With hackers and the security research community constantly finding new ways to break every piece of software that touches the Internet, it's easy to get lost in the endless cycle of hacks and patches and hacks. But one team of Googlers and academic researchers has stepped back from that cycle to take a broader view of the maelstrom of scams, fraud and theft online. The result is a portrait of the digital underworld that goes beyond the traditional idea of corporate security to sketch the entire supply chain of online crime from hacking accounts to cashing out, focusing on where that chain can be weakened or snapped.
In a research paper published Thursday on Google's security blog, a group of researchers from Google's fraud and abuse group and six universities pulled together a kind of meta-study on the anatomy of the cybercriminal underground, focusing on illicit sub-industries like spam, click fraud, scareware, ransomware, and credit card theft. None of the data in the paper is new. Instead, it reviews years of existing cybercrime research to look for patterns and methods of disrupting those illicit schemes. The researchers' conclusion, perhaps a surprising one for a company as focused on technical security and engineering as Google, is that nuts-and-bolts technological security isn't enough for a company seeking to protect its users. Putting an actual dent in the cybercriminal economy requires using legal and economic strategies to directly attack the weakest points in its infrastructure: everything from botnet takedowns to payment processing.
"Our biggest takeaway is that though a lot of these problems seem intractable from a technical perspective, if you look at this from the supply chain and an economic light, they become solvable," says Kurt Thomas, one of Google's authors on the study. "We wanted to collaborate with external researchers to figure out exactly how criminals make money from the black market and identify their brittle infrastructure that's cost sensitive. If you raise those costs, you disrupt credit card fraud, spam, or these other forms of abuse."
WIRED spoke with Thomas, his fellow Google researcher Elie Bursztein, and their co-authors from New York University and the Universities of California at San Diego and Santa Barbara, asking them to pull a few lessons out of their sweeping study of the Internet's underbelly. Here are their recommendations:
Use the Black Market As A Mirror for Your Security
Rather than endlessly bolstering security against imagined threats, the researchers recommend that companies infiltrate the online black markets inhabited by the actual criminals exploiting their systems. There they can see their own stolen data and hijacked or bot-operated accounts being sold, and even track those commodities' prices. Thomas and Bursztein say that they closely follow the price of the bot-controlled Google accounts used for everything from YouTube and Chrome Web Store spam to fake reviews of malicious Android apps to hosting phishing sites on Google Drive. (They declined, however, to name the actual cybercriminal markets that they monitor.)
"We use black markets as an oracle into how well our defenses are doing," says Thomas. "Our systems are directly reflected in the price of those accounts. If the prices are going up, we know we're doing something right. If the price falls, there's a problem."
In late 2013, for instance, Google found that the price of a bot-controlled Google account had fallen from around $170 per thousand accounts to just $60 per thousand. By analyzing their sign-ups, they were able to see that close to a quarter of the bot accounts had signed up using VoIP phone numbers, a cheap way to circumvent Google's method of limiting accounts to individual humans by tying them to phone numbers. So Google blocked certain commonly abused VoIP services, and by doing so raised the price of the zombie accounts by between 30 percent and 40 percent. "When we cracked down on VOIP and criminals had to go back to using SIM cards, we significantly undercut their profit margins," says Thomas. "By targeting that specific bottleneck, we can improve things across the company."
Attack Fragile and Expensive Criminal Infrastructure
As in that VoIP example, the Google researchers recommend finding the point in the cybercriminal process where a single intervention can cause the biggest business disruption or price increase. But that point isn't always in a company's own software. In many cases, the researchers suggest reaching beyond product defense to attack criminal infrastructure and even criminals themselves. "We want to move people from a whack-a-mole strategy of finding a hole and fixing it to striking at key players in the marketplace to make abuse fundamentally less profitable," says Thomas.
That's an unexpected approach from Google, which is better known for traditional, vulnerability-focused security. The company has long paid some of the largest "bug bounty" rewards to hackers revealing vulnerabilities in its code, and employs a group of highly skilled hackers known as Project Zero to find those vulnerabilities in its own code and that of other companies.
In some cases, this new approach means working with law enforcement to target specific criminals and partnering in investigations that lead to their arrest. But the researchers admit that individual criminals can be surprisingly elusive: they cite Microsoft's still unclaimed $250,000 bounty for the authors of the infamous Conficker worm and the FBI's still-standing $3 million bounty for Zeus trojan developer Evgeniy Mikhailovich Bogachev. Additionally, arrested cybercriminals are often immediately supplanted by competitors. The researchers also suggest botnet takedowns through domain seizures, but note that the tactic can lead to collateral damage, like Microsoft's controversial No-IP purge last year.
The most effective infrastructure point to attack, they suggest, may be payment systems. Pressuring banks and payment processors to drop shady customers can entirely cut off the ability of a spam or click-fraud campaign to actually generate profit, forcing the operators to search out another processor among the limited number that tolerate crime, or to switch to a more limited payment mechanism like bitcoin. "It takes months to set up these kinds of relationships," says Giovanni Vigna, a computer science professor at UCSB who collaborated on the study. "Hitting that relationship through legal means inflicts the maximum amount of pain."
Collaborate With Academics
Looking at the whole criminal economy to find the ideal point of attack usually means talking to people outside your own company. That means collaborating with competitors, law enforcement, and, in Google's view most importantly, university researchers. It also means cozying up to academia with grants and internship programs. "We like universities because they're neutral ground, they're very useful to work with, and they help as many companies as they can," says Bursztein. "Combatting the black market isn't something you can do by yourself."
It's no coincidence that this tip comes from a study in which Google partnered with half a dozen universities. But Thomas emphasizes that university researchers don't usually have a product to push or an agenda, as most security vendors or other tech companies do. And University of California at San Diego computer scientist Stefan Savage points out that academics have more legal and public relations leeway to dive into darker corners of the black market, allowing them to venture into questionable practices like purchasing illicit products to track criminals. "We have freer rein," says Savage, another of the study's co-authors. Unlike Google, he says, "there's no risk of brand impact for us when we buy counterfeit drugs and map the flow of money to banks in Azerbaijan and Eastern Europe."
But more importantly, says Savage, academics can give companies the perspective that's missing when a security or fraud team is wrapped up in day-to-day firefighting. "Practically everyone employed by a company in an abuse group is working in a mode of constant crisis," says Savage. "Very few have the luxury of taking a step back to study a problem for a year. We can."
Here's the Googlers' and university researchers' full study: