Know Your Cybercriminal: Evaluating Attacker Preferences by Measuring Profile Sales on an Active, Leading Criminal Market for User Impersonation at Scale
share
In this paper we exploit market features proper of a leading Russian cybercrime market for user impersonation at scale to evaluate attacker preferences when purchasing stolen user profiles, and the overall economic activity of the market. We run our data collection over a period of 161 days and collect data on a sample of 1'193 sold user profiles out of 11'357 advertised products in that period and their characteristics. We estimate a market trade volume of up to approximately 700 profiles per day, corresponding to estimated daily sales of up to 4'000 USD and an overall market revenue within the observation period between 540k and 715k USD. We find profile provision to be rather stable over time and mainly focused on European profiles, whereas actual profile acquisition varies significantly depending on other profile characteristics. Attackers' interests focus disproportionally on profiles of certain types, including those originating in North America and featuring crypto resources. We model and evaluate the relative importance of different profile characteristics in the final decision of an attacker to purchase a profile, and discuss implications for defenses and risk evaluation.
READ FULL TEXT
