Dark Reading is part of the Informa Tech Division of Informa PLC


6/3/2009
02:25 PM

Report: Cybercrime Riches Are Hard To Come By

Researchers from Microsoft say stolen goods offered for sale in IRC channels are tough to monetize, and industry estimates of underground profits are "exaggerated"

Turns out the profitability of cybercrime may have been greatly exaggerated. According to a new report by two researchers for Microsoft's research organization, cybercrime doesn't equal easy money after all, despite findings to the contrary.

In their report, titled "Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy," Microsoft researchers Cormac Herley and Dinei Florencio say it's a smaller population of more sophisticated and organized gangs of cybercriminals who come out ahead. "While there is a great deal of activity in the underground economy marketplace, it does not imply a lot of dollars change hands," they wrote in their paper. Lucrative cybercrime doesn't occur in the open IRC space because "rippers," or those who don't deliver the goods and services they "sell" there, damage the market, they say.

The researchers also took on security-vendor research (as well as that of Gartner) that estimates the value of the underground economy based on the price tags of wares sold via IRC: "We believe that anyone who shows up on an IRC channel hoping to trade profitably with anonymous partners is almost certain to be cheated. Thus, estimating the dollar size of the underground economy based on the asking price of goods and services advertised on IRC networks appears unsound," they say. "We find that the published estimates of the dollar value of underground economy IRC channels are exaggerated. They are derived by simply adding the unverified claims of anonymous channel participants (who include rippers). Those who lie most and exaggerate most affect the average most."

More nimble and organized alliances and gangs of cybercriminals incur lower overhead by banding together, and they are the sector making a profit. Herley and Florencio said rippers bring instability into the IRC marketplace, making it too risky to do any real business. "We emphasize that the activities of the upper tier are largely invisible and probably account for a majority of the losses," they said.

Researcher Nitesh Dhanjani says the researchers have raised a bigger elephant-in-the-room issue of vendor-sponsored research, as well as flawed logic for calculating the size of the black market. "I think this is the bigger issue [of the research here]...We cannot get a handle on what the situation is, who the agents are that we are up against, and if we are continuously bombarded with bogus statistics in the name of science. I feel Herley and Dinei, in addition to the specifics of the paper, are helping us raise consciousness about this so we are able to distinguish between marketing speak and real scientific discourse," Dhanjani says.

The security industry relies on statistics from biased companies, Dhanjani says. "When was the last time we heard a security firm publish an opinion that played down the impact of anything? In some sense we wouldn't expect them to -- after all, security corporations are businesses, too. But on the other hand, we have not done a good job of distinguishing marketing speak against scientific discourse," he says.

Dhanjani, who along with fellow researcher Billy Rios infiltrated the phishing underground to profile phishers and their activities, agrees that estimates of billions of dollars in losses don't add up. "I remembered [during our phishing research] going through the vast amount of underground message boards and IRC channels where phishers and scam artists convene, noting how much of a constant struggle it was for the criminals to monetize -- including cases where criminals attempted to scam other criminals -- and wondering how it is that such a struggling system could correlate to a loss of billions of dollars. It just didn't feel right," Dhanjani says.

This isn't the first time "myth busters" Herley and Florencio have shot down conventional wisdom about cybercrime: Earlier this year, they used an economic analysis method to show phishing was not as lucrative as once thought. Their economic models concluded that phishing is a low-paid, low-skills enterprise where the average phisher makes hundreds, rather than thousands, of dollars a year. The researchers' work is their own, they say, and doesn't speak for Microsoft.

"The more automated, the lower the barrier to entry, [and] the lower the effective return. When it's automated, it becomes a low-skill endeavor, and low-skill jobs pay like low-skill jobs," Herley said in an earlier interview.

Their latest research takes the analysis to another level.

Stolen bank credit card numbers and bank credentials are not easy to monetize, the researchers said in their report, so stealing this information doesn't necessarily translate into profit: "Goods offered for sale on the IRC channels are hard to monetize. Those who sell there are clearly unable to monetize the goods themselves or need someone who will do so for a smaller premium than the ripper tax," they say in their report, noting that stolen credit cards and CCNs are most of what's sold on IRC channels.

"This implies that getting credentials is only a first step, and by no means the most important one, in the chain of fraud," they wrote. "The IRC markets on the underground economy represent a classic example of a market for lemons. The rippers who steal from other participants ensure that buying and selling is heavily taxed."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
