2011-04-01
Abstract
Martijn Grooten presents a round-up of the first annual APWG eCrime Researchers Sync-Up.
Copyright © 2011 Virus Bulletin
The first annual eCrime Researchers Sync-Up, organized by the Anti-Phishing Working Group (APWG) in conjunction with University College Dublin’s Centre for Cybercrime Investigation, was described as ‘a two-day exchange of presentations and discussions related to eCrime research in progress – and for networking of researchers within the disciplines that are defining the eCrime research field today’. However, when I first looked at the programme for the Sync-Up, I have to admit to thinking that it might be too much of an academic event.
I wasn’t worried about my own presentation (on evaluating spam filters) not being academic enough – in fact, having spent some time in academia, I thought this would be a good opportunity to dust off my mathematical notations to make simple things look a little more complicated. Rather, cybercrime is a very serious issue and I didn’t believe it would benefit greatly from being discussed on a purely academic level.
However, I needn’t have been concerned – not only were the participating academics involved up to their elbows in the task of fighting online threats on a daily basis, but participants came from all areas of the field: from those dealing with user education, via those whose job it is to protect the users, to those involved in hunting down the cybercriminals and bringing them to justice. There were also representatives of perhaps the most prominent victims of online crime: financial institutions. In fact, many of the participants wore multiple hats.
The benefit of having such a broad range of participants became obvious during a discussion of the naming of malware families and botnets. When it was suggested that this was an exercise of little relevance in today’s world of fast-changing threats (the naming practice dating from an era when just a handful of new samples were seen every day), a delegate who worked with law enforcement agencies stood up and said that, for them, naming and labelling is extremely important: these agencies frequently have to decide which are the most relevant threats and where they should dedicate their limited time and resources: Stuxnet, Rustock, ZeuS or perhaps a gang of eBay fraudsters?
Having a good idea of which are the biggest threats, and which are linked, is essential for making such decisions. It is thus important to have a good idea of the size of threats, from spam to botnets, and to represent these correctly. Presentations by Trend Micro’s David Perry, APWG’s Pat Cain and Randy Vaughn of Baylor University dealt with some aspects of the far from trivial task of threat measurement.
Indeed, a lack of resources is a constant struggle for those working in law enforcement and the current economic downturn and subsequent public sector cuts have not made things any easier. But, rather than bemoan the difficult nature of their jobs under such circumstances, participants discussed ways in which they could use resources more effectively and ways to convince both governments and the general public about the severity of these online threats.
The fact that online crime is a serious problem was demonstrated by data showing that, in the US, the amount of money lost per year through online crime is significantly greater than the amount lost through bank robberies. If nothing else, the data reinforced the idea that collaboration is needed to drive forward the fight against cybercrime – and a proposal to set up an ‘eCrime Collaborative Research Center’ was examined in a roundtable discussion.
For those, like me, who do not dissect malware and botnets on a daily basis, a presentation on the Patcher rootkit was particularly interesting. It certainly showed that phishing has evolved a great deal since the days when websites only vaguely resembled those of banks and victims were expected to fill in their credit card details, their social security number and their PayPal password.
Patcher ‘patches’ a number of Windows files in a near-undetectable way so that traffic between the user and their bank is intercepted and modified. Not only does the malware steal money from the user’s account, it also hides these transactions and modifies the account balance whenever the user visits the bank’s website.
With researchers digging so deep into the crooks’ systems, it is easy to lose sight of the ethical principles guiding IT research, and this topic was addressed in a presentation by Erin Kenneally of eLCHEMY Inc.
But fighting cybercrime is not just about fighting specific gangs or detecting specific pieces of malware. Just as important, both in the fight against crime and in the protection of users, is detecting and blocking the tools used by the crooks.
One example of such a tool is fast-flux DNS, where malicious domains point to constantly changing IP addresses to prevent detection and make the corresponding websites less vulnerable to actions against the hosts. Marc Vilanova, of la Caixa, described a method to track such networks, while other presentations dealt with IP reputation using network topology estimation and botnet detection and remediation.
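As an added illustration of the fast-flux behaviour described above (this is example code written for this article, not Marc Vilanova's method or any tool mentioned at the Sync-Up), the script below scores a domain from a series of observed DNS answers. It assumes a monitoring resolver has recorded, for each lookup, the A records returned and their TTL; the lookups, the /16-prefix proxy for network diversity and the thresholds are all constructed for the example and would need tuning (ideally with real ASN data and an allowlist for known CDNs) before use.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Lookup:
    """One observed A-record answer for a domain (constructed sample data)."""
    domain: str
    ts: int               # seconds since the start of the observation window
    ttl: int              # TTL the resolver returned for this answer set
    ips: Tuple[str, ...]  # A records in the answer


# Assumed thresholds for this example; not figures from the article.
MIN_DISTINCT_IPS = 5        # many different hosts answer for one name
MIN_DISTINCT_PREFIXES = 3   # spread across unrelated networks
MAX_TTL = 300               # short TTLs let the operator rotate hosts quickly


def prefix16(ip: str) -> str:
    """Cheap stand-in for ASN lookup: the /16 the address falls in."""
    return str(ip_network(f"{ip}/16", strict=False))


def flux_features(lookups: List[Lookup]) -> Dict[str, dict]:
    """Group lookups by domain and compute fast-flux indicators for each."""
    by_domain: Dict[str, List[Lookup]] = defaultdict(list)
    for lk in lookups:
        by_domain[lk.domain].append(lk)

    report: Dict[str, dict] = {}
    for domain, obs in by_domain.items():
        obs = sorted(obs, key=lambda o: o.ts)
        distinct_ips = {ip for o in obs for ip in o.ips}
        prefixes = {prefix16(ip) for ip in distinct_ips}
        min_ttl = min(o.ttl for o in obs)
        # How often the answer set changed between consecutive lookups.
        changes = sum(1 for a, b in zip(obs, obs[1:]) if set(a.ips) != set(b.ips))
        fast_flux = (
            len(distinct_ips) >= MIN_DISTINCT_IPS
            and len(prefixes) >= MIN_DISTINCT_PREFIXES
            and min_ttl <= MAX_TTL
        )
        report[domain] = {
            "distinct_ips": len(distinct_ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl,
            "answer_set_changes": changes,
            "fast_flux": fast_flux,
        }
    return report


# Constructed observations using documentation/benchmark address ranges.
# cdn.example: round-robin inside one network, as a legitimate CDN might do.
# flux.example: a new set of hosts in unrelated networks on every lookup.
SAMPLE_LOOKUPS = [
    Lookup("cdn.example", 0, 60, ("203.0.113.10", "203.0.113.11")),
    Lookup("cdn.example", 60, 60, ("203.0.113.11", "203.0.113.12")),
    Lookup("cdn.example", 120, 60, ("203.0.113.12", "203.0.113.10")),
    Lookup("flux.example", 0, 300, ("198.51.100.7", "192.0.2.44", "203.0.113.200")),
    Lookup("flux.example", 300, 300, ("198.18.5.9", "198.19.77.3", "198.51.100.130")),
    Lookup("flux.example", 600, 300, ("192.0.2.91", "203.0.113.5", "198.18.200.1")),
]

if __name__ == "__main__":
    for name, feats in flux_features(SAMPLE_LOOKUPS).items():
        print(name, feats)
```

Note that a short TTL or a changing answer set alone proves nothing: content delivery networks do both. It is the combination of churn with hosts scattered across unrelated networks that is characteristic of a flux network, which is why the verdict requires all three indicators.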
Phishing is traditionally seen as a threat involving email and websites, and these subjects were discussed as well. A presentation by Richard Urbanski of AIB dealt with avoiding automated detection by using ‘homoglyphs’ (for instance by substituting the Cyrillic ‘a’ for the Latin ‘a’), while Brendan Bowles, of University College Dublin, discussed language models to detect phishing.
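To make the homoglyph problem concrete, here is an added detection example (written for this article, not Richard Urbanski's or AIB's code) that flags a domain label when it mixes scripts or when, after mapping look-alike characters to their Latin counterparts, it collapses onto a protected name. The confusable table, the protected-name list and the sample labels are constructed for the example; a real deployment would use the full Unicode confusables data rather than this subset.

```python
import unicodedata
from typing import Dict, Optional, Set

# Illustrative subset of characters that render like Latin letters
# (constructed for this example; the real Unicode confusables list is far larger).
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                                               # Greek
    "0": "o", "1": "l",                                                         # digits
}
MULTI_CHAR = {"rn": "m", "vv": "w"}   # letter pairs that resemble one letter

# Names a defender wants to protect (constructed list).
PROTECTED = {"paypal", "example"}


def to_ascii(domain: str) -> str:
    """Wire form of an internationalised domain (xn-- labels)."""
    return domain.encode("idna").decode("ascii")


def to_unicode(label: str) -> str:
    """Decode a punycode label back to Unicode; plain labels pass through."""
    return label.encode("ascii").decode("idna") if label.startswith("xn--") else label


def scripts_used(label: str) -> Set[str]:
    """Set of Unicode script names (LATIN, CYRILLIC, ...) of the letters in a label."""
    found: Set[str] = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        if name:
            found.add(name.split(" ")[0])
    return found


def skeleton(label: str) -> str:
    """Map look-alike characters to Latin so visually similar labels compare equal."""
    s = "".join(CONFUSABLES.get(ch, ch)
                for ch in unicodedata.normalize("NFKC", label.lower()))
    for seq, rep in MULTI_CHAR.items():
        s = s.replace(seq, rep)
    return s


def analyze_label(label: str) -> dict:
    uni = to_unicode(label).lower()
    scr = scripts_used(uni)
    sk = skeleton(uni)
    impersonates: Optional[str] = next(
        (brand for brand in PROTECTED if sk == brand and uni != brand), None)
    return {
        "label": uni,
        "scripts": sorted(scr),
        "mixed_script": len(scr) > 1,
        "skeleton": sk,
        "impersonates": impersonates,
        "suspicious": len(scr) > 1 or impersonates is not None,
    }


def analyze_domain(domain: str) -> dict:
    """Inspect the first label of a domain, the one a phisher usually plays with."""
    return analyze_label(domain.split(".")[0])


if __name__ == "__main__":
    # Constructed samples: Cyrillic a in place of Latin a, a digit for a letter,
    # and the genuine name for comparison.
    for d in ("p\u0430ypal.example", "paypa1.example", "paypal.example"):
        print(to_ascii(d), analyze_domain(d))
```

The two checks catch different tricks: the mixed-script test fires on the Cyrillic substitution even if the resulting skeleton matches no protected name, while the skeleton comparison catches single-script look-alikes such as a digit one for a lower-case L, which no script test will ever see.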
As demonstrated by recent examples of previously silenced botnets being resurrected, and disconnected spammers continuing to ply their trade, the only effective way to stop cybercriminals is to find them, arrest them and bring them to court. This is something that requires more than simple cooperation between researchers, industry experts and law enforcement agencies; it also requires significant technical knowledge among the latter group.
I was therefore particularly interested to learn that a number of universities – University College Dublin, host of the event, among them – have set up courses on cybercrime specifically for law enforcement. These courses are essential, not just to educate a new generation of police officers, but also to educate existing officers, for whom dealing with cybercrime has become an increasingly prominent part of their work, yet who often lack the knowledge required to deal with it.
There are many events dealing with the fight against cybercrime; indeed, in the same week as the APWG Sync-Up another anti-cybercrime event took place in London. It is important that these events are organized and that experts get plenty of opportunities to meet.
For an event to be successful, it is important not just for the talks to be of good quality, but also for there to be ample time for discussion. At the APWG Sync-Up there were plenty of such opportunities for discussion, and I left Dublin not just with the pleasing feeling of having met many friendly and like-minded people, but also with fresh inspiration to continue my daily job.