Computer Laboratory

Cambridge Cybercrime Centre: Second Annual Cybercrime Conference, 13 July 2017

The Cambridge Cybercrime Centre organised its second one day conference on cybercrime on Thursday, 13th July 2017.

For details of the 2016 event see here.

In future years we intend to focus on research that has been carried out using datasets provided by the Cybercrime Centre, but for this year we had a stellar group of invited speakers who are at the forefront of their fields. They will present various aspects of cybercrime from the point of view of criminology, law, security economics and policing.

The one day event, was held in the Faculty of Law, University of Cambridge and followed immediately after the "Tenth International Conference on Evidence Based Policing" organised by the Institute of Criminology which ran on the 11th and 12th July 2017.


09:00 Registration

09:30 Operation Polarity (the 'Titanium Stresser' case)

Bart Haley Eastern Region Special Operations Unit (ERSOU)

Slides in PDF format

Abstract: Following a complex investigation by the ERSOU Regional Cyber Crime Unit, working with the National Crime Agency, officers tracked down Adam Mudd, 19, of Toms Lane, Kings Langley in Hertfordshire. Mudd admitted three counts of computer misuse which involved creating and administrating the stressor tool, "code named the titanium stressor", which was used by other cyber criminals internationally, and a count of money laundering in relation to the financial gains he made as a result. In April 2017 Mudd was sentenced to 24 months imprisonment for his own DDoS attacks, 9 months for running the DDoS service and 24 months for money laundering the proceeds made from the stressor service, all to run concurrently.

The police operation into Mudd was internationally recognised, with investigators receiving the National Police Chiefs Council (NPCC) Blue Light Digital Award for its use of advanced digital forensics last month. During the case the Central Criminal Court heard that Mudd had developed tools for DDoS attacks and a website to market them. The teenager sold the tool on the Internet and ran his stressor as a business, gaining proceeds from its distribution to other cyber criminals. Analysis of the tool showed that it had been used by others in more than 1.7 million denial of service attacks against victims worldwide. In total, Mudd had benefited to the tune of approximately $300,000 worth of ill-gotten gains, though the final amount will be confirmed in future confiscation hearings.

10:00 1000 days of UDP amplification DDoS attacks

Daniel Thomas Cambridge Cybercrime Centre

Slides in PDF format

Abstract: Distributed Denial of Service (DDoS) attacks employing reflected UDP amplification are regularly used to disrupt networks and systems. The amplification allows one rented server to generate significant volumes of data, while the reflection hides the identity of the attacker. Consequently this is an attractive, low risk, strategy for criminals bent on vandalism and extortion. To measure the uptake of this strategy we ran a network of honeypot UDP reflectors (median size 65 nodes) from July 2014 onwards. In this talk I will explore the life cycle of attacks that use our reflectors, from the scanning phase used to detect our honeypot machines, through to their use in attacks. We see a median of 1450 malicious scanners per day across all UDP protocols, and have recorded details of 5.18 million subsequent attacks involving in excess of 3.31 trillion packets. Using a capture-recapture statistical technique, we estimate that our reflectors can see between 85.1% and 96.6% of UDP reflection attacks over our measurement period. We validated our technique using leaked data from booter services.

10:30 Coffee break

11:00 Exploring the travel fraud economy

Alice Hutchings Cambridge Cybercrime Centre

Abstract: This talk delves into the illicit trade of cheap airline tickets online, a global crime type that has remained largely hidden. I interviewed relevant stakeholders, and found that there are many facets to this trade. On online black markets, tickets are are purchased by complicit travellers and resellers. Often, travellers on these tickets are using them to commit other crimes. Victim travellers obtain tickets from fake travel agencies or from malicious insiders within the travel industry. Tickets are also traded through word-of-mouth, mainly through close-knit communities. The various cybercrime techniques used to obtain the tickets illicitly will be outlined, as well as the problems faced by law enforcement when policing this trade.

11:30 Offline and Local: The Hidden Face of Cybercrime

Jonathan Lusthaus Director, Human Cybercriminal Project, Extra-Legal Governance Institute, University of Oxford

Slides in PDF format

Abstract: The conventional wisdom is that cybercrime is a largely anonymous activity that exists essentially in cyberspace. The supposed anonymity of attackers feeds into a narrative that cybercrime is strange, new, ubiquitous and ultimately very difficult to counteract. The central purpose of this talk is to dispute this view. When one looks for it, there is actually a strong offline and local element within cybercrime, alongside the online dimension. In order to investigate this claim and its implications for policing, the core of this talk is dedicated to a case study of Romania.

12:00 Don't distract me while I am winning this auction: the psychology of auction fraud

David Modic Cambridge Cybercrime Centre

Slides in PDF format

Abstract: Online auctions are big business -- the largest online auction house, eBay, has a monthly turnover worth millions of pounds across millions of transactions. This presents an opportunity and an incentive for scammers. In the previous years we ran several victimisation surveys where we asked an opportunistic sample of respondents whether they have fallen victim of auction fraud. The results show that between 2 and 5% of the respondents have at least responded to fraudulent auctions. In the present article, we ran a series of studies designed to help us better understand which cues to deception help potential victims to avoid being scammed and which are largely ignored. Furthermore, we established which personality traits and mechanisms of persuasion play a role in compliance with fraudulent offers, when it comes to auctions. In Study 1 6609 participants answered general victimisation questions and filled out the Susceptibility to Persuasion II scale. The preliminary results show that persuasive mechanisms such as the need for uniqueness, normative social influence, and sensation seeking (intensity) play a significant role in auction fraud compliance. In Study 2 we focused on victims of auction fraud, where 115 participants answered detailed questions about their particular case defined in three phases: (a) what happened before the scam, (b) what was the scam and (c) what were the consequences. In the second part of Study 2, we asked the respondents to fill out the HEXACO personality scale, modified UPPS-IBS (Impulsivity scale), and others. The results show that while no full personality domains are significant regressors of auction fraud compliance, a number of sub domains play a significant role.

12:30 Lunch

13:30 Preventing and remediating criminal abuse of hosting infrastructure

Michel van Eeten Delft University of Technology

Slides in PDF format

Abstract: Advances in detecting and predicting malicious activity on the Internet, impressive as they are, tend to obscure a humbling question: Who is actually acting against these abusive resources? The reality is that the bulk of the fight against criminal activity depends critically on the voluntary actions of many thousands of providers and resource owners who receive abuse reports. Each day, millions of abuse reports are sent out across the Internet via a variety of mechanisms, from personal messages to automated emails to public trackers to queryable blacklists with thousands of hacked sites or millions of spambots. In this presentation, I will share the outcomes of different experimental studies that provide insight into how well this mechanism is working. A similar mechanism is emerging on the prevention side: informing owners and providers about vulnerabilities discover during large-scale scans. This mechanism has also been experimentally studied and we will discuss these findings as well. Overall, we are interested in finding out how effective these informal, voluntary and large-scale mechanisms are at preventing or remediating crime -- and how they could be improved.

14:00 Armed With A PACER Account and Not Afraid to Use it: What we've learned about US government hacking

Nicholas Weaver International Computer Science Institute (ICSI), UC Berkeley

Abstract: We've now seen multiple cases how both with and without a warrant, the FBI or others in law enforcement use targeted hacking as part of the law enforcement mission. The most common are simply system/user identification techniques, which they initially called a CIPAV (Computer and Protocol Address Verifier) but now call a NIT (Network Investigatory Technique). This is often very limited malcode that exploits a target and executes a phone-home back over the clear Internet. When the FBI uses this they've played slightly loose with jurisdictional requirements (which are now corrected thanks to the revised Rule 41) and been somewhat vague but the technology itself is often reasonable (if somewhat overpriced at times). There are also other cases, most notably the Silk Road case, where an FBI agent apparently hacked into a computer without getting a warrant at all, nearly throwing away the case if it wasn't for the incompetence of the defense. Along the way there are a whole host of amusing anecdotes, stories, and other bits that all impacted my beer budget which I diverted to pay for my PACER account.

14:30 Coffee break

15:00 Becoming Delinquent Online

Andrew Goldsmith Crime and Security Research Centre, Flinders University

Slides in PDF format

Abstract: This presentation will provide an overview of a recently commenced longitudinal study of adolescent activities online. It will outline the theoretical background to the study, the methodological approach, and the pilot study and its findings. The study is based in part upon the concept of "digital drift" (Goldsmith and Brewer 2015) which suggests a highly contingent and variable relationship between adolescent online activities and involvement in different kinds of computer- and Internet-mediated delinquency.

15:30 The data breaches' European legal (un)patch(ed)work

Maria Grazia Porcedda School of Law, University of Leeds

Abstract: The fight against data breaches in Europe rests on 5 legal instruments that contain incentives for entities to implement appropriate security and privacy measures, based on a risk assessment/management approach. But is this working? The evidence available to date is mixed. Moreover, obligations (and liability) vary with respect to different addressees and the technology they rely upon, which risks paving the way for 'unpatched' areas. One such potential area I will focus on is cloud computing.

16:00 Understanding the use of stolen account credentials by cybercriminals

Gianluca Stringhini Department of Security and Crime Science, University College London

Slides in PDF format

Abstract: Despite the large amount of research carried out by the research community on cybercrime, we still lack an understanding of what criminals do after compromising victim accounts. In this talk, I will provide our overview of our research in investigating the use of stolen Google accounts by cybercriminals. I will first describe a honeypot infrastructure that we developed, which allows us to monitor the actions performed by miscreants on decoy accounts under our control. I will then describe the results of a number of experiments that we carried out, to understand how the way that account credentials are obtained, as well as the information known to criminals about an accounts and the language of the account influences criminal behaviour.

16:30 The Cambridge Cybercrime Centre

Richard Clayton and others Cambridge Cybercrime Centre

Slides in PDF format

Abstract: We discuss our legal framework for sharing cybercrime data with other academic researchers and give some examples of the type of data we have.

16:45 Social event: Strawberries & Pimms

...back to main page