Report: Cybercrime Riches Are Hard To Come By

Turns out the profitability of cybercrime may have been greatly exaggerated. According to a new report by two researchers for Microsoft's research organization, cybercrime doesn't equal easy money after all, despite findings to the contrary.

In their report, titled "Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy," Microsoft researchers Cormac Herley and Dinei Florencio say it's a smaller population of more sophisticated and organized gangs of cybercriminals who come out ahead. "While there is a great deal of activity in the underground economy marketplace, it does not imply a lot of dollars change hands," they wrote in their paper. Lucrative cybercrime doesn't occur in the open IRC space because "rippers," or those who don't deliver the goods and services they "sell" there, damage the market, they say.

The researchers also took on security-vendor research (as well as that of Gartner) that estimates the value of the underground economy based on the price tags of wares sold via IRC: "We believe that anyone who shows up on an IRC channel hoping to trade profitably with anonymous partners is almost certain to be cheated. Thus, estimating the dollar size of the underground economy based on the asking price of goods and services advertised on IRC networks appears unsound," they say. "We find that the published estimates of the dollar value of underground economy IRC channels are exaggerated. They are derived by simply adding the unverified claims of anonymous channel participants (who include rippers). Those who lie most and exaggerate most affect the average most."

More nimble and organized alliances and gangs of cybercriminals incur lower overhead by banding together, and they are the sector making a profit. Herley and Florencio said rippers bring instability into the IRC marketplace, making it too risky to do any real business. "We emphasize that the activities of the upper tier are largely invisible and probably account for a majority of the losses," they said.

Researcher Nitesh Dhanjani says the researchers have raised a bigger elephant-in-the-room issue of vendor-sponsored research, as well as flawed logic for calculating the size of the black market. "I think this is the bigger issue [of the research here]...We cannot get a handle on what the situation is, who the agents are that we are up against, and if we are continuously bombarded with bogus statistics in the name of science. I feel Herley and Dinei, in addition to the specifics of the paper, are helping us raise consciousness about this so we are able to distinguish between marketing speak and real scientific discourse," Dhanjani says.

The security industry relies on statistics from biased companies, Dhanjani says. "When was the last time we heard a security firm publish an opinion that played down the impact of anything? In some sense we wouldn't expect them to -- after all, security corporations are businesses, too. But on the other hand, we have not done a good job of distinguishing marketing speak against scientific discourse," he says.

Dhanjani, who along with fellow researcher Billy Rios infiltrated the phishing underground to profile phishers and their activities, agrees that estimates of billions of dollars in losses don't add up. "I remembered [during our phishing research] going through the vast amount of underground message boards and IRC channels where phishers and scam artists convene, noting how much of a constant struggle it was for the criminals to monetize -- including cases where criminals attempted to scam other criminals -- and wondering how it is that such a struggling system could correlate to a loss of billions of dollars. It just didn't feel right," Dhanjani says.

This isn't the first time "myth busters" Herley and Florenci have shot down conventional wisdom about cybercime: Earlier this year, they used an economic analysis method to show phishing was not as lucrative as once thought. Their economic models concluded that phishing is a low-paid, low-skills enterprise where the average phisher makes hundreds, rather than thousands, of dollars a year. The researchers' work is their own, they say, and doesn't speak for Microsoft.

"The more automated, the lower the barrier to entry, [and] the lower the effective return. When it's automated, it becomes a low-skill endeavor, and low-skill jobs pay like low-skill jobs," Herley said in an earlier interview.

Their latest research takes the analysis to another level.

Stolen bank credit card numbers and bank credentials are not easy to monetize, the researchers said in their report, so stealing this information doesn't necessarily translate into profit: "Goods offered for sale on the IRC channels are hard to monetize. Those who sell there are clearly unable to monetize the goods themselves or need someone who will do so for a smaller premium than the ripper tax," they say in their report, noting that stolen credit cards and CCNs are most of what's sold on IRC channels.

"This implies that getting credentials is only a first step, and by no means the most important one, in the chain of fraud," they wrote. "The IRC markets on the underground economy represent a classic example of a market for lemons. The rippers who steal from other participants ensure that buying and selling is heavily taxed."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.