Profiling underground merchants based on network behavior

Srikanth Sundaresan; Damon McCoy; Sadia Afroz; Vern Paxson

doi:10.1109/ECRIME.2016.7487943

Profiling underground merchants based on network behavior

Srikanth Sundaresan, Damon McCoy, Sadia Afroz, Vern Paxson

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Online underground forums serve a key role in facilitating information exchange and commerce between gray market or even cybercriminal actors. In order to streamline bilateral communication to complete sales, merchants often publicly post their IM contact details, such as their Skype handle. Merchants that publicly post their Skype handle potentially leak information, since Skype has a known protocol flaw that reveals the IP address(es) of a user when they are online. In this paper, we collect Skype handles of merchants from three underground forums-AntiChat, BlackHat World and Hack Forums-and longitudinally monitor their network behavior. Our analysis of their network behavior provides a rich profile of their likely locations, network behavior, work habits, and other dynamics. In particular, we show that these merchants do not frequently use VPN services, and even when they do, they often leak their likely geolocation by also directly using residential and cellular IP addresses.

Original language	English (US)
Title of host publication	Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016
Publisher	IEEE Computer Society
Pages	62-70
Number of pages	9
ISBN (Electronic)	9781509029228
DOIs	https://doi.org/10.1109/ECRIME.2016.7487943
State	Published - Jun 8 2016
Event	2016 APWG Symposium on Electronic Crime Research, eCrime 2016 - Toronto, Canada Duration: Jun 1 2016 → Jun 3 2016

Publication series

Name	eCrime Researchers Summit, eCrime
Volume	2016-June
ISSN (Print)	2159-1237
ISSN (Electronic)	2159-1245

Other

Other	2016 APWG Symposium on Electronic Crime Research, eCrime 2016
Country/Territory	Canada
City	Toronto
Period	6/1/16 → 6/3/16

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications
Information Systems
Information Systems and Management

Access to Document

10.1109/ECRIME.2016.7487943

Cite this

Profiling underground merchants based on network behavior. / Sundaresan, Srikanth; McCoy, Damon; Afroz, Sadia et al.
Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016. IEEE Computer Society, 2016. p. 62-70 7487943 (eCrime Researchers Summit, eCrime; Vol. 2016-June).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Sundaresan, S, McCoy, D, Afroz, S & Paxson, V 2016, Profiling underground merchants based on network behavior. in Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016., 7487943, eCrime Researchers Summit, eCrime, vol. 2016-June, IEEE Computer Society, pp. 62-70, 2016 APWG Symposium on Electronic Crime Research, eCrime 2016, Toronto, Canada, 6/1/16. https://doi.org/10.1109/ECRIME.2016.7487943

@inproceedings{4d9fcec9436143628d1a5c7e4737fe96,

title = "Profiling underground merchants based on network behavior",

abstract = "Online underground forums serve a key role in facilitating information exchange and commerce between gray market or even cybercriminal actors. In order to streamline bilateral communication to complete sales, merchants often publicly post their IM contact details, such as their Skype handle. Merchants that publicly post their Skype handle potentially leak information, since Skype has a known protocol flaw that reveals the IP address(es) of a user when they are online. In this paper, we collect Skype handles of merchants from three underground forums-AntiChat, BlackHat World and Hack Forums-and longitudinally monitor their network behavior. Our analysis of their network behavior provides a rich profile of their likely locations, network behavior, work habits, and other dynamics. In particular, we show that these merchants do not frequently use VPN services, and even when they do, they often leak their likely geolocation by also directly using residential and cellular IP addresses.",

author = "Srikanth Sundaresan and Damon McCoy and Sadia Afroz and Vern Paxson",

year = "2016",

month = jun,

day = "8",

doi = "10.1109/ECRIME.2016.7487943",

language = "English (US)",

series = "eCrime Researchers Summit, eCrime",

publisher = "IEEE Computer Society",

pages = "62--70",

booktitle = "Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016",

note = "2016 APWG Symposium on Electronic Crime Research, eCrime 2016 ; Conference date: 01-06-2016 Through 03-06-2016",

}

TY - GEN

T1 - Profiling underground merchants based on network behavior

AU - Sundaresan, Srikanth

AU - McCoy, Damon

AU - Afroz, Sadia

AU - Paxson, Vern

PY - 2016/6/8

Y1 - 2016/6/8

N2 - Online underground forums serve a key role in facilitating information exchange and commerce between gray market or even cybercriminal actors. In order to streamline bilateral communication to complete sales, merchants often publicly post their IM contact details, such as their Skype handle. Merchants that publicly post their Skype handle potentially leak information, since Skype has a known protocol flaw that reveals the IP address(es) of a user when they are online. In this paper, we collect Skype handles of merchants from three underground forums-AntiChat, BlackHat World and Hack Forums-and longitudinally monitor their network behavior. Our analysis of their network behavior provides a rich profile of their likely locations, network behavior, work habits, and other dynamics. In particular, we show that these merchants do not frequently use VPN services, and even when they do, they often leak their likely geolocation by also directly using residential and cellular IP addresses.

AB - Online underground forums serve a key role in facilitating information exchange and commerce between gray market or even cybercriminal actors. In order to streamline bilateral communication to complete sales, merchants often publicly post their IM contact details, such as their Skype handle. Merchants that publicly post their Skype handle potentially leak information, since Skype has a known protocol flaw that reveals the IP address(es) of a user when they are online. In this paper, we collect Skype handles of merchants from three underground forums-AntiChat, BlackHat World and Hack Forums-and longitudinally monitor their network behavior. Our analysis of their network behavior provides a rich profile of their likely locations, network behavior, work habits, and other dynamics. In particular, we show that these merchants do not frequently use VPN services, and even when they do, they often leak their likely geolocation by also directly using residential and cellular IP addresses.

UR - http://www.scopus.com/inward/record.url?scp=84977275085&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84977275085&partnerID=8YFLogxK

U2 - 10.1109/ECRIME.2016.7487943

DO - 10.1109/ECRIME.2016.7487943

M3 - Conference contribution

AN - SCOPUS:84977275085

T3 - eCrime Researchers Summit, eCrime

SP - 62

EP - 70

BT - Proceedings of the 2016 APWG Symposium on Electronic Crime Research, eCrime 2016

PB - IEEE Computer Society

T2 - 2016 APWG Symposium on Electronic Crime Research, eCrime 2016

Y2 - 1 June 2016 through 3 June 2016

ER -

Profiling underground merchants based on network behavior

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this