All posts by Maria Bada

An exploration of the cybercrime ecosystem around Shodan

By Maria Bada & Ildiko Pete

Internet of Things (IoT) solutions, which have permeated our everyday life, present a wide attack surface. They are present in our homes in the form of smart home solutions, and in industrial use cases where they provide automation. The potentially profound effects of IoT attacks have attracted much research attention. We decided to analyse the IoT landscape from a novel perspective, that of the hacking community. 

Our recent paper, published at the 7th IEEE International Conference on Internet of Things: Systems, Management and Security (IOTSMS 2020), presents an analysis of underground forum discussions around Shodan, one of the most popular search engines of Internet-facing devices and services. In particular, we explored the role Shodan plays in the cybercriminal ecosystem of IoT hacking and exploitation, the main motivations for using Shodan, and popular targets of exploits in scenarios where Shodan is used.

To answer these questions, we followed a qualitative approach and performed a thematic analysis of threads and posts extracted from 19 underground forums presenting discussions from 2009 to 2020. The data were extracted from the CrimeBB dataset, collected and made available to researchers through a legal agreement by the Cambridge Cybercrime Centre (CCC). Specifically, the majority of posts we analysed stem from Hackforums (HF), one of the largest general-purpose hacking forums covering a wide range of topics, including IoT. HF is also notable for being the platform where the source code of the Mirai malware was released in 2016 (F. Chen and Y. Luo, 2017).

The analysis revealed that Shodan provides easier access to targets and simplifies IoT hacking. This is demonstrated, for example, by discussions that centre around selling and buying Shodan exports, that is, search results that can be readily used to target vulnerable devices and services. Forum members also expressed this view directly:

‘… Shodan and other tools, such as exploit-db make hacking almost like a recipe that you can follow.’

From the perspective of hackers, a significant factor determining the utility of Shodan is whether those targets can indeed be utilised: for example, whether all scanned hosts in scan results are active and whether they can be used for exploitation. Thus, the value of Shodan as a hacking tool is determined by its intended use cases.

The discussions were rife with tutorials on various aspects of hacking, which provided a glimpse into the methodology of hacking in general, hacking IoT devices, and the role Shodan plays in IoT attacks. The discussions show that Shodan and similar tools, such as Censys and Zoomeye, play a key role in passive information gathering and reconnaissance. The majority of users agree that Shodan is a useful tool that provides value, and they suggest its use. They mention Shodan both in the context of searching for targets and exploiting devices or services with known vulnerabilities. As to the targets of information gathering and exploitation, we found multiple devices and services, including web cameras, industrial control systems and open databases, to mention a few.

Shodan is a versatile tool and plays a prominent role in various use cases. Since IoT devices can potentially expose personally identifiable information, such as health records, user names and passwords, members of underground forums actively discuss utilising Shodan for gathering such data. In particular, this can be achieved by exploiting open databases.

Members of forums discuss accessing remote devices for various reasons. In some cases, it is for fun, while more maliciously inclined actors can use such exploits to collect images and videos and use them, for example, for extortion. Previous research has shown that camera systems represent easy targets for hackers. Accordingly, our findings highlight that these systems are one of the most popular targets, and they are widely discussed in the context of watching the video stream or listening to the audio stream of compromised vulnerable cameras, or exposing someone through their camera recording. Users frequently discuss IP camera trolling, and we found posts sharing leaked video footage and websites that list hacked cameras.

Shodan, and in particular the Shodan API, can be used to automate scanning for devices which could be used to create a botnet:

‘…you don’t need fancy exploits to get bots just look for bad configurations on shodan.’

Finally, a major use case that members discuss is utilising Shodan in Distributed Reflection Denial of Service attacks, specifically in the first step, where Shodan can be used to gather a list of reflectors, for example, NTP servers.

Discussions around selling or buying Shodan accounts show that forum members trade these accounts and associated assets due to Shodan’s credit model, which limits its use. To effectively utilise the output of Shodan queries, premium accounts are required as they provide the necessary scan, query and export credits.

Although Shodan and similar search engines attract malicious actors, they are widely used by security professionals and for penetration testing to unveil IoT security issues. Raising awareness of vulnerabilities provides invaluable help in alleviating these issues. Shodan provides a variety of services, including Malware Hunter, which is a specialised Shodan crawler aimed at discovering malware command-and-control (C&C) servers. The service is of great value to security professionals and in the fight against malware, reducing its impact and ability to compromise targeted victims. This study contributes to IoT security research by highlighting the need for action towards securing the IoT ecosystem, based on forum members’ discussions on underground forums. The findings suggest that more focus needs to be placed upon security considerations while developing IoT devices, as a measure to prevent their malicious use.

Reference

F. Chen and Y. Luo, Industrial IoT Technologies and Applications: Second EAI International Conference, Industrial IoT 2017, Wuhu, China, March 25–26, 2017, Proceedings, ser. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Springer International Publishing, 2017.

Three Paper Thursday: Exploring the Impact of Online Crime Victimization

Just as in other types of victimization, victims of cybercrime can experience serious consequences, emotional or not. First of all, a repeat victim of a cyber-attack might face serious financial or emotional hardship. These victims are also more likely to require medical attention as a consequence of online fraud victimization. This means repeat victims have a unique set of support needs, including the need for counselling, and seeking support from the criminal justice system. There are also cases, such as in cyberbullying or sextortion, where victims will not speak to their family and friends. These victims feel too ashamed to share details with others and they will probably not receive any support. In such cases trauma can even lead to self-harm. Therefore, we see that online victimization can actually lead to physical harm. 

As a member of the National Risk Assessment (NRA) Behavioural Science Expert Group in the UK, working on the social and psychological impact of cyber-attacks on members of the public, I have identified for years now that the actual social or psychological impact of different types of cyber-attacks on victims or society as a whole is still not explored. Governments have been slow in identifying and analysing potential events online that may negatively impact individuals. In the UK, as well as in other countries, cybercrime was added as part of a national risk assessment exercise only a few years ago. Therefore, our knowledge about the potential impact of cyber-attacks and their cascading effects is still under research.

This is often a very difficult area for lawyers and the courts to understand. Understanding victims’ needs and the responsibilities of the police, the judiciary and other authorities in dealing with such crimes is very important. This is why we need to further explore how and to what extent the situation and needs of victims of online crimes differ from those of traditional offline crimes. By sharing experiences and openly discussing this issue, we will be able to ingrain the cybersecurity mindset in our societies, thus preventing victimization to some degree.

In this post I would like to introduce recent work in this area. The first one explores the social and psychological impact of cyber-attacks on individuals as well as nations, the second one explores the differences between the situation and needs of online and offline crime victims, while the third one discusses the relationship between offending and victimization online.


Online suicide games: a form of digital self-harm or a myth?

By Maria Bada & Richard Clayton

October is ‘Cyber Security Month’, and you will see lots of warnings and advice about how to keep yourself safe online. Unfortunately, not every warning is entirely accurate and particularly egregious examples are warnings about ‘suicide games’ which are said to involve an escalating series of challenges ending in suicide.

Here at the Cambridge Cybercrime Centre, we’ve been looking into suicide games by interviewing teachers, child protection experts and NGOs; and by tracking mentions of games such as the ‘Blue Whale Challenge’ and ‘Momo’ in news stories and on UK Police and related websites.

We found that the stories about online suicide games have no discernible basis in fact and are linked to misperceptions about actual suicides. A key finding of our work is that media, social media and well-meaning (but baseless) warning releases by authorities are spreading the challenge culture and exaggerating fears.

To clarify, virally spreading challenges are real and some are unexpectedly dangerous such as the salt and ice challenge, the cinnamon challenge and more recently skin embroidery. Very sadly of course suicides are also real – but we are convinced that the combination has no basis in fact.

We’re not alone in our belief. Snopes investigated Blue Whale in 2017 and deemed the story ‘unproven’, while in 2019 the BBC posted a detailed history of Blue Whale showing there was no record of such a game prior to a single Russian media article of dubious accuracy. The UK Safer Internet Centre calls the claims around Momo ‘fake news’, while YouTube has found no evidence to support the claim that there are videos showing or promoting Momo on its platform.

Regardless of whether a challenge is dangerous or not, youngsters are especially motivated to take part, presumably because of a desire for attention and curiosity. The ‘challenge culture’ is a deeply rooted online phenomenon. Young people are constantly receiving media messages and new norms which not only inform their thinking, but also their values and beliefs. 

Although there is no evidence that the suicide games are ‘real’, authorities around the world have reacted by releasing warnings and creating information campaigns to warn youngsters and parents about the risks. However, a key concern when discussing, or warning of, suicide games is that this drives children towards the very content of concern and raises the risk of ‘suicide contagion’, which could turn stories into a tragic self-fulfilling prophecy for a small number of vulnerable youths.

Understanding what media content really means, what its source is and why a certain message has been constructed is crucial for properly understanding and recognising media-mediated messages and their meaning. Adequate answers to all these questions can only be acquired through media literacy. However, in most countries media education is still a secondary activity that teachers or media educators deal with without training or proper material.

Our research recommends that policy measures are taken such as: a) awareness and education to ensure that young people can handle risks online and offline; b) development of national and international strategies and guidelines for suicide prevention and how the news related to suicides is shown in media and social media; c) development of social media and media literacy; d) collaborative efforts of media, legal systems and education to prevent suicides; e) guidance for quality control of warning releases by authorities.

Maria Bada presented this work on 24-26th June 2019, at the 24th Annual CyberPsychology, CyberTherapy & Social Networking Conference (CYPSY24) in Norfolk, Virginia, USA. Click here to access the abstract of this paper; the full version of the paper is currently in peer review and should be available soon.