Vulnerabilities / Threats
10/21/2011
12:36 PM
50%
50%

Does Cybercrime Pay?

Turning a profit in today's underground economy remains tough. Here's why.

Does cybercrime pay? Maybe not as much as you'd expect.

Law enforcement agencies trumpet whenever they bust a cybercrime gang, in part to try and deter other criminals. Some of those takedowns have jailed rings that stole millions of dollars.

Busts, of course, highlight only crimes that have been spotted and criminals caught. What about the crimes no one knows about? We won't be reading any press releases on online criminals evading law enforcement agencies or operating from countries without cybercrime laws.

How many millionaire or even billionaire spam and malware kings are at large? Estimates of the annual cybercrime tab vary widely, from $560 million to $1 trillion per year. According to "Sex, Lies and Cyber-Crime Surveys," a research paper released earlier this year, that variability points to the problem with cybercrime data: Too much of it is based on self-reported statistics from too few respondents. With small sample sizes, "a single lie, transcription error, or exaggeration" can completely skew survey results, say the paper's authors, Microsoft researchers Dinei Florencio and Cormac Herley.

To see that effect at work, they point to an annual identity theft study from the Federal Trade Commission. "The FTC estimated identity theft at $47 billion in 2004, $15.6 billion in 2006 and $54 billion in 2008. Either there was a precipitous drop in 2006, or all of the estimates are extremely noisy," according to Florencio and Herley. To put the state of affairs mildly, cybercrime survey data is less than reliable.

Furthermore, studies of actual cybercrime networks suggest that criminals' profits may be less than people think. For example, University of California and Budapest Technology researchers looked at about 20 groups that fulfilled orders for pharmaceuticals that they had "advertised" via spam emails. But they found that only two of the roughly 20 groups they studied earned profits of more than $1 million per month. According to the researchers, "our results suggest that while the spam-advertised pharmacy market is substantial, with annual revenue in the many tens of millions of dollars, it has nowhere near the size claimed by some, and indeed falls vastly short of the annual expenditures on technical anti-spam solutions."

Likewise, researchers from the University of California, Santa Barbara, studied crime rings pushing fake antivirus software, which pretends to discover malware (besides itself) on users' computers, then scares them into buying a product to eliminate the infection. "The Underground Economy of Fake Antivirus Software," a paper to be presented next month at the eCrime 2011 conference in San Diego, estimates "the annual revenue of each criminal group at a few tens of millions of dollars," reports The Economist.

Why aren't cybercrime profits higher? Another study by Microsoft's Florencio and Herley investigates that question and finds a large gap between "potential and actual harm." Potentially, of course, attackers could be exploiting all of the weak links on people's PCs, ranging from known vulnerabilities to reused passwords stolen from other websites. But while that's possible in theory, in practice such attacks generally aren't practical.

For starters, attackers have to walk a fine line. If criminals let a botnet get too big, or fail to keep updating the underlying malware with the latest anti-security-tool defenses, security researchers may find a way to scuttle the botnet, and authorities may actually run them down, resulting in some significant jail time.

Botnet infections aside, however, outright cybercrime faces a significant challenge: It's difficult to turn a profit. "It's not enough that something succeed now-and-then, or when the circumstances are right, or when all the ducks are in a row," say Florencio and Herley. "When attacking users en masse, as Internet attackers do, attacks must be profitable at scale." As the studies of cybercrime profit show, thankfully, building really profitable online attacks at scale isn't a skill that most cybercriminals have mastered.

Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
10/24/2011 | 7:57:23 PM
re: Does Cybercrime Pay?
I agree that most published estimates are unreliable. I think the question on whether it pays is all relative to the cybercriminal. Is someone likely to become massively rich like Scarface? Probably not. But for say, an unemployed eastern european programmer, working for an identity theft ring can certainly pay better than many legitimate options.

Bprince
50%
50%
Bprince,
User Rank: Ninja
10/25/2011 | 1:26:10 AM
re: Does Cybercrime Pay?
I agree Jim. Also, since relatively few people seem to be brought to justice, it could be argued that cyber-crime has a better risk-reward ratio than other crimes.
Brian Prince, InformationWeek contributor
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9651
Published: 2015-08-28
Buffer overflow in CHICKEN 4.9.0.x before 4.9.0.2, 4.9.x before 4.9.1, and before 5.0 allows attackers to have unspecified impact via a positive START argument to the "substring-index[-ci] procedures."

CVE-2015-1171
Published: 2015-08-28
Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

CVE-2015-2987
Published: 2015-08-28
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.

CVE-2015-6266
Published: 2015-08-28
The guest portal in Cisco Identity Services Engine (ISE) 3300 1.2(0.899) does not restrict access to uploaded HTML documents, which allows remote attackers to obtain sensitive information from customized documents via a direct request, aka Bug ID CSCuo78045.

CVE-2015-5367
Published: 2015-08-27
The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00.15.1803 on EliteBook, ElitePad, Elite, ProBook, Spectre, ZBook, and mt41 Thin Client devices allows local users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.