Category Archives: Cybercrime

Three Paper Thursday: Broken Hearts and Empty Wallets

Academic papers, Cybercrime, Legal issues, Security economics, Security psychology, Three Paper Thursday

This is a guest post by Cassandra Cross.

Romance fraud (also known as romance scams or sweetheart swindles) affects millions of individuals globally each year. In 2019, the Internet Crime Complaint Centre (IC3) (USA) had over US$475 million reported lost to romance fraud. Similarly, in Australia, victims reported losing over $AUD80 million and British citizens reported over £50 million lost in 2018. Given the known under-reporting of fraud overall, and online fraud more specifically, these figures are likely to only be a minority of actual losses incurred.

Romance fraud occurs when an offender uses the guise of a legitimate relationship to gain a financial advantage from their victim. It differs from a bad relationship, in that from the outset, the offender is using lies and deception to obtain monetary rewards from their partner. Romance fraud capitalises on the fact that a potential victim is looking to establish a relationship and exhibits an express desire to connect with someone. Offenders use this to initiate a connection and start to build strong levels of trust and rapport.

As with all fraud, victims experience a wide range of impacts in the aftermath of victimisation. While many believe these to be only financial, in reality, it extends to a decline in both physical and emotional wellbeing, relationship breakdown, unemployment, homelessness, and in extreme cases, suicide. In the case of romance fraud, there is the additional trauma associated with grieving both the loss of the relationship as well as any funds they have transferred. For many victims, the loss of the relationship can be harder to cope with than the monetary aspect, with victims experiencing large degrees of betrayal and violation at the hands of their offender.

Sadly, there is also a large amount of victim blaming that exists with both romance fraud and fraud in general. Fraud is unique in that victims actively participate in the offence, through the transfer of money, albeit under false pretences. As a result, they are seen to be culpable for what occurs and are often blamed for their own circumstances. The stereotype of fraud victims as greedy, gullible and naïve persists, and presents as a barrier to disclosure as well as inhibiting their ability to report the incident and access any support services.

Given the magnitude of losses and impacts on romance fraud victims, there is an emerging body of scholarship that seeks to better understand the ways in which offenders are able to successfully target victims, the ways in which they are able to perpetrate their offences, and the impacts of victimisation on the individuals themselves. The following three articles each explore different aspects of romance fraud, to gain a more holistic understanding of this crime type.

Continue reading Three Paper Thursday: Broken Hearts and Empty Wallets

Hiring for the Cambridge Cybercrime Centre (Sep 2020 version)

Cybercrime, Jobs

We have yet another “post-doc” position in the Cambridge Cybercrime Centre: https://www.cambridgecybercrime.uk (for the happy reason that Ben is leaving us to become a Lecturer in Digital Methods in Edinburgh).

Hence, once again, we are looking for an enthusiastic researcher to join us to work on our datasets of cybercrime activity, collecting new types of data, maintaining existing datasets and doing innovative research using our data. The person we appoint will define their own goals and objectives and pursue them independently, or as part of a team.

We are specifically interested in determining how cybercrime has changed in response the COVID-19 pandemic and our funding requires us to identify new trends, to collect (and share) relevant data, and to rapidly provide an analysis of what is happening, with the aim of assisting in optimising technical and policy responses. We are also expanding our data collection into examining the online activities of extremist groups — with a specific focus on pandemic related issues.

An ideal candidate would identify datasets that can be collected, build the collection systems and then do cutting edge research on this data – whilst encouraging other academics to take our data and make their own contributions to the field. However, we recognise that candidates may be from a technical background and hence stronger at the collecting side, or from a social science background and hence stronger on providing compelling insights into what our data reveals. Along with a CV we expect to see a covering letter which sets out what type of research might be done and the skills which will be brought to bear, along with an indication where help would need to be sought from colleagues in our interdisciplinary environment.

Please follow this link to the advert to read the formal advertisement for the details about exactly who and what we’re looking for and how to apply — and please pay special attention to our request for a covering letter.

A measurement of link rot: 57%

Academic papers, Cybercrime

I submitted my PhD on the 31st August 2005 (9 months before Twitter started, almost two years before the first iPhone). The easiest version to find (click here) contains the minor revisions requested by my examiners and some typographical changes to fit it into the Computer Lab’s Technical Report series.

Since it seemed like a good idea at the time, my thesis has an annotated bibliography (so you can read a brief precis of what I referenced, which could assist you in deciding whether to follow it up). I also went to some effort to identify online versions of everything I cited, because it always helpful to just click on a link and immediately see the paper, news article or other material.

The thesis has 153 references, in two cases I provided two URLs, and in three cases I could not provide any URL — though I did note that the three ITU standards documents I cited were available from the ITU bookshop and it was possible to download a small number of standards without charge. That is, the bibliography contained 152 URLs.
Continue reading A measurement of link rot: 57%

Cambridge Cybercrime Centre: COVID briefing papers

Academic papers, Cybercrime

The current coronavirus pandemic has significantly disrupted all our societies and, we believe, it has also significantly disrupted cybercrime.

In the Cambridge Cybercrime Centre we collect crime-related datasets of many types and we expect, in due course, to be able to identify, measure and document this disruption. We will not be alone in doing so — a key aim of our centre is to make datasets available to other academic researchers so that they too can identify, measure and document. What’s more, we make this data available in a timely manner — sometimes before we have even looked at it ourselves!

When we have looked at the data and identified what might be changing (or where the criminals are exploiting new opportunities) then we shall of course be taking the traditional academic path of preparing papers, getting them peer reviewed, and then presenting them at conferences or publishing them in academic journals. However, that process is extremely slow — so we have decided to provide a faster route for getting out the message about what we find to be going on.

Our new series of “COVID Briefing Papers” are an ongoing series of short-form, open access reports aimed at academics, policymakers, and practitioners, which aim to provide an accessible summary of our ongoing research into the effects which the coronavirus pandemic (and government responses) are having on cybercrime. We’re hoping, at least for a while, to produce a new briefing paper each week … and you can now read the very first, where Ben Collier explains what has happened to illegal online drug markets… just click here!

Security and Human Behaviour 2020

Academic papers, Cybercrime, Politics, Privacy technology, Security economics, Security psychology, Usability

I’ll be liveblogging the workshop on security and human behaviour, which is online this year. My liveblogs will appear as followups to this post. This year my program co-chair is Alice Hutchings and we have invited a number of eminent criminologists to join us. Edited to add: here are the videos of the sessions.

Three Paper Thursday – Analysing social networks within underground forums

Academic papers, Cybercrime, Social networks, Three Paper Thursday,

One would be hard pressed to find an aspect of life where networks are not present. Interconnections are at the core of complex systems – such as society, or the world economy – allowing us to study and understand their dynamics. Some of the most transformative technologies are based on networks, be they hypertext documents making up the World Wide Web, interconnected networking devices forming the Internet, or the various neural network architectures used in deep learning. Social networks that are formed based on our interactions play a central role in our every day lives; they determine how ideas and knowledge spread and they affect behaviour. This is also true for cybercriminal networks present on underground forums, and social network analysis provides valuable insights to how these communities operate either on the dark web or the surface web.

For today’s post in the series `Three Paper Thursday’, I’ve selected three papers that highlight the valuable information we can learn from studying underground forums if we model them as networks. Network topology and large scale structure provide insights to information flow and interaction patterns. These properties along with discovering central nodes and the roles they play in a given community are useful not only for understanding the dynamics of these networks but for various purposes, such as devising disruption strategies.

Continue reading Three Paper Thursday – Analysing social networks within underground forums

Hiring for the Cambridge Cybercrime Centre

Cybercrime, Jobs

We have just advertised some short-term “post-doc” positions in the Cambridge Cybercrime Centre: https://www.cambridgecybercrime.uk.

We are specifically interested in extending our data collection to better record how cybercrime has changed in response the COVID-19 pandemic and we wish to mine our datasets in order to understand whether cybercrime has increased, decreased or displaced during 2020.

There are a lot of theories being proposed as to what may or may not have changed, often based on handfuls of anecdotes — we are looking for researchers who will help us provide data driven descriptions of what is (now) going on — which will feed into policy debates as to the future importance of cybercrime and how best to respond to it.

We are not necessarily looking for existing experience in researching cybercrime, although this would be a bonus. However, we are looking for strong programming skills — and experience with scripting languages and databases would be much preferred. Good knowledge of English and communication skills are important.

Since these posts are only guaranteed to be funded until the end of September, we will be shortlisting candidates for (online) interview as soon as possible (NOTE the application deadline is less than ONE WEEK AWAY) and will be giving preference to people who can take up a post without undue delay. The rapid timescale of the hiring process means that we will only be able to offer positions to candidates who already have permission to work in the UK (which, as a rough guide, means UK or EU citizens or those with existing appropriate visas).

We do not realistically expect to be permitted to return to our desks in the Computer Laboratory before the end of September, so it will be necessary for successful candidates to be able to successfully “work from home” … not necessarily within the UK.

Please follow this link to the advert to read the formal advertisement for the details about exactly who and what we’re looking for and how to apply.

Cybercrime is (often) boring

Academic papers, Cybercrime, Security economics, Security psychology

Much has been made in the cybersecurity literature of the transition of cybercrime to a service-based economy, with specialised services providing Denial of Service attacks, cash-out services, escrow, forum administration, botnet management, or ransomware configuration to less-skilled users. Despite this acknowledgement of the ‘industrialisation’ of much for the cybercrime economy, the picture of cybercrime painted by law enforcement and media reports is often one of ’sophisticated’ attacks, highly-skilled offenders, and massive payouts. In fact, as we argue in a recent paper accepted to the Workshop on the Economics of Information Security this year (and covered in KrebsOnSecurity last week), cybercrime-as-a-service relies on a great deal of tedious, low-income, and low-skilled manual administrative work.

Continue reading Cybercrime is (often) boring

Three Paper Thursday: Vulnerabilities! We’ve got vulnerabilities here! … See? Nobody cares.

Academic papers, Cybercrime, Programmable logic, Protocols, Security economics, Three Paper Thursday

Jurassic Park is often (mistakenly) left out of the hacker movie canon. It clearly demonstrated the risk of an insider attack on control systems (Velociraptor rampage, amongst other tragedies…) nearly a decade ahead of the Maroochy sewage incident, it’s the first film I know of with a digital troll (“ah, ah, ah, you didn’t say the magic word!”), and Samuel L. Jackson correctly assesses the possible consequence of a hard reset (namely, everyone dying), resulting in his legendary “Hold on to your butts”. The quotable mayhem is seeded early in the film, when biotech spy Lewis Dodgson gives a sack of money to InGen’s Dennis Nedry to steal some dino DNA. Dodgson’s caricatured OPSEC (complete with trilby and dark glasses) is mocked by Nedry shouting, “Dodgson! Dodgson! We’ve got Dodgson here! See, nobody cares…” Three decades later, this quote still comes to mind* whenever conventional wisdom doesn’t seem to square with observed reality, and today we’re going to apply it to the oft-maligned world of Industrial Control System (ICS) security.

There is plenty of literature on ICS security pre-2010, but people really sat up and started paying attention when we learned about Stuxnet. Possibly the most upsetting thing about Stuxnet (for security-complacent control system designers like me) was the apparent ease with which the “air gap” was bridged over and over again. Any remaining faith in the air gap was killed by Éireann Leverett’s demonstration (thesis and S4 presentation) that thousands of industrial systems were directly connected to the Internet — no air gap jumping required. Since then, we’ve observed a steady growth in Internet-connected ICS devices, due both to improved search techniques and increasingly-connectable ICS devices. On any given day you can find about 100,000 unique devices speaking industrial protocols on Censys and Shodan. These protocols are largely unauthenticated and unencrypted, allowing an attacker that can speak the protocol to remotely read state, issue commands, and even modify programmable logic without using an actual exploit.

This sounds (and is) bad, and people have (correctly) highlighted its badness on many occasions. The attacks, however, appear to be missing: we are not aware of a single instance of industrial damage initiated via an Internet-connected ICS device. In this Three Paper Thursday we’ll look at papers showing how easy it is to find and contextualise Internet-connected ICS devices, some evidence for lack of malicious interest, and some leading indicators that this happy conclusion (for which we don’t really deserve any credit) may be changing.

*Perhaps because guys of a certain age still laugh and say “Dodson! We’ve got Dodson here!” when they learn my surname. I try to explain that it’s spelt differently, but…
Continue reading Three Paper Thursday: Vulnerabilities! We’ve got vulnerabilities here! … See? Nobody cares.

Three Paper Thursday: Will we ever get IoT security right?

Cybercrime, Politics, Three Paper Thursday

Academia, governments and industry frequently talk about the importance of IoT security. Fundamentally, the IoT environment has similar problems to other technology platforms such as Android: a fragmented market with no clear responsibilities or incentives for vendors to provide regular updates, and consumers for whom its not clear how much (of a premium) they are willing to pay for (“better”) security and privacy.

Just two weeks ago, Belkin announced to shut down one of its cloud services, effectively transforming its several product lines of web cameras into useless bricks. Unlike other end-of-support announcements for IoT devices that (only) mean devices will never see an update again, many Belkin cameras simply refuse to work without the “cloud”. This is particularly disconcerting  as many see cloud-based IoT as one possible solution to improve device security by easing the user maintenance effort through remote update capabilities.

In this post, I would like to introduce three papers, each talking about different aspects of IoT security: 1) consumer purchasing behaviour, 2) vendor response, and 3) an assessment of the ever-growing literature on “best-practices” from industrial, governmental, and academic sources.
Continue reading Three Paper Thursday: Will we ever get IoT security right?