December 14, 2007 1:10 PM PST
Cracking open the cybercrime economy
Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as specialham.com and spamforum.biz. In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs. Credit is deducted when the spam is accepted by the target mail server. The brokers handle spam distribution via open proxies, relays and compromised PCs, while the sending is usually done from the client's PC using broker-provided software and control information.
"This is a completely standard commercial business," Gutmann said. "The spammers even have their own trade associations."
Ready-made tools for creating phishing e-mails, such as fake requests for bank details, are fairly easy to buy, with many independent vendors selling them. Bulletproof hosting is also easily available, while phishers engage spam services to lure users to their sites.
Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account.
Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000, and agree to pay them $20,000 if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as "money mules," can also take up to 50 percent of the funds to move the money via transfer services.
Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, and the PCs can then be resold.
Cost to legitimate business
As the malicious-software economy grows in sophistication, so do the losses sustained by legitimate businesses. According to the 2007 Computer Security Institute computer crime and security survey, these losses have seen a sharp increase this year.
Robert Richardson, director of the CSI, said the average annual loss among U.S. businesses due to cybercrime has shot up to $350,424, from $168,000 in 2006. "Not since the 2004 report have average losses been this high," said Richardson.
This year's survey results are based on the responses of 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities.
Almost one-fifth of those respondents who suffered one or more kinds of security incidents said they had suffered a targeted attack aimed exclusively at their organization, or organizations within a small subset. Khalid Kark, a principal security analyst at Forrester, said targeted attacks against companies and institutions are becoming more common.
"As banks and companies have increased security levels, the hacker community is casting a much wider net," said Khalid. "Instead of hacking into something right away, now it's low and slow. They're determining attack avenues, taking their sweet time to find holes, and then using stealth (to steal data)."
Financial services companies are being attacked more and more, said the analyst, while the attacks are increasing in number and complexity.
But while the black cybereconomy is maturing, at the moment its main practitioners seem to be individuals or small groups acting within a loose web of affiliations that can be quickly established and broken to evade detection.
F-Secure's Hypponen blames a lack of international co-operation and political and social problems for the current situation. "In many cases these are people with skills but without opportunities," said Hypponen. "What if you are born with IT skills in rural China, or in the middle of Siberia? There is no legal way of making use of the skills they have."
While law enforcement co-operation with government and the IT community is paramount in addressing the problem in the short term, longer-term solutions must be found. One way to address the issue of the growth of the "black cybereconomy" in the long term is to harness the IT talent in developing countries that otherwise might be co-opted into illegal activity, say security experts.
"We have to make it more attractive to be in the white economy than in the black--when that happens we will turn a corner. We're starting to see that happen as companies look to less expensive economies as places to put people. In Eastern Europe and Asia there are highly skilled people where there are less opportunities--this is where the black economy is fueled now," said McAfee's Telafici.
Tom Espiner of ZDNet UK reported from London.