. Our findings show that “functioning marketplaces” on average tend to be more segregated, scrutinize their sellers, and are concerned with offering a fair and competitive marketplace.

In conclusion, this thesis shows that the underground ecosystem is diverse, and that it is possible to identify and stealthily monitor the fraction that convincingly solves trade problems and drives innovation, thus obtaining more refined threat intelligence while better understanding the criminal decision-making process. Ultimately, we argue that identifying the factors that support innovation in the cybercriminal landscape has the potential to provide insights into criminal decision-making, hence allowing defenders to, potentially, be prepared for the “next big attack” before it arrives.