The Underground World Wide Web - Chrysovalantis Christodoulou - PowerPoint PPT Presentation

SLIDE 1

The Underground

Chrysovalantis Christodoulou

SLIDE 2

World Wide Web

28/04/2020 12:06 PM CS682-The Underground 2

SLIDE 3

Trafficking Fraudulent Accounts: The Role of the Underground Market in Twitter Spam and Abuse

Kurt Thomas†, Damon McCoy‡, Chris Grier†∗, Alek Kolcz, Vern Paxson†∗

† University of California, Berkeley; ‡ George Mason University; ∗ International Computer Science Institute; Twitter

{kthomas, grier, vern}@cs.berkeley.edu, mccoy@cs.gmu.edu, ark@twitter.com

SLIDE 4

Overview

❑ What are the most popular websites?

  • Facebook, Google, Twitter, Instagram, etc.

➔ Perfect target for abuse (fraud advertising, fake news, etc.)

❑ Need for fraudulent, spam accounts

“Twitter has shut down up to 70 million fake and suspicious accounts” - BBC, 2018

SLIDE 5

Contributions

  • 1. Study the organization of the underground market by monitoring 27 merchants profiting from the sale of Twitter accounts
  • 2. Study merchants’ techniques for bypassing registration defenses and how barriers affect the accounts’ price
  • 3. Implement a classifier to identify fraudulent accounts
  • 4. Study the impact of the classifier on Twitter spam

SLIDE 6

Methodology

  • Tracking merchants selling Twitter accounts
  • Purchasing from merchants
  • Analyze the market

SLIDE 7

Identify Merchants

❑ Total Number of identified Merchants: 27

[Bar chart: Merchants Distribution. Categories: Own Website, BlackHat Forums, Freelance sites. Data labels: 10, 5, 12]

48 Hours Support

SLIDE 8

Purchasing from Merchants

❑ 144 orders -> 120K accounts ~ $5000
❑ Bi-weekly basis from June 2012 – April 2013
❑ Price Range: $1-20
❑ Payment Methods:

SLIDE 9

Periods-Prices

Table 1: List of the merchants we track, the months monitored, total purchases performed (#), accounts purchased, and the price per 100 accounts. Source of solicitations include blackhat forums†, Fiverr, and Freelancer and web storefronts‡

SLIDE 10

Analysis

❑ Price: $0.04 (median account price)
❑ Delivery: 1 day (median time before accounts arrive)
❑ Fraud: 13% (accounts resold, i.e. accessed after sale)

➔ Excellent Service

SLIDE 11

Analysis (cont.)

Few changes in prices due to high availability

SLIDE 12

Analysis – Price Comparison

❑ Prices from buyaccs.com

| Web Service | Price Per Thousand |
| --- | --- |
| Hotmail.com (resale*) | $2 |
| Hotmail.com | $4 |
| Yahoo | $6 |
| Twitter | $20 |
| Google (PVA)** | $100 |
| Facebook (PVA)** | $100 |

* Resale indicates an account that was previously used
** PVA - Phone Verified Account

SLIDE 13

Existing Defenses

❑ IP blacklisting, throttling
❑ Email challenge-response
❑ CAPTCHAs
❑ Phone verification

Merchants can circumvent those approaches

SLIDE 14

IP Blacklisting - Bypass

❑ Purchased accounts with a unique registration IP: 79%

| Registration Origin | Popularity |
| --- | --- |
| India | 8.50% |
| Ukraine | 7.23% |
| Turkey | 5.93% |
| Thailand | 5.40% |
| Mexico | 4.61% |
| Other | 68.33% |

Usually low-cost services

SLIDE 15

Email Confirmation - Bypass

❑ 77% of accounts were verified by a unique email address
❑ Hotmail & Yahoo prices: $6 per thousand

Average Twitter price without confirmation: $30
Average Twitter price with confirmation: $47

SLIDE 16

CAPTCHAs - Bypass

❑ ~35% of the purchased accounts solved a CAPTCHA
❑ Increases the cost of accounts
❑ ~92% of the attempts fail

But they don’t really care because it’s an automated process

SLIDE 17

Detecting Fraudulent Accounts (Classifier)

❑ Purely based on registration signals
❑ Train on 120K purchased accounts

Features:

  • 1. Automatically generated naming regex, e.g. Name: Maria Andreou, Screen name: mariaksda, Email: MariaAasdlka912@hotmail.com
  • 2. Sequence of registration events, e.g. E1, E2, E3, ..., EN (from Welcome Screen to Registration Complete)
  • 3. Time of registration: Timing = δfinish – δstart
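A simplified sketch of the three registration-time signals listed above, added here as an example; it is not the paper's classifier or code from the presentation. The character-class template stands in for the automatically generated naming regex, and the field names, event labels and sample records (apart from the slide's own example email) are constructed assumptions.

```python
from itertools import groupby

def char_class(c):
    if c.isdigit():
        return "d"
    if c.isalpha():
        return "U" if c.isupper() else "l"
    return "s"

def template(text):
    # Collapse runs of one character class: "MariaAasdlka912" -> "UlUld"
    return "".join(k for k, _ in groupby(text, key=char_class))

def features(reg):
    local = reg["email"].split("@", 1)[0]
    timing = reg["finish"] - reg["start"]  # Timing = finish - start, in seconds
    return template(local), tuple(reg["events"]), timing

def learn_signatures(purchased, min_support=2):
    """Map (naming template, event sequence) -> (min, max) timing seen in purchases."""
    groups = {}
    for reg in purchased:
        tpl, events, timing = features(reg)
        groups.setdefault((tpl, events), []).append(timing)
    return {k: (min(v), max(v)) for k, v in groups.items() if len(v) >= min_support}

def is_suspicious(reg, signatures):
    # Flag only when naming pattern, event flow and timing all match a signature.
    tpl, events, timing = features(reg)
    bounds = signatures.get((tpl, events))
    return bounds is not None and bounds[0] <= timing <= bounds[1]

# Constructed sample data (not from the paper); first email is the slide's example.
FLOW = ["welcome", "form_submit", "complete"]
PURCHASED = [
    {"email": "MariaAasdlka912@hotmail.com", "events": FLOW, "start": 0, "finish": 4},
    {"email": "JohnBqwerty377@example.com", "events": FLOW, "start": 100, "finish": 103},
    {"email": "AnnaCzxcv55@example.com", "events": FLOW, "start": 10, "finish": 16},
]
NEW = [
    {"email": "PeterDlkjhg481@example.com", "events": FLOW, "start": 0, "finish": 5},
    {"email": "ElenaFoo123@example.org", "events": FLOW, "start": 0, "finish": 90},
    {"email": "maria.andreou@example.org",
     "events": ["welcome", "form_submit", "email_confirm", "complete"],
     "start": 0, "finish": 95},
]

if __name__ == "__main__":
    sigs = learn_signatures(PURCHASED)
    for reg in NEW:
        print(reg["email"], is_suspicious(reg, sigs))
```

The second new registration shares the naming template and event flow of the purchased accounts but takes 90 seconds, so it is not flagged; requiring all three signals to agree is what keeps a human with a similar-looking address out of the result.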

SLIDE 18

Classifier Performance

Precision: 99.99% (percentage of identified accounts that are spam)

Recall: 95.08% (percentage of all spam accounts that are detected)

→ Really good performance

SLIDE 19

Recall Over Time

Need for continuous purchasing

SLIDE 20

Impact on Twitter

❑ Apply the classifier to all accounts registered between April 2012 – April 2013
❑ Detect several million spam accounts
❑ 27 merchants were responsible for 10-20% of all detected spam accounts

SLIDE 21

Impact on Twitter (cont.)

Estimated Revenue: $127-459K

SLIDE 22

Disrupting the Market?

❑ Monitoring False Positives

  • Check how many users complained about the suspension of their accounts
  • Achieved Precision: 99.9942%

❑ Monitoring Market immediately after the application of the detector

“All of the stock got suspended ... Not just mine .. It happened with all of the sellers .. Don’t know what twitter has done ...” - buyaccountsnow.com, April 10, 2013

“Temporarily not selling Twitter.com accounts” - buyaccs.com, April 06, 2013

SLIDE 23

Market Fallout & Recovery

❑ Immediately after application of the algorithm → 90% of accounts suspended
❑ 2 weeks after application of the algorithm → 50% of accounts suspended
❑ The market recovers relatively fast, but the authors manage to disrupt it

SLIDE 24

Conclusions

❑ Buying accounts is relatively easy
❑ The market is responsible for 10-20% of spam accounts on Twitter
❑ The market generates $127K-459K revenue per year
❑ The market bypasses defenses, but the cost of accounts gets higher
❑ The proposed machine learning classifier achieves great, but temporary, results
❑ Stronger defenses are required after registration

SLIDE 25

PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs

Damon McCoy, George Mason University; Andreas Pitsillidis and Grant Jordan, University of California, San Diego; Nicholas Weaver and Christian Kreibich, University of California, San Diego, and International Computer Science Institute; Brian Krebs, KrebsOnSecurity.com; Geoffrey M. Voelker, Stefan Savage, and Kirill Levchenko, University of California, San Diego

SLIDE 26

Overview

[Diagram. Actors: User (Customer), Affiliate Program (Seller), Affiliate Marketer (Spammer). Interactions, numbered 1 to 3 in the diagram: Spam Email, Purchase/Delivery, Buy Services (Commission)]

SLIDE 27

Contributions

❑ The contribution of the paper is in its results

Main Goal: An extensive study of the pharmacy affiliate programs, because they are a major sponsor of spam (email and web), in order to understand their main aspects and, ultimately, disrupt the whole market

SLIDE 28

Affiliate Programs

❑ Affiliate programs operate as a normal business and thus have the same needs:

  • 1. Good relationship with marketers
  • 2. Good relationship with suppliers (goods and shipping)
  • 3. Ease of payment processing

➔ Let’s analyze these aspects!

SLIDE 29

Methodology

  • Leaked Datasets
  • Analyze Data
  • Outcomes: Customer Demographics, Product Popularity, Affiliates general operation

SLIDE 30

Leaked Datasets

❑ Numerous “leaked” sources of financial and operational data for 3 affiliate programs.

  • Leaked data was a result of competitive hacking “war”

* SpamIt is a fork of GlavMed and is probably operated by the same people

SLIDE 31

Customer Demographics

| Country | Orders | Revenue Rate (%) |
| --- | --- | --- |
| United States | 1,044,173 | 74.8 |
| Great Britain | 88,823 | 6.4 |
| Canada | 53,113 | 3.8 |
| Germany | 39,353 | 2.8 |
| Australia | 31,918 | 2.3 |
| France | 29,581 | 2.1 |
| Italy | 15,406 | 1.1 |
| Switzerland | 10,478 | 0.8 |
| Spain | 9,578 | 0.7 |
| Sweden | 7,717 | 0.6 |
| Other | 65,277 | 4.6 |

| Affiliate Program | Repeated Customers Revenue (%) |
| --- | --- |
| GlavMed | 27 |
| SpamIt | 38 |
| RX-Promotion | 9-23 |

Repeated customers show satisfaction

SLIDE 32

Product Demographics

SpamIt *Without ED products

SLIDE 33

Affiliates General Operation – Payments

Lose relationship with payment method (VISA)

SLIDE 34

Affiliates General Operation – Registrations

  • Avg. new customers for:
    GlavMed/SpamIt = ~3,500/week
    RX-Promotion = ~1,500/week

Market is growing

SLIDE 35

Affiliates General Operation - Marketers

❑ Marketers controlling botnets:

  • 1. Rustock, botnet operator earned over $1.9M
  • 2. Scorrp2, earned over $3M (operates multiple botnets)
  • 3. MegaD, botnet operator earned $308K (one of the largest botnets)

Who dominates this market?

❑ Web-Based Advertising

  ✓ Webplanned earned over $4.6M

SLIDE 36

Affiliates General Operation – Commissions

❑ GlavMed & RX-Promotion have a lot of affiliates with annual commission revenue of $20-$200
❑ Most of the affiliates of the above programs fail
❑ SpamIt is a closed program and follows a different model. A great variety of affiliates get more than $100K annual revenue

* The “dots” on the graph denote the median annualized commissions for that program

SLIDE 37

Affiliates General Operation – Revenue

10% of affiliates (marketers) are responsible for ~80% of the revenue

There are a few very successful affiliates ➔ Potential vulnerability

SLIDE 38

Affiliates General Operation - Profits

SLIDE 39

Affiliates General Operation – Profits (cont.)

ONLY 16.3% is the net profit of the affiliate programs

Pressure to government

Attract Affiliates

SLIDE 40

Affiliates General Operation - PSP

❑ GL, LT and LV are responsible for 84% of all revenue for GlavMed and SpamIt
❑ In the last five months of 2010 it appears that GlavMed/SpamIt experienced significant setbacks in processing capability

Payment services are one of the most fragile components

SLIDE 41

Conclusion

❑ The “Canadian Pharmacy” market is very successful and unsaturated
❑ Most of the customers are located in the U.S.
❑ Most of the products are related to ED
❑ A small number of affiliates (marketers) dominate the market and are very successful ➔ Probably a vulnerability
❑ Three payment service providers are responsible for 84% of the transactions ➔ Another vulnerability

SLIDE 42

Thank you!

Chrysovalantis Christodoulou