The Crime Economy

From Innovations, a website published by Ziff-Davis Enterprise from mid-2006 to mid-2009. Reprinted by permission.

Is access to your corporate Web server worth $740? That’s the average price a computer criminal pays today for information about a security flaw at a specific financial institution, according to a new report from Symantec. While some exploits command as much as $3,000, information about other corporate security flaws is being sold for as little as $100.

That’s not the only example of corporate security on sale. Hackers can purchase links to Web pages that have known security vulnerabilities for about 40 cents per link in bundles of 500. Or they can buy their own remote file inclusion (RFI) scanner for about $25 and identify those PHP-induced flaws themselves.

This information and much more is contained in a new report entitled “Symantec Report on the Underground Economy” that can be freely downloaded from Symantec’s website.  The 84-page document paints a picture of a vast marketplace that traffics in the tools and the spoils of computer crime, creating a recursive ecosystem that feeds upon its own success.

The report is hair-raising, not so much because it identifies new vulnerabilities in corporate information systems but because it documents the efficiency of the market that traffics in the tools and spoils of computer crime.

In this new underground economy, tens of thousands of anonymous entities advertise tools that can be purchased for modest sums and used to create spam attacks, phishing farms and direct assaults on corporate servers.  The people who buy these tools then sell the spoils of their work to brokers who remarket the information to other criminals.

Those groups may in turn produce bogus credit cards or orchestrate massive credit fraud and identity theft operations that cost businesses billions of dollars in losses.  One estimate put the cost of phishing attacks alone at $2.1 billion for US consumers and businesses in 2007.

[Figure: Vulnerability for Sale, a table of underground prices for vulnerability information. Source: Symantec]

The electronic flea markets that enable this evil are networks of IRC servers and covert websites that visitors use to bid upon tools and information. The average price of a botnet, for example, is just $225, and a single botnet can be rented out for use by other criminals to produce an income stream or specialized service. Hackers can buy all the security-busting software they want for less than $500. Who needs to be a technical expert anymore?

Skilled professional criminals can rake in unbelievable sums.  Symantec estimates that one organization that specializes in phishing made $150 million in 2006 from stealing bank credentials alone.  Another operation that mass-produced counterfeit credit cards was reportedly earning up to $100,000 a day.

The disheartening message in these statistics is that the enemy of corporate security managers is no longer a script kiddie working in his basement but a vast and faceless network of entrepreneurs and arbitrage experts cooperating in a strikingly efficient marketplace with total anonymity.  In a one-year period, Symantec observed nearly 70,000 advertisers on various underground economy servers hosting more than 44 million messages.  These criminals are so active because the system works.  Computer crime has become, in effect, a vast peer-to-peer network. And as the recording industry has learned painfully, peer-to-peer networks are nearly impossible to stamp out.

If you’re hoping to hear about the magic pill to cure this problem, you’re out of luck. The Symantec report offers no advice, either. Instead, it documents the sophistication of a distributed operation that is financially motivated to constantly attack the institutions of commerce and government. Our only defense is to be buttoned down, well-educated and prepared for a long struggle.