Tracking Covid Cybercrime and Abuse

Lead Research Organisation: University of Cambridge
Department Name: Computer Science and Technology

Abstract

Around half of all acquisitive crime was already online before the start of the pandemic; it is now surging as many human activities move online chaotically, and cybercriminals adapt to the opportunities. This project will collect data at scale about online criminality, quickly enough to fetch malicious material before it is removed. We will not work alone but will promptly provide datasets to other researchers, and collaborate to create better analysis tools, analyse offender behaviour, and monitor the effectiveness of police and industry response. Our Cambridge Cybercrime Centre already collects data from underground forums, spam feeds, and industry partners, but we will ensure that pandemic-related cybercrime is prioritised and new datasets collected about online abuse and extremist views, such as anti-vaxxers. To scale up our work, we need to maintain and expand our network of honeypots and other sensors; extend our server cluster; scrape dozens more underground forums; and extend our collection of chat channels and illicit marketplaces - which are often found on Tor hidden services. We have an established ethical framework for data collection and a straightforward legal framework for data sharing, but a current bottleneck is that non-technical users can be swamped by what we provide, so we need to develop NLP tools to enable easier analysis of the data by researchers from other disciplines. We will also do our own analysis, for research to identify opportunities for law enforcement action, and to measure the effectiveness of responses by law enforcement and industry.
 
Description There was a sharp spike of cybercrime associated with the lockdown in March 2020, which we've been collecting and curating for other researchers, and also studying ourselves. There were complex effects on fraud, on digital drug markets, on distributed denial-of-service attacks, on employment in activities supporting cybercrime, and elsewhere. We have expanded our existing forum/chat channel collection to include extremist forums, whilst continuing to collect ever more cybercrime material. We have produced a series of weekly briefing papers that illustrate the type of detailed analysis that these datasets make possible. We have illustrated how it is possible to determine how topics of conversation, and patterns of criminal activity changed during the first lockdown period in the Spring of 2020. In 2021, we started also collecting data on extremism, and in addition to our CrimeBB database on cybercrime which has almost 100m messages scraped from cybercrime forums, we now also offer ExtremeBB with over 50m messages to extremism forums. This enables our analytic techniques to be extended from acquisitive crime to violent online political extremism and gender-related violence, which have grown significantly during the pandemic and its associated lockdowns in multiple countries. The correlation between the CrimeBB and ExtremeBB datasets has shed light on the links between misogyny and violent extremism, resulting in our work becoming known to, and useful for, feminist scholars of violence. We have also been able to measure the involvement of online crime gangs in the cyber-conflict on the fringes of the Russia-Ukraine war. Yet another achievement was measuring the effects of online censorship of Kiwi Farms (a misogynistic online forum) by the tech industry in 2022, which has direct relevance for the debate over the Online Safety Bill.
Exploitation Route As we have collected and curated a lot of data, our perhaps superficial initial analyses can be repeated and complemented by the work of others. Data from the Cambridge Cybercrime Centre are now licensed by 198 researchers from 65 research groups in 17 countries worldwide. Some of our work has contributed to police strategy in that Prof Lawrence Sherman, one of our advisory council, became CSA at the Metropolitan Police, which has since started to feed data on men suspected of violence against women and girls to Counterterrorism Command.
Sectors Communities and Social Services/Policy,Creative Economy,Digital/Communication/Information Technologies (including Software),Education,Financial Services, and Management Consultancy,Government, Democracy and Justice,Security and Diplomacy

URL https://www.cambridgecybercrime.uk/COVID/
 
Description We provide weekly briefings to the FBI on IoT malware that is frequently used in DDoS attacks, and we also help measure the effects of law-enforcement interventions. For example, we measured the effect of an NCA campaign to use Google ads to alert anyone in the UK who searched for booter services to the fact that using such services is an offence under the Computer Misuse Act. It turned out that while booter use continued to grow in the USA, growth ceased in the UK. The NCA were delighted with this work as it enabled them to justify this use of funds to the Treasury. The use of targeted ads for behavioural change around cybercrime and indeed crime generally has since expanded significantly; we have also been analysing and writing about that. We have measured the effects of industry attempts to censor the online forum Kiwi Farms, which has direct implications for policy. We have also accumulated evidence about the correlation between misogyny and violent online extremism, following which data about men suspected of violence against women and girls has been shared with Counterterrorism Command who find it useful in identifying the most dangerous suspects.
First Year Of Impact 2020
Sector Communities and Social Services/Policy,Education,Financial Services, and Management Consultancy,Government, Democracy and Justice,Security and Diplomacy
Impact Types Societal,Policy & public services

 
Title CrimeBB 
Description CrimeBB is a database of postings to underground cybercrime forums. It is the most widely used of all the resources collected and curated by our team. Starting in 2016, we scraped the contents of hackforums, where people bought and sold malware and other crime tools and services. We can't list it under "databases" as it's not "published" and doesn't have a DOI. For ethical and data-protection reasons it's available only under license. 
Type Of Material Improvements to research infrastructure 
Year Produced 2016 
Provided To Others? Yes  
Impact We set out at the Cambridge Cybercrime Centre to turn cybercrime research into a science. Previously, researchers collected their own data and couldn't share it, so their findings could not easily be replicated or built on. We set out to change that by collecting and curating data at scale. Of all our collections, CrimeBB has turned out to be by far the most popular. We have other collections too; for example, ExtremeBB is a more recent project, which collects postings to extremist forums. As of February 2022, our data are licensed by 198 researchers at 65 research groups in 17 countries. 
URL https://www.cambridgecybercrime.uk/process.html
 
Description Collaboration with Threatstop 
Organisation Threatstop Inc
Country United States 
Sector Private 
PI Contribution We're analysing a lot of DDoS data collected by Threatstop.
Collaborator Contribution Threatstop gave us US$75k for work on distributed denial of service attacks. We used the money to hire Daniel Thomas for one year.
Impact We're going to help them help their customers deal with DDoS attacks better, and in the process understand them better ourselves
Start Year 2015
 
Description Collaboration with Yahoo 
Organisation Yahoo!
Country United States 
Sector Private 
PI Contribution On the identification and counting of phishing attacks.
Collaborator Contribution Supplying us under NDA a copy of their spam feed, and giving Richard Clayton access to their systems as an intern to run analytics
Impact Improved detection of spam and phishing by 20%.
Start Year 2010
 
Description Utrecht university 
Organisation Utrecht University
Country Netherlands 
Sector Academic/University 
PI Contribution Sophie van der Zee and I worked with Ronald Poppe of Utrecht on the deception detection experiments. Ronald is a signal-processing guy.
Collaborator Contribution Supporting the signal-processing software to analyse the experiments done with motion-capture suits, depth cameras and radar, and also conducting a number of the experiments on their premises.
Impact Jointly authored papers, already entered
Start Year 2014