{"title":"Monitoring a fast flux botnet using recursive and passive DNS: A case study","authors":"Dhia Mahjoub","doi":"10.1109/ECRS.2013.6805783","DOIUrl":"https://doi.org/10.1109/ECRS.2013.6805783","url":null,"abstract":"Fast flux, an evasion technique that has been around for years, continues to be widely used by cybercriminals today. In this case study, we describe a real-time monitoring and detection system that leverages recursive and passive DNS to track the Kelihos fast flux botnet. We track how the botnet grows its population of infected hosts, and detect, in real-time, the newest Kelihos fast flux domains that are being hosted by the botnet. Our analysis will present results on various components and attributes of the infrastructure leveraged by the Kelihos fast flux botnet. These include: domain TLD distribution, botnet geo-distribution, botnet daily cycles, distribution of operating systems used by the botnet machines, daily-discovered fast flux domains, domain and IP lifetime distribution, as well as specific examples of usage that highlight malicious campaigns.","PeriodicalId":110678,"journal":{"name":"2013 APWG eCrime Researchers Summit","volume":"76 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122516430","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sadia Afroz, Vaibhav Garg, Damon McCoy, R. Greenstadt
{"title":"Honor among thieves: A common's analysis of cybercrime economies","authors":"Sadia Afroz, Vaibhav Garg, Damon McCoy, R. Greenstadt","doi":"10.1109/ECRS.2013.6805778","DOIUrl":"https://doi.org/10.1109/ECRS.2013.6805778","url":null,"abstract":"Underground forums enable technical innovation among criminals as well as allow for specialization, thereby making cybercrime economically efficient. The success of these forums is contingent on collective action twixt a variety of stakeholders. What distinguishes sustainable forums from those that fail? We begin to address these questions by examining underground forums under an economic framework that has been used to prescribe institutional choices in other domains, such as fisheries and forests. This framework examines the sustainability of cybercrime forums given a self governance model for a common-pool resource. We analyze five distinct forums: AntiChat (AC), BadHackerZ (BH), BlackhatWorld (BW), Carders (CC), and L33tCrew (LC). Our analyses indicate that successful/sustainable forums: 1) have easy/cheap community monitoring, 2) show moderate increase in new members, 3) do not witness reduced connectivity as the network size increases, 4) limit privileged access, and 5) enforce bans or fines on offending members. We define success as forums demonstrating small world effect.","PeriodicalId":110678,"journal":{"name":"2013 APWG eCrime Researchers Summit","volume":"74 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131517558","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Folex: An analysis of an herbal and counterfeit luxury goods affiliate program","authors":"Mohammad Karami, Shiva Ghaemi, Damon McCoy","doi":"10.1109/ECRS.2013.6805782","DOIUrl":"https://doi.org/10.1109/ECRS.2013.6805782","url":null,"abstract":"The profitability of the underground criminal business of counterfeit or unauthorized products is a major funding source that drives the illegal online advertisement industry. While it is clear that underground online affiliate-based programs are profitable for their owners, the precise business operations of such organizations are unknown to a large extent. In this study, we present the results of our analysis of a replica and herbal supplements affiliate program based on leaked ground truth data. The dataset covers a period of over two years and includes more than $6 million in sale records for an affiliate program known as Tower of Power (TowPow) focusing on the herbal supplements and counterfeit luxury goods market. In this paper we provide a detailed empirical analysis of the participating affiliates, sales dynamics, revenue sharing, domain usage patterns and conversion rates.","PeriodicalId":110678,"journal":{"name":"2013 APWG eCrime Researchers Summit","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114656298","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Password advice shouldn't be boring: Visualizing password guessing attacks","authors":"L. Zhang-Kennedy, S. Chiasson, R. Biddle","doi":"10.1109/ECRS.2013.6805770","DOIUrl":"https://doi.org/10.1109/ECRS.2013.6805770","url":null,"abstract":"Users are susceptible to password guessing attacks when they create weak passwords. Despite an abundance of text-based password advice, it appears insufficient to help home users create strong memorable passwords. We propose that users would be empowered to make better password choices if they understood how password guessing attacks work through visual communication. We created three infographic posters and an online educational comic to help users to learn about the threats. We conducted two studies to assess their effectiveness. All four methods led to superior learning outcomes than the text-alone approach. Our pre-test questionnaires also highlighted that users' understanding of password guessing attacks is limited to a “target” mental model. One week after viewing our materials, the majority of users created strong sample passwords, and correctly described all three attacks: targeted, dictionary, and brute-force.","PeriodicalId":110678,"journal":{"name":"2013 APWG eCrime Researchers Summit","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128367524","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}