June 5th, 2009
Microsoft study debunks profitability of the underground economy
Cybercrime, what cybercrime and millions of dollars in profits?!
A newly released paper presented by Cormac Herley and Dinei Florencio at this year’s Workshop on the Economics of Information Security 2009, entitled “Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy”, debunks the often taken-for-granted profitability of the underground economy, comparing it to a Market for Lemons, where the seller knows more about the product than the buyer.
Earlier this year, the same researchers also debunked the profitability of phishing (Microsoft study debunks phishing profitability) in general, using the Tragedy of the Commons as an analogy for their findings.
I beg to differ with the conclusions drawn in both papers, and here’s why:
According to the executive summary:
“Stolen credentials are traded in bulk for pennies on the dollar. It is suggested that large sums move on these markets. We argue that this makes very little sense. Using basic arguments from Economics we show that the IRC markets studied represent classic examples of Lemon Markets. The ever present rippers who cheat other participants ensure that the market cannot operate effectively. Their presence represents a tax on every transaction conducted in the market. Those who form gangs and alliances avoid this tax, enjoy a lower cost basis and higher profit.”
It does make sense, since the report’s findings are flawed: they draw conclusions from a highly outdated form of communication between cybercriminals, Internet Relay Chat (IRC).
Trading stolen credit card information over IRC is so Web 1.0 that it accounts for only a tiny percentage of these trades; the majority happen in closed, invite-only portals, or through plain private communication with a vendor who has no fancy online store for the stolen goods. Generalizing from a single, largely outdated distribution and advertising channel for stolen goods therefore undermines most of the paper’s conclusions.
The researchers also find no sense in statements such as:
“For example, Symantec finds the asking price for a CCN varies between $0.5 and $12, even when the available balance is several thousand dollars. This makes very little sense. Why would anyone sell for 50 cents an asset that is worth $2000? If turning the CCN into cash requires skill that the seller does not possess it would surely be a skill worth learning.”
They would, not only because they still break even (earn a profit) by doing so, but also because, depending on their position within the underground marketplace, they may in fact be willing to earn less and pass the responsibility (and the potential imprisonment if detected) on to the buyers of the credit card details, who then take on the risk of cashing out the money.
Based on personal observations of numerous monetization approaches over the past several years, a majority within the underground ecosystem, while they may look like hardcore cybercriminals cashing out money from each and every phished and Zeus-ed (banker-malware-infected) host on their own, are in fact reselling access and the accounting data to organized cybercrime syndicates with experience in obtaining the cash. If these cybercriminals were to “learn the skill” of how to do so, they would inevitably earn more; however, the money made would be proportional to the increased risk of getting caught due to their lack of experience, so reselling the data to experienced parties as fast as possible remains their only option.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.