
Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 5789)

Abstract

We study an active underground economy that trades stolen digital credentials. In particular, we investigate keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present an empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. We found more than 33 GB of keylogger data, containing stolen information from more than 173,000 victims. Analyzing this data set helps us better understand the attacker’s motivation and the nature and size of these emerging underground marketplaces.

Keywords

  • Credit Card
  • Underground Economy
  • Credit Card Number
  • USENIX Security Symposium
  • Underground Market



Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Holz, T., Engelberth, M., Freiling, F. (2009). Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones. In: Backes, M., Ning, P. (eds) Computer Security – ESORICS 2009. ESORICS 2009. Lecture Notes in Computer Science, vol 5789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04444-1_1


  • DOI: https://doi.org/10.1007/978-3-642-04444-1_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04443-4

  • Online ISBN: 978-3-642-04444-1

  • eBook Packages: Computer Science (R0)