Attacking Criminal Networks On the Internet
Hugh Pickens writes "Computer Scientists at Carnegie Mellon University are developing techniques to analyze and disrupt black markets on the internet, where criminals sell viruses, stolen data, and attack services estimated to total more than $37 million for the seven-month period they studied. To stem the flow of stolen credit cards and identity data, researchers have proposed two technical approaches to reducing the number of successful market transactions. One approach to disrupting the network is a slander attack where an attacker eliminates the verified status of a buyer or seller through false defamation. Another approach undercuts the cyber-crooks' network by creating a deceptive sales environment. 'Just like you need to verify that individuals are honest on E-bay, online criminals need to verify that they are dealing with "honest" criminals,' says Jason Franklin, one of the researchers."
Syndicate
Pax,
Kilgore Trout
Why not just implement violence support in ipv7? Who needs to undercut them, when you can uppercut (to the point of Toasty)?
Help mcgruff by spreading lies and rumors in an attempt to get the criminals mad at each other? It's like spreading a rumor in prison that some inmate is an undercover cop.
I wonder if anyone is going to get killed over the rumors spread by this anti e-crime technique?
“Common sense is not so common.” — Voltaire
How do I get in touch with one of these criminals to inquire about their services? Is there a secret handshake I'm supposed to give to the guy at the McDonald's drive-thru, and he writes an IP addy on my happy meal?
So it looks like their plan is to infiltrate the sites used by these people, and discredit them? The only way to be able to discredit them is to get in contact with them somehow or visit a site they visit regularly. If we can find such a site...why don't we just find out who's using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? What's the plan?
There are two kinds of fool. One says 'This is old therefore good.' Another says 'This is new therefore better.' - Dean Ing
Uh, what's to stop the bad guys from taking these techniques and using them against existing networks, e.g., E-bay?
I'm not sure I like this idea....
How long before the criminals turn around and use the same tools to disrupt legitimate (read: legal) marketplaces? More complex than a crude DDOS, more customizable, allows for a larger Profit!!! potential.
If you can transfer the money to them then you can find them.
What about spam with no contact info? I posted about this once before, and someone responded with (I paraphrase) "spammers are like the rest of us; they forget to include attachments, too. When a spammer forgets, 6 million people find out about it."
I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing. It's like the spam is self aware and breeding. Or the spam churning robot is broken or something. I'd love to know what's behind this. Sometimes it's just the filter workaround "poetry", long lists of current event buzzwords, etc.
You see two auctions, one for a kewl expensive collectable car. They look identical in the search page.
One of them has a very low buy-it-now listing, and a gmail address to contact to be a 'qualified' bidder.
Which one of them is fishing for your eBay creds? I see these all of the time; I collect and restore specific models of classic cars, and I see one of these almost every week. If you alert eBay through LiveChat, they'll usually take them down. But if you have to report an auction through their mind-numbing 100 questions forms method, you'll never get a fraudulent auction done because you'll explode before you get to the end of forms-- none of which says--> HEY, THIS IS AN OBVIOUS FRAUD!
You can discredit sellers, but sellers have options to restore their dignity if they want to do this-- although it's tough. PayPal can also intercede, as can buyer credit sources. Resources, except in the complaints department, are tilted towards buyers. But that doesn't mean that there are loads of phish attempts. You find them in amusing places, like when I tried to surf for an Apple notebook, and there were a hundred auctions for the same machine-- if you bought the story about getting it shipped from Italy.
---- Teach Peace. It's Cheaper Than War.
All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. Sounds like these "computer scientists" need to add a good attorney to their team, just to make sure it's the hackers and not them who end up with a legal headache.
Drug interdiction efforts in this country have been law enforcement based - interdict, arrest, trial, imprisonment. Intelligence is limited to that which can be used in court for trial - all else is forbidden.
The techniques referenced in the article are more in the style of warfare, where the objective isn't to arrest a lawbreaker, but defeat an enemy. Different rules apply. For instance, if an anonymous source gives you the key for Botnet A, you don't have to worry about gathering more evidence to be able to convict - just shut the sucker down, or poison it to turn on its creators, etc.
The confusion between law enforcement and warfare is going to get worse and uglier as time goes on. And I'm not advocating using military thinking domestically on drug trafficking in the US - it doesn't work real well in foreign countries, and I think most drug laws themselves are misguided. But on botnets and international computer crimes? Oh yeah - it's definitely war.
"As God is my witness, I thought turkeys could fly." A. Carlson
You guys have both missed the real criminals ....
http://www.gop.org/
http://www.democrats.org/
of which the other two organizations you mention are wholly owned subsidiaries of these two, as is the other legislative and judicial branch are, along with most of the smaller regional syndicates.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
"If we can find such a site...why don't we just find out who's using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them?"
Choice A: Perform lengthy investigation, put in for extradition, wait forever, and then put on trial, all while said bad guy is still controlling and making money off his botnets.
Choice B: screw up bad guy's botnets so badly that he can't sell their services, causing him to spend more resources in the battle, until he gives up and picks an easier crime.
I'll take "B".
"As God is my witness, I thought turkeys could fly." A. Carlson
I've never really understood why there's this belief that criminals have trouble being honest. Often, a criminal is only such because society labels them that way and thus dishonest. But in reality, many of them are very nice people performing honest business transactions (unregulated at that!) for their clients. Many drug dealers, prostitutes, pirates, hackers, etc are very honest people in the sense they aren't scamming their customers. They will provide great value to them in fact.
Supporters of the free market can look to the very successful black market as an example of unregulated trade working well. Often in the black market, as this article alludes to, your reputation is everything. So there is no benefit in ripping someone off.
I've worked with many "honest", good people in my black market transactions.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
What do you mean I'm already "subscribed"?
kurzweil_freak
5th Kyu Genbukan Ninpo/KJJR student
Be the darkness that allows the light to shine.
They're probably trying to retrain the spam filters, in preparation for their next volley...
Most criminals are only honest within their peer group. Probably because their peer group would likely kill them if they were not honest.
The idea of an honest criminal only applies to victimless crimes such as drugs, prostitution, gambling, etc. (To people that insist that self crime is not a victimless crime: stop touching yourself)
marines.com is actually a Marine Corps recruiting site. But since it's in .com, not .mil.us where it belongs or at least .mil or .gov, it's obviously a commercial organization.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'm working on methods to thwart cyber crime as well. I know I haven't provided anything more than grotesquely vague details lacking any real substance, but just take my word on it.