Slashdot Mirror
Attacking Criminal Networks On the Internet
Hugh Pickens writes "Computer Scientists at Carnegie Mellon University are developing techniques to analyze and disrupt black markets on the internet, where criminals sell viruses, stolen data, and attack services estimated to total more than $37 million for the seven-month period they studied. To stem the flow of stolen credit cards and identity data, researchers have proposed two technical approaches to reducing the number of successful market transactions. One approach to disrupting the network is a slander attack where an attacker eliminates the verified status of a buyer or seller through false defamation. Another approach undercuts the cyber-crooks' network by creating a deceptive sales environment. 'Just like you need to verify that individuals are honest on E-bay, online criminals need to verify that they are dealing with "honest" criminals,' says Jason Franklin, one of the researchers."
Syndicate
Pax,
Kilgore Trout
scruff mcgruff help take a bite out of e-crime.
Why not just implement violence support in ipv7? Who needs to undercut them, when you can uppercut (to the point of Toasty)?
As they have cracked every other attempt. I'll give it 2½ days :-)
If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
how do I get in touch with one of these criminals to inquire about their services? Is there a secret handshake I'm supposed to give to the guy at the McDonald's drivethru, and he writes an ip addy on my happy meal?
Let's have a look at a black market that has been around a little bit longer: drugs. Why hasn't anyone thought of using these techniques for disrupting this black market? Mhhhhm... okay.
So it looks like their plan is to infiltrate the sites used by these people, and discredit them? The only way to be able to discredit them is to get in contact with them somehow or visit a site they visit regularly. If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? What's the plan?
There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
How about... simply arresting the criminals?
I have the feeling that the police in general just don't care about online crime. Much of it can't be that hard to track down.
Say the spam in my inbox selling pirated copies of MS office. If you can transfer the money to them then you can find them.
Uh, what's to stop the bad guys from taking these techniques and using them against existing networks, e.g., E-bay?
I'm not sure I like this idea....
How long before the criminals turn around and use the same tools to disrupt legitimate (read: legal) marketplaces? More complex than a crude DDOS, more customizable, allows for a larger Profit!!! potential.
http://en.wikipedia.org/wiki/Defamation
You see two auctions, one for a kewl expensive collectable car. They look identical in the search page.
One of them has a very low buy-it-now listing, and a gmail address to contact to be a 'qualified' bidder.
Which one of them is fishing for your eBay creds? I see these all of the time; I collect and restore specific models of classic cars, and I see one of these almost every week. If you alert eBay through LiveChat, they'll usually take them down. But if you have report an auction through their mind-numbing 100 questions forms method, you'll never get a fraudulent auction done because you'll explode before you get to the end of forms-- none of which says--> HEY, THIS IS AN OBVIOUS FRAUD!
You can discredit sellers, but sellers have options to restore their dignity if they want to do this-- although it's tough. PayPal can also interecede, as can buyer credit sources. Resources, except in the complaints department, are tilted towards buyers. But that doesn't mean that there are loads of phish attempts. You find them in amusing places, like when I tried to surf for an Apple notebook, and there were a hundred auctions for the same machine-- if you bought the story about getting it shipped from Italy.
---- Teach Peace. It's Cheaper Than War.
All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. Sounds like these "computer scientists" need to add a good attorney to their team, just to make sure it's the hackers and not them who ends up with a legal headache.
Drug interdiction efforts in this country have been law enforcement based - interdict, arrest, trial, imprisonment. Intelligence is limited to that which can be used in court for trial - all else is forbidden.
The techniques referenced in the article are more in the style of warfare, where the objective isn't to arrest a lawbreaker, but defeat an enemy. Different rules apply. For instance, if an anonymous source gives you the key for Botnet A, you don't have to worry about gathering more evidence to be able to convict - just shut the sucker down, or poison it to turn on it's creators, etc.
The confusion between law enforcement and warfare is going to get worse and uglier as time goes on. And I'm not advocating using military thinking domestically on drug trafficking in the US - it doesn't work real well in foreign countries, and I think most drug laws themselves are misguided. But on botnets and international computer crimes? Oh yeah - it's definitely war.
"As God is my witness, I thought turkeys could fly." A. Carlson
You guys have both missed the real criminals ....
http://www.gop.org/
http://www.democrats.org/
of which the other two organizations you mention are wholly owned subsidiaries of these two, as is the other legislative and judicial branch are, along with most of the smaller regional syndicates.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
"If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? "
Choice A: Perform lengthy investigation, put in for extradition, wait forever, and then put on trial, all while said bad guy is still controlling and making money off his botnets.
Choice B: screw up bad guy's botnets so badly that he can't sell their services, causing him to spend more resources in the battle, until he gives up and picks an easier crime.
I'll take "B".
"As God is my witness, I thought turkeys could fly." A. Carlson
Far too much of the fabric of social networks-- and that includes the internet-- is built on the assumption that people avoid doing things exactly like what's being proposed here.
Or, to phrase it differently... Superman used to fight for "truth, justice, and the American way." If you're going to be one of the good guys, how about keeping "truth" in there... it's actually something very valuable.
http://www.geoffreylandis.com
I've never really understood why there's this belief that criminals have trouble being honest. Often, a criminal is only such because society labels them that way and thus dishonest. But in reality, many of them are very nice people performing honest business transactions (unregulated at that!) for their clients. Many drug dealers, prostitutes, pirates, hackers, etc are very honest people in the sense they aren't scamming their customers. They will provide great value to them in fact.
Supporters of the free market can look to the very successful black market as an example of unregulated trade working well. Often in the black market, as this article eludes to, your reputation is everything. So there is no benefit in ripping someone off.
I've worked with many "honest", good people in my black market transactions.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
I really don't think computer scientists are the best people to figure out how to infiltrate or disrupt criminal organizations. I mean, electrical engineers didn't try to figure out how phone based criminal networks operated; at best, they created technology to "listen in".
Seems to me this sort of thing should be left to the experts: criminologists, sociologists, and psychologists.
Thanks all for your support of the prosecution of this most dangerous group of individuals.
K. Trout, PatRIOT
If only there were people that would offer tantalizing but dishonest business deals. Ya, they could do it through email, or on some kind of online marketplace...
And if we could just find other people that would randomly make inflammatory accusations... basically just lurk in the shadows, and wait for unsuspecting victims. We could call them ogres, or maybe goblins...
Oh well, I guess even the internet isn't perfect.
This is about black markets, which may or may not be used by bad guys. When you talk about black markets, it's more of an us-vs-them situation, not a good-vs-evil situation.
This is merely warfare. There are no good guys or bad guys (well, they exist, but their moralities are are irrelevant for analysis, just as Nazi racism is irrelevant when talking about Blitzkrieg); there's just conflict of interest, and differing tactics meeting one another.
And good comes out of it, too. The "white" market is also under constant attack. If black markets are forced to deal with authentication issues, then eventually the technolo-- well, ok, not the technology, since it has been around for decades, but the social customs -- will spill over into the "white" market. Ultimately, explicit attacking of markets, out in the open where Joe Everyman can see it happening and understand it, will nudge all markets (including the ones that Good Guys just happen to operate within) to adapt. This can lead to a decrease in naivety.
When criminals have to go to extra trouble to check each other out before issuing trust, good guys will follow suit. Your next web browser might show better info about X509 cert issuers, for example, or support superior authentication schemes such as PGP. It might lead to the creation of distributed p2p networks where people vouch for one another's past histories, instead of relying on lame centralized servers like eBay.
Exactly, and that needs to change."Believe me!" -- Donald Trump
A government-funded body forcibly halting voluntary interactions is censorship.
Most criminals are only honest within their peer group. Probably because their peer group would likely kill them if they were not honest.
The idea of an honest criminal only applies to victimless crimes such as drugs, prostitution, gambling, etc. (To people that insist that self crime is not victimless crimes: stop touching yourself)
marines.com is actually a Marine Corps recruiting site. But since it's in .com, not .mil.us where it belongs or at least .mil or .gov, it's obviously a commercial organization.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
(Even more fun than null-routing them is using BGP to advertise a better route to their address, so the rest of the world also can't reach them, but of course any reputable ISP isn't going to let you do that.)
But spammers and phishers have known that for years - so spammer-friendly ISPs or hosting providers such as AGIS or OptInRealBig were easy to block, and it was easy to trace the people selling illegal goods, though you couldn't always prosecute them. So now they're using tricks like hosting their material on botnet armies (because you're not going to null-route a home broadband carrier whose customers might be hitting your customers' websites or who might be running P2P applications like gaming), and using DNS servers that are constantly changing the IP addresses they hand out so that any given zombie server's IP address is only exposed for a short time to a few people, so even if it gets blacklisted it'll only prevent a few hits.
So yeah, the spammers and phishers *are* dodging this.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
For instance, if a phisher is impersonating ExampleBank.com's website, it's perfectly fine for ExampleBank to impersonate suckers and go feed the phisher's site a million bogus bank account numbers and passwords that drop the phisher into their honeypot server as well as flooding the phisher's supply of account info from real suckers so it's harder to sell. And it's also mostly ok for ExampleCreditCard.com to feed the phisher a bunch of bogus credit or debit card numbers, though that's not as safe, because there's some risk that they'll use them at merchants who don't verify the card online if they've got the expiration date and security code.
Is it ok for ExampleCreditCard to sell the phishers a bunch of bogus card info? That's a tougher call - aside from avoiding illegal entrapment, the card company probably needs to take some losses by accepting those card numbers for small transactions because the card number buyer will do some testing, and otherwise they're likely to burn some legitimate merchants.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Sort of like baiting 419 scammers into showing up on webcams, except on an industrial scale.
Hope with this approach will help to prevent internet criminals... Says "NO" to INTERNET CRIMINALS...:-)
(shakes head at people referring to phishers and dealers in stolen ccards as "honest")
There are some interesting ideas on this thread. The "flooding" idea is probably both the most legally defensible and cost effective response (hey, it's a real concern). I mean, you get pretty pissed when someone floods your inbox with 100 times as much crap as you get in content, imagine if you had to check each one to see if it was crap or content?
People talk about just arresting the criminals - we have a pretty darned high bar for prosecution, and it requires a lot of man-hours for each case. To the point where, extradition issues aside, there simply aren't enough resources.
Yeah, it would be nice if there were. But there aren't, and I don't think we want to substantially lower the barriers to prosecution when we can just flood at least a portion of the crooks out of the market by making their work so time-consuming that it's unprofitable.
Yes, that applies less to DOS attackers, site hackers, and virus writers, and mainly to phishers and CC bandits of various kinds. The former still require those pesky investigations, but the population appears to be smaller.
It might not be a bad idea to simply monitor these "reputation systems" and target the highest rep d00dz for prosecution - make it unattractive to advertise for work in that field (it is illegal, after all).
I think the most destructive part about this affair is that, well, it's out in the open. So we may never know if it indeed worked because Slashdot Et Al have spread the word. So complicated yet so blown...as many here have said, nothing's stopping the bad guys from using it on the good ones now.
A workaround, for criminals, to this, I suppose is to make their existing operations a lot more secretive. No more E-Bay style auctioning or other easy and convenient routes of trade... to participate, you'd have to be privy to codewords and the like. And we're sort of back to square 1. Yes, the fun that was e-commerce dissipates but then again, that was never the main aim was it?
Just my 2 cents. :)
Just look at the article photo of that bespectacled nerd. Unless he is Superman or Harry Potter himself, he better not mess with organized online criminals (at least half of whom are directly connected to the russian maffia). In response to the slander attack he proposed they will just find Mr. Geek, step on his eyeglasses and make him sleep with the fishes.
OK, I know most geeks never slept with a girl, so they have no first-hand experience, but I can tell that you sleeping with fishes is even more dangerous to your health. Syphillis can be treated, HIV symptoms can be controlled but a slab of concrete cast around your legs never goes away, frankly.
Remmeber that american who went to Nigeria to find out about 419 scammers and ended up in a coffin, dismembered? Those negro are very docily compared to the ethnic jews who run the russian mafia!
Credit card fraud is a growing problem for online businesses and can hurt our business in many ways. Fraudulent credit card transactions are costing e-commerce businesses many millions of dollars annually. So, it is very important to verify the cardholder's identity. We can use software programs to detect fraudulent orders or we can manually check each transaction for possible fraud. Here are some steps that we can take as a merchant to reduce credit card fraud: 1) Check the buyers IP Address Location. Does this location match the cardholder's location? 2) Check the buyers e-mail domain. Criminals will use a free e-mail provider. 3) IP Address indicating anonymous or open proxies? 4) Check the bank identification number. 5) Call the credit card holder. You can ask the cardholder to verify the order. 6) Fax authorization with signature. You can ask the cardholder to verify the order by sending a signed fax. 7) Make your anti-fraud policy visible. 8) Utilize anti-fraud services.
In my opinion we cant fully curb network criminals as there are many ways and in each system there is a leak where someone can do their criminals work,for example we take credit card fraud.Credit card fraud is a growing problem for online businesses and can hurt your business in many ways.You can use software programs to detect fraudulent orders or you can manually check each transaction for possible fraud.
the only way to discredit them is to get in contact with them somehow or visit a site they visit regularly.
I'm working on methods to thwart cyber crime as well. I know I haven't provided any thing more than grotesquely vague details lacking any real substance, but just take my word on it.
Any half-decently configured web server isn't going to die if it gets a million hits over a couple of days, though it may reject some of the connection attempts if you overdo it. (For one day, that's about 11 hits/second, around 100kbps - 1 Mbps depending on how dense the input format is.) And while some hosting services blow out their bandwidth quota if they get more than 1-10GB per month, which is about how much you'd be sending, and either charge too much or (for free hosting) shut down for the month because of overuse, the perp is attempting to be in a profit-making business just like anybody else whose site becomes popular, and he's also spending a lot more bandwidth sending out email to people who don't reply. Many phishing servers are on zombies on residential broadband services, and some of them throttle down to 64kbps but don't also block home web servers, which could inconvenience the real owner or lead to a bandwidth-abuse contact from the owner's ISP; in either case that may be the only warning the owner has that he's become a zombie and needs to clean up. And in practice, zombie-based servers are usually run from a fast-flux DNS server so the load gets spread around a lot of different zombies.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I love the way that the researcher want to prove they are "honest" criminal. I think it's a good idea. As long as the criminal is honest I don't mind making business with them
New Internet Security Threat Research Reveals that Hackers are Adopting New Business-Like Strategies to Successfully Perform Malicious Activity.
cybercrime continues to be driven by financial gain, cyber criminals are now utilising more professional attack methods, tools and strategies to conduct malicious activity. how to solve this from happening... phishing is one of the method used by the attacker to get victims personal information. do not give your personal information on net. don/t believe in the SPAM messages that will be sent to your emails.
A vulnerability was discovered in the ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM) component. The PAM module is a shared component of all current ISS host, server, and network protection software and devices. The flaw relates to incorrect parsing of the ICQ protocol which may lead to a buffer overflow condition.
i'm facing this problem very long ago and i don't know how to avoid this attacker from having my personal information. i never give any of my personal particulars to any spam messages... but still how????????
for god sake i really don get what question is about,thanks.
These criminals can really make lots of money out of others pocket. .. few personel information and there you go a criminal smilling wide on street.
These troublesome entrepreneurs even offer tech support and free updates for their malicious creations that run the gamut from denial of service attacks designed to overwhelm Web sites and servers to data stealing Trojan viruses. All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. computer scientists people should add a good attorney to their team, just to make sure it's the hackers and not them who ends up with a legal headache..
usually the user know where to find the source for what they need.. they also don't really care if the source is not legal or from black market.. so, if we concern about this when there are a lot of people who still do the wrongdoings things, what we should really do? a lot of people still doesn't have knowledge about it..
how this culprits manage to get our credit number and use it for their transaction, is there any way for us to prevent this
have you ever e mailed a message to more than one person?
some method go too far and are known as "search engine spamming" , "spamdexing" , and "spammage".
jesus is not a spammer..was..How to become a christian.
In 1995, a loosely knit group of low-level "hackers" was arrested for using computer systems to steal credit card numbers. In 1996, low-level intruders accessed $1.9 million in the Czech Republic. The funds were recovered.
Organized crime groups have moved into the banking industry at an unprecedented rate With Russian organized crime's infiltration of Russian banking systems comes their easy access to the international banking community
A common factor in almost all activity detected and analyzed to date is the lack of technical sophistication. Even so, many were detected by accident rather than any particular warning from proper security procedures.
vital that threat assessments be used to analyze, understand and monitor these changes and to develop a clear understand of risk.
Because "spam" - junk e-mail - is so cheap and easy to create, fraudsters increasingly use it to find investors for bogus investment schemes or to spread false information about a company.
be a genius and you are consider a computer hacker
arrest them before they arrest our money
Some people buying on the Internet are not honest. The most common method is to use a stolen credit card. Savvy business owners suggested the following tips. Always be tactful with your customers as they may have accidently given you an incorrect digit. If you are shipping to a different address than the credit card billing address, always do additional checking.