Rebekah Overdorf,Carmela Troncoso,Rachel Greenstadt,Damon McCoy

DOI: https://doi.org/10.48550/arXiv.1805.04494

2018-05-12

Abstract:Underground forums where users discuss, buy, and sell illicit services and goods facilitate a better understanding of the economy and organization of cybercriminals. Prior work has shown that in particular private interactions provide a wealth of information about the cybercriminal ecosystem. Yet, those messages are seldom available to analysts, except when there is a leak. To address this problem we propose a supervised machine learning based method able to predict which public \threads will generate private messages, after a partial leak of such messages has occurred. To the best of our knowledge, we are the first to develop a solution to overcome the barrier posed by limited to no information on private activity for underground forum analysis. Additionally, we propose an automate method for labeling posts, significantly reducing the cost of our approach in the presence of real unlabeled data. This method can be tuned to focus on the likelihood of users receiving private messages, or \threads triggering private interactions. We evaluate the performance of our methods using data from three real forum leaks. Our results show that public information can indeed be used to predict private activity, although prediction models do not transfer well between forums. We also find that neither the length of the leak period nor the time between the leak and the prediction have significant impact on our technique's performance, and that NLP features dominate the prediction power.

Cryptography and Security

Yan Leng,Yijun Chen,Xiaowen Dong,Junfeng Wu,Guodong Shi

DOI: https://doi.org/10.2139/ssrn.3875878

2021-01-01

SSRN Electronic Journal

Abstract:There exists a growing concern about the privacy threats inherently encoded in the increasingly available behavioral data. In this paper, we focus on online service providers over which users reveal preferences (e.g., ratings or reviews) as publicly available behavioral data. We model users' strategic interactions in making these decisions as quadratic games on networks, where a user's payoff depends not only on their actions but also on their neighbors in a social interaction network. Based on the assumption that the observed preferences correspond to the Nash equilibrium of the game, we investigate whether eavesdroppers or competitors having access to such behavioral data could potentially infer or even thoroughly learn the hidden social interaction network from the observed user actions, leading to privacy risks at a system level for the platform. We introduce three notions of privacy risks on networks: fundamental privacy, conditional privacy, and practical privacy. We establish necessary and sufficient conditions for fundamental and conditional privacy of the social interaction structure, suggesting that at the system level, such interaction structure is not facing a critical risk of being fully exposed regardless of the amount of data available. To study practical privacy, we further propose and analyze a novel learning framework by solving a joint optimization problem for the network structure and the individual marginal benefits in the game. Extensive experiments on synthetic and real-world data demonstrate the effectiveness of the proposed framework, hence illustrating that behavioral data indeed present substantial privacy risks in practice. Broadly, this study enriches the network privacy literature and provides implications for online platforms by revealing the unexpected consequence of leaking network connections due to public consumer revealed preferences.

Michele Campobasso,Radu Rădulescu,Sylvan Brons,Luca Allodi

DOI: https://doi.org/10.48550/arXiv.2306.05898

2023-06-13

Abstract:The criminal underground is populated with forum marketplaces where, allegedly, cybercriminals share and trade knowledge, skills, and cybercrime products. However, it is still unclear whether all marketplaces matter the same in the overall threat landscape. To effectively support trade and avoid degenerating into scams-for-scammers places, underground markets must address fundamental economic problems (such as moral hazard, adverse selection) that enable the exchange of actual technology and cybercrime products (as opposed to repackaged malware or years-old password databases). From the relevant literature and manual investigation, we identify several mechanisms that marketplaces implement to mitigate these problems, and we condense them into a market evaluation framework based on the Business Model Canvas. We use this framework to evaluate which mechanisms `successful' marketplaces have in place, and whether these differ from those employed by `unsuccessful' marketplaces. We test the framework on 23 underground forum markets by searching 836 aliases of indicted cybercriminals to identify `successful' marketplaces. We find evidence that marketplaces whose administrators are impartial in trade, verify their sellers, and have the right economic incentives to keep the market functional are more likely to be credible sources of threat.

Cryptography and Security,Computers and Society,Social and Information Networks

Zhao Kangzhi,Zhang Yong,Xing Chunxiao,Li Weifeng,Chen Hsinchun

DOI: https://doi.org/10.1109/ISI.2016.7745450

2016-01-01

Abstract:With the rapid growth of online population, China has become the world's largest online market. This also gives rise to the Chinese underground market, which has facilitated many of the cybercrimes in China. Consequently, there is a need for research scrutinizing Chinese underground markets. One major challenge facing cybersecurity researchers is to understand the unfamiliar cybercriminal jargons. To this end, we are motivated to analyze jargons in Chinese underground market. Particularly, we utilize the recent advancements in unsupervised machine learning methods, word embedding and Latent Dirichlet Allocation. We evaluate our work on a research testbed encompassing 29 exclusive underground market QQ groups with 23,000 members. Specifically, we test the ability of the proposed approach to learn semantically similar words of known cybersecurity-related jargons. Results suggest the state-of-the-art unsupervised learning approaches can help better understand cybercriminal language, providing promising insights for future research on Chinese underground markets.

Ziming Zhao,Gail-Joon Ahn,Hongxin Hu,Deepinder Mahi

2012-01-01

Abstract:Existing research on net-centric attacks has focused on the detection of attack events on network side and the removal of rogue programs from client side. However, such approaches largely overlook the way on how attack tools and unwanted programs are developed and distributed. Recent studies in underground economy reveal that suspicious attackers heavily utilize online social networks to form special interest groups and distribute malicious code. Consequently, examining social dynamics, as a novel way to complement existing research efforts, is imperative to systematically identify attackers and tactically cope with net-centric threats. In this paper, we seek a way to understand and analyze social dynamics relevant to net-centric attacks and propose a suite of measures called SocialImpact for systematically discovering and mining adversarial evidence. We also demonstrate the feasibility and applicability of our approach by implementing a proof-of-concept prototype Cassandra with a case study on real-world data archived from the Internet.

Luca Allodi,Roy Ricaldi,Jai Wientjes,Adriana Radu

2024-11-25

Abstract:The cybercriminal underground consists of hundreds of forum communities that function as marketplaces and information-exchange platforms for both established and wannabe cybercriminals. The ecosystem is continuously evolving, with users migrating between forums and platforms. The emergence of cybercrime communities in Telegram and Discord only highlights the rising fragmentation and adaptability of the ecosystem. In this position paper, we explore the economic incentives and trust-building mechanisms that may drive a participant (hereafter, Dmitry) of the cybercriminal underground ecosystem to migrate from one forum or platform to another. What are the market signals that matter to Dmitry's decision of joining a specific community, and what roles and purposes do these communities or platforms play within the broader ecosystem? Ultimately, we build towards our thesis that by studying these mechanisms we could explain, and therefore act upon, Dmitry's choice of joining a criminal community rather than another. To build this argument, we first discuss previous work evaluating differences in trust signals depicted in criminal forums. We then present preliminary results evaluating criminal channels on Telegram using those same lenses. Further, we analyze the different roles these channels play in the criminal ecosystem. We then discuss implications for future research.

Cryptography and Security

Felipe Moreno-Vera

DOI: https://doi.org/10.1109/ICTC58733.2023.10393244

2024-05-07

Abstract:The increasing sophistication of cyber threats necessitates proactive measures to identify vulnerabilities and potential exploits. Underground hacking forums serve as breeding grounds for the exchange of hacking techniques and discussions related to exploitation. In this research, we propose an innovative approach using topic modeling to analyze and uncover key themes in vulnerabilities discussed within these forums. The objective of our study is to develop a machine learning-based model that can automatically detect and classify vulnerability-related discussions in underground hacking forums. By monitoring and analyzing the content of these forums, we aim to identify emerging vulnerabilities, exploit techniques, and potential threat actors. To achieve this, we collect a large-scale dataset consisting of posts and threads from multiple underground forums. We preprocess and clean the data to ensure accuracy and reliability. Leveraging topic modeling techniques, specifically Latent Dirichlet Allocation (LDA), we uncover latent topics and their associated keywords within the dataset. This enables us to identify recurring themes and prevalent discussions related to vulnerabilities, exploits, and potential targets.

Cryptography and Security,Artificial Intelligence,Computers and Society,Machine Learning

Felipe Moreno-Vera,Mateus Nogueira,Cainã Figueiredo,Daniel Sadoc Menasché,Miguel Bicudo,Ashton Woiwood,Enrico Lovat,Anton Kocheturov,Leandro Pfleger de Aguiar

2023-08-04

Abstract:This paper proposes a machine learning-based approach for detecting the exploitation of vulnerabilities in the wild by monitoring underground hacking forums. The increasing volume of posts discussing exploitation in the wild calls for an automatic approach to process threads and posts that will eventually trigger alarms depending on their content. To illustrate the proposed system, we use the CrimeBB dataset, which contains data scraped from multiple underground forums, and develop a supervised machine learning model that can filter threads citing CVEs and label them as Proof-of-Concept, Weaponization, or Exploitation. Leveraging random forests, we indicate that accuracy, precision and recall above 0.99 are attainable for the classification task. Additionally, we provide insights into the difference in nature between weaponization and exploitation, e.g., interpreting the output of a decision tree, and analyze the profits and other aspects related to the hacking communities. Overall, our work sheds insight into the exploitation of vulnerabilities in the wild and can be used to provide additional ground truth to models such as EPSS and Expected Exploitability.

Cryptography and Security,Machine Learning

Victor Adewopo,Bilal Gonen,Said Varlioglu,Murat Ozer

DOI: https://doi.org/10.48550/arXiv.2001.02300

2020-01-07

Cryptography and Security

Abstract:The availability of sophisticated technologies and methods of perpetrating criminogenic activities in the cyberspace is a pertinent societal problem. Darknet is an encrypted network technology that uses the internet infrastructure and can only be accessed using special network configuration and software tools to access its contents which are not indexed by search engines. Over the years darknets traditionally are used for criminogenic activities and famously acclaimed to promote cybercrime, procurements of illegal drugs, arms deals, and cryptocurrency markets. In countries with oppressive regimes, censorship of digital communications, and strict policies prompted journalists and freedom fighters to seek freedom using darknet technologies anonymously while others simply exploit it for illegal activities. Recently, MIT's Lincoln Laboratory of Artificial Intelligence augmented a tool that can be used to expose illegal activities behind the darknet. We studied relevant literature reviews to help researchers to better understand the darknet technologies, identify future areas of research on the darknet and ultimately to optimize how data-driven insights can be utilized to support governmental agencies in unraveling the depths of darknet technologies. This paper focuses on the use of the internet for crimes, deanonymization of TOR-services, darknet a new digital street for illicit drugs, research questions and hypothesis to guide researchers in further studies. Finally, in this study, we propose a model to examine and investigate anonymous online illicit markets.

Soumajyoti Sarkar,Mohammad Almukaynizi,Jana Shakarian,Paulo Shakarian

DOI: https://doi.org/10.1007/s13278-019-0603-9

2019-09-30

Social Network Analysis and Mining

Abstract:With the rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting enterprise-related external cyber attacks. We use both unsupervised and supervised learning models that address the challenges that come with the lack of enterprise attack metadata for ground-truth validation as well as insufficient data for training the models. We validate our models on a binary classification problem that attempts to predict cyber attacks on a daily basis for an organization. Using several controlled studies on features leveraging the network structure, we measure the extent to which the indicators from the darkweb forums can be successfully used to predict attacks. We use information from 53 forums in the darkweb over a span of 17 months for the task. Our framework to predict real-world organization cyber attacks of three different security events suggests that focusing on the reply path structure between groups of users based on random walk transitions and community structures has an advantage in terms of better performance solely relying on forum or user posting statistics prior to attacks.

Masarah Paquet-Clouston,Serge-Olivier Paquette,Sebastián García,María José Erquiaga

DOI: https://doi.org/10.1093/cybsec/tyac010

2022-02-03

Abstract:Many activities related to cybercrime operations do not require much secrecy, such as developing websites or translating texts. This research provides indications that many users of a popular public internet marketing forum have connections to cybercrime. It does so by investigating the involvement in cybercrime of a population of users interested in internet marketing, both at a micro and macro scale. The research starts with a case study of three users confirmed to be involved in cybercrime and their use of the public forum where users share information about online advertising. It provides a first glimpse that some business with cybercrime connection is being conducted in the clear. The study then pans out to investigate the forum population's ties with cybercrime by finding crossover users, who are users from the public forum who also comment on cybercrime forums. The cybercrime forums on which they discuss are analyzed and crossover users' strength of participation is reported. Also, to assess if they represent a sub-group of the forum population, their posting behavior on the public forum is compared with that of non-crossover users. This blend of analyses shows that (i) a minimum of 7.2% of the public forum population are crossover users that have ties with cybercrime forums; (ii) their participation in cybercrime forums is limited; and (iii) their posting behavior is relatively indistinguishable from that of non-crossover users. This is the first study to formally quantify how users of an internet marketing public forum, a space for informal exchanges, have ties to cybercrime activities. We conclude that crossover users are a substantial part of the population in the public forum, and, even though they have thus far been overlooked, their aggregated effect in the ecosystem must be considered.

Computers and Society,Cryptography and Security

Hanjo D. Boekhout,Arjan A.J. Blokland,Frank W. Takes

2024-05-10

Abstract:In this work we focus on identifying key players in dark net cryptomarkets that facilitate online trade of illegal goods. Law enforcement aims to disrupt criminal activity conducted through these markets by targeting key players vital to the market's existence and success. We particularly focus on detecting successful vendors responsible for the majority of illegal trade. Our methodology aims to uncover whether the task of key player identification should center around plainly measuring user and forum activity, or that it requires leveraging specific patterns of user communication. We focus on a large-scale dataset from the Evolution cryptomarket, which we model as an evolving communication network. Results indicate that user and forum activity, measured through topic engagement, is best able to identify successful vendors. Interestingly, considering users with higher betweenness centrality in the communication network further improves performance, also identifying successful vendors with moderate activity on the forum. But more importantly, analyzing the forum data over time, we find evidence that attaining a high betweenness score comes before vendor success. This suggests that the proposed network-driven approach of modelling user communication might prove useful as an early warning signal for key player identification.

Social and Information Networks

Nasser Alsalami,Bingsheng Zhang

DOI: https://doi.org/10.1109/iwqos49365.2020.9213064

2020-01-01

Abstract:Public blockchains can be abused to covertly store and disseminate potentially harmful digital content which poses a serious regulatory issue. In this work, we show the severity of the problem by demonstrating that blockchains can be exploited to surreptitiously distribute arbitrary content. More specifically, all major blockchain systems use randomized cryptographic primitives, such as digital signatures and non-interactive zero-knowledge proofs; we illustrate how the uncontrolled randomness in such primitives can be maliciously manipulated to enable covert communication and hidden persistent storage. To clarify the potential risk, we design, implement and evaluate our technique against the widely-used ECDSA signature scheme, the CryptoNote's ring signature scheme, and Monero's ring confidential transactions. Importantly, the significance of the demonstrated attacks stems from their undetectability, their adverse effect on the future of decentralized blockchains, and their serious repercussions on users' privacy and crypto funds. Finally, we present a generic framework to immunize blockchains against these attacks.

Zhicong Chen,Xiang Meng,Cheng-Jun Wang

DOI: https://doi.org/10.1057/s41599-023-02424-0

2023-01-01

Humanities and Social Sciences Communications

Abstract:The users of the Dark Web require a secure and highly anonymous environment to exchange information while protecting their online privacy, which presents a privacy dilemma. This paper examines the digital footprints of user behavior on the three most popular cryptomarket forums on the Dark Web, namely Silk Road 1, Silk Road 2, and Agora. The results indicate that users who engage in more conversations and employ a wider range of vocabulary are more likely to discontinue their participation on the forum. Intriguingly, no significant relationship is found between network characteristics and user engagement. These findings emphasize that the risk of exposure within anonymous communities primarily stems from the potency of information rather than social connections, which sheds light on the privacy dilemma inherent in the Dark Web and provides deeper insights into the online user behavior surrounding anonymity-granting technologies on the Internet.

Weifeng Li,Hsinchun Chen,Jay F. Nunamaker

DOI: https://doi.org/10.1080/07421222.2016.1267528

IF: 7.582

2016-10-01

Journal of Management Information Systems

Abstract:The past few years have witnessed millions of credit/debit cards flowing through the underground economy and ultimately causing significant financial loss. Examining key underground economy sellers has both practical and academic significance for cybercrime forensics and criminology research. Drawing on social media analytics, we have developed the AZSecure text mining system for identifying and profiling key sellers. The system identifies sellers using sentiment analysis of customer reviews and profiles sellers using topic modeling of advertisements. We evaluated the AZSecure system on eight international underground economy forums. The system significantly outperformed all benchmark machine-learning methods on identifying advertisement threads, classifying customer review sentiments, and profiling seller characteristics, with an average F-measure of about 80 percent to 90 percent. In our case study, we identified the famous carder, Rescator, who was affiliated with the Target breach, and captured important seller characteristics in terms of product type, payment options, and contact channels. Our research leverages social media analytics to probe into the underground economy in order to help law enforcement target key sellers and prevent future fraud. It also contributes to our understanding of the use of information technology in detecting deception in online systems.

information science & library science,management,computer science, information systems

Hao Yang,Xiulin Ma,Kun Du,Zhou Li,Haixin Duan,Xiaodong Su,Guang Liu,Zhifeng Geng,Jianping Wu

DOI: https://doi.org/10.1109/sp.2017.11

2017-01-01

Abstract:Online underground economy is an important channel that connects the merchants of illegal products and their buyers, which is also constantly monitored by legal authorities. As one common way for evasion, the merchants and buyers together create a vocabulary of jargons (called "black keywords" in this paper) to disguise the transaction (e.g., "smack" is one street name for "heroin" [1]). Black keywords are often "unfriendly" to the outsiders, which are created by either distorting the original meaning of common words or tweaking other black keywords. Understanding black keywords is of great importance to track and disrupt the underground economy, but it is also prohibitively difficult: the investigators have to infiltrate the inner circle of criminals to learn their meanings, a task both risky and time-consuming. In this paper, we make the first attempt towards capturing and understanding the ever-changing black keywords. We investigated the underground business promoted through blackhat SEO (search engine optimization) and demonstrate that the black keywords targeted by the SEOers can be discovered through a fully automated approach. Our insights are two-fold: first, the pages indexed under black keywords are more likely to contain malicious or fraudulent content (e.g., SEO pages) and alarmed by off-the-shelf detectors, second, people tend to query multiple similar black keywords to find the merchandise. Therefore, we could infer whether a search keyword is "black" by inspecting the associated search results and then use the related search queries to extend our findings. To this end, we built a system called KDES (Keywords Detection and Expansion System), and applied it to the search results of Baidu, China's top search engine. So far, we have already identified 478,879 black keywords which were clustered under 1,522 core words based on text similarity. We further extracted the information like emails, mobile phone numbers and instant messenger IDs from the pages and domains relevant to the underground business. Such information helps us gain better understanding about the underground economy of China in particular. In addition, our work could help search engine vendors purify the search results and disrupt the channel of the underground market. Our co-authors from Baidu compared our results with their blacklist, found many of them (e.g., long-tail and obfuscated keywords) were not in it, and then added them to Baidu's internal blacklist.

Zhuge Jianwei,Gu Liang,Duan Haixin

2012-01-01

Abstract:China’s online underground economy supports a variety of cybercrimes and has expanded rapidly in recent years, but its structure and economic impact is not well understood.In this paper, we describe four distinct value chains for cybercrime and provide empirical analysis of their characteristics, thus presenting the current state and emerging trends of the criminal economy on the Chinese Internet. Our estimation shows that in 2011 the overall damage caused by the Chinese online underground economy exceeded 5.36 billion RMB (852 million USD) and it involved over 90,000 participants. Activity and participation in the online underground economy is expected to continue to rise in the future unless effective countermeasures are taken by law enforcement agencies. Through correlating four high profile cybercrime cases with activity in our datasets of underground markets, we show how it is possible to monitor …

Panpan Zheng,Shuhan Yuan,Xintao Wu,Yubao Wu

DOI: https://doi.org/10.48550/arXiv.1911.04620

2019-11-12

Abstract:The darknet markets are notorious black markets in cyberspace, which involve selling or brokering drugs, weapons, stolen credit cards, and other illicit goods. To combat illicit transactions in the cyberspace, it is important to analyze the behaviors of participants in darknet markets. Currently, many studies focus on studying the behavior of vendors. However, there is no much work on analyzing buyers. The key challenge is that the buyers are anonymized in darknet markets. For most of the darknet markets, We only observe the first and last digits of a buyer's ID, such as ``a**b''. To tackle this challenge, we propose a hidden buyer identification model, called UNMIX, which can group the transactions from one hidden buyer into one cluster given a transaction sequence from an anonymized ID. UNMIX is able to model the temporal dynamics information as well as the product, comment, and vendor information associated with each transaction. As a result, the transactions with similar patterns in terms of time and content group together as the subsequence from one hidden buyer. Experiments on the data collected from three real-world darknet markets demonstrate the effectiveness of our approach measured by various clustering metrics. Case studies on real transaction sequences explicitly show that our approach can group transactions with similar patterns into the same clusters.

Machine Learning,Computers and Society,Social and Information Networks

Haaroon Yousaf

DOI: https://doi.org/10.48550/arXiv.2203.14684

2022-03-28

Abstract:This thesis presents techniques to investigate transactions in uncharted cryptocurrencies and services. Cryptocurrencies are used to securely send payments online. Payments via the first cryptocurrency, Bitcoin, use pseudonymous addresses that have limited privacy and anonymity guarantees. Research has shown that this pseudonymity can be broken, allowing users to be tracked using clustering and tagging heuristics. Such tracking allows crimes to be investigated. If a user has coins stolen, investigators can track addresses to identify the destination of the coins. This, combined with an explosion in the popularity of blockchain, has led to a vast increase in new coins and services. These offer new features ranging from coins focused on increased anonymity to scams shrouded as smart contracts. In this study, we investigated the extent to which transaction privacy has improved and whether users can still be tracked in these new ecosystems. We began by analysing the privacy-focused coin Zcash, a Bitcoin-forked cryptocurrency, that is considered to have strong anonymity properties due to its background in cryptographic research. We revealed that the user anonymity set can be considerably reduced using heuristics based on usage patterns. Next, we analysed cross-chain transactions collected from the exchange ShapeShift, revealing that users can be tracked as they move across different ledgers. Finally, we present a measurement study on the smart-contract pyramid scheme Forsage, a scam that cycled $267 million USD (of Ethereum) within its first year, showing that at least 88% of the participants in the scheme suffered a loss. The significance of this study is the revelation that users can be tracked in newer cryptocurrencies and services by using our new heuristics, which informs those conducting investigations and developing these technologies.

Cryptography and Security

Pengcheng Xia,Zhou Yu,Kailong Wang,Kai Ma,Shuo Chen,Xiapu Luo,Yajin Zhou,Lei Wu,Guangdong Bai

2024-04-07

Abstract:The dark web has emerged as the state-of-the-art solution for enhanced anonymity. Just like a double-edged sword, it also inadvertently becomes the safety net and breeding ground for illicit activities. Among them, cryptocurrencies have been prevalently abused to receive illicit income while evading regulations. Despite the continuing efforts to combat illicit activities, there is still a lack of an in-depth understanding regarding the characteristics and dynamics of cryptocurrency abuses on the dark web. In this work, we conduct a multi-dimensional and systematic study to track cryptocurrency-related illicit activities and campaigns on the dark web. We first harvest a dataset of 4,923 cryptocurrency-related onion sites with over 130K pages. Then, we detect and extract the illicit blockchain transactions to characterize the cryptocurrency abuses, targeting features from single/clustered addresses and illicit campaigns. Throughout our study, we have identified 2,564 illicit sites with 1,189 illicit blockchain addresses, which account for 90.8 BTC in revenue. Based on their inner connections, we further identify 66 campaigns behind them. Our exploration suggests that illicit activities on the dark web have strong correlations, which can guide us to identify new illicit blockchain addresses and onions, and raise alarms at the early stage of their deployment.

Cryptography and Security