Lecture 05 - Cybercrime.pdf

Full Transcript

IT and Society
Lecture 5: Security – Cybercrime

Prof. Jens Grossklags, Ph.D.
Professorship of Cyber Trust
Department of Computer Science
School of Computation, Information and Technology
Technical University of Munich
May 13, 2024
Recap – Societal Privacy

Two lectures ago: GDPR
Last lecture:
– Development of law is a messy and haphazard process
– Privacy activism plays a critical role in various ways to make
data protection a reality
Discussed examples of law „development“ and activism

2
 Lecture 5

Security – Introduction
Focus on Cybercrime

3
An Overview of Cybercrimes

Before discussing, which countermeasures are
appropriate, need to understand the large diversity of
issues
– Combining aspects of traditional crimes with newly emerging
approaches

4
Large Number of Sources
2012

2019

Focus of today‘s lecture

5
What is a Cybercrime? 3 Facets.

Traditional forms of crime such as fraud or forgery, though
committed over electronic communication networks and
information systems
Publication of illegal content over electronic media (e.g.,
child sexual abuse material or incitement to racial hatred)
Crimes unique to electronic networks, e.g., attacks
against information systems, denial of service and
hacking
Definition from “Towards a general policy on the fight against cyber crime”
European Commission 6
What a crime!

A matter for the police?

Should eBay help?

7
Framework to Think about Impact

Source: Measuring the
e.g., a scam e.g., Botnet cost of cybercrime 8
Criminal Revenue

Revenue from crime
– Criminal earnings
– Minus criminal inputs (investments)
Example Phishing:
– Earnings: Money received from victim accounts
– Criminal input: Amount Phisherman pays to spammers or
botnet owners for distributing Phishing mails

9
Direct Losses

Value of (monetary) losses, damage, or other suffering
felt by the victims as a consequence of a cybercrime
Examples:
– Money stolen/withdrawn from victim accounts
– Time and effort to reset account credentials after compromise
(for both banks and consumers)
– Lost attention and bandwidth caused by spam messages

10
Indirect Losses
Value of the losses and opportunity costs imposed on
society by the fact that a certain type of cybercrime is
carried out
– Cannot easily be attributed to individual perpetrators or victims
Examples:
– Loss of trust in online banking, leading to reduced revenues
– Sales foregone by online retailers
– Reduced uptake by citizens of electronic services whether from
companies or governments
11
Defense Cost
Costs of prevention efforts
– Security products
– Security services provided to individuals (e.g., awareness training)
– Security services provided to industry (e.g., website ‘take-down’ services;
fraud detection and recovery efforts)
– Law enforcement
Like indirect losses, defense costs are largely
independent of individual perpetrators and victims, or
types of cybercrime
12
Total Cost of Cybercrime

Sum of direct losses, indirect losses, and defense costs

What is largest of these three parts?

13
Costs >> Cybercriminal Revenue

Criminal revenue is typically significantly lower than direct
losses and much lower than total losses
– Example case:
Botnet earned about $3m a year by promoting unlicensed Viagra sales
on hijacked websites
Cost is about a hundred times that much  responsible for a third of
the world’s spam in 2011 (total spam cost to industry about $1bn a
year)

14
 Sewage works in Etzelmühle

Offline Example

Metal theft (vandalism for profit)
Where is that?
Costs:
– Replacement of damaged/stolen parts
– Shutdown of services, e.g., 155000 minutes train delay in
Germany in 2011
– Prevention (video surveillance)  Investment plan of Euro 85M
for video surveillance by German train service and federal
police
https://www.fr.de/wirtschaft/tonnen-schienen-angebot-11719029.html
https://www.heise.de/newsticker/meldung/Deutsche-Bahn-Videoueberwachung-zahlt-sich-aus-3186103.html
15
High-profile
target?

Worth
protection?

How much?

16
https://www.op-marburg.de/Landkreis/Hinterland/Metalldiebe-schlagen-zweimal-zu
Listing of recent
cyberincidents in
German
communities
(2023/2024)

https://kommunaler-
notbetrieb.de/

Data loss
External influence
Internal cause
External attack
Disruption
(soft-/hardware) 17
Policy Question

Who will (or should) pay to stop cybercrime?

Companies: Investments in protection to reduce direct costs?

Governments: Investments in collective defense?

Citizen: Vigilance & avoidance of “unsafe“ activities, and
individual protection efforts
Opinions?
18
Law Enforcement Challenges

Perpetrators and victims are often in different jurisdictions
– Reducing the motivation and the opportunity for police action
Mutual legal assistance across borders was not intended
for routine police and criminal justice cooperation but for
rare and serious cross-border crimes (except EU)
– Is spamming to sell Viagra a rare and serious cross-border
crime? Is selling unlicensed Viagra online such a ‘rare and
serious’ crime?

19
Mapping the global
geography of
cybercrime (2024)

Focus:
geographical
location of
cybercrime offenders

Based on insights
from international
experts (survey)

https://doi.org/
20
10.1371/journal.pone.0297312
Law Enforcement Reality
(U.S. Perspective)
Potentially thousands of hours in research and cyber forensic analysis:
– Identifying, preserving, retrieving, analyzing and presenting data as a form of evidence
– For evidence to be admissible in court: Police need to obtain a warrant to seize computers etc.
– Special technical skills needed when obtaining and analyzing the evidence (e.g., ability to decrypt
encrypted files, recover deleted files, crack passwords)  Specialized cybercrime units are
assembled (i.e., not possible for regular police departments)
If conviction is successful: sentencing and penalties vary
– Hacking is considered a federal offense (i.e., form of fraud)
Penalty: small fine; or serving up to 20 years in prison
– Spam: Minimum punishment of a fine up to $11,000. Additional fines possible; jail if fraud
– Identity Theft: jail up to 5 years

What crimes/criminals would you pursue, if you work for the FBI?

21
https://us.norton.com/internetsecurity-emerging-threats-how-do-cybercriminals-get-caught.html
Details about Cybercrime Categories
(see Measuring the Cost of Cybercrime
research paper)

22
Online Card Fraud

“Bellwether of online property crime overall”
Big picture:
– Payment fraud has about doubled in total/absolute value since
2012, but it has fallen slightly as a percentage of turnover
Electronic payment systems have gotten much bigger,
and slightly more efficient
– While a large problem, considered to be an “accepted loss” by
financial institutions (convenience overcomes security)
 Hard to fully secure: https://www.usenix.org/conference/usenixsecurity21/presentation/basin
23
Online Banking Fraud

Different mechanisms than online card fraud:
– Phished or stolen credentials (e.g., using malware); mobile malware to
sidestep 2-Factor Authentication
UK figures: Online bank fraud more than doubled, from £51.1M in
2011 to £121.4M in 2017
Authorized push payment (APP) scams: New category with
£236M over 43,875 incidents
– Bank account holder is tricked into transferring money to the fraudster,
who typically poses as a bank employee and uses some combination of
social engineering skills and technical mechanisms
24
In-person Payment Card Fraud
EMV (originally: “Europay, Mastercard, and Visa”):
– Payment method using smart payment cards as technical standard
– Costs of EMV-rollout are large (Billions Euro)
Success: Almost all counterfeit card fraud against
European cards is now at terminals outside the EU
– Need to update payment (point-of-sale (POS)) terminals worldwide!
What will be the long-term trend, once POS
are updated worldwide?

25
Ransomware and Cryptocrime
Ransomware exists about 20 years: Niche crime at first
– Read research by Young/Yung (1996 & 2007): Cryptovirology
and Kleptography
Interesting interaction effect:
– After ransomware malware authors adapted to cryptocurrencies, their
revenues increased substantially
Pure cryptocurrency crimes:
– Ponzi schemes with new emerging cryptocurrencies
– Crypto-mining malware (vs. content payment at websites)
– Fraud (insider), e.g., Mt. Gox; hacking incidents
26
Fraudulent Marketing and
Distribution
Ad Fraud
Unlicensed and patent-infringing pharmaceuticals
Coupon and loyalty-program fraud
Travel fraud

Copyright-infringing software Long-standing discussion
about economic impact
Copyright-infringing music and video
27
Example: Who pays for Ad Fraud?

Total sum
Over 2 Billion
disabled fraudulent
accounts in first
quarter of 2019 at
Facebook
– Once these accounts
are discovered, are
advertisers reimbursed
for ads shown to these
accounts?
– Is “not reimbursing”
fraud?
28
Fake Antivirus and Tech
Support Scams
Fake Antivirus: Being scared into purchasing software
that at best does nothing and at worst leaves your
computer open to other attacks
Complemented by so-called ‘tech support’ scams involve
telephone calls (claim: from ISP or Microsoft)
– Caller explains that some sort of problem with the victim’s
computer has been detection; tries to pressure-sell some (fake)
security software

29
Compromised Email Accounts
Some large-scale breaches: e.g., Yahoo‘s loss of 3 Billion
accounts
Exploiting accounts being done as part of diverse set of
scams
Costs: e.g., business value
– $350 Million reduction in sale price when the breaches came to
light, while Yahoo was sold to Verizon
– Expected court costs and penalties/settlements

Has your email been part of a data breach? How would you find out? 30
‘Fake Escrow’ Scams and Other
Fake Company Scams
Escrow: Third party holds and regulates payment
of funds when two parties or more are involved in
a given transaction
Large variety of scams, for example:
– Majority of the websites offering pedigree puppies for sale are believed to
be fake
– Victims pay not only for a non-existent puppy but also for its air
transportation and then further expenses when the puppy is said to be
stranded at an intermediate airport without food or water

31
Advance Fee Fraud

Victim must pay out a small amount of money (a tax, a
bribe or just a bank account opening fee) in the
expectation of a large sum of money being released
– Also referred to as ‘419 fraud’ after the relevant article of the
Nigerian criminal code
– Large number of formats
Cormac Herley (Microsoft Research): Why are scam
emails so “silly“?  Try to identify most gullible people
32
 Business Email Compromise

Scam Process:
– Fraudulent email message being sent to a company's financial manager,
comptroller, or someone else with authority to execute wire transfers
– Email falsely claims to be from the CEO or other person of authority within
the company and instructs the receiver to initiate a wire transfer to a
foreign bank account under control of the criminal
Successful because they prey on the
victim’s instinct to respond quickly to a
request from a person of authority in U.S. Data (FBI IC3)
the company
For 2020 IC3 data: https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
33
Recent variation: https://www.microsoft.com/security/blog/2021/05/06/business-email-compromise-campaign-targets-wide-range-of-orgs-with-gift-card-scam/
 Telecom-related Fraud
including PABX Fraud
Communications Fraud Control Association (CFCA)
publishes data on fraud losses associated with telephony,
both fixed and mobile
– Costly calls are now mainly to premium rate numbers both
domestic and international
Good news: Down to $29.2 Billion (2017 report data), with
a fall of 23.2% from 2016

PABX = Private Automatic Branch Exchange 34
Industrial Cyber-espionage
and Extortion
Conjecture: Enormous problem
– Criminal cases in court
– But impact hard to measure
For example: Failure to find any case with quantifiable losses where a
drug company could not file a patent because of unauthorized prior
disclosure, or any major software copyright infringement cases brought
by western tech firms against international competitors (e.g., from China)
Extortion: Previously mentioned ransomware cases
– Industrial facilities that went offline due to ransomware
35
Fiscal Fraud

Tax fraud and welfare fraud
– Computer crime under the EU definition, as almost all tax
returns and welfare claims are now online in many countries
Third-party tax fraud
– Criminals impersonating citizens by electronically filing
fraudulent tax returns
– Billions of U.S. $ in damages just in the U.S. system

36
Other Frauds and Scams

Think creatively:
– Just about every business-to-business, business-to-consumer,
and consumer-to-consumer transaction in any type of economic
activity from auctions to travel is subject to fraud
Abusive competition:
– Submitting negative reviews about competitors
Romance scams
– Related to Nigerian 419 scams
37
Overview and Estimates

What is surprising?

38
Large-scale Victimization Studies

39
U.S. National Crime
Victimization Study (NCVS)
Supplement survey on U.S. identity theft: Credit card and bank
account fraud
– About 10% of American residents affected in 2016 (7% in 2014)
– About half were contacted by their institution about suspicious activity; other half
noticed fraudulent charges or missing money
– Only about a quarter knew how the compromise occurred
– Most (88.4%) dealt with their bank and some (6.8%) with the police
– Only 12% ended up suffering losses: 15% (of these 12%) made substantial
losses ($1,000 or more)

40
UK Victimization Study by
Office of National Statistics

Survey only added cybercrime component in 2015
– Created a substantial discontinuity in the data: Previously, it
was believed that overall victimization was sinking;
apparently an illusion
Inclusion of fraud and computer offenses has
increased the total from about 6 million offenses to
about 11 million offenses

41
Takeaways – Questions
How do we „manage“ this huge diversity of cybercrimes?
– How to invest more effectively?
Protection
Mitigation/Recovery/Self-Insurance
Risk-transfer/Cyber-Insurance
Do nothing
– Similar to privacy: Substantial externalities (e.g., bots)
Can we deal with niche crimes; especially if
originating in different jurisdictional settings?
42
It‘s time to leave. The End. For Today.

See you next week in two weeks.

43