The Cambridge Cybercrime Centre‘s seventh one day conference on cybercrime was held on Monday, 10th June 2024. 

Similar to previous “liveblog” coverage of conferences and workshops on Light Blue Touchpaper, here is a “liveblog”-style overview of the talks at this year’s conference.

L. Jean Camp – Global Cyber Resilience Using a Public Health Model of eCrime (Keynote)

Who gets phished? This still hasn’t changed much in 20 years. We still don’t know how people are targeted, or even if they are targeted. People need to identify security indicators, domain names, etc., and this is hard. Current practice with warnings does not provide what people need. While people can learn how to use bad interfaces, we can’t expect people to pay attention all the time and without interruption. Expertise alone is not adequate: LastPass devs were phished. She looked at phishing factors, and asked how good each population was at identifying phishing and legitimate websites, finding familiarity and gender did not have a significant difference for phishing websites, but found familiarity was important for identifying legitimate websites. Later, they asked participants about security expertise. We tend to write warnings for ourselves (security experts), rather than for end users. They also compared risk perception across populations. Overall, they found computer expertise (positive) and age (negative) were the primary factors in identifying phishing pages. How can we learn from public health to provide more effective warnings which work for the wider general population?

Gabriella Williams – Beyond Borders: Exploring Security, Privacy, Cultural, and Legal Challenges in Metaverse Sexual Harassment

PhD researcher in digital identity and age assurance methods to mitigate against virtual harms. The virtual reality environment (metaverse) has new risks and harms, by creating a new environment with anonymity where people can be whoever they want to be. Gabriella asks if sexual harassment is a crime in the metaverse? There is no legal framework currently, and there are varying jurisdictions online. Metaverse has cultural issues, with standing close to someone, making unwanted contact, and inappropriate jokes. How can this be moderated? Lots of issues with collecting metadata on social interactions, biometric data, and security issues with over reliance on automation and threats to authentication and integrity. Their current research is looking at challenges around implementing age assurance, and how identities can be authenticated.

Bomin Keum – The Incel Paradox: Does Collective Self-Loathing Facilitate Radicalisation or Belonging?

What don’t we know and why don’t we know it? We have a hard time agreeing on what radicalisation is, but this is a process rather than instances of extremist violence. Online radicalisation is facilitated through anonymity, perceived strength in numbers, and too much information spread and absorbed quickly. Bomin considers the use of the Us vs Them framework: collectively constructed perception differentiating the in-group from the out-group. Incel communities show negativity within the group as well as out, which is different to other communities. The Us vs Them framework has “us” as self-directed victimhood with men deprived of their “right to sex” whereas the “them” refers to a perception of society giving “too much freedom to women”. What are the self and other narrative framings, and which topics are associated with self vs other narrative frames? Bomin compares 2019 and 2020 datasets around the start of the pandemic. Internal group themes have helplessness and victimisation, whereas outside has unfair advantages and shameful other. Collectively, there are narratives of community, violence, and vision. They note you can’t take discussions at face value, as the language used can be quite extreme and text-level analysis may not reflect intent. Also, there is some shifting from blame to mockery of others. Not all radical actors commit violence but can inform facilitators behind intensification. Applying theories to these communities can be questionable, due to the unique aspects of the communities, and needs further data-driven research to improve on theory.

Jason Nurse – Ransomware Harms and the Victim Experience

Supply chain issue with St. Thomas’ Hospital last week, where a supplier of hospitals was hit by ransomware, and a critical incident was declared in London. Focus in the media on the financial impact, but what are the other harms of this, on both individuals and society? Jason carried out a literature review, and ran workshops and interviews alongside harm modelling to explore effects. What do we know already from the literature, and what can we learn from individuals? Interviews were focused on people who were subject to a ransomware attack or had professional experience of supporting organisations affected by ransomware. This includes cyber insurance organisations, which are now a big player. Gathering qualitative data from interviews, and using thematic analysis. Findings show this is a serious risk for all organisations, including small businesses: “everything you relied on yesterday doesn’t work today”. Can also create reputational harm for organisations. Applying the idea of orders of harm: first-order are harms directly to the person or org, second-order are downstream orgs and individuals, and third-order are the economy and society. Implications include a loss of trust in law enforcement, reduced faith in public services, and normalisation of cybercrime. Other impacts include harms to staff: staff members having to deal with the situation, including overworking to resolve issues. Highlights potential correlations between burnout and cybersecurity issues. Next, Jason looks at how to model harms. They gather data on well publicised events and to establish relationships between harms. This finds many downstream harms: we can more deeply explore harms arising throughout society rather than just “the data was encrypted”.

Ethan Thomas – Operation Brombenzyl and Operation Cronos

DDoS for hire continues to be a threat, enabling easy attacks against infrastructure, and these are targeted by site take downs and arrests. Finding a new way to provide a longer lasting impact, disrupting the marketplace. Using splash pages to deter users, and also creating law enforcement-run DDoS for hire websites. Some of the disguised sites were “seized”, others were “outed” as NCA controlled, and some are still running. Second operation is Cronos, again using deception but applied to ransomware attacks. Finding broad deterrence messaging doesn’t always work well, now there is focus on showing victims cases where cybercriminals did not uphold their promises.

Luis Adan Saavedra del Toro – Sideloading of Modded Apps: User Choice, Security and Piracy

What are modded apps, and why do users use them? Android users have the capability of installing any app they download from the internet, outside of the Google Play Store. Third-party stores have ads and user review features. Modded apps have unlocked pro features, such as a modded Spotify app to bypass ads and other paid features. Modded gaming apps have free in-app purchases. Luis found over 400 modded Android app markets, and crawled the 13 most popular, creating the ModZoo dataset. Most of these modded apps are games, and lots of duplicates across markets. None of the markets had any payment infrastructure. They discovered apps with changed code had added additional permissions and advertising libraries. Some apps with Ad IDs had been changed. 9% of those with modded code were malicious. iOS has misconceptions around jailbreaking. iOSModZoo has ~30k apps. iOSZoo is a dataset of ~55k free App Store apps. Most iOS modded apps are pirated copies of paid apps.

Felipe Moreno-Vera and Daniel S. Menasché – Beneath the Cream: Unveiling Relevant Information Points from CrimeBB with Its Ground Truth Labels

Looking at exploits which are shared on underground forums. The team used three types of labels: post-type, intent, and crime-type, which they used to complement their approach to tracking keywords, their usage, and different vulnerability levels discussed. They create a classifier for threats, so they can identify what is being discussed. They use regex to identify CVEs, and a function to identify language. They note the labels used were only available for one site, and later use ChatGPT to create more labels for posts. They find ChatGPT improves on existing labels.

Jeremy D. Seideman, Shoufu Luo, and Sven Dietrich – The Guy In The Chair: Examining How Cybercriminals Use External Resources to Supplement Underground Forum Conversations

“Guy in the chair” is the support network that “connects the dots”. They looked at underground forum conversations to identify what this support network is. Do people post URLs, do they advertise things, do they talk about other communications? What is the wider context? Past literature shows that forums work best as a social network, forming communities. Their project examines the use of offensive AI usage, presenting their data pipeline, which they use to clean data prior to using topic transfer models. Following this, they identified buckets of URLs. The majority of known links were other forums, code sharing, image hosting, and file sharing. Lots of the links had link rot. Future work will further explore the application of analysis methods used with archaeological count data to their dataset.

Anh V. Vu – Yet Another Diminishing Spark: Low-level Cyberattacks in the Israel-Gaza Conflict

Anh notes differing perspectives of cyberwar in the world media, with a strong focus on high-profile cyber attacks. However, what is happening with low-level cybercrime actors and the services supporting these attacks? They are using data from website defacement attacks and UDP amplification DDoS attacks, alongside collections of volunteer hacking discussions. They contrast the conflicts of Russia vs Ukraine and Israel vs. Gaza. Anh finds interest in low-level DDoS and defacement attacks dropped off quickly, although notes that these findings should not be confounded with state-sponsored cyber attacks.

Dalyapraz Manatova – Relationships Matter: Reconstructing the Organisational Structure of a Ransomware Group

Dalyapraz has been studying dynamics of cybercrime networks, thinking about these as a socio-technical complex system, with technical, economical, and social factors. Existing literature shows that eCrime has “communities”, with admins and moderators. When these communities are disrupted, they often move to other places. Participants often have different pseudonyms for who they are communicating with, e.g. as an administrator or to trade. However, these communities are more like organisations, with roles, tasks, scale, scope. Follows a similar structure to aaS services.

Marilyne Ordekian – Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users

Wrench attacks have been around since the start of Bitcoin, yet have received little academic attention. Marilyne gathered data on wrench attacks through Bitcoin Talk discussions and interviews. Incidents were reported across different areas, from 2011 to 2021. There were peaks of incidents, which coincided with bitcoin reaching an all-time high. Why? Potential reasons include financial gain, theft is easier than hacking, and no account transfer limits. They found that 25% of these incidents occurred during in-person meet ups. Are wrench attacks reported? No, they are underreported. They propose safety mechanisms for individuals, including not bragging, diversifying of funds, and digital safety practices. Also, they suggest existing regulations could be strengthened, such as improved KYC verification to consider the risk of wrench attacks. System design changes could include redesigning apps to hide balance amounts.

Mariella Mischinger – Investigating and Comparing Discussion Topics in Multilingual Underground Forums

Mariella finds prior literature on forums is often missing understanding of the content and does not find niche topics. Also, there is a lack of research into multilingual underground forums, and a lack of data on invite-only forums. Datasets contain lots of noisy, informal language. They found sentence embeddings were useful to cluster the content into topics, as this included the context and intention in sentences. They extracted topics from the clusters of sentences using LDA, with cosine similarity then finding similar topics across languages. Mariella then finds this method can be used to find pockets of knowledge: topics only discussed in one language. Further work identified dark keywords, combining neologisms with groups of keywords.