Hadidi44-2.php PayPal Case Study
Rachel Levin (levin8@tcnj.edu), The College of New Jersey, Ewing, NJ
Jonathan Richardson (richardsoj1@nku.edu), Northern Kentucky University, Highland Heights, KY
Gary Warner, Kent Kerley, PhD (gar@cis.uab.edu, krkerley@uab.edu), University of Alabama at Birmingham, Birmingham, AL
Abstract: Social learning theories, such as differential association theory, state that criminals develop deviant behaviors and learn the tools of their trade through close association with other deviants. This case study examines a group of 99 email addresses found to be using the same PayPal phishing kit. It uses Open Source Intelligence techniques to determine potential relationships between the holders of these email addresses. The results are then discussed in light of differential association theory to determine the extent to which this theory may aid in the understanding of cybercrime.
Index Terms: Phishing, Differential Association Theory, Cybercrime, PayPal
I. INTRODUCTION
Cybercrime has evolved with the ever-constant boom of modern technology, but law enforcement has struggled to keep up with the innovations of cybercriminals. Cybercrime has become a huge problem for online financial institutions and E-commerce websites alike. Typical street-level criminals and cybercriminals may differ in many ways. In street-level crime, criminals commit their acts against people that are in their general vicinity. Their motives often are clear, usually involving immediate reward and financial gain. Cybercriminals commit all of their crimes online where distance is no factor in their motivations. They can commit these crimes without fear of being seen. Their motivations are usually related to those of street-level criminals, but their reward usually comes at a later date. Data collection is their immediate reward, whereas financial gain comes in time. There are clear differences between these types of criminals, but can they be explained through the same criminological theories?
Using social learning theories as a heuristic guide, we provide a case study of cybercrime. This is an exploratory study that investigates the many criminals who all chose to personalize and use the same PayPal phishing kit referred to as hadidi44-2.php because of the presence of that unique filename. It is clear that cybercriminals pursue deviant behaviors and commit deviant actions, but how did they come to all use the same tool in this case? What can we learn about this case from differential association theory? Utilizing open source intelligence tools to conduct the research, investigation was carried out under the scope of this theory.
II. THEORETICAL BACKGROUND
Traditional criminological theories have been used to explain cybercrime in the past, but such theories pertain to intuitive choice, rather than learning outcomes. Social learning theories are within a subcategory of social process theories [14]. Social process theories attempt to explain crime through the contribution of societal factors to the moral development of an individual. Social learning theories, in particular, explain how the interaction within groups and peers constitutes the framework for criminal activities [3]. These theories posit that criminals learn behavior through social interactions involving the sharing of knowledge through physical acts and reinforcement of ethical codes and attitudes towards crime. Within this framework, these specific theories can contribute to explaining cybercrime.
Computers provide various hubs of open source information and serve as a world within themselves comprised of multiple communities. The range of interests presented within the cyber world includes a rich subculture based on devious intent. The most successful cybercriminals require access to a wide array of abilities, tools, and knowledge that is hard to acquire in isolation. Therefore, one can infer that social learning theories provide a basic framework for explaining how criminals share knowledge and tools, but more importantly, how they create favorable attitudes and group-reinforcing rationalizations towards participating in crime [15]. Social learning theories consist of a number of sub theories. In this research, the focus will be on the study of differential association theory in relation to the cybercrime world.
In the fields of Sociology and Criminology, differential association theory is the exemplar of social learning theories [3]. This theory was introduced by Edwin Sutherland in 1939 and posits that criminality, in large part, represents a socialization process. Short for "differential association with criminal and anti-criminal behavioral patterns," [13] the theory generalizes that humans learn to participate in delinquency from exposure to criminal behavior and attitudes through association with close and trusted peers. Further exploration into this theory reveals the idea that learning criminal behavior is a process similar to learning any other type of behavior [20]. The theory is built upon nine basic concepts that are summarized as follows:
978-1-4673-2543-1/12/$31.00 2012 IEEE h_adidi@windowslive.com - September 6, 2013 - Read articles at www.DeepDyve.com
1) Criminal behavior is learned.
2) Criminal behavior is learned through interaction with others.
3) Learning behavior takes place within intimate personal groups.
4) Learning criminal behavior includes techniques of committing the crime and direction of motives, drives, rationalizations, and attitudes.
5) Direction of drives and motives is learned from definitions of legal codes as favorable and unfavorable.
6) A person becomes a criminal when contact with other deviants produces an excess of definitions favorable to the violation of the law.
7) Differential associations vary in frequency, duration, priority, and intensity.
8) The process of learning criminal behavior by association with criminal and anti-criminal patterns involves all of the mechanisms that are involved in any other learning.
9) The process of learning criminal behavior expresses general needs and values, but is not excused by such because noncriminal behavior expresses the same needs and values. [20]
These nine components of differential association theory are usually used to explain street-level crime and white-collar crime. Differential association has been used to explain a wide range of online misbehavior ranging from cyber bullying to terrorism [32,33]. This study will explore the investigation into the hadidi44-2.php phishing kit and examine how this theory may be used as a framework for understanding this case.
III. TECHNICAL BACKGROUND
For the purpose of this case study, phishing will be defined as the use of deceitful emails to trick targeted victims into redirecting to a fake website and disclosing private information such as user names, passwords, credit card numbers, social security numbers, addresses and other exploitative information. As consumers have embraced online methods of commerce, banks and online merchants have moved towards email as the most inexpensive and effective method of maintaining relationships with their customers. This normalization of email as the chosen method for consumer-facing communications has created a new opportunity for criminals as consumers now expect important reminders and notices from their online merchants to arrive via electronic mail. Criminals around the world no longer need to be in physical proximity to their victim to accomplish sophisticated financial crimes.
Phishing has grown into a multi-billion dollar conglomerate comprised of sects of cybercriminals from around the world, collectively hoarding millions of unsuspecting victims' personal information annually and using that information to exploit their victims' finances or for identity theft. The January 2012 RSA report notes that in 2011, roughly one in every 300 emails in circulation around the Internet was believed to contain elements relating to phishing. This report also stated that in 2011, 279,580 phishing attacks were observed, a 37% increase in attacks from their 2010 report.
The top requested phishing sites imitated the login pages of the U.S.-based banks [25]. This information demonstrates why research into a financial institution phish such as PayPal is necessary for a greater understanding of cybercriminal tool sharing [25]. According to the January 2012 RSA phishing report, phishers in 2011 kept their focus on committing fraud against financial institutions. This report states that financial institutions topped the chart of entities that had their web pages targeted for the majority of phishing attacks. Financial institutions combat phishing in one of two ways: internal cyber security professionals, or by contracting takedown companies that remove relevant phishing websites when they are detected [18]. However, with a better understanding of cybercrime through current social learning theories, phishing may be combated before taking place.
The purpose of this case study is not to give a history of phishing; rather it is to describe how phishers, hackers, and spammers share their online tools and how cybercriminals fit into differential association theory. This insight should inspire future research into other social learning theories and how they apply to cybercrime.
Integral to this study was the use of the University of Alabama at Birmingham's (UAB) [28] Spam Data Mine. The purpose of the resource is to store and research spam data found throughout the Internet, usually in the form of spam emails [27]. UAB's Computer Forensics Research Lab automatically extracts information from the spam emails and stores it for use in open source investigations. UAB gathers upwards of 1 million spam emails a day, totaling more than 500 million spam emails as of January 2011. The UAB Phishing Operations team receives potential phishing URLs from various sources, including URL lists and spam email messages, and systematically analyzes them to determine if the URL is confirmed to be a phishing website [27]. If the URL is found to be a phish, automated tools, informed by patterns labeled by subject matter experts on the team, decide what financial institution or e-commerce web site it belongs to [27]. The phishing analysis system does this in part by inventorying the individual files used to create the phishing system and finding previously confirmed phishing sites that contain the same set of files used on the site under consideration through a process called Deep MD5 Matching [35]. Automated and manual techniques are then used to attempt to identify phishing kits placed on a hacked web server used for phishing. A phishing kit is an archive file, usually in .zip format, uploaded to a compromised web site by the phisher. The phishing site is then made by unzipping the kit in the directory structure of the published webserver pages. These kits often contain the email addresses to which stolen personal financial information gathered from victims will be sent, referred to as drop emails. Since its creation in 2007, the UAB PhishOps team has confirmed and archived more than 540,000 phishing websites.
As of July 18, 2012, the Phishing Ops team had found 194,462 total recorded phish for the year of 2012 alone. Within these phish, the team was able to retrieve 21,412 (11%) phishing kits. In 2011, over 189,000 phishing sites for more than 400 ecommerce and financial institutions were identified. When a phishing kit is located on a phishing site, it is retrieved and analyzed, with key information about the kit and its contents stored into the Phishing Data Mine. These tools were used to archive and analyze the hadidi44-2.php phishing kit that serves as the focus of this case study.
IV. METHODS
Analysts on the PhishOps team work with law enforcement and corporate investigators to identify groups of related phishing sites that are interesting for further investigation because of their prominence in relation to other groups of phishing sites. In this case study, visiting researchers participating in the National Science Foundation Research Experience for Undergraduates emulated these techniques while learning the methods used routinely in the lab. Individual phishing kits are chosen for investigation for a variety of reasons, including being linked to a particular financial loss, or in response to a request from an investigator. In this case, the kit was chosen due to a sudden surge in the prominence of the kit. In July 2012, more than thirty phishing sites imitating PayPal were found to have used the same phishing kit, where the only modification between versions of the kit was the drop email address that should receive the stolen credentials. In the lab parlance, the php program file that sends the email to the criminal is called the action file. For convenience of reference, the kit was referred to by the name of its action file, hadidi44-2.php. The hadidi44-2 kit was found to have been used to create at least 274 phishing sites dating back almost a year to July 25, 2011. Ninety-six versions of the kit were found based on the uniqueness of the action file with the most prominent version of the kit found to be used 31 times. These emails were then extracted for investigation. Within the 96 hadidi44-2 kits, 99 unique email addresses were extracted for further investigation.
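The file-inventory matching from the technical background and the action-file grouping described above can be sketched as follows. This is an added example, not the UAB lab's code: the Jaccard overlap score, the function names, and every sample site, file and address are constructed assumptions, since the paper does not give the Deep MD5 Matching formula.

```python
import hashlib
import re
from collections import defaultdict

ACTION = "hadidi44-2.php"  # action-file name taken from the case study
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def md5_hex(data: bytes) -> str:
    # MD5 is used only as a file fingerprint here, not as a security control.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def file_hash_set(files: dict) -> frozenset:
    """Inventory a site: the set of MD5s of every file it serves."""
    return frozenset(md5_hex(body) for body in files.values())


def overlap(a: frozenset, b: frozenset) -> float:
    """Jaccard overlap of two hash sets (assumed metric, see lead-in)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def best_match(candidate: dict, confirmed: dict):
    """Return (family, score) of the confirmed site sharing the most files."""
    if not confirmed:
        return None, 0.0
    cand = file_hash_set(candidate)
    score, name = max(
        (overlap(cand, file_hash_set(files)), name)
        for name, files in confirmed.items()
    )
    return name, score


def extract_drop_emails(action_source: bytes) -> set:
    """Pull candidate drop addresses out of an action file's source."""
    return {m.decode("ascii").lower() for m in EMAIL_RE.findall(action_source)}


def group_versions(sites: dict, action_name: str) -> dict:
    """Group sites into kit versions keyed by the MD5 of their action file."""
    versions = defaultdict(lambda: {"sites": [], "emails": set()})
    for site, files in sites.items():
        source = files.get(action_name)
        if source is None:  # site was retrieved without its action file
            continue
        version = versions[md5_hex(source)]
        version["sites"].append(site)
        version["emails"] |= extract_drop_emails(source)
    return dict(versions)


# --- Constructed sample data: three sites built from one kit -------------
_SHARED = {
    "index.html": b"<html>constructed placeholder page</html>",
    "css/style.css": b"body{margin:0}",
    "img/logo.gif": b"GIF89a-constructed",
}


def _kit(drop: bytes) -> dict:
    # Only the drop address differs between versions, as in the case study.
    return {**_SHARED, ACTION: b'<?php $to = "' + drop + b'"; // constructed ?>'}


SITES = {
    "site-a.example": _kit(b"drop1@example.com"),
    "site-b.example": _kit(b"drop1@example.com"),
    "site-c.example": _kit(b"Drop2@example.org"),
}
CONFIRMED = {
    "hadidi44-2 (PayPal)": SITES["site-a.example"],
    "unrelated-kit": {"login.php": b"other", "a.css": b"x"},
}
CANDIDATE = _kit(b"drop3@example.net")  # new site, new drop address

if __name__ == "__main__":
    print(best_match(CANDIDATE, CONFIRMED))
    for digest, info in group_versions(SITES, ACTION).items():
        print(digest[:8], info["sites"], sorted(info["emails"]))
```

The candidate still matches the known family because three of its four files are byte-identical, while the changed action file gives it a new version hash and a new drop address to investigate.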
The concept of 99 individuals each choosing to name their action file hadidi44-2.php was not plausible. This left the research with three possible outcomes: (1) The kit's creator had multiple email accounts and was spreading the kit from a plethora of different aliases or (2) The kit was freely available on the Internet and any aspiring criminal could acquire and use it, or (3) The kit was distributed within a community of cybercriminals who share their tools and techniques with one another. By investigating the emails, the relationships between these criminals could be identified and finding the origin of hadidi44-2 could help us further explain whether the criminals behind these email addresses had a relationship with one another as suggested by the differential association theory.
After extracting the 99 unique emails from the phishing kit, each individual email was searched through a number of open source intelligence tools, beginning with Paterva's Maltego product. Maltego uses a series of predefined transforms to search a variety of data sources for relevant information, and then graphically represents relationships formed between search items when they return common results. Email addresses were found to be related to one another for a variety of reasons. Some were found on the same hacked website where hackers had posted email addresses of their team mates as a form of graffiti. Others were found to belong to members of a common hacking forum, or to have been used as an administrative email address for a website.
Some of the results of the Maltego search yielded additional aliases or identities used by the same hacker. For example, Maltego produced more than 50 results for the email address crywolef@yahoo.com including evidence that the email was used to register the domain FireMovies.net, and that the individual also used the aliases mamoun00@hotmail.com and cry_wolef@hotmail.com, both of which are contained in our original list of 99 hadidi44-2 emails. This particular individual is also involved in hacking. We also know that this criminal used the email address crywole@yahoo.com to register the domain tahasocial.com. Tahasocial.com is recommended by members of traidnt.net, an Arabic forum. Traidnt.net is an online hacking forum with several members within our target emails, including fnxdsp@hotmail.fr, deemar197@gmail.com, and hk96sp@gmail.com. Each of these emails also receives stolen information from at least one version of the hadidi44-2.php action file.
The Google search engine was used to find further information on the phishers, as well as clues as to where they share their tools. By searching the previously mentioned email, deemar197@gmail.com, we find that this email uses the alias Zakariati on the Arabic hacking forum, Sa3eka. Sa3eka proved to be popular within our set of criminals, along with other Arabic web design forums such as traidnt.net, and Arabic hacking forums including VBhacker, VBspiders, and gazahacker.net. These forums were found to create most of the relationships within our criminal web. This discovery helped to reveal forums where criminals felt comfortable freely discussing their nefarious activities. In some cases the same email address is associated with multiple aliases across different forums. Conversely, multiple email addresses were found for the same alias within threads of comments found on the forums. With multiple email addresses, further searches were conducted using Maltego and other techniques, deducing even more information on the hadidi44-2 criminals. Many of the searches resulted in social networking profiles.
In the modern cyber-driven world, communities are being formed online creating associations and forming social bonds through the Internet. One way in which people take advantage of this is through social networking sites, such as Facebook. Of the ninety-nine unique email addresses associated with the hadidi44-2.php, twenty-nine of these criminals were owners of Facebook profiles. Strict privacy settings and fraudulent personal information within profiles ended the investigation of some of the cybercriminals, while less vigilant profiles provided a surfeit of information. For example, mootez.saad@gmail.com has a Facebook profile under the name Mootez Saad. Analysis of Saad's public pictures proved to be lucrative to this investigation. Within these files were multiple screenshots of stolen PayPal accounts. Saad attempted to cover his tracks by masking the personal information within his screenshots; however, his attention to detail was lacking in most cases. Upon closer inspection of Saad's other Facebook images, another email under the address of miutex.xox@hotmail.fr was identified in addition to a physical street address, details of a PayPal SQL injection attack, and his Skype alias.
After researching all ninety-nine email addresses and their associations, the relationships were collected and portrayed in i2 Analyst's Notebook where the analysis of their connections took place. Each individual shows the relationship between hadidi44-2 emails as demonstrated by common social network links, including forum memberships, Facebook groups, and other contexts. Unconnected trees were not demonstrated to have a social network relationship to each other. Creating this type of chart allowed for visual representation of the criminals' relationships with one another.
Figure 1: Hadidi44-2 emails in social network context
V. RESULTS
Using open source intelligence tools generated very useful results. Maltego was able to provide relevant email addresses, websites, and other relationships, which were refined through further queries using Google and other search methods. Google returned fewer results than Maltego, but they were often more relevant than some of the leads generated in Maltego. It provided various links to community forums, web pages, and social networking sites tied to the specified email searched.
Of the ninety-nine unique emails behind the hadidi44-2.php action file, forty-three emails were found on the Internet. Thirty-two emails returned ample and significant results not only on the criminals themselves, but also the way in which they were able to obtain hadidi44-2. The remaining eleven of those emails had registered Facebook profiles, but investigation into their profiles yielded no substantial results.
The i2 chart created on this information represents how the thirty-two most significant criminals relate to each other. The final chart is displayed in Figure 1. The largest cluster contains twenty-three of these emails. This cluster also contains detailed information regarding relationships of the criminals to Facebook pages, aliases, alternate email addresses, and Arabic forum memberships. Using Google, many forums were found where the criminals showed an online presence. A widely used forum, called sa3eka, was the hub for many of the perpetrators behind hadidi44-2. Eleven of the twenty-three criminals were found to be members of this forum, which is the point at the top of the tree shown in Figure 1. Searches of the forum revealed that a PayPal phishing kit, as well as many other hacker tools, designed by a hacker named Hadidi44 were distributed on this site. The remaining twelve drop email addresses in this tree were directly related to the Sa3eka members either through common membership in other Arabic-language hacking forums, such as VBSpiders and VBhacker, or through close associates. We found the most prominent locations of the criminals to be Morocco, Palestine, and Tunisia. Though the criminals were not close associates in the real world, they seemed to be closely related to each other within cyber communities, as one can view from the interconnectedness of the largest cluster documented in i2.
A close up view of the relationships with the phisher Cry Wolef can be viewed in Figure 2. Cry Wolef links to other members of the chart through common memberships in GazaHacker.net, fr.netlog.com, and links between his taha- social.com domain and the traidnt forum.
Figure 2: Cry Wolef
Discussed earlier within the Methods section was the naivety of mootezsaad@gmail.com. Due to the lack of privacy settings on Saad's Facebook profile, investigation into this criminal's malicious activity provided a plethora of evidence against him. Saad had multiple friends with perilous privacy settings as well, including the group that dubs themselves as the "Tunisian-Hackers". This group boasts about its mission to create a community of Tunisian ethical hackers. (Perhaps they failed in the ethical portion of that mission, as evidenced by their many ties to PayPal phishing.) Investigating further, email contacts for the group are found under bsebai@ymail.com and smatrix1@live.fr.
An example of a single phisher using many email addresses would be Smatrix. Smatrix1@live.fr is linked to the sa3eka hackers through Achraf_lady, and his membership in the Islamic Army Alkatrone, led by Dr. Timor, a member of both VBSpiders and VBHackers, forums which share several members with sa3eka. smatrix1@live.fr also uses the email alias smatrix4spam@gmail.com with a Facebook page assigned to the name Borhen Jwini. Smatrix is also known as cc4smatrix@gmail.com, which is the email of one of the criminals receiving information through hadidi44-2.php. Under this email, we find that this criminal is the administrator of a website called Tounsi-Shop where he has listed his phone number and street address. Smatrix is also linked to Mootez Saad as a common member of the Tunisian-Hackers Facebook group.
After searching through various notes posted by the Tunisian-Hackers, it was evident that they acquired stolen PayPal accounts. Through comments, pictures, and notes, it was deduced that this group was a large proponent in the spread of this kit. Deeper investigation led to a MediaFire link posted under a header titled PayPal scam by smatrix. Though the file itself was inaccessible, a search was conducted on the various php components featured within the post.
Searching with Google for these various php components led to a browsable directory containing a copy of the hadidi44-2 phishing kit publicly displayed within a hacked website. The kit was designed under the alias of Dr. Spam. Dr. Spam had his results sent to rezult@live.de. The same cybercriminal also uses the email zakprokiller@gmail.com, which was the most prominent drop email associated with the kit, used to create at least 31 phishing sites at the beginning of this research. Searching this kit in the data mine 10 days later revealed that the zakprokiller version had been encountered more than twice as many times as it was on the first day it was accessed. On this day, the search showed that Dr. Spam used this kit 68 times. Dr. Spam has an alternative alias, Map Dr. S., on the widely used sa3eka forum. On this forum he has posted another phishing kit containing the action file hadidi44-2.php, but this one pertains to an AlertPay scam.
The alias Sam-Hacker has posted a word of thanks for the criminal embedding the AlertPay tool and his email address is Iv4@vip.cn. This criminal hacks websites with a criminal with the alias Sn!PeR-HaCkER whose email is waes@w.cn, one of the emails associated with the PayPal scam through hadidi44-2.php. The connections to this particular file are widespread through these Arabic-language hacking forums and show the spread of this specific tool used to phish PayPal.
V. DISCUSSION AND CONCLUSION
The hadidi44-2 kit was found to be a file hosted on the Tunisian-Hacker Facebook page with multiple copies and adaptations found on different Arabic-language hacker forums. The kit seems to have originated on the sa3eka forum, and many of the later instances of the kit can be traced back through social relationships to members who would have had access to the original kit. It is concluded that these forums are where the majority of the criminals using this kit share their tools. In this specific case study, it is inferred that the cybercriminals involved in this particular PayPal phish shared their tools of the trade with other cybercriminals through close knit cyber communities. The criminals behind the hadidi44-2.php PayPal phishing kit were able to learn and propagate their criminal activity by making connections within the cyber world. Just as a gang member obtains their weapons and knowledge from more experienced members of the same gang, the criminals involved in this case obtained their tools from more experienced cybercriminals who frequented the same forums. Therefore, specific components of the differential association theory can explain aspects of this case study. Which components of Sutherland's theory are prevalent in this investigation and which ones are not? To analyze this question, each component was evaluated separately. The ones most relevant to this case are explained as follows:
1) Criminal behavior is learned: Phishing PayPal was learned in this case. We know this because the usage of the hadidi44-2.php kit is growing. The number of times that the kit was used more than doubled within only a week and a half.
2) Criminal behavior is learned through interaction with others: This instance of phishing was learned through virtual communication within forums and social networking mediums. The criminals were able to interact with each other through the virtual world. More prominent phishers were able to serve as teachers of the crime through these virtual mediums.
3) Learning behavior takes place within intimate personal groups: Close relationships were formed within these criminals through the virtual communication mediums. These individuals learned the usage of the kit by developing a trust and connection with the influential phishers present within these communities.
4) Learning criminal behavior includes techniques of committing the crime and direction of motives, drives, rationalizations, and attitudes: Techniques and skills of phishing were available through public upload of the hadidi44-2 kit to the close-knit cyber communities. Criminals targeted PayPal for monetary purposes and believed it was acceptable because reputable criminals within the forums were spreading the kit. They were motivated by proof of monetary gain from the other criminals that utilized this kit. The proof was in the form of screen shots of stolen accounts and gains, as well as boasts of gain on forums.
7) Differential associations vary in frequency, duration, priority, and intensity: This kit was being used by 99 email addresses. However, most of these found criminals were previously hackers associated with their own smaller hacking groups. Phishing is a more serious crime than hacking that involves much more involvement. Instead of defacing websites, they are stealing money, identities, etc.
9) The process of learning criminal behavior expresses general needs and values, but is not excused by such because noncriminal behavior expresses the same needs and values: Phishers were able to express need for monetary gain and an outlet for their computer skills, which they may have thought to not be accessible without committing this crime. However, non-offenders express need for money and creative outlet and find non-criminal ways to gain these needs. Therefore, the crimes of these criminals cannot be excused by the reasons as to why they committed the crime in the first place.
Six of the nine components of the differential association theory were able to explain aspects of this PayPal phishing case. The remaining three components deal with the histories of the criminals. With this particular investigation, there was not enough past history found on the individuals to explain the inherent development of the criminals involved in this case. These components refer to the ways in which criminal behavior is learned in association with peers in communication to share a common idea through practices, skills, and tool sharing [13, 14]. This case study observed behavior that seems to reinforce these points. Although the particular kit was placed onto the Internet where any person could freely access it, analysis shows that cybercriminals have formed intimate communities where they have developed a sense of trust and friendship. They may not be close in proximity or even acquaintanceship in the real world, but in the cyber world they have formed close associations with each other. In their cyber bubbles they are able to learn from each other by sharing ideas, practices, and tools of injustice. Specifically regarding the hadidi44-2 kit, public sharing of the kit within these close criminal communities allowed for different cybercriminals to associate with one another for a common purpose. This common purpose was to commit a crime.
Thus, it is concluded that the hadidi44-2 kit was distributed as an open source phishing kit within a particular community targeted at a particular audience. The process of the spread of the hadidi44-2 kit can therefore be explained through components of the differential association theory. This case study examined a specific pattern of financial crimes that reinforced the concept that differential association seems relevant to cybercrimes, even though no real world association can be documented between the criminals. The authors encourage additional case studies be conducted in order to further relate social learning theories to cybercrime. With a deeper understanding of how cybercrime can be explained through such traditional criminology theories, law enforcement may be able to better understand criminal motivations in ways that help to prevent and combat cybercrime in the future.
ACKNOWLEDGMENT
FUNDING FOR THIS STUDY WAS PROVIDED BY THE NATIONAL SCIENCE FOUNDATION'S RESEARCH EXPERIENCES FOR UNDERGRADUATES PROGRAM (AWARD # 1004953).
REFERENCES
[1] Agnew, R. "Testing the leading crime theories: an alternative strategy focusing on motivational processes." Journal of Research in Crime and Delinquency, no. 4 (1995): 32.
[2] Akers, R L., M D. Khron, L Lanza-Kaduce, and M Radosevich. "Social learning and deviant behavior: A specific test of a general theory." American Sociological Association (1979): 636 - 655.
[3] Akers, R L. Deviant behavior - a social learning approach Belmont, CA: Wadsworth Publishing Co., 1973.
[4] Beck, K, and J Zhan. "Phishing in Finance." Future Information Technology (FutureTech), 2010 5th International Conference on (2010): 1-5.
[5] Burgess, R L., and R L. Akers. "A differential association-reinforcement theory of criminal behavior." Social Problems (1966): 128-147.
[6] Chen, J, and C Guo. "Online Detection and Prevention of Phishing Attacks." Communications and Networking in China, 2006. ChinaCom '06. First International Conference on (2006): 1-7.
[7] Collins, M P., T J. Shimeall, S Faber, J Janies, R Weaver, M Shon, and J B. Kadane. "Using uncleanliness to predict future botnet addresses." In Proceedings of the 7th ACM SIGCOMM conference on Internet measurement (2007): 93-104.
[8] Dhamija, R, J D. Tygar, and M Hearst. "Why Phishing Works." UC Berkeley: Experimental Social Science Laboratory (Xlab). Retrieved from: http://escholarship.org/uc/item/9dd9v9vd (2006).
[9] Gu, G, J Zhang, and W Lee. "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection." In Proc. of the 17th conference USENIX Security Symposium, Boston, MA (2008): 139-154.
[10] Hayati, P, and V Potdar. "Spammer and hacker, two old friends." Digital Ecosystems and Technologies, 2009. DEST '09. 3rd IEEE International Conference on (2009): 290-294.
[11] Husna, H, S Phithakkitnukoon, S Palla, and R Dantu. "Behavior Analysis of Spam Botnets." Communication Systems Software and Middleware and Workshops, 2008. COMSWARE 2008. 3rd International Conference on (2008): 246-253.
[12] Irani, D, S Webb, J Griffin, and C Pu. "Evolutionary Study of Phishing." eCrime Researchers Summit (2008): 1-10.
[13] Lanier, M M., and S Henry. "Learning Criminal Behavior: Social Process Theories." In Essential Criminology, 2nd ed., 156-178. Oxford, United Kingdom: Westview Press, 2004.
[14] McQuade, S C. "Theories of Computer Enabled Abuse and Crime." In Understanding and Managing Cyber crime, 1st ed., 137-182. Boston, Massachusetts: Pearson Education, Inc, 2006.
[15] Morris, R G., and A G. Blackburn. "Cracking The Code: An Empirical Exploration of Social Learning Theory and Computer Crime." Journal of Crime and Justice 1 (2009): 1-32.
[16] Nazario, J, and T Holz. "As the net churns: Fast-flux botnet observations." Malicious and Unwanted Software, 2008. MALWARE 2008. 3rd International Conference on (2008): 24-31.
[17] Nero, P J., B Wardman, H Copes, and G Warner. "Phishing: Crime that pays." eCrime Researchers Summit (eCrime), (2011): 1-10.
[18] Parno, B, C Kuo, and A Perrig. "Authentication and Fraud Detection: Phoolproof phishing prevention." Di Crescenzo, G., Rubin, A 4107 (2006).
[19] Rivest, R. "The MD5 Message Digest Algorithm." RFC 1321 (1992).
[20] Sutherland, E H., D R. Cressey, and D F. Luckenbill. Principles of criminology, 11th ed. Oxford: Altamira Pr, 1992.
[21] Yong-Xia, Z, and Z Ge. "MD5 Research." Multimedia and Information Technology (MMIT), (2010): 271-273.
[22] Yu, W D., S Nargundkar, and N Tiruthani. "A Phishing Vulnerability Analysis of Web Based." Computers and Communications, 2008. ISCC 2008. IEEE Symposium on (2008): 326-331.
[23] "Botnet." Oxford Dictionaries, Accessed July 18, 2012. http://oxforddictionaries.com/definition/english/botnet.
[24] "Key Features. IBM i2 Analyst's Notebook." IBM, Accessed July 18, 2012. http://www.i2group.com/us/products/analysis-product-line/ibm-i2-analysts-notebook.
[25] "RSA." The Year In Phishing. Fraud Report, Accessed July 18, 2012. http://www.rsa.com/solutions/consumer_authentication/intelreport/11635_Online_Fraud_report_0112.pdf.
[26] "Technical Trends in Phishing Attacks. us-cert.gov." Us-cert.gov, Accessed July 18, 2012. http://www.cis.uab.edu/UABSpamDataMine.
[27] "UAB Phishing Operations. UAB Computer and Information Sciences." UAB Computer and Information Sciences, Accessed July 18, 2012. http://www.cis.uab.edu/PhishOps.
[28] "UAB Spam Data Mine. UAB Computer and Information Sciences." UAB Computer and Information Sciences , Accessed July 18, 2012. http://www.cis.uab.edu/UABSpamDataMine.
[30] "What is Maltego?." Maltego, Accessed July 18, 2012. http://www.paterva.com/web5/client/overview.php.
[31] "What is PostgreSQL?." The PostgreSQL Global Development Group , Accessed July 18, 202. http://www.postgresql.org/docs/devel/static/intro-whatis.html.
[32] Freiburger, T. and Crane, J. The Internet as a Terrorist's Tool: A Social Learning Perspective in Cyber Criminology: Exploring Internet Crimes and Criminal Behavior. Boca Raton, FL: CRC Press.
[33] Wang, J., Nansel, T. R., & Iannotti, R. J. (2011). Cyber and Traditional Bullying: Differential Association With Depression. Journal of Adolescent Health, 48 (4), 415-417.
[34] Wardman, B., Warner, G., McCalley, H., Turner, S., & Skjellum, A. (2010). Reeling in Big Phish with a Deep MD5 Net. Journal of Digital Forensics, Security and Law, 5 (3), 33-55.
[35] McCalley, H., Wardman, B. & Warner, G. (2011) Analysis of Back-Doored Phishing Kits. Advances in Digital Forensics VII, 155-168.