Google's Three Tips for Sabotaging the Cybercrime Economy

In a broad study, a team of Googlers and academic researchers suggest attacking the cybercrime supply chain.

With hackers and the security research community constantly finding new ways to break every piece of software that touches the Internet, it's easy to get lost in the endless cycle of hacks and patches and hacks. But one team of Googlers and academic researchers has stepped back from that cycle to take a broader view of the maelstrom of scams, fraud and theft online. The result is a portrait of the digital underworld that goes beyond the traditional idea of corporate security to sketch the entire supply chain of online crime from hacking accounts to cashing out—focusing on where that chain can be weakened or snapped.

In a research paper published Thursday on Google's security blog, a group of researchers from Google's fraud and abuse group and six universities pulled together a kind of meta-study on the anatomy of the cybercriminal underground, focusing on illicit sub-industries like spam, click fraud, scareware, ransomware, and credit card theft. None of the data in the paper is new. Instead, it reviews years of existing cybercrime research to look for patterns and methods of disrupting those illicit schemes. The researchers' conclusion—perhaps a surprising one for a company as focused on technical security and engineering as Google—is that nuts-and-bolts technological security isn't enough for a company seeking to protect its users. Putting an actual dent in the cybercriminal economy requires using legal and economic strategies to directly attack the weakest points in its infrastructure: everything from botnet takedowns to payment processing.

"Our biggest takeaway is that though a lot of these problems seem intractable from a technical perspective, if you look at this from the supply chain and an economic light, they become solvable," says Kurt Thomas, one of Google's authors on the study. "We wanted to collaborate with external researchers to figure out exactly how criminals make money from the black market and identify their brittle infrastructure that’s cost sensitive. If you raise those costs, you disrupt credit card fraud, spam, or these other forms of abuse."

WIRED spoke with Thomas, his fellow Google researcher Elie Bursztein, as well as their co-authors from New York University and the Universities of California at San Diego and Santa Barbara to ask them to pull a few lessons out of their sweeping study of the Internet's underbelly. Here are their recommendations:

Use the Black Market As A Mirror for Your Security

Rather than endlessly bolstering security against imagined threats, the researchers recommend that companies infiltrate the online black markets inhabited by the actual criminals exploiting their systems. There they can see their own stolen data and hijacked or bot-operated accounts being sold and even track those commodities' prices. Thomas and Bursztein say that they closely follow the price of the bot-controlled Google accounts used for everything from YouTube and Chrome Web Store spam to fake reviews of malicious Android apps to hosting phishing sites on Google Drive. (They declined, however, to name the actual cybercriminal markets that they monitor.)

"We use black markets as an oracle into how well our defenses are doing," says Thomas. "Our systems are directly reflected in the price of those accounts. If the prices are going up, we know we're doing something right. If the price falls, there's a problem."

In late 2013, for instance, Google found that the price of a bot-controlled Google account had fallen from around $170 per thousand accounts to just $60 per thousand. By analyzing their sign-ups, they were able to see that close to a quarter of the bot accounts had signed up using VoIP phone numbers—a cheap way to circumvent Google's method of limiting accounts to individual humans by tying them to phone numbers. So Google blocked certain commonly abused VoIP services, and by doing so raised the price of the zombie accounts by between 30 percent and 40 percent. "When we cracked down on VOIP and criminals had to go back to using SIM cards, we significantly undercut their profit margins," says Thomas. "By targeting that specific bottleneck, we can improve things across the company."

Attack Fragile and Expensive Criminal Infrastructure

As in that VoIP example, the Google researchers recommend finding the point in the cybercriminal process where a single intervention can cause the biggest business disruption or price increase. But that point isn't always in a company's own software. In many cases, the researchers suggest reaching beyond product defense to attack criminal infrastructure and even criminals themselves. "We want to move people from a whack-a-mole strategy of finding a hole and fixing it to striking at key players in the marketplace to make abuse fundamentally less profitable," says Thomas.

That's an unexpected approach from Google, which is better known for traditional, vulnerability-focused security: the company has long paid some of the largest "bug bounty" rewards to hackers revealing vulnerabilities in its code, and employs a group of highly skilled hackers known as Project Zero to find those vulnerabilities in its own code and that of other companies.

In some cases, this new approach means working with law enforcement to target specific criminals and partner in investigations that lead to their arrest. But the researchers admit that individual criminals can be surprisingly elusive—they cite Microsoft's still unclaimed $250,000 bounty for the authors of the infamous Conficker worm and the FBI's still-standing $3 million bounty for Zeus trojan developer Evgeniy Mikhailovich Bogachev. Additionally, arrested cybercriminals are often immediately supplanted by competitors. They also suggest botnet takedowns through domain seizures, but note that tactic can lead to collateral damage, like Microsoft's controversial No-IP purge last year.

The most effective infrastructure point to attack, they suggest, may be payment systems: pressuring banks and payment processors to drop shady customers can entirely cut off the ability of a spam or click fraud campaign to actually generate profit, and force its operators to search out another processor among the limited number that tolerate crime—or switch to a more limited payment mechanism like bitcoin. "It takes months to set up these kinds of relationships," says Giovanni Vigna, a computer science professor at UCSB who collaborated on the study. "Hitting that relationship through legal means inflicts the maximum amount of pain."

Collaborate With Academics

Looking at the whole criminal economy to find the ideal point of attack usually means talking to people outside your own company. That means collaborating with competitors, law enforcement, and—in Google's view, most importantly—university researchers. That also means cozying up to academia with grants and internship programs. "We like universities because they're neutral ground, they're very useful to work with, and they help as many companies as they can," says Bursztein. "Combatting the black market isn't something you can do by yourself."

It's no coincidence that this tip comes from a study in which Google partnered with half a dozen universities. But Thomas emphasizes that university researchers don't usually have a product to push or an agenda, as most security vendors or other tech companies do. And University of California at San Diego computer scientist Stefan Savage points out that academics have more legal and public relations leeway to dive into darker corners of the black market, allowing them to venture into questionable practices like purchasing illicit products to track criminals. "We have freer rein," says Savage, another of the study's co-authors. Unlike Google, he says, "there's no risk of brand impact for us when we buy counterfeit drugs and map the flow of money to banks in Azerbaijan and Eastern Europe."

But more importantly, says Savage, academics can give companies the perspective that's missing when a security or fraud team is wrapped up in day-to-day firefighting. "Practically everyone employed by a company in an abuse group is working in a mode of constant crisis," says Savage. "Very few have the luxury of taking a step back to study a problem for a year. We can."

Here's the Googlers' and university researchers' full study:

Framing Dependencies Introduced by Underground Commoditization