Cracking open the cybercrime economy

• Tags:
• Malware,
• Credit Card,
• Wider,
• Phishing

Tom Espiner ZDNet.co.uk

Published: 14 Dec 2007 15:53 GMT

• 
• 
• 
• 
• 

...specialham.com and spamforum.biz. One dollar buys 1,000 to 5,000 credits, while $1,000 (£500) buys 10,000 compromised PCs. Credit is deducted when the spam is accepted by the target mailserver. The brokers handle spam distribution via open proxies, relays and compromised PCs, while the sending is usually done from the client's PC using broker provided software and control information.

"This is a completely standard commercial business," says Gutmann. "The spammers even have their own trade associations."

Ready-made tools for creating phishing emails, such as fake requests for bank details, are fairly easy to buy, with many independent vendors selling them. Bulletproof hosting is also easily available, while phishers engage spam services to lure users to their sites.

Carders, who mainly deal in stolen credit-card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit-card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a social security number; and $50 for a full bank account.

How is the money laundered?
Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000 (£5,000), and agree to pay them $20,000 (£10,000) if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as "money mules", can also take up to 50 percent of the funds to move the money via transfer services.

Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, which can then be resold.

What is the cost to legitimate business?
As the malware economy grows in sophistication, so do the losses sustained by legitimate businesses. According to the 2007 Computer Security Institute computer crime and security survey, these losses have seen a sharp increase this year.

Robert Richardson, director of the CSI, says the average annual loss among US businesses due to cybercrime has shot up to $350,424, from $168,000 in 2006. "Not since the 2004 report have average losses been this high," says Richardson.

This year's survey results are based on the responses of 494 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions and universities.

Almost one-fifth (18 percent) of those respondents who suffered one or more kinds of security incident said they had suffered a targeted attack aimed exclusively at their organisation, or organisations within a small subset. Khalid Kark, a principal security analyst at Forrester, says targeted attacks against companies and institutions are becoming more common.

"As banks and companies have increased security levels, the hacker community is casting a much wider net," says Khalid. "Instead of hacking into something right away, now it's low and slow. They're determining attack avenues, taking their sweet time to find holes, and then using stealth [to steal data]."

Financial services companies are being attacked more and more, says the analyst, while the attacks are increasing in number and complexity.

But while the black cyber-economy is maturing, at the moment its main practitioners seem to be individuals or small groups acting within a loose web of affiliations that can be quickly established and broken to evade detection.

F-Secure's Hypponen blames a lack of international co-operation and political and social problems for the current situation. "In many cases these are people with skills but without opportunities," says Hypponen. "What if you are born with IT skills in rural China, or in the middle of Siberia? There is no legal way of making use of the skills they have."

While law-enforcement co-operation with government and the IT community is paramount in addressing the problem in the short term, longer-term solutions must be found. One way to address the issue of the growth of the "black cyber-economy" in the long term is to harness the IT talent in developing countries that otherwise might be co-opted into illegal activity.

"We have to make it more attractive to be in the white economy than in the black — when that happens we will turn a corner. We're starting to see that happen as companies look to less expensive economies as places to put people. In Eastern Europe and Asia there are highly skilled people where there are less opportunities — this is where the black economy is fuelled now," says McAfee's Telafici.

• 
• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit