Periodic Reporting for period 2 - iCrime (Interdisciplinary Cybercrime Project)
Reporting period: 2023-01-01 to 2024-06-30
The research staff and doctoral students engaged in this interdisciplinary project integrate skills and tools from criminology and computer science. From computer science we leverage: machine learning and natural language processing (NLP) to classify massive datasets; tools to automate the detection of, and measure change in, criminal infrastructure; and technical knowledge about complex cybercrimes and how to prevent them. Criminology provides frameworks for theorising about offenders’ involvement in crime, and how crimes may be prevented, as well as methodologies to evaluate the effects of interventions designed to disrupt crime.
For the second component, cybercrime types, we analyse how cybercrime changes in response to externalities, as well as new and emerging aspects of cybercrime. We analyse web defacement and DDoS attacks before and after the Russian invasion of Ukraine. We found the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable shifts in the geographical distribution of both attack types. We have also investigated the evolution of investment scam lures and scam-related keywords at scale longitudinally (over 13 years) and across multiple platforms. We used NLP approaches to classify threads into four categories: overt scams, potential scams, scam comments and not investment scam related. During the COVID-19 pandemic, we find that scam invitations increased, as did the types of strategies used to lure victims.
The third component uses place as the unit of analysis. We have researched the use of argot, or slang, within cybercrime communities. We apply signalling theory to explore how argot (slang and jargon) is used to signal trust in untrustworthy environments. Our findings indicate forum users are using argot to overcome the cold start problem, a conundrum faced by new entrants to markets with feedback systems. We also analyse music shared on underground forums. While we find little evidence of the glamorisation of cybercrime, lyrics often depict a ‘gangster’ lifestyle, including the promotion of violence.
In the fourth component, cybercrime responses, we evaluate the effects of cybercrime responses. We measured the impact of the community-led disruption of a hate and harassment forum. This intervention resulted in the forum becoming unavailable for some time, although it has since re-emerged. The campaign raises issues about how the industry deals with coordinated abuse. We have also evaluated the anti-stalking features of tracking devices using a naturalistic quasi-experimental gamified design. We find that most users are not aware of anti-stalking features, and even when users were aware of them and would benefit from their use, if not enabled by default they were rarely used.
In Component 1: Cybercrime offenders, the research challenges prevailing notions of cybercriminal sophistication and highlights how this misrepresentation distorts criminological analysis. Additionally, we provide crucial evidence in the debate around the role of autism in cybercrime offending. In our ongoing work, we aim to understand not only why people commit cybercrime, but also why people do not pursue this potentially lucrative opportunity.
Component 2: Cybercrime types introduces innovative research methodologies in analysing the evolution of investment scam tactics longitudinally and across platforms. The use of NLP approaches to classify scam-related threads and the identification of shifting scam tactics over time, including the influence of the COVID-19 pandemic, represent advancements in understanding cybercrime trends and strategies.
Component 3: We explore new territory by examining the role of online spaces as facilitators of cybercriminal activities. We developed an argot detection tool and deepened our understanding of trust dynamics within cybercrime communities. We currently have work in progress to understand how third-party modded app markets are being used maliciously, such as enabling premium features without payment, distributing malware and keyloggers, or changing advertiser ID to siphon advertising revenue.
In Component 4: Cybercrime responses, the evaluation of anti-stalking features in tracking devices provides not only methodological developments (through our unique research design), but also actionable findings that have been adopted by industry. We have ongoing work with law enforcement in relation to the provision of denial of service attacks for a fee.