Vulnerabilities / Threats
10/21/2011
12:36 PM
50%
50%

Does Cybercrime Pay?

Turning a profit in today's underground economy remains tough. Here's why.

Does cybercrime pay? Maybe not as much as you'd expect.

Law enforcement agencies trumpet whenever they bust a cybercrime gang, in part to try and deter other criminals. Some of those takedowns have jailed rings that stole millions of dollars.

Busts, of course, highlight only crimes that have been spotted and criminals caught. What about the crimes no one knows about? We won't be reading any press releases on online criminals evading law enforcement agencies or operating from countries without cybercrime laws.

How many millionaire or even billionaire spam and malware kings are at large? Estimates of the annual cybercrime tab vary widely, from $560 million to $1 trillion per year. According to "Sex, Lies and Cyber-Crime Surveys," a research paper released earlier this year, that variability points to the problem with cybercrime data: Too much of it is based on self-reported statistics from too few respondents. With small sample sizes, "a single lie, transcription error, or exaggeration" can completely skew survey results, say the paper's authors, Microsoft researchers Dinei Florencio and Cormac Herley.

To see that effect at work, they point to an annual identity theft study from the Federal Trade Commission. "The FTC estimated identity theft at $47 billion in 2004, $15.6 billion in 2006 and $54 billion in 2008. Either there was a precipitous drop in 2006, or all of the estimates are extremely noisy," according to Florencio and Herley. To put the state of affairs mildly, cybercrime survey data is less than reliable.

Furthermore, studies of actual cybercrime networks suggest that criminals' profits may be less than people think. For example, University of California and Budapest Technology researchers looked at about 20 groups that fulfilled orders for pharmaceuticals that they had "advertised" via spam emails. But they found that only two of the roughly 20 groups they studied earned profits of more than $1 million per month. According to the researchers, "our results suggest that while the spam-advertised pharmacy market is substantial, with annual revenue in the many tens of millions of dollars, it has nowhere near the size claimed by some, and indeed falls vastly short of the annual expenditures on technical anti-spam solutions."

Likewise, researchers from the University of California, Santa Barbara, studied crime rings pushing fake antivirus software, which pretends to discover malware (besides itself) on users' computers, then scares them into buying a product to eliminate the infection. "The Underground Economy of Fake Antivirus Software," a paper to be presented next month at the eCrime 2011 conference in San Diego, estimates "the annual revenue of each criminal group at a few tens of millions of dollars," reports The Economist.

Why aren't cybercrime profits higher? Another study by Microsoft's Florencio and Herley investigates that question and finds a large gap between "potential and actual harm." Potentially, of course, attackers could be exploiting all of the weak links on people's PCs, ranging from known vulnerabilities to reused passwords stolen from other websites. But while that's possible in theory, in practice such attacks generally aren't practical.

For starters, attackers have to walk a fine line. If criminals let a botnet get too big, or fail to keep updating the underlying malware with the latest anti-security-tool defenses, security researchers may find a way to scuttle the botnet, and authorities may actually run them down, resulting in some significant jail time.

Botnet infections aside, however, outright cybercrime faces a significant challenge: It's difficult to turn a profit. "It's not enough that something succeed now-and-then, or when the circumstances are right, or when all the ducks are in a row," say Florencio and Herley. "When attacking users en masse, as Internet attackers do, attacks must be profitable at scale." As the studies of cybercrime profit show, thankfully, building really profitable online attacks at scale isn't a skill that most cybercriminals have mastered.

Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
10/24/2011 | 7:57:23 PM
re: Does Cybercrime Pay?
I agree that most published estimates are unreliable. I think the question on whether it pays is all relative to the cybercriminal. Is someone likely to become massively rich like Scarface? Probably not. But for say, an unemployed eastern european programmer, working for an identity theft ring can certainly pay better than many legitimate options.

Bprince
50%
50%
Bprince,
User Rank: Ninja
10/25/2011 | 1:26:10 AM
re: Does Cybercrime Pay?
I agree Jim. Also, since relatively few people seem to be brought to justice, it could be argued that cyber-crime has a better risk-reward ratio than other crimes.
Brian Prince, InformationWeek contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

CVE-2015-1951
Published: 2015-07-01
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX001, and 7.6.0 before 7.6.0.0 IFIX005 does not prevent caching of HTTPS responses, which allows physically proximate attackers to obtain sensitive local-cache information by leveraging an unattended workstation.

CVE-2015-1967
Published: 2015-07-01
MQ Explorer in IBM WebSphere MQ before 8.0.0.3 does not recognize the absence of the compatibility-mode option, which allows remote attackers to obtain sensitive information by sniffing the network for a session in which TLS is not used.

CVE-2014-9734
Published: 2015-06-30
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.

CVE-2014-9735
Published: 2015-06-30
The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for Wordpress does not properly restrict access to administrator AJAX functionality, which allows remote attackers to (1) upload and execute arbitrary files via an update_plugin a...

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report