Malware & Fraud Working Group

Malicious code (such as botnets and worms) and fraudulent activity (such as phishing, spam, or credit card abuse) have been the scourge of the Internet for several years now. Recently, the activities of malware authors and online fraudsters have converged, creating a vibrant and dangerous underground economy. This underground economy is responsible for the tremendous increase of criminal activity on the Internet and the resulting significant financial losses to companies and end users. In addition to the financial damage, the criminal activities also lead to a decrease of trust in the security of online transactions and the credibility of major players on the network. This causes secondary, undesirable effects, for example, a move away from online business and a slowdown in the adoption of Internet-based services.


The goals of this working group are:

  1. to identify and discuss future developments and emerging threats in the areas of online fraud and malicious code;
  2. to network and coordinate the efforts between players in academia and industry that are active in these areas; and
  3. to inform and influence decision makers to initiate the necessary steps to thwart the identified threats.


In this working group, we discuss all aspects of malicious code and fraudulent activities in ICT networks. This includes the complete life cycle of online fraud and malware. The following list enumerates the topics that are in scope. Moreover, it provides exemplary questions that belong to these different topics.

  • Spreading of malicious code: How does malicious code propagate and reach the victim machines? What are emerging propagation vectors (drive-by downloads, instant messaging worms, ..)? What are novel ways in which software vulnerabilities are exploited? What are emerging social engineering techniques?
  • Malware code: What techniques are used to develop malware? How does malware thwart detection and analysis? How does malware control victim computers and remains a stronghold? How can we detect malware before and after it infects a computer?
  • Effects of malicious code: How is malware used once a machine is infected? What attacks are launched (against the owner of the computer, against the infrastructure)? What information is stolen?
  • Information gathering: Which information is interesting for criminals? How is this information obtained? How can we protect this information?
  • Exploiting information and control: What are the emerging schemes to convert information into profit? What other goals do fraudsters and malware authors attempt to achieve? How does the underground economy work? How are goods and services traded and are there interesting changes that can be observed?


This section describes the way in which the working group attempts to achieve the goals outlined in Section I. We envision four mechanisms to achieve the outlined goals:

  1. First, we have two mailing lists. One mailing list is public and allows participants to exchange ideas about possible future threats, to point out an emerging threat that starts to manifest in the wild, and to provide pointers to material (publications, presentations, events) that is related to the addressed areas. This mailing list is public, that is, anyone is invited to join and express her opinion. Of course, the mailing list owner (the consortium) moderates the list to prevent spam or postings that are unrelated to the topic.

    The second mailing list is private and provides access only to trusted, vetted members. Initially, the list members are the participants of the first Forward workshop that expressed interest in this working group. Any list member can suggest new members. The approval of a new addition to the list requires the positive recommendation of at least two other list members. Also, the existing list members can voice qualified objections against the approval of a new member. This list is closed because it serve as a platform to exchange data that is more sensitive in nature. This includes operational information, sensitive information about current cases, or information about novel threats that are not known to a larger audience yet. It also serves as a means to establish a trusted nucleus of (European) security professionals that remains alive after the end of the project.

  2. In addition to the mid-term working group meeting, there are regular (at least, bi-monthly) telephone conferences in which participants can directly engage in lively discussions. Depending on the size of the working group, this meetings might be divided (by topic) and held separately.

  3. Third, the working group maintains an open, living document that captures the discussions in the mailing lists and telephone meetings. This document is actively maintained by the members of the consortium. It provides a first structure of the topics that are relevant for this working groups. It also contains questions that the working group leaders feel are important and should be addressed. Of course, everybody is welcome to contribute to this document. It will be run similar to a Wiki to allow participants to quickly undo vandalism.

  4. Fourth, the consortium members in this working group will prepare a chapter for a white book that highlights the most important threats in this area. This text will contain clear recommendations for policymakers to address the identified challenges.