While the global economy is grinding to a standstill, the underground economy is thriving. This increasingly mature, efficient marketplace is providing cybercriminals a profitable forum for buying and selling millions of dollars worth of stolen goods and fraud-related services.
According to Symantec Corp.'s November 2008 "Report on the Underground Economy," which is derived from data gathered by the company's Security Technology and Response (STAR) organization between July 1, 2007 and June 30, 2008, the value of total advertised goods was upward of $276 million.
And how does the underground economy continue to thrive? More often than not, through fraudulent activities conducted by way of discussion groups on IRC server channels and Web-based forums.
The good news, however, is that even as fraud-related activities flourish, there are a number of general measures businesses and end users can follow to safeguard their assets. By gaining a better understanding of the underground economy and adhering to recommended practices for security, organizations and individuals can continue to enjoy the benefits of the online economy while protecting against its risks.
Like its legitimate counterparts, the underground economy is based on supply and demand. Consequently, not all stolen goods are created equal. Among the most popular goods that cybercriminals routinely buy and sell are credit card data and bank account credentials.
Credit card data tops the list of goods and services advertised by cybercriminals, accounting for 31 percent of the total. It is also the most requested category of goods, making up 24 percent of all goods requested. Why? Because they are inexpensive to buy and the potential profit is high. Prices range from ten cents to $25 per card, with discounts offered for bulk purchases, and the average stolen credit card has a limit of $4,000. The potential worth of all credit cards observed during the reporting period was $5.3 billion.
Credit cards are also considered valuable because credit card information can be stolen in a variety of ways, from using phishing schemes to monitoring merchant card authorizations, skimming magnetic stripes, and breaking into databases. Furthermore, stolen cards are easy to use for online shopping and may go undetected by merchants long enough for fraudsters to complete their transactions and receive their goods.
The second most common category of goods advertised was financial accounts, accounting for 20 percent of the total. Here again, the potential worth of an account drives its popularity, as does the speed at which a payout can be made. Stolen bank account information sells for between $10 and $1,000, but the average advertised stolen account balance is nearly $40,000. And cashing out is fast; in one case, it took cybercriminals less than 15 minutes to cash out online financial accounts to untraceable locations.
Supply and demand is also apparent in the services offered in the underground economy. For a commission of between 8 and 50 percent of the total value of the transaction, savvy cashiers will transfer funds from stolen accounts into legitimate currency. For $10 per 1,000 cards, a cybercriminal will validate CVV2 numbers against their corresponding credit card numbers and expiration dates. Phishing and scam page hosting services are also offered in the underground economy, and cybercriminal organizations even post job openings for scam developers, phishing partners, and the like.
Two of the most common platforms available to participants in the online underground economy are Web-based forums and channels on Internet relay chat (IRC) servers. Membership in a Web-based forum is typically open to anyone, and different levels of membership are often available. Some allow members to post advertisements and interact with other members immediately; others restrict privileges until the member meets certain criteria, in some cases conducting a peer-review process before endorsing a potential seller. After all, business, even if illegal, is business.
While the majority of IRC servers are set up and used for legitimate purposes, cybercriminals also leverage channels on these servers to advertise and traffic stolen information and offer fraud-related services. As with Web forums, users often need only a unique username to join a channel, although some channels are restricted and can be used only by users who have been invited by an existing channel user or have been approved by channel administrators. Together, these platforms give cybercriminals an always-on, global forum for conducting transactions.
In addition to selling and requesting goods such as credit card information and bank account data and offering specific services over these channels, cybercriminals also advertise malicious tools such as attack kits, botnets, autorooters that scan for vulnerabilities, and SQL injection attack kits, as well as scam pages and spam software. They may also offer Trojans, keystroke loggers, and other malicious code.
All of these goods and services are not only a means of producing other goods and services, but are also goods and services in their own right. This ensures that the underground economy maintains a degree of self-sufficiency.
Although cybercriminals' tools and tactics are becoming increasingly sophisticated and effective, businesses and consumers also have a wide range of proven practices and tools for mitigating risk. For example, businesses should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches. Infected computers should be removed from the network and cleaned as soon as possible. In addition, if potentially malicious activity is discovered, businesses should notify their ISP. Ingress and egress filtering on all network traffic is also vital to ensure that malicious activity and unauthorized communications are not taking place.
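The monitoring and egress-filtering advice above is easier to act on with a concrete check. The following is an added example, not code from the Symantec report: it reads constructed firewall log lines, flags outbound connections from internal hosts to ports outside an assumed egress allowlist (the sample includes 6667, the conventional IRC port that bots have historically used to reach their controllers), and separately reports hosts that repeatedly contact the same external destination at regular intervals, a pattern worth a closer look. The log format, the 10.0.0.0/8 internal range, the allowlist, and all addresses are assumptions made for the example.

```python
"""Egress-policy and repeat-destination check over constructed firewall logs.

Added example (not from the Symantec report). Assumptions: each log line is
"<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>", internal hosts live
in 10.0.0.0/8, and workstations may only talk outbound on ALLOWED_PORTS.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
ALLOWED_PORTS = {53, 80, 443}                       # assumed egress allowlist
REPEAT_THRESHOLD = 3  # same src->dst:port seen this often = possible check-in

# Constructed sample log; none of these addresses or events are real.
SAMPLE_LOG = """\
2008-07-01T10:00:01 10.0.0.5 93.184.216.34 443 tcp
2008-07-01T10:00:02 10.0.0.5 93.184.216.34 80 tcp
2008-07-01T10:00:03 10.0.0.7 198.51.100.9 6667 tcp
2008-07-01T10:01:03 10.0.0.7 198.51.100.9 6667 tcp
2008-07-01T10:02:03 10.0.0.7 198.51.100.9 6667 tcp
2008-07-01T10:02:10 10.0.0.9 203.0.113.4 25 tcp
2008-07-01T10:02:11 10.0.0.9 10.0.0.1 445 tcp
2008-07-01T10:02:12 203.0.113.8 10.0.0.9 443 tcp
"""


def parse_line(line):
    """Split one log line into a record with typed fields."""
    ts, src, dst, port, proto = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
    }


def records(log_text):
    """Yield parsed records, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def is_egress(rec):
    """True when an internal host talks to a non-internal destination."""
    return rec["src"] in INTERNAL_NET and rec["dst"] not in INTERNAL_NET


def policy_violations(log_text):
    """Return (src, dst, port) for egress flows whose port is not allowlisted."""
    return [
        (str(r["src"]), str(r["dst"]), r["port"])
        for r in records(log_text)
        if is_egress(r) and r["port"] not in ALLOWED_PORTS
    ]


def repeated_destinations(log_text, threshold=REPEAT_THRESHOLD):
    """Group egress flows by (src, dst, port) and return the groups seen at
    least `threshold` times, mapped to the gaps in seconds between successive
    connections.  Evenly spaced gaps are what a periodic check-in looks like."""
    groups = defaultdict(list)
    for r in records(log_text):
        if is_egress(r):
            groups[(str(r["src"]), str(r["dst"]), r["port"])].append(r["ts"])
    result = {}
    for key, times in groups.items():
        if len(times) >= threshold:
            times.sort()
            result[key] = [int((b - a).total_seconds())
                           for a, b in zip(times, times[1:])]
    return result


def summarize(log_text):
    """Combine both checks into one report dictionary."""
    return {
        "violations": policy_violations(log_text),
        "repeats": repeated_destinations(log_text),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for v in report["violations"]:
        print("egress policy violation:", v)
    for key, gaps in report["repeats"].items():
        print("repeated destination:", key, "intervals (s):", gaps)
```

Run as a script, the example reports the four outbound flows that the allowlist would block (three to port 6667 and one to port 25) and the one host that contacted the same external destination three times, sixty seconds apart; the internal-to-internal and inbound lines are ignored because neither is egress. In practice the policy would be enforced by the perimeter firewall, and this kind of script is useful for reviewing logs for connections that slipped through before the rules were tightened.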
Businesses and consumers are also advised to employ defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Such a strategy should include antivirus, firewalls, and intrusion detection among other security measures. Security products are available that provide these capabilities in a single integrated solution for consumers. Organizations and individuals should also make sure all of their systems are updated with the necessary security patches from the appropriate operating system vendor.
In addition, individual Web users should be cautious when browsing the Internet. It is important to log out of Web sites when a session is complete. Users should also be wary of visiting untrusted or unfamiliar sites, and they may also consider disabling scripting and active content when casually browsing the Web.
Finally, to guard against identity theft, consumers should conduct higher-risk Internet activities such as online banking or purchasing only on their own computers and not on public systems such as those in Internet cafes or libraries. Consumers should also avoid storing passwords and bank card numbers on their computers.
With cybercriminals finding it increasingly profitable to use the Internet to steal information from consumers and businesses, protection and mitigation against such attacks becomes both an individual and collective global priority. With a proven set of technologies in place and best practices followed, consumers and organizations can avoid becoming entangled in the web of this underground economy and keep their information assets from becoming a cybercriminal's hot property.
About the Author
Marc Fossi is Executive Editor of the Symantec Report on the Underground Economy.