WACCO 2020



2nd Workshop on Attackers and Cyber-Crime Operations

IEEE European Symposium on Security and Privacy 2020

September 7 - Virtual Conference

Important News - All-digital conference rescheduled
IEEE European Symposium on Security and Privacy 2020 conference is being rescheduled to September 7-11, 2020 and will be an all-digital conference.
More information can be found on the EuroS&P website

The emergence and commoditization of cyber-criminal activities calls for new empirical methods, measures, and technologies to quantify and understand offender operations across all forms of cyber-crime: from malware engineering and attack delivery, to running underground operations trading illegal goods such as drugs and illegal pornography, to spreading disinformation and planning (cyber-)terrorism operations. Without appropriate scientific measures of cyber-offender and attacker operations, capabilities, and resources, it remains impossible to derive sound policies, strategies and technologies that appropriately address realistic and evidence-based attacker and offender models.

The 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020) aims to provide a venue for research and discussion on cyber-criminal activities. WACCO 2020 is co-located with the 5th IEEE European Symposium on Security and Privacy (EuroS&P 2020).

Call for Papers

WACCO 2020 calls for all contributions aiming at providing methods, measures, metrics, and technologies or tools to quantitatively or qualitatively evaluate cyber-offenders and attackers from technical and non-technical angles. The workshop invites contributions from, but not limited to, the fields of computer science and computer security, criminology, psychology, law, and economics addressing this issue.
Topics of interest include, but are not limited to:

  • Empirical studies on attacker operations and communities
  • Novel methods to perform attacker measurements at scale across several communities
  • Cooperation and trust as a source of attackers’ effectiveness
  • Attackers’ skill set
  • Attackers’ operational security
  • Measuring the spread of false information campaigns on social media
  • Quantitative and qualitative methods to measure, track, and counter cybercrime
  • Cybercrime measurement and networks
  • Cybercrime policy
  • Economics of cybercrime
  • Profiling of cybercriminals
  • Security metric design and evaluation
  • Security patch measurement
  • Statistical exploration and prediction of security incidents
  • Open Source Intelligence and digital footprints

The workshop is co-located with the 5th IEEE European Symposium on Security and Privacy (EuroS&P 2020).

Important Dates

All deadlines are Anywhere on Earth (AoE = UTC-12h).

First cycle paper submissions due February 21, 2020   March 9, 2020 11:59 pm   [EXTENDED]
First cycle acceptance notice to authors April 10, 2020
Second cycle paper submissions due May 18, 2020
Second cycle acceptance notice to authors June 10, 2020
Camera ready for accepted papers June 24, 2020
Virtual Workshop September 7, 2020

Accepted Papers

Full Papers:

  • A Social Network Analysis and Comparison of Six Dark Web Forums

    Ildikó Pete, Jack Hughes, Yi Ting Chua and Maria Bada


  • A tight scrape: methodological approaches to cybercrime research data collection in adversarial environments

    Kieron Turk, Sergio Pastrana and Ben Collier


  • Growth and Commoditization of Remote Access Trojans

    Veronica Valeros and Sebastian Garcia


  • How can data from fitness trackers be obtained and analyzed with a forensic approach?

    Florian Hantke and Andreas Dewald


  • My Boss is Really Cool: Malware-Induced Misperception in Workplace Communication Through Covert Linguistic Manipulation of Emails

    Filipo Sharevski, Peter Jachim, Paige Treebridge, Audrey Li and Adam Babin


  • #ISIS vs #ActionCountersTerrorism: A Computational Analysis of Extremist and Counter-extremist Twitter Narratives

    Fatima Zahrah, Jason Nurse and Michael Goldsmith

Short Papers:

  • A Measurement Study on the Advertisements Displayed to Web Users Coming from the Regular Web and from Tor

    Dario Adriano Bermudez Villalva, Gianluca Stringhini and Mirco Musolesi


  • Are You a Favorite Target For Cryptojacking? A Case-Control Study On The Cryptojacking Ecosystem

    Giorgio Di Tizio and Chan Nam Ngo


  • Don’t Forget the Human: a Crowdsourced Approach to Automate Response and Containment Against Spear Phishing Attacks

    Pavlo Burda, Luca Allodi and Nicola Zannone


  • Knowledge is power: An analysis of discussions on hacking forums

    John McAlaney, Emily Kimpton and Helen Thackray


  • Mapping the Geography of Cybercrime: A Review of Indices of Digital Offending by Country

    Jonathan Lusthaus, Miranda Bruce and Nigel Phair


  • Towards Automatic Identification of Typosquatting Attacks in PyPI

    Duc Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate and Antonino Sabetta


Program


The workshop will have live talks (10 minutes presentation + 5 minutes Q&A). We will run a modified version of REFSQ where authors are asked to bootstrap the discussion with questions to other fellow presenters in a session.

Session 1: Scoping cybercrime

14:00 - 15:00 (Timezone: CEST (UTC+02:00))

A tight scrape: methodological approaches to cybercrime research data collection in adversarial environments - Abstract - Pre-print

14:00 - 14:15

Kieron Turk, Sergio Pastrana and Ben Collier

We outline in this article a study of ‘adversarial scraping’ for academic research, which involves the collection of data from websites that implement defences against traditional web scraping tools. Although this is primarily a research methods article, it also constitutes a valuable systematic accounting of the different defensive techniques used by the administrators of illicit online services. Some of these administrators intentionally implement functionality which attempts to prevent web scrapers from gathering data from their site, and some will unintentionally design their sites in ways that make data gathering harder. This is of particular importance for criminological research, where websites such as cryptomarkets and underground forums are publicly available (and hence there is an ethical case for data collection), but the illicit activity involved means that the administrators of these services limit scraping. We classify different anti-crawling techniques taken by websites and outline our developed countermeasures. Based on this, we evaluate which of these methods do and do not succeed at preventing data gathering from a website, as well as those which impact the scraper but do not necessarily prevent the data from being obtained. We find that there are some defences that, if used together, might thwart scraping. There are also a series of defences that are successful at slowing down scrapers, making historical scraping more difficult. On the other hand, we show that many defences are easy to work around and do not impact scraping.

#ISIS vs #ActionCountersTerrorism: A Computational Analysis of Extremist and Counter-extremist Twitter Narratives - Abstract

14:15 - 14:30

Fatima Zahrah, Jason Nurse and Michael Goldsmith

The rapid expansion of cyberspace has greatly facilitated the strategic shift of traditional crimes to online platforms. This has included malicious actors, such as extremist organisations, making use of online networks to disseminate propaganda and incite violence through radicalising individuals. In this article, we seek to advance current research by exploring how supporters of extremist organisations craft and disseminate their content, and how posts from counter-extremism agencies compare to them. In particular, this study will apply computational techniques to analyse the narratives of various pro-extremist and counter-extremist Twitter accounts, and investigate how the psychological motivation behind the messages compares between pro-ISIS and counter-extremism narratives. Our findings show that pro-extremist accounts often use different strategies to disseminate content (such as the types of hashtags used) when compared to counter-extremist accounts across different types of organisations, including accounts of governments and NGOs. Through this study, we provide unique insights into both extremist and counter-extremist narratives on social media platforms. Furthermore, we define several avenues for discussion regarding the extent to which counter-messaging may be effective at diminishing the online influence of extremist and other criminal organisations.

Mapping the Geography of Cybercrime: A Review of Indices of Digital Offending by Country - Abstract

14:30 - 14:45

Jonathan Lusthaus, Miranda Bruce and Nigel Phair

The acknowledgement that cybercrime offenders are embedded within local contexts presents a broad vector for further study. But research in this area is still in its early days and many topics need to be developed further. Foremost among these is the geography of cybercrime. This endeavour has an important policy contribution to make. For example, if we can determine which countries are producing cybercrime at more significant levels, preventative measures can be specifically targeted to those countries. The first step within such a research agenda must be the development of an index of cybercriminality by country, as this is foundational to identifying hubs of digital offending and the factors driving the emergence of these hubs. This paper is methodological in its contribution, and does not offer its own empirical findings. Instead, it aims to provide some broad foundational thinking for a very challenging research exercise, and it is intended to support later, more refined, efforts to develop indices. It consists of two components. First, it reviews existing attempts to identify and rank cybercrime hotspots. Second, it draws important lessons from these works towards developing a successful index. Some methodological points are made on what the way forward may be for this emerging field, and how a reliable and valid index on cybercriminality could be crafted.

Break & Discussion

14:45 - 15:00

Session Chair: Fabio Massacci (University of Trento)

Session 2: Tecno-social aspects of malware

15:00 - 16:00 (Timezone: CEST (UTC+02:00))

Growth and Commoditization of Remote Access Trojans - Abstract

15:00 - 15:15

Veronica Valeros and Sebastián García

In the last three decades there have been significant changes in the cybercrime world in terms of organization, type of attacks, and tools. Remote Access Trojans (RAT) are an intrinsic part of traditional cybercriminal activities but they have become a standard tool in advanced espionage and scams attacks. The overly specialized research in our community on Remote Access Trojans has resulted in a seemingly lack of general perspective and understanding on how RATs have evolved as a phenomenon. This work presents a new generalist perspective on Remote Access Trojans, an analysis of their growth in the last 30 years, and a discussion on how they have become a commodity in the last decade. We found that the amount of RATs increased drastically in the last ten years and that nowadays they have become standardized commodity products that are no very different from each other.

My Boss is Really Cool: Malware-Induced Misperception in Workplace Communication Through Covert Linguistic Manipulation of Emails - Abstract

15:15 - 15:30

Filipo Sharevski, Peter Jachim, Paige Treebridge, Audrey Li and Adam Babin

This paper introduces a social engineering attack called Malware-Induced Misperception (MIM). Social engineering attacks are usually carried over emails and ”phish” for the receiver’s assets, e.g. passwords. The MIM also uses email as an attack vector but instead ”phishes” for the receiver’s perception. Since email is one of the main lines of communication in a workplace, individuals are trained how to spot traditional phishing but not emails aiming to induce misperception. A study was conducted to test the effect of the MIM attack in covertly manipulating the perception of the individual’s working relationship in a realistic workplace email interaction (N = 173). The misperception-inducing malware was packaged as a browser extension that manipulated the ”politeness” formatting of an email request through covert linguistic rearrangements. The results indicate that the attack is capable of creating misperceptions that: (1) an email request seems more demanding than it actually is; and (2) the sender seems more polite and ”cool” than they actually are. The results also show that the attack nudges the receivers to match the level of politeness in their response to the one in the email request. The overall findings are consistent with the politeness theory applied in computer-mediated communication settings.

Don’t Forget the Human: a Crowdsourced Approach to Automate Response and Containment Against Spear Phishing Attacks - Abstract - Pre-print

15:30 - 15:45

Pavlo Burda, Luca Allodi and Nicola Zannone

Organizations are increasingly facing sophisticated social engineering attacks that exploit human vulnerabilities and overcome commonly available countermeasures. Spear-phishing campaigns are becoming the most prevalent attack and source of compromise for most organizations. We argue that existing prevention and detection countermeasures are fundamentally ineffective against this class of attacks. In this work, we propose a novel approach to address the limitations of existing countermeasures. Our proposition is a new course of action to exploit human detection capabilities as a basis of automated response strategies. Preliminary results unveil users’ mental models for phishing detection and reporting as a way to improve the phishing reporting process altogether. A real word case study is provided to promote the feasibility of our proposal.

Break & Discussion

15:45 - 16:00

Session Chair: Sergio Pastrana (University Carlos III of Madrid)

Session 3: Ecosystem measurements

16:00 - 17:00 (Timezone: CEST (UTC+02:00))

Knowledge is power: An analysis of discussions on hacking forums - Abstract

16:00 - 16:15

John McAlaney, Emily Kimpton and Helen Thackray

There remains a lack of understanding on the social factors that influence the behaviours and beliefs of people who have an interest in hacking. This research sought to address that gap by exploring the conversations that take place on hacking forums and subreddits. Text in hacking related threads was collected from these sites over a period of several months. Linguistic Inquiry and Word Count (LIWC) software was used to determine the linguistic characteristics of each forum/subreddit. Thematic analysis was then conducted on a subset of text from each source. The results of the LIWC analysis indicated that there are variations in several psychologically relevant factors between these forums and subreddits, including the degree to which users used language that indicated they were being honest, confident, analytical and emotional. There were several results that were inconsistent with stereotypes of hackers, such as a relative absence of language indicating anger. The thematic analysis identified several themes relating to knowledge, skills acquisition, honesty legality and risk. Overall, this research demonstrates that there exists an established online community of hackers, which are likely to be encountered by any young person who becomes interested in cybersecurity and hacking. These communities may potentially act as an important source of social support and social identity for their members. Understanding the dynamics of these communities may better help us steer people towards legitimate cybersecurity careers, where their passion and skills can be used for societal good.

A Social Network Analysis and Comparison of Six Dark Web Forums - Abstract

16:15 - 16:30

Ildikó Pete, Jack Hughes, Yi Ting Chua and Maria Bada

With increasing monitoring and regulation by platforms, communities with criminal interests are moving to the dark web, which hosts content ranging from whistleblowing and privacy, to drugs, terrorism, and hacking. Using post discussion data from six dark web forums we construct six interaction graphs and use social network analysis tools to study these underground communities. We observe the structure of each network to highlight structural patterns and identify nodes of importance through network centrality analysis. Our findings suggest that in the majority of the forums some members are highly connected and form hubs, while most members have a lower number of connections. When examining the posting activities of central nodes we found that most of the central nodes post in sub-forums with broader topics, such as general discussions and tutorials. These members play different roles in the different forums, and within each forum we identified diverse user profiles.

A Measurement Study on the Advertisements Displayed to Web Users Coming from the Regular Web and from Tor - Abstract

16:30 - 16:45

Dario Adriano Bermudez Villalva, Gianluca Stringhini and Mirco Musolesi

Online advertising is an effective way for businesses to find new customers and expand their reach to a great variety of audiences. Due to the large number of participants interacting in the process, advertising networks act as brokers between website owners and businesses facilitating the display of advertisements. Unfortunately, this system is abused by cybercriminals to perform illegal activities such as malvertising. In this paper, we perform a measurement of malvertising from the user point of view. Our goal is to collect advertisements from a regular Internet connection and using The Onion Router in an attempt to understand whether using different technologies to access the Web could influence the probability of infection. We compare the data from our experiments to find differences in the malvertising activity observed. We show that the level of maliciousness is similar between the two types of accesses. Nevertheless, there are significant differences related to the malicious landing pages delivered in each type of access. Our results provide the research community with insights into how ad traffic is treated depending on the way users access Web content.

Break & Discussion

16:45 - 17:00

Session Chair: Marie Vasek (University College London)

Session 4: Attack opportunities and deployment

17:00 - 17:45 (Timezone: CEST (UTC+02:00))

How can data from fitness trackers be obtained and analyzed with a forensic approach? - Abstract

17:00 - 17:15

Florian Hantke and Andreas Dewald

The use of Internet of Things devices is continuously increasing: People buy devices to make their lives more comfortable by using smart assistants or track sports activities and assess them. Moreover, these devices can support digital investigators with valuable information when it is involved in a crime scene, since its data may provide information about the circumstances of the crime. One group of those devices are fitness trackers, which hold data such as walked steps. Accordingly, analysts can see activities, routines, and inconsistencies. We inspected three different common fitness trackers and developed a tool to analyze them in a standardized and forensically sound way. To collect data, we analyzed the Bluetooth communication, data on the phone, and internet communication. Our tool can analyze the different sources automatically and subsequently presents the results on a self-hosted web application. It is open-source and easily scalable so that developers can implement new extensions to support more than the three analyzed trackers.

Towards Automatic Identification of Typosquatting Attacks in PyPI - Abstract - Pre-print

17:15 - 17:30

Duc Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate and Antonino Sabetta

Limited automated controls integrated into the Python Package Index (PyPI) package uploading process make PyPI an attractive target for attackers to trick developers into using malicious packages. Several times this goal has been achieved via the combosquatting and typosquatting attacks when attackers give malicious packages similar names to already existing legitimate ones. In this paper, we study the attacks, identify potential attack targets, and propose an approach to identify combosquatting and typosquatting package names automatically. The approach might serve as a basis for an automated system that ensures the security of the packages uploaded and distributed via PyPI.

Are You a Favorite Target For Cryptojacking? A Case-Control Study On The Cryptojacking Ecosystem - Abstract - Pre-print

17:30 - 17:45

Giorgio Di Tizio and Chan Nam Ngo

Illicitly hijacking visitors’ computational resources for mining cryptocurrency via compromised websites is a consolidated activity. Previous works mainly focused on large-scale analysis of the cryptojacking ecosystem, technical means to detect browser-based mining as well as economic incentives of cryptojacking. So far, no one has studied if certain technical characteristics of a website can increase (decrease) the likelihood of being compromised for cryptojacking campaigns. In this paper, we propose to address this unanswered question by conducting a case-control study with cryptojacking websites obtained crawling the web using Minesweeper. Our preliminary analysis shows some association for certain website characteristics, however, the results obtained are not statistically significant. Thus, more data must be collected and further analysis must be conducted to obtain a better insight into the impact of these relations.

Session Chair: Alice Hutchings (University of Cambridge)

Submission

Papers should be written in English and formatted following the IEEE guidelines for EuroS&P 2020 reported here. Papers must be typeset in LaTeX in A4 format (not "US Letter") using the IEEE conference proceeding template supplied by IEEE EuroS&P. We suggest you first compile the supplied LaTeX source as is, checking that you obtain the same PDF as the one supplied, and then write your paper into the LaTeX template, replacing the boilerplate text. Please do not use other IEEE templates. Failure to adhere to the page limit and formatting requirements can be grounds for rejection.
WACCO welcomes full as well as position papers for submission. Length limits are of 10 pages and 6 pages respectively. Position papers should present new open and interesting questions that the community should address or open questions that past research papers have not yet addressed. We expect position papers to be presented in panels or poster-platform sessions.

Anonymous submissions

Papers should be fully anonymized before review: author names or affiliations may not appear or be revealed in the text. Previous work of the authors should be referred to the third person. In the unusual case that an anonymous reference is not possible, the authors should blind the reference (e.g. “[x] Blinded citation to preserve submission anonymity”). Papers that are not properly anonymized may be desk rejected.

Publications

All papers will be published by IEEE CS and posted on the IEEE digital libraries. At least an author for each accepted paper is expected to present their paper at the workshop.

This year WACCO will adopt the REFSQ model for paper presentation, where authors and audience are structurally engaged in the discussion. As a highly multidisciplinary workshop, we expect this model to foster discussion and exchanges from a multitude of different perspectives. Presenting authors and members of the audience will be contacted by the chairs before the workshop for the (short) necessary preparations.

Submission site

Please submit your paper through EasyChair here.

Program Committee Co-chairs

Luca Allodi Eindhoven University of Technology
Alice Hutchings University of Cambridge
Fabio Massacci University of Trento
Sergio Pastrana University Carlos III of Madrid
Marie Vasek University College London

Organization

Publicity-Chair Giorgio Di Tizio University of Trento
Publicity-Chair Jack Hughes University of Cambridge

Program Committee

Registration

The workshop is co-located with the 5th IEEE European Symposium on Security and Privacy (EuroS&P 2020). To register please visit the registration page of the main event.