Risky Business? Investigating the Security Practices of Vendors on an Online Anonymous Market using Ground-Truth Data
Jochem van de Laarschot and Rolf van Wegberg, Delft University of Technology
https://www.usenix.org/conference/usenixsecurity21/presentation/van-de-laarschot
This paper is included in the Proceedings of the 30th USENIX Security Symposium, August 11–13, 2021. ISBN 978-1-939133-24-3. Open access to the Proceedings of the 30th USENIX Security Symposium is sponsored by USENIX.

Abstract

Cybercriminal entrepreneurs on online anonymous markets rely on security mechanisms to thwart investigators in attributing their illicit activities. Earlier work indicates that – despite the high-risk criminal context – cybercriminals may turn to poor security practices due to competing business incentives. This claim has not yet been supported through empirical, quantitative analysis on ground-truth data. In this paper, we investigate the security practices on Hansa Market (2015-2017) and measure the prevalence of poor security practices across the vendor population (n = 1,733).

We create ‘vendor types’ based on latent profile analysis, clustering vendors that are similar regarding their experience, activity on other markets, and the amount of physical and digital items sold. We then analyze how these types of vendors differ in their security practices. To that end, we capture their password strength and password uniqueness, 2FA usage, PGP adoption and key strength, PGP-key reuse and the traceability of their cash-out. We find that insecure practices are prevalent across all types of vendors. Yet, between them large differences exist. Rather counter-intuitively, Hansa Market vendors that sell digital items – like stolen credit cards or malware – resort to insecure practices more often than vendors selling drugs. We discuss possible explanations, including that vendors of illicit digital items may perceive their risk to be lower than vendors of illicit physical items.

1 Introduction

Cybercriminals deploy security mechanisms that are intended to hinder investigators in their attribution efforts, making it difficult to link cybercriminal activity in the underground economy to an identity, location or machine [14, 64]. Since ‘operational security’ (OPSEC) techniques are frequently shared in the underground community [4, 56] and given the increasing amount of law enforcement scrutiny [15], we should expect that among cybercriminal entrepreneurs on online anonymous markets, poor security practices are rarely present.

However, there are numerous indications in earlier work that cybercriminals do not always achieve maximum security. Due to competing business incentives, criminals may turn to insecure practices that ease transacting illegal products or services. Here, we witness an inevitable trade-off between enhanced security and improved efficiency of operations [42]. ‘Perfect security’, therefore, is not economically viable. Like in the legitimate economy [54], security in the underground economy comes at a cost [53]. This leads us to wonder how prevalent poor security practices (or: “insecure practices”) among online anonymous market vendors actually are.

While earlier work has attempted to quantify insecure practices of cybercriminals trading in the underground economy, these attempts only focus on a single, specific mechanism – e.g., PGP adoption [49], consistent VPN usage [50] and the reuse of usernames and/or PGP keys across different markets [59]. Moreover, it remains unknown who is behaving insecurely most often, and we are left completely in the dark as to why. All of these security mechanisms are designed and implemented to compromise the availability or usefulness of evidence to the forensic process [24]. Here, we should acknowledge that some market-based security mechanisms apply to every vendor. Rules, policies, content moderation, account verification and the mandatory use of cryptocurrencies and Tor routing are examples of mechanisms that are imposed and enforced by the market [2, 7, 22, 62]. These mechanisms make up a form of ‘extra-legal governance’ that contributes to a more secure and trustworthy trading environment [13, 34].

Still, not all security mechanisms are introduced by the market administrators. In this paper, we focus specifically on these mechanisms, as only unimposed practices can differ between vendors. To be precise, we analyze their password strength, password uniqueness, 2FA usage, PGP-key adoption and key strength, reuse of PGP keys over multiple markets and the traceability of their cash-out to bitcoin exchanges. We capture these practices on a single market – Hansa Market, which was active from late 2015 to mid 2017. Seized data originating from the web server that hosted the market has been made available to us by Dutch law enforcement. We combine the back-end database with three other data sources to measure the prevalence of poor security practices across the vendor population. In short, we make the following contributions:

• We present the first empirical, quantitative analysis leveraging unique ground-truth data to investigate vendor security practices on an online anonymous market.

• We measure the prevalence of poor security practices across different types of vendors on Hansa Market. For instance, we uncover that almost 40% of all vendors (n = 1,733) did not enable 2FA and find that at least 10% of vendors cash out directly to mainstream bitcoin exchanges. Poor practices are also observed among the most successful vendors.

• We demonstrate that poor security practices do not occur at random. Rather counter-intuitively, vendors on Hansa Market selling digital cybercrime items are more likely to have insecure practices than vendors selling physical items – e.g., drugs.

• We discuss possible explanations for our findings, including that the perceived risk of transacting illicit digital items may be lower than the perceived risk for illicit physical items.

We structure the remainder of this paper as follows. Section 2 identifies the security practices of vendors on online anonymous markets. Section 3 elaborates on the data we analyze and our approach to measure the prevalence of insecure practices. In Section 4, we identify characteristics of vendors that can relate to their security practices and we cluster vendors with similar characteristics into distinct ‘vendor types’. Section 5 shows how we capture the identified security practices; we then apply these measurements to the data to investigate the security practices across vendor types. We discuss possible explanations for differences in vendors’ security practices as well as limitations and implications of our work in Section 6. We show how our work connects to related work in Section 7. Section 8 concludes.

2 Security practices on online anonymous markets

Online anonymous marketplaces take

time that Silk Road was active, it made its mark on the ecosystem, as other initiatives successfully copy its business model to this day [49]. A decade later, some industry reports estimate the yearly revenue of all online anonymous markets combined to be more than $790 million worth in cryptocurrencies [6]. Initially, predominantly illegal narcotics and prescription drugs were transacted on these marketplaces [7]. Nowadays, they also serve as one-stop shops for digital items – ranging from stolen credit cards to ransomware toolkits [58].

For those offering illicit substances or cybercrime items, online anonymous markets are attractive platforms to conduct their business on. The platforms provide contractual safeguards – like an escrow and review system – and anonymity-enhancing functionalities that are superior to their alternatives [49, 58]. On top of that, vendors can employ additional security practices – ranging from authentication mechanisms to cash-out obfuscation techniques. But, which practice makes perfect?

In this paper we aim to investigate which types of vendors pay more attention to their security than others. Thus, the security practices that the market imposes on all vendors are not of interest here. Rather, we focus on the security practices that may differ between individuals. Leveraging earlier advances into ‘deviant security’¹, we take the following six practices that impact the security of vendors into account. Later, in Sections 5 and 7, we will elaborate on the earlier work identifying these practices, and report how we are able to capture them in the data available to us.

Password strength. Although password authentication has been around for decades, people still have a tendency to choose predictable passwords [16], criminals included. This leaves them open to brute-force attacks that can give third parties – e.g., rivals or law enforcement – access to their accounts, which in turn may lead to irreparable harm to business continuity.

Password uniqueness. A theoretically complex, but non-unique password can also be easily breached [3, 31]. Research suggests that password reuse is common, even among those who are security-aware [18, 61]. Additionally, databases of leaked passwords may include usernames or email addresses. Thus, password reuse can also make users who operate on online anonymous markets easier to compromise.
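The two password practices above can be turned into concrete checks. The following is an added example, not code from the paper and not the method the authors used to measure Hansa vendors; it assumes a k-anonymity style lookup (only a short SHA-1 prefix leaves the client, suffixes are compared locally) against a leaked-password corpus, and the corpus here is a tiny constructed stand-in. The brute-force estimate is a deliberate upper bound: it assumes uniform choice over the character classes used and does not penalise dictionary words, which is exactly why the leaked-corpus check must take precedence, as the "theoretically complex, but non-unique" case shows.

```python
"""Added example (not part of the paper): operationalising the 'password
strength' and 'password uniqueness' practices.

Assumptions: a breached-password corpus keyed by 5-hex-char SHA-1 prefix
(the k-anonymity range-query pattern); the corpus below is constructed
for this example only.
"""
import hashlib
import math
import string

# Constructed stand-in for a breached-password corpus. A real one would hold
# hundreds of millions of SHA-1 hashes; the structure is what matters here.
_LEAKED_PLAINTEXT = ["123456", "password", "qwerty", "letmein",
                     "hansa2016", "Tr0ub4dor&3"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the encoding range-query services expose."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Group leaked hashes by their first 5 hex chars, as a range server would."""
    index = {}
    for pw in leaked:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


LEAKED_INDEX = build_range_index(_LEAKED_PLAINTEXT)


def range_query(prefix: str):
    """Simulates the remote side: every suffix stored under this prefix."""
    return LEAKED_INDEX.get(prefix, set())


def is_leaked(password: str) -> bool:
    """k-anonymity lookup: only the 5-char prefix would leave the client;
    the full hash is never sent, the suffix match is done locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters
    return size


def brute_force_bits(password: str) -> float:
    """Upper bound on guess entropy: uniform choice over the used classes.
    Overestimates badly for dictionary words and keyboard walks."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def assess(password: str, min_bits: float = 60.0) -> dict:
    """Leaked status wins over the entropy bound: a reused password is weak
    no matter how complex it looks (the 'Password uniqueness' point)."""
    leaked = is_leaked(password)
    bits = brute_force_bits(password)
    if leaked:
        verdict = "weak: appears in leaked corpus"
    elif bits < min_bits:
        verdict = "weak: brute-forceable"
    else:
        verdict = "ok"
    return {"leaked": leaked, "bits": round(bits, 1), "verdict": verdict}


if __name__ == "__main__":
    for pw in ["123456", "Tr0ub4dor&3", "abc", "correct horse battery staple"]:
        print(repr(pw), assess(pw))
```

"Tr0ub4dor&3" scores roughly 72 bits under the uniform-alphabet bound, well above the 60-bit threshold, yet it is flagged weak because it is in the leaked set; "abc" is not leaked but falls to brute force. Against a real corpus the `range_query` function would be an HTTP call carrying only the prefix, so the checker never discloses the password or its full hash.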