Paper: “An inquiry into the nature and causes of the wealth of internet miscreants”


Jason Franklin & Vern Paxson, presented by

Matimbila Lyuba at University of Birmingham 28/01/2013


Structure of presentation

Underground Market

Research analysis





•  Underground economy

- commoditization of activities like

  - credit card fraud

  - identity theft

  - spamming

  - phishing

  - online credit theft

  - compromised hosts

  - What other illegal activities ….?

- Underground market

  - the internet as the backbone of communication

  - Internet Relay Chat (IRC) networks



•  Provide buyers and sellers a meeting place.

•  How does IRC work?

- A standard protocol for real-time message exchange over the internet.

- Employs a client/server architecture.


IRC terminologies

•  Seller

- A person able to provide goods or services

•  Buyer

- A person who needs goods or services

•  Cashier

- Converts account credentials into funds

•  Confirmer

- Pretends to be the card owner

- Can be the buyer if residing in the same country as the victim's account


•  Ripper

- A dishonest seller or buyer

•  Participant


The game

•  Hence funds are transferred through Western Union or


•  Demo for accessing the channel

•  What parameters can you easily identify …?

•  What are track 1 & track 2 …?


Accessing the market

•  Market administrator

- Ensures participants have identifiers

- Notifies participants about “rippers”

•  Client participation

- Start the client program, then connect to the network via a server

- Provide a nickname

- Verified participants are given a seal of approval, the “+v” (voice) mode

- Choose a channel

- Can send private messages (PM)

•  Verified status

- Attained to be trusted

- Provide a sample of valid data

- Approximately 95% of participants post fewer than 18 samples to attain “+v”


Access the market


Market activities


What do you think is sold

on these channels?


Market activities



Research analysis

•  How the study was conducted

•  Data collection

- Connect to particular channels on different IRC networks

- Log all subsequent public messages

- Format: {timestamp, IRC server IP address, source identifier, channel name, message}

•  Why not log private messages …?

•  Why log in this format …..?

•  Dataset collected: 2.4 GB over a period of 7 months.

•  Messages collected: 13 million from a total of more than


Market analysis

•  Most sensitive data

- Credit card data

- Financial data


Credit card data

•  No repetition: only unique card numbers are counted

•  Checked against the Luhn check digit: a checksum that guards against simple transmission errors

•  A necessary condition for card validity, not a sufficient one

•  A total of 100,490 unique card numbers


Credit card arrival

•  Valid Luhn cards arrive at a rate of 402 cards per day

•  Invalid Luhn cards arrive at a rate of 145 cards per day


Credit card arrival

•  Why so many valid Luhn cards…?

Implies miscreants:

- Continuously collect data

- Possess a large number of stolen cards, then release them in batches

•  Why invalid Luhn cards….?

- Novice miscreants


New vs repeated cards

•  Within the channel

•  Between channels

•  95% of card repeats
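An added worked example (my own code, not from the paper or this presentation) that puts the data-collection format and the card analysis above together: it parses constructed records in the paper's {timestamp, IRC server IP address, source identifier, channel name, message} layout, pulls out candidate card numbers, applies the Luhn check, and counts unique valid/invalid numbers and repeats within and between channels. The '|' delimiter, the sample records, the documentation-range IP addresses and the well-known synthetic test card numbers are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of the paper's log format, one record per line:
# {timestamp, IRC server IP address, source identifier, channel name, message}
# IPs come from documentation ranges and the card numbers are well-known
# synthetic test numbers, not real accounts.
SAMPLE_LOG = """\
2013-01-10T09:12:03Z|192.0.2.10|seller_a|#market1|selling 4111111111111111 exp 01/15
2013-01-10T09:15:44Z|192.0.2.10|seller_b|#market1|4111111111111111 still available, pm me
2013-01-10T10:02:17Z|192.0.2.10|seller_c|#market1|have 5555555555554444 and 378282246310005
2013-01-11T11:40:09Z|198.51.100.7|seller_a|#market2|4111111111111111 + 4111111111111112 cheap
2013-01-11T12:05:55Z|198.51.100.7|newbie01|#market2|anyone chk 4111111111111112 for me?
2013-01-12T08:30:00Z|198.51.100.7|seller_d|#market2|5555555555554444 payment by wu only
"""

# Candidate card numbers: 13 to 19 consecutive digits on word boundaries.
CARD_RE = re.compile(r"\b\d{13,19}\b")


def parse_log(text):
    """Split each record on '|' into the five fields of the paper's format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, server_ip, source, channel, message = line.split("|", 4)
        records.append({"timestamp": timestamp, "server_ip": server_ip,
                        "source": source, "channel": channel, "message": message})
    return records


def luhn_valid(number):
    """Luhn check digit: double every second digit from the right, sum the
    digits, accept when the total is a multiple of 10. This only catches
    simple transcription errors; it says nothing about whether a card was
    ever issued."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def analyze_cards(log_text):
    """Count unique Luhn-valid/invalid numbers and classify every later
    sighting as a repeat within the same channel or between channels."""
    channels_seen = defaultdict(set)   # card -> channels it has appeared in
    stats = {"new": 0, "repeat_within_channel": 0, "repeat_between_channels": 0,
             "unique_valid": 0, "unique_invalid": 0}
    days = set()
    for rec in parse_log(log_text):   # records are assumed to be chronological
        days.add(rec["timestamp"][:10])
        for card in CARD_RE.findall(rec["message"]):
            if card not in channels_seen:
                stats["new"] += 1
                stats["unique_valid" if luhn_valid(card) else "unique_invalid"] += 1
            elif rec["channel"] in channels_seen[card]:
                stats["repeat_within_channel"] += 1
            else:
                stats["repeat_between_channels"] += 1
            channels_seen[card].add(rec["channel"])
    stats["days_observed"] = len(days)
    # Arrival rate of previously unseen Luhn-valid numbers, as in the paper
    stats["new_valid_per_day"] = stats["unique_valid"] / max(len(days), 1)
    return stats


if __name__ == "__main__":
    for key, value in analyze_cards(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the run reports four distinct numbers (three pass Luhn, one does not), two within-channel repeats and two between-channel repeats; on the paper's 7-month dataset the same counting is what yields the 402 and 145 cards-per-day figures.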


Financial data

•  Checking and savings account numbers with their balances

- Copied from the banks' account access web pages

- Effectiveness of phishing attacks…..?

- Demonstrates the ability to access the stated accounts

- Gains buyers' trust

•  Validity

- Account balances are dynamic…!


Financial data

•  Assume every listed balance is valid and is successfully withdrawn


Identity data

•  Social Security Numbers (SSNs)

- SSN == individual identity

- Fall within the issued range listed by the Social Security Administration

- No proof whether they have actually been issued

•  Majority are repeated

•  Why…?


Market service


Activity level

 64,000 messages are seen per day

 Average of new messages per day is greater than 19,000  Repeated messages arrives at a rate of 45,000 per day

•  How?

•  automated scripts are used.. •  Why?


Participants identification

•  Lurkers

- Idle, sending zero public messages

- Can monitor the channel ads and contact sellers via private messages

•  Leechers

- Looking for free financial data

- Prevention services, e.g. CardCops



•  An average of 1,500 nicks participate per day

•  New nicks arrive at an average rate of 553 nicks per day

•  Active lifetime

- Time between the nick’s first and last message

- Measures the extent of relationship building by maintaining a nick over a



•  95% of nicks have an active lifetime of 112.5 days

•  The longer you maintain a nick, the more relationship and
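Added example, not from the paper or the presentation, that computes the activity-level and nick statistics described above (new vs repeated messages, nicks per day, new nicks, active lifetime per nick) over a constructed set of public messages, and flags nicks that repost identical text as a crude indicator of the scripted posting the slides attribute the repeat rate to. Nicks, timestamps and message texts are constructed; the "same exact text" heuristic is my own choice, not a method the paper describes.

```python
from collections import defaultdict
from datetime import datetime

# Constructed public messages: (timestamp, nick, message). Several lines are
# exact repeats of an earlier advert, the pattern associated with reposting scripts.
SAMPLE_MESSAGES = [
    ("2013-01-10T09:00:00Z", "seller_a", "ad: cards for sale, pm for price"),
    ("2013-01-10T09:05:00Z", "seller_b", "ad: bank logins with balance"),
    ("2013-01-10T09:10:00Z", "seller_a", "ad: cards for sale, pm for price"),
    ("2013-01-11T09:00:00Z", "seller_a", "ad: cards for sale, pm for price"),
    ("2013-01-11T10:00:00Z", "buyer_x", "looking for a us drop, wu only"),
    ("2013-01-12T09:00:00Z", "seller_a", "ad: cards for sale, pm for price"),
    ("2013-01-12T09:30:00Z", "seller_b", "ad: bank logins with balance"),
    ("2013-01-14T12:00:00Z", "seller_a", "verified +v, still here"),
    ("2013-01-20T12:00:00Z", "seller_b", "ad: bank logins with balance"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def activity_stats(messages):
    """Per-day activity and per-nick lifetime figures over a chronological list."""
    seen_texts = set()
    nicks_by_day = defaultdict(set)
    first_seen, last_seen = {}, {}
    new_messages = repeated_messages = 0
    for ts, nick, text in messages:
        when = parse_ts(ts)
        nicks_by_day[when.date()].add(nick)
        # A "repeated" message is an exact copy of text already seen in the channel
        if text in seen_texts:
            repeated_messages += 1
        else:
            seen_texts.add(text)
            new_messages += 1
        first_seen.setdefault(nick, when)
        last_seen[nick] = when
    active_days = len(nicks_by_day)
    # Active lifetime: whole days between a nick's first and last message
    lifetimes = {n: (last_seen[n].date() - first_seen[n].date()).days
                 for n in first_seen}
    return {
        "total_messages": len(messages),
        "new_messages": new_messages,
        "repeated_messages": repeated_messages,
        "active_days": active_days,
        "avg_nicks_per_day": sum(len(s) for s in nicks_by_day.values()) / active_days,
        "new_nicks_total": len(first_seen),
        "active_lifetime_days": lifetimes,
    }


def fraction_lifetime_at_most(lifetimes, max_days):
    """Share of nicks whose active lifetime is at most max_days; the paper's
    '95% of nicks' figure is a percentile of this distribution."""
    return sum(1 for d in lifetimes.values() if d <= max_days) / len(lifetimes)


def suspected_script_nicks(messages, min_repeats=3):
    """Nicks that posted the same exact text at least min_repeats times:
    a crude indicator of automated advert reposting (my heuristic)."""
    counts = defaultdict(int)
    for _, nick, text in messages:
        counts[(nick, text)] += 1
    return sorted({nick for (nick, _), c in counts.items() if c >= min_repeats})


if __name__ == "__main__":
    stats = activity_stats(SAMPLE_MESSAGES)
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("nicks with lifetime <= 5 days:",
          fraction_lifetime_at_most(stats["active_lifetime_days"], 5))
    print("suspected script nicks:", suspected_script_nicks(SAMPLE_MESSAGES))
```

With the sample above, five of nine messages are repeats, which mirrors the paper's observation that repeated messages outnumber new ones; lowering or raising min_repeats trades false positives against missed reposting bots.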


Channel services

•  Run by the channel administrator

•  Executed through commands

•  Provides useful services:

- Credit card limit check


Channel service bot commands

•  No service for free!

•  !chk, !cclimit and !cvv2 are fallacious

•  They return deterministic results without querying a database or attempting a transaction to infer the card’s limit!


Bot administrators use them to steal other participants’ credit card numbers..! Does this mean “return on investment”?



•  Price for compromised hosts varies

•  For DDoS you can get 1,000 hosts for $10,000

•  Helps to analyse the threat model


Client IP lookup

•  10% in CBL (Composed Block List)

•  Compromised hosts are used to connect to the market

•  1% in SBL (Spamhaus Block List)
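Added example of how the client-IP lookup described above is done against a DNS blocklist; it is my illustration, not the paper's method. DNSBLs are queried by reversing the IPv4 octets under the list's zone and reading the 127.0.0.x code in the A record. The zone name zen.spamhaus.org and the code table are assumptions taken from Spamhaus documentation (the CBL data is served through the Spamhaus XBL today) and should be checked against the current docs; the resolver used below is an offline stand-in with constructed answers, with a live socket-based variant included for reference.

```python
import ipaddress

# Spamhaus ZEN answer codes. Assumption: meanings as published by Spamhaus;
# verify against the current documentation before relying on them.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL",      # SBL CSS
    "127.0.0.4": "XBL",      # XBL carries the CBL (compromised host) data
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL",      # SBL DROP
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup_lists(ip, resolver, zone="zen.spamhaus.org"):
    """Set of list names an IP is on. `resolver` maps a query name to the
    A records returned, or to [] when the name does not exist (not listed)."""
    answers = resolver(dnsbl_query_name(ip, zone))
    return {ZEN_CODES.get(a, "unknown") for a in answers}


def listed_share(ips, resolver, zone="zen.spamhaus.org"):
    """Fraction of client IPs found on each list, the kind of figure behind
    the paper's '10% in CBL, 1% in SBL' observation."""
    counts = {}
    for ip in ips:
        for name in lookup_lists(ip, resolver, zone):
            counts[name] = counts.get(name, 0) + 1
    return {name: c / len(ips) for name, c in counts.items()}


# Constructed offline resolver standing in for real DNS (documentation-range IPs).
FAKE_ANSWERS = {
    "3.2.0.192.zen.spamhaus.org": ["127.0.0.4"],   # XBL/CBL-style listing
    "7.2.0.192.zen.spamhaus.org": ["127.0.0.2"],   # SBL-style listing
}


def fake_resolver(name):
    return FAKE_ANSWERS.get(name, [])


# Constructed set of ten market client IPs; two of them are listed above.
CLIENT_IPS = [f"192.0.2.{i}" for i in range(1, 11)]


def live_resolver(name):
    """Real DNS lookup for production use (needs network; not used offline).
    gethostbyname_ex raises gaierror for NXDOMAIN, which means 'not listed'."""
    import socket
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for ip in CLIENT_IPS:
        print(ip, "->", dnsbl_query_name(ip), lookup_lists(ip, fake_resolver))
    print(listed_share(CLIENT_IPS, fake_resolver))
```

Swapping fake_resolver for live_resolver performs real queries; note that public blocklist operators rate-limit or block bulk lookups from shared resolvers, so a study-scale run needs a direct resolver or a data feed.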


Total wealth of Miscreants

•  Estimation based on assumptions

- Add total losses from credit card fraud and financial theft

- Include only cards with a valid Luhn check digit

- Some are still retained by miscreants

- Remove repetitions

- Only collected from public messaging

•  Reasons



•  Average loss per credit/debit card fraud: $427.50, according to the Internet Crime Complaint Center report (2006)

•  Total wealth from credit cards only: $37M

•  Financial fraud: $56M




•  Enforce laws by:

- Locating and disabling hosting infrastructure

- Identifying and arresting market participants

•  Challenges

•  Multi-national cooperation may be

- time and resource consuming

- Cooperation with foreign law enforcement agencies is difficult

- The market can re-emerge under new administration with new bulletproof

- Political differences


Low cost countermeasures

•  Sybil attack on the market

- Undercutting the participant verification system

•  How..?

•  Sybil generation

- Register as many nicknames as there are verified sellers in the


•  Achieve verified status

- Build up the status of each identity

- At low cost: post or replay credit card data seen in one channel into another


Low cost countermeasures

•  Deceptive sales

- Advertise goods and services for sale

- Ripping

  - request payment and fail to provide the goods or service

- Makes buyers unwilling to pay, since they can't distinguish honest sellers

- Lemon market


Low cost countermeasures

•  Slander attack

•  Eliminate the verified status of buyers and sellers through false defamation

- Reduce the status of honest sellers so that buyers turn to dishonest ones who fail to deliver, hence discouraging the market


Principles of economics


Learning with security in mind

•  Quantifying the security of systems

•  Forecasting and predicting the future state of internet security

•  Understanding the true costs and benefits of deployed security technologies, data breaches and new security protocols

•  Analysing the threat model

•  1,000 compromised hosts for $10,000 = DDoS

•  Estimate global trends that are difficult to measure

- Total number of compromised hosts on the internet







Special thanks

Tom Chothia

You all