DOCSLIB.ORG

City Research Online

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
City Research Online City Research Online City, University of London Institutional Repository Citation: Acarali, D., Rajarajan, M., Komninos, N. and Herwono, I. (2016). Survey of Approaches and Features for the Identification of HTTP-Based Botnet Traffic. Journal of Network and Computer Applications, doi: 10.1016/j.jnca.2016.10.007 This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: https://openaccess.city.ac.uk/id/eprint/15580/ Link to published version: http://dx.doi.org/10.1016/j.jnca.2016.10.007 Copyright: City Research Online aims to make research outputs of City, University of London available to a wider audience. Copyright and Moral Rights remain with the author(s) and/or copyright holders. URLs from City Research Online may be freely distributed and linked to. Reuse: Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. City Research Online: http://openaccess.city.ac.uk/ [email protected] Journal Logo 00 (2016) 1{19 Survey of Approaches and Features for the Identification of HTTP-Based Botnet Traffic Dilara Acaralia, Muttukrishnan Rajarajana, Nikos Komninosa, Ian Herwonob aSchool of Engineering and Mathematical Science, City University London, London, United Kingdom. bSecurity Futures Practice, Research & Innovation, British Telecom, Ipswich IP5 3RE, United Kingdom. Abstract Botnet use is on the rise, with a growing number of botmasters now switching to the HTTP-based C&C infrastructure. This offers them more stealth by allowing them to blend in with benign web traffic. Several works have been carried out aimed at characterising or detecting HTTP-based bots, many of which use network communication features as identifiers of botnet behaviour. In this paper, we present a survey of these approaches and the network features they use in order to highlight how botnet traffic is currently differentiated from normal traffic. We classify papers by traffic types, and provide a breakdown of features by protocol. In doing so, we hope to highlight the relationships between features at the application, transport and network layers. c 2016 Published by Elsevier Ltd. Keywords: Bot, botnet traffic, network analysis, feature analysis, network-based detection 1. Introduction a server. In contrast, both IRC and HTTP-based botnets operate with a centralised architecture, where bots are re- The digital age has brought many benefits to society, quired to connect to a command and control (C&C) server with the Internet acting as an enabler for growth and de- in order to upload data or receive commands. For this velopment across practically all sectors of business and in- study, we have chosen to focus on HTTP-based botnets. dustry. Unsurprisingly, it has also become an attractive The wide-spread use of web-based services has pushed the and fertile environment for criminal activity. Malware pro- adoption of HTTP as an advantageous communication grams, which may take many forms, are now frequently protocol thanks to the fact that it is usually permitted used for financial theft, identity theft, espionage, and dis- by firewalls, and it allows bot traffic to blend in with vast ruption of services. A particularly troublesome type of volumes of benign activity. The benefits of using HTTP malware is a bot, an exploited system which acts as a re- rather than IRC are demonstrated and discussed by Farina mote tool for an attacker to control and use the resources et al. (2016) and Gu et al. (2008). Additionally, McAfee of a target system. Typically, the attacker (called the bot- (2015) listed at least 5 HTTP-based botnets as top spam- master) will do the same for multiple systems and then use mers in their 2014 Q4 Threat Report. This was also echoed them collectively, in what is known as a botnet, to launch by Symantec (2014), where HTTP-based botnets made up attack campaigns. over half of their 2014 top 10 spamming botnets. Botnet classification is based on the type of communica- The difficulty of detecting botnet traffic (especially for tion protocol used. The main classes currently defined by HTTP-based botnets) amongst web activity is a current the research community are P2P-based, IRC-based, and research challenge. Rostami et al. (2014) compared clean HTTP-based. P2P-based botnets use a decentralised ar- network traces to those collected from HTTP-based bot- chitecture, in which each node can act as both a client and nets. They focused on HTTP data in client-side PCAP files to highlight differences in clean and malicious traffic at Email addresses: [email protected] (Dilara the application layer. However, they do not consider how Acarali), [email protected] (Muttukrishnan Rajarajan), [email protected] (Nikos Komninos), this traffic may manifest at other layers, nor how it may [email protected] (Ian Herwono) be measured. Both Haddadi & Zincir-Heywood (2014) and 1 D. Acarali et al / 00 (2016) 1{19 2 Beigi et al. (2014) study the effectiveness of flow-based fea- 2. Behaviour of HTTP-Based Botnets tures in combination with machine learning techniques for botnet detection. The former analyses the use of flow ex- In order to interpret the traffic generated by bots, we porters (used to extract and aggregate flows), whilst the first need to understand the activities that they may be en- latter considers the use of different flow-based features as gaging in. In this section, we consider sequences of events inputs to machine learning algorithms. Whilst they pro- in a typical botnet's lifecycle, and split them into groups vide interesting insights, these works consider neither fea- based on the aims behind those events. We then consider tures from the application layer to help to characterise the what kind of traffic may be observed for each of these malware, nor the behaviours which may underpin them. groups. Meanwhile, Garcia et al. (2014) conduct a general survey on network-based detection methods, including a categori- 2.1. Lifecycle sation of algorithms and in-depth analysis of key works. Botnets inherently exhibit similar behaviours over the However, they do not identify the specific features those course of their active lifespan. These behaviours can be ab- approaches use. stracted into a number of sequential stages to form a model The aim of this work is to provide a study of the char- of the botnet lifecycle. The stages may be slightly different acteristics of HTTP-based botnet traffic and the types of depending on whether behaviours are viewed from the per- features used to measure or detect them. Such features or spective of the botmaster or of the defenders. Rodriguez- identifiers are the inputs to many detection mechanisms, Gomez et al. (2013) consider the former approach, and regardless of the methodology used. Therefore, it is im- define the lifecycle as Conception, Recruitment, Interac- portant to have a clear view of both what these identifiers tion, Marketing, Attack Execution and Attack Success. may be as well as how they fit together. To achieve this, we Conception covers the initial design and development of conduct a survey of recent network-based detection meth- the malware, including the botmaster's motivations. The ods, with specific focus on the types of traffic they observe Recruitment stage is the infection process through which and the parameters they define for the distinction of be- new bot victims are acquired. Next, the Interaction stage nign and malicious network data. Identified features are is where communication channels are established, includ- abstracted into sets, and classified by protocols and the as- ing those between the bots and C&C servers. Marketing sociated layers of the OSI model. Our goal is to enable a is (as the name suggests) the advertisement of the botnet better understanding of the nature of HTTP-based botnet or its services. Attack Execution will then depend on the traffic, including the underlying behaviours which cause it chosen campaign, and the end of this stage will be marked and the implementation of different protocols. (Note that by Attack Success. the term \HTTP-based botnet" refers to those that com- Meanwhile, the stages as defined by Silva et al. (2013) municate with C&Cs over HTTP, but they may use other are Initial Infection, Secondary Injection, Rally, Malicious protocols for other activities). Activities, and Maintenance. Initial Infection is the stage The main contributions of this paper are as outlined where the bot malware first comes into contact with a below: vulnerable node, and roughly aligns with the previous model's Recruitment stage. Then, a Secondary Injection • A survey of recent network-based detection ap- is triggered, where the executed malware downloads proaches for HTTP-based botnets additional configuration files. Rally denotes the initial • A survey of traffic-based features used to detect bot connection attempts made by bots to C&Cs from which traffic they will receive further instructions. This aligns with Interaction in the previous model. The commands of the • An abstraction of the main types of features in rela- botmaster will dictate the botnet's behaviours during tion to protocols and OSI layers Malicious Activities (similarly to Attack Execution and Attack Success). Maintenance covers the process of The paper is organised as follows: Section 2 will provide updating or patching the botnet. a background on the observed behaviours of HTTP-based botnets and the traffic which is generated as a result of The lifecycle conceptually encapsulates botnet be- those behaviours.
Load more

Recommended publications
  • Identifying Threats Associated with Man-In-The-Middle Attacks During Communication Between a Mobile Device and the Back End Server in Mobile Banking Applications
    IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 2, Ver. IX (Mar-Apr. 2014), PP 35-42 www.iosrjournals.org Identifying Threats Associated With Man-In-The-Middle Attacks during Communication between a Mobile Device and the Back End Server in Mobile Banking Applications Anthony Luvanda1,*Dr Stephen Kimani1 Dr Micheal Kimwele1 1. School of Computing and Information Technology, Jomo Kenyatta University of Agriculture and Technology, PO Box 62000-00200 Nairobi Kenya Abstract: Mobile banking, sometimes referred to as M-Banking, Mbanking or SMS Banking, is a term used for performing balance checks, account transactions, payments, credit applications and other banking transactions through a mobile device such as a mobile phone or Personal Digital Assistant (PDA). Mobile banking has until recently most often been performed via SMS or the Mobile Web. Apple's initial success with iPhone and the rapid growth of phones based on Google's Android (operating system) have led to increasing use of special client programs, called apps, downloaded to the mobile device hence increasing the number of banking applications that can be made available on mobile phones . This in turn has increased the popularity of mobile device use in regards to personal banking activities. Due to the characteristics of wireless medium, limited protection of the nodes, nature of connectivity and lack of centralized managing point, wireless networks tend to be highly vulnerable and more often than not they become subjects of attack. This paper proposes to identify potential threats associated with communication between a mobile device and the back end server in mobile banking applications.
    [Show full text]
  • Recent Developments in Cybersecurity Melanie J
    American University Business Law Review Volume 2 | Issue 2 Article 1 2013 Fiddling on the Roof: Recent Developments in Cybersecurity Melanie J. Teplinsky Follow this and additional works at: http://digitalcommons.wcl.american.edu/aublr Part of the Law Commons Recommended Citation Teplinsky, Melanie J. "Fiddling on the Roof: Recent Developments in Cybersecurity." American University Business Law Review 2, no. 2 (2013): 225-322. This Article is brought to you for free and open access by the Washington College of Law Journals & Law Reviews at Digital Commons @ American University Washington College of Law. It has been accepted for inclusion in American University Business Law Review by an authorized administrator of Digital Commons @ American University Washington College of Law. For more information, please contact [email protected]. ARTICLES FIDDLING ON THE ROOF: RECENT DEVELOPMENTS IN CYBERSECURITY MELANIE J. TEPLINSKY* TABLE OF CONTENTS Introduction .......................................... ..... 227 I. The Promise and Peril of Cyberspace .............. ........ 227 II. Self-Regulation and the Challenge of Critical Infrastructure ......... 232 III. The Changing Face of Cybersecurity: Technology Trends ............ 233 A. Mobile Technology ......................... 233 B. Cloud Computing ........................... ...... 237 C. Social Networking ................................. 241 IV. The Changing Face of Cybersecurity: Cyberthreat Trends ............ 244 A. Cybercrime ................................. ..... 249 1. Costs of Cybercrime
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • Mobile Financial Fraud April 2013
    White Paper: Mobile Financial Fraud April 2013 Mobile Threats and the Underground Marketplace Principal Investigator and Corresponding Author Jart Armin Contributing Researchers Andrey Komarov, Mila Parkour, Raoul Chiesa, Bryn Thompson, Will Rogofsky Panel & Review Dr. Ray Genoe (UCD), Robert McArdle (Trend Micro), Dave Piscitello (ICANN), Foy Shiver (APWG), Edgardo Montes de Oca (Montimage), Peter Cassidy (APWG) APWG Mobile Fraud web site http://ecrimeresearch.org/wirelessdevice/Fraud/ Table of Contents Abstract ..................................................................................................................................... 2 Introduction and Starting Position ........................................................................................ 2 A Global Overview .................................................................................................................. 3 Vulnerabilities Overview ....................................................................................................... 3 The Underground Mobile Market ....................................................................................... 13 Mobile DNS & Traffic ........................................................................................................... 15 iBots & the Pocket Botnet ..................................................................................................... 18 Mobile Intrusion ...................................................................................................................
    [Show full text]
  • An Analysis of the Asprox Botnet
    An Analysis of the Asprox Botnet Ravishankar Borgaonkar Technical University of Berlin Email: [email protected] Abstract—The presence of large pools of compromised com- motives. Exploitable vulnerabilities may exist in the Internet puters, also known as botnets, or zombie armies, represents a infrastructure, in the clients and servers, in the people, and in very serious threat to Internet security. This paper describes the way money is controlled and transferred from the Internet the architecture of a contemporary advanced bot commonly known as Asprox. Asprox is a type of malware that combines into traditional cash. Many security firms and researchers are the two threat vectors of forming a botnet and of generating working on developing new methods to fight botnets and to SQL injection attacks. The main features of the Asprox botnet mitigate against threats from botnets [7], [8], [9]. are the use of centralized command and control structure, HTTP based communication, use of advanced double fast-flux service Unfortunately, there are still many questions that need to networks, use of SQL injection attacks for recruiting new bots be addressed to find effective ways of protecting against the and social engineering tricks to spread malware binaries. The threats from botnets. In order to fight against botnets in future, objective of this paper is to contribute to a deeper understanding of Asprox in particular and a better understanding of modern it is not enough to study the botnets of past. Botnets are botnet designs in general. This knowledge can be used to develop constantly evolving, and we need to understand the design more effective methods for detecting botnets, and stopping the and structure of the emerging advanced botnets.
    [Show full text]
  • Kaspersky Security Bulletin 2020. Statistics Kaspersky Security Bulletin 2020
    Kaspersky Security Bulletin 2020. Statistics Kaspersky Security Bulletin 2020. Statistics Contents Figures of the year 3 Financial threats 4 Number of users attacked by banking malware 4 Attack geography 5 Top 10 financial malware families 6 Ransomware programs 7 Number of users attacked by ransomware Trojans 7 Attack geography 8 Miners 10 Number of users attacked by miners 10 Attack geography 11 Vulnerable applications used by cybercriminals during cyber attacks 12 Attacks on macOS 14 Threat geography 15 IoT attacks 17 IoT threat statistics 17 Threats loaded into traps 19 Attacks via web resources 20 Countries that are sources of web-based attacks: 20 Countries where users faced the greatest risk of online infection 21 Top 20 malicious programs most actively used in online attacks 22 Local threats 24 Top 20 malicious objects detected on user computers 24 Countries where users faced the highest risk of local infection 25 2 Kaspersky Security Bulletin 2020. Statistics Figures of the year • During the year, 10.18% of Internet user computers worldwide experienced at least one Malware-class attack. • Kaspersky solutions blocked 666,809,967 attacks launched from online resources in various countries across the world. • 173,335,902 unique URLs were recognized as malicious by Web Anti-Virus. • Our Web Anti-Virus blocked 33,412,568 unique malicious objects. • Ransomware attacks were defeated on the computers of 549,301 unique users. • During the reporting period, miners attacked 1,523,148 unique users. • Attempted infections by malware designed to steal money via online access to bank accounts were logged on the devices of 668,619 users.
    [Show full text]
  • Detecting Botnets Using File System Indicators
    Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.
    [Show full text]
  • C&C Botnet Detection Over
    C&C Botnet Detection over SSL Riccardo Bortolameotti University of Twente - EIT ICT Labs masterschool [email protected] Dedicated to my parents Remo and Chiara, and to my sister Anna 2 Abstract Nowadays botnets are playing an important role in the panorama of cyber- crime. These cyber weapons are used to perform malicious activities such fi- nancial frauds, cyber-espionage, etc... using infected computers. This threat can be mitigated by detecting C&C channels on the network. In literature many solutions have been proposed. However, botnet are becoming more and more complex, and currently they are trying to move towards encrypted solutions. In this work, we have designed, implemented and validated a method to detect botnet C&C communication channels over SSL, the se- curity protocol standard de-facto. We provide a set of SSL features that can be used to detect malicious connections. Using our features, the results indicate that we are able to detect, what we believe to be, a botnet and ma- licious connections. Our system can also be considered privacy-preserving and lightweight, because the payload is not analyzed and the portion of an- alyzed traffic is very small. Our analysis also indicates that 0.6% of the SSL connections were broken. Limitations of the system, its applications and possible future works are also discussed. 3 4 Contents 1 Introduction 7 1.1 Problem Statement . .9 1.2 Research questions . 10 1.2.1 Layout of the thesis . 11 2 State of the Art 13 2.1 Preliminary concepts . 13 2.1.1 FFSN .
    [Show full text]
  • European Cyber Security Perspectives 2015 | 3 Preface
    European Cyber Security Perspectives 2015 | 3 Preface Dear reader, Following the success of last year’s publication, we are proud to present the second edition of our European Cyber Security Perspectives report. Through this collection of articles, we aim to share our different perspectives and insights, the latest developments and achievements in the field of cyber security, cybercrime investigations and cyber resilience. By uniting the expertise of four parties with diverse roles in the cyber security domain, we hope to offer some fresh perspectives on issues and developments that we believe to be relevant for society. Rather than presenting you with bare facts and figures, we describe real-life cases and experiences from our professional practice. Topics include the trends to watch in 2015, responses to high-profile vulnerabilities and advances in the detection and investigation of targeted cyber attacks. Each article in the report can be read independently, allowing you to focus on the topics that interest you most. A central theme in this year’s report is cooperation in cyber security. We strongly believe in the value of uniting cyber security capabilities across public and private organisations and even national borders. In fact, you will see that many of the articles in this publication have been co-authored by specialists from different parties. This reflects the growth in our collaborative projects when addressing the latest cyber security challenges. We aim to foster more of those partnerships in the coming year. We encourage you to build on our work and experiences and hope that this report will inspire further enhancements in cyber security, cybercrime investigations and cyber resilience, both in the Netherlands and abroad.
    [Show full text]
  • The Dridex Swiss Army Knife: Big Data Dissolves the APT & Crime Grey Area
    #RSAC SESSION ID: HT-W10 The Dridex Swiss Army knife: big data dissolves the APT & crime grey area Eward Driehuis Director of product Fox-IT @brakendelama #RSAC Understanding criminal evolution Global visibility Collaboration Investigations Feeds #RSAC May 2014 #RSAC Rewind 9 years… 2006 Slavik launches ZeuS 2009 SpyEye & Carberp compete for market share 2010 Slavik creates ZeuS2 Hands over ZeuS support to the SpyEye guy 2011 ZeuS2 code leaks 2012 Gribodemon & Carberp members arrested In 2009 Slavik had joined JabberZeuS And Evolved to GameOver / P2PZeuS #RSAC The Businessclub Legacy Businesslike Financial guy perfected money laundry Targeted commercial banking Perfected the Hybrid attack / Tokengrabber Perfected ransomware / Cryptolocker Did some “light espionage” #RSAC Business club after Slavik Dyre Businessclub (GameOver ZeuS gang until May 2014) EvilCorp (Dridex crew) #RSAC Dridex: EvilCorp’s Swiss Army knife #RSAC EvilCorp network expands Core businessclub members in EvilCorp & Dridex operators Leveraging existing money laundry networks Branching out: Dridex operators do ransomware, RATs, Credit Cards, high value targets Ties with Anunak / Carbanak #RSAC Dridex Malware Based on Bugat/Cridex/Feodo, since 2014 Speading: scattergun (spam / attachments) Modular architecture P2P, with 3 operating modes: Token Grabber, data mining, inter node comm Using businessclub technology Loader dropping many different malwares #RSAC #RSAC EvilCorp: Dridex Targets 2015 -2017 #RSAC EvilCorp: ”Gucci” accounts Harvesting data from victims Big data techniques
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • An Analysis of the Nature of Groups Engaged in Cyber Crime
    International Journal of Cyber Criminology Vol 8 Issue 1 January - June 2014 Copyright © 2014 International Journal of Cyber Criminology (IJCC) ISSN: 0974 – 2891 January – June 2014, Vol 8 (1): 1–20. This is an Open Access paper distributed under the terms of the Creative Commons Attribution-Non- Commercial-Share Alike License, which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited. This license does not permit commercial exploitation or the creation of derivative works without specific permission. Organizations and Cyber crime: An Analysis of the Nature of Groups engaged in Cyber Crime Roderic Broadhurst,1 Peter Grabosky,2 Mamoun Alazab3 & Steve Chon4 ANU Cybercrime Observatory, Australian National University, Australia Abstract This paper explores the nature of groups engaged in cyber crime. It briefly outlines the definition and scope of cyber crime, theoretical and empirical challenges in addressing what is known about cyber offenders, and the likely role of organized crime groups. The paper gives examples of known cases that illustrate individual and group behaviour, and motivations of typical offenders, including state actors. Different types of cyber crime and different forms of criminal organization are described drawing on the typology suggested by McGuire (2012). It is apparent that a wide variety of organizational structures are involved in cyber crime. Enterprise or profit-oriented activities, and especially cyber crime committed by state actors, appear to require leadership, structure, and specialisation. By contrast, protest activity tends to be less organized, with weak (if any) chain of command. Keywords: Cybercrime, Organized Crime, Crime Groups; Internet Crime; Cyber Offenders; Online Offenders, State Crime.
    [Show full text]