New York University researchers at the Anti-Phishing Working Group’s (APWG) cybercrime research conference, in San Diego California, demonstrated their method for exposing bank accounts used to clear payments for purchase of counterfeit goods on the Internet, and brought home the conference award for best electronic crime research paper.
The paper, “Bullet-Proof Payment Processing,” describes how the research team deployed secret shoppers to purchase counterfeit goods online and trace the venues that mediated the payments for their purchases to locate the merchant accounts that cleared the stealth customer’s payments.
The authors, Dr. Damon McCoy and Hongwei Tian of New York University’s Tandon School of Engineering and D. Sean West and Stephen M. Gaffigan of SMGPA found that their research program wasn’t as simple as shooting tracers in the cloud, as the corrupt merchants quickly responded with evasive action.
“Anything you try – they adapt to – and try to stay in business,” said Dr. McCoy on the floor of the 13th annual APWG Symposium on Electronic Crime Research last Thursday after receiving the award on behalf of his team.
“We found these third parties who we know are serving counterfeit goods merchants, with expertise in setting up shell companies and merchant accounts at banks. These facilitators and payment processors know that people like us are trying to detect and close down those merchant accounts and want to detect and block our test purchasers,” McCoy said.
McCoy said disrupting the payment mechanisms is singularly efficient because of the degree of resources that have to be expended in their replacement, including fake companies and bank accounts that require extensive cost and process to restore. Replacing a website or suspended domain name is relatively trivial in comparison, McCoy observed.
Honorable mention was also awarded to Pranshu Bajpai, Michigan State University, Aditya K Sood, SecNiche Security, and Richard Enbody, Michigan State University for their paper “A Key-Management-Based Taxonomy for Ransomware.”
These researchers’ work are exemplars of the kind of applied research that has been proceeding from the symposium since its inception in 2006 at the APWG’s annual conference in Orlando, Florida, which focused initially on the technologies of cybercrime and defenses against it.
APWG eCrime is one of the only peer-reviewed academic conferences to focus on research of electronic crime as its own discipline. The competition was fierce from researchers from industry and academia, with accepted papers from Michigan State University, University of Washington at Bothell, Arizona State University, Nile University, University of Ottawa, Forcepoint, Cisco Umbrella Research, New York University / SMPGA, University of Oxford, Universidat Nacional del Sur, IBM, PayPal, PhishMe, SecNiche, and Data Metrics.
Since 2006, the scope of the topical spaces formally cited on the symposium’s call for papers (CFP) has expanded incrementally while maintaining the insistence on relevance to the principal focus on cybercrime. This year, the CFP added to the subjects of interest at the conference: user psychology, crypto currencies and public policy dimensions of cybercrime research.
APWG Secretary General Peter Cassidy, founder of the conference, said, “As an applied research conference for academia and industry, we pursue expansion of scope only to the extent that the topics are representative of the experience in the field. The next extension of our CFP will likely include artificial intelligence and machine learning technologies.”
The Symposium on Electronic Crime Research was conceived as a comprehensive venue to present state-of-the-art basic and applied research into electronic crime, engaging every aspect of its development as well as technologies and techniques for electronic crime detection, related forensics and prevention.
The symposium brings together the most heterogeneous community of counter-cybercrime stakeholders to confer over the latest research, to foster collaborations, to provide a convenient venue for funding agencies to connect with leading principal investigators in the field – and to introduce leading minds to member companies of the APWG who may employ them.
About the APWG
The APWG, founded in 2003 as the Anti-Phishing Working Group, is the global industry, law enforcement, and government coalition focused on unifying the global response to electronic crime. Membership is open to qualified financial institutions, online retailers, ISPs and Telcos, the law enforcement community, solutions providers, multi-lateral treaty organizations, research centers, trade associations and government agencies. There are more than 2,200 companies, government agencies and NGOs participating in the APWG worldwide. The APWG’s <www.apwg.org> and <education.apwg.org> websites offer the public, industry and government agencies practical information about phishing and electronically mediated fraud as well as pointers to pragmatic technical solutions that provide immediate protection.
The APWG is co-founder and co-manager of the Stop. Think. Connect. Messaging Convention, the global online safety public awareness collaborative <https://education.apwg.org/safety-messaging-convention/> and founder/curator of the eCrime Researchers Summit, the world’s only peer-reviewed conference dedicated specifically to electronic crime studies <www.ecrimeresearch.org>. APWG advises hemispheric and global trade groups and multilateral treaty organizations such as the European Commission, the G8 High Technology Crime Subgroup, Council of Europe’s Convention on Cybercrime, United Nations Office of Drugs and Crime, Organization for Security and Cooperation in Europe, Europol EC3 and the Organization of American States. APWG is a member of the steering group of the Commonwealth Cybercrime Initiative at the Commonwealth of Nations.
Among APWG’s corporate sponsors include
AhnLab, Area 1, AT&T (T), Afilias Ltd., Avast!, AVG Technologies, Axur, Baidu Antivirus, BANDURA Systems, Bangkok Bank, BBN Technologies, Barracuda Networks, BillMeLater, Bkav, Blue Coat, BrandMail, BrandProtect, Bsecure Technologies, CSC Digital Brand Services, Check Point Software Technologies, Claro, Cloudmark, Comcast, CrowdStrike, CSIRTBANELCO, Cyber Defender, CYREN, Cyveillance, DNS Belgium, DigiCert, Domain Tools, Donuts, Duo Security, Easy Solutions, PayPal, eCert, EC Cert, ESET, EST Soft, Facebook, FeelSafe Digital, FEBRABAN, Fortinet, FraudWatch International, F-Secure, GetResponse, GlobalSign, GoDaddy, Google, Hauri, Hitachi Systems, Ltd., Huawei, ICANN, Identity Guard, Infoblox, IronPort (Cisco), Infoblox, Intel (INTC), Interac, IT Matrix, iThreat Cyber Group, iZOOlogic, KnowBe4, LaCaixa, Lenos Software, LookingGlass, MX Tools, MailChannels, MailJet, MailChimp, MailShell, MailUp, MarkMonitor (TRI), Melbourne IT, MessageLevel, Microsoft (MSFT), MicroWorld, Mimecast, Mirapoint, NHN, NZRS, MyPW, nProtect Online Security, Netcraft, Network Solutions, NeuStar, Nominet, Nominum, NZRS Limited, Public Interest Registry, Panda Software, Phishlabs, PhishMe, Planty.net, Prevalent, Prevx, Proofpoint, Psafe, RSA Security (EMC), Rakuten, RedMarlin, Return Path, RiskIQ, RuleSpace, SalesForce, SecureBrain, SendGrid, S21sec, SIDN, SilverPop, SiteLock, SnoopWall, SoftForum, SoftLayer, SoftSecurity, SOPHOS, SunTrust, SurfControl, Symantec (SYMC), TDS Telecom, Telefonica (TEF), ThreatSTOP, TransCreditBank, Trend Micro (TMIC), Trustwave, UITSEC, Vasco (VDSI), VADE-RETRO, VeriSign (VRSN), Wombat Security Technologies, ZIX, and zvelo.