Profiling underground merchants based on network behavior

Srikanth Sundaresan, Damon McCoy, Sadia Afroz, Vern Paxson

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Online underground forums serve a key role in facilitating information exchange and commerce between gray market or even cybercriminal actors. In order to streamline bilateral communication to complete sales, merchants often publicly post their IM contact details, such as their Skype handle. Merchants that publicly post their Skype handle potentially leak information, since Skype has a known protocol flaw that reveals the IP address(es) of a user when they are online. In this paper, we collect Skype handles of merchants from three underground forums - AntiChat, BlackHat World and Hack Forums - and longitudinally monitor their network behavior. Our analysis of their network behavior provides a rich profile of their likely locations, network behavior, work habits, and other dynamics. In particular, we show that these merchants do not frequently use VPN services, and even when they do, they often leak their likely geolocation by also directly using residential and cellular IP addresses.

    Original language: English (US)
    Title of host publication: Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016
    Publisher: IEEE Computer Society
    Pages: 62-70
    Number of pages: 9
    Volume: 2016-June
    ISBN (Electronic): 9781509029228
    DOI: https://doi.org/10.1109/ECRIME.2016.7487943
    State: Published - Jun 8 2016
    Event: 2016 APWG Symposium on Electronic Crime Research, eCrime 2016 - Toronto, Canada
    Duration: Jun 1 2016 → Jun 3 2016

    Other

    Other: 2016 APWG Symposium on Electronic Crime Research, eCrime 2016
    Country: Canada
    City: Toronto
    Period: 6/1/16 → 6/3/16

    Fingerprint

    Sales
    Defects
    Communication
    Merchants
    Profiling

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Computer Science Applications
    • Information Systems
    • Information Systems and Management

    Cite this

    Sundaresan, S., McCoy, D., Afroz, S., & Paxson, V. (2016). Profiling underground merchants based on network behavior. In Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016 (Vol. 2016-June, pp. 62-70). [7487943] IEEE Computer Society. https://doi.org/10.1109/ECRIME.2016.7487943
