{"id":1414,"date":"2008-12-08T16:57:55","date_gmt":"2008-12-08T23:57:55","guid":{"rendered":"http:\/\/gillin.com\/blog\/?p=1414"},"modified":"2009-09-12T04:22:14","modified_gmt":"2009-09-12T11:22:14","slug":"the-crime-economy","status":"publish","type":"post","link":"https:\/\/gillin.com\/blog\/2008\/12\/the-crime-economy\/","title":{"rendered":"The Crime Economy"},"content":{"rendered":"<p><em>From Innovations, a website published by Ziff-Davis Enterprise from mid-2006 to mid-2009. Reprinted by permission.<\/em><\/p>\n<p>Is access to your corporate Web server worth $740?\u00a0 That&#8217;s the average price a computer criminal pays today for information about a security flaw at a specific financial institution, according to a new report from Symantec.\u00a0 While some exploits command as much as $3,000, information about other corporate security flaws is being sold for as little as $100.<\/p>\n<p>That&#8217;s not the only example of corporate security on sale.\u00a0 Hackers can purchase links to webpages that have known security vulnerabilities for about 40 cents per link in bundles of 500.\u00a0 Or they can buy their own remote file inclusion (RFI) scanner for about $25 and identify those PHP-induced flaws themselves.<\/p>\n<p>This information and much more is contained in a new report entitled \u201c<a href=\"https:\/\/eval.symantec.com\/mktginfo\/enterprise\/white_papers\/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf\">Symantec Report on the Underground Economy<\/a>\u201d that can be freely downloaded from Symantec&#8217;s website.\u00a0 The 84-page document paints a picture of a vast marketplace that traffics in the tools and the spoils of computer crime, creating a recursive ecosystem that feeds upon its own success.<\/p>\n<p>The report is hair-raising, not so much because it identifies new vulnerabilities in corporate information systems but because it documents the efficiency of the market that traffics in the tools and spoils of 
computer crime.<\/p>\n<p>In this new underground economy, tens of thousands of anonymous entities advertise tools that can be purchased for modest sums and used to create spam attacks, phishing farms and direct assaults on corporate servers.\u00a0 The people who buy these tools then sell the spoils of their work to brokers who remarket the information to other criminals.<\/p>\n<p>Those groups may in turn produce bogus credit cards or orchestrate massive credit fraud and identity theft operations that cost businesses billions of dollars in losses.\u00a0 One estimate put the cost of phishing attacks alone at $2.1 billion for US consumers and businesses in 2007.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" align=\"left\">\n<tbody>\n<tr>\n<td width=\"474\" valign=\"top\">\n<h3>Vulnerability for Sale<\/h3>\n<p><img loading=\"lazy\" class=\"alignright size-full wp-image-1606\" title=\"vulnerability_prices\" src=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2008\/12\/vulnerability_prices.GIF\" alt=\"vulnerability_prices\" width=\"484\" height=\"170\" srcset=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2008\/12\/vulnerability_prices.GIF 462w, https:\/\/gillin.com\/blog\/wp-content\/uploads\/2008\/12\/vulnerability_prices-300x105.GIF 300w\" sizes=\"(max-width: 484px) 100vw, 484px\" \/><\/td>\n<\/tr>\n<tr>\n<td width=\"474\" valign=\"top\"><\/td>\n<\/tr>\n<tr>\n<td width=\"474\" valign=\"top\">Source: Symantec<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The electronic flea markets that enable this evil are networks of IRC servers and covert websites that\u00a0 visitors use to bid upon tools and information.\u00a0 The average price of a botnet, for example, is just $225 and a single botnet can be rented out for use by other criminals to produce an income stream or specialized service. Hackers can buy all the security-busting software they want for less than $500. 
Who needs to be a technical expert any more?<\/p>\n<p>Skilled professional criminals can rake in unbelievable sums.\u00a0 Symantec estimates that one organization that specializes in phishing made $150 million in 2006 from stealing bank credentials alone.\u00a0 Another operation that mass-produced counterfeit credit cards was reportedly earning up to $100,000 a day.<\/p>\n<p>The disheartening message in these statistics is that the enemy of corporate security managers is no longer a script kiddie working in his basement but a vast and faceless network of entrepreneurs and arbitrage experts cooperating in a strikingly efficient marketplace with total anonymity.\u00a0 In a one-year period, Symantec observed nearly 70,000 advertisers on various underground economy servers hosting more than 44 million messages.\u00a0 These criminals are so active because the system works.\u00a0 Computer crime has become, in effect, a vast peer-to-peer network. And as the recording industry has learned painfully, peer-to-peer networks are nearly impossible to stamp out.<\/p>\n<p>If you&#8217;re hoping to hear about the magic pill to cure this problem, you&#8217;re out of luck. The Symantec report offers no advice, either. Instead, it documents the sophistication of a distributed operation that is financially motivated to constantly attack the institutions of commerce and government. Our only defense is to be buttoned down, well-educated and prepared for a long struggle.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>From Innovations, a website published by Ziff-Davis Enterprise from mid-2006 to mid-2009. Reprinted by permission. 
Is access to your corporate Web server worth $740?\u00a0 That&#8217;s the average price a computer criminal pays today for information about a security flaw at &hellip; <a href=\"https:\/\/gillin.com\/blog\/2008\/12\/the-crime-economy\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":""},"categories":[143],"tags":[164,166,165],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pTy95-mO","_links":{"self":[{"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/posts\/1414"}],"collection":[{"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/comments?post=1414"}],"version-history":[{"count":6,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/posts\/1414\/revisions"}],"predecessor-version":[{"id":1608,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/posts\/1414\/revisions\/1608"}],"wp:attachment":[{"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/media?parent=1414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/categories?post=1414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/tags?post=1414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}