WACCO 2023

Visualizing Cyber-Threats in Underground Forums

James Burroughs, Michal Tereszkowski-Kaminski and Guillermo Suarez-Tangil

In this paper, we develop a language-agnostic methodology to extract features of interest to an analyst from forum posts and visualize them in a way which facilitates identification and stratification of areas of interest in the forums, as well as further manual analysis of the text. We then apply this methodology to a specific Russian underground forum. The visualization acts as a 'thumbnail' for individual posts, conveying semantic metadata of post contents. By viewing the thumbnail, an analyst is provided with an immediate 'sense' of post length and key features present within a post, as well as their frequency and spatial arrangement. Using the generated visualizations of posts from the underground forum we speed up analyst identification of post subject matter by up to 72%. As a key novelty, we propose that the image output of our method has fractal properties that can be exploited when sorting threats and extracting highly technical posts. Thus, we use a method based on the Minkowski-Bouligand fractal dimension to prioritize analysis of posts which represent more sophisticated threats.

An Argument for Linguistic Expertise in Cyber Threat Analysis: LOLSec in Russian Language eCrime Landscape

Dalyapraz Manatova, L Jean Camp, Julia R Fox, Sandra Kuebler, Maria A Shardakova and Inna Kouper

In this position paper, we argue for a holistic perspective on threat analysis and other studies of state-sponsored or state-aligned eCrime groups. Specifically, we argue that understanding eCrime requires approaching it as a sociotechnical system and that studying such a system requires combining linguistic, regional, professional, and technical expertise. To illustrate it, we focus on the discourse of the Conti ransomware group in the context of the Russian invasion in Ukraine. We discuss the background of this group and their actions and provide examples of how the discourse and threats from such groups can be easily misunderstood without appropriate linguistic expertise.

Digital Drift and the Evolution of a Large Cybercrime Forum

Jack Hughes and Alice Hutchings

Cybercrime forum datasets are large and complex. Prior research uses aggregated time series data to create a picture of the whole dataset, or focuses on a smaller sample of cross sectional data, often for a specific subcommunity or crime time. This paper uses the longitudinal time series aspect of cybercrime forums to measure and observe the evolution of forums at a macro scale. Applying the Digital Drift theoretical framework, borrowed from criminology, we find a large amount of churn on the forum, with only a small proportion of users continuing long-term engagement. Measurements show a continual shift in forum activity, with year-based cohorts moving from starting in hacking discussions, towards starting in general discussions, and later towards e-whoring boards. The group of members who are active on the forum for over 12 months, typically have their last post in the marketplace, while other members, who are active for shorter periods of time, have their last post in hacking-related boards. Overall, we see an increasing trend towards financially-driven cybercrime, at both the user and forum level. Users post more in financially-related boards over time, and forum activity has trended away from gaming/social activity, trending towards more activity in market-related boards.

Applying Neutralisation Theory To Better Understand Ransomware Offenders

Lena Yuryna Connolly, Hervé Borrion, Budi Arief and Sanaa Kaddoura

The work presented in this paper investigates the crime of ransomware from the perspective of neutralisation theory. In particular, this research-in-progress paper aims to explore the feasibility of using neutralisation theory to better understand one of the key stakeholders in ransomware operations: the offenders. Individuals (including offenders) may employ techniques of neutralisation in order to justify their rule-breaking acts, and to diminish both the perceived consequences of their acts and the feeling of guilt. The focus of this work is on highly organised ransomware groups that not only conduct cyber attacks but also operate Ransomware-as-a-Service (RaaS) businesses. Secondary data was used in this research, including media interviews with alleged ransomware offenders. Data analysis is currently ongoing, but preliminary results show that ransomware offenders mainly use six neutralisation techniques to minimise the perceived impact and/or guilty feeling of their actions. These six neutralisation techniques are (1) denial of victim, (2) denial of injury, (3) claim of benefits, (4) claim of entitlement, (5) defence of necessity, and (6) claim of relative acceptability. The findings from this work can shed some light on the ransomware offending pathways, which in turn can be utilised to devise more effective countermeasures for combatting ransomware crime.

The Peculiar Case of Tailored Phishing against SMEs: Detection and Collective Defense Mechanisms at a Small IT Company

Pavlo Burda, Abdul Malek Altawekji, Nicola Zannone and Luca Allodi

Phishing attacks are increasingly more sophisticated, with attackers exploiting publicly available information on their targets to personalize their attacks. Although an increasing body of research has investigated the effectiveness of tailored phishing campaigns, researchers have primarily focused on large enterprises. Company size, composition, and resource availability (e.g., of security experts or a phishing response team handling incidents) play an important role in the studied dynamics. However, whether the same also applies to small and medium-sized enterprises (SMEs), which typically do not have those resources, is unclear. On the other hand, studying SME security is hard as they generally have no expertise in-house to run the required experiments. This work provides a first study filling this gap by investigating the effectiveness of tailored phishing campaigns against an SME IT company in Europe. To this end, we conducted a field experiment targeting 30 employees at an SME and, subsequently, interviewed nine employees to understand the cognitive processes underlying the detection and response of our phishing campaign as well as the group defense mechanisms at the SME. Our findings show that expectation mismatch was the primary method for detecting our phishing email and that the collective defense mechanism enabled a surprisingly prompt response and containment of the attack, possibly, due to the network dynamics of a small company.

On gaps in enterprise cyber attack reporting

Abu Hajizada and Tyler Moore

It has long been lamented that firms underreport cyber attacks. In recent years, regulators have begun mandating that certain organizations must publicly report when incidents occur. Adherence to these requirements is an empirical question that has been largely unexamined to date. In this paper, we study regulatory filings by U.S. public companies to the Securities Exchange Commission and to the Department Health and Human Services that discuss cyber attacks. We also compare the findings against crowdsourced reports of cyber incidents appearing in media outlets. We find substantial gaps in coverage, both in terms of attacks that make the news but do not appear in regulatory filings and vice versa. We conclude by discussing the implications for the study of cyber attack and defense as well as for policymakers.

Mapping the Cyberstalking Landscape: An Empirical Analysis of Federal U.S. Crimes

Sasha Romanosky and Peter Schirmer

Among the new forms of technology-facilitated abuses, cyberstalking has become a growing and important problem. Cyberstalking involves the use of technology to stalk, threaten, or harass one or more individuals. For example, it can include tracking and intimidating a victim over social media, email, or text messages, or threatening to expose someone’s intimate photographs (sextortion). Cyberstalking has become a mechanism used by current or former domestic or intimate-partners, lone perpetrators, individuals targeting victims based on their employment or public image, and members of extremist groups. The innovations of this research are twofold. First, using multiple data sets, we developed an automated capability to identify and collect the full set of all federally prosecuted cyberstalking cases in the U.S.. Second, we employ natural language processing, network analysis, and regression analysis methods to code and analyze these court records. We apply these methods in order to answer three main research questions: how many federal cyberstalking cases are there?; what kinds of stalking behavior are being committed?; and what characteristics are correlated with conviction and severity of punishment?

Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights

Sasha Romanosky, Jay Jacobs, Octavian Suciu, Benjamin Edwards and Armin Sarabi

The number of disclosed vulnerabilities has been steadily increasing over the years. At the same time, organizations face significant challenges patching their systems, leading to a need to prioritize vulnerability remediation in order to reduce the risk of attacks. Unfortunately, existing vulnerability scoring systems are either vendor-specific, proprietary, or are only commercially available. Moreover, these and other prioritization strategies based on vulnerability severity are poor predictors of actual vulnerability exploitation because they do not incorporate new information that might impact the likelihood of exploitation. In this paper we present the efforts behind building a Special Interest Group (SIG) that seeks to develop a completely data-driven exploit scoring system that produces scores for all known vulnerabilities, that is freely available, and which adapts to new information. The Exploit Prediction Scoring System (EPSS) SIG consists of more than 170 experts from around the world and across all industries, providing crowd-sourced expertise and feedback. Based on these collective insights, we describe the design decisions and trade-offs that lead to the development of the next version of EPSS. This new machine learning model provides an 82% performance improvement over past models in distinguishing vulnerabilities that are exploited in the wild and thus may be prioritized for remediation.

How Cryptocurrency Exchange Interruptions Create Arbitrage Opportunities

Andrew Morin and Tyler Moore

Centralized cryptocurrency exchanges offer users a more convenient platform to trade their digital assets at the cost of reduced control. As a result, when these exchanges suffer interruptions users struggle to access their funds or modify their orders. We investigate 41 events at the popular exchange Bitfinex, and measure the impact these events have on trades, volume, and pricing. We find that the volume to trade ratio increases during events, as fewer traders are moving large amounts of bitcoin. We also find that these interruptions often occur at the same time as arbitrage opportunities, with substantial profit opportunities.

"Not another Ponzi!": Comparing adverts for cryptocurrency investment scams across platforms

Gilberto Atondo Siu and Alice Hutchings

This work compares machine learning methods using supervised, semi-supervised and unsupervised learning, to classify advertisements for cryptocurrency related investment scams found in the online forum Bitcointalk, and the social media platform Reddit. We extract more than 24.2 million posts from Bitcointalk and use Reddit's API to collect 2,108 submissions. We train and compare several multi-class text classification approaches and use the models with highest accuracy and F-measure to identify cryptocurrency investment scam advertisements found on both platforms. We discover around five percent of all posts collected on both sites are potential scams. We then use another text classifier to identify the scam actors involved in these investment scam advertisements. We also discover the lures used within these fraudulent adverts and find the main differences in luring techniques used between Bitcointalk and Reddit. We identify that the most prevalent lure type uses the financial principle.

Measuring and Monitoring Malicious Social Media Behaviours

Rebekah Overdorf

From fake accounts to disinformation, malicious behaviour is evidently present on social media sites to anyone who uses them. However, actually measuring the different types of attacks and malicious behaviour presents many challenges. The correct data can be difficult to collect, the ground truth is often not concrete, and basic assumptions that we make about "normal" or "abnormal" behaviour often do not hold up to scrutiny. This keynote will illustrate some of these challenges through three different types of content-inflation attacks on social media that we uncovered over the past few years and discuss how they were overcome.

Closure and break