Objective
This study examines Bitcoin generator (BG) websites on the clear and dark web. It focuses on their prevalence, revenue, and associated warnings, as these sites are suspected scams.

Method
Data for the study was gathered from the Dark Web Monitor and Iknaio Cryptoasset Analytics. A four-step process was used to identify BG sites and their Bitcoin addresses from 2 million dark websites.

Results
We found 832 dark web BG sites. The monetary revenue from a dark web BG site is approximately 1/3 smaller per Bitcoin address than from a clear web BG site. There is a concentration of revenue at a few BG sites. Only 24% of Bitcoin addresses on dark web BG sites have ever had money deposited on them. On the dark web, the top three clusters of crypto addresses account for 35% of the total revenue. On the clear web, the top three clusters account for 52% of the total revenue. The longer BG sites are online, the higher the revenue. There are hardly any warnings against BG sites.

Conclusion
Our results fit the Rational Choice model of crime: the revenue is modest, but the effort of the offenders is also limited.

Law enforcement agencies struggle with criminals using end-to-end encryption (E2EE). A recent policy paper states: “while encryption is vital and privacy and cyber security must be protected, that should not come at the expense of wholly precluding law enforcement”. The main argument is that E2EE hampers attribution and prosecution of criminals who rely on encrypted communication - ranging from drug syndicates to child sexual abuse material (CSAM) platforms. This statement - in policy circles dubbed ‘going dark’ - is not yet supported by empirical evidence. That is why, in our work, we analyse public court data from the Netherlands to show to what extent law enforcement agencies and the public prosecution service are impacted by the use of E2EE in bringing cases to court and their outcome. Our results show that in cases brought to court, the Dutch courts appear to be as successful in convicting offenders who rely on E2EE as those who do not. Our data do not permit us to draw conclusions on the effect of E2EE on criminal investigations.

Open data promotes transparency and accountability as everyone can analyse it. Law enforcement and the judiciary are increasingly making data available, to increase trust and confidence in the criminal justice system. Due to privacy legislation, judicial open data — like court judgements — in Europe is usually anonymized. And even if the court judgement has been made public, the rest of the case file is usually not published. Therefore, the question arises to what extent criminological research into sentencing can make use of anonymized open data. We answer this question based on a case study in which we use the open data of the Dutch criminal justice system that is available on https://www.rechtspraak.nl/Uitspraken. Over the period 2015–2020, we analysed sentencing in 25,366 court judgements and investigated the relationship between sentence severity and the offender’s use of advanced Information and Communication Technology (ICT). The most important results are, firstly, that offenders who use advanced ICT are sentenced to longer custodial sentences compared to other offenders. Secondly, sentencing research with open data is found to be feasible.

It is crucial that smart contracts are tested thoroughly due to their immutable nature. Even small bugs in smart contracts can lead to huge monetary losses. However, testing is not enough; it is also important to ensure the quality and completeness of the tests. There are already several approaches that tackle this challenge with mutation testing, but their effectiveness is questionable since they only considered small contract samples. Hence, we evaluate the quality of smart contract mutation testing at scale. We choose the most promising of the existing (smart contract specific) mutation operators, analyse their effectiveness in terms of killability and highlight severe vulnerabilities that can be injected with the mutations. Moreover, we improve the existing mutation methods by introducing a novel killing condition that is able to detect a deviation in the gas consumption, i.e., in the monetary value that is required to perform transactions.

Passive application fingerprinting is a technique to detect anomalous outgoing connections. By monitoring the network traffic, a security monitor passively learns the network characteristics of the applications installed on each machine, and uses them to detect the presence of new applications (e.g., malware infection). In this work, we propose HeadPrint, a novel passive fingerprinting approach that relies only on two orthogonal network header characteristics to distinguish applications, namely the order of the headers and their associated values. Our approach automatically identifies the set of characterizing headers, without relying on a predetermined set of header features. We implement HeadPrint, evaluate it in a real-world environment and we compare it with the state-of-the-art solution for passive application fingerprinting. We demonstrate our approach to be, on average, 20% more accurate and 30% more resilient to application updates than the state-of-the-art. Finally, we evaluate our approach in the setting of anomaly detection, and we show that HeadPrint is capable of detecting the presence of malicious communication, while generating significantly fewer false alarms than existing solutions.

Research shows that people's use of computers and mobile phones is often characterized by a privacy paradox: Their self-reported concerns about their online privacy appear to be in contradiction with their often careless online behaviors. Earlier research into the privacy paradox has a number of caveats. Most studies focus on intentions rather than behavior and the influence of technical knowledge, privacy awareness, and financial resources is not systematically ruled out. This study therefore tests the privacy paradox under extreme circumstances, focusing on actual behavior and eliminating the effects of a lack of technical knowledge, privacy awareness, and financial resources. We designed an experiment on the downloading and usage of a mobile phone app among technically savvy students, giving them sufficient money to buy a paid-for app. Results suggest that neither technical knowledge and privacy awareness nor financial considerations affect the paradoxical behavior observed in users in general. Technically-skilled and financially independent users risked potential privacy intrusions despite their awareness of potential risks. In their considerations for selecting and downloading an app, privacy aspects did not play a significant role; functionality, app design, and costs appeared to outweigh privacy concerns.

Since it takes time and effort to put a new product or service on the market, one would like to predict whether it will be a success. In general this is not possible, but it is possible to follow best practices in order to maximize the chance of success. A smart contract is intended to encode business logic and is therefore at the heart of every new business on the Ethereum blockchain. We have investigated how to measure the success of smart contracts, and whether successful smart contracts have characteristics that less successful smart contracts lack. The appearance of a smart contract on a listing website such as Etherscan or StateoftheDapps is such a characteristic. In this paper, we present a three-pronged analysis of the relative success of listed smart contracts. First, we have used statistical analysis on the publicly visible transaction history of the Ethereum blockchain to determine that listed contracts are significantly more successful than their unlisted counterparts. Next, we have conducted a survey among more than 200 developers via an anonymous online survey about their experience with the listing process. A significant majority of respondents do not believe that listing a contract itself contributes to its success, but they believe that the extra attention that is typically paid in tandem with the listing process does contribute. Finally, based on the respondents' answers, we have drafted 10 recommendations for developers and validated them by submitting them to an international panel of experts.

We investigate the problem of detecting advanced covert channel techniques, namely victim-aware adaptive covert channels. An adaptive covert channel is considered victim-aware when the attacker mimics the content of its victim’s legitimate communication, such as application-layer metadata, in order to evade detection from a security monitor. In this paper, we show that victim-aware adaptive covert channels break the underlying assumptions of existing covert channel detection solutions, thereby exposing a lack of detection mechanisms against this threat. We first propose a toolchain, Chameleon, to create synthetic datasets containing victim-aware adaptive covert channel traffic. Armed with Chameleon, we evaluate state-of-the-art detection solutions and we show that they fail to effectively detect stealthy attacks. The design of detection techniques against these stealthy attacks is challenging because their network characteristics are similar to those of benign traffic. We explore a deception-based detection technique that we call HoneyTraffic, which generates network messages containing honey tokens, while mimicking the victim’s communication. Our approach detects victim-aware adaptive covert channels by observing inconsistencies in such tokens, which are induced by the attacker attempting to mimic the victim’s traffic. Although HoneyTraffic has limitations in detecting victim-aware adaptive covert channels, it complements existing detection methods and, in combination with them, it can to make evasion harder for an attacker.

We report on an educational experiment where computer science students perform empirical research into the human factor in cyber security. Most courses restrict students to work in a lab environment,but we encouraged our students to conduct a realistic experiment with real -world subjects. The students wrote a research proposal that had to be approved by the IRB. They then executed the proposal, collecting and analysing the data. Finally the students wrote and presented a paper a student conference. The main method of assessment is by peer review. After teaching the course for six years, we report on the exciting ideas our students came up wi th, and on the lessons we learned in teaching the course. The main conclusions are (a) offering complete freedom to choose research topics inspires students to design creative projects, (b) working with real subjects creates a stimulating learning experience, and (c) peer-review is a useful assessment tool .

Online anonymous markets have been around since early 2011 and are aprominent part of today’s cybercrime ecosystem. Their popularity as markets inillicit goods has steadily grown over the years. With the rise ofmarkets like Silk Road, similar marketplaces came into existence where next todrugs, supply and demand of other products and services could meet: rangingfrom physical goods, like passports and weapons, to digital goods and services,like carding and cybercrime software. As a resultwe can witness an increasing supply of criminal product and services onstandardized digital trading platforms in the underground economy.

The aim of this study was to explore the extent to which persuasion principles are used in successful social engineering attacks. Seventy-four scenarios were extracted from 4 books on social engineering (written by social engineers) and analysed. Each scenario was split into attack steps, containing single interactions between offender and target. For each attack step, persuasion principles were identified. The main findings are that (a) persuasion principles are often used in social engineering attacks, (b) authority (1 of the 6 persuasion principles) is used considerably more often than others, and (c) single-principle attack steps occur more often than multiple-principle ones. The social engineers identified in the scenarios more often used persuasion principles compared to other social influences. The scenario analysis illustrates how to exploit the human element in security. The findings support the view that security mechanisms should include not only technical but also social countermeasures.

Purpose – When security managers choose to deploy a smart lock activation system, the number of units needed and their location needs to be established. This study presents the results of a penetration test involving smart locks in the context of building security. We investigated how the amount of effort an employee has to invest in complying with a security policy (i.e. walk from the office to the smart key activator) influences vulnerability. In particular, the attractiveness of a no-effort alternative (i.e. someone else walking from your office to the key activators to perform a task on your behalf) was evaluated. The contribution of this study relates to showing how experimental psychology can be used to determine the cost-benefit analysis (CBA) of physical building security measures.
Design/methodology/approach – Twenty-seven different ‘offenders’ visited the offices of 116 employees. Using a script, each offender introduced a problem, provided a solution and asked the employee to hand over their office key.
Findings – A total of 58.6% of the employees handed over their keys to a stranger; no difference was found between female and male employees. The likelihood of handing over the keys for employees close to a key activator was similar to that of those who were further away.Research limitations/implications – The results suggest that installing additional key activators is not conducive to reducing the building’s security vulnerability associated with the handing over of keys to strangers.
Originality/value – No research seems to have investigated the distribution of smart key activators in the context of a physical penetration test. This research highlights the need to raise awareness of social engineering and of the vulnerabilities introduced via smart locks (and other smart systems).

Every new technology brings new opportunity for crime, and information and communication technology (ICT) is no exception. This short article offers students of crime insights in the two main connections between ICT and criminology. On the one hand we show how ICT can be used as a tool, target, or location of crime. On the other hand we show how ICT can be used as a tool to study crime.

Social engineering is een aanvalstechniek waarin misleiding en bedrog worden gebruikt om doelwitten actief te laten meewerken aan hun eigen slachtofferschap. In dit artikel wordt aan de hand van een praktisch voorbeeld en bijbehorende heorieën inzicht gegeven in social engineering-praktijken. Daarnaast zal er ook orden ingegaan op een drietal experimenten (i.e. face-to-face, telefoon en e-mail) waarin systematisch onderzoek naar dit gevaar centraal staat. De resultaten geven inzicht in hoe kwetsbaar een organisatie is voor social engineering en welke medewerkers het meeste baat hebben bij een bewustwordingscampagne.

We present DECANTeR, a system to detect anomalous outbound HTTP communication, which passively extracts fingerprints for each application running on a monitored host. The goal of our system is to detect unknown malware and backdoor communication indicated by unknown fingerprints extracted from a host's network traffic. We evaluate a prototype with realistic data from an international organization and datasets composed of malicious traffic. We show that our system achieves a false positive rate of 0.9% for 441 monitored host machines, an average detection rate of 97.7%, and that it cannot be evaded by malware using simple evasion techniques such as using known browser user agent values. We compare our solution with DUMONT [24], the current state-of-The-Art IDS which detects HTTP covert communication channels by focusing on benign HTTP traffic. The results show that DECANTeR outperforms DUMONT in terms of detection rate, false positive rate, and even evasion-resistance. Finally, DECANTeR detects 96.8% of information stealers in our dataset, which shows its potential to detect data exfiltration.

User training is a commonly used method for preventing victimization from phishing attacks. In this study, we focus on training children, since they are active online but often overlooked in interventions. We present an experiment in which children at Dutch primary schools received an anti-phishing training. The subjects were subsequently tested for their ability to distinguish phishing from non-phishing. A control group was used to control for external effects. Furthermore, the subjects received a re-test after several weeks to measure how well the children retained the training. The training improved the children's overall score by 14%. The improvement was mostly caused by an increased score on the questions where they had to detect phishing. The score on recognizing legitimate emails was not affected by the training. We found that the improved phishing score returned to pre-training levels after four weeks. Conversely, the score of recognition of legitimate emails increased over time. After four weeks, trained pupils scored significantly better in recognizing legitimate emails than their untrained counterparts. Age had a positive effect on the score (i.e., older children scored higher than younger ones); but sex had no significant influence. In conclusion, educating children to improve their ability to detect phishing works in the short term only. However, children go to school regularly, making it easier to educate them than adults. An increased focus on the cybersecurity of children is essential to improve overall cybersecurity in the future.

Purpose - The purpose of this study is to explore how the opening phrase of a phishing email influences the action taken by the recipient. Design/methodology/approach - Two types of phishing emails were sent to 593 employees, who were asked to provide personally identifiable information (PII). A personalised spear phishing email opening was randomly used in half of the emails. Findings - Nineteen per cent of the employees provided their PII in a general phishing email, compared to 29 per cent in the spear phishing condition. Employees having a high power distance cultural background were more likely to provide their PII, compared to those with a low one. There was no effect of age on providing the PII requested when the recipient's years of service within the organisation is taken into account. Practical implications - This research shows that success is higher when the opening sentence of a phishing email is personalised. The resulting model explains victimisation by phishing emails well, and it would allow practitioners to focus awareness campaigns to maximise their effect. Originality/value - The innovative aspect relates to explaining spear phishing using four sociodemographic variables.

The aim of the current study is to explore to what extent an intervention reduces the effects of social engineering (e.g., the obtaining of access via persuasion) in an office environment. In particular, we study the effect of authority during a ‘social engineering’ attack. Methods Thirty-one different ‘offenders’ visited the offices of 118 employees and on the basis of a script, asked them to hand over their office keys. Authority, one of the six principles of persuasion, was used by half of the offenders to persuade a target to comply with his/her request. Prior to the visit, an intervention was randomly administered to half of the targets to increase their resilience against attempts by others to obtain their credentials. Results A total of 37.0 % of the employees who were exposed to the intervention surrendered their keys while 62.5 % of those who were not exposed to it handed them over. The intervention has a significant effect on compliance but the same was not the case for authority. Conclusions Awareness-raising about the dangers, characteristics, and countermeasures associated with social engineering proved to have a significant positive effect on neutralizing the attacker.

In the field of security, attack trees are often used to assess security vulnerabilities probabilistically in relation to multi-step attacks. The nodes are usually connected via AND-gates, where all children must be executed, or via OR-gates, where only one action is necessary for the attack step to succeed. This logic, however, is not suitable for including human interaction such as that of social engineering, because the attacker may combine different persuasion principles to different degrees, with different associated success probabilities. Experimental results in this domain are typically represented by regression equations rather than logical gates. This paper therefore proposes an extension to attack trees involving a regression-node, illustrated by data obtained from a social engineering experiment. By allowing the annotation of leaf nodes with experimental data from social science, the regression-node enables the development of integrated socio-technical security models.

We survey the notion of provably secure Searchable Encryption (SE) by giving a complete and comprehensive overview of the two main SE techniques: Searchable Symmetric Encryption (SSE) and Public Key Encryption with Keyword Search (PEKS). Since the pioneering work of Song, Wagner and Perrig (IEEE SP '00), the field of provably secure SE has expanded to the point where we felt that taking stock would provide benefit to the community. The survey has been written primarily for the non-specialist who has a basic information security background. Thus, we sacrifice full details and proofs of individual constructions in favor of an overview of the underlying key techniques. We categorize and compare the different SE schemes in terms of their security, efficiency, and functionality. For the experienced researcher we point out connections between the many approaches to SE and identify open research problems. Two major conclusions can be drawn from our work. While the so-called IND-CKA2 security notion becomes prevalent in the literature and efficient (sub-linear) SE schemes meeting this notion exist in the symmetric setting, achieving this strong form of security efficiently in the asymmetric setting remains an open problem. We observe that in multi-recipient SE schemes, regardless of their efficiency drawbacks, there is a noticeable lack of query expressiveness which hinders deployment in practice.