1 Understanding Spam Economics
Chris Kanich, Computer Science & Engineering, UC San Diego

2 Why study spam economics?
Computer security research focuses on technical mechanisms
Modern adversaries are motivated by economic mechanisms: crime pays!
Effective defenses should undermine the attacker's profit motive
Understanding the business processes underlying these attacks is the first step

3 Anatomy of a modern spam campaign (diagram: Marketers, Merchants, Users)

4 Spam marketer's business model
Spam fundamentally advertises goods for sale
Business model is direct marketing: revenue, conversion rate, delivery cost
Goal: characterize the revenue, how much and from where
Kanich et al. Spamalytics: an Empirical Analysis of Spam Marketing Conversion. ACM CCS 2008.

5 Modern spam delivery
Modern spam is delivered by botnets
Botmasters must trust their bots: every infected host receives the commands and templates, so a bot under an observer's control sees them too
The Storm botnet: high profile, 2007-2008
– MessageLabs: Storm sent 20% of all spam, April '08
– InformationWeek: Storm botnet more powerful than top supercomputers
Storm's architecture allowed botnet infiltration
– Observation from the spammer's point of view

6 The Storm botnet: spam template and instantiated messages
Template sent to the bot (the %^...^% macros are expanded freshly for each message):
Received: from %^C0%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnm^%.%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnm^%^% ([%^C6%^I^%.%^I^%.%^I^%.%^I^%^%]) by %^A^% with Microsoft SMTPSVC(%^Fsvcver^%); %^D^%
From:
To:
Subject: Say hello to bluepill!

One message generated from it:
Received: from auz.xwzww ([132.233.197.74]) by dsl-189-188-79-63.prod-infinitum.com.mx with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Feb 2008 16:33:44 -0800
From:
To: savage@cs.ucsd.edu
Subject: Say hello to bluepill!
(body link: spammerdomain1.com)

Sibling messages from the same template differ only in the generated fields: other random hostnames (e.g. dkjs.sgdsz) and other advertised domains (spammerdomain2.com, spammerdomain3.com).

7 Interposition on Storm
Goal: view and modify commands at proxy level
Approach: infect virtual machines, interpose at the network level
– GQ: containment-focused 'honeyfarm' environment
  - Transparent to host
  - Allows per-flow modification and filtering
– Reverse engineer the bot's operation:
  - Command & Control protocol
  - Communication protocol
  - Spam template language
  - Content scrambling algorithm
Kreibich et al. GQ: Practical Containment for Measuring Modern Malware Systems. IMC 2011

8 Instrumenting commands
Advertised domains in the spammer's template: spammerdomain.com, spammerdomain2.com, spammerdomain3.com
Rewritten by the interposition proxy to measurement domains: newdomain1.com, newdomain2.com, newdomain3.com
Before rewriting:
Received: from dkjs.sgdsz ([132.233.197.74]) by dsl-189-188-79-63.prod-infinitum.com.mx with Microsoft SMTPSVC(5.0.2195.6713); Wed, 6 Feb 2008 16:33:44 -0800
From:
To:
Subject: Say hello to bluepill!
(body link: spammerdomain3.com)
After rewriting: identical headers, body link now newdomain2.com
Same destinations, different URL

9 Spam conversion pipeline

Stage          Self-propagation ("Funny Joke")   Pharmaceuticals
Sent           123.7 M                           347.5 M
Accepted       31.2 M (25%)                      82.7 M (24%)
Visits         6,548 (0.005%)                    10,522 (0.003%)
Conversions    541 (0.0004%)                     28 (0.000008%)

(The slide's figure annotated the losses between stages as "Inbox", "Effects of blacklisting", "Unused", "Effective" and "Other filtering"; no numbers were given for those.)
Pharmaceuticals: about 12 M spam emails for one "purchase"
Funny Joke: about 1 in 10 visitors execute the binary

10 The spammer's bottom line
We tracked the contents of shopping carts
Using advertised prices, we can estimate the value of the purchases
– 28 purchases for $2,731 over 25 days, or about $100/day
We only interposed on a fraction of the workers
– Connected to approx. 1.5% of workers
– Extrapolated revenue: $7k/day for the entire botnet
– Yearly revenue: $1.5M at 50% commission

11 Customer handoff (diagram: Marketer to Merchant)


13 Eva Pharmacy
752,000 distinct visitor IPs
3,089 distinct cart additions

14 Everybody visits...
75% of all customers in the US
91% in Western countries

15 Product demand
71% "recreational"
29% non-recreational pharmaceuticals

16 Order composition
US visitors are 4x more likely to select non-recreational drugs than other Western visitors

17 Customer service
Customer service email includes the order ID#, e.g. 482065, 483939, 496427
Because the IDs advance with each order, sampling them over time reveals the merchant's order rate (next slide)

18 Order throughput inference (figure)

19 Dataset
156 orders over 2 months

20 From orders to revenue
Revenue = # orders x average order price
Caveats:
– Order completion rate
– How many of each drug are ordered
– Which drugs are ordered

21 From orders to revenue
Estimate is consistent with Rx-Promotion credit-card (CC) processor data
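The inference of slides 17 to 21, as an added example (not code from the talk or from the studies it summarizes): sampled (timestamp, order ID) pairs are fitted with a least-squares line whose slope is the order rate, then multiplied by an average cart value and an order completion rate, the caveat slide 20 raises. Only the order-ID values 482065, 483939 and 496427 and the 156-orders-over-two-months figure come from the slides; the timestamps, the example ID series, the $100 cart and the 70% completion rate below are constructed assumptions.

```python
"""Order-throughput inference from leaked sequential order IDs.

Added example for this transcript; not code from the talk or the studies.
The observation timestamps, prices and completion rate are constructed.
"""
from datetime import datetime, timedelta


def ids_are_monotonic(observations):
    """Sanity check: sorted by time, the IDs must never decrease.

    A decrease means the IDs are not one global counter (per-shop counters,
    randomisation, or a reset), and the slope estimate below is meaningless.
    """
    by_time = sorted(observations)
    return all(a[1] <= b[1] for a, b in zip(by_time, by_time[1:]))


def orders_per_day(observations):
    """Least-squares slope of order ID against time, in orders per day.

    observations: iterable of (datetime, order_id). Fitting a line through
    all samples, rather than dividing the first/last ID difference by the
    elapsed time, limits the damage done by a single mistyped ID.
    """
    obs = list(observations)
    if len(obs) < 2:
        raise ValueError("need at least two observations")
    if not ids_are_monotonic(obs):
        raise ValueError("order IDs are not monotonic in time")
    t0 = min(ts for ts, _ in obs)
    xs = [(ts - t0).total_seconds() / 86400.0 for ts, _ in obs]
    ys = [float(oid) for _, oid in obs]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0.0:
        raise ValueError("all observations share one timestamp")
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def daily_revenue(rate, avg_order_price, completion_rate=1.0):
    """orders/day x average price, scaled by the fraction of orders that are
    actually completed and paid (slide 20's completion-rate caveat)."""
    if not 0.0 <= completion_rate <= 1.0:
        raise ValueError("completion_rate must be in [0, 1]")
    return rate * avg_order_price * completion_rate


# Constructed series: a counter advancing exactly 150 orders/day, starting at
# an ID taken from slide 17 and sampled four times over ten days. Real data
# is noisier, which is why the fit above uses every sample.
START = datetime(2008, 2, 6, 16, 33, 44)  # assumed date, not from the slides
SAMPLE_OBSERVATIONS = [
    (START, 482065),
    (START + timedelta(days=3.5), 482590),
    (START + timedelta(days=7), 483115),
    (START + timedelta(days=10), 483565),
]

if __name__ == "__main__":
    rate = orders_per_day(SAMPLE_OBSERVATIONS)
    print(f"estimated throughput: {rate:.1f} orders/day")
    # $100 average cart and 70% completion are assumed, not measured, values.
    print(f"estimated revenue: ${daily_revenue(rate, 100.0, 0.7):,.0f}/day")
```

The monotonicity check is the part worth keeping in a real study: if a merchant uses per-storefront counters or randomised order numbers, the slope has no meaning, and the slide's validation against processor data is the only way to know. The defensive reading is the mirror image: exposing a global sequential order ID in customer email lets any customer measure your sales volume.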

22 Markets for Cybercrime Tools and Stolen Data (RAND report)

23 Black Markets
Black markets are on the rise
– Buy/sell malicious code, compromised machines, stolen data
In the past: hackers as ad hoc individuals, motivated by curiosity
Now: organized groups, highly sophisticated, motivated by profit
– Hierarchy and specialization of roles/responsibilities
Measurement is hard due to anonymous networks, encryption and cryptocurrency

24 Black vs Gray Markets
Black markets are created for cybercrime
– Deal in malicious software and stolen goods
Gray markets focus on the exchange of vulnerabilities and exploits
– Not illegal

25 Trends
Greater variety of products
– From stolen data and exploit kits to "stolen-to-order" property like intellectual property and zero-day exploits
Rise of as-a-service models
– Point-and-click interfaces, online tutorials
Accepting only cryptocurrencies
– Hard to track
Prices are falling because the supply is getting bigger

26 The Players
Varying levels of skill
– Anyone can enter the market, as targets have varying skill levels too
– Buying stolen goods and as-a-service attacks is easy
The highest skill is focused on specific targets
– Designing zero-day exploits
– Targeting specific intellectual property
– Hard to get to the higher layers; requires personal connections and good reputation

27 The Players
One expert's estimate:
– 70 percent individuals or small groups
– 20 percent criminal organizations
– 5 percent cyberterrorists
– 4 percent state-sponsored players
– 1 percent hacktivists ("pseudo cyberarmies," not Anonymous)
Groups of hackers organize together to combine skills and achieve a higher stake in the market

28 The Players
Sellers, buyers and intermediaries
– Buyers: individuals, criminal organizations, commercial vendors
– Intermediaries: verify and validate products and participants, facilitate transactions
Hierarchies and specialized roles: administrators → subject-matter experts (e.g., rootkits) → intermediaries, brokers, vendors → buyers

29 The Players
Mules needed for cash-out
– Use stolen credit cards or e-commerce accounts to extract money
– Complete wire transfers, ship stolen goods to a foreign address
– May be witting or unwitting participants

30 The Players (figure)

31 The Players: geography
Mostly from China, Latin America, Eastern Europe
– Rise in US participation
Different groups operate in distinct spaces
– Vietnamese: e-commerce
– Eastern Europeans and Americans: financial crime
– Chinese: intellectual property

32 Communication Channels
Digital:
– Bulletin-board-style web forums, email, and instant-messaging platforms that support both private messaging and open chat rooms (IRC, ICQ, Jabber, QQ)
E-commerce:
– Select goods and pay in cryptocurrency
Increased use of encryption, anonymizing networks and hosting their own servers

33 Communication Channels (figure)

34 As-a-service Model
In 2004 mainly used for adware and spyware
By 2008-2009 DDoS as a service ("booters") became popular
– Select goods and pay in cryptocurrency
Rise in rent-a-bot, placing custom code on them (also bought)
Malware is stealthier, more sophisticated
– Vendors will often guarantee the malware's lifespan before it is detected by antivirus

35 As-a-service Model
Some vendors can track use of their service/software
– Shut down anyone who is very noisy, to avoid detection by defenders
Rise in mobile malware
– More targets, easy to monetize

36 Goods (figures only)

40 Botnets and Black Markets

41 Botnets used for spamming, phishing, DDoS, password cracking, click fraud, cryptocurrency mining
– As proxies for stolen credit card purchases: bots from the same geographical area as the cardholder, to avoid triggering security alerts
– Some "web hosting" companies rent bots for exclusive use

42 At a Glance (figure)

43 Possible Countermeasures
– Bug bounty or incentive programs by software makers
– Convert black hats into white hats
– Fake goods for sale
– Honeypots for black markets
– Mandated encryption, password storage approach, chip-and-PIN credit cards

