Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones

  • Thorsten Holz
  • Markus Engelberth
  • Felix Freiling
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5789)


We study an active underground economy that trades stolen digital credentials. In particular, we investigate keylogger-based stealing of credentials via dropzones, anonymous collection points for illicitly harvested data. Based on the data collected from more than 70 dropzones, we present an empirical study of this phenomenon, giving many first-hand details about the attacks observed during a seven-month period between April and October 2008. We found more than 33 GB of keylogger data, containing stolen information from more than 173,000 victims. Analyzing this data set helps us better understand the attackers' motivation and the nature and size of these emerging underground marketplaces.





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Thorsten Holz (1, 2)
  • Markus Engelberth (1)
  • Felix Freiling (1)

  1. Laboratory for Dependable Distributed Systems, University of Mannheim, Germany
  2. Secure Systems Lab, Vienna University of Technology, Austria
