
Investigating an association between DDoS and Phishing attacks


Academic year: 2021


UNIVERSITY OF TWENTE MASTER THESIS

Investigating an association between DDoS and Phishing attacks

Author: Samiksha

Chair: Prof. Dr. Ir. A. Pras (DACS)

Supervisors: Prof. Dr. Marianne Junger (BMS), Dr. Abhishta (BMS), Dr. Mattijs Jonker (EEMCS)

Thesis submitted in fulfillment of the requirements for the degree of Masters in Computer Science, Cyber Security Specialization

June 24, 2021


Acknowledgements

While I was wondering how to start writing this portion, I just could not stop thinking of so many people around me who supported me, helped me in every best way possible. So here is my attempt to applaud you all who did this work with me, because without you, it was not possible.

First and foremost mention goes to my family. Dear family, you gave me the power for going through everything, you gave me immense support while sitting thousands of miles away. I am here because of you. Thank you very much.

I would like to appreciate Prof. Dr. Aiko Pras for taking out time and accepting to be the chair of my thesis. I am very glad that my project is evaluated by an experienced person like you.

I cannot express enough gratitude to my committee for their continued support and encouragement. Hearty thanks to Prof. Dr. Marianne Junger for her instant support whenever possible, for lending an ear during tough times whenever I thought things came to a halt. Your feedback is always humble and nurturing. This project could not be completed without your expertise and generous support.

Dr. Abhishta, thank you for always showing me a clear picture, answering my repetitive questions and pointing out my blunders. Even without asking, you took out time to have quick calls just so I could understand better.

Sincere thanks to Dr. Mattijs for taking care of all the formalities and most importantly bearing with me, teaching me the ethics to conduct research. I am very grateful that you helped me uncountable times, dealing with technical problems that I faced by responding through emails, or looking at it yourself or by sharing additional resources that increased my knowledge of the subject.

Big thanks to APWG for providing abundant real phishing dataset. This work would have been very time consuming if we had not got help from them.

Definitely, there is a delay to finish this master’s thesis but I learnt the most at the cost of this delay. My student life will now end and new challenges will begin, and I hope to carry with me all the great lessons I learnt.


Abstract

Investigating an association between DDoS and Phishing attacks

The rapid growth of the Internet is not only transforming the way one engages and communicates, it also brings along new opportunities for online crime, such as fraud and data theft. These opportunities are favourable circumstances that influence one cybercrime to lead towards another cybercrime. These criminal opportunities may encourage coordination amongst individuals or groups sitting across international boundaries to work together and perform a coordinated "chain of crimes" in cyberspace. Through an extensive literature review of papers, a systematic methodology is designed to investigate the association between two seemingly distinct cybercrimes, DDoS and phishing attacks, by using the theoretical and practical knowledge of two criminological theories: Routine Activity Theory and Rational Choice Model. Routine Activity Theory is a theory of crime which, unlike other criminological theories, is not used to study criminality but to study crime. It explains that crime opportunity is the central concept of carrying out a crime, that is, it has a generative impact on other crimes. The Rational Choice Model perspective offers effective analysis of the modus operandi of each step or stage of the crime script. While Routine Activity Theory focuses on preventing crime events by reducing criminal opportunities, the theory of situational crime prevention, developed from the Rational Choice Model, is one of the crime science approaches to crime prevention that focuses on altering the structures of opportunity so as to increase the risks and efforts for an attacker and reduce the desired benefits. The fundamentals of these theories have expanded from their original grounds of analysing physical crimes to analysing cybercrimes. Therefore, the significant contribution of this research is to investigate whether one cybercrime creates conditions for a bigger cybercrime by recognizing the crime sequences under different time variations.


Contents

Acknowledgements iii

Abstract v

1 Introduction and Motivation 1

1.1 Background . . . . 1

1.2 Research goal . . . . 5

1.3 Report Structure . . . . 7

2 Literature Review Methodology 9

2.1 Define: Inclusion and Exclusion Criteria . . . . 9

2.2 Search: Navigating Databases . . . . 10

2.3 Selection and Analysis . . . . 11

3 Literature Review 13

3.1 Application of Criminological Theories in Cybercrime . . . . 13

3.1.1 Crime Chains . . . . 15

3.2 Selected Criminological Theories to Study Crime Chains: RAT and RCM . . . . 16

3.2.1 Routine Activity Theory (RAT) . . . . 16

3.2.2 Rational Choice Model (RCM) . . . . 18

3.3 RAT and Cybercrime . . . . 20

3.4 RCM and Cybercrime . . . . 25

4 Research Methodology 27

4.1 Five-Phase Methodology . . . . 27

4.1.1 Phase I: Observation . . . . 27

Data Gathering . . . . 27

Data Pre-Processing . . . . 29

4.1.2 Phase II: Induction & Phase III: Deduction . . . . 32

DDoS as a smokescreen or diversion . . . . 32

DDoS as a context or story-line . . . . 33

Phishing for the purpose of planning DDoS attacks . . . . 34

4.1.3 Phase IV: Testing . . . . 34

Statistical Analysis . . . . 34

4.1.4 Phase V: Evaluation . . . . 38

Descriptive Statistics: Mean, Median, Standard Deviation . . 38

Quantitative Approach: Using Mann-Whitney U Test . . . . . 38

Qualitative Approach: Using RAT and RCM . . . . 38

5 Results 41

5.1 Phase I: Observation . . . . 41

5.1.1 Data Gathering & Pre-Processing . . . . 41

5.2 Phase II: Induction & Phase III: Deduction . . . . 43


5.3 Phase IV: Testing & Phase V: Evaluation . . . . 46

5.3.1 Variation 1 . . . . 46

5.3.2 Variation 2 . . . . 53

6 Conclusion and Future Work 61

6.1 Conclusion . . . . 61

6.2 Limitations & Future Work . . . . 66

A Assessment on RAT Framework 69

B Application of RAT Framework in Cybercrime 71

C Cyber-crime during the COVID-19 Pandemic 77

D Summary of Literature Review 79

E DDoS Attack Events 87

F TF-IDF 91

G Total count of phishing emails for analyzing significant difference 93

H Descriptive statistics 97

Bibliography 101


List of Figures

1.1 DDoS attack . . . . 2

1.2 Phishing attack . . . . 3

1.3 Thesis outline . . . . 8

2.1 Flowchart of Grounded Theory results . . . . 12

3.1 Aspects of a DDoS attack . . . . 22

3.2 Hybrid model to analyse the aims of attackers . . . . 23

3.3 Observation on Taiwan malware authors . . . . 26

4.1 Five-Phase Methodology using Groot’s Cycle . . . . 28

4.2 TF-IDF Flowchart . . . . 31

4.3 Density curve of count for phishing emails . . . . 35

4.4 Illustration of two-tailed and one-tailed tests . . . . 37

5.1 DDoS eventful days . . . . 44

5.2 Descriptive statistics of phishing data under variation 1 . . . . 51

5.3 Descriptive statistics of phishing data under variation 2 . . . . 57

A.1 Journals included in the systematic review of the literature (1995-2005) . . . . 69

A.2 Description of data sources for articles using routine activities framework (1995-2005) . . . . 70

B.1 Cybercrime studies utilizing Routine Activity Theory . . . . 71

C.1 Phishing sites detected by Google during COVID-19 . . . . 77

F.1 TF-IDF Score of top 200 words . . . . 91

G.1 Sum of phishing emails received before and after DDoS announcement date for H1, H2, H3 . . . . 95


List of Tables

5.1 Phishing data pre-processing . . . . 42

5.2 Phishing data description . . . . 43

5.3 Formulated hypotheses and corresponding null hypotheses . . . . . 45

5.4 Summary of hypothesis testing . . . . 45

5.5 Mann Whitney U Results: Variation 1 . . . . 52

5.6 Mann Whitney U Results: Variation 2 . . . . 58

D.1 Summary Table of Literature Review . . . . 80

E.1 DDoS Attack Events . . . . 87

G.1 Sum of phishing emails received before and after DDoS announcement date under variation 1 . . . . 93

G.2 Sum of phishing emails received before and after DDoS announcement date under variation 2 . . . . 94

H.1 Median of phishing emails received before and after DDoS announcement date under variation 1 . . . . 97

H.2 Median of phishing emails received before and after DDoS announcement date under variation 2 . . . . 98

H.3 Mean of phishing emails received before and after DDoS announcement date under variation 1 . . . . 98

H.4 Mean of phishing emails received before and after DDoS announcement date under variation 2 . . . . 99

H.5 Standard deviation of phishing emails received before and after DDoS announcement date under variation 1 . . . . 99

H.6 Standard deviation of phishing emails received before and after DDoS announcement date under variation 2 . . . . 100


List of Abbreviations

APWG Anti-Phishing Working Group

CPT Crime Pattern Theory

DDoS Distributed Denial-of-Service

ICT Information and Communications Technology

NER Named-Entity Recognition

RAT Routine Activity Theory

RCT Rational Choice Theory

SLR Systematic Literature Review

TF-IDF Term Frequency - Inverse Document Frequency

VIVA Value, Inertia, Visibility and Accessibility


Chapter 1

Introduction and Motivation

In the current Internet era of the Information age, the Internet has become the central focus of communication and commerce in almost all sectors, such as government, consumers, businesses, and media. This largely involves vast online processing and online storage of information. To obtain these facilities, we rely on the daily use of digital devices such as computers, laptops, and smartphones. The Internet not only connects these devices but also binds us to them. With the Internet revolution, the human race has benefited exceptionally. More people worldwide are becoming part of the Digital age and can access the available tools that facilitate Internet services. Though the Internet is an overwhelmingly powerful tool, paradoxically, it is a "double-edged sword" that provides endless opportunities to all sectors of society as well as opportunities for cyber-criminals to execute cybercrime.

For instance, in the corporate sector, while the Internet boosts connectivity and improves the operational efficiency of businesses by allowing easy modes of communication among employees, customers, and business partners, it also makes the company a potential victim of Internet security violations. With the help of the Internet, traditional crime groups are now stepping into cyberspace to perform traditional criminal activities, and the Internet aids in executing these attacks in a more efficient and sophisticated way. Of course, the Internet provides new ways, making it simpler to reach potential victims and targets across countries or anywhere around the world. This provides cyber-criminals with numerous opportunities for executing organized online crimes such as phishing attacks for data theft or identity fraud, DDoS attacks, hacking or intellectual property crime.

Criminal groups get involved in these internet-organized crimes and benefit by offering crime as a service, for instance, distributing malware to capture victims' credentials, stealing personally identifiable information (PII) for identity fraud, selling or buying illicit items online, etc. These organized online crimes target networks, devices or individuals using advanced technologies. Therefore, new opportunities certainly give new ideas as well as bring new targets, as mentioned in Odinot et al., 2017: "...through new opportunities caused by globalization these 'new' crimes are rather an evolution of traditional crimes". However, there could be some patterns residing behind these organized online crimes, but with the rising rate of cybercrime it is becoming difficult to analyze and prevent cyber offenses at an early stage of an attack.

1.1 Background

The current study focuses on two cyber attacks, namely, DDoS attacks and phishing attacks. A Distributed Denial of Service (DDoS) attack, as shown in figure 1.1, is a malicious attempt that leads to the unavailability of network-based resources to the user(s) of the targeted infrastructure. DDoS can damage the productivity, up-time and reputation of the targeted company or infrastructure. The annual damage costs of this unavailability of network resources were estimated to be around millions of dollars, as reported by DDoS protection companies in 2018 [1].

FIGURE 1.1: DDoS attack

The other type of cyber attack which targets Internet users is the practice of sending fraudulent communication that appears to come from reliable sources and aims to get information from potential victims, as shown in figure 1.2. This cybercrime is referred to as a phishing attack, and the reason that these attacks are so popular is that a phishing message (email) can be sent to thousands of people in no time and with very little effort. In the last decade, cybercrimes have evolved to be more pervasive and sophisticated than ever. Lewis, 2018 reports the 2014 results of the global economic impact of cybercrime to be around $600 billion, and the most popular and easiest cybercrime remains phishing attacks. The same report also mentions the results of the year 2016, where the Anti Phishing Working Group (APWG) [2] recorded around 1.2 million phishing attacks, most of which were found to be linked to ransomware. For more than a decade, it has been studied that skilled cyber-criminals consider financial institutes, such as banks, their most favourite targets as compared to non-financial institutes. Another news article [3] provides statistical results of the crime trend in the Netherlands, describing a significant drop in conventional crime followed by a rise in cybercrime reported between 2012-2019.

[1] Trends in the Cost of Web Application & Denial of Service Attack https://www.akamai.com/uk/en/multimedia/documents/report/trends-in-the-cost-of-web-application-ddos-attacks-apac-ponemon-report.pdf (accessed on 6 May 2020)

[2] APWG https://apwg.org/ (accessed on 6 May 2020)

[3] Less traditional crime, more cybercrime https://www.cbs.nl/en-gb/news/2020/10/less-traditional-crime-more-cybercrime (accessed on 6 May 2020)

FIGURE 1.2: Phishing attack

The potential target bodies of these crimes are government, public figures, ideological groups, large manufacturing companies, Internet Service Providers (ISPs), hosting service providers, gaming and gambling platforms or financial institutes such as banks, insurance companies and others. This digital age has brought new challenges for forward-thinking organizations, including governments, as they understand the need to stay digitally strong for the benefit of customers and citizens. But for the government sector, it is many a time tough to keep up with the pace of technological advancements. The potential of cybercrimes has widened to the extent of transnational offending, such that offenders can commit a crime in one part of the world while sitting on the other side of the world, and this can bring a large part of the world to a halt. For these obvious reasons, the need to control digital technology remains strong. As Grabosky, 2001 says, "..one could always 'pull the plug', and severely restrict citizens' access to cyberspace, but those governments which seek to maximize the economic well-being of their citizen realize that it is futile to try to hold back the tide of globalization, and that failure to get in on the ground floor of electronic commerce may retard economic development".

Crime is an action that is the outcome of an interaction between an offender and his setting. The spatial and temporal convergence of law, offender, target and situation creates a criminal event. Crime events not only require thorough study and understanding of these settings but also sufficient knowledge of the patterns and trends that exist behind the crime events. With the growth in technological advancements, not only has crime become simpler to perform, but finding a crime pattern and the motives behind a crime has also become a challenging piece of work (Brantingham, Brantingham, and J, 2015). Understanding crime patterns requires not only looking at subgroups of individuals attracted towards crime but also at the individuals who might have been attracted to the circumstances that may lead to a crime. Taking this to the next level, one setting of crime is called crime chains or crime sequences, which is a series of distinct types of crimes that are related and take place either together or in a specific order. With the digitalization of society, cyber-criminals are coping at a good pace and work together to perform a coordinated chain of crimes. These attacks are interrelated to each other to perform a coordinated set of actions, which means that specific offenses can possibly create conditions for other new offenses. In Felson, 2006, the author suggests "find out how one crime depends on the others" and "discover the sequence of events for ongoing criminal cooperation" for understanding and reducing organized crimes.

Nevertheless, there exists proof based on surveys, interviews and scientific research that supports the presence of one cybercrime (Crime A) building an opportunity for the next or bigger cybercrime (Crime B) to take place, eventually forming a chain of crimes. Crime B might go undetected while the focus remains on fighting against Crime A. This is called the classic attack method "Cause a distraction in one area and then hit the victim in another area while everyone reacts to the first attack" [4]. The distraction caused by a DDoS attack in such cases is termed a smokescreen [5], which hides the attempts of other disruptions happening simultaneously, mostly originating from the same group of offenders. The Kaspersky Lab IT Security Risks 2016 stated that 29% of the time DDoS is found to be part of attack tactics to distract businesses while the hackers use the opportunity and enter the backdoor to perform more deadly types of attacks. The lab report states "Over half of businesses questioned (56%) are confident that DDoS has been used as a smokescreen for other kinds of cybercrime, and of those business respondents, a large majority (87%) reported that they had also been the victim of a targeted attack." [6] Another instance, reported in 2018 by the Dutch Bank (DNB) [7], warns of the possibility of receiving phishing emails after a DDoS attack has taken place. This indicates that offenders execute DDoS attacks on banks which act as a storyline for the original crime of a phishing attack on account holders. This opportunity makes it easier for criminals to steal sensitive information of the account holders while they are busy using the bank website which happens to be under the DDoS attack. These pieces of evidence motivate the present research on investigating online crime chains and crime patterns.

Numerous criminological and social theories, such as Routine Activity Theory by Cohen and Felson, 1979 and Rational Choice Model by Cornish and Clarke, 1986, have been postulated to explain conventional offenses and the behaviour of those who commit offenses. The Opportunity Theory (Felson and Clarke, 1998) and Crime Displacement (Felson and Clarke, 1998) are subsidiary concepts of Routine Activity Theory. The opportunity theory revolves around the principle that criminal opportunities are produced when circumstances favorable to crime take place, and therefore the crime occurs. Rational offenders, in turn, act upon these opportunities. The present research exclusively focuses on exploring the two supporting criminological theories: Rational Choice Model (RCM) and Routine Activity Theory (RAT). Though the native application of these theories is in conventional crimes in the terrestrial world, some researchers and philosophers argue that these theories can be applied to the virtual environment to understand the patterns of cybercrimes and crime sequences. Clarke, 1997, Cornish and Clarke, 1986, Clarke and Cornish, 2013, Wortley and Townsley, 2016 and many more researchers explain how the Rational Choice Model is applicable to cybercrime. RCM holds the fundamental tenets of classical criminology, which postulates that a criminal's decision to commit a crime relies on a cost-benefit analysis; therefore, the theory helps in analysing the thought process and rational choices made by criminals. Grabosky, 2001, Yar, 2005, and many more studies provide significant results which show that RAT, developed by Cohen and Felson, 1979, not only applies to conventional crimes in the physical world, but also to cybercrime, which happens in the virtual environment called cyberspace.

[4] DDoS Attack as a Diversion https://isssource.com/ddos-attack-as-a-diversion/#:~:text=It%20is%20a%20classic%20attack,reacts%20to%20the%20first%20attack. (accessed on 3 March 2020)

[5] DDoS Often Used as a Diversion Tactic https://www.itproportal.com/news/ddos-often-used-as-a-diversion-tactic/ (accessed on 3 March 2020)

[6] Cyber-criminals Use DDoS as Smokescreen for Other Attacks on Business https://www.kaspersky.com/about/press-releases/2016_research-reveals-hacker-tactics-cyber-criminals-use-ddos-as-smokescreen-for-other-attacks-on-business (accessed on 3 March 2020)

[7] DNB warns against 'phishing mail' https://www.dnb.nl/nieuws/nieuwsoverzicht-en-archief/Persberichten2018/dnb372138.jsp (accessed on 3 March 2020)

1.2 Research goal

The previous section discusses the possibility of one cybercrime building an opportunity for a new and distinct cybercrime. Therefore, the aim of this research is to concentrate on two cyber attacks in particular, that is, DDoS and phishing attacks.

The goal of this research is:

"Investigate whether there is an association between DDoS and Phishing attacks."

Before looking for a possible association, it is necessary to comprehend the modus operandi of the crime, that is, the online crime chain setting that exists in cybercrimes. Based on the existing scientific literature and case studies reported by industry, there seems to be a research gap on crime chains in online organized crimes, whereas widespread knowledge is available to study crime chains in traditional organized crimes. Therefore, to achieve the goal of this research, the following research questions have been designed; they require traversing from analysing crime chains to analysing crime patterns of DDoS and phishing attacks.

RESEARCH QUESTION 1: How to identify the crime chains that exist in online organized crimes? What are the aspects of criminological theory RAT and RCM and how can these aspects be applied in analysing the possible link between DDoS and phishing attacks?

The answer to [RQ 1] is delivered by presenting a comprehensive Systematic Literature Review (SLR) in chapter 3, which helps in identifying and evaluating some of the available research on crime chains and provides context on the associations that exist between distinct cybercrimes and how one cybercrime leads to another.


The further research is based on the understanding of the setting and sequence of offenses gained from the literature review, using the theoretical and experimental concepts of criminological theories (RAT, RCM and their subsidiary theories).

RESEARCH QUESTION 2: What methodology should be used to analyse a possible link between DDoS and phishing attacks?

A five-phase methodology, based on the principles of A.D. de Groot's Empirical Cycle, is designed in chapter 4; it combines a quantitative and a qualitative approach. These findings offer insights to analyse crime chains and the patterns residing behind DDoS and phishing attacks.

The primary step is to acquire a sufficient dataset, and therefore we use crowd-sourced data provided by the Anti-Phishing Working Group (APWG Report for Q3 2020) that contains phishing emails reported by citizens or businesses. For the DDoS attack dataset, Google services like Google Alerts [8] are used for a systematic collection of publicly reported DDoS-related news articles. The details of both datasets are discussed in chapter 4.

During the process, we test the three hypotheses formulated under section 4.1.2 of chapter 4 using descriptive and test statistics, followed by the qualitative analysis using the postulations of RAT and RCM. The null hypotheses and the respective alternative hypotheses are mentioned below:

H1₀: There is no significant difference between the median of phishing emails received before and after the DDoS announcement date.

H1: The median of phishing emails received before the DDoS announcement date is the same as the median of phishing emails received after the DDoS announcement date.

H2₀: There is no significant difference between the median of phishing emails with 'security' content received before and after the DDoS announcement date.

H2: The median of phishing emails with 'security' content received before the DDoS announcement date is lower compared to the median of phishing emails with 'security' content received after the DDoS announcement date.

H3₀: There is no significant difference between the median of phishing emails with malware attachments received before and after the DDoS announcement date.

H3: The median of phishing emails with malware attachments received before the DDoS announcement date is higher compared to the median of phishing emails with malware attachments received after the DDoS announcement date.

RESEARCH QUESTION 3: How to validate if there exists any relationship between DDoS and phishing attacks?

[8] Google provides a free notification service called Google Alerts that delivers alerts to the subscriber via email when it finds new results, such as web pages, blogs, newspaper articles, or scientific research that match the subscriber's search term(s).


The aspects of criminological theories answered in [RQ 1] help in analysing the crime pattern of organized crimes found while performing descriptive and test statistics. [RQ 3] focuses on using the principles of RAT and RCM to interpret the results obtained from [RQ 2] for analysing the attack trends. The core concepts of these criminological theories are used as a qualitative approach, as mentioned in chapter 5, to validate the relationship that exists between these seemingly unrelated, distinct cyber attacks and to investigate how one crime leads to a new crime.

RESEARCH QUESTION 4: How can the crime chain analysis contribute towards policy decisions and the field of crime science?

Answering the above research questions leads to a greater understanding of whether DDoS is used as an opportunity for covering phishing attacks or vice versa. This provides more information on the perpetrator's rational choices in executing a crime, which can enable their early detection and increase the risk perception. Chapter 6 provides a detailed discussion of the major contributions of this research to making policy decisions.

1.3 Report Structure

The structure of this report, as shown in figure 1.3, traverses from providing a general and comprehensive overview of the criminological theories RAT and RCM towards a broader perspective of their application and empirical analysis in the field of cybercrime.

Chapter 1, as already discussed, provides the introduction and brief background knowledge of the topics relevant to this research.

Chapter 2 discusses the literature review methodology, which mentions the inclusion criteria, exclusion criteria and search parameters used to reach the relevant literature for review. Chapter 3 then summarizes the findings from a selected set of literature that primarily discusses distinct criminological theories, with the ultimate focus brought on to Routine Activity Theory and Rational Choice Model.

Chapter 4 elaborates the five-phase research methodology, detailing the data gathering and data pre-processing of DDoS and phishing attacks. It describes the quantitative approach used to test the formulated hypotheses and the qualitative approach that validates the findings of the statistical tests.

Chapter 5 provides a detailed discussion of the results obtained for each phase in the five-phase methodology.

Chapter 6 delivers the closing words, key findings, and limitations of the current research. It also discusses the supporting evidence from this research that can be used as the foundation for possible future work.

The source code of this project can be found at Code Repository, which is made public. The following Python files are included in the GitHub repository:

1. tf-idf.ipynb: TF-IDF implemented on the entire phishing email dataset for keyword extraction.

2. descriptive-statistics-var1.ipynb & descriptive-statistics-var2.ipynb: Descriptive statistics (mean, median, standard deviation) are computed for phishing data under variations 1 and 2.

3. mwu-var1.ipynb & mwu-var2.ipynb: Test statistics, that is, the Mann-Whitney U test, applied to phishing emails received before and after each DDoS announcement date under variations 1 and 2. The test is conducted in Python using the mannwhitneyu() function of the SciPy library [9].

4. sum-var1.ipynb & sum-var2.ipynb: Code for calculating the sum of phishing emails (for the respective hypothesis) received before and after each DDoS announcement date under variations 1 and 2.
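The following is an added, self-contained illustration of the before/after test described for the hypotheses in section 1.2 and of the descriptive-statistics and Mann-Whitney notebooks listed above; it is not code from the thesis repository. The thesis runs SciPy's mannwhitneyu(); here the U statistic and its normal-approximation p-value are implemented by hand so the example runs without SciPy. The announcement date, the five-day window, the exclusion of the announcement day from both windows, the one-sided directions chosen for H2 and H3 (two-sided for H1) and all daily counts are constructed assumptions, not APWG data.

```python
"""Before/after comparison of daily phishing-email counts around a DDoS announcement.

Added example, not code from the thesis repository. The thesis runs SciPy's
mannwhitneyu(); the U statistic and its normal-approximation p-value are
implemented by hand here so the example runs without SciPy. The window length,
the exclusion of the announcement day itself, the one-sided directions and all
counts are assumptions made for illustration.
"""
from datetime import date, timedelta
from math import erfc, sqrt
from statistics import mean, median, pstdev

# Constructed daily counts (not APWG data): date -> (all phishing emails,
# emails with 'security' themed content, emails carrying a malware attachment).
ANNOUNCEMENT = date(2020, 9, 15)          # assumed DDoS announcement date
DAILY_COUNTS = {
    date(2020, 9, 10): (12, 3, 5),
    date(2020, 9, 11): (15, 4, 6),
    date(2020, 9, 12): (11, 2, 4),
    date(2020, 9, 13): (14, 3, 7),
    date(2020, 9, 14): (13, 3, 5),
    date(2020, 9, 15): (16, 5, 5),        # announcement day, left out of both windows
    date(2020, 9, 16): (20, 8, 3),
    date(2020, 9, 17): (18, 7, 2),
    date(2020, 9, 18): (25, 9, 4),
    date(2020, 9, 19): (22, 8, 1),
    date(2020, 9, 20): (19, 6, 2),
}
COLUMN = {"all": 0, "security": 1, "malware": 2}

# Email subset and test direction per hypothesis (assumed). 'less' means the
# 'before' sample tends to be smaller than the 'after' sample (SciPy's convention).
HYPOTHESES = {
    "H1": ("all", "two-sided"),    # any shift in total phishing volume
    "H2": ("security", "less"),    # before < after for 'security' content
    "H3": ("malware", "greater"),  # before > after for malware attachments
}


def window_counts(counts, announcement, window_days, column="all"):
    """Daily counts for window_days before and after the announcement, in date order."""
    idx = COLUMN[column]
    before = [counts[announcement - timedelta(days=d)][idx] for d in range(window_days, 0, -1)]
    after = [counts[announcement + timedelta(days=d)][idx] for d in range(1, window_days + 1)]
    return before, after


def mann_whitney_u(x, y, alternative="two-sided"):
    """Mann-Whitney U for sample x against y: average ranks for ties, tie-corrected
    normal approximation with continuity correction. Returns (U_x, p_value)."""
    n1, n2 = len(x), len(y)
    pooled = list(x) + list(y)
    order = sorted(range(len(pooled)), key=lambda i: pooled[i])
    ranks = [0.0] * len(pooled)
    tie_term = 0
    i = 0
    while i < len(order):                 # walk each run of equal values
        j = i
        while j + 1 < len(order) and pooled[order[j + 1]] == pooled[order[i]]:
            j += 1
        avg_rank = (i + j + 2) / 2        # 1-based ranks i+1..j+1 share their mean
        for k in range(i, j + 1):
            ranks[order[k]] = avg_rank
        t = j - i + 1
        tie_term += t ** 3 - t
        i = j + 1
    n = n1 + n2
    u_x = sum(ranks[:n1]) - n1 * (n1 + 1) / 2
    mu = n1 * n2 / 2
    sigma = sqrt(n1 * n2 / 12 * ((n + 1) - tie_term / (n * (n - 1))))
    if sigma == 0:                        # every value tied: no evidence either way
        return u_x, 1.0

    def phi(z):                           # standard normal CDF
        return 0.5 * erfc(-z / sqrt(2))

    if alternative == "less":
        p = phi((u_x + 0.5 - mu) / sigma)
    elif alternative == "greater":
        p = 1 - phi((u_x - 0.5 - mu) / sigma)
    else:
        p = 2 * (1 - phi((abs(u_x - mu) - 0.5) / sigma))
    return u_x, min(p, 1.0)


def describe(sample):
    """Mean, median and (population) standard deviation of one window."""
    return {"mean": mean(sample), "median": median(sample), "sd": pstdev(sample)}


def evaluate_hypothesis(name, counts, announcement, window_days=5, alpha=0.05):
    """Descriptive statistics plus the U test for one hypothesis; rejects H0 when p < alpha."""
    column, alternative = HYPOTHESES[name]
    before, after = window_counts(counts, announcement, window_days, column)
    u_before, p = mann_whitney_u(before, after, alternative)
    return {"hypothesis": name, "before": describe(before), "after": describe(after),
            "u_before": u_before, "p_value": p, "reject_null": p < alpha}


if __name__ == "__main__":
    for name in HYPOTHESES:
        r = evaluate_hypothesis(name, DAILY_COUNTS, ANNOUNCEMENT)
        print(f"{name}: median before={r['before']['median']} after={r['after']['median']} "
              f"U={r['u_before']:.1f} p={r['p_value']:.4f} reject H0={r['reject_null']}")
```

The U test compares the two distributions as a whole rather than the medians alone; it speaks about medians only under the usual shift assumption, so the descriptive statistics are reported next to the p-value rather than replaced by it. With windows this short the normal approximation is coarse (SciPy switches to the exact distribution for small tie-free samples), which is a reason to report the exact per-window counts alongside the test result.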

FIGURE 1.3: Thesis outline

[9] SciPy.org https://docs.scipy.org/doc/scipy/reference/generated/scipy.stats.mannwhitneyu.html (accessed on 7 March 2021)


Chapter 2

Literature Review Methodology

To conduct this literature review, a Systematic Literature Review (SLR) approach was carried out using the criteria of Grounded Theory [1] explained by Wolfswinkel, Furtmueller, and Wilderom, 2013, which is widely used in the academic world. The following Chapter 3 is based on this five-stage grounded theory method, applied in an iterative fashion, for reviewing the literature on criminological theories used in conventional as well as cyber crimes. The stages are categorised as follows:

1. Define: The criteria of including or excluding the literature, identifying the research fields, determining appropriate sources and deciding upon specific search terms/keywords.

2. Search: The process of searching through all the identified and authentic research sources such as Scopus, IEEE Xplore Digital Library, ScienceDirect or Google Scholar [2].

3. Select: The process of selecting and refining the generated search sample by reading the titles, abstracts or some of the document content. The process also includes acknowledging the forward and backward citations, which further helps in enriching the quality of the research sample set.

4. Analyze: Analyzing each set of papers by highlighting significant findings, associated insights, theoretical key points or empirical facts that seem relevant to the goal of the review and also help in answering the research question(s).

5. Present: The task of representing and structuring the content generated from Stage 4.

The following sections discuss each and every stage with detailed information that justifies the selection of literature studied throughout this literature review.

2.1 Define: Inclusion and Exclusion Criteria

The inclusion criteria set for all the research studies was based on the following key points:

1 Discovery of grounded theory: Strategies for qualitative research by Glaser and Strauss, 2017

2 The databases searched:

• Scopus: https://www.scopus.com/

• IEEE Xplore Digital Library: https://ieeexplore.ieee.org/Xplore/home.jsp

• ScienceDirect: https://www.sciencedirect.com/

• Google Scholar: https://scholar.google.com/


1. The literature should be available in English text.

2. The entire text of the literature should be freely accessible through the University of Twente subscription, or at least it should be possible to obtain access on request to the main author(s).

3. It should present theoretical and empirical tests of criminological theories applied in traditional and cybercrime, to understand the background nature of the theories as well as their utility in cybercrime.

4. It should present theoretical and empirical proofs of applying Routine Activity Theory, Rational Choice Model in traditional and cybercrime.

5. The literature that focused on subsidiary theories such as Opportunity Theory, Crime Pattern Theory and Situational Crime Prevention applied in traditional crimes or cybercrime were also chosen to get a deep insight of the concept.

6. The literature related to cyberspace should be published after the year 2000, as this topic mostly blossomed in the past two decades, while literature focusing on criminological theories could be from before the year 2000. In general, the time period was not a restricting factor.

7. The literature should be limited to the field of Computer Science, Decision Science, Social Science, Economics and Finance.

8. The study should give sufficient evidence and required knowledge.

The exclusion criteria set for all the research studies was based on the following key points:

1. The entire text of the literature was not freely accessible or required payment for download.

2. The literature in which the methodology of the study was inadequate, did not provide a detailed overview of the methodology, or lacked supporting evidence.

3. The literature that focused on criminological theories other than Routine Activity Theory and Rational Choice Model or their subsidiary theories.

4. Reading the title, abstract, keywords or conclusion of the literature was the deciding factor; literature whose relevance could not be judged without reading beyond these parts was excluded.

2.2 Search: Navigating Databases

The main focus of this stage was to design a query or queries, as per the content requirement, with relevant keywords that gave useful search results. The second significant process was using the constructed search query while navigating through the reliable and trusted databases such as Scopus, IEEE Xplore Digital Library, ScienceDirect or Google Scholar. Primarily, a pre-exploratory literature search was conducted in order to gather sufficient knowledge for choosing an appropriate set of keywords and to get acquainted with the topics as well. With this approach a search query was built using the relevant set of keywords. The query provided the required results and was mapped towards answering each research question mentioned in section 1.2. The resulting search query that was used as input in the Scopus database is mentioned below:

• Scopus Query :

TITLE-ABS-KEY ( "ROUTINE ACTIVITY THEORY" OR "ROUTINE ACTIVITIES" OR "RATIONAL CHOICE" OR "CRIMINOLOGICAL THEORY" ) AND TITLE-ABS-KEY ( "CYBER" OR "CYBERCRIME" OR "CYBER ATTACK" OR "CYBERSPACE" OR "VIRTUAL ENVIRONMENT" )

This query was used to answer [RQ 1]. The framed answer and literature review are not solely dependent on the results generated by this query, but also on other supporting and authentic sources of evidence such as news articles or scientific reports, as discussed in section 2.3. This literature review makes significant use of citation chaining, which allows a thorough search, both forward (forward citations) and backward (backward citations), using a specific piece of literature as a starting point to find more relevant papers. The query returned 151 documents, and a thorough analysis was made to select the most relevant literature based on title and abstract screening, as discussed in the following section 2.3.

In order to gain access to literature that was not freely available on Scopus, additional databases such as ScienceDirect and Google Scholar were searched using similar keywords:

• Science Direct Query :

( "ROUTINE ACTIVITY THEORY" OR "ROUTINE ACTIVITIES" OR "RATIONAL CHOICE" OR "CRIMINOLOGICAL THEORY" ) AND ( "CYBERCRIME" OR "CYBER ATTACK" OR "CYBER" )

• Google Scholar Query :

"routine activity theory", "routine activities", "rational choice", "cyber", "criminological theory", "cybercrime", "cyberspace"

2.3 Selection and Analysis

This last stage of the Grounded Theory method comprised the selection and analysis of suitable literature to arrive at the final set. As shown in figure 2.1, the search query built with relevant keywords gave in total 599 results from all three databases (Scopus, ScienceDirect and Google Scholar). The three lists of studies from the respective databases were scanned in a progressive manner based on title, abstract and lastly, the complete text. The majority of the studies, 362, were discarded after the title screening. Following this, 174 more studies were discarded after a thorough reading of the abstracts of the remaining studies. Meanwhile, 8 studies were found to be already present in the list of another database (duplicates), and thus were removed.


Finally, 31 studies were included based on full-text screening, and 11 more studies were added that were found through forward and backward citations using a second-level (second-generation) reference search. Therefore, the final sample size of the acquired studies was 42, which has been studied minutely in chapter 3.

FIGURE 2.1: Flowchart of Grounded Theory results


Chapter 3

Literature Review

To begin the discussion on cyber crimes, it has become obligatory to refer to the most jeopardizing plights they raise, be it the consequences or the emergence of distinct crime and/or criminality. The first computer worm, known as the Morris Worm (Warner, 2012), was created in 1988 by Robert Tappan Morris with the intention of highlighting security flaws in the digital systems of the Massachusetts Institute of Technology. But the code infected multiple computers, causing huge havoc in the cyber infrastructure, and this unfortunate incident inspired the catastrophic concept of Distributed Denial of Service (DDoS) attacks that we hear of today. In the summer of 1999, July 22 was marked as a forbidding date in the era of the Internet. On that very day, a computer at the University of Minnesota received malicious data packets from a network of 114 computers which were infected with a malicious script called Trin00 (Criscuolo, 2000). It has been 21 years since the first DDoS attack took place and the list of cyber sabotages is now never ending. Since then, the Internet with its widespread accessibility has facilitated crimes which use the computer not only as a medium to conduct crimes but also as a target. These attacks have become common, not only to achieve lucrative targets by attacking websites and stealing users' data to extract money, but they have also evolved over time. Back in the 1990s, hackers used to indulge in crimes driven by ego or revenge and to prove themselves as the best hacker; today, in modern society, hackers have become more skillful and want to use their expertise to earn profits quickly.

The target of attack and the motivation now exist in distinct regions such as politics, the military, a nation's economy, etc. Thus, in this alternate 'virtual environment', where the Internet has the power to connect any user with any other user in the world, new and distinct forms of cyber crime emerge, which necessitates the study of cyber crimes. As Clarke, 2012 says, ".. temptation, not merely opportunity, plays a substantial role in crime". This branch of study is still evolving and has become a prominent area of research in criminology.

The ongoing research aims to understand and explain the patterns (if any) that exist amongst repeated or distinct illicit online attacks. As cited by Yar, 2005, ".. it is supposedly novel socio-interactional features of the cyber space environment (primarily the collapse of spatial-temporal barriers, many-to-many connectivity, anonymity and plasticity of online identity) that makes possible new forms and patterns of illicit activity". To get better insight, there exist criminological theories that provide explanations of the underlying patterns and crime chains within organized online cyber attacks and victimization.

3.1 Application of Criminological Theories in Cybercrime

The aim of the discussion in this section is to understand the differences and similarities between traditional crime and cybercrime, which would eventually help in understanding why criminological theories applied to traditional crimes are now applicable to cybercrime as well.

The study by Montoya, Junger, and Hartel, 2013 discusses two global approaches for measuring cybercrime. The first approach implies that traditional crime and cyber crime belong to entirely different categories of crime, that is, traditional crime on one side and cybercrime on the other. The second approach dwells on investigating the digital modus operandi1 of traditional crimes. The authors focused on finding what percentage of cyber crimes take place according to the second approach.

This implies that most cybercrimes such as fraud, intellectual property theft, threats and the sale of banned material are not different from conventional forms of crime2 that pre-date the Internet era but now occur online. The authors state simple analogies to describe cybercrime as the conventional behaviour of criminals using computers and the Internet, such as hacking activities as computer-aided versions of vandalism or trespassing3, and phishing schemes as theft. Their studies showed that ICT does not have an equal influence on all crime types. Secondly, digital crimes and traditional crimes vary in the relationship and geographical distance between the victim and the offender, that is, offenders and victims involved in digital crimes are found to be at a greater distance from each other compared to those involved in traditional crimes.

This suggests that the principles of performing cyber crimes and physical traditional crimes might be quite comparable. A simple analogy: in breaking into a house for robbery or into a computer network for stealing data, both the thief and the cyber criminal need to first gather information and then perform a coordinated attack; in both cases, the offender first collects data about the entity and then performs the attack. Reyns, 2017 suggests some target hardening practices under the Routine Activity concept for those who could be exposed to victimization risks; for example, individuals who do not take security precautions could be among those presenting themselves as well as their property (e.g. Personally Identifiable Information, login credentials, etc.) as a suitable target. The author gives the analogy of leaving a car's door unlocked, which seems like an open invitation for theft. Therefore, this depicts that the human motivation to commit such crimes remains the same while technological advancements are rapidly growing.

Some commentators such as Capeller, 2001 and Snyder, 2001 suggest that cyber crime is a completely different branch of criminology which comes with its own set of rules, limits, possibilities and ontological and epistemological structure. Other commentators such as Grabosky, 2001, Yar, 2005, Reyns, 2017 and other studies offer theoretical and empirical reflections to explain the significant relation between terrestrial traditional crimes and virtual crimes. They explain in their own different ways that the motives for computer-related and conventional crimes are not new: they are driven by similar motivations, the most obvious of which are revenge, malice, boredom, adventure, vandalism, terrorism or monetary gain or, as said by Grabosky, 2001, the desire to taste forbidden fruit.

1 Modus operandi is the particular manner in which an offender commits a crime towards a chosen goal.

2 The study by Montoya, Junger, and Hartel, 2013 was limited to investigating four types of crimes, namely residential burglary, commercial burglary, fraud and threats.

3 As quoted, "When a hacker enters a restricted computer system, he/she is entering an other person's property without authorization, which fits the definition of trespassing. Similarly, when a hacker purposely changes a website or destroys data, the action is analogous to vandalism".


3.1.1 Crime Chains

Crime Chains or Crime Sequences are a series of distinct types of crimes that are related to each other and take place either together or in a specific order. These attacks are inter-related so as to perform a coordinated set of actions, which means specific offences can create the conditions for new offences, that is, one crime sets the stage for the next. Information on offline crime chains is quite evident, but for online crime chains the knowledge is not widely available. The existing studies on organised online crimes mainly focus on the perpetrators, their background or behaviour, but rarely is research performed on the modus operandi.

There is little research discussing coordinated online crime; some of the studies are Kim, Wang, and Ullrich, 2012, Yegneswaran, Barford, and Ullrich, 2003 and Junger et al., 2017. The study by Yegneswaran, Barford, and Ullrich, 2003 performed an empirical analysis of Internet intrusion activities, and one of their observations is that attackers who have coordinated attack plans perform a significant amount of illegal scanning activity. Another study by Junger et al., 2017 is in line with the concept of coordinated cyber attacks and provides strong evidence for multiple cybercrime victimization. The study gives valuable insights into the crime chain phenomenon that leads to multiple online victimization. Multiple online victimization is the state where the victim of one crime happens to be the target of other types of cybercrime victimization4. Their research was performed to find whether there exists a relationship between routine activities, socio-economic aspects and cybercrimes.

The study was based on three forms of cybercrime, namely online shopping fraud, online banking fraud and DDoS attacks. It also aimed to find whether victims of cybercrime have the same characteristics as those of traditional crimes. The results were found to correlate positively with the RAT approach, and it was effectively shown that digitization leads to the normalization of victims in cybercrime.

Felson, 2010 offers two mathematical models to describe how crime grows or declines. With Model 1, "how burglary multiplies into other crimes", the author shows three divisions of a criminal incident to explain how one crime builds up the opportunity for further crimes to occur. The three parts are (1) the prelude to the criminal incident, (2) the criminal incident itself and (3) the aftermath of the criminal incident. Therefore, the aftermath of one crime incident is the prelude to the next, which portrays crime events as sequential. When applied to cyber crime, this model can help to justify the link between distinct cyber attacks integrated together to execute a larger criminal plan.

The Routine Activity Theory by Felson and Clarke, 1998 in criminology explains that crime opportunity is the central concept of carrying out a crime, that is, it has a generative impact on other crimes. Routine legal activities that occur in everyday life give birth to crime opportunities such that likely offenders discover apt crime circumstances. Many existing theories such as the social ecology of crime by Deardorff, 1930, the social control theory of crime and delinquency by Hirschi, 2002 and crime pattern theory (CPT) by Brantingham and Brantingham, 1984 describe the relationship between the spatial and temporal elements of a criminal event, but Cohen and Felson, 1979 not only recognize the socio-environmental aspect of a criminal event but also bring attention to the structure of the routine activities of the potential targets. With this structure of routine legal activities, the authors studied how an illicit event takes place. A crime opportunity framework is built on the features of three approaches: routine activity, the rational choice perspective and crime pattern. Crime science utilizes these three approaches together, in an order of attention that ranges from using the 'routine activity approach' for the larger society, to 'crime pattern theory' for the local area and 'rational choice' for individuals. The core principle of crime opportunity theory states that one crime breeds new crime; this is referred to as the Van Dijk Chain, after Van Dijk, who noticed a particular pattern in bicycle thefts5. Felson and Clarke, 1998 also mention how small and minor offences can be executed to act as a smokescreen or camouflage layer for serious and disruptive offences.

4 For instance, a click on a malware-induced link can download malware onto the victim's system, which could further allow the cybercriminals to access the victim's computer system and obtain sensitive information.

Clarke, 2012 and Miró, 2014 discuss that the crime opportunity approach is established on the grounds of RAT and the rational choice made by an offender. It is the rational offender who seeks the opportunities; thus, a criminal opportunity is certainly the cause of criminal events and creates favorable conditions for a crime to take place. The role of opportunities in committing a crime, along with the modes of execution, is described in Clarke, 2012: burglary due to a window of the house left open, suicides in England and Wales due to the toxic carbon monoxide content of domestic gas, car theft due to a car door left open, and un-updated computer systems for malware or other cyber attacks are some examples where opportunity has played a significant role.

The above discussion gives the direction of this research: to study the application of the criminological theories RAT, postulated by Cohen and Felson, 1979, and RCM, developed by Cornish and Clarke, 1986, as these theories demonstrate the similarities between "virtual criminality" and terrestrial crime and are also used to postulate real policies and practices against the essential elements of forming a crime chain, thereby hindering or preventing the possibility of cyber crimes. But before that, it is quintessential to understand briefly the basic and core tenets of RAT and RCM in the following section 3.2.

3.2 Selected Criminological Theories to Study Crime Chains: RAT and RCM

3.2.1 Routine Activity Theory (RAT)

RAT, by Cohen and Felson, 1979, is one of the most accepted theories used in crime science to address the situational circumstances of crimes. This theory is not used to study criminality but to study crime; therefore, it is a theory of crime. The roots of this theory are drawn from the much more mature concept of human ecology6 and it is complemented by the theory of rational choice. Unlike other criminological theories which study criminal behaviour and the factors that motivate crime, such as psychological, biological or social factors, RAT places the stress on studying a criminal act as an event, highlighting the intersection of spatial and temporal elements.

5 Understanding crime rates: on the interactions between the rational choices of victims and offenders, Dijk, 1994

6 Human ecology; a theory of community structure, Hawley, 1950


RAT constructs the idea that a crime occurs when three essential spatial and temporal elements converge in the course of daily activities:

• A motivated offender with capacity to commit a crime.

• A suitable target or victim7.

• An ineffective or absent capable guardian to protect targets and victims and thereby impede a crime8.

The routine activity approach uses the properties of VIVA: Value, Inertia, Visibility and Accessibility, which help in depicting the conditions under which a victim is likely to become a potential target. The score on these properties elucidates the chances of the specific target being attacked, which means the higher the score, the higher the chance of risk or of an attack occurring.

• Value: Real or symbolic, the value defines the worth and importance of the victim/target to the attacker, which may differ based on the attacker's perspective.

• Inertia: It refers to the size, weight and shape or physical aspects that could impede the suitability of the target or victim from the attacker’s perspective.

• Visibility: It defines the degree of target being exposed to the attacker or the degree to which the attacker knows the target.

• Accessibility: It refers to the degree of ease for an attacker to reach the target or carry out an attack considering the challenges towards a successful attack.

In a literature review by Spano and Freilich, 2009, an assessment of RAT was carried out based on empirical validity and conceptualization. The authors scrutinized the studies that were performed at an individual level and were published in mainstream journals between 1995 and 2005. The authors provide sufficient evidence, as shown in Appendix A, that RAT has been widely used in the field of criminology, especially after the 1990s. Another significant finding is that the RAT framework has been extensively used for various kinds of data sources, a few of which are property victimization, crime/deviance, etc., as shown in Appendix A. The authors gather enough evidence to show how the RAT framework has widened the interests and focus of criminologists. The theory, which was initially used to study criminal behaviour, is now applied to understand the criminal event, which additionally involves victim as well as offender behaviour. The overall results of the report show that the effects of the essential RAT elements, exposure, target suitability and guardianship, comply with the theoretical and empirical expectations of the routine activity approach.

Another literature review on RAT, carried out by Miró, 2014, suggests that crime rates do not rely on the increase or decrease in the number of criminals, that is, it can

7 Felson and Clarke, 1998 highlight the difference between "target" and "victim". "Target" implies that the majority of crimes aim at obtaining goods and therefore the "victim" may be absent from the place of the crime.

8 It could be the presence of a Closed-Circuit Television (CCTV) system operated and monitored by people not physically present at the crime site, or a security guard in the physical world, or a firewall installation in the virtual environment.
