December 14, 2007 1:10 PM PST

Cracking open the cybercrime economy

(continued from previous page)

Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as and In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs. Credit is deducted when the spam is accepted by the target mail server. The brokers handle spam distribution via open proxies, relays and compromised PCs, while the sending is usually done from the client's PC using broker-provided software and control information.

"This is a completely standard commercial business," Gutmann said. "The spammers even have their own trade associations."

Ready-made tools for creating phishing e-mails, such as fake requests for bank details, are fairly easy to buy, with many independent vendors selling them. Bulletproof hosting is also easily available, while phishers engage spam services to lure users to their sites.

Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account.

Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000, and agree to pay them $20,000 if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as "money mules," can also take up to 50 percent of the funds to move the money via transfer services.

Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, which can then be resold.

Cost to legitimate business
As the malicious-software economy grows in sophistication, so do the losses sustained by legitimate businesses. According to the 2007 Computer Security Institute computer crime and security survey, these losses have seen a sharp increase this year.

Robert Richardson, director of the CSI, said the average annual loss among U.S. businesses due to cybercrime has shot up to $350,424, from $168,000 in 2006. "Not since the 2004 report have average losses been this high," said Richardson.

This year's survey results are based on the responses of 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities.

Almost one-fifth of those respondents who suffered one or more kinds of security incidents said they had suffered a targeted attack aimed exclusively at their organization, or organizations within a small subset. Khalid Kark, a principal security analyst at Forrester, said targeted attacks against companies and institutions are becoming more common.

"As banks and companies have increased security levels, the hacker community is casting a much wider net," said Khalid. "Instead of hacking into something right away, now it's low and slow. They're determining attack avenues, taking their sweet time to find holes, and then using stealth (to steal data)."

Financial services companies are being attacked more and more, said the analyst, while the attacks are increasing in number and complexity.

But while the black cybereconomy is maturing, at the moment its main practitioners seem to be individuals or small groups acting within a loose web of affiliations that can be quickly established and broken to evade detection.

F-Secure's Hypponen blames a lack of international co-operation and political and social problems for the current situation. "In many cases these are people with skills but without opportunities," said Hypponen. "What if you are born with IT skills in rural China, or in the middle of Siberia? There is no legal way of making use of the skills they have."

While law enforcement co-operation with government and the IT community is paramount in addressing the problem in the short term, longer-term solutions must be found. One way to address the issue of the growth of the "black cybereconomy" in the long term is to harness the IT talent in developing countries that otherwise might be co-opted into illegal activity, say security experts.

"We have to make it more attractive to be in the white economy than in the black--when that happens we will turn a corner. We're starting to see that happen as companies look to less expensive economies as places to put people. In Eastern Europe and Asia there are highly skilled people where there are less opportunities--this is where the black economy is fueled now," said McAfee's Telafici.

Tom Espiner of ZDNet UK reported from London.

Correction: This report misattributed quotes of a report by Peter Gutmann, a researcher at the University of Auckland.

Previous page
Page 1 | 2 | 3

See more CNET content tagged:
hacking, McAfee Inc., malware, malicious code, bot


Join the conversation!
Add your comment
It's not a closed economy
Money is getting into this economy from what we consider "legitimate" economy. They're not only marketing porn/gambling/illegal drugs etc. The kind of businesses I see advertised in Israel using botnet based spam are legitimate businesses: financial institutions, academic colleges (real ones), medical institutions, and other legitimate businesses selling legitimate merchandise/services. The money they pay feeds this illegal industry. And as long as they can go buy services from this illegal economy that steals computer and network resources and sells them at cheaper price than those who actually pay for the resources they sell we would have this economy. Buying these services is not different from buying stolen goods.

I would like to see the information about use of malware organized and flowing to allow those whose PCs were infected find out the advertisers whose spam was sent using their compromised PCs, and done in such a way that they can organize and demand that the advertiser pay for the use of the resources, and sue the spammer in the right jurisdiction if needed. Advertisers should know that if they get a cheap deal and it was cheap because the spammer stole the resources used to do the distribution, they might have to pay for the resources in addition to what they paid to the spammer, and they might have to face criminal charges for illegal use of computer viruses (that is, having paid to be provided with a service based on computer viruses should be enough for a criminal charge. It doesn't have to be limited to those who actually perform the crime they were paid to perform). To achieve this there is a need for an infrastructure that collects the data from various sources (spam reports, security software on infected PCs, network monitoring such as scanning of outgoing traffic for spam by ISPs) and maks them available to the right parties (such as spam reports about mail coming from a dynamic IP address matched with information about the service advertised provided by speakers of the language of the advertisement should be available to the operator of the PC that used the IP address at the time the spam was sent. It's not an easy task. But it is not impossible, and it is needed if we want to stp the flow of legitimate money to the cybercrime economy.
Posted by hadaso (468 comments )
Reply Link Flag
HadasoL It;s Not Likely You'l;l See...
...that list of firms in a popular tech publication amytime too soon. Many of the firms to which you're alluding are after all major advertisers at best and poular providers of system killing freeware ay worst. Personally, I'd prefer an adjusted C|NET policy of providing copy (reviews et al) of for-pay products that offer a freeware product for those who cannot afford the for-pay version. To cxompliment this initiative, I'd like to see a requirement that C|NEY only offer downloads of products they recommend in their reviews. This post is a compliment to C|NET's vision and integrity appled to this new world we're living ibn which the article describes.
Posted by i_made_this (302 comments )
Link Flag
Bottom Line: As long as it's profitable... it will continue to expound
That said, what can be implemented to ensure that it's no-longer profitable.

Once the risks and loss are greater than the profits... it will start to dwindle... No sooner.

Posted by wbenton (522 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.