APWG Announces Research Papers Accepted for Its 2024 eCrime Conference — Hard-Won Insights From Investigators at the Lawless Cyber Frontier

CAMBRIDGE, Mass., August 27, 2024 (Newswire.com) - The managing chairs of APWG’s Symposium on Electronic Crime Research (APWG eCrime) is proud to announce the accepted papers for its 2024 edition, this year presenting a thoroughly multi-disciplinary portfolio of research that interrogates the cybercrime experience from psychosocial dimensions of the hacker underground to leveraging ransomware payment events to track and parse ransomware enterprises.

Now in its 19th year as a peer-reviewed conference (proceedings published by IEEE since 2008), APWG eCrime has increased its topical focal point from a technology conference to a multidisciplinary platform for leading researchers worldwide to present their findings — often traversing research domains — to make important discoveries on behalf of cybercrime fighters everywhere.

"APWG eCrime’s research grapples with the monsters at large on the cybercrime frontier to point the way for the research community — and for industry which needs  those insights to animate crime-fighting innovations,” said APWG Secretary General Peter Cassidy, founder of the symposium. 

APWG eCrime, presented in Boston on September 24-26, is the world's only peer-reviewed publishing conference focused exclusively on cybercrime research, is proud to publish the abstracts and authors of this year's accepted papers. The abstracts and authors' roll for each of the research papers accepted for APWG eCrime 2024 are as follows:

Love Bytes Back: Cybercrime Following Relationship Breakdown

Quincy Taylor (University of Cambridge), Anna Talas (University of Cambridge), Alice Hutchings (University of Cambridge)

Relationship breakdown and dissolution can be a period of high stress and difficulty. This research uses a subset of underground cybercrime forum data to understand the motivations and discussions in response to a relationship breakdown. Underground cybercrime forums provide insights into cybercrime from the perspective of the perpetrator. To understand the connection between cybercrime and relationship breakdown, the researchers analyze a large, long-running English-language-based underground forum. To analyze data at scale, the Cambridge University investigators developed three machine learning classifiers that identify the relationship represented, motivation, and moderation of each of the posts. Additionally, the researchers use topic modeling techniques to surface prominent themes within the dataset. The researchers find forum posts related to relationship breakdown are frequently posted by very active users who utilize the community as a support system while they vent. The cybercrime types discussed are mostly motivated by an intention to spy, typically through gaining system access. Expanding prior research, the researchers systematically address the role of de-escalators on the platform and suggest improvements to dissuade illegal behaviors.

Exploring Content Concealment in Email

Lucas Betts (The University of Auckland, New Zealand), Robert Biddle (The University of Auckland, New Zealand), Danielle Lottridge (The University of Auckland, New Zealand), Giovanni Russello (The University of Auckland, New Zealand)

The never-ending barrage of malicious emails, such as spam and phishing, is of constant concern for users, who rely on countermeasures such as email filters to keep the intended recipient safe. Modern email filters, one of our few defense mechanisms against malicious emails, are often circumvented by sophisticated attackers. This study focuses on how attackers exploit HTML and CSS in emails to conceal arbitrary content, allowing for multiple permutations of a malicious email, some of which may evade detection by email filters. This concealed content remains undetected by the recipient, presenting a serious security risk. The investigators’ research involved developing and applying an email sampling and analysis procedure to a large-scale dataset of unsolicited emails. The researchers then identify the tactics attackers use to conceal content and the HTML and CSS techniques employed.

What To Do Against Ransomware? Evaluating Law Enforcement Interventions

Tom Meurs (University of Twente), Raphael Hoheisel (University of Twente), Marianne Junger (University of Twente), Abhishta Abhishta (University of Twente), Damon McCoy (NYU)

Ransomware poses an increasing challenge to society, yet there is a notable gap in research on the effectiveness of law enforcement interventions. A key insight from the researchers’ study is that the presence of victims' details on leak pages following double extortion ransomware attacks offers a unique opportunity to evaluate these interventions. Analyzing a dataset containing victims published by ransomware groups, the investigators assess the impact of five specific types of interventions: arresting group members, taking down leak page server infrastructure, freezing crypto assets, releasing decryptors, and imposing sanctions. From a collected list of interventions, the researchers categorize ransomware groups' responses into three actions: ceasing operations, continuing operations, or rebranding under a new name. Initial results show that nearly half of the interventions led to ransomware groups ceasing operations. Additionally, our findings suggest minimal crime displacement, with fewer victims attacked post-intervention if the groups continued their activities. Observed rebranding among these groups is also limited. The researchers discuss the implications and limitations of our research and conclude with two recommendations for law enforcement: prioritize quantity of interventions over quality and diversify the set of interventions to better counter the innovative nature of ransomware groups.

"Hey Google, Remind me to be Phished" Exploiting the Notifications of the Google (AI) Assistant on Android for Social Engineering Attacks

Marie Weinz (University of Liechtenstein), Saskia Laura Schroeer (University of Liechtenstein), Giovanni Apruzzese (University of Liechtenstein)

The University of Liechtenstein investigators showcase how to maliciously exploit a functionality of the Google ecosystem (specifically, of Android) by elucidating how the notifications generated by the Google Assistant may help phishers in reaching their goals. The University of Liechtenstein investigators found that Android users who have Google Assistant check their inbox will be reminded to carry out duties that are solicited in emails that have never been opened before. From a social-engineering perspective, attackers can send specific emails to Android users, and these users will receive notifications (from Google) “reminding” them that a task is soon due, thereby urging them to “fall for phish.” Just imagine: while going through your day, you suddenly receive a notification on your smartphone saying that “An outstanding task is soon due.” Tapping on the notification leads to opening an email which, if malicious, contains ill-purposed content, such as harmful links or malware attachments. The sense of urgency from the unexpected reminder may lead to overlooking some phishing cues—facilitating social engineering attacks. This subtle (and novel) threat is rooted in the quintessential functionalities of smart (AI-based) assistants that passively analyze our data to improve our digital well-being. Users of these tools must be made aware of this issue to prevent harmful consequences. Therefore, besides describing our discovery and analysing it under a security lens, the University of Liechtenstein investigators (i) carry out a user study to gauge the potential impact of this issue; and (ii) emphasize some practical takeaways for both users and developers. The University of Liechtenstein investigators disclosed their finding to Google, whose representatives acknowledged the possibility of attacks, but stated that no fix to their software will be made.

Multimodal Large Language Models for Phishing Webpage Detection and Identification

Jehyun Lee (Trustwave), Peiyuan Lim (National University of Singapore), Bryan Hooi (National University of Singapore), Dinil Mon Divakaran (A*STAR Institute for Infocomm Research)

To address the challenging problem of detecting phishing webpages, researchers have developed numerous solutions, in particular those based on machine learning (ML) algorithms. Among these, brand-based phishing detection that uses models from Computer Vision to detect if a given webpage is imitating a well-known brand has received widespread attention. However, such models are costly and difficult to maintain, as they need to be retrained with labeled dataset that has to be regularly and continuously collected. Besides, they also need to maintain a good reference list of well-known websites and related meta-data for effective performance. In this work, the researchers take steps to study the efficacy of large language models (LLMs), in particular the multimodal LLMs, in detecting phishing webpages. Given that the LLMs are pre-trained on a large corpus of data, the researchers aim to make use of their understanding of different aspects of a webpage (logo, theme, favicon, etc.) to identify the brand of a given webpage and compare the identified brand with the domain name in the URL to detect a phishing attack. The researchers propose a two-phase system employing LLMs in both phases: the first phase focuses on brand identification, while the second verifies the domain. The researchers carry out comprehensive evaluations on a newly collected dataset. Our experiments show that the LLM-based system achieves a high detection rate at high precision; importantly it also provides interpretable evidence for the decisions. The investigators' system, the researchers point up, also performs significantly better than a state-of-the-art brand-based phishing detection system while demonstrating robustness against two known adversarial attacks.

Typosquatting 3.0: Characterizing Squatting in Blockchain Naming Systems

Muhammad Muzammil (Stony Brook University), ZhengYu Wu (Stony Brook University), Lalith Harisha (Stony Brook University), Brian Kondracki (Stony Brook University), Nick Nikiforakis (Stony Brook University)

A Blockchain Name System (BNS) simplifies the process of sending cryptocurrencies by replacing complex cryptographic recipient addresses with human-readable names, making the transactions more convenient. Unfortunately, these names can be susceptible to typosquatting attacks, where attackers can take advantage of user typos by registering typographically similar BNS names. Unsuspecting users may accidentally mistype or misinterpret the intended name, resulting in an irreversible transfer of funds to an attacker’s address instead of the intended recipient. In this work, the Stony Brook University investigators present the first large-scale, intra-BNS typosquatting study. To understand the prevalence of typosquatting within BNSs, the researchers study three different services (Ethereum Name Service, Unstoppable Domains, and ADAHandles) spanning three blockchains (Ethereum, Polygon, and Cardano), collecting a total of 4.9M BNS names and 200M transactions—the largest dataset for BNSs to date. the Stony Brook University investigators describe the challenges involved in conducting name-squatting studies on these alternative naming systems, and then perform an in-depth quantitative analysis of our dataset. The researchers find that typosquatters are indeed active on BNSs, registering more malicious domains with each passing year. The researchers’ analysis reveals that users have sent thousands of transactions to squatters and that squatters target both globally popular BNS domain names as well as the domains owned by popular Twitter/X users. Lastly, the researchers document the complete lack of defenses against typosquatting in custodial and non-custodial wallets and propose straightforward countermeasures that can protect users without relying on third-party services.

ModZoo: A Large-Scale Study of Modded Android Apps and their Markets

Luis A. Saavedra (University of Cambridge), Hridoy S. Dutta (University of Cambridge), Alastair R. Beresford (University of Cambridge), Alice Hutchings (University of Cambridge)

The University of Cambridge investigators present the results of the first large-scale study into Android markets that offer modified or modded apps: apps whose features and functionality have been altered by a third-party. The researchers analyze over 146k (thousand) apps obtained from 13 of the most popular modded app markets. Around 90 percent of them are altered in some way when compared to the official counterparts on Google Play. Modifications include games cheats, such as infinite coins or lives; mainstream apps with premium features provided for free; and apps with modified advertising identifiers or excluded ads. The researchers find the original app developers lose significant potential revenue due to: the provision of paid for apps for free (around 5% of the apps across all markets); the free availability of premium features that require payment in the official app; and modified advertising identifiers. While some modded apps have all trackers and ads removed (3%), in general, the installation of these apps is significantly more risky for the user than the official version: modded apps are ten times more likely to be marked as malicious and often request additional permissions.

Owned, Pwned or Rented: Who's Domain Is It?

Mina Erfan (University of Ottawa, Ottawa, Canada), Paula Branco (University of Ottawa, Ottawa, Canada), Guy-Vincent Jourdan (University of Ottawa, Ottawa, Canada)

Phishing attacks continue to be a persistent threat, leading researchers to develop various detection approaches that leverage data sources like Certificate Transparency (CT) logs and Domain Name System (DNS) records. These techniques aim to identify newly registered domains associated with phishing campaigns. However, the extent to which these methods can effectively cover the diverse landscape of phishing activities remains unclear. This paper seeks to quantify the proportion of phishing attacks that utilize dedicated, attacker-owned domains - the primary target of techniques based on CT logs and domain registration data. By developing a taxonomy of phishing website ownership types, this study analyzes the percentage of phishing attacks that involve domains directly controlled by the attackers, versus those hosted on compromised or third-party hosting platforms. This analysis will provide valuable insights into the diverse phishing domain ownership patterns. The findings can guide the security community in developing more comprehensive solutions to mitigate this persistent threat.

Showing the Receipts: Understanding the Modern Ransomware Ecosystem

Jack Cable (None), Ian Gray (New York University), Damon McCoy (NYU)

Ransomware attacks continue to wreak havoc across the globe, with public reports of total ransomware payments topping billions of dollars annually. While the use of cryptocurrency presents an avenue to understand the tactics of ransomware actors, to date published research has been constrained by relatively limited public datasets of ransomware payments. The investigators present novel techniques to identify ransomware payments with low false positives, classifying nearly $700 million in previously-unreported ransomware payments. The researchers publish the largest public dataset of over $900 million in ransomware payments -- several times larger than any existing public dataset. The researchers then leverage this expanded dataset to present an analysis focused on understanding the activities of ransomware groups over time. This provides unique insights into ransomware behavior and a corpus for future study of ransomware cybercriminal activity.

Dark Web Dialogues: Analyzing Communication Platform Choices of Underground Forum Users

Raphael Hoheisel (University of Twente), Tom Meurs (University of Twente), Marianne Junger (University of Twente), Erik Tews (University of Twente), Abhishta Abhishta (University of Twente)

The University of Twente researchers investigate the utilization of private communication platforms by underground forum users. The researchers aim to bridge the knowledge gap regarding user preferences for communication platforms employed for private conversations within illicit contexts. The investigators employ social network analysis, topic modeling and statistical analysis on over 7.5 million posts and 260 thousand messages from a popular underground forum. They identify prevalent communication platforms and investigate the relationship between the context in which users share contact details and their social networks in relation to platform preferences. The University of Twente researchers’ contributions include an overview of prominent communication platforms used by forum users, highlighting Telegram's predominant popularity. The investigators show that in hacking related topic users choose platforms that provide higher security and privacy levels. Lastly, findings from our statistical model indicate a significant relationship between the centrality of users in the social network and their choice of communication platform. The researchers provide valuable insights for law enforcement agencies, helping them make strategic decisions and plan interventions combating cybercrime.

EagleEye: Attention to Unveil Malicious Event Sequences from Provenance Graphs

Philipp Gysel (Acronis Research), Candid Wüest (Acronis Research) Kenneth Nwafor (Acronis Research), Otakar Jašek (Acronis Research), Andrey Ustyuzhanin (Acronis Research), Dinil Mon Divakaran (A*STAR Institute for Infocomm Research)

Securing endpoints is challenging due to the evolving nature of threats and attacks. With endpoint logging systems becoming mature, provenance-graph representations enable the creation of sophisticated behavior rules. However, adapting to the pace of emerging attacks is not scalable with rules. This led to the development of ML models capable of learning from endpoint logs. However, there are still open challenges: i) malicious patterns of malware are spread across long sequences of events, and ii) ML classification results are not interpretable. To address these issues, the investigators develop and present EagleEye, a novel system that i) uses rich features from provenance graphs for behavior event representation, including command-line embeddings, ii) extracts long sequences of events and learns event embeddings, and iii) trains a lightweight Transformer model to classify behavior sequences as malicious or not. The researchers evaluate and compare EagleEye against state-of-the-art baselines on two datasets, namely a new real-world dataset from a corporate environment, and the public DARPA dataset. On the DARPA dataset, at a false-positive rate of 1%, EagleEye detects ≈≈ 89% of all malicious behavior, outperforming two state-of-the-art solutions by an absolute margin of 38.5%. Furthermore, the researchers show that the Transformer’s attention mechanism can be leveraged to highlight the most suspicious events in a long sequence, thereby providing interpretation of malware alerts.

A Sinister Fattening: Dissecting the Tales of Pig Butchering and other Cryptocurrency Scams

Marilyne Ordekian (UCL), Antonis Papasavva (UCL), Enrico Mariconti (UCL), Marie Vasek (UCL)

Cryptocurrency scams have risen in popularity with the mainstreaming of cryptocurrencies. People can fall victim to them because of their lack of knowledge, particularly when they gain a sense of trust in the ecosystem via a scammer. In this paper, the researchers analyze 143 cryptocurrency scams across 11 different types mined from 133 scam narratives collated by the government of California. Most of these are pig-butchering scams (101) where attackers interact with their victims, gain their trust, and introduce them to a (scam) cryptocurrency investment opportunity. These scams vary in lure which indicates the wide variety of scams in our sample. Scammers often portray themselves as the gender opposite their target; our results show greater financial gains using this approach. Furthermore, most scams end up communicating via messaging apps, regardless of how the scammer initially reached out to the victim. These cross platform movements indicate a leap of faith and trust in the scammer needed to scam the victim. While many of these scams involved a fake cryptocurrency trading platform (124), the researchers find 33 scams involving well known cryptocurrency exchanges, highlighting the need for legitimate cryptocurrency platforms to protect their (overwhelmingly new) users from these scams.

Risk Assessment & Mitigation for Core Security Capabilities

Marc Dupuis (University of Washington), Karen Renaud (Strathclyde University)

In assuring the cybersecurity of an organization's information and systems, the industry have come up with a number of metrics to help organizations to monitor their current state of play. These, when measured over time, could also help organizations to determine whether they are improving their stance or not. As the field has matured, a number of metric frameworks have been published. The investigators reviewed the literature on metrics and then consulted 12 cybersecurity professionals, working in industry, to take a snapshot of the status quo of metric and framework usage. The researchers report on what our respondents told us and conclude by explaining that, although they were aware of metrics, many only used minimal metrics, and few used any existing frameworks. This was primarily due to resource and other business constraints. It seems that the researchers have to encourage and engender more metric usage, and that an automated approach, with an associated dashboard to support reporting would be the best way to help organizations to harness this helpful mechanism.

Identifying Key Expert Actors in Cybercrime Forums Based on their Technical Expertise

Estelle Ruellan (Université de Montréal)

The advent of Big Data has made the collection and analysis of cyber threat intelligence challenging due to its volume, leading research to focus on identifying key threat actors; yet these studies have failed to consider the technical expertise of these actors. Expertise, especially towards specific attack patterns, is crucial for cybercrime intelligence, as it focuses on targeting actors with the knowledge and skills to attack enterprises. Using CVEs and CAPEC classifications to build a bimodal network, as well as community detection, k-means and a criminological framework, this study addresses the key hacker identification problem by identifying communities interested in specific attack patterns across cybercrime forums and their related key expert actors. The analyses reveal several key contributions. First, the community structure of the CAPEC-actor bimodal network shows that there exists groups of actors interested in similar attack patterns across cybercrime forums. Second, key actors identified in this study account for about 4% of the study population. Third, about half of the study population are amateurs who show little technical expertise. Finally, key actors highlighted in this study represent a promising scarcity for resources allocation in cyber threat intelligence production. Further research should look into how they develop and use their technical expertise in cybercrime forums.

NOTE: Discount ticket codes for eCrime 2024 are available for non-profit organizations’ personnel and members, unsubsidized university researchers, government personnel and law enforcement personnel. Delegates from those organizations can contact the event organizers at apwg_events@apwg.org.

The agenda is here: https://apwg.org/event/ecrime2024

The ticket registration console is at the top right of this page.

The accommodations registration page for the eCrime 2024’s conference hotel is here with instructions to reserve at the discounted symposium rate:

https://apwg.org/apwg-ecrime-2024-accommodations

ABOUT THE SYMPOSIUM ON ELECTRONIC CRIME RESEARCH

APWG eCrime is uniquely constructed to examine contemporary industrial responses to cybercrime as well as to showcase the latest academic research into  counter-cybercrime techniques and technologies.

As the only peer-reviewed, publishing (with IEEE Digital Xplore, since 2008) research conference focused exclusively on cyber-crime, APWG eCrime is the most important venue for discovering path-finding, thought-leading ideas and projects that can turn the tide against cybercrime in its third decade.

The Symposium on Electronic Crime Research (APWG eCrime) was founded in 2006 as the eCrime Researchers Summit, conceived by APWG Secretary General Peter Cassidy as a comprehensive, multi-disciplinary venue to present basic and applied research into electronic crime and engaging every aspect of its evolution – as well as spotlighting technologies and techniques for cybercrime detection, response, forensics and prevention.

Since then, what had been initially a technology focused conference has incrementally expanded its focus to cover behavioral, social, economic, and legal / policy dimensions as well as technical aspects of cybercrime, following the interests of our correspondent investigators, the symposium’s managers as well as the APWG’s own directors and steering committee members.

Scores upon scores of papers exploring these dimensions of cybercrime at APWG eCrime have been published by the IEEE <APWG | eCrime Research Papers> as well as by Taylor & Francis and the Association of Computing Machinery (in the very earliest years of the symposium).

With its multi-disciplinary approach, APWG eCrime every year brings together the most heterogeneous community of counter-eCrime researchers and industrial stakeholders to confer over the latest research, and to foster collaborations between the leading investigators in this still nascent field of cybercrime studies.

The power of that community, over the years, has been expressed in their contributions to research in academia and industry, cited in the papers above, their innovations for industry – and the globally scaled research projects they’ve organizing today.

Source: APWG eCrime Symposium