6/3/2009 02:25 PM
Report: Cybercrime Riches Are Hard To Come By

Researchers from Microsoft say stolen goods offered for sale in IRC channels are tough to monetize, and industry estimates of underground profits are "exaggerated"

Turns out the profitability of cybercrime may have been greatly exaggerated. According to a new report by two researchers from Microsoft Research, cybercrime doesn't equal easy money after all, despite earlier findings to the contrary.

In their report, titled "Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy," Microsoft researchers Cormac Herley and Dinei Florencio say it's a smaller population of more sophisticated and organized gangs of cybercriminals who come out ahead. "While there is a great deal of activity in the underground economy marketplace, it does not imply a lot of dollars change hands," they wrote in their paper. Lucrative cybercrime doesn't occur in the open IRC space because "rippers," or those who don't deliver the goods and services they "sell" there, damage the market, they say.

The researchers also took on security-vendor research (as well as that of Gartner) that estimates the value of the underground economy based on the price tags of wares sold via IRC: "We believe that anyone who shows up on an IRC channel hoping to trade profitably with anonymous partners is almost certain to be cheated. Thus, estimating the dollar size of the underground economy based on the asking price of goods and services advertised on IRC networks appears unsound," they say. "We find that the published estimates of the dollar value of underground economy IRC channels are exaggerated. They are derived by simply adding the unverified claims of anonymous channel participants (who include rippers). Those who lie most and exaggerate most affect the average most."

More nimble and organized alliances and gangs of cybercriminals incur lower overhead by banding together, and they are the sector making a profit. Herley and Florencio said rippers bring instability into the IRC marketplace, making it too risky to do any real business. "We emphasize that the activities of the upper tier are largely invisible and probably account for a majority of the losses," they said.

Researcher Nitesh Dhanjani says the researchers have raised a bigger elephant-in-the-room issue of vendor-sponsored research, as well as flawed logic for calculating the size of the black market. "I think this is the bigger issue [of the research here] ... We cannot get a handle on what the situation is, who the agents are that we are up against, and if we are continuously bombarded with bogus statistics in the name of science. I feel Herley and Dinei, in addition to the specifics of the paper, are helping us raise consciousness about this so we are able to distinguish between marketing speak and real scientific discourse," Dhanjani says.

The security industry relies on statistics from biased companies, Dhanjani says. "When was the last time we heard a security firm publish an opinion that played down the impact of anything? In some sense we wouldn't expect them to -- after all, security corporations are businesses, too. But on the other hand, we have not done a good job of distinguishing marketing speak against scientific discourse," he says.

Dhanjani, who along with fellow researcher Billy Rios infiltrated the phishing underground to profile phishers and their activities, agrees that estimates of billions of dollars in losses don't add up. "I remembered [during our phishing research] going through the vast amount of underground message boards and IRC channels where phishers and scam artists convene, noting how much of a constant struggle it was for the criminals to monetize -- including cases where criminals attempted to scam other criminals -- and wondering how it is that such a struggling system could correlate to a loss of billions of dollars. It just didn't feel right," Dhanjani says.

This isn't the first time "myth busters" Herley and Florencio have shot down conventional wisdom about cybercrime: Earlier this year, they used an economic analysis method to show phishing was not as lucrative as once thought. Their economic models concluded that phishing is a low-paid, low-skills enterprise where the average phisher makes hundreds, rather than thousands, of dollars a year. The researchers' work is their own, they say, and doesn't speak for Microsoft.

"The more automated, the lower the barrier to entry, [and] the lower the effective return. When it's automated, it becomes a low-skill endeavor, and low-skill jobs pay like low-skill jobs," Herley said in an earlier interview.

Their latest research takes the analysis to another level.

Stolen credit card numbers and bank credentials are not easy to monetize, the researchers said in their report, so stealing this information doesn't necessarily translate into profit: "Goods offered for sale on the IRC channels are hard to monetize. Those who sell there are clearly unable to monetize the goods themselves or need someone who will do so for a smaller premium than the ripper tax," they say in their report, noting that stolen credit cards and credit card numbers (CCNs) make up most of what's sold on IRC channels.

"This implies that getting credentials is only a first step, and by no means the most important one, in the chain of fraud," they wrote. "The IRC markets on the underground economy represent a classic example of a market for lemons. The rippers who steal from other participants ensure that buying and selling is heavily taxed."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
