I need 500 words and will post reference information reading material.What is new or different
about cybercrime? How might the growth of cybercrimes shape the ways in
which the Internet continues to grow in the future? How does public
discourse represent the problem of cybercrime? Is cybercrime inevitable
in a connected and globalized world? Is their evidence that cybercrime involves
organized crime groups, or is it an individual criminal act performed by a lone
person or a group of hackers?Broadhurst, R., Grabosky,
P., Alazab, M., & Chon, S. (2014). Organizations and cyber crime: An
analysis of the nature of groups engaged in cyber crime.International Journal of Cyber
Criminology, 8(1), 1-20.
Retrieved from https://search-proquest-com.ezproxy2.apus.edu/docv…Griffy-Brown, C.,
Lazarikos, D., & Chun, M. (2017). Cybercrime business models: Developing an
approach for effective security against better organized criminals. The Journal of Applied
Business and Economics, 19(8), 22-34. Retrieved from
https://search-proquest-com.ezproxy2.apus.edu/docv…Leukfeldt, E.,
Kleemans, E., & Stol, W. (2017). A typology of cybercriminal networks: from
low-tech all-rounders to high-tech specialists. Crime, Law & Social Change, 67(1), 21–37.
https://doi-org.ezproxy1.apus.edu/10.1007/s10611-0…
cyber_criminal_networks.pdf
cybercrime_business_models_de_week1.pdf
organizations_and_cyber_crime__week_1.pdf
Unformatted Attachment Preview
Crime Law Soc Change (2017) 67:21–37
DOI 10.1007/s10611-016-9662-2
A typology of cybercriminal networks: from low-tech
all-rounders to high-tech specialists
E. Rutger Leukfeldt 1,2 & Edward R. Kleemans 3 &
Wouter P. Stol 2
Published online: 22 November 2016
# Springer Science+Business Media Dordrecht 2016
Abstract Case studies show that there are at least two types of groups involved in
phishing: low-tech all-rounders and high-tech specialists. However, empirical criminological research into cybercriminal networks is scarce. This article presents a taxonomy
of cybercriminal phishing networks, based on analysis of 18 Dutch police investigations into phishing and banking malware networks. There appears to be greater variety
than shown by previous studies. The analyzed networks cannot easily be divided into
two sharply defined categories. However, characteristics such as technology use and
offender-victim interaction can be used to construct a typology with four overlapping
categories: from low-tech attacks with a high degree of direct offender-victim interaction to high-tech attacks without such interaction. Furthermore, clear differences can be
distinguished between networks carrying out low-tech attacks and high-tech attacks.
Low-tech networks, for example, make no victims in other countries and core members
and facilitators generally operate from the same country. High-tech networks, on the
contrary, have more international components. Finally, networks with specialists focusing on one type of crime are present in both low-tech and high-tech networks. These
specialist networks have more often a local than an international focus.
Keywords Cybercrime . Phishing . Malware . Criminal networks . Theory . Organized
crime
* E. Rutger Leukfeldt
[email protected]
1
Netherlands Institute for the Study of Crime and Law Enforcement (NSCR), De Boelelaan 1077a,
1081 HV, Amsterdam, The Netherlands
2
Open University of the Netherlands, Valkenburgerweg 177, 6401 DL, Heerlen, The Netherlands
3
VU University Amsterdam, De Boelelaan 1105, 1081 HV, Amsterdam, The Netherlands
22
Leukfeldt E.R. et al.
Introduction
‘Warning! The security of your online bank account needs to be updated. Update today
or your account will be blocked. Click here to go to our secure website directly.’
Criminals use these kinds of e-mail messages to lure bank customers to phishing
websites with only one goal: obtaining user credentials to clear out their bank accounts.
This article is a follow-up to the work of Soudijn and Zegers [20] and Leukfeldt
[15]. These studies described phishing networks, based on police files, and showed that
phishing networks can have totally different characteristics. The ‘crime script’ of the
two different networks was quite similar: the formation of a criminal core group,
contacting other capable criminal enablers, capturing login details from victims and
transferring funds to money mule accounts. However, the origin, growth, and criminal
opportunities of these networks – and thus the possibilities for crime prevention – were
completely different. In the first group [20], technology played a major role: e.g. malware
was used to steal user data, a forum functioned as offender convergence setting to meet
new criminals, contacts between offenders were primarily online, and spam e-mails were
used to recruit money mules. In the other case [15], social ties played an important role:
e.g. e-mails and telephone calls were used to steal user data, other criminals were recruited
through social contacts, and encounters took place on the streets of large cities.
These two case studies confirm what a priori one might expect: that cybercriminal
groups are not all the same. However, empirical criminological research into
cybercriminal networks is scarce (see for an overview e.g. [5, 6, 22]). Only a few case
studies on a limited number of criminal groups exist. It is clear that more research into
cybercriminal groups is required to map the range of possible compositions. This article
takes a more comprehensive approach and analyzes all known phishing and banking
malware cases in the Netherlands in the period 2004–2014. This gives more insight into
the different types of criminal groups that are involved in these cybercrimes and may
help to develop effective crime prevention methods.
This article uses a social opportunity structure perspective to study cybercriminal
phishing and banking malware networks (see section 2 for a more detailed explanation).
It elaborates upon the criminal capabilities of networks (e.g. modus operandi and the use of
technology, secondary criminal activities, and international components) and the composition of networks (e.g. functions within networks). Section 3 describes data and research
methods. Subsequently, the results of the study are presented regarding criminal capabilities of networks (section 4) and composition of networks (section 5). Section 6 contains a
taxonomy of networks, whereas section 7 contains the main conclusions and discussion.
Social opportunity structure
The studies by Soudijn and Zegers [20] and Leukfeldt [15] show that there are at least
two types of groups involved in phishing. As Leukfeldt [15] pointed out, an explanation for these differences can be found in the concept of social opportunity structure.
Social opportunity structure plays a major role in organized crime networks. Social ties
and networks provide access to criminal opportunities and their nature further determines the opportunity structure, which facilitates different types of crime (e.g. [9, 18,
19]). Social relationships, however, are highly clustered and therefore always limited in
A typology of cybercriminal networks
23
certain ways (e.g. because of geographical or social barriers between countries, lack of
access to different ethnic groups, or barriers between illicit networks and the licit world
– see [7]: 179–180). In order to expand opportunities, it is necessary to establish
relationships with ‘outsiders’ (persons outside someone’s existing social network). Therefore, access to ‘offender convergence settings’ (cf. [3, 4]) and key figures that are able to
arrange these new contacts determine the growth and criminal opportunities of a given
network. Studies into traditional criminal networks showed that access to these important
brokers causes some offenders to remain local, whereas other offenders became international players (e.g. [9]). The local offenders commit all sorts of crimes in their own region,
but they have no contacts outside their region and have no expertise others depend on. A
condition for evolving into an international player is having contacts with brokers who
give access to new export markets, or who have capital or expertise.
The degree of access to key figures and (digital) offender convergence settings
provides an explanation for the differences between the cases described in Soudijn and
Zegers [20] and Leukfeldt [15]. In fact, a parallel of the distinction between local and
international offenders can be observed. The second group had no access to digital
offender convergence settings and was constrained to a local social cluster. Accomplices were recruited through local social contacts and were all living in the Netherlands. All the victims were Dutch too. They also committed all kinds of other crimes to
earn easy money. Conversely, the offenders of the first group met each other at a digital
forum. Specific criminal services could relatively easily be acquired through the forum:
victims were targeted, and accomplices were recruited in foreign countries. It also
seems that the criminals were specialized in phishing attacks, as no other criminal
activities were described in this case. Offenders were able to recruit new members in
other countries and attack victims in multiple countries.
The social opportunity structure perspective can be used to explain differences between
the nature and capabilities of cybercriminal groups described above. The two case studies
show that there are differences between the criminal capabilities of cybercriminal networks
and the composition of networks. In this article, we analyze 18 cybercriminal networks
and test if these differences hold or need to be nuanced. The data and variables used in this
article to gain insight into these elements will be described in the next section.
Data and methods
Eighteen Dutch criminal investigations were analyzed in order to gain insight into the
composition and the criminal capabilities of criminal networks. These police files
provide unique knowledge about cybercriminal networks and their members due to
the use of special investigative powers such as wiretaps (telephone and internet traffic),
observation, undercover policing, and house searches.
Cybercriminal networks: a demarcation
This study is part of the Research Program Safety and Security of Online Banking.
Therefore, this study only includes networks that carry out attacks on online banking.
Briefly, this means phishing attacks and malware attacks. In the literature, different
definitions of phishing are used (see, for example, Lastdrager [14] for an analysis of
24
Leukfeldt E.R. et al.
113 definitions). The common thread is: Phishing is the process aimed at retrieving
users’ personal information by criminals who, by using digital means such as e-mail,
pose as a trusted authority. User credentials can be intercepted in a more technical way,
namely by using malicious software such as Trojans or spyware. This kind of malware
could log keystrokes, screenshots, e-mail addresses, browsing habits, or personal
information such as credit card numbers.
Case selection
In our analysis, only completed criminal investigations are used. In these cases, the public
prosecutor has decided that enough evidence has been collected to prosecute the suspects
successfully. This, however, does not mean that there has already been a court decision.
There is no central registration system in the Netherlands that allows for a quick
overview of all criminal investigations into phishing networks. The selection of cases
was, therefore, done by using the snowball method. Starting points were cybercrime
and fraud teams on a national and (inter)regional level. Using existing contacts within
the Dutch police and the Dutch Police Academy, team leaders and senior investigators
of these teams were asked whether they knew any investigations into phishing networks. Subsequently, public prosecutors who deal with cybercrime and fraud cases
were asked the same question. Furthermore, an online database in which (a limited
number of) court documents are published, was used, and a media analysis was done to
find news reports about phishing cases. During the file study, people involved in the
criminal investigation were asked whether they knew any other phishing cases. In total,
eighteen criminal investigations into phishing networks were obtained. The investigations
ran between six months and three years and were carried out between 2004 and 2014.
Analytical framework
The criminal investigation files contained records of interrogations and information
obtained through special investigative powers (e.g. transcripts of phone taps, internet
traffic and other surveillance reports). Relevant information was systematically gathered from the investigation files using an analysis framework. The framework was
based on the analytical framework used in the Dutch Organized Crime Monitor. This is
a long-running research program on organized crime (see [9–13, 21]).
The analytical framework consists of a list of topics the researcher has to describe
(rather than a closed questionnaire). The topics and questions of the framework include
inter alia composition (hierarchy, fluid cooperation, important roles/functions, use of
enablers) and criminal capabilities (modus operandi, use of technology, secondary
criminal activities, working area of the network).
Interviews
The analyses of the criminal investigation were complemented by interviews with the
public prosecutor, the police team leader, and senior detectives (e.g. financial or digital
experts). The same analytical framework was used. The interviews were conducted
because the information in the police files is aimed at providing evidence of criminal
activity, meaning that other relevant information to this analysis is often lacking.
A typology of cybercriminal networks
25
Hierarchy and secondary criminal activities, for example, are not always described.
Respondents, however, were sometimes able to provide more insight into these topics.
Criminal opportunities
Modus operandi
All networks are engaged in attacks on online banking. The scripts of the crime networks
have many similarities in common. The first step is to intercept login credentials from
victims to gain access to their online bank accounts. However, that is not enough to
transfer money from the account of victims. In order to do this, so-called ‘one-time
transaction authentication codes’ are required. Obtaining these codes is, therefore, step 2.
With these transaction authentication codes, transactions can be done from victim accounts
to the accounts of money mules.1 Once the money has been transferred successfully, it is
cashed out and, via various links, given to core members. There are some networks
experimenting with other ways of cashing. These, for example, buy goods using the
account of victims or buy Bitcoins. However, all networks predominantly use bogus front
accounts to cash out the money.
Although the scripts of all criminal networks are roughly similar, there are some
important differences. These differences concern obtaining user credentials and transaction authentication codes. The extent of ICT-use and degree of contact between the
criminals and the victims differ. The high-tech capability of offenders makes it possible
to limit the direct contact with the victim, but there is variation within the networks
studied regarding the extent to which criminal attackers actually reduce contact with the
victim. At one end of the continuum, there are networks limiting the use of ICT to a
minimum and where victims issue codes to the criminals. These networks use e-mails
(and sometimes phishing sites) to get user credentials. Subsequently, victims are
phoned by criminals posing as bank employees in order to elicit necessary transaction
authentication codes. At the other side of the continuum, there are networks using
advanced malware that requires no direct contact with the victim. These networks, for
example, infect websites that have outdated security. Once someone visits this website,
his or her computer becomes infected with malware. This malware gives criminals
access to and control over the victim’s computer and enables the attacker to adjust or
change online banking sessions.
The differences between these two types of attacks relate to the extent of ICT use during
the attack, as well as the degree to which criminals have direct contact with the victims.
The crime scripts can, therefore, be divided into two main categories: low-tech attacks and
high-tech attacks. Moreover, each category of attacks can be subdivided by the degree of
interaction between offenders and victims (Fig. 1). As a result, 4 attack variants can be
identified: low-tech attacks with a high degree of direct interaction between attacker and
1
In cybercrime literature, the term ‘money mule’ is often used to describe these offenders (see Choo [2];
McCombie [17]; Aston et al. [1]; [15, 20]). In our opinion, ‘money mule’ is not entirely the right term as these
offenders are not used to physically move money from one place to another, but instead solely to disguise the
financial trail from victims’ bank accounts leading back to the core members (see Leukfeldt et al. [16] for a
more comprehensive description). As the term money mule is so widely used, we have chosen to use it in this
article.
26
Leukfeldt E.R. et al.
victim (10 cases), low-tech attacks with a low degree of direct interaction (5 cases), hightech attacks with a low degree of interaction (4 cases) and high-tech attacks without
interaction (1 case). Networks that are carrying out low-tech attacks sometimes use several
types of attacks (both with a low degree of contact and a high degree of contact). The total
number of type of attacks is, therefore, higher than the total number of networks. Below a
brief description will be given for each category.
Type 1: Low-tech attacks with a high degree of victim-attacker interaction
The 10 networks executing low-tech attacks with a high degree of interaction
between the criminals and victims all use phishing e-mails and websites. As a rule,
victims receive an e-mail appearing to be sent by their bank. The e-mail refers to the
security of online banking, and the victim is asked to take immediate action to ensure
that his or her account remains secure. Sometimes the victim has to reply to the e-mail
itself and sometimes via a link in the e-mail (which usually links to a ‘secure section of
the website of the bank’). In both cases, offenders obtain user credentials and other
relevant information. Subsequently, the victim is contacted by a member of the
criminal network by telephone. The caller poses as a bank employee. During the
telephone conversation, the caller refers to the phishing e-mail. Besides, the caller
is able to give the victim information only the bank is supposed to know. This
provides confidence that the victims are actually talking to a bank employee.
During the telephone call, victims are asked to give one-time security codes, ‘to
finalize the latest security updates’. Using these security codes, offenders are able
to transfer money from the victim’s bank account to money mule accounts.
Type 2: Low-tech attacks with a low degree of victim-attacker interaction
Seven networks also use phishing e-mails and websites to acquire user credentials
and other victim information. However, the crime script of these groups does not
require a telephone call. Just like in the first attack variant, victims receive a phishing
e-mail containing a link to a phishing site. This website has an additional entry field in
which a telephone number has to be entered. Once the victim logs on to this phishing
site, the criminals have access to the online bank account, and they consequently know
the victim’s telephone number. The criminals request a new SIM card in the name of
the victim. Once this has been approved by the telecom company, all communication to
High degree of
interaction
Low degree of
interaction
No interaction
Low tech 1
Low tech 2
High tech 1
Fig. 1 Degree of technology use and contact between offender and victim
High tech 2
A typology of cybercriminal networks
27
the phone number of the victim goes to the criminals. Transaction authentication codes
sent to the mobile phone of the user are now received by the criminals, and can be used
for transactions from the victim’s bank account.
Type 3: High-tech attacks with a low degree of victim-attacker interaction
Networks using malware do not need to have direct interaction with victims to
intercept user credentials and transaction authentication codes. The malware gives the
criminal network control over the user’s computer. As soon as this has been accomplished, transfers made by the victims can be manipulated. The most important part of
this attack is infecting computers of potential victims with malware. 4 networks use a
method installing malware when victims click on a link in an e-mail. Network 15, for
example, first hacks into several databases of companies to obtain e-mail addresses.
The group also hacks a hosting company to send large amounts of e-mail via the servers
of that company (in at least one case over 250,000 e-mails). The e-mail appears to
originate from a major utility c …
Purchase answer to see full
attachment
