APWG’s eCrime 2021 Symposium Shows Cybercrime Evolving

Cybercrime is here, it is dynamic and it is not going anywhere. The Anti-Phishing Working Group (APWG) hosted its 16th annual Electronic Crime Research symposium, APWG eCrime 2021, in early December. Over the three-day event, 12 peer-reviewed papers on cybercrime and ecrime, from both academia and the cybersecurity sector, were presented and discussed.

The three tracks of the eCrime symposium were:

  • Behavioral aspects of the cybercrime experience
  • The DNS research session
  • Economic aspects of cybercrime

eCrime Best Paper: Twitter as Open Source Knowledge Base

The best paper award went to a team from the University of Texas for the paper “Evaluating the Effectiveness of Phishing Reports on Twitter” presented by Sayak Saha Roy, Unique Karanjit and Shirin Nilizadeh.

The paper’s intent was to “identify attacks through phishing reports shared by users on Twitter.” To accomplish this, the “team evaluated over 16,400 reports posted by 701 Twitter accounts between June and August 2021 which contained 11,100 unique URLs.”

Interestingly, the findings indicated that the posted tweets did provide “more information regarding phishing websites” when compared to PhishTank and OpenPhish. The team also noticed that, though accurate in detail, the tweets received very little interaction, including from “the domains and organizations targeted by the reported URL.”

The truly troubling aspect of the paper’s findings is that 31% of the URLs identified by individuals as phishing sites were still active a week after the site was reported and “27% of them remained undetected by anti-phishing tools.” The conclusion: the tweeted reports are not making their way into the mix, and there are “benefits of using them [Twitter posts] as an open source knowledge base.”

Best Student Paper: Social Engineering

The best student paper was awarded to Temple University student Rachel Bleiman who, with her supervisor Aunshul Rege, PhD., associate professor with the department of criminal justice at Temple, hosted a Collegiate Social Engineering Capture the Flag Competition. The competition, which was conducted virtually due to the COVID-19 pandemic, focused on the socio-psychological aspects of cybercrime and touched on the tried-and-true techniques of social engineering—open source intelligence (OSINT), phishing, vishing and direct target engagement.

The competition saw 25 participants who were given 38 OSINT items to collect with associated point values. They then crafted a “persuasive email” which was graded by the judges. Interestingly, non-technical teams took part in the competition. The presenters made available the social engineering call used by the first-place winner, Ragnhild (Bridget) Sageng. She made this call to a judge (link to call).

Best Student Paper: Mobile Number Recycling

A second paper shared the award for best student paper. This came from Princeton University student Kevin Lee. Lee’s paper, “Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States” was prepared with his supervisor, Dr. Arvind Narayanan, associate professor of computer science at Princeton.

The team looked at 259 recycled cell numbers and found that 171 were tied to existing accounts and thus could be used to hijack those accounts. Furthermore, the numbers provided a starting point from which personal identifying information could be acquired about the previous owners through searching aggregation sites for publicly available information. Finally, of the 259 recycled numbers, 100 of them were linked to login credentials which could lead to manipulation of SMS-based multifactor authentication or password change.

Takeaways for CISOs

APWG’s eCrime Summit provided insight into current research and served to reinforce the point that the eCrime we experienced previously is simply morphing and evolving. It is the same crime being conducted in a slightly different manner.

Furthermore, the onus is on entities to regularly conduct OSINT reviews on their brand. Even if their organization eschews social networks like Twitter, information which could indicate compromise is being shared by individuals and, as detailed by the University of Texas team, being missed.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
