
Explaining Cybercrime through the Lens of Differential Association Theory

Hadidi44-2.php PayPal Case Study
Rachel Levin
(levin8@tcnj.edu)
The College of New Jersey
Ewing, NJ
Jonathan Richardson
(richardsoj1@nku.edu)
Northern Kentucky University
Highland Heights, KY
Gary Warner, Kent Kerley, PhD
(gar@cis.uab.edu, krkerley@uab.edu)
University of Alabama at Birmingham
Birmingham, AL


Abstract: Social learning theories, such as differential
association theory, state that criminals develop deviant behaviors
and learn the tools of their trade through close association with
other deviants. This case study examines a group of 99 email
addresses found to be using the same PayPal phishing kit. It uses
Open Source Intelligence techniques to determine potential
relationships between the holders of these email addresses. The
results are then discussed in light of differential association
theory to determine the extent to which this theory may aid in the
understanding of cybercrime.
Index Terms: Phishing, Differential Association Theory,
Cybercrime, PayPal
I. INTRODUCTION
Cybercrime has evolved with the ever-constant boom of
modern technology, but law enforcement has struggled to keep
up with the innovations of cybercriminals. Cybercrime has
become a huge problem for online financial institutions and E-
commerce websites alike. Typical street-level criminals and
cybercriminals may differ in many ways. In street-level crime,
criminals commit their acts against people that are in their
general vicinity. Their motives often are clear, usually
involving immediate reward and financial gain.
Cybercriminals commit all of their crimes online where
distance is no factor in their motivations. They can commit
these crimes without fear of being seen. Their motivations are
usually related to those of street-level criminals, but their
reward usually comes at a later date. Data collection is their
immediate reward, whereas financial gain comes in time.
There are clear differences between these types of criminals,
but can they be explained through the same criminological
theories?

Using social learning theories as a heuristic guide, we
provide a case study of cybercrime. This is an exploratory
study that investigates the many criminals who all chose to
personalize and use the same PayPal phishing kit referred to as
hadidi44-2.php because of the presence of that unique
filename. It is clear that cybercriminals pursue deviant
behaviors and commit deviant actions, but how did they come
to all use the same tool in this case? What can we learn about
this case from differential association theory? The investigation
was carried out within the scope of this theory, using open
source intelligence tools to conduct the research.

II. THEORETICAL BACKGROUND
Traditional criminological theories have been used to
explain cybercrime in the past, but such theories pertain to
intuitive choice, rather than learning outcomes. Social learning
theories are within a subcategory of social process theories
[14]. Social process theories attempt to explain crime through
the contribution of societal factors to the moral development of
an individual. Social learning theories, in particular, explain
how the interaction within groups and peers constitutes the
framework for criminal activities [3]. These theories posit that
criminals learn behavior through social interactions involving
the sharing of knowledge through physical acts and
reinforcement of ethical codes and attitudes towards crime.
Within this framework, these specific theories can contribute to
explaining cybercrime.

Computers provide various hubs of open source
information and serve as a world within themselves comprised
of multiple communities. The range of interests presented
within the cyber world includes a rich subculture based on
devious intent. The most successful cybercriminals require
access to a wide array of abilities, tools, and knowledge that is
hard to acquire in isolation. Therefore, one can infer that social
learning theories provide a basic framework for explaining how
criminals share knowledge and tools, but more importantly,
how they create favorable attitudes and group-reinforcing
rationalizations towards participating in crime [15]. Social
learning theories consist of a number of sub theories. In this
research, the focus will be on the study of differential
association theory in relation to the cybercrime world.

In the fields of Sociology and Criminology, differential
association theory is the exemplar of social learning theories
[3]. This theory was introduced by Edwin Sutherland in 1939
and posits that criminality, in large part, represents a
socialization process. Short for "differential association with
criminal and anti-criminal behavioral patterns," [13] the theory
generalizes that humans learn to participate in delinquency
from exposure to criminal behavior and attitudes through
association with close and trusted peers. Further exploration
into this theory reveals the idea that learning criminal behavior
978-1-4673-2543-1/12/$31.00 2012 IEEE
is a process similar to learning any other type of behavior [20].
The theory is built upon nine basic concepts that are
summarized as follows:

1) Criminal behavior is learned
2) Criminal behavior is learned through interaction with
others
3) Learning behavior takes place within intimate
personal groups
4) Learning criminal behavior includes techniques of
committing the crime and direction of motives, drives,
rationalizations, and attitudes.
5) Direction of drives and motives is learned from
definitions of legal codes as favorable and
unfavorable.
6) A person becomes a criminal when contact with other
deviants produces an excess of definitions favorable to
the violation of the law
7) Differential associations vary in frequency, duration,
priority, and intensity.
8) The process of learning criminal behavior by
association with criminal and anti-criminal patterns
involves all of the mechanisms that are involved in
any other learning.
9) The process of learning criminal behavior expresses
general needs and values, but is not excused by such
because noncriminal behavior expresses the same
needs and values. [20]

These nine components of differential association theory
are usually used to explain street-level crime and white-collar
crime. Differential association has been used to explain a wide
range of online misbehavior ranging from cyber bullying to
terrorism [32,33]. This study will explore the investigation into
the hadidi44-2.php phishing kit and examine how this theory
may be used as a framework for understanding this case.

III. TECHNICAL BACKGROUND

For the purpose of this case study, phishing will be defined
as the use of deceitful emails to trick targeted victims into
redirecting to a fake website and disclosing private information
such as user names, passwords, credit card numbers, social
security numbers, addresses and other exploitative information.
As consumers have embraced online methods of commerce,
banks and online merchants have moved towards email as the
most inexpensive and effective method of maintaining
relationships with their customers. This normalization of email
as the chosen method for consumer-facing communications has
created a new opportunity for criminals as consumers now
expect important reminders and notices from their online
merchants to arrive via electronic mail. Criminals around the
world no longer need to be in physical proximity to their victim
to accomplish sophisticated financial crimes.

Phishing has grown into a multi-billion dollar conglomerate
comprised of sects of cybercriminals from around the world,
collectively hoarding millions of unsuspecting victims'
personal information annually and using that information to
exploit their victims' finances or for identity theft. The January
2012 RSA report notes that in 2011, roughly one in every 300
emails in circulation around the Internet was believed to
contain elements relating to phishing. This report also stated
that in 2011, 279,580 phishing attacks were observed, a 37%
increase in attacks from their 2010 report.

The top requested phishing sites imitated the login pages of
the U.S.-based banks [25]. This information demonstrates why
research into a financial institution phish such as PayPal is
necessary for a greater understanding of cybercriminal tool
sharing [25]. According to the January 2012 RSA phishing
report, phishers in 2011 kept their focus on committing fraud
against financial institutions. This report states that financial
institutions topped the chart of entities that had their web pages
targeted for the majority of phishing attacks. Financial
institutions combat phishing in one of two ways: through internal
cyber security professionals, or by contracting takedown companies
that remove relevant phishing websites when they are detected
[18]. However, with a better understanding of cybercrime
through current social learning theories, phishing may be
combated before taking place.

The purpose of this case study is not to give a history of
phishing; rather it is to describe how phishers, hackers, and
spammers share their online tools and how cybercriminals fit
into differential association theory. This insight should inspire
future research into other social learning theories and how they
apply to cybercrime.

Integral to this study was the use of the University of
Alabama at Birmingham's (UAB) [28] Spam Data Mine. The
purpose of the resource is to store and research spam data
found throughout the Internet, usually in the form of spam emails
[27]. UAB's Computer Forensics Research Lab automatically
extracts information from the spam emails and stores it for use
in open source investigations. UAB gathers upwards of 1
million spam emails a day, totaling more than 500 million
spam emails as of January 2011. The UAB Phishing
Operations team receives potential phishing URLs from
various sources, including URL lists and spam email messages,
and systematically analyzes them to determine if the URL is
confirmed to be a phishing website [27]. If the URL is found
to be a phish, automated tools, informed by patterns labeled by
subject matter experts on the team, decide what financial
institution or e-commerce web site it belongs to [27]. The
phishing analysis system does this in part by inventorying the
individual files used to create the phishing system and finding
previously confirmed phishing sites that contain the same set of
files used on the site under consideration through a process
called Deep MD5 Matching [35].
Automated and manual techniques are then used to attempt to
identify phishing kits placed on a hacked web server used for
phishing. A phishing kit is an archive file, usually in .zip
format, uploaded to a compromised web site by the phisher.
The phishing site is then made by unzipping the kit in the
directory structure of the published webserver pages. These
kits often contain the email addresses to which stolen personal
financial information gathered from victims will be sent,
referred to as "drop emails." Since its creation in 2007, the
UAB PhishOps team has confirmed and archived more than
540,000 phishing websites. As of July 18, 2012, the Phishing
Ops team had found 194,462 total recorded phish for the year
of 2012 alone. Within these phish, the team was able to retrieve
21,412 (11%) phishing kits. In 2011, over 189,000 phishing
sites for more than 400 ecommerce and financial institutions
were identified. When a phishing kit is located on a phishing
site, it is retrieved and analyzed, with key information about the
kit and its contents stored into the Phishing Data Mine. These
tools were used to archive and analyze the hadidi44-2.php
phishing kit that serves as the focus of this case study.
IV. METHODS

Analysts on the PhishOps team work with law enforcement and
corporate investigators to identify groups of related phishing
sites that are interesting for further investigation because of
their prominence in relation to other groups of phishing sites.
In this case study, visiting researchers participating in the
National Science Foundation Research Experience for
Undergraduates emulated these techniques while learning the
methods used routinely in the lab. Individual phishing kits are
chosen for investigation for a variety of reasons, including
being linked to a particular financial loss, or in response to a
request from an investigator. In this case, the kit was chosen
due to a sudden surge in the prominence of the kit. In July
2012, more than thirty phishing sites imitating PayPal were
found to have used the same phishing kit, where the only
modification between versions of the kit was the drop email
address that should receive the stolen credentials. In lab
parlance, the PHP program file that sends the email to the
criminal is called the "action file." For convenience of
reference, the kit was referred to by the name of its action file,
hadidi44-2.php. The hadidi44-2 kit was found to have been
used to create at least 274 phishing sites dating back almost a
year to July 25, 2011. Ninety-six versions of the kit were
found based on the uniqueness of the action file with the most
prominent version of the kit found to be used 31 times. These
emails were then extracted for investigation. Within the 96
hadidi44-2 kits, 99 unique email addresses were extracted for
further investigation.
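
The kit triage described above (inventorying a kit's files by MD5, grouping kit versions by the uniqueness of the action file, and pulling out the drop addresses), as an added Python example that is not the UAB lab's code. The archives, site names and addresses are constructed, and the Jaccard overlap score is an assumption standing in for the lab's Deep MD5 Matching formula, which the page does not give.

```python
import hashlib
import io
import re
import zipfile
from collections import defaultdict

ACTION_FILE = "hadidi44-2.php"  # action file name taken from the case study
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def make_kit(files):
    """Build an in-memory .zip (constructed stand-in for a retrieved kit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def inventory(kit_bytes):
    """Return {filename: MD5 hex digest} for every file in the archive."""
    with zipfile.ZipFile(io.BytesIO(kit_bytes)) as zf:
        return {info.filename: hashlib.md5(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def drop_emails(kit_bytes):
    """Collect e-mail addresses embedded in the kit's PHP files."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(kit_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".php"):
                text = zf.read(info).decode("utf-8", errors="replace")
                found.update(m.lower() for m in EMAIL_RE.findall(text))
    return found


def overlap(inv_a, inv_b):
    """Jaccard overlap of two file-hash sets (assumed score, see lead-in)."""
    a, b = set(inv_a.values()), set(inv_b.values())
    return len(a & b) / len(a | b) if (a | b) else 0.0


def group_versions(sites, action_file):
    """Group sites by the MD5 of their action file: one digest, one version."""
    versions = defaultdict(lambda: {"sites": [], "emails": set()})
    for site, kit in sites.items():
        inv = inventory(kit)
        if action_file not in inv:
            continue  # not this kit family
        version = versions[inv[action_file]]
        version["sites"].append(site)
        version["emails"] |= drop_emails(kit)
    return dict(versions)


def rank_versions(versions):
    """Return [(times used, sorted drop addresses)], most-used version first."""
    rows = [(len(v["sites"]), sorted(v["emails"])) for v in versions.values()]
    return sorted(rows, key=lambda row: (-row[0], row[1]))


def _action(addr):
    # Constructed placeholder body: only the address differs between versions.
    return '<?php $to = "%s"; /* constructed placeholder */ ?>' % addr


# Constructed sample data: three sites from one kit family, one unrelated site.
_SHARED = {"index.html": "<html>constructed placeholder page</html>",
           "style.css": "body { margin: 0 }"}
SITES = {
    "site-1.example": make_kit({**_SHARED, ACTION_FILE: _action("drop-a@example.test")}),
    "site-2.example": make_kit({**_SHARED, ACTION_FILE: _action("drop-a@example.test")}),
    "site-3.example": make_kit({**_SHARED, ACTION_FILE: _action("drop-b@example.test")}),
    "site-4.example": make_kit({"other.php": "<?php /* unrelated */ ?>"}),
}

if __name__ == "__main__":
    for uses, emails in rank_versions(group_versions(SITES, ACTION_FILE)):
        print(uses, emails)
    inv = {site: inventory(kit) for site, kit in SITES.items()}
    print(overlap(inv["site-1.example"], inv["site-3.example"]))
```

Two sites whose kits differ only in the drop address share every file except the action file, which is why the overlap score stays high while the action-file digest separates the versions.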

The concept of 99 individuals each choosing to name their
action file hadidi44-2.php was not plausible. This left the
research with three possible outcomes: (1) The kit's creator had
multiple email accounts and was spreading the kit from a
plethora of different aliases or (2) The kit was freely available
on the Internet and any aspiring criminal could acquire and use
it, or (3) The kit was distributed within a community of
cybercriminals who share their tools and techniques with one
another. By investigating the emails, the relationships between
these criminals could be identified and finding the origin of
hadidi44-2 could help us further explain whether the criminals
behind these email addresses had a relationship with one
another as suggested by the differential association theory.

After extracting the 99 unique emails from the phishing kit,
each individual email was searched through a number of open
source intelligence tools, beginning with Paterva's Maltego
product. Maltego uses a series of predefined transforms to
search a variety of data sources for relevant information, and
then graphically represents relationships formed between
search items when they return common results. Email
addresses were found to be related to one another for a variety
of reasons. Some were found on the same hacked website
where hackers had posted email addresses of their team mates
as a form of graffiti. Others were found to belong to members
of a common hacking forum, or to have been used as an
administrative email address for a website.

Some of the results of the Maltego search yielded additional
aliases or identities used by the same hacker. For example,
Maltego produced more than 50 results for the email address
crywolef@yahoo.com including evidence that the email was
used to register the domain FireMovies.net, and that the
individual also used the aliases mamoun00@hotmail.com and
cry_wolef@hotmail.com both of which are contained in our
original list of 99 hadidi44-2 emails. This particular individual
is also involved in hacking. We also know that this criminal
used the email address crywole@yahoo.com to register the
domain tahasocial.com. Tahasocial.com is recommended by
members of traidnt.net, an Arabic forum. Traidnt.net is an
online hacking forum with several members within our target
emails, including fnxdsp@hotmail.fr, deemar197@gmail.com,
and hk96sp@gmail.com. Each of these emails also receives
stolen information from at least one version of the hadidi44-
2.php action file.

The Google search engine was used to find further
information on the phishers, as well as clues as to where they
share their tools. By searching the previously mentioned email,
deemar197@gmail.com, we find that this email uses the alias
Zakariati on the Arabic hacking forum, Sa3eka. Sa3eka
proved to be popular within our set of criminals, along with
other Arabic web design forums such as traidnt.net, and Arabic
hacking forums including VBhacker, VBspiders, and
gazahacker.net. These forums were found to create most of the
relationships within our criminal web. This discovery helped
to reveal forums where criminals felt comfortable freely
discussing their nefarious activities. In some cases the same
email address is associated with multiple aliases across
different forums. Conversely, multiple email addresses were
found for the same alias within threads of comments found on
the forums. With multiple email addresses, further searches
were conducted using Maltego and other techniques, deducing
even more information on the hadidi44-2 criminals. Many of
the searches resulted in social networking profiles.

In the modern cyber-driven world, communities are being
formed online creating associations and forming social bonds
through the Internet. One way in which people take advantage
of this is through social networking sites, such as Facebook.
Of the ninety-nine unique email addresses associated with the
hadidi44-2.php, twenty-nine of these criminals were owners of
Facebook profiles. Strict privacy settings and fraudulent
personal information within profiles ended the investigation of
some of the cybercriminals, while less vigilant profiles
provided a surfeit of information. For example,
mootez.saad@gmail.com has a Facebook profile under the
name, Mootez Saad. Analysis of Saad's public pictures proved
to be lucrative to this investigation. Within these files were
multiple screenshots of stolen PayPal accounts. Saad attempted
to cover his tracks by masking the personal information within
his screenshots; however, his attention to detail was lacking in
most cases. Upon closer inspection of Saad's other Facebook
images, another email under the address of
miutex.xox@hotmail.fr was identified in addition to a physical
street address, details of a PayPal SQL injection attack, and his
Skype alias.

After researching all ninety-nine email addresses and their
associations, the relationships were collected and portrayed in
i2 Analyst's Notebook where the analysis of their connections
took place. Each individual shows the relationship between
hadidi44-2 emails as demonstrated by common social network
links, including forum memberships, Facebook groups, and
other contexts. Unconnected trees were not demonstrated to
have a social network relationship to each other. Creating this
type of chart allowed for visual representation of the criminals'
relationships with one another.


Figure 1: Hadidi44-2 emails in social network context
V. RESULTS

Using open source intelligence tools generated very useful
results. Maltego was able to provide relevant email addresses,
websites, and other relationships, which were refined through
further queries using Google and other search methods.
Google returned fewer results than Maltego, but they were often
more relevant than some of the leads generated in Maltego. It
provided various links to community forums, web pages, and
social networking sites tied to the specified email searched.

Of the ninety-nine unique emails behind the hadidi44-2.php
action file, forty-three emails were found on the Internet.
Thirty-two emails returned ample and significant results not
only on the criminals themselves, but also the way in which
they were able to obtain hadidi44-2. The remaining eleven of
those emails had registered Facebook profiles, but
investigation into their profiles yielded no substantial results.

The i2 chart created on this information represents how the
thirty-two most significant criminals relate to each other. The
final chart is displayed in Figure 1. The largest cluster contains
twenty-three of these emails. This cluster also contains detailed
information regarding relationships of the criminals to
Facebook pages, aliases, alternate email addresses, and Arabic
forum memberships. Using Google, many forums were found
where the criminals showed an online presence. A widely used
forum, called sa3eka, was the hub for many of the perpetrators
behind hadidi44-2. Eleven of the twenty-three criminals were
found to be members of this forum, which is the point at the top
of the tree shown in Figure 1. Searches of the forum revealed
that a PayPal phishing kit, as well as many other hacker tools,
designed by a hacker named Hadidi44 were distributed on this
site. The remaining twelve drop email addresses in this tree
were directly related to the Sa3eka members either through
common membership in other Arabic-language hacking
forums, such as VBSpiders and VBhacker, or through close
associates. We found the most prominent locations of the
criminals to be Morocco, Palestine, and Tunisia. Though the
criminals were not close associates in the real world, they
seemed to be closely related to each other within cyber
communities, as one can view from the interconnectedness of
the largest cluster documented in i2.
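
The link chart described above reduces to connected components over a graph of drop addresses and the contexts they share (forums, aliases, groups). An added Python example, not taken from the paper, that finds the clusters and the hub context of each; every address and context name below is constructed.

```python
from collections import defaultdict

# Constructed observations: (drop e-mail, context in which it was seen).
OBSERVATIONS = [
    ("drop-a@example.test", "forum:alpha"),
    ("drop-b@example.test", "forum:alpha"),
    ("drop-d@example.test", "forum:alpha"),
    ("drop-b@example.test", "forum:beta"),
    ("drop-c@example.test", "forum:beta"),
    ("drop-c@example.test", "alias:nick1"),
    ("drop-d@example.test", "alias:nick1"),
    ("drop-e@example.test", "group:gamma"),
    ("drop-f@example.test", "group:gamma"),
    ("drop-g@example.test", "site:solo"),
]


def clusters(observations):
    """Cluster e-mails that are linked, directly or transitively, by a shared
    context. Returns clusters sorted largest first, each with its hub (the
    context that the most addresses were seen in)."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    members = defaultdict(set)  # context -> e-mails seen there
    for email, context in observations:
        # E-mails and contexts are separate node types in one bipartite graph.
        union(("email", email), ("context", context))
        members[context].add(email)

    groups = defaultdict(set)
    for email, _ in observations:
        groups[find(("email", email))].add(email)

    result = []
    for emails in groups.values():
        contexts = sorted(c for c, seen in members.items() if seen & emails)
        hub = max(contexts, key=lambda c: len(members[c]))
        result.append({
            "emails": sorted(emails),
            "contexts": contexts,
            "hub": hub,
            "hub_size": len(members[hub]),
        })
    return sorted(result, key=lambda c: (-len(c["emails"]), c["emails"]))


if __name__ == "__main__":
    for cluster in clusters(OBSERVATIONS):
        print(len(cluster["emails"]), cluster["hub"], cluster["emails"])
```

A cluster with a single address corresponds to an unconnected tree in the chart: the address was found, but nothing tied it to any other drop address.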

A close up view of the relationships with the phisher Cry
Wolef can be viewed in Figure 2. Cry Wolef links to other
members of the chart through common memberships in
GazaHacker.net, fr.netlog.com, and links between his taha-
social.com domain and the traidnt forum.

Figure 2: Cry Wolef

Discussed earlier within the Methods section was the
naivety of mootezsaad@gmail.com. Due to the lack of privacy
settings on Saad's Facebook profile, investigation into this
criminal's malicious activity provided a plethora of evidence
against him. Saad had multiple friends with perilous privacy
settings as well, including the group that dubs themselves as
the Tunisian-Hackers. This group boasts about its mission to
create a community of Tunisian ethical hackers. (Perhaps they
failed in the ethical portion of that mission, as evidenced by
their many ties to PayPal phishing.) Investigating further,
email contacts for the group are found under
bsebai@ymail.com and smatrix1@live.fr.

An example of a single phisher using many email addresses
would be Smatrix. Smatrix1@live.fr is linked to the sa3eka
hackers through Achraf_lady, and his membership in the
Islamic Army Alkatrone, led by Dr. Timor, a member of both
VBSpiders and VBHackers, forums which share several
members with sa3eka. smatrix1@live.fr also uses the email
alias smatrix4spam@gmail.com with a Facebook page
assigned to the name Borhen Jwini. Smatrix is also known as
cc4smatrix@gmail.com which is the email of one of the
criminals receiving information through hadidi44-2.php.
Under this email, we find that this criminal is the administrator
of a website called Tounsi-Shop where he has listed his phone
number and street address. Smatrix is also linked to Mootez
Saad as a common member of the Tunisian-Hackers Facebook
group.

After searching through various notes posted by the
Tunisian-Hackers, it was evident that they acquired stolen
PayPal accounts. Through comments, pictures, and notes, it
was deduced that this group was a large proponent in the
spread of this kit. Deeper investigation led to a MediaFire
link posted under a header titled PayPal scam by smatrix.
Though the file itself was inaccessible, a search was
conducted on the various php components featured within
the post.

Searching with Google for these various php components led to
a browsable directory containing a copy of the hadidi44-2
phishing kit publicly displayed within a hacked website. The
kit was designed under the alias of Dr. Spam. Dr. Spam had his
results sent to rezult@live.de. The same cybercriminal also
uses the email zakprokiller@gmail.com, which was the most
prominent drop email associated with the kit, used to create at
least 31 phishing sites at the beginning of this research.
Searching this kit in the data mine 10 days later revealed that
the zakprokiller version had been encountered more than
twice as many times as it was on the first day it was accessed.
On this day, the search showed that Dr. Spam used this kit 68
times. Dr. Spam has an alternative alias, Map Dr. S., on the
widely used sa3eka forum. On this forum he has posted another
phishing kit containing the action file hadidi44-2.php, but this
one pertains to an AlertPay scam.

The alias Sam-Hacker has posted a word of thanks for the
criminal embedding the AlertPay tool and his email address is
Iv4@vip.cn. This criminal hacks websites with a criminal with
the alias Sn!PeR-HaCkER whose email is waes@w.cn, one of
the emails associated with the PayPal scam through hadidi44-
2.php. The connections to this particular file are widespread
through these Arabic-language hacking forums and show the
spread of this specific tool used to phish PayPal.
VI. DISCUSSION AND CONCLUSION
The hadidi44-2 kit was found to be a file hosted on the
Tunisian-Hacker Facebook page with multiple copies and
adaptations found on different Arabic-language hacker forums.
The kit seems to have originated on the sa3eka forum, and
many of the later instances of the kit can be traced back
through social relationships to members who would have had
access to the original kit. It is concluded that these forums are
where the majority of the criminals using this kit share their
tools. In this specific case study, it is inferred that the
cybercriminals involved in this particular PayPal phish shared
their tools of the trade with other cybercriminals through close
knit cyber communities.
The criminals behind the hadidi44-2.php PayPal phishing
kit were able to learn and propagate their criminal activity by
making connections within the cyber world. Just as a gang
member obtains their weapons and knowledge from more
experienced members of the same gang, the criminals involved
in this case obtained their tools from more experienced
cybercriminals who frequented the same forums. Therefore,
specific components of the differential association theory can
explain aspects of this case study.
Which components of Sutherland's theory are prevalent in
this investigation and which ones are not? To analyze this
question, each component was evaluated separately. The ones
most relevant to this case are explained as follows:
1) Criminal behavior is learned: Phishing PayPal was
learned in this case. We know this because the usage of the
hadidi44-2.php kit is growing. The number of times that the kit
was used more than doubled within only a week and a half.
2) Criminal behavior is learned through interaction with
others: This instance of phishing was learned through virtual
communication within forums and social networking mediums.
The criminals were able to interact with each other through the
virtual world. More prominent phishers were able to serve as
teachers of the crime through these virtual mediums.
3) Learning behavior takes place within intimate personal
groups: Close relationships were formed within these criminals
through the virtual communication mediums. These individuals
learned the usage of the kit by developing a trust and
connection with the influential phishers present within these
communities.
4) Learning criminal behavior includes techniques of
committing the crime and direction of motives, drives,
rationalizations, and attitudes: Techniques and skills of
phishing were available through public upload of the hadidi44-
2 kit to the close-knit cyber communities. Criminals targeted
PayPal for monetary purposes and believed it was acceptable
because reputable criminals within the forums were spreading
the kit. They were motivated by proof of monetary gain from
the other criminals that utilized this kit. The proof was in form
of screen shots of stolen accounts and gains, as well as boasts
of gain on forums.
7) Differential associations vary in frequency, duration,
priority, and intensity: This kit was being used by 99 email
addresses. However, most of these found criminals were
previously hackers associated with their own smaller hacking
groups. Phishing is a more serious crime than hacking and
requires much more involvement. Instead of defacing websites,
they are stealing money, identities, etc.
9) The process of learning criminal behavior expresses
general needs and values, but is not excused by such because
noncriminal behavior expresses the same needs and values:
Phishers were able to express need for monetary gain and an
outlet for their computer skills, which they may have thought to
not be accessible without committing this crime. However,
non-offenders express need for money and creative outlet and find
non-criminal ways to gain these needs. Therefore, the crimes of
these criminals cannot be excused by the reasons as to why
they committed the crime in the first place.
Six of the nine components of the differential
association theory were able to explain aspects of this PayPal
phishing case. The remaining three components deal with the
histories of the criminals. With this particular investigation,
there was not enough past history found on the individuals to
explain the inherent development of the criminals involved in
this case. These components refer to the ways in which
criminal behavior is learned in association with peers in
communication to share a common idea through practices,
skills, and tool sharing [13, 14]. This case study observed
behavior that seems to reinforce these points. Although the
particular kit was placed onto the Internet where any person
could freely access it, analysis shows that cybercriminals have
formed intimate communities where they have developed a
sense of trust and friendship. They may not be close in
proximity or even acquaintanceship in the real world, but in the
cyber world they have formed close associations with each
other. In their cyber bubbles they are able to learn from each
other by sharing ideas, practices, and tools of injustice.
Specifically regarding the hadidi44-2 kit, public sharing of the
kit within these close criminal communities allowed for
different cybercriminals to associate with one another for a
common purpose. This common purpose was to commit a
crime. Thus, it is concluded that hadidi44-2 kit was distributed
as an open source phishing kit within a particular community
targeted at a particular audience. The process of the spread of
the hadidi44-2 kit can therefore be explained through
components of the differential association theory.
This case study examined a specific pattern of
financial crimes that reinforced the concept that differential
association seems relevant to cybercrimes, even though no
real world association can be documented between the
criminals. The authors encourage additional case studies be
conducted in order to further relate social learning theories to
cybercrime. With a deeper understanding of how cybercrime
can be explained through such traditional criminology theories,
law enforcement may be able to better understand criminal
motivations in ways that help to prevent and combat
cybercrime in the future.
ACKNOWLEDGMENT
FUNDING FOR THIS STUDY WAS PROVIDED BY THE NATIONAL
SCIENCE FOUNDATION'S RESEARCH EXPERIENCES FOR
UNDERGRADUATES PROGRAM (AWARD # 1004953).
REFERENCES
[1] Agnew, R. "Testing the leading crime theories: an alternative
strategy focusing on motivational processes." Journal of
Research in Crime and Delinquency, no. 4 (1995): 32.

[2] Akers, R L., M D. Krohn, L Lanza-Kaduce, and M Radosevich.
"Social learning and deviant behavior: A specific test of a
general theory." American Sociological Association (1979): 636
- 655.

[3] Akers, R L. Deviant behavior - a social learning approach
Belmont, CA: Wadsworth Publishing Co., 1973.

[4] Beck, K, and J Zhan. "Phishing in Finance." Future Information
Technology (FutureTech),2010 5th International Conference on
(2010): 1-5.

[5] Burgess, R L., and R L. Akers. "A differential association-
reinforcement theory of criminal behavior." Social Problems
(1966): 128-147.

[6] Chen, J, and C Guo. "Online Detection and Prevention of
Phishing Attacks." Communications and Networking in China,
2006. ChinaCom '06. First International Conference on (2006):
1-7.

[7] Collins, M P., T J. Shimeall, S Faber, J Janies, R Weaver, M
Shon, and J B. Kadane. "Using uncleanliness to predict future
botnet addresses." In Proceedings of the 7th ACM SIGCOMM
conference on Internet measurement (2007): 93-104.

[8] Dahmija, R, J D. Tygar, and M Hearst. "Why Phishing Works."
UC Berkeley: Experimental Social Science Laboratory (Xlab).
Retrieved from: http://escholarship.org/uc/item/9dd9v9vd
(2006):

[9] Gu, G, J Zhang, and W Lee. "BotMiner: Clustering Analysis of
Network Traffic for Protocol- and Structure-Independent Botnet
Detection." In Proc. of the 17 th conference USENIX Security
Symposium, Boston, MA (2008): 139-154.

[10] Hayati, P, and V Potdar. "Spammer and hacker, two old friends
." Digital Ecosystems and Technologies, 2009. DEST '09. 3rd
IEEE International Conference on (2009): 290-294.

[11] Husna, H, S Phithakkitnukoon, S Palla, and R Dantu. "Behavior
Analysis of Spam Botnets." Communication Systems Software
and Middleware and Workshops, 2008. COMSWARE 2008. 3rd
International Conference on (2008): 246-253.

[12] Irani, D, S Webb, J Griffin, and C Pu. "Evolutionary Study of
Phishing ." eCrime Researchers Summit (2008): 1-10.
h_adidi@windowslive.com - September 6, 2013 - Read articles at www.DeepDyve.com
[13] Lanier, M M., and S Henry. Learning Criminal Behavior:
Social Process Theories." In Essential Criminology, 2nd ed.,
156-178. Oxford, United Kingdom: Westview Press, 2004.

[14] McQuade, S C. "Theories of Computer Enabled Abuse and
Crime." In Understanding and Managing Cyber crime, 1st ed.,
137-182. Boston, Massachusetts: Pearson Education, Inc, 2006.

[15] Morris, R G., and A G. Blackburn. "Cracking The Code: An
Empirical Exploration of Social Learning Theory and Computer
Crime." Journal of Crime and Justice 1 (2009): 1-32.

[16] Nazario, J, and T Holz. "As the net churns: Fast-flux botnet
observations." Malicious and Unwanted Software, 2008.
MALWARE 2008. 3rd International Conference on (2008): 24-
31.

[17] Nero, P J., B Wardman, H Copes, and G Warner. "Phishing:
Crime that pays." eCrime Researchers Summit (eCrime), (2011):
1-10.

[18] Parno, B, C Kuo, and A Perrig. "Authentication and Fraud
Detection: Phoolproof phishing prevention. ." Di Crescenzo, G.,
Rubin, A 4107 (2006):

[19] Rivest, R. "The MD5 Message Digest Algorithm." RFC 1321
(1992):

[20] Sutherland, E H., D R. Cressey, and D F. Luckenbill. Principles
of criminology, 11th ed. Oxford: Altamira Pr, 1992.

[21] Yong-Xia, Z, and Z Ge. "MD5 Research." Multimedia and
Information Technology (MMIT), (2010): 271-273.

[22] Yu, W D., S Nargundkar, and N Tiruthani. "A Phishing
Vulnerability Analysis of Web Based. ." Computers and
Communications, 2008. ISCC 2008. IEEE Symposium on
(2008): 326-331.

[23] "Botnet." Oxford Dictionaries, Accessed July 18, 2012.
http://oxforddictionaries.com/definition/english/botnet.

[24] "Key Features. IBM i2 Analyst's Notebook." IBM, Accessed
July 18, 2012. http://www.i2group.com/us/products/analysis-
product-line/ibm-i2-analysts-notebook.

[25] "RSA." The Year In Phishing. Fraud Report, Accessed July 18,
2012.
http://www.rsa.com/solutions/consumer_authentication/intelrepo
rt/11635_Online_Fraud_report_0112.pdf.

[26] "Technical Trends in Phishing Attacks. us-cert.gov." Us-cert.gov
, Accessed July 18, 2012.
http://www.cis.uab.edu/UABSpamDataMine.
[27] "UAB Phishing Operations. UAB Computer and Information
Sciences." UAB Computer and Information Sciences , Accessed
July 18, 2012. http://www.cis.uab.edu/PhishOps.

[28] "UAB Spam Data Mine. UAB Computer and Information
Sciences." UAB Computer and Information Sciences , Accessed
July 18, 2012. http://www.cis.uab.edu/UABSpamDataMine.

[29] "Understanding Criminology Theories." Criminology.com ,
Accessed July 18, 2012.
http://www.criminology.com/resources/understanding-
criminology-theories.

[30] "What is Maltego?." Maltego, Accessed July 18, 2012.
http://www.paterva.com/web5/client/overview.php.

[31] "What is PostgreSQL?." The PostgreSQL Global Development
Group , Accessed July 18, 202.
http://www.postgresql.org/docs/devel/static/intro-whatis.html.

[32] Freiburger, T. and Crane, J. The Internet as a Terrorists Tool:
A Social Learning Perspective in Cyber Criminology: Exploring
Internet Crimes and Criminal Behavior. Boca Raton, FL: CRC
Press

[33] Wang, J., Nansel, T. R., & Iannotti, R. J. (2011). Cyber and
Traditional Bullying: Differential Association With Depression.
Journal of Adolescent Health, 48 (4), 415-417.

[34] Wardman, B., Warner, G., McCalley, H., Turner, S., &
Skjellum, A. (2010). Reeling in Big Phish with a Deep MD5
Net. Journal of Digital Forensics, Security and Law, 5 (3), 33-
55.

[35] McCalley, H., Wardman, B. & Warner, G. (2011) Analysis of
Back-Doored Phishing Kits. Advanced in Digital Forensics VII,
155-168.






h_adidi@windowslive.com - September 6, 2013 - Read articles at www.DeepDyve.com

Вам также может понравиться