Vulnerabilities / Threats
10/21/2011
12:36 PM
50%
50%

Does Cybercrime Pay?

Turning a profit in today's underground economy remains tough. Here's why.

Does cybercrime pay? Maybe not as much as you'd expect.

Law enforcement agencies trumpet whenever they bust a cybercrime gang, in part to try and deter other criminals. Some of those takedowns have jailed rings that stole millions of dollars.

Busts, of course, highlight only crimes that have been spotted and criminals caught. What about the crimes no one knows about? We won't be reading any press releases on online criminals evading law enforcement agencies or operating from countries without cybercrime laws.

How many millionaire or even billionaire spam and malware kings are at large? Estimates of the annual cybercrime tab vary widely, from $560 million to $1 trillion per year. According to "Sex, Lies and Cyber-Crime Surveys," a research paper released earlier this year, that variability points to the problem with cybercrime data: Too much of it is based on self-reported statistics from too few respondents. With small sample sizes, "a single lie, transcription error, or exaggeration" can completely skew survey results, say the paper's authors, Microsoft researchers Dinei Florencio and Cormac Herley.

To see that effect at work, they point to an annual identity theft study from the Federal Trade Commission. "The FTC estimated identity theft at $47 billion in 2004, $15.6 billion in 2006 and $54 billion in 2008. Either there was a precipitous drop in 2006, or all of the estimates are extremely noisy," according to Florencio and Herley. To put the state of affairs mildly, cybercrime survey data is less than reliable.

Furthermore, studies of actual cybercrime networks suggest that criminals' profits may be less than people think. For example, University of California and Budapest Technology researchers looked at about 20 groups that fulfilled orders for pharmaceuticals that they had "advertised" via spam emails. But they found that only two of the roughly 20 groups they studied earned profits of more than $1 million per month. According to the researchers, "our results suggest that while the spam-advertised pharmacy market is substantial, with annual revenue in the many tens of millions of dollars, it has nowhere near the size claimed by some, and indeed falls vastly short of the annual expenditures on technical anti-spam solutions."

Likewise, researchers from the University of California, Santa Barbara, studied crime rings pushing fake antivirus software, which pretends to discover malware (besides itself) on users' computers, then scares them into buying a product to eliminate the infection. "The Underground Economy of Fake Antivirus Software," a paper to be presented next month at the eCrime 2011 conference in San Diego, estimates "the annual revenue of each criminal group at a few tens of millions of dollars," reports The Economist.

Why aren't cybercrime profits higher? Another study by Microsoft's Florencio and Herley investigates that question and finds a large gap between "potential and actual harm." Potentially, of course, attackers could be exploiting all of the weak links on people's PCs, ranging from known vulnerabilities to reused passwords stolen from other websites. But while that's possible in theory, in practice such attacks generally aren't practical.

For starters, attackers have to walk a fine line. If criminals let a botnet get too big, or fail to keep updating the underlying malware with the latest anti-security-tool defenses, security researchers may find a way to scuttle the botnet, and authorities may actually run them down, resulting in some significant jail time.

Botnet infections aside, however, outright cybercrime faces a significant challenge: It's difficult to turn a profit. "It's not enough that something succeed now-and-then, or when the circumstances are right, or when all the ducks are in a row," say Florencio and Herley. "When attacking users en masse, as Internet attackers do, attacks must be profitable at scale." As the studies of cybercrime profit show, thankfully, building really profitable online attacks at scale isn't a skill that most cybercriminals have mastered.

Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
10/25/2011 | 1:26:10 AM
re: Does Cybercrime Pay?
I agree Jim. Also, since relatively few people seem to be brought to justice, it could be argued that cyber-crime has a better risk-reward ratio than other crimes.
Brian Prince, InformationWeek contributor
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
10/24/2011 | 7:57:23 PM
re: Does Cybercrime Pay?
I agree that most published estimates are unreliable. I think the question on whether it pays is all relative to the cybercriminal. Is someone likely to become massively rich like Scarface? Probably not. But for say, an unemployed eastern european programmer, working for an identity theft ring can certainly pay better than many legitimate options.

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6123
Published: 2014-12-28
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.

CVE-2014-6160
Published: 2014-12-28
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.