Professor Guy-Vincent Jourdan of the Faculty of Engineering, his doctoral student Emad Badawi, and Dr. Iosif Viorel Onut of IBM Canada’s Centre for Advanced Studies are probing this virtual underworld. Their work has caught the attention of the Anti-Phishing Working Group (APWG), an international coalition of industry, government, and academia based in the United States that was founded in 2003 to exchange data and research in a concerted effort to counter cybercrime.
About three years ago, the APWG formed the Crypto Currency Working Group (CCWG); the University of Ottawa and the University of Tulsa are the first universities in the world to contribute data to the CCWG’s growing repository of cryptocurrency wallet addresses used by cybercriminals to collect ransoms and scammed payments from victims. IBM is also supporting uOttawa’s project, with IBM Security X-Force, the company’s threat intelligence division, providing guidance and resources. The database being built through this international collaboration is becoming increasingly important in the fight against cryptocurrency fraud.
Bitcoin generator scams
Most recently, Jourdan, Badawi and fellow researchers adapted an automated scam detection system they had previously created to find Bitcoin generator scam webpages and to extract and monitor the Bitcoin wallet addresses used in the scams. In doing so, they have been able to track potential attacks against Bitcoin investors even before the investors become victims.
Unlike other types of cybercrime, it is possible to track transactions in cryptocurrency-based scams because they are posted on the blockchain, explains Jourdan, whose research is at the heart of the University of Ottawa’s hub for cybersecurity and cyber safety, launched in partnership with IBM Canada in 2019.
“We leverage the fact that these scams need to be advertised. Scammers do not know their victims, and thus must advertise their fraudulent ‘services’ and wait for victims to come,” he says. “We initially spend time in forums and other places where the scams are being advertised to create an initial dataset. We then extract several characteristics found in these advertisements and we use our web crawler to systematically look for pages having similar characteristics.
“We give all the pages found by the crawler to our classifier, which we have trained to flag real scam instances. As a result, our system automatically finds new instances of the scam as they are being advertised to victims,” he adds. “We then have a final system that analyzes these instances in real time, as they are being discovered, to extract specific information, such as the payment address.”
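The final extraction step Jourdan describes (pulling the payment address out of a flagged page) is illustrated below with an added example that is not the team's code. It takes constructed page text, finds legacy and segwit Bitcoin address candidates with a regex, and verifies the base58check or bech32 checksum so that one-character look-alikes are not reported as scam addresses; the two well-formed addresses are public test values (the genesis coinbase address and the BIP 173 test vector), not scam data.

```python
import hashlib
import re

# Constructed sample of scraped page text (not real scam data). The two well-formed addresses
# are public test values; the other two are one-character corruptions a bare regex still accepts.
SAMPLE_PAGE = """Free BTC generator - send 0.01 BTC to activate, receive 1 BTC back!
Pay to: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Segwit: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
Typo 1: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
Typo 2: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5
"""

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
# Legacy base58 candidates (start with 1 or 3) or lowercase bech32/bech32m candidates (bc1...).
CANDIDATE_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{8,87})\b")


def base58check_ok(addr):
    """Decode a legacy P2PKH/P2SH address and verify its 4-byte SHA256d checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False  # decodes to more than 25 bytes: not a legacy address
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def bech32_ok(addr):
    """Verify the BCH checksum of a segwit address (BIP 173 bech32 or BIP 350 bech32m)."""
    hrp, _, data = addr.rpartition("1")
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + [BECH32.index(c) for c in data]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk in (1, 0x2BC830A3)  # bech32 constant, bech32m constant


def extract_payment_addresses(page_text):
    """Split regex candidates into checksum-valid addresses and rejected look-alikes."""
    valid, rejected = [], []
    for cand in CANDIDATE_RE.findall(page_text):
        ok = bech32_ok(cand) if cand.startswith("bc1") else base58check_ok(cand)
        (valid if ok else rejected).append(cand)
    return valid, rejected
```

Only the addresses in the `valid` list would be worth forwarding to a clearinghouse; the rejected ones are the false positives a regex-only extractor would have shared.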
Blocking fraudulent attacks
This proactive approach to detecting cryptocurrency fraud is already paying off. “In scams that ultimately do receive payment, we can flag the address before the first payment is submitted in over 70% of the cases,” says Jourdan. “That is the most exciting part of the system to us: ideally, we want to block the attack before there are any victims, and our system is a step in that direction.” Their system has detected well over 8,000 addresses so far — and counting.
The automatic production of this telling data is invaluable, says Peter Cassidy, APWG Secretary General and a founding curator of the CCWG. “It is using the resources of the Web to help the Web defend itself. There aren’t enough hands to do this type of work; the machine has to defend itself.”
“It’s essential that we foster a highly skilled cyber workforce to secure and defend Canada’s economic prosperity tomorrow,” says Steven Astorino, IBM Canada Lab Director and VP of Development for IBM Data & AI. “Seeing a research project develop into a global threat identification tool, just a year after we announced our partnership with uOttawa, is very promising and encouraging. This is a testament to how powerful collaboration between industry and academia can be, and why IBM will continue to support and drive domestic leadership in cybersecurity.”
What happens when fraudulent addresses are uncovered? Jourdan’s team shares them with the research community and with the APWG, whose eCrime eXchange clearinghouse is used by professionals working in the field, including cryptocurrency exchanges, wallet providers, and trading platforms. “It is not a stretch to imagine that law enforcement agencies use this data as well,” says Jourdan.
As an important step toward unravelling a complex web of deceit in the investment world, Jourdan’s research collaboration with the CCWG is also contributing to a larger global effort to protect the public — and its pocketbook — from all manner of cybercrime.