Department of Computer Science and Technology

Cambridge Cybercrime Centre: Fifth Annual Cybercrime Conference, 5 September 2022

The Cambridge Cybercrime Centre's fifth one day conference on cybercrime on Monday, 5th September 2022.


For details of the 2016 event see here.

For details of the 2017 event see here.

For details of the 2018 event see here.

For details of the 2019 event see here.


The one day event is being held in the 'Computer Lab' on the West Cambridge site.


09:00 Registration

09:30 Cybercrime Offender Prevention - Digital Responsibility

Greg Francis, 4D Cyber Security

Abstract: Cybercrime is rising, vulnerabilities are increasing, offenders are getting younger. The Internet is an expansive, loosely regulated landscape, a digital wild west. The sheer volume of criminal actors, platforms and malware alongside inconsistent international legislation and nation state cooperation serve to inhibit effective regulation of cyberspace. Law enforcementacity to bring justice to those engaging in cybercrime at all levels is simply not attainable. Digital responsibility can provide a way forward by the early pinpointing and preserving of talent. It advocates Prevention through proactive, public/private partnerships that raise awareness of both the detriments of digital crime and opportunities through education and employment. It places ownership of cybercrime with all sectors of society: parents, educators, employers and enforcement, all have key roles to play. The presentation highlights and outlines initiatives and interventions that can be developed and implemented to build an effective Digital Responsibility framework.

10:00 Towards Improving Code Stylometry Analysis in Underground Forums

Michal Tereszkowski-Kaminski Kings College London

Abstract: Code Stylometry has emerged as a powerful mechanism to identify programmers. While there have been significant advances in the field, existing mechanisms underperform in challenging domains. One such domain is studying the provenance of code shared in underground forums, where code posts tend to have small or incomplete source code fragments. This paper proposes a method designed to deal with the idiosyncrasies of code snippets shared in these forums. Our system fuses a forum-specific learning pipeline with Conformal Prediction to generate predictions with precise confidence levels as a novelty. We see that identifying unreliable code snippets is paramount to generate high- accuracy predictions, and this is a task where traditional learning settings fail. Overall, our method performs as twice as well as the state-of-the-art in a constrained set- ting with a large number of authors (i.e., 100). When dealing with a smaller number of authors (i.e., 20), it performs at high accuracy (89%). We also evaluate our work on an open-world assumption and see that our method is more effective at retaining samples.

10:30 Coffee break

11:00 From the dark to the surface web: Scouting eBay for counterfeits

Felix Soldner Leibniz Institute for the Social Science

Abstract: Counterfeit goods harm consumers and companies, and current methods to detect them are inefficient and unable to deal with the large number of sales on online shopping platforms. Counterfeits are also openly sold on dark markets without an effort to conceal them. Knowing which products are sold as counterfeits presents us with the opportunity to use the information such listings contain, including images, titles, and descriptions, to search for matching listings on the surface web. We devised an automated method, which uses the information from 453 current dark market counterfeits to search for the respective products on eBay. We examined if offers changed over time by collecting eBay product information at two points in time with an interval of 4 months. For every dark market product, we collected 159 associated eBay products on average, resulting in a total of over 134 thousand products. We combined image and text similarity metrics into a single score to compare and find highly similar products across dark and surface web markets. By inspecting the top-ranked similar products, we found the same shoes, smartphones, bag charms, and watches across the dark and surface web, which could warrant further investigation as to whether they are indeed counterfeits.

11:30 Threat Miner -- A Text Analysis Engine for Threat Identification Using Dark Web Data

Anum Paracha Birmingham City University

Abstract: Cyber threats continue to grow with novel methods to attack computing systems, highlighting the need for sophisticated mechanisms and techniques to protect against such dynamic threats. Contemporary cyber defense mechanisms utilize a range of methods that rely on monitoring network or system-level events. However, with the growing use of the dark web by mal-actors to share exploits, breaches, and data leaks, the use of such information to strengthen defense mechanisms becomes an intriguing prospect. We have been working with the CrimeBB dataset to investigate using this data for effective cyber threat intelligence techniques. We have developed a framework which leverages machine learning techniques to identify influential entities through intelligent analysis of user profiles, interactions, and activities over the dark web forums. We present ThreatMiner, a text analysis engine that utilizes dark web forum data from the CrimeBB dataset to develop actionable cyber threat intelligence. Leveraging cutting-edge machine learning techniques and utilizing a bespoke threat dictionary, Threat Miner extracts useful information from dark web forums into STIX form, enabling it to be used with threat intelligence platforms. This research work also presents the results of a thorough evaluation of the developed scheme which was conducted with the CrimeBB dataset to understand the feasibility of the approach as well as its effectiveness in strengthening defense capability against cyber threats.

12:00 Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict

Anh V. Vu University of Cambridge

Abstract: There has been substantial commentary on the role of cyberattacks, hacktivists, and the cybercrime underground in the Russia-Ukraine conflict. Drawing on a range of data sources, we argue that the widely-held narrative of a cyberwar fought by committed 'hacktivists' linked to cybercrime groups is misleading. We collected 281K web defacement attacks, 1.7M reflected DDoS attacks, and 441 announcements (with 58K replies) of a volunteer hacking discussion group for two months before and four months after the invasion. To enrich our quantitative analysis, we conducted interviews with website defacers who were active in attacking sites in Russia and Ukraine during the period. Our findings indicate that the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable shifts in the geographical distribution of both defacement and DDoS attacks. However, the role of these players in so-called cyberwarfare is minor, and they do not resemble the 'hacktivists' imagined in popular criminological accounts. Initial waves of interest led to more defacers participating in attack campaigns, but rather than targeting critical infrastructure, there were mass attacks against random websites within '.ru' and '.ua'. We can find no evidence of high-profile actions of the kind hypothesised by the prevalent narrative. The much-vaunted role of the 'IT Army of Ukraine' co-ordination group is mixed; the targets they promoted were seldom defaced although they were often subjected to DDoS attacks. Our main finding is that there was a clear loss of interest in carrying out defacements and DDoS attacks after just a few weeks. Contrary to some expert predictions, the cybercrime underground's involvement in the conflict appears to have been minor and short-lived; it is unlikely to escalate further.

12:30 Lunch

13:30 Understanding Risk and Risk Perceptions of Cybercrime in Underground Forums

Maria Bada Queen Mary University of London

Abstract: Understanding the reasons and the pathways of people becoming involved in cybercrime has been an important topic for research within different disciplines. Studies have explored the pathways of skilled hackers into deviant behaviour with a focus on online gaming, however little research has been conducted around understanding risk perception of cybercrime. This study investigates both surface and dark web forums, focusing on a variety of topics from hacking to gaming. The aim of this study is to a) investigate the ways cybercrime is perceived among different members of underground forums; b) identify whether there is an emotional construct of cybercrime; and c) identify the level of knowledge around behaviours which are considered as cybercrime and are criminalised. The novelty of this study lies in the methodological approach taken to conduct qualitative and quantitative research on large text datasets. Our findings identified hacking as one of the main deviant behaviours. Our analysis shows a general optimistic bias influencing the perception of risk associated with cybercrime as well as a number of risk avoidance strategies.

14:00 PostCog: A tool for interdisciplinary research into underground forums at scale

Jack Hughes University of Cambridge

Abstract: Underground forums provide useful insights into cybercrime, where researchers analyse underlying economies, key actors, their discussions and interactions, as well as different types of cybercrime. This interdisciplinary topic of study incorporates expertise from diverse areas, including computer science, criminology, economics, psychology, and other social sciences. Historically, there were significant challenges around access to data, but there are now research datasets of millions of messages scraped from underground forums. The problems now stem from the size of these datasets and the technical nature of methods and tools available for data sampling and analysis at scale, which make data exploration difficult for non-technical users. PostCog has been developed to solve this problem, a web application developed to support users from both technical and non-technical backgrounds in forum analyses, such as search, information extraction and cross-forum comparison.

14:30 Coffee break

15:00 ExtremeBB

Lydia Wilson Murray Edwards College, University of Cambridge

Abstract: TBA

15:30 A 'sophisticated attack'? Innovation, technical sophistication, and creativity in the cybercrime ecosystem

Richard Clayton University of Cambridge

Abstract: We observe that almost every cybercrime is reported to be a "sophisticated attack" and explain how incentives align to misrepresent very run-of-the-mill events in this manner. We describe the cybercrime ecosystem, analysing the distinct parts and discussing what forms of sophistication and incentives can be found in each kind of work. We move on discuss how framing cybercrime as technically sophisticated attacks performed by skilled criminals has distorted criminological analysis and contributed to misaligned incentives within criminal justice and security policy. We conclude that the criminal justice system is aiming the wrong types of interventions at the wrong kinds of actor.

16:00 Cyber Prevent: Deter, Divert and Disrupt

Nishat Chowdhury and Tiffany Skinner National Crime Agency, UK

Abstract: The rationale, initiatives and interventions developed and implemented by the NCA National Cyber Crime Unit to Prevent those on the cusp of Cyber criminality or already immersed in low level offending.

16:30 The Cambridge Cybercrime Centre

Alice Hutchings Cambridge Cybercrime Centre

Abstract: A brief update as to what the Centre has been working on over the last few years, and future directions.

16:45 Social event

...back to main page