Vulnerabilities / Threats
10/21/2011
12:36 PM
Connect Directly
RSS
E-Mail
50%
50%

Does Cybercrime Pay?

Turning a profit in today's underground economy remains tough. Here's why.

Does cybercrime pay? Maybe not as much as you'd expect.

Law enforcement agencies trumpet whenever they bust a cybercrime gang, in part to try and deter other criminals. Some of those takedowns have jailed rings that stole millions of dollars.

Busts, of course, highlight only crimes that have been spotted and criminals caught. What about the crimes no one knows about? We won't be reading any press releases on online criminals evading law enforcement agencies or operating from countries without cybercrime laws.

How many millionaire or even billionaire spam and malware kings are at large? Estimates of the annual cybercrime tab vary widely, from $560 million to $1 trillion per year. According to "Sex, Lies and Cyber-Crime Surveys," a research paper released earlier this year, that variability points to the problem with cybercrime data: Too much of it is based on self-reported statistics from too few respondents. With small sample sizes, "a single lie, transcription error, or exaggeration" can completely skew survey results, say the paper's authors, Microsoft researchers Dinei Florencio and Cormac Herley.

To see that effect at work, they point to an annual identity theft study from the Federal Trade Commission. "The FTC estimated identity theft at $47 billion in 2004, $15.6 billion in 2006 and $54 billion in 2008. Either there was a precipitous drop in 2006, or all of the estimates are extremely noisy," according to Florencio and Herley. To put the state of affairs mildly, cybercrime survey data is less than reliable.

Furthermore, studies of actual cybercrime networks suggest that criminals' profits may be less than people think. For example, University of California and Budapest Technology researchers looked at about 20 groups that fulfilled orders for pharmaceuticals that they had "advertised" via spam emails. But they found that only two of the roughly 20 groups they studied earned profits of more than $1 million per month. According to the researchers, "our results suggest that while the spam-advertised pharmacy market is substantial, with annual revenue in the many tens of millions of dollars, it has nowhere near the size claimed by some, and indeed falls vastly short of the annual expenditures on technical anti-spam solutions."

Likewise, researchers from the University of California, Santa Barbara, studied crime rings pushing fake antivirus software, which pretends to discover malware (besides itself) on users' computers, then scares them into buying a product to eliminate the infection. "The Underground Economy of Fake Antivirus Software," a paper to be presented next month at the eCrime 2011 conference in San Diego, estimates "the annual revenue of each criminal group at a few tens of millions of dollars," reports The Economist.

Why aren't cybercrime profits higher? Another study by Microsoft's Florencio and Herley investigates that question and finds a large gap between "potential and actual harm." Potentially, of course, attackers could be exploiting all of the weak links on people's PCs, ranging from known vulnerabilities to reused passwords stolen from other websites. But while that's possible in theory, in practice such attacks generally aren't practical.

For starters, attackers have to walk a fine line. If criminals let a botnet get too big, or fail to keep updating the underlying malware with the latest anti-security-tool defenses, security researchers may find a way to scuttle the botnet, and authorities may actually run them down, resulting in some significant jail time.

Botnet infections aside, however, outright cybercrime faces a significant challenge: It's difficult to turn a profit. "It's not enough that something succeed now-and-then, or when the circumstances are right, or when all the ducks are in a row," say Florencio and Herley. "When attacking users en masse, as Internet attackers do, attacks must be profitable at scale." As the studies of cybercrime profit show, thankfully, building really profitable online attacks at scale isn't a skill that most cybercriminals have mastered.

Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
10/25/2011 | 1:26:10 AM
re: Does Cybercrime Pay?
I agree Jim. Also, since relatively few people seem to be brought to justice, it could be argued that cyber-crime has a better risk-reward ratio than other crimes.
Brian Prince, InformationWeek contributor
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
10/24/2011 | 7:57:23 PM
re: Does Cybercrime Pay?
I agree that most published estimates are unreliable. I think the question on whether it pays is all relative to the cybercriminal. Is someone likely to become massively rich like Scarface? Probably not. But for say, an unemployed eastern european programmer, working for an identity theft ring can certainly pay better than many legitimate options.

Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.