What do Shepherds and Cybercriminals Have in Common?

Tracking down and prosecuting cybercriminals is one of the more daunting challenges facing law enforcement agencies today. Online anonymity, questions of jurisdiction and difficulty in gathering and preserving evidence are all significant impediments to the process. A group of Drexel computer scientists, using a bit of 19th century economic theory, have an idea about how to disrupt this criminal activity by helping the FBI throw up a few roadblocks of its own.

To gather their data, researchers in the Privacy, Security, Automation Lab sifted through logs from five different forums used by cybercriminals.
To gather their data, researchers in the Privacy, Security, Automation Lab sifted through logs from five different forums used by cybercriminals.

In political philosophy and economics the “Tragedy of the Commons” refers to a situation in which consumers are depleting a shared, limited resource. “The commons,” which originally referred to a parcel of shared grazing land, has since become a lens for sustainability analyses of everything from highways to fish hatcheries.

In Dr. Rachel Greenstadt’s Privacy, Security and Automation Lab the commons is about 4GB of documents – roughly five-to-seven years-worth of conversations between denizens of five online forums frequented by cybercriminals.

Armed with this mountain of transcripts Greenstadt, Sadia Afroz, Dr. Vaibhav Garg, and their collaborator from George Mason University, Dr. Damon McCoy are trying to figure out just how much cybercriminals are like shepherds – and, more importantly, if it’s possible to disrupt their activities by ruining their “pasture.”

“We’re looking at what makes cybercrime forums sustainable and making recommendations on how to make it unsustainable for criminals to keep operating in them,” said Afroz, a doctoral student in Greenstadt’s lab.

Presenting at the recent 2013 eCrime Researchers Summit in San Francisco, Afroz explained to her audience that trust is the limited resource that keeps cybercrime forums functioning.

“Working alone it would take cybercriminals a great deal of time and effort to collect their wares –such as credit card numbers, pirated software, botnets and blackhat SEO,” Afroz said. “By participating in a forum, it’s possible to quickly buy, sell and trade these goods and services. But the community only functions because of its system for ensuring that vendors and dealers can be trusted to deliver the products that they claim to be delivering.”

Each forum has its own established method for vetting its members. And the economy of this process is what makes the forums so valuable to cybercriminals.  Honor among cybercriminals is measured in much the same way sellers are rated on eBay –reviews and return customers. At least in some forums -others require users to pay for VIP access or membership to inner circles of vendors.

This hierarchy of trust is what the PSAL group is trying to understand and exploit. As part of a National Science Foundation grant, the group will be passing their findings along to the FBI to help guide its anti-cybercrime efforts.

Aside from the traditional method of attempting to track down and arrest the criminal, which can be quite costly, the team makes two recommendations for cybercrime deterrence in its paper “Honor Among Thieves: A Commons Analysis of Cybercrime Economics” – the first of two papers the group plans to publish as part of the NSF grant.


One suggestion is to erode trust in the forums to the point where it is no longer efficient for cybercriminals to operate in them. This could be achieved, according to Garg, by infiltrating the forums en masse to create “noise” in the channel –a large influx of untrusted members. This would slow the process of vetting users and conducting business.

A second idea is for enforcement agents to plant and promote the exchange of “bad” or “marked” products in the forum. As word spreads that these products aren’t actually what the sellers are claiming they are, users will stop going to the forums to do business because they can no longer be trusted.

The group contends that without regular participation by trusted users, the forums are no longer sustainable. While this method might not lead to arrests, the team believes that it could help slow the progression of cybercrime. The lab’s next goal is to examine the viability and effectiveness of implementing their recommendations by testing it against a behavioral model they will create using the forum logs.

Tagged with: