Forget script kiddies and website taggers: Cybercrime forums have become the domain of well-organized criminal enterprises and even some nation states. The economic maturity these black-market forums has reached could give attackers an edge over would-be defenders.
Those are just some of the takeaways from "Markets for Cybercrime Tools and Stolen Data," a report released Tuesday by the non-profit, non-partisan Rand Corporation. The report, sponsored by Juniper Networks, examines the rise of underground cybercrime marketplaces, and asks what can be done to curb them.
The existence of advanced cybercrime black markets won't be news to anyone who's been following the recent spate of data breaches involving retailers, including Target. Small batches of the 40 million credit cards stolen from Target continue to turn up on carder forums such as Rescator. Some evidence also suggests that the point-of-sale (POS) malware used to steal the data in the first place might have even been commissioned by a carder forum administrator.
As that suggests, cybercrime forums are no longer ad-hoc outposts where would-be hackers congregate just to strut their stuff. "Ten to 15 years ago, these markets were just sporadically organized, little ad-hoc groups of individuals, where their motivation was notoriety, ego. They wanted to get on systems, explore and see what they could see," said Lily Ablon, an information systems analyst at RAND, and the lead co-author of the cybercrime study. Now, she said, these markets are highly organized, and increasingly serve as a "cyber" extension to organized criminal enterprises, occasionally even nation-state endeavors.
[Protect yourself. Read 10 Ways To Fight Digital Theft & Fraud.]
In other words, the marketplace for cybercrime services has grown up. "The RAND study said that if an economy meets these criteria -- is it sophisticated, specialized, reliable, accessible, and resilient -- then it has matured," said Michael Callahan, vice president of security product marketing at Juniper Networks, speaking by phone.
The maturation of cybercrime markets is tied to the services they offer, which include not just selling stolen credit card numbers, but also phishing and spam attacks, on-demand DDoS takedowns, and botnets that anyone can rent, without having to first assemble their own. "Really, anyone can get involved -- you don't have to be good at it all," said RAND's Ablon. "In fact, you don't have to be good at anything, really, because there are people in services who can do things for you, as long as you have the funding."
The availability of on-demand cybercrime services gives attackers the edge over their targets. Or as the RAND report puts it: "The ability to attack will likely outpace the ability to defend." That's because service providers need only offer one particular type of service -- a flavor of botnet, DDoS, advanced persistent threat attack, or POS malware -- and do it extremely well. But any given organization must successfully fend off every different type of specialized attack, or risk being exploited.
Furthermore, such services are far from static. "These markets really do match the world's technology trends," said Ablon. "From a technology point of view, the world is becoming more on-demand, smart, and hyper-connected, and these markets are mirroring that." The markets also are providing rapid shipping of "goods," and tapping "darknets" and encryption to hide their criminal activities.
If there's one bright spot in the report, it's that businesses aren't the only ones being exploited. It turns out there is little honor among the thieves themselves, who routinely rip each off. "If you can get ripped off, you will," said Albon, and that goes especially for anyone who frequents the lower, less exclusive -- and easier to access -- cybercrime forum echelons, which might exist solely on ICQ or Jabber channels. "Rippers -- or people who want to rip you off -- are prevalent, especially people through these lower tiers," she said. "If you found the carder site through Google, there's a good chance that those people are going to rip you off."
Typically ruses are disguised. "It's very easy for them to give 10 credit cards away for free that are good, sell you 1,000 cards, and the other 990 are out of date or no longer valid," she said.
Just how many cybercrime players are at large? "One expert puts 10 to 20 percent of the participants in the highly vetted tiers, and 80 to 90 percent in the lower, easier-to-find tiers," says the RAND report. "Of all these players in all of the tiers, an estimate is that only a quarter can be considered highly skilled. Others maintain that there are too many variables -- freelancers versus organized groups, varying types of threat actors, etc. -- to make a reasonable breakdown."
One thing for certain is that for the criminally minded, the incentives for getting into cybercrime remain significant. "The black market can be more profitable than the illegal drug trade," says the report, "with the difference that digital goods carry less risk."
The obvious next question: What can we do to stop cybercrime-as-a-service? Any attempts to rid the world of cybercriminals must focus on eliminating or disrupting these cybercrime marketplaces, the RAND report argues. A number of ideas have been floated for undercutting cybercrime, such as "establishing fake credit card shops, fake forums, and sites to increase the number and quality of arrests, and otherwise tarnish the reputation of black markets," as well as launching hack-back attacks, having banks buy back stolen data, further increasing cross-border law enforcement cooperation, and helping businesses to better defend themselves, says the report.
"You need to change the economics," said Juniper's Callahan. "You need to find a way to disrupt the value chain."
The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio