The setting: the back of a college lecture hall on a balmy August day — the first class of Freshman year. The professor shuffles to the chalk board and draws a graph with two diagonal lines forming an X. “Lesson #1,” he says, “supply and demand.”
Ah, good ol’ supply and demand.
Nowhere is this lesson more applicable than in the cyber criminal world. Many people struggle to perceive the vibrant underground marketplaces where stolen information is bought and sold. Where do all the stolen Home Depot and Target credit cards go? Where do the Anthem health records get turned from mere PII into cash? Who is buying? Who is selling?
The Pillars of the Cybercrime Economy
The economy feeds mostly on spamming, credit card fraud, and the sales of pharmaceuticals or drugs. Some of this involves willing participants (people who respond to spam or buy prescriptions and other drugs online), while other channels are fed by unaware victims (breached bank accounts, stolen credit cards, etc). Stolen information can be leveraged to carry out identity theft, launch spam campaigns, or re-purposed in other cyber attacks. Criminals across the web are willing to pay top dollar for a strong source of stolen credit card numbers, social security numbers, social media account credentials or even just email addresses.
Just like any other economy, cybercrime is founded on the principles of supply and demand. As long as there is demand on the civilian side (people willing to buy drugs, medication and goods with questionable origins) as well as on the shadow economy side (stolen credit cards and botnet rentals for DDoS and spamming campaigns), the economy won’t easily be stopped.
Structure of the Cybercrime Economy
The cybercrime economy works much like a normal economy, demarcated into groups who specialize in certain elements of the supply and demand chain. The main areas of expertise are:
- Marketing and traffic generation: These are the groups who set up the bait — fancy graphics on scamming sites, clickbait articles, ad placement in legitimate traffic, and leveraging trends and engaging with potential victims online. These actors are usually provided a URL schema of where to point traffic and are paid much like online marketers (per-click or per-install).
- Malware brokers: These groups operate the actual malicious code that is delivered to unsuspecting victims. They usually use ready-to-use exploit kits such as BlackHole, Phoenix, Eleanore, RedKit, etc. These kits are commercially distributed in specialized forums and websites and include several exploits that target different browsers and operating systems. The kits provide the distributor the option to choose which malware to deliver to victims.
- Botnet “herders”: Operators of botnets buy the malware and maintain it within the botnet. Malware is usually available commercially (with support) so that a botnet operator simply needs to run C&C (command and control) infrastructure and deploy the bots. The botnet herders themselves usually do not engage in monetization of the compromised machines, as they defer that risk to other groups who specialize in specific elements of monetization. The main “direct” business that they engage in is using the botnet to distribute spam or conduct DDoS (Distributed Denial of Service) attacks. The bot herders usually offer DDoS-as-a-service to the highest bidder in underground forums.
- Monetization specialists: These groups specialize in monetizing the data harvested from the victims — from credit card and bank account numbers to sensitive corporate data. These groups collect stolen information and sell it on criminal forums to other malicious actors. This data can be subsequently leveraged for a host of purposes, including identity theft, credit card fraud, spam marketing, social engineering scams or additional cybercrime .
- Money laundering: A subset of the monetization specialization focuses on money laundering through schemes such as “work from home as an account specialist” (cashing in on fraudulent checks, and wiring the balances forward), “re-shipping scams” (receiving goods that were bought with stolen credit cards, and reshipping them several times over until they can be re-sold), and other means of laundering money from compromised assets.
In the past, online crime was a smaller scale economy with multiple small players having the ability to run operations on a limited scale. Ever since cybercrime picked up traction and was recognized for its global reach and legal immunities, traditional organized crime has adopted it as a lucrative channel and expanded it to additional markets (fake pharma, drugs, etc). Now, most larger scale cybercrime operations are “protected” by traditional organized crime operations.
Who’s in charge?
It’s difficult to pinpoint the “heads” of the economy. I think that Brian Krebs has done a fantastic job with one specific element of a cybercrime operation (pharma and spam) by identifying a few key personalities (in Russia). But going down that rabbit hole is a long and sometimes dangerous route, which is best left for law enforcement. The main issue here is obviously jurisdiction — this has played well into the hands of criminals that operate out of countries where computer crime laws are more relaxed (or nonexistent) and are slow to cooperate with western law enforcement efforts.
The Cost of Cybercrime and How We Can Stop It
So what’s the big deal — how does this underground economy influence the economy we see day to day?
The financial markets themselves are highly sensitive to the impact of cyber crime. Criminals have the ability to easily affect smaller stocks (existing pump-and-dump schemes proliferate on the penny stock markets), and they have an understanding of how major markets are influenced (from technology “glitches” to fake news and unsubstantiated rumors). Criminals are likely to exploit these opportunities to play the stock markets, exchanges and forex platforms to their advantage. Additionally, fluctuating bitcoin markets (which affects forex trades) and verticals that can be affected through social engineering (the Fin4 example) are both targets for exploitation on a mass scale.
The common scamming of the everyday internet user has intangible yet serious fall-out. When aggregated, petty cyber crime accounts for billions lost to the black market. Now consider cyber crime on an enterprise or nation-state level. The Sony hack alone will have a ripple effect costing billions of dollars. There is a good reason cyber security spending surpassed 70 billion in 2014: breaches are costly. Very costly.
I have often been asked if there is an effective way to “cut off the head” of the economy in order to stall its growth. The short answer is “no.” If you cut off the head, another 3 will take its place. As long as the practice is lucrative and doesn’t yield severe consequences on a repeatable and consistent basis, the economic forces will keep that head alive and kicking. Efforts to crack down on operations from law enforcement and the industry have proven to be inconsistent. Even when they are effective, it leaves the criminal economy wide open for new criminal entrepreneurs to fill in.
Monopolies of critical industries, such as pharma, causes people to look for alternate sources of cheaper medication, which will be met with the supply on the cybercrime side. In my opinion, this is true in severely imbalanced industries as well. Without organic equilibrium in the legitimate market, cybercrime will thrive on the black market. Because much of the economy is derived from gullible or uneducated users, currently, the marketplace is thriving. Therefore, education may be our best line of defense. I do believe that focusing on educating victims and civilians on the implications of “feeding” the cyber criminal economy would be effective in decreasing its impact. Doing so reduces demand and undermines the process from the ground up.