Narcos, Counterfeiters and Scammers: An Approach to Visualize Illegal Markets

Presented at Black Hat Europe 2016, Nov. 3, 2016, 2:30 p.m. (60 minutes)

Counterfeiting is a global issue - one that has become even more complex as this illegal activity has moved online. Cybercriminals create thousands of websites round-the-clock - at almost no cost - as part of their digital marketing strategy to lure unsuspecting shoppers. These fraudsters often stay one step ahead of law enforcement's countermeasures by using false identities and proxies to buy domain names in multiple countries. They are able to react quickly to takedown efforts. If need be, they can set up replacement websites within minutes thanks to an architecture of backup servers.<br> <br> To prevent scams or abuses, some typically monitor domain registrations and watch for new domain names. This way they hope to identify websites that could, in the future, be host to malicious activity. Unfortunately, this approach has several limitations that we will spell out in our presentation. For instance, the data source used – TLD zonefiles mainly – does not disclose subdomains when some potentially harmfull websites are hosted there. At the contrary, DNS requests disclose fully qualified domain names.<br> <br> In "Narcos, Counterfeiters and Scammers: An Approach to Visualize Illegal Markets," Andrew Lewman and Stevan Keraudy will present their new research which offers a more effective approach based on the analysis of billions of DNS requests that goes far beyond traditional zonefile studies.<br> <br> We will share our methodology, which includes an automatic detection, analysis and clustering of illegal websites in order to find relevant information on fraudsters and their online strategy. For a given example, we filtered data from over a billion DNS cache miss requests a day to a few thousand counterfeit websites. Among those, we identify several hundred of domain names that belong to the same illegal organization. We will present our results during the talk. To illustrate our method, we will present use cases on counterfeiters, narcos and scammers networks.


  • Stevan Keraudy - CTO, CybelAngel
    Stevan Keraudy is the Co-Founder & CTO of CybelAngel, a startup specialized in data leaks detection based in Paris, France. He has over a decade of experience in software engineering, data mining and machine learning. Stevan initially created the company's proprietary technology. He has been improving it for the past years. He is now managing a team of a dozen of software engineers and he is leading the R&D team. He holds a MSc in Engineering and Management from University École Centrale and a MSc in Machine Learning and Data Mining from Helsinki University of Technology (now Aalto University). He wrote his Master's Thesis on noise robust speech recognition. Prior to founding CybelAngel, he used to work as an IT consultant for major French banks.
  • Andrew Lewman - CRO, Farsight Security, Inc.
    Andrew Lewman is the Chief Revenue Officer for Farsight Security, Inc. Previously, Lewman served as SVP of Engineering at Norse Corporation, where he managed all aspects of engineering. Prior to Norse, he was the Executive Director and CEO of the Tor Project, a non-profit technology organization that provides online anonymity software tools used by over 2 million Internet users daily in more than 200 countries. Lewman grew Tor from a three-person organization to a company with more than 50 employees and contractors and over 6,000 volunteers in over 89 countries worldwide. Before the Tor Project, he served as VP of Engineering on the original startup team for online IT media firm, TechTarget. Lewman earned his B.S. from Framingham State University.


Similar Presentations: