The Cascade Effect in Big Data Cybercrime

Excerpt from Porcedda, M.G. and Wall, D.S. (2019) ‘Cascade and Chain Effects in Big Data Cybercrime: Lessons from the TalkTalk hack’, proceedings of WACCO 2019: 1st Workshop on Attackers and Cyber-Crime Operations, IEEE Euro S&P 2019, Stockholm, Sweden (N.B. references excluded). Funded by EPSRC EP/M020576/1 & EP/P011772/1

Cybercrime Group, Centre for Criminal Justice Studies, University of Leeds

The big data phenomenon is driving ‘upstream’ data-related cyber-dependent crimes such as data breaches. These crimes are essential components in a cybercrime chain that cascades ‘downstream’ to give rise to further crimes such as fraud and extortion, when the data is subsequently monetized in a way that impacts massively upon victims. These upstream and downstream crimes are often committed by entirely different offending actors against different victim groups, which complicates and frustrates the reporting, recording, investigative and prosecution processes. Taken together, the crime stream’s ‘cascade’ effect creates unprecedented societal challenges that need addressing in the face of the booming data economy stimulated by advances in Artificial Intelligence and the Internet of Things. We explore this phenomenon by unpacking the TalkTalk case study to help conceptualize how big data and cloud computing are creating cascading effects of disorganized, distributed and escalating data crime. The case study also reveals important information about the levels of interdependency within the modern cybercrime ecosystem and, where relevant, the division of labour within the offender group.

In October 2015, news outlets extensively covered a data breach at TalkTalk, a UK internet service provider. The scale of the breach was serious enough to launch a Parliamentary inquiry into cybersecurity and the protection of personal data online. Hackers used the open-source sqlmap penetration-testing tool, “that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers”, to probe webpages. Vulnerabilities were found in three legacy webpages owned by TalkTalk and posted on TalkTalk’s website. Exploiting this vulnerability, another hacker took some data and his colleague asked TalkTalk for a ransom for its return or deletion. Multiple hacker collectives independently and erroneously claimed responsibility for the hack; the BBC even claimed that one was a “Russian Islamist group”. At the same time a third party promised to post the stolen data on the now defunct dark web black market AlphaBay. Although there might have been up to 10 attackers in total, the police arrested six individuals and all but one were convicted – another individual also convicted at the time was alleged to be involved in the sale of the data. The case study shows how complicated and distributed a data breach is, illustrating a clear disconnect between the very high media profile of the case, the police investigation and the subsequent prosecutions.
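The flaw class that the case turns on, SQL injection in a legacy web page, is easiest to understand by putting the weak pattern beside its fix. The following is an added illustration written for this excerpt, not code from the paper or from TalkTalk; the in-memory SQLite table, the column names and the probe string are all constructed here. The point is that a query built by splicing user input into SQL text lets a single quote character turn data into code, whereas the parameterised form treats the same input purely as a value.

```python
import sqlite3


def build_db():
    """Constructed stand-in for a legacy customer-lookup page's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "0100 000 0001"),   # constructed sample rows
            (2, "bob@example.com", "0100 000 0002"),
            (3, "carol@example.com", "0100 000 0003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Legacy pattern: the caller's input is pasted into the SQL text.

    A quote in `email` closes the string literal, so whatever follows is
    parsed as SQL rather than compared against the column.
    """
    sql = "SELECT id, email, phone FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened form: the driver binds the value, so input stays data only."""
    sql = "SELECT id, email, phone FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare_lookups():
    """Run both forms against the same inputs and report row counts."""
    conn = build_db()
    # Constructed tautology of the kind an automated injection scanner sends
    # to test whether a parameter is spliced into the query.
    probe = "x' OR '1'='1"
    return {
        # The spliced query becomes ... WHERE email = 'x' OR '1'='1' and
        # matches every customer row: the whole table is exposed.
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        # The bound query looks for a literal email equal to the probe: none.
        "safe_rows": len(lookup_safe(conn, probe)),
        # The hardened form still serves the legitimate lookup correctly.
        "legit_rows": len(lookup_safe(conn, "bob@example.com")),
    }


if __name__ == "__main__":
    print(compare_lookups())
```

Both functions receive identical input; only the vulnerable one returns every row. The same contrast is what a penetration-testing scan and, from the other side, a web application firewall or query-error monitor look for: a parameter whose quoting changes the result set or raises a database error.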

Our analysis of the TalkTalk case study suggests that tipping points occur at each stage of the cascade model, for example, the disclosure of a vulnerability, its exploitation, followed by its monetization (selling data). Then other offender groups buy data, either to use for further offending or to refine for future crime, while third-party offenders use the pretext of the original attack to deceive victims. The case study not only illustrates how cybercrime cascades from upstream to downstream, but it also enables us to make a number of observations. The first is that it shows the complex nature of online crime groups and their diverse and distributed (even disorganized) nature when compared with contemporary organised crime. Not only had the offenders not met in the flesh (only two knew each other in person), but they also appear to have been in competition with one another when it came to monetizing the data. The second is the relative youth of the offenders compared to the seriousness of their offending. Their profiles showed them not to be the burly street criminals that the criminal justice system is designed for, strengthening the argument for sentencing alternatives. Our third observation is that the motivations of those caught – who appear to be driven more by the prospect of increasing their status within the reputational hierarchy of their group than by financial gain – may have made them more easily identifiable to law enforcement, turning them into ‘low-hanging fruit’. Our fourth observation is that the case study sends some blunt messages to (business) organisations to keep their computers and their data secure during a time when new attack vectors often exceed existing protection measures. Our fifth and final observation relates to how hard it is to find out information about cybercrime events in order to research cybercrime offending. There is no single reliable source of information and no single database for arrests, prosecutions and outcomes, although it becomes evident that there are historical, legal, bureaucratic and professional reasons why this is the case. In one way it suggests that there is a ‘myth of data’ and that research methodologies will have to adapt.