Profiling underground merchants based on network behavior

Srikanth Sundaresan, Damon McCoy, Sadia Afroz, Vern Paxson

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


    Online underground forums serve a key role in facilitating information exchange and commerce between gray market or even cybercriminal actors. In order to streamline bilateral communication to complete sales, merchants often publicly post their IM contact details, such as their Skype handle. Merchants that publicly post their Skype handle potentially leak information, since Skype has a known protocol flaw that reveals the IP address(es) of a user when they are online. In this paper, we collect Skype handles of merchants from three underground forums (AntiChat, BlackHat World and Hack Forums) and longitudinally monitor their network behavior. Our analysis of their network behavior provides a rich profile of their likely locations, network behavior, work habits, and other dynamics. In particular, we show that these merchants do not frequently use VPN services, and even when they do, they often leak their likely geolocation by also directly using residential and cellular IP addresses.

    Original language: English (US)
    Title of host publication: Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016
    Publisher: IEEE Computer Society
    Number of pages: 9
    ISBN (Electronic): 9781509029228
    State: Published - Jun 8 2016
    Event: 2016 APWG Symposium on Electronic Crime Research, eCrime 2016 - Toronto, Canada
    Duration: Jun 1 2016 → Jun 3 2016

    Publication series

    Name: eCrime Researchers Summit, eCrime
    ISSN (Print): 2159-1237
    ISSN (Electronic): 2159-1245


    Other: 2016 APWG Symposium on Electronic Crime Research, eCrime 2016

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Computer Science Applications
    • Information Systems
    • Information Systems and Management

