Computer Laboratory

Cambridge Cybercrime Centre: Fourth Annual Cybercrime Conference, 11 July 2019

The Cambridge Cybercrime Centre organised its third one day conference on cybercrime on Thursday, 11th July 2019.

PAST CONFERENCES

For details of the 2016 event see here.

For details of the 2017 event see here.

For details of the 2018 event see here.

LOCATION

The one day event was held in the Faculty of Law, University of Cambridge, following immediately after the "Twelfth International Conference on Evidence Based Policing" organised by the Institute of Criminology which ran on the 8th-10th July 2019.

AGENDA

09:00 Registration

09:30 Tackling cybercrime - future threats and challenges

Jamie Saunders Visiting Professor, UCL Department of Security and Crime Science

Abstract: In this talk I will provide an assessment of the current state of Government and Law Enforcement efforts to prevent, detect and investigate cybercrime. I will then look ahead to emerging risk, and set out a number of questions for researchers seeking to contribute to the debate. This will support work underway with the World Economic Forum to advise businesses on what operational and policy steps might be required to prepare companies for the challenges ahead.

10:00 A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth

Sergio Pastrana Universidad Carlos III de Madrid

Slides in PDF format

Abstract: Illicit crypto-mining leverages resources stolen from victims to mine cryptocurrencies on behalf of criminals. While recent works have analyzed one side of this threat, i.e.: web-browser cryptojacking, only white papers and commercial reports have partially covered binary-based crypto-mining malware. In this talk, we present the largest measurement of crypto-mining malware to date, analyzing approximately 4.4 million malware samples (1 million malicious miners), over a period of twelve years from 2007 to 2018. Our analysis pipeline applies both static and dynamic analysis to extract information from the samples, such as wallet identifiers and mining pools. Together with OSINT data, this information is used to group samples into campaigns. We then analyze publicly-available payments sent to the wallets from mining-pools as a reward for mining, and estimate profits for the different campaigns. Our profit analysis reveals campaigns with multi-million earnings, associating over 4.3% of Monero with illicit mining. We analyze the infrastructure related with the different campaigns, showing that a high proportion of this ecosystem is supported by underground economies such as Pay-Per-Install services. We also uncover novel techniques that allow criminals to run successful campaigns.

In our study, we used the CrimeBB dataset as a starting point to analyse the current trends in crypto mining malware.

10:30 Coffee break

11:00 The not so Dark Side of the Darknet

Victoria Wang University of Portsmouth

Slides in PDF format

Abstract: In recent years, the Darknet has become one of the most discussed topics in cyber security circles. Most academic studies and media reports tend to highlight how the anonymous nature of the Darknet is used to facilitate criminal activities. This talk discusses a recent small-scale research project in four Darknet forums that reveals a different aspect of the Darknet. Drawing on the qualitative findings, it is suggested that some users of the Darknet might not perceive it as intrinsically criminogenic, despite their acknowledgement of various kinds of criminal activity in this network. Further, the research participants emphasised the achievement of constructive socio-political values through the use of the Darknet. This achievement is enabled by various characteristics that are rooted in the Darknet's technological structure, such as anonymity, privacy, and the use of cryptocurrencies. These characteristics provide a wide range of opportunities for good as well as for evil.

11:30 An Analysis of Cybercrime Activity within an Underground Gaming Forum

Jack Hughes Computer Laboratory, University of Cambridge

Slides in PDF format

Abstract: Research into the role of gaming as an entry point into cybercrime is growing. For example, players of online games may use denial-of-service attacks to disrupt the network connection of opponents. With the availability of DDoS attacks-as-a-service, which are often marketed towards online gamers and do not require sophisticated technical knowledge, the barrier to entry is low. Exposure to, and use of, such services is believed to be a pathway into more serious cybercrime activities.

I further explore this relationship between online gaming and cybercrime. I analyse Multiplayer Game Hacking (MPGH), a gaming-specific underground hacking forum, to predict who is likely to be of interest to law enforcement. I apply open-source research tools created for analysis of a general underground hacking forum. I build upon this prior work which analysed key actors on the forum: members who are linked to cybercrime activity, including the distribution of tools used for hacking. This research can help identify pathways into cybercrime, which is important for understanding ways for effectively disrupting and preventing future offending.

In addition to applying these tools to MPGH, I compare the results with prior work, highlighting important similarities and discrepancies. This is followed by analysis of the role of gaming in relation to cybercrime activity. In addition to applying existing tools, I explore other machine learning and statistical techniques that can be applied to the forum, for the purpose of understanding the behaviour of key actors.

12:00 Cyber Prevent: Deter, Divert, Degrade, Disrupt

Greg Francis National Crime Agency

Slides in PDF format

Abstract: The rationale, initiatives and interventions developed and implemented by the NCA National Cyber Crime Unit to Prevent those on the periphery and/or immersed in Cyber Dependent Crime continuing on that pathway.

12:30 Lunch

13:30 Advertise publicly, trade privately? Analysing the Cybercrime-as-a-Service Offerings and Their Links to Private Communication Channels in Underground Forums

Ugur Akyazi Technische Universiteit Delft

Slides in PDF format

Abstract: Cybercrime-as-a-service (CaaS) has become a prominent component of the underground economy according to recent literature and reports. CaaS provides a new dimension to cybercrime by making it more automated, and accessible to criminals with limited technical skills. Like software companies, these crimeware offerings also now include everything from advertising and marketing to customer service, updates, and user manuals. Similar resources also tell that cybercriminals have increasingly taken to using specialist sites and forums to advertise their services, before conducting transactions on private communication channels like Telegram, Discord, Skype, Jabber, or IRC. This marketing shift is claimed to be a result of the loss of trust in darknet marketplaces after the seizure of Alphabay and Hansa underground markets by Law Enforcement Agencies. To better understand the risks to businesses and consumers, it's important to consider the types of products and services advertised within these underground platforms, and how cybercriminals are adapting to current trading and communication processes in order to continue making a profit. We have measured and explained the trends in commoditization of cybercrime on online anonymous markets in our previous study. Following that, in this study we will empirically analyze the volume and diversity of CaaS demands and supplies in the underground forums, using the CrimeBB dataset of the Cambridge Cybercrime Centre. We will also analyze how these offerings link to external trading platforms and private communication channels.

14:00 The Chilling Effect of Enforcement of Computer Misuse: Evidences from Online Hacker Forums

Qiu-Hong Wang Singapore Management University

Slides in PDF format

Abstract: To reduce the availability of hacking tools for violators in committing cybersecurity offences, many countries have enacted legislation to criminalize the production, distribution and possession of computer misuse tools with offensive intent. However, the dual use nature of cybersecurity technology increases the difficulty in the legal process to recognize computer misuse tools and predict their harmful outcome, which leads to unintended impacts of the enforcement on the provision of techniques valuable for information security defense. Leveraging an external shock in online hacker forums, this study examines the potential impacts of the enforcement of computer misuse on users' contribution to information security knowledge sharing characterized by distinct intents for either offensive hacking or security defense, or by a neutral intent with potential for dual use. Via a user-level mixed nested logit model, we find that the enforcement reduces the average probability of neutral content contribution by 11.13%, which provides the initial evidence of a chilling effect, together with the presence of a deterrence effect on offensive hacking content and a substitution effect on defensive content. Our empirical findings further suggest that the chilling effect on neutral content could be reinforced by contribution incentives in social community, such as personal experience, audience attention and group size. Theoretical and policy implications are discussed.

14:30 Coffee break

15:00 "Gender and IoT": The Implications of smart technologies on victims and survivors of domestic and sexual violence and abuse

Leonie Tanczer University College London

Slides in PDF format

Abstract: In recent years, forms of online harassment and sexual abuse facilitated through information and communication technologies have emerged. These ICT-supported assaults range from cyberstalking to online behavioural control. While many efforts to tackle technology-facilitated abuse ("tech abuse") are concerned with 'conventional' cyber risks such as abuses on social media platforms and restrictions to devices such as laptops and phones, emerging "Internet of Things" (IoT) technologies such as 'smart' meters, locks, and cameras expand domestic violence victims' risk trajectories further.

In this talk, findings from UCL's "Gender and IoT" (GIoT) research project will be outlined. GIoT runs in collaboration with a wide stakeholder group, including the London VAWG Consortium, the digital rights charity Privacy International, and the UK-wide PETRAS IoT Research Hub. The research project analyses evolving IoT privacy and security risks. It studies IoT technologies' impact on gender-based domestic and sexual violence and abuse and the socio-technical measures that will need to be implemented in order to mitigate against those risks.

15:30 Using machine learning models to predict exploits

Diego Silva University of Oxford

Abstract: The proliferation of heterogeneous networks, resulting from a constantly evolving ICT industry, has produced an interdependence of disparate systems across the Internet. This environment has encouraged complex software stacks to develop, in turn widening the attack surface for malicious hackers to probe, and making it an unenviable task for security professionals to not only manage their network estate, but to do so whilst also keeping abreast of the immediate threat landscape facing their organisation.

In this talk, I will present preliminary results of research that broadly aims to better understand adversaries by analysing what assets they have available to launch a cyber attack, and specifically, to attempt to predict which CVEs are likely to draw concomitant exploits being released.

16:00 Booting the Booters: Evaluating the Effects of Police Interventions in the Market for DoS Attacks

Ben Collier Cambridge Cybercrime Centre

Slides in PDF format

Abstract: Illegal booter services offer denial of service (DoS) attacks for a fee of a few tens of dollars a month. Internationally, police have implemented a range of different types of interventions aimed at those using and offering booter services, including arrest and website takedown. In order to measure the impact of these interventions we look at the usage reports that booters themselves provide and at measurements of reflected UDP DoS attacks, leveraging a five year measurement dataset that has been statistically demonstrated to have very high coverage. We analysed time series data (using a negative binomial regression model) to show that several interventions have had significant impact on the number of attacks. We show that takedowns of individual booters and high-profile court cases precede significant, but short-lived, reductions in recorded attack numbers whilst more wide-ranging disruptions targeting multiple booters or the shutdown of HackForums' booter market have much longer effects. We further draw from a range of qualitative interviews and scraped data from chat channels to develop explanations for why we believe the booter community appears to be so susceptible to law enforcement intervention.

16:30 The Cambridge Cybercrime Centre

Richard Clayton Cambridge Cybercrime Centre

Slides in PDF format

Abstract: This talk briefly discusses our legal framework for sharing cybercrime data with other academic researchers and gives some examples of the type of data we have and what it is being used for.

16:45 Social event: Strawberries & Pimms

Thereafter, we plan, as is now traditional, to adjourn to The Anchor, a classic Cambridge pub!
