Towards Algorithmic Identification of Online Scams

Abstract

In “web-based scams”, scam websites provide fraudulent business or fake services to steal money and sensitive information from unsuspecting victims. Despite the researchers’ efforts to develop anti-scam detection techniques, the scams continue to evolve and cause online threats. State-of-the-art anti-scam research still faces several challenges, such as automatically acquiring a labeled scam dataset and providing early detection and prevention mechanisms to attacks that use cryptocurrency as a payment medium.

In this thesis, we implement a data-driven model to detect and track web-based scams with a web presence. Given a few scam samples, our model formulates scam-related search queries and uses them on multiple search engines to collect data about the websites to which victims are directed when they search online for sites that may be related to the scam. After collecting a sufficient corpus of web pages, our model semi-automatically clusters the search results and creates a labeled training dataset with minimal human interaction.

Our model proactively looks for scam pages and monitors their evolution over time rather than waiting for the scam to be reported. Whenever a new scam instance is detected, the model sends it automatically to the eCrime eXchange data warehouse in real-time. We have used the model to investigate and gain knowledge on two scams; the “Game Hack” Scam (GHS) and the “Bitcoin Generator Scam” (BGS). To the best of our knowledge, GHS and BGS have not been well studied so far, and this is the first systematic study of both scams.

GHS targets game players, in which the attackers attempt to convince victims that they will be provided with free in-game advantages for their favorite game. Before claiming these advantages, the victims are supposed to complete one or more tasks, such as filling out “market research” forms and installing suspicious executable files on their machines. Over a year of crawling, we uncovered more than 5,900 unique domains. We estimate that these domains have been accessed at least 150 million times from 2014 until 2019.

BGS is a simple system in which the scammers promise to “generate” new bitcoins using the ones sent to them. BGS is not a very sophisticated attack; the modus operandi is to put up some web page that contains the address to send the money and wait for the payback. Over 21 months of crawling, we found more than 3,000 addresses directly associated with the scam, hosted on over 1,200 domains. Overall, these addresses have received (at least) over 9.6 million USD. Our analysis showed that a small group of scammers controls the majority of the received funds. The top two groups have received around 6 million USD, which is more than half of the total funds received by the scam addresses.