As one of the only peer-reviewed academic conferences focusing on electronic crime, the APWG eCrime 2018 symposium covered a range of topics. These included emerging threats such as cryptocurrency phishing and theft, ransomware, and the use of blockchain technology by cyber criminals. Other sessions discussed the current state of previously introduced defensive measures, including strong authentication mechanisms (evolving password-less sign-on techniques) and their adoption, as well as the use and impact of SPF, DKIM and DMARC standards.
Presentations and papers related to the state of the anti-phishing ecosystem were of particular interest to security providers. Some examples were the growing use of machine learning technologies in cybercrime, IDN Domain Name masquerading, and the challenges posed by an increase in adoption of encryption, including for phishing sites. The symposium also featured case studies of international law enforcement takedowns of shopping scams, fake online stores, stores selling counterfeit goods, and the Iranian Mabna group’s theft of intellectual property using credential phishing.
The effect of GDPR on data sharing and the many consequences to researchers was discussed in multiple contexts. Access to WHOIS data, which is used by the security and anti-phishing industries, may be severely constrained by the new law. Strategies to find a balance between protecting user privacy and mitigating security risk are being actively discussed by ICANN and other bodies. APWG, as well as Forcepoint, will continue to follow these discussions closely in the coming weeks and months.
Forcepoint Security Labs researchers submitted and delivered two presentations to the conference attendees.
A layered approach to defending against list-linking email bombs
Cristina Houle and Ruchika Pandey talked about the re-emerging problem of subscription-based email bombs in their research paper, “A Layered Approach to Defending Against List-Linking Email Bombs.”
The work was sparked by a case study involving a high-volume targeted attack and yielded User and Entity Behavioral Analytics (UEBA) based solutions. The research demonstrated how understanding the routine interactions of people with data helps detect anomalies and mitigate risk. The presentation led to some good discussions with peers in the security field and members of industry associations, as well as international law enforcement professionals.
Their paper is available from the APWG eCrime Research Papers library.
Using simplistic tagging of automatic attack chain analysis to verify statistically identified botnets
In their presentation, Mark Haffenden and Ran Mosessco described their work on bot and compromised infrastructure used by malicious email campaigns. Their talk, “Using Simplistic Tagging of Automatic Attack Chain Analysis to Verify Statistically Identified Botnets,” touched on how clustering based on features including email sender IPs could be used to group campaigns and identify larger patterns. One of the key facts that stood out for the audience was that compromised hosts are reused with an average lifespan of 9.1 days, with some outliers persisting for over 250 days.