
6/3/2009
02:25 PM

Report: Cybercrime Riches Are Hard To Come By

Researchers from Microsoft say stolen goods offered for sale in IRC channels are tough to monetize, and industry estimates of underground profits are "exaggerated"

Turns out the profitability of cybercrime may have been greatly exaggerated. According to a new report by two researchers for Microsoft's research organization, cybercrime doesn't equal easy money after all, despite findings to the contrary.

In their report, titled "Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy," Microsoft researchers Cormac Herley and Dinei Florencio say it's a smaller population of more sophisticated and organized gangs of cybercriminals who come out ahead. "While there is a great deal of activity in the underground economy marketplace, it does not imply a lot of dollars change hands," they wrote in their paper. Lucrative cybercrime doesn't occur in the open IRC space because "rippers," or those who don't deliver the goods and services they "sell" there, damage the market, they say.

The researchers also took on security-vendor research (as well as that of Gartner) that estimates the value of the underground economy based on the price tags of wares sold via IRC: "We believe that anyone who shows up on an IRC channel hoping to trade profitably with anonymous partners is almost certain to be cheated. Thus, estimating the dollar size of the underground economy based on the asking price of goods and services advertised on IRC networks appears unsound," they say. "We find that the published estimates of the dollar value of underground economy IRC channels are exaggerated. They are derived by simply adding the unverified claims of anonymous channel participants (who include rippers). Those who lie most and exaggerate most affect the average most."

More nimble and organized alliances and gangs of cybercriminals incur lower overhead by banding together, and they are the sector making a profit. Herley and Florencio said rippers bring instability into the IRC marketplace, making it too risky to do any real business. "We emphasize that the activities of the upper tier are largely invisible and probably account for a majority of the losses," they said.

Researcher Nitesh Dhanjani says the researchers have raised a bigger elephant-in-the-room issue of vendor-sponsored research, as well as flawed logic for calculating the size of the black market. "I think this is the bigger issue [of the research here]...We cannot get a handle on what the situation is, who the agents are that we are up against, and if we are continuously bombarded with bogus statistics in the name of science. I feel Herley and Dinei, in addition to the specifics of the paper, are helping us raise consciousness about this so we are able to distinguish between marketing speak and real scientific discourse," Dhanjani says.

The security industry relies on statistics from biased companies, Dhanjani says. "When was the last time we heard a security firm publish an opinion that played down the impact of anything? In some sense we wouldn't expect them to -- after all, security corporations are businesses, too. But on the other hand, we have not done a good job of distinguishing marketing speak against scientific discourse," he says.

Dhanjani, who along with fellow researcher Billy Rios infiltrated the phishing underground to profile phishers and their activities, agrees that estimates of billions of dollars in losses don't add up. "I remembered [during our phishing research] going through the vast amount of underground message boards and IRC channels where phishers and scam artists convene, noting how much of a constant struggle it was for the criminals to monetize -- including cases where criminals attempted to scam other criminals -- and wondering how it is that such a struggling system could correlate to a loss of billions of dollars. It just didn't feel right," Dhanjani says.

This isn't the first time "myth busters" Herley and Florencio have shot down conventional wisdom about cybercrime: Earlier this year, they used an economic analysis method to show phishing was not as lucrative as once thought. Their economic models concluded that phishing is a low-paid, low-skills enterprise where the average phisher makes hundreds, rather than thousands, of dollars a year. The researchers' work is their own, they say, and doesn't speak for Microsoft.

"The more automated, the lower the barrier to entry, [and] the lower the effective return. When it's automated, it becomes a low-skill endeavor, and low-skill jobs pay like low-skill jobs," Herley said in an earlier interview.

Their latest research takes the analysis to another level.

Stolen bank credit card numbers and bank credentials are not easy to monetize, the researchers said in their report, so stealing this information doesn't necessarily translate into profit: "Goods offered for sale on the IRC channels are hard to monetize. Those who sell there are clearly unable to monetize the goods themselves or need someone who will do so for a smaller premium than the ripper tax," they say in their report, noting that stolen credit cards and CCNs are most of what's sold on IRC channels.

"This implies that getting credentials is only a first step, and by no means the most important one, in the chain of fraud," they wrote. "The IRC markets on the underground economy represent a classic example of a market for lemons. The rippers who steal from other participants ensure that buying and selling is heavily taxed."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
