Stolen Data's Black Market

Organized crime is chief buyer for information stolen by hackers and insiders, experts say

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 7, 2006

Computer crime is changing, experts agree. The Web-wide attack, designed to prove the hacker's proficiency, is out. The targeted attack -- designed to make a buck for the hacker or insider who initiates it -- is in, in, in.

So who's targeting your enterprise? And what's your data worth? Many IT people may be surprised at the answers, experts say.

The "black market" for stolen computer data is growing by leaps and bounds, according to experts who study computer crime and corporate espionage. "Before 1998, about 90 to 95 percent of all intrusions were done by individuals hacking out of curiosity," says Chris Pierson, founder of the cybersecurity and cyberliability practice at Lewis and Roca LLP, a Phoenix law firm. "That's entirely flipped now. I'd say 75 to 85 percent of all malicious attacks are coordinated by some organized group, even if it's a very loose organization."

"We're seeing a rapid growth in cooperative attacks, where an insider works in concert with some sort of external source to make a financial gain," says Brian Contos, chief security officer at ArcSight and author of the new book, Enemy at the Water Cooler, which outlines some of the recent trends and exploits in corporate computer crime. "It's not just hackers looking randomly for easy points of entry -- these are attacks on specific companies."

And although big-name companies and financial institutions are the most obvious targets, smaller and lesser-known organizations are on the hit list, too, Contos says. "Almost any company has some sensitive data that's valuable [to criminals]," he says. "A customer list can be used by a competitor or an identity thief. We've seen criminals hack into hospital systems just to get the Social Security numbers of the newborns. There's no one, obvious group of organizations that hackers are targeting."

The types of criminals who attack corporations are similarly diverse, experts say. There are still plenty of independent hackers out on the Web -- just look at the recent Black Hat and Defcon conferences -- who might sell vulnerabilities or stolen data by putting them up for auction.

"You can buy a rootkit for $75 that will give you all of the advice, logos, and templates you need to execute a phishing attack on the customers of a specific bank," observes Michael Rothschild, director of marketing at CounterStorm, which makes tools that help enterprises prevent insider attacks. Worms and viruses invented by independent hackers still make up a huge portion of the damage done to corporations each year, Pierson notes.

But the visibility of these individuals and their exploits sometimes belies the growing but largely unpublicized threat from organized criminals who buy data from hackers or insiders and sometimes contract with them to collect data from a specific corporation, experts agree.

"There is a growing interest from organizations, like the Russian or Italian mafias, which basically just see stolen data as another revenue stream, like drugs or prostitution," says Pierson. "But when I say 'organized,' I don't just mean those groups. I also mean loose associations of people who may combine their efforts to make money from the data."

Pierson gives the example of stolen customer credit card data, which is sometimes handled by multiple individuals in a joint effort. While credit card information might be collected through the collaboration of phishers and spammers, that data might then be passed to "cashers" who forge credit cards that use the numbers. Then those cards will be passed out to a network of "mules" who use the cards for small purchases -- the kind that might not be immediately detected by the victim -- and thrown away. Then the syndicate of players might sell the account information to another buyer, just as the parts of a stolen car might be resold. The person or group that organizes the syndicate gets a cut from all of the players.

"Often, it takes an organized group to really maximize the financial gain from a [data theft]," Pierson says. A similar sort of "syndicate" might be formed to fence stolen business secrets or customer lists to competitors, or to other nations or terrorist groups, he says.

What do criminals pay for this data? Not nearly as much as you'd think. "You can buy a hacked credit card on the Web for as little as $10," says Rothschild.

Contos relates a case in which an individual used botnets to install adware on user computers for a full year, accounting for more than a million installations. "In all that time, and with all the trouble he caused, he only made about $30,000," he says.

In a recent study of 150 cases of alleged spying on key U.S. data sources, the federal government found that 26 percent of the spies accepted between $10,000 and $100,000 to do their dirty work, Contos says. Eleven percent accepted less than $1,000.

"You'd think it would cost millions to get someone to sell out their country," Contos says. "But that's not necessarily the case."

Pierson says that criminals often keep the price of their exploits low so they can avoid detection and make choices easy for corporations. For example, an extortionist might develop the means to launch a denial-of-service attack against a major search engine but only ask for $50,000 in ransom.

"If you're a site like Amazon or one of the big organizations that might lose $5 million in less than an hour of downtime, it's a pretty easy choice to pay a relatively small ransom like that and avoid all of the negative publicity," he says. Although Pierson's firm has handled many legal cases involving hackers, corporate espionage, and extortion, "we have never had a case that involved more than $200,000 paid to the alleged criminal," he says.

In fact, Pierson says the vast majority of computer crimes committed against corporations never see the light of day. "We estimate that only about 8 percent of the cases ever make it to the point where a company seeks assistance from outside counsel," he says. "And even then, sometimes companies call us, and then decide not to pursue it."

Most of the time, companies prefer to settle their computer crime cases without consulting law enforcement, and sometimes without even consulting their own legal counsel, Pierson says. External hackers may be paid off; insiders may be disciplined or dismissed; and in some cases, the crime is never detected.

Although there are cases in which external hackers break into an enterprise they find attractive, most targeted attacks involve some help from an insider, experts say. In many cases, the insider is an employee who feels slighted by the organization and is receptive to an inquiry from a targeted hacker, or goes out looking for a place to sell the information.

"There have been cases where an employee was coerced or blackmailed into participating, but according to the data I've seen, 69 percent of insiders said they just did it for the money," says Contos. "It's not a very surprising conclusion, but greed is usually the main motivator."

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
