A safer society through a deeper understanding of cybercriminals

April 4, 2024

Michele Campobasso's research strengthens law enforcement and security companies' defense potential

Digitalization has a huge impact on society. It has allowed numerous new products and services to enter the market. Many of these make our lives better and more enjoyable. Who would want to go back to the days before there were online route planners? Or think of the ease with which we conduct work meetings via Teams, or order a meal by touching a screen a few times. But digitalization also comes with risks: it offers plenty of new opportunities for cybercriminals. Online forums in the dark and deep web are home to these criminals. From here they organize attacks and trade criminal products such as computer viruses and stolen credit cards. PhD researcher Michele Campobasso investigated whether these forums can be better studied and monitored. Law enforcement and security companies could thereby protect citizens and businesses even better. He defended his thesis on Thursday, March 7, 2024.


It is not easy to get meaningful information from underground forums. There is certainly no shortage of underground communities. But many of them mostly trade obsolete and ineffective products. Plus, participants often scam each other. These kinds of markets hardly offer a serious threat. But a time-consuming investigation precedes such a conclusion. Moreover, underground communities technically go to great lengths to prevent law enforcement officials from extracting information from them. Campobasso's research therefore focused on two questions: how can we identify which cybercriminal markets support trade in innovative and truly effective criminal products and services? And how can we monitor their activities to evaluate their potential threat?

Three steps to getting the right answers

Campobasso decided to split the problem into three pieces. First, he mapped out what an "interesting market" looks like. To do this, he did a preliminary study to determine the relationship between a market's exclusivity (how difficult it is to access) and the quality of the products offered. In addition, he investigated how information can be systematically extracted from these types of communities. For this, he implemented prototype software that can acquire data from multiple underground markets without being caught.

Campobasso's second step was to clarify what a relevant threat looks like and what danger it poses. He identified an emerging market offering an innovative criminal service (which he named ‘Impersonation-as-a-Service’, IMPaaS), which he then studied closely to find out how it operated. He collected live data from the market to get an estimate of revenue, number of victims and customer preferences. From this, he was able to conclude that IMPaaS is a mature service and threat, primarily affecting the richest areas of the world, and that attackers can use this service to steal from victims with deadly ease. IMPaaS is especially dangerous because it specifically targets people who do not have much experience with computers.

Third, Campobasso focused on better understanding the differences between markets that can support the emergence and distribution of serious threats (such as IMPaaS), and those that cannot. He investigated the trust issues that a buyer and a seller face when trading criminal products (for example, they cannot contact the police if they have been scammed when buying stolen credit cards), and how underground markets mitigate these problems. With this information he established a preliminary framework. This can be used to evaluate which markets are more likely to contain IMPaaS-like threats and which are not.

Keeping up with the evolutions in cybercrime

Campobasso’s work clearly portrays the diversity of underground markets. But despite that diversity, it proves to be possible to monitor the fraction of markets "that matters". This information could ease the monitoring of criminal activity and make intervention more effective. Furthermore, it increases the understanding of how criminals think, allowing society to keep up with the evolutions of cybercrime.

Title of PhD thesis: Understanding and Characterizing the Cybercriminal Ecosystem Enabling Attack Innovation at Scale
Supervisors: prof.dr. Sandro Etalle, dr. Luca Allodi

Media contact

Anke Langelaan
(Science Information Officer)
