
Attacking Criminal Networks On the Internet

kdawson posted about 7 years ago | from the sowing-doubt dept.

Security 109

Hugh Pickens writes "Computer Scientists at Carnegie Mellon University are developing techniques to analyze and disrupt black markets on the internet, where criminals sell viruses, stolen data, and attack services estimated to total more than $37 million for the seven-month period they studied. To stem the flow of stolen credit cards and identity data, researchers have proposed two technical approaches to reducing the number of successful market transactions. One approach to disrupting the network is a slander attack where an attacker eliminates the verified status of a buyer or seller through false defamation. Another approach undercuts the cyber-crooks' network by creating a deceptive sales environment. 'Just like you need to verify that individuals are honest on E-bay, online criminals need to verify that they are dealing with "honest" criminals,' says Jason Franklin, one of the researchers."


The World's Largest Crime (4, Funny)

Anonymous Coward | about 7 years ago | (#21000353)


Syndicate [whitehouse.org]

Pax,
Kilgore Trout

Re:The World's Largest Crime (2, Insightful)

OrangeTide (124937) | about 7 years ago | (#21000373)

I think House of Representatives [house.gov] is a much larger criminal organization.

Re:The World's Largest Crime (1)

Penguinshit (591885) | about 7 years ago | (#21000819)

You got that [thesmokinggun.com] right.

Crime Syndicates (3, Insightful)

Archangel Michael (180766) | about 7 years ago | (#21000821)

You guys have both missed the real criminals ....

http://www.gop.org/ [gop.org]
http://www.democrats.org/ [democrats.org]

of which the other two organizations you mention are wholly owned subsidiaries, as are the other legislative and judicial branches, along with most of the smaller regional syndicates.

Re:Crime Syndicates (1)

OrangeTide (124937) | about 7 years ago | (#21001403)

Well those two organizations rent out services of the White House and Congress to the highest bidder.

Dear Slashdot Democracy Supporters (0)

Anonymous Coward | about 7 years ago | (#21001471)


Thanks all for your support of the prosecution of this most dangerous group of individuals.

K. Trout, PatRIOT

Re:Dear Slashdot Democracy Supporters (0)

Anonymous Coward | about 7 years ago | (#21001955)

I've been spitting in their food at taco bell. Keep on fighting friends!

Marines.com is obviously a mercenary gang (2, Insightful)

billstewart (78916) | about 7 years ago | (#21003651)

marines.com [marines.com] is actually a Marine Corps recruiting site. But since it's in .com, not .mil.us where it belongs or at least .mil or .gov, it's obviously a commercial organization.

Re:The World's Largest Crime (0)

Anonymous Coward | about 7 years ago | (#21010065)

I think the pirate party is a much larger criminal organization than the House of Representatives.

Hey, look at me! I can also make unfounded strawman arguments! Mod me up!

Re:The World's Largest Crime (1)

OrangeTide (124937) | about 7 years ago | (#21014393)

How is the pirate party large? Few members, no money and no power. Seems like a small time operation to me. Certainly they have grand ambitions, but right now they aren't a large criminal organization. Bike theft rings in San Francisco are larger than the Pirate Party.

Why is there no "CENSORSHIP" tag? (0)

Anonymous Coward | about 7 years ago | (#21001639)

A government-funded body forcibly halting voluntary interactions is censorship.

Re:Why is there no "CENSORSHIP" tag? (0)

Anonymous Coward | about 7 years ago | (#21001861)

So, if I steal a purse, head into a back alley to sell it, and get caught by a cop during the transaction, it's censorship if I get arrested?

Re:The World's Largest Crime (1)

rinaazlin (1162815) | about 7 years ago | (#21021969)

One of the honest criminals considered himself a straight-talking guy http://www.realchange.org/bushjr.htm [realchange.org]

CRIMINALS ARE RICH (1)

pk077299 (1174477) | about 7 years ago | (#21027771)

These criminals can really make lots of money out of others' pockets... a few pieces of personal information and there you go, a criminal smiling wide on the street.

e-crime (0)

Anonymous Coward | about 7 years ago | (#21000365)

scruff mcgruff help take a bite out of e-crime.

Re:e-crime (4, Insightful)

OrangeTide (124937) | about 7 years ago | (#21000397)

Help mcgruff by spreading lies and rumors in an attempt to get the criminals mad at each other? It's like spreading a rumor in prison that some inmate is an undercover cop.

I wonder if anyone is going to get killed over the rumors spread by this anti e-crime technique?

Re:e-crime (1)

KDR_11k (778916) | about 7 years ago | (#21001613)

> I wonder if anyone is going to get killed over the rumors spread by this anti e-crime technique?

We can only hope so.

(sorry but mentioning McGruff made me recall a bunch of Sam & Max quotes...)

Re:e-crime (1)

davidsyes (765062) | about 7 years ago | (#21003509)

In:

http://slashdot.org/comments.pl?sid=326235&threshold=1&commentsort=0&mode=nested&cid=20952949 [slashdot.org]

TechForensics told us:

"However, there is a principle in law (or Equity) that one cannot do indirectly what he cannot do directly. An interesting question for practicing lawyers (I am a retired one and not up on all of this) would be, is there a way to attribute the Plaintiff's actions to Microsoft, canceling their GPL rights? Would it in fact be too late to do this based on their provable support of SCO (the massive loans arranged by MS to keep SCO afloat)? I'd sure like to hear what Eben Moglen has to say about this."

So, I would suspect that unless the laws are rewritten, scientists and police cannot get together and just create a melee among criminals where there is the possibility (high possibility) of criminals killing each other off and then dragging the public into it, too.

Besides, some politicians will just fill the power/crime vacuum in short order, I bet.

Re:e-crime (1)

TT077136 (1167021) | about 7 years ago | (#21023735)

who knows maybe someone will be killed, only god knows...

Idea... (5, Funny)

Hsien-Ko (1090623) | about 7 years ago | (#21000389)

Why not just implement violence support in ipv7? Who needs to undercut them, when you can uppercut (to the point of Toasty)?

Re:Idea... (1, Interesting)

Anonymous Coward | about 7 years ago | (#21010115)

I think you mean IPv8, because odd number IP versions are for beta, and even is for production. This is why we went from IPv4 to IPv6. For example, IPv5 was for Internet Stream Protocol (ST), which was an experimental protocol that never saw the light of day.

The criminals will crack it. (1)

Finallyjoined!!! (1158431) | about 7 years ago | (#21000425)

As they have cracked every other attempt. I'll give it 2½ days :-)

What I want to know is (2, Funny)

Anonymous Coward | about 7 years ago | (#21000429)

how do I get in touch with one of these criminals to inquire about their services? Is there a secret handshake I'm supposed to give to the guy at the McDonald's drivethru, and he writes an ip addy on my happy meal?

Re:What I want to know is (0)

Anonymous Coward | about 7 years ago | (#21001391)

> how do I get in touch with one of these criminals to inquire about their services? Is there a secret handshake I'm supposed to give to the guy at the McDonald's drivethru, and he writes an ip addy on my happy meal?

I hear the Uplink [uplink.co.uk] corporation is hiring...

For a game written in 2001, certain elements of the storyline (shadowy corporation acting as an anonymous market between criminals and customers, purchase of cracking tools online, shadowier corporations hijacking competitors' networks for even shadowier goals) bear an uncanny resemblance to current events.

Re:What I want to know is (1)

surajbarkale (877769) | about 7 years ago | (#21010869)

You can try blackle [blackle.com] to search them.

Yeah, right (1)

archeopterix (594938) | about 7 years ago | (#21000463)

Let's have a look at a black market that has been around a little bit longer: drugs. Why hasn't anyone thought of using these techniques for disrupting this black market? Mhhhhm... okay.

Re:Yeah, right (1)

nuzak (959558) | about 7 years ago | (#21000753)

> Why hasn't anyone thought of using these techniques for disrupting this black market?

Psst buddy, ever heard of a sting? Or an informant?

But seriously, I suspect in order to combat this, the spammers will roll out a web-of-trust network faster than we ever imagined possible. These guys are on the cutting edge of information security, and don't doubt that they have their own theory folks looking at the problem too.

Re:Yeah, right (1)

archeopterix (594938) | about 7 years ago | (#21000923)

> Psst buddy, ever heard of a sting? Or an informant?

Sorry, I forgot to include the slashdotty "Oh, wait" line, that might have confused some of the irony impaired.

> But seriously, I suspect in order to combat this, the spammers will roll out a web-of-trust network faster than we ever imagined possible. These guys are on the cutting edge of information security, and don't doubt that they have their own theory folks looking at the problem too.

Sort of like what drug traders did. Buying botnets will be (or already is) similar to buying drugs - know someone who knows someone. DEA & company have already tested the disruptive techniques against this business model. Go figure.

Difference between law enforcement and warfare (2, Insightful)

R2.0 (532027) | about 7 years ago | (#21000777)

Drug interdiction efforts in this country have been law enforcement based - interdict, arrest, trial, imprisonment. Intelligence is limited to that which can be used in court for trial - all else is forbidden.

The techniques referenced in the article are more in the style of warfare, where the objective isn't to arrest a lawbreaker, but defeat an enemy. Different rules apply. For instance, if an anonymous source gives you the key for Botnet A, you don't have to worry about gathering more evidence to be able to convict - just shut the sucker down, or poison it to turn on its creators, etc.

The confusion between law enforcement and warfare is going to get worse and uglier as time goes on. And I'm not advocating using military thinking domestically on drug trafficking in the US - it doesn't work real well in foreign countries, and I think most drug laws themselves are misguided. But on botnets and international computer crimes? Oh yeah - it's definitely war.

Re:Difference between law enforcement and warfare (1)

cromar (1103585) | about 7 years ago | (#21001331)

> The confusion between law enforcement and warfare is going to get worse...

The thing is, they're not all that different. The difference is that law enforcement asks "please" or gives warnings more often than soldiers/their commanders. They both derive their power almost exclusively from (the threat of) violence.

Correct me if I'm wrong... (4, Insightful)

Jarjarthejedi (996957) | about 7 years ago | (#21000527)

So it looks like their plan is to infiltrate the sites used by these people, and discredit them? The only way to be able to discredit them is to get in contact with them somehow or visit a site they visit regularly. If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? What's the plan?

It's all about choices. (2, Interesting)

R2.0 (532027) | about 7 years ago | (#21000879)

"If we can find such a site...why don't we just find out whose using it and arrest them? Is this some new take on crime, that instead of arresting criminals we should discredit them? "

Choice A: Perform lengthy investigation, put in for extradition, wait forever, and then put on trial, all while said bad guy is still controlling and making money off his botnets.

Choice B: screw up bad guy's botnets so badly that he can't sell their services, causing him to spend more resources in the battle, until he gives up and picks an easier crime.

I'll take "B".

Re:Correct me if I'm wrong... (1)

Hoi Polloi (522990) | about 7 years ago | (#21001843)

The goal is to create mistrust and a breakdown in criminal networks you may not even be aware of yet. Create a negative environment in enough places and it will infect other sites, just like having enough bad experiences on EBay will poison your trust of the whole site. If they just go in and arrest people (assuming they can) then the crooks can just say "Well, as long as we hide from the cops we can still trust each other enough to do business."

Giving Phishers Bad Account Info? (1)

billstewart (78916) | about 7 years ago | (#21004033)

I'd expect that an obvious mechanism for attacking phishers would be to collect samples of the phishing spam, connect to their web sites, hand them bad account numbers, and see who's trying to use them. It's an arms race, of course, so it's probably more effective to do low-volume in-depth investigation, but high-volume attacks are an alternative. Some things that could happen are
  • Banks/etc. start overloading phisher websites with bogus info. - lets them catch some users, but also increases the number of bad cards that the phishers are selling to their customers so their customers aren't willing to pay as much for them.
  • Phishers start discarding lots of records from the same IP address and maybe trading suspicious IP addresses.
  • Banks start using _lots_ of IP addresses (e.g. get employees or volunteers to run phish-hunter from their home broadband, or get DSL carriers to lend you lots of addresses).
  • Phishers start using CAPTCHAs on their sites, but this annoys the suckers.
    • Banks occasionally catch anti-phishing researchers :-)

Re:Correct me if I'm wrong... (1)

bendodge (998616) | about 7 years ago | (#21002335)

You can't just shut them down, because they are hosted on the Russian Business Network's "bulletproof" hosting.

Re:Correct me if I'm wrong... (1)

nuzak (959558) | about 7 years ago | (#21002947)

> You can't just shut them down, because they are hosted on the Russian Business Network's "bulletproof" hosting.

I love bulletproof hosters, really. So easy to null-route. Dodge this.

Fast-flux DNS, Botnets make null-routing too hard (1)

billstewart (78916) | about 7 years ago | (#21004391)

Some kinds of "bulletproof hosting" are easy to catch - ISPs in Russia or China or wherever that have stable IP address ranges and no redeeming social value in their web sites, so none of your customers miss them, but if you're using routers you probably can't handle more than a couple thousand such routes; if you're trying to block a mail server or squid cache it's a lot easier.
(Even more fun than null-routing them is using BGP to advertise a better route to their address, so the rest of the world also can't reach them, but of course any reputable ISP isn't going to let you do that.)


But spammers and phishers have known that for years - so spammer-friendly ISPs or hosting providers such as AGIS or OptInRealBig were easy to block, and it was easy to trace the people selling illegal goods, though you couldn't always prosecute them. So now they're using tricks like hosting their material on botnet armies (because you're not going to null-route a home broadband carrier whose customers might be hitting your customers' websites or who might be running P2P applications like gaming), and using DNS servers that are constantly changing the IP addresses they hand out so that any given zombie server's IP address is only exposed for a short time to a few people, so even if it gets blacklisted it'll only prevent a few hits.


So yeah, the spammers and phishers *are* dodging this.
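
A defender-side sketch of how the fast-flux pattern described in the comment above shows up in resolver logs, added here as an example and not part of the original thread: it scores each name by distinct addresses, distinct origin networks, TTL and answer churn. The observations, thresholds and all function and field names are constructed assumptions.

```python
"""Heuristic fast-flux scoring over passive-DNS observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Observation:
    ts: int      # seconds since start of capture
    qname: str   # name that was resolved
    ttl: int     # TTL of the returned A record
    addr: str    # address returned
    asn: int     # origin AS of addr, from whatever IP-to-ASN data you hold


@dataclass(frozen=True)
class FluxReport:
    distinct_ips: int
    distinct_asns: int
    median_ttl: float
    churn: float        # share of consecutive answers whose address changed
    suspicious: bool


def _rotating(name, ttl, pairs, step=120):
    """Build constructed observations for one name from (addr, asn) pairs."""
    return [Observation(i * step, name, ttl, a, n) for i, (a, n) in enumerate(pairs)]


# Constructed sample data: documentation address ranges and documentation ASNs.
SAMPLE = (
    # Ordinary site: long TTL, one network, address rarely changes.
    _rotating("shop.example", 3600,
              [("192.0.2.10", 64496), ("192.0.2.10", 64496), ("192.0.2.11", 64496)])
    # CDN-like name: short TTL and many addresses, but a single operator's AS.
    + _rotating("static.example", 60,
                [(f"203.0.113.{i}", 64497) for i in range(1, 7)])
    # Fast-flux-like name: short TTL, every answer on a different host,
    # scattered over unrelated networks (zombies on home broadband).
    + _rotating("login-update.example", 180,
                [("198.51.100.7", 64500), ("203.0.113.44", 64501),
                 ("192.0.2.130", 64502), ("198.51.100.200", 64503),
                 ("203.0.113.90", 64504), ("192.0.2.201", 64505),
                 ("198.51.100.61", 64506), ("203.0.113.150", 64507)])
)


def score_domains(observations, min_ips=5, min_asns=3, max_ttl=300, min_churn=0.5):
    """Return {qname: FluxReport}. Thresholds are illustrative assumptions."""
    by_name = defaultdict(list)
    for ob in observations:
        by_name[ob.qname.lower().rstrip(".")].append(ob)

    reports = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o.ts)
        ips = {o.addr for o in obs}
        asns = {o.asn for o in obs}
        changes = sum(1 for a, b in zip(obs, obs[1:]) if a.addr != b.addr)
        churn = changes / (len(obs) - 1) if len(obs) > 1 else 0.0
        ttl = median(o.ttl for o in obs)
        # Address count and TTL alone would also flag CDNs; requiring several
        # unrelated origin networks is what separates the two cases here.
        suspicious = (len(ips) >= min_ips and len(asns) >= min_asns
                      and ttl <= max_ttl and churn >= min_churn)
        reports[name] = FluxReport(len(ips), len(asns), ttl, churn, suspicious)
    return reports


if __name__ == "__main__":
    for name, rep in sorted(score_domains(SAMPLE).items()):
        print(name, rep)
```

Blocking the flagged name at the resolver sidesteps the problem the comment raises with null-routing individual zombie addresses.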

Re:Correct me if I'm wrong... (0)

Anonymous Coward | about 7 years ago | (#21002893)

> why don't we just find out whose using it and arrest them?

It's spelt "who's". Well, you did say "Correct me if I'm wrong"...

Re:Correct me if I'm wrong... (0)

Anonymous Coward | about 7 years ago | (#21004719)

> Is this some new take on crime, that instead of arresting criminals we should discredit them? What's the plan?


What part of first grade playground politics didn't you get?

Boris and Andre both have poopy pants and that's all I'll say on the matter.

Re:Correct me if I'm wrong... (1)

hairykrishna (740240) | about 7 years ago | (#21008355)

Because it's basically impossible to find out who they are. The sites (generally speaking) aren't doing anything illegal and the users who are access through a mixture/combination of Tor and botnet proxies.

How about... (1)

thue (121682) | about 7 years ago | (#21000531)

How about... simply arresting the criminals?

I have the feeling that the police in general just don't care about online crime. Much of it can't be that hard to track down.

Say the spam in my inbox selling pirated copies of MS office. If you can transfer the money to them then you can find them.

Re:How about... (2, Interesting)

veganboyjosh (896761) | about 7 years ago | (#21000621)

> If you can transfer the money to them then you can find them.

What about spam with no contact info? I posted about this once before, and someone responded with (i paraphrase) "spammers are like the rest of us; they forget to include attachments, too. When a spammer forgets, 6 million people find out about it."

I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing. It's like the spam is self aware and breeding. Or the spam churning robot is broken or something. I'd love to know what's behind this. Sometimes it's just the filter workaround "poetry", long lists of current event buzzwords, etc.

Re:How about... (1)

just_another_sean (919159) | about 7 years ago | (#21000787)

I always figured that that type of spam are more probes than anything else. Stick a web bug in a GIF, which is itself a picture of text, and see if it's getting through to people.

I'm sure some of it is just a mistake but there is more to it than that for most spam I think. Another reason behind it might just be to raise "product awareness". Like if you assault people with enough Viagra ads then eventually they will seek out Viagra or respond to that spam that finally has some contact info.

On top of that what recourse does local law enforcement have if the spammer is outside their jurisdiction? IANAL and I know extradition and international law are complicated subjects but I figure that's why local law enforcement doesn't try to follow up on a lot of online crime, simply because it is complicated and probably a hassle for them to deal with.

Re:How about... (0)

Anonymous Coward | about 7 years ago | (#21000801)

> I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing

It's how we beat traffic analysis when we want to send someone a message without informing the listener who the receiver is. By broadcasting the message, we hide the recipient. We don't even need to know the recipient, all that matters is that the broadcast is broad enough.
The message is hidden by making it look like spam. In reality it's orders to hidden Al Queda's cells.

Re:How about... (0)

Anonymous Coward | about 7 years ago | (#21000975)

Those Al Queda cells must have truly huge weapons and really great finance by now

Re:How about... (1)

archeopterix (594938) | about 7 years ago | (#21000989)

> I could see this happening sometimes, but the amount of crap I see with no contact info, no website, no product being sold, is amazing.

Sorry, I forgot to include my contact info - please reply to this post for cheap rolex and v1agra.

Re:How about... (2, Funny)

kurzweilfreak (829276) | about 7 years ago | (#21001713)

Your products are intriguing to me and I wish to subscribe to your newsletter.

What do you mean I'm already "subscribed"?

Re:How about... (3, Insightful)

Kazoo the Clown (644526) | about 7 years ago | (#21001963)

They're probably trying to retrain the spam filters, in preparation for their next volley...

Re:How about... (1)

NAshiqin (1175667) | about 7 years ago | (#21022045)

It is not that the police don't want to get involved, it's just that there aren't many easy-to-detect criminals (who usually are amateurs) if compared with the hard-to-get criminals. Why bother with the little fishes while the big fishes are roaming the sea? If only the public can restrain themselves from going to phishing sites and stop doing any other activities that can 'help' these criminals then only the crime will stop. Most of the victims are those people with little exposure and awareness to Internet security and they need to be educated. There is no point to detect and arrest a criminal while another malicious site is being created to 'phish' these people. If the response stops then the crime will stop too.

Re:How about... (1)

The Notorious ASP (628859) | about 7 years ago | (#21001793)

...can't simply arrest people in countries that don't have laws against this kind of thing (provided you can track them down). What we can do is try to make it more difficult for them to do their job.

Online crime, agreed - somewhere between don't care and don't understand...

...but next year.... (2, Interesting)

drakyri (727902) | about 7 years ago | (#21000537)

Uh, what's to stop the bad guys from taking these techniques and using them against existing networks, e.g., E-bay?

I'm not sure I like this idea....

The bad guys are already phishing on eBay (4, Informative)

postbigbang (761081) | about 7 years ago | (#21000693)

You see two auctions, one for a kewl expensive collectable car. They look identical in the search page.

One of them has a very low buy-it-now listing, and a gmail address to contact to be a 'qualified' bidder.

Which one of them is fishing for your eBay creds? I see these all of the time; I collect and restore specific models of classic cars, and I see one of these almost every week. If you alert eBay through LiveChat, they'll usually take them down. But if you have to report an auction through their mind-numbing 100 questions forms method, you'll never get a fraudulent auction done because you'll explode before you get to the end of forms-- none of which says--> HEY, THIS IS AN OBVIOUS FRAUD!

You can discredit sellers, but sellers have options to restore their dignity if they want to do this-- although it's tough. PayPal can also intercede, as can buyer credit sources. Resources, except in the complaints department, are tilted towards buyers. But that doesn't mean that there are loads of phish attempts. You find them in amusing places, like when I tried to surf for an Apple notebook, and there were a hundred auctions for the same machine-- if you bought the story about getting it shipped from Italy.

Re:The bad guys are already phishing on eBay (1)

Tim C (15259) | about 7 years ago | (#21002285)

I remember back when the PS2 (I think) came out, there was a story of someone buying a box and receipt. There was nothing outright fraudulent about the auction, it listed exactly what it was selling - a PS2 box and receipt. Easy to miss the fine detail and allow yourself to assume that you were buying a PS2 *with* box and receipt.

I also remember a few years ago a rather more deceptive auction for some brand new, must-have model of phone. Lots of pictures, lots of description, huge great dense paragraph of text detailing the phone's specs... and right at the very end a line saying something like "Note you are only buying a picture of the phone". Sure, it said it right there on the page - but buried where very few people would have read it.

This is pretty frightening (1)

Geoffrey.landis (926948) | about 7 years ago | (#21001091)

I find this pretty frightening. The whole point of the good guys is that they act like good guys. I don't think that implementing a policy of lying, slander and attacking the trust of the social network is a good idea, period-- it's not good when the bad guys do it, and it's not good if the good guys do it. "It's ok for us to lie and cheat because we're on the side of truth and justice" is a justification that sounds awful easy to bend.

Far too much of the fabric of social networks-- and that includes the internet-- is built on the assumption that people avoid doing things exactly like what's being proposed here.

Or, to phrase it differently... Superman used to fight for "truth, justice, and the American way." If you're going to be one of the good guys, how about keeping "truth" in there... it's actually something very valuable.

This is pretty encouraging (1)

Cajun Hell (725246) | about 7 years ago | (#21001637)

This is about black markets, which may or may not be used by bad guys. When you talk about black markets, it's more of an us-vs-them situation, not a good-vs-evil situation.

This is merely warfare. There are no good guys or bad guys (well, they exist, but their moralities are irrelevant for analysis, just as Nazi racism is irrelevant when talking about Blitzkrieg); there's just conflict of interest, and differing tactics meeting one another.

And good comes out of it, too. The "white" market is also under constant attack. If black markets are forced to deal with authentication issues, then eventually the technolo-- well, ok, not the technology, since it has been around for decades, but the social customs -- will spill over into the "white" market. Ultimately, explicit attacking of markets, out in the open where Joe Everyman can see it happening and understand it, will nudge all markets (including the ones that Good Guys just happen to operate within) to adapt. This can lead to a decrease in naivety.

When criminals have to go to extra trouble to check each other out before issuing trust, good guys will follow suit. Your next web browser might show better info about X509 cert issuers, for example, or support superior authentication schemes such as PGP. It might lead to the creation of distributed p2p networks where people vouch for one another's past histories, instead of relying on lame centralized servers like eBay.

> Far too much of the fabric of social networks-- and that includes the internet-- is built on the assumption that people avoid doing things exactly like what's being proposed here.

Exactly, and that needs to change.

Re:This is pretty frightening (1)

KDR_11k (778916) | about 7 years ago | (#21001767)

I don't think anyone's trying to look good here, at this point we just want the spammers dead, NOW.

In many cases it's just fine. (1)

billstewart (78916) | about 7 years ago | (#21004455)

Sure, there are lots of attacks on spammers and phishers that are immoral - breaking their legs, etc. But there are many things you can do that are Just Fine.


For instance, if a phisher is impersonating ExampleBank.com's website, it's perfectly fine for ExampleBank to impersonate suckers and go feed the phisher's site a million bogus bank account numbers and passwords that drop the phisher into their honeypot server as well as flooding the phisher's supply of account info from real suckers so it's harder to sell. And it's also mostly ok for ExampleCreditCard.com to feed the phisher a bunch of bogus credit or debit card numbers, though that's not as safe, because there's some risk that they'll use them at merchants who don't verify the card online if they've got the expiration date and security code.


Is it ok for ExampleCreditCard to sell the phishers a bunch of bogus card info? That's a tougher call - aside from avoiding illegal entrapment, the card company probably needs to take some losses by accepting those card numbers for small transactions because the card number buyer will do some testing, and otherwise they're likely to burn some legitimate merchants.
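
The "hand them bad account numbers, and see who's trying to use them" idea from this comment and the earlier one in the thread, as an added example that is not part of the original posts: decoy credentials act as honeytokens in the bank's own authentication log, and real accounts tried from the same source are listed for review. The log format, decoy names, addresses and function names are constructed assumptions.

```python
"""Honeytoken triage over an authentication log (added example)."""
import re
from collections import defaultdict

# Constructed decoy account names, assumed to have been submitted only to
# phishing forms and never issued to a real customer.
DECOYS = frozenset({"decoy-7781", "decoy-7782", "decoy-9001"})

# Constructed log lines in a hypothetical "ts src= user= result=" format.
AUTH_LOG = """\
2007-10-16T08:55:10Z src=198.51.100.23 user=alice result=ok
2007-10-16T09:00:01Z src=198.51.100.23 user=decoy-7781 result=fail
2007-10-16T09:00:05Z src=198.51.100.23 user=decoy-7782 result=fail
2007-10-16T09:01:30Z src=203.0.113.5 user=bob result=ok
2007-10-16T09:02:00Z src=198.51.100.23 user=carol result=fail
2007-10-16T09:03:00Z src=192.0.2.77 user=decoy-9001 result=fail
2007-10-16T09:03:20Z src=192.0.2.77 user=dave result=ok
this line is malformed and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>ok|fail)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(log_text, decoys=DECOYS):
    """Return (tainted_sources, accounts_to_review).

    tainted_sources: {src: set of decoy names it presented}
    accounts_to_review: {user: {"sources": set, "logged_in": bool}}
    """
    events = list(parse(log_text))

    # Pass 1: a source presenting a decoy can only have got it from phished data.
    tainted = defaultdict(set)
    for ev in events:
        if ev["user"] in decoys:
            tainted[ev["src"]].add(ev["user"])

    # Pass 2: real accounts tried from those sources, whether the attempt came
    # before or after the decoy hit. A shared NAT or proxy can put innocent
    # users on this list, so it is a review queue, not a verdict.
    accounts = {}
    for ev in events:
        if ev["src"] in tainted and ev["user"] not in decoys:
            entry = accounts.setdefault(
                ev["user"], {"sources": set(), "logged_in": False})
            entry["sources"].add(ev["src"])
            entry["logged_in"] = entry["logged_in"] or ev["result"] == "ok"
    return dict(tainted), accounts


if __name__ == "__main__":
    sources, review = triage(AUTH_LOG)
    for src, used in sorted(sources.items()):
        print("tainted source", src, sorted(used))
    for user, info in sorted(review.items()):
        action = "reset credentials" if info["logged_in"] else "watch"
        print(user, sorted(info["sources"]), action)
```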

Re:In many cases it's just fine. (1)

plover (150551) | about 7 years ago | (#21005649)

> it's perfectly fine for ExampleBank to impersonate suckers and go feed the phisher's site a million bogus bank account numbers and passwords that drop the phisher into their honeypot server as well as flooding the phisher's supply of account info from real suckers so it's harder to sell.

Is it? Is there any concern for the site hosting the phisher's site? It's usually someone else's mismanaged server that's been owned by some worm or another. Isn't it vigilante justice to flood them with a million page submissions, sticking them with a giant bandwidth tab?

(Just so we're clear, that's purely a "devil's advocate" question. I'm all in favor of poisoning the phisherman's well, regardless of the cost to the poorly maintained machine. I consider it part of the price of negligence.)

Re:In many cases it's just fine. (1)

totally bogus dude (1040246) | about 7 years ago | (#21007189)

In addition to the moral issues is the legal question. If you rack up massive bandwidth bills for someone by deliberately flooding their server with bogus data, can you be held liable? What if you manage to crash their server, taking out a bunch of other sites hosted on it (by filling up disc space with the logs, for example)? Can they sue you for damages?

While you can make a pretty strong case that you were just using their publicly-accessible server as it was intended, I think there's also a pretty strong case to be made that you're making a deliberate, pre-meditated attack on it. You could probably also prove beyond reasonable doubt that the people flooding the contact form knew it wasn't put there by the site owners, but decided to attack the owner's server anyway. It's definitely an iffy proposition from either side, and not something I'd want to be stuck fighting.

Re:Flooding Phishers with bad data (1)

billstewart (78916) | about 7 years ago | (#21015223)

First of all, I wasn't talking about a Denial of Service level of attack on the phisher (though those can be entertaining as well) or even a Rack Up Bandwidth Bills attack (there have been groups like "Artists Against 419" that do that to Nigerian 419 websites.) I was talking about handing the phisher enough bogus account data that it's hard to find any accounts from real suckers between the bogus accounts, and reducing the phisher's reputation with the people he sells stolen numbers to.


Any half-decently configured web server isn't going to die if it gets a million hits over a couple of days, though it may reject some of the connection attempts if you overdo it. (For one day, that's about 11 hits/second, around 100kbps - 1 Mbps depending on how dense the input format is.) And while some hosting services blow out their bandwidth quota if they get more than 1-10GB per month, which is about how much you'd be sending, and either charge too much or (for free hosting) shut down for the month because of overuse, the perp is attempting to be in a profit-making business just like anybody else whose site becomes popular, and he's also spending a lot more bandwidth sending out email to people who don't reply. Many phishing servers are on zombies on residential broadband services, and some of them throttle down to 64kbps but don't also block home web servers, which could inconvenience the real owner or lead to a bandwidth-abuse contact from the owner's ISP; in either case that may be the only warning the owner has that he's become a zombie and needs to clean up. And in practice, zombie-based servers are usually run from a fast-flux DNS server so the load gets spread around a lot of different zombies.

legitimate transactions? (2, Interesting)

vlk (775733) | about 7 years ago | (#21000615)

How long before the criminals turn around and use the same tools to disrupt legitimate (read: legal) marketplaces? More complex than a crude DDOS, more customizable, allows for a larger Profit!!! potential.

Re:legitimate transactions? (1)

analog_line (465182) | about 7 years ago | (#21004603)

The only real way this could be used to profit by a "criminal" in the classical sense, is to facilitate extortion. "Pay us off or we'll make your auction site worthless." However at that point you get into the problem faced by every extortion racket, hiding your tracks, both financially, and your communications. Easy enough to do the latter, a lot harder to do the former, especially if you pick a big fish with muscle to push an investigation.

Re:legitimate transactions? (1)

vlk (775733) | about 7 years ago | (#21005495)

Certainly difficult, but not impossible, evidenced by the fact that extortion racket still exists, as does the money laundering business. But I do agree with you that the difficulty is probably more or less directly proportional to the resources of the victim.

On a smaller scale, this could also be targeted against individual participants of said marketplace, or groups, for example those that sell a certain type of product or service.

Re:legitimate transactions? (2, Interesting)

analog_line (465182) | about 7 years ago | (#21005825)

Extortion also only really works in cases where the appearance of normalcy is more important to other trust relationships of the victim than whatever payment the extorter requires. That, or they have no recourse to the local law enforcement authorities for some reason.

From what I've heard, banks often get extorted successfully by Internet-based rings. They pay up, and shut up, because it's cheaper than the huge hit to the trust of their depositors in the institution. Look at what happened to Northern Rock when they stood up and did the right thing to ensure their depositors were safe by going to the Bank of England. The first run on an English bank in a century.

An auction site like eBay doesn't need my trust nearly as much. They don't have my credit card number (unless I use PayPal, but that's not a requirement to use eBay). I don't think I even had to put in an address to set up an eBay account to merely buy stuff. The only trust I need is in the particular seller. Now I'd be the first to admit that your average eBay seller is not toward the high end of the trustworthiness scale, and that the feedback system is abusable, but you're working from a pretty low baseline in any case. And what exactly does eBay have to lose if they broadcast to the world that some dastardly group threatened to make people think that eBay sellers are fraudsters?

Now your black market, that's a lot more like a bank in terms of amount of trust required. A bad deal on a black market doesn't mean you call up PayPal/eBay/bank and tell them that that bastard that promised you 100k of fresh credit card details ripped you, and you want your money back like the victim of a bad deal on a legal marketplace can. Hell, if you're an intelligent person doing business in a place like this, you know damn well that your buyer or seller might be a cop. A wasp doesn't complain too loudly when it gets stung. It's easier, and safer, to find another patch than try to rebuild trust in a compromised location. Not that it's easy, you need to rebuild trust in this new marketplace, which a determined poisoning scheme can probably easily deal with, so you'd theoretically be forced into a more personal marketplace, where personal recommendation is required in order to be able to buy. Harder to crack, but WAY harder to use, and it keeps the cost of entry high enough to discourage all but the most determined criminal wannabes.

False Defamation? (0)

Anonymous Coward | about 7 years ago | (#21000625)

One approach to disrupting the network is a slander attack where an attacker eliminates the verified status of a buyer or seller through false defamation.
Defamation by definition is false.
http://en.wikipedia.org/wiki/Defamation [wikipedia.org]

Slander is a "technical approach"? (2, Insightful)

Venik (915777) | about 7 years ago | (#21000743)

All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. Sounds like these "computer scientists" need to add a good attorney to their team, just to make sure it's the hackers and not them who ends up with a legal headache.

Re:Slander is a "technical approach"? (1)

skelly33 (891182) | about 7 years ago | (#21001641)

Whichever organization employs such methods will be exposing itself to lawsuits.

Think about it.

"That's right, your honor - the defendant slandered my cred though I was a legit merchant. I can demonstrate proof that I had a full one million stolen credit card accounts in my possession. At $7 each, that entitles me to $7,000,000 plus legal fees to cover the stolen data that I was so rudely prevented from selling by this infidel."

There's a reason that organized criminals are not litigious...

Re:Slander is a "technical approach"? (0)

Anonymous Coward | about 7 years ago | (#21003779)

Guess that means you'll have to skip the 'law' thing and go straight to the 'assassination' thing? :D

Re:Slander is a "technical approach"? (1)

Venik (915777) | about 7 years ago | (#21011539)

This is not how it works. If your bot is posting information online with as much as a hint of any illegal activity on my part, and no court has yet found me guilty, it is called libel and you are exposing yourself to a lawsuit against which you cannot defend. Criminals may not be litigious, but it will take just one lawsuit to shut down your operation.

Re:Slander is a "technical approach"? (1)

skelly33 (891182) | about 7 years ago | (#21012157)

The burden of proof is on the prosecution. A legitimate operation should have no problem distancing themselves from simple attacks like you describe.

Why can't criminals be "honest"? (4, Interesting)

nate nice (672391) | about 7 years ago | (#21001265)

I've never really understood why there's this belief that criminals have trouble being honest. Often, a criminal is only such because society labels them that way and thus dishonest. But in reality, many of them are very nice people performing honest business transactions (unregulated at that!) for their clients. Many drug dealers, prostitutes, pirates, hackers, etc are very honest people in the sense they aren't scamming their customers. They will provide great value to them in fact.

Supporters of the free market can look to the very successful black market as an example of unregulated trade working well. Often in the black market, as this article alludes to, your reputation is everything. So there is no benefit in ripping someone off.

I've worked with many "honest", good people in my black market transactions.

Re:Why can't criminals be "honest"? (1)

cfulmer (3166) | about 7 years ago | (#21001425)

Not scamming their customers, just everybody else. It's hard to reconcile the view of an 'honest person who happens to be engaged in something illegal' with identity theft, credit-card fraud and denial-of-service attacks.

"honest" for self preservation (2, Insightful)

vinn01 (178295) | about 7 years ago | (#21002363)



Most criminals are only honest within their peer group. Probably because their peer group would likely kill them if they were not honest.

The idea of an honest criminal only applies to victimless crimes such as drugs, prostitution, gambling, etc. (To people that insist that self crime is not a victimless crime: stop touching yourself)

Re:Why can't criminals be "honest"? (1)

Durrok (912509) | about 7 years ago | (#21003975)

Like most humans, we are only as honest as our options. If you deceive 1,000 people but would never lie to a group of 10 close friends, does that really make you honest?

Re:Why can't criminals be "honest"? (1)

rinaazlin (1162815) | about 7 years ago | (#21021897)

Wow, looks like you understand them very well. Maybe you could ask them to open a college to teach new criminals-to-be about honesty in business.

computer scientists? (0)

Anonymous Coward | about 7 years ago | (#21001369)

I really don't think computer scientists are the best people to figure out how to infiltrate or disrupt criminal organizations. I mean, electrical engineers didn't try to figure out how phone based criminal networks operated; at best, they created technology to "listen in".

Seems to me this sort of thing should be left to the experts: criminologists, sociologists, and psychologists.

Something's missing here (0)

Anonymous Coward | about 7 years ago | (#21001567)

If only there were people that would offer tantalizing but dishonest business deals. Ya, they could do it through email, or on some kind of online marketplace...

And if we could just find other people that would randomly make inflammatory accusations... basically just lurk in the shadows, and wait for unsuspecting victims. We could call them ogres, or maybe goblins...

Oh well, I guess even the internet isn't perfect.

Re:Something's missing here (0)

Anonymous Coward | about 7 years ago | (#21003397)

Well played

f1agoRz (-1, Flamebait)

Anonymous Coward | about 7 years ago | (#21003661)

and executes a 7hese chaalenges Users With Large

fight fire with fire? (1, Interesting)

Anonymous Coward | about 7 years ago | (#21004895)

I'm surprised that the banks haven't got together a honeypot botnet of their own (have every employee put a honeypot mirror router on their home PC, etc.) to flood these criminal networks with bogus data. Major ISPs might even buy-in to make their customers look less desirable, and donate random portions of their IP allocations for this on some rotation. Fake millions of clicks on the phishing email web page links from millions of IP addresses, and submit a bunch of false data mixed with some monitored CC numbers. Flood any phishing pages with bogus accounts/passwords for ebay/ppal/brokerage/etc, before trying to take them down. Fake any penny stock buy/sells from these bogus accounts so a lot of time is wasted trying to manipulate the market. The more the data collected becomes random, the less valuable it is to their "business".

Sort of like baiting 419 scammers into showing up on webcams, except on an industrial scale.

Prevent Criminals (1)

TT076743 (1169351) | about 7 years ago | (#21005349)

Hope this approach will help to prevent internet criminals... Say "NO" to INTERNET CRIMINALS...:-)

Flooding... (1)

Merovign (557032) | about 7 years ago | (#21005609)

(shakes head at people referring to phishers and dealers in stolen ccards as "honest")

There are some interesting ideas on this thread. The "flooding" idea is probably both the most legally defensible and cost effective response (hey, it's a real concern). I mean, you get pretty pissed when someone floods your inbox with 100 times as much crap as you get in content, imagine if you had to check each one to see if it was crap or content?

People talk about just arresting the criminals - we have a pretty darned high bar for prosecution, and it requires a lot of man-hours for each case. To the point where, extradition issues aside, there simply aren't enough resources.

Yeah, it would be nice if there were. But there aren't, and I don't think we want to substantially lower the barriers to prosecution when we can just flood at least a portion of the crooks out of the market by making their work so time-consuming that it's unprofitable.

Yes, that applies less to DOS attackers, site hackers, and virus writers, and mainly to phishers and CC bandits of various kinds. The former still require those pesky investigations, but the population appears to be smaller.

It might not be a bad idea to simply monitor these "reputation systems" and target the highest rep d00dz for prosecution - make it unattractive to advertise for work in that field (it is illegal, after all).

If it's going to work, why tell us? (1)

Wizard052 (1003511) | about 7 years ago | (#21007219)

I think the most destructive part about this affair is that, well, it's out in the open. So we may never know if it indeed worked because Slashdot Et Al have spread the word. So complicated yet so blown...as many here have said, nothing's stopping the bad guys from using it on the good ones now.

A workaround, for criminals, to this, I suppose is to make their existing operations a lot more secretive. No more E-Bay style auctioning or other easy and convenient routes of trade... to participate, you'd have to be privy to codewords and the like. And we're sort of back to square 1. Yes, the fun that was e-commerce dissipates but then again, that was never the main aim was it?

Just my 2 cents. :)

Willing to meet Jimmy Hoffa? (1, Funny)

Anonymous Coward | about 7 years ago | (#21008189)

Just look at the article photo of that bespectacled nerd. Unless he is Superman or Harry Potter himself, he better not mess with organized online criminals (at least half of whom are directly connected to the Russian mafia). In response to the slander attack he proposed they will just find Mr. Geek, step on his eyeglasses and make him sleep with the fishes.

OK, I know most geeks never slept with a girl, so they have no first-hand experience, but I can tell you that sleeping with fishes is even more dangerous to your health. Syphilis can be treated, HIV symptoms can be controlled but a slab of concrete cast around your legs never goes away, frankly.

Remmeber that american who went to Nigeria to find out about 419 scammers and ended up in a coffin, dismembered? Those negro are very docily compared to the ethnic jews who run the russian mafia!

Attacking Criminal Networks On the Internet (0)

Anonymous Coward | about 7 years ago | (#21008875)

Credit card fraud is a growing problem for online businesses and can hurt our business in many ways. Fraudulent credit card transactions are costing e-commerce businesses many millions of dollars annually. So, it is very important to verify the cardholder's identity. We can use software programs to detect fraudulent orders or we can manually check each transaction for possible fraud. Here are some steps that we can take as a merchant to reduce credit card fraud:

1) Check the buyer's IP Address Location. Does this location match the cardholder's location?
2) Check the buyer's e-mail domain. Criminals will use a free e-mail provider.
3) IP Address indicating anonymous or open proxies?
4) Check the bank identification number.
5) Call the credit card holder. You can ask the cardholder to verify the order.
6) Fax authorization with signature. You can ask the cardholder to verify the order by sending a signed fax.
7) Make your anti-fraud policy visible.
8) Utilize anti-fraud services.
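The automatable checks from the comment above (IP location against cardholder location, free e-mail domain, proxy flag, bank identification number), sketched as a rule-based order screen whose output decides which orders go to the manual steps (phone call, signed fax). This is an added example, not part of the original comment; the field names, lookup tables, weights and threshold are constructed assumptions, and a real deployment would take geolocation, proxy and BIN data from a maintained service.

```python
"""Rule-based screening of card-not-present orders (added illustration)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample data; not real issuer or provider records.
FREE_EMAIL_DOMAINS = {"freemail.example", "webmail.example"}
BIN_COUNTRY = {"411111": "US", "555555": "GB"}  # first six digits -> issuer country
REVIEW_THRESHOLD = 40                           # assumed cut-off for manual review


@dataclass
class Order:
    card_number: str
    email: str
    billing_country: str  # country code taken from the billing address
    ip_country: str       # result of an IP geolocation lookup
    ip_is_proxy: bool     # result of an anonymous/open proxy lookup


def luhn_valid(number: str) -> bool:
    """Luhn checksum: rejects mistyped or randomly generated card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def screen(order: Order) -> Tuple[int, List[str]]:
    """Return (risk score, reasons); each rule mirrors one listed check."""
    if not luhn_valid(order.card_number):
        return 100, ["card number fails Luhn checksum"]
    score, reasons = 0, []
    if order.ip_country != order.billing_country:            # check 1
        score += 30
        reasons.append("IP country differs from billing country")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:  # check 2
        score += 10
        reasons.append("free e-mail provider")
    if order.ip_is_proxy:                                     # check 3
        score += 30
        reasons.append("IP is an anonymous or open proxy")
    issuer = BIN_COUNTRY.get(order.card_number[:6])           # check 4
    if issuer is None:
        score += 10
        reasons.append("unknown bank identification number")
    elif issuer != order.billing_country:
        score += 20
        reasons.append("issuer country differs from billing country")
    return score, reasons


def needs_review(order: Order) -> bool:
    """Orders at or above the threshold go to the manual steps (call, fax)."""
    return screen(order)[0] >= REVIEW_THRESHOLD
```

A free e-mail address alone scores below the threshold here, since plenty of legitimate buyers use one; it only tips an order into review in combination with another signal.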

Attacking Criminal Networks On the Internet (0)

Anonymous Coward | about 7 years ago | (#21008929)

In my opinion we can't fully curb network criminals as there are many ways and in each system there is a leak where someone can do their criminal work, for example we take credit card fraud. Credit card fraud is a growing problem for online businesses and can hurt your business in many ways. You can use software programs to detect fraudulent orders or you can manually check each transaction for possible fraud.

Attacking Criminal Networks On the Internet (0)

Anonymous Coward | about 7 years ago | (#21009067)

The only way to discredit them is to get in contact with them somehow or visit a site they visit regularly.

How? (2)

angus_rg (1063280) | about 7 years ago | (#21010835)

I'm working on methods to thwart cyber crime as well. I know I haven't provided anything more than grotesquely vague details lacking any real substance, but just take my word on it.

honest (1)

rinaazlin (1162815) | about 7 years ago | (#21021931)

I love the way that the researcher wants to prove they are "honest" criminals. I think it's a good idea. As long as the criminal is honest I don't mind doing business with them.

network criminals are increasing (1)

TT077136 (1167021) | about 7 years ago | (#21022983)

New Internet Security Threat Research Reveals that Hackers are Adopting New Business-Like Strategies to Successfully Perform Malicious Activity.

cyber criminals (1)

TT077136 (1167021) | about 7 years ago | (#21023111)

Cybercrime continues to be driven by financial gain; cyber criminals are now utilising more professional attack methods, tools and strategies to conduct malicious activity. How to stop this from happening... Phishing is one of the methods used by the attacker to get victims' personal information. Do not give your personal information on the net. Don't believe the SPAM messages that will be sent to your emails.

Protocol Analysis Module (PAM) (1)

TT077136 (1167021) | about 7 years ago | (#21023315)

A vulnerability was discovered in the ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM) component. The PAM module is a shared component of all current ISS host, server, and network protection software and devices. The flaw relates to incorrect parsing of the ICQ protocol which may lead to a buffer overflow condition.

help me (1)

TT077136 (1167021) | about 7 years ago | (#21023455)

I've been facing this problem for a very long time and I don't know how to keep this attacker from having my personal information. I never give any of my personal particulars to any spam messages... but still how????????

blur (1)

TT077136 (1167021) | about 7 years ago | (#21023587)

For God's sake, I really don't get what the question is about, thanks.

troublesome ... (1)

rk075583nDa (1164731) | about 7 years ago | (#21035571)

These troublesome entrepreneurs even offer tech support and free updates for their malicious creations that run the gamut from denial of service attacks designed to overwhelm Web sites and servers to data stealing Trojan viruses. All of the devised methods listed in the article are probably not legal. Whichever organization employs such methods will be exposing itself to lawsuits. Computer scientists should add a good attorney to their team, just to make sure it's the hackers and not them who ends up with a legal headache.

what to do? (1)

rk075583nDa (1164731) | about 7 years ago | (#21035843)

Usually the user knows where to find the source for what they need. They also don't really care if the source is not legal or from the black market. So, if we are concerned about this when there are a lot of people who still do the wrong things, what should we really do? A lot of people still don't have knowledge about it.

credit card spamming (1)

TT077136 (1167021) | about 7 years ago | (#21036463)

How do these culprits manage to get our credit number and use it for their transactions? Is there any way for us to prevent this?

ARE YOU A SPAMMER (1)

TT077136 (1167021) | about 7 years ago | (#21036543)

Have you ever e-mailed a message to more than one person?

spamming technique (1)

TT077136 (1167021) | about 7 years ago | (#21036607)

Some methods go too far and are known as "search engine spamming", "spamdexing", and "spammage".

how to become a spammer (1)

TT077136 (1167021) | about 7 years ago | (#21036657)

jesus is not a spammer..was..How to become a christian.