By Marlene Cimons, National Science Foundation
Today’s hackers are a different breed from those of the past. In the old days, all they wanted to do was make mischief. Now all they want to do is make money.
This means security experts no longer can depend solely on traditional defenses, such as blacklists and anti-virus software, since experienced attackers eventually find ways to get around them. Instead, cyber scientists are turning to an age-old system to help them develop a new approach.
“We are looking at the economic business model of Internet crime to try to understand ‘unprofitable,’” says Stefan Savage, professor of computer science and engineering at the University of California, San Diego. “We need to find the attackers’ economic vulnerabilities and weaknesses. It’s like trying to stop the drug trade—you need to look at every step in the pipeline to figure out the best place to disrupt it.”
Savage and his colleague, Vern Paxson, professor of electrical engineering and computer sciences at University of California, Berkeley, are principal investigators at the Collaborative Center for Internet Epidemiology and Defenses, a joint effort between University of California, San Diego and the International Computer Science Institute’s Center for Internet Research, where Paxson also is a senior scientist. The center is funded in part by the National Science Foundation, which has provided more than $1 million annually.
The center’s goal is to address the challenges posed by worms and viruses, and more recently by the proliferation of botnets, networks of computers controlled en masse by a third party. Typically unknown to the owners of the individual machines, botnets allow criminals to set up scams via spam email, selling counterfeit drugs and other products, as well as more insidious things, such as stealing credit card information or even entire identities.
“Much of today’s large scale threat is from botnets,” Savage says. “The attacker decides which machines to take over and, having taken over these machines, can control them centrally, and tell thousands, or in some cases millions, of machines what to do.”
Paxson adds: “The great ease of obtaining so many compromised machines turns them into a commodity business.”
In examining the problem of email spam, the scientists decided that the best approach to dealing with botnet spammers might be to target their economic soft spots. But first they needed to find out more about how the schemes actually work in practice, including how many people respond to them. To do that, they launched a series of ‘measurement’ studies.
“We know the bad guys pump out spam in huge numbers,” Paxson says. “People, to some degree, must reply to these spams and presumably look over a bunch of products and buy them, using credit cards. The money actually changes hands, and the product changes hands. We wanted to know: How effective is spam advertising? How much spam must people send out to get people to look at their website? Sending out spam might be cheap, but it’s not completely free. It’s clear that spammers send out zillions of emails, so are they the new drug lords who have billions of dollars rolling in? Or are they losers who just get by on that plus their welfare checks? What is their revenue?”
So the researchers went undercover. Using their own computers, they infiltrated the “Storm” botnet, which emerged in early 2007, took over hundreds of thousands of computers and sent spam ads. The researchers then created an exact replica of one of Storm’s sales sites and devised a way to divert about 1 percent of the botnet’s traffic to their fake site.
“There was a funny thing about the way this botnet was set up,” Savage says. “One of the innovations they came up with was to have layers of communication, rather than have all the bots talk to one central manager. They had middle management. We infiltrated that middle tier. That allowed us to see all the commands trying to be sent, and all those sent back. We were undercover in the middle tier listening to conversation between the bottom and the top—really only 1 percent, but it gave us an idea of how it worked.”
At their bogus site, they could see how many consumers visited and ultimately ordered products. “We replicated this to the point of checkout, and then an error message would appear,” Savage says. “As it turns out, their business model was no different from an online catalog.”
The scientists found that the spammers had to send 12 million emails to get one person to buy. And yet it was worth it. “There is a cost to send these things out, but it is low,” Savage says. “What was daunting was that the return was so small, and yet it was still profitable.”
Their work, published in 2008 in the ACM Conference on Computer and Communications Security, is the first of several studies trying to examine the botnet economic pipeline and all its nuances in order to figure out the best place to disrupt the process.
“You can come up with very, very precise filters that will allow you to block spam before you get it, but that still has you playing ‘whack-a-mole,’ always responding to the latest particular threat,” Savage says. “Our current focus is on trying to understand the right place to intervene. Blocking spam, in fact, appears likely to be cost-ineffective. Spammers can still make lots of money even though very few of their messages get through.”
Another study, published last year in the USENIX Security Symposium, explored how spammers deal with “CAPTCHAs,” those distorted word texts that people must reproduce in order to gain entry to a particular site. CAPTCHAs are designed to separate humans from automation that uses computer algorithms.
“The solution has been to outsource the CAPTCHA solving in real time to third world labor,” Savage says. “We found all these underground sites that sell CAPTCHA-solving as a service. The spammers farm it out to third world laborers who will work for a few dollars a day typing in the answers. Most are operating out of China. There are all kinds of security interventions where we make an assumption about how hard things are for a computer, but, if it is simple, you can outsource it. You can apply massive amounts of human labor to the problem, and it can be cost effective.”
In the end, the most effective attack against massive spamming ultimately may come down to hitting them where it will hurt the most: in the profit margin. “We are interested in the economic factors,” Savage says. “The spammers all play on each other’s resources and capabilities. It’s a fairly evolved economic system. Much of our work is trying to uncover where the economic bottlenecks are and where they are not.”