The Mass Effect: How Opportunistic Workers Drift into Cybercrime

Presented at Black Hat USA 2021, Aug. 4, 2021, 3:20 p.m. (40 minutes).

By focusing on the most visible cybercriminals, our security community often overlooks the impact of massive groups supporting criminal activities. Yet, these groups act like the "mass effect", where a primary pathology generates an inflating mass that pressures its surroundings, increasing the initial problem's scale. This research was motivated by a desire to uncover the context and motivations of individuals involved in spreading the Geost banking Trojan, and ended with large-scale statistical analyses of behaviors in an informal online market, one of the largest out there. The market was found to host dubious activities through a hide-in-plain-sight approach.

The research unexpectedly opened up an alternative way of conceptualizing cybercrime economies, one that includes an ordinary working class, involved in any economic activity for the sake of little crumbs of profit. More than that, we realized that the motives of these individuals did not represent the excitement that is traditionally depicted by cybersecurity storytelling, nor did they embody the criminal ethos. What is concerning is rather their aggregated effect, their growing mass.

This presentation shares our research journey, depicting the actors involved in the operation of a botnet, their motivations, challenges, and an analysis of the informal market in which they grounded their criminal activities. By using machine learning techniques and a statistical analysis of the informal market population, we found other similar opportunistic entrepreneurs. The analysis also indicated that the informal market may be a revolving door to underground, more criminally prone communities.

Through this research, we hope to provide researchers, law enforcement officials and policy makers a better grasp on this type of cybercrime economy and a point of view that is closer to what these individuals actually experience.


Presenters:

  • Sebastián García - Assistant Professor, Czech Technical University in Prague, as Sebastian Garcia
    Sebastian Garcia is a network malware researcher and Assistant Professor who has extensive experience in machine learning applied to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect the civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and universities and working on penetration testing for both corporations and governments. He was lucky enough to speak at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCon, Free Software Foundation Europe, VirusBulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace he is a free software advocate who worked on honeypots, malware detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.
  • Masarah Paquet-Clouston - Security Researcher, GoSecure
    Masarah Paquet-Clouston is a PhD candidate in criminology, a security researcher at GoSecure and a collaborator of the Stratosphere IPS project. She is also part of the outreach committee for the NorthSec organization. With her background in economics, criminology, and now cybersecurity, she specializes in the study of online economic crime. She presented at various international conferences including Black Hat USA, DEFCON, RSA, CERT-EU, Sector, NorthSec, and Virus Bulletin.
  • Serge-Olivier Paquette - Senior Manager of Data Science, Secureworks
    Serge-Olivier Paquette is the senior manager of data science at Secureworks. His research focuses on the ability to infer, through machine learning, the context of security events from incomplete information. He also serves as President for Northsec, a non-profit organization that hosts a series of world-class technical cyber security events, held annually in Montreal.
  • María José Erquiaga - Malware Researcher, Czech Technical University in Prague, as Maria Jose Erquiaga
    Maria Jose Erquiaga is a malware researcher from Argentina. She is a researcher at the Stratosphere laboratory at the CVUT, in Prague, Czech Republic and team leader of the Aposemat project, a joint project between the Stratosphere laboratory and Avast. Maria's work has been focused on executing and analyzing malware. She spoke at CACIC, ArgenCon, SIGCOMM, BotConf, WACCO, NotPink, Defcon, Black Hat and Ekoparty. You can follow her on Twitter @MaryJo_E
