Vulnerabilities / Threats
10/21/2011
12:36 PM
Connect Directly
RSS
E-Mail
50%
50%

Does Cybercrime Pay?

Turning a profit in today's underground economy remains tough. Here's why.

Does cybercrime pay? Maybe not as much as you'd expect.

Law enforcement agencies trumpet whenever they bust a cybercrime gang, in part to try and deter other criminals. Some of those takedowns have jailed rings that stole millions of dollars.

Busts, of course, highlight only crimes that have been spotted and criminals caught. What about the crimes no one knows about? We won't be reading any press releases on online criminals evading law enforcement agencies or operating from countries without cybercrime laws.

How many millionaire or even billionaire spam and malware kings are at large? Estimates of the annual cybercrime tab vary widely, from $560 million to $1 trillion per year. According to "Sex, Lies and Cyber-Crime Surveys," a research paper released earlier this year, that variability points to the problem with cybercrime data: Too much of it is based on self-reported statistics from too few respondents. With small sample sizes, "a single lie, transcription error, or exaggeration" can completely skew survey results, say the paper's authors, Microsoft researchers Dinei Florencio and Cormac Herley.

To see that effect at work, they point to an annual identity theft study from the Federal Trade Commission. "The FTC estimated identity theft at $47 billion in 2004, $15.6 billion in 2006 and $54 billion in 2008. Either there was a precipitous drop in 2006, or all of the estimates are extremely noisy," according to Florencio and Herley. To put the state of affairs mildly, cybercrime survey data is less than reliable.

Furthermore, studies of actual cybercrime networks suggest that criminals' profits may be less than people think. For example, University of California and Budapest Technology researchers looked at about 20 groups that fulfilled orders for pharmaceuticals that they had "advertised" via spam emails. But they found that only two of the roughly 20 groups they studied earned profits of more than $1 million per month. According to the researchers, "our results suggest that while the spam-advertised pharmacy market is substantial, with annual revenue in the many tens of millions of dollars, it has nowhere near the size claimed by some, and indeed falls vastly short of the annual expenditures on technical anti-spam solutions."

Likewise, researchers from the University of California, Santa Barbara, studied crime rings pushing fake antivirus software, which pretends to discover malware (besides itself) on users' computers, then scares them into buying a product to eliminate the infection. "The Underground Economy of Fake Antivirus Software," a paper to be presented next month at the eCrime 2011 conference in San Diego, estimates "the annual revenue of each criminal group at a few tens of millions of dollars," reports The Economist.

Why aren't cybercrime profits higher? Another study by Microsoft's Florencio and Herley investigates that question and finds a large gap between "potential and actual harm." Potentially, of course, attackers could be exploiting all of the weak links on people's PCs, ranging from known vulnerabilities to reused passwords stolen from other websites. But while that's possible in theory, in practice such attacks generally aren't practical.

For starters, attackers have to walk a fine line. If criminals let a botnet get too big, or fail to keep updating the underlying malware with the latest anti-security-tool defenses, security researchers may find a way to scuttle the botnet, and authorities may actually run them down, resulting in some significant jail time.

Botnet infections aside, however, outright cybercrime faces a significant challenge: It's difficult to turn a profit. "It's not enough that something succeed now-and-then, or when the circumstances are right, or when all the ducks are in a row," say Florencio and Herley. "When attacking users en masse, as Internet attackers do, attacks must be profitable at scale." As the studies of cybercrime profit show, thankfully, building really profitable online attacks at scale isn't a skill that most cybercriminals have mastered.

Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
10/24/2011 | 7:57:23 PM
re: Does Cybercrime Pay?
I agree that most published estimates are unreliable. I think the question on whether it pays is all relative to the cybercriminal. Is someone likely to become massively rich like Scarface? Probably not. But for say, an unemployed eastern european programmer, working for an identity theft ring can certainly pay better than many legitimate options.

Bprince
50%
50%
Bprince,
User Rank: Ninja
10/25/2011 | 1:26:10 AM
re: Does Cybercrime Pay?
I agree Jim. Also, since relatively few people seem to be brought to justice, it could be argued that cyber-crime has a better risk-reward ratio than other crimes.
Brian Prince, InformationWeek contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.