Learning more about the underground economy: a case-study of keyloggers and dropzones

Authors:
Thorsten Holz;Markus Engelberth;Felix Freiling
Affiliations:
Laboratory for Dependable Distributed Systems, University of Mannheim, Germany and Secure Systems Lab, Vienna University of Technology, Austria;Laboratory for Dependable Distributed Systems, University of Mannheim, Germany;Laboratory for Dependable Distributed Systems, University of Mannheim, Germany
Venue:
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Year:
2009

Citing 14
Cited 16

Obfuscation of executable code to improve resistance to static disassembly

Proceedings of the 10th ACM conference on Computer and communications security
The battle against phishing: Dynamic Security Skins

SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
PHONEY: Mimicking User Response to Detect Phishing Attacks

WOWMOM '06 Proceedings of the 2006 International Symposium on on World of Wireless, Mobile and Multimedia Networks
Understanding the network-level behavior of spammers

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Toward Automated Dynamic Malware Analysis Using CWSandbox

IEEE Security and Privacy
Exploring Multiple Execution Paths for Malware Analysis

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Behavior-based spyware detection

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Bump in the ether: a framework for securing sensitive user input

ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Panorama: capturing system-wide information flow for malware detection and analysis

Proceedings of the 14th ACM conference on Computer and communications security
An inquiry into the nature and causes of the wealth of internet miscreants

Proceedings of the 14th ACM conference on Computer and communications security
Spamscatter: characterizing internet scam hosting infrastructure

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Binary obfuscation using signals

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Spamalytics: an empirical analysis of spam marketing conversion

Proceedings of the 15th ACM conference on Computer and communications security
All your iFRAMEs point to Us

SS'08 Proceedings of the 17th conference on Security symposium

AccessMiner: using system-centric models for malware protection

Proceedings of the 17th ACM conference on Computer and communications security
Infringo ergo sum: when will software engineering support infringements?

Proceedings of the FSE/SDP workshop on Future of software engineering research
Covertly probing underground economy marketplaces

DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
BotSwindler: tamper resistant injection of believable decoys in VM-based hosts for crimeware detection

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
An analysis of rogue AV campaigns

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Evaluation of a spyware detection system using thin client computing

ICISC'10 Proceedings of the 13th international conference on Information security and cryptology
Security games with market insurance

GameSec'11 Proceedings of the Second international conference on Decision and Game Theory for Security
Learning from early attempts to measure information security performance

CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
NoisyKey: tolerating keyloggers via keystrokes hiding

HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
Botnets: A survey

Computer Networks: The International Journal of Computer and Telecommunications Networking
Genetic-based real-time fast-flux service networks detection

Computer Networks: The International Journal of Computer and Telecommunications Networking
AdRob: examining the landscape and impact of android application plagiarism

Proceeding of the 11th annual international conference on Mobile systems, applications, and services
An empirical analysis of malicious internet banking software behavior

Proceedings of the 28th Annual ACM Symposium on Applied Computing
SMARTPROXY: secure smartphone-assisted login on compromised machines

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Survey and taxonomy of botnet research through life-cycle

ACM Computing Surveys (CSUR)
Explicit authentication response considered harmful

Proceedings of the 2013 workshop on New security paradigms workshop

Quantified Score

Hi-index	0.00

Visualization

Abstract

We study an active underground economy that trades stolen digital credentials. In particular, we investigate keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present an empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. We found more than 33 GB of keylogger data, containing stolen information from more than 173,000 victims. Analyzing this data set helps us better understand the attacker's motivation and the nature and size of these emerging underground marketplaces.