Slashdot Mirror


Cybercrime Now Worth $105 Billion, Bypasses Drug Trade

Stony Stevenson writes "Citing recent highly publicized corporate data breaches that have beset major companies like Ameritrade, Citigroup, and Bank of America, McAfee CEO David DeWalt said that cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide. Despite the increase in government compliance requirements and the proliferation of security tools, companies continue to underestimate the threat from phishing, data loss, and other cyber vulnerabilities, DeWalt said. 'Worldwide data losses now represent US$40 billion in losses to affected companies and individuals each year, DeWalt says. But law enforcement's ability to find, prosecute, and punish criminals in cyberspace has not kept up: "If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online," DeWalt remarked. "The cross-border sophistication in tracking and arresting cyber-criminals is just not there."'"

6 of 177 comments

  1. Now expect by Jeremiah Cornelius · · Score: 3, Interesting

    The covert Government support of CyberCrime by "intelligence" agencies, and the monopoly of profits from this - just like the drug trade.

    Too bad the CIA can't destroy the black urban population of America with phishing spam, like they did to the brothers and sisters with drugs in the 70's and 80's.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  2. Here's Another Reason: Cybercrime Pays by patio11 · · Score: 4, Interesting

    You know what your hourly wage works out to as a dealer not on top of the local pyramid? Check out Freakonomics, it's an interesting case study. Using one gang's meticulously kept accounting records, they estimated the average dealer makes a bit more than minimum wage. Oh, and for that he has a 25% chance of death or imprisonment over an N month interval. (I can't remember what N was but, yikes, for 25% it wouldn't matter if it were 120!)

    Compare this to cybercrime. I have been, at points in the past, a spam researcher. At the time, I lurked in spammer forums to get an idea of what the enemy is thinking. Ignoring the "I make a million a month and own a fleet of cars and a harem" boasting, and just focusing on the deals that were offered and consummated there, it is clear that cybercrime makes Serious Money, especially by the standards of the locales where some criminals hang out. A single script to clean a spam mailing list, which is what, two or three hours of work, costs about a month's worth of a legit Russian programmer's wages.

    Or take a look at the opportunities for low-level criminals in the US, like "cashers". A casher is the guy at the end of the identity theft chain who gets the only risky job: turning the swiped data into money. (Phisher turns credentials over to casher, casher gets money, pays phisher.) He has a non-zero chance of his photo ending up on camera. For this, he gets perhaps 35% of the take from the scam. 35% of the banking account of say a lower-middle class family is easily thousands of dollars. No drugs in your pocket, no guns in your face, and no dedicated squad of police officers busting into your apartment at 1:00 in the morning if you get sold out by a buddy.

    Why would you sell drugs if you weren't using, given these risk-vs-reward scenarios?

  3. Re:This number by rwyoder · · Score: 5, Interesting

    ...sounds like it was pulled out of someone's ass.
    Absolutely! When a thief robs a liquor store of $1000, he actually has the money, and the store has really lost the money. Now let me relay something I learned from a lecture I attended by a well-known former hacker a few years ago: He had used social engineering to obtain a copy of some cell-phone infrastructure s/w from a large, well-known high-tech company. He later learned that when the cops questioned the mgt of the company, they wanted a dollar amount of the damages. When the mgt hesitated about how to determine the damages, the cops asked: "So what did it cost to develop it?" And that was the number they used! The hacker had done nothing but use social engineering to persuade an employee to FedEx him a copy of the s/w which he kept, but did nothing with it. He never even broke into a single computer, nor ever distributed the s/w, nor did any kind of damage. But in their zeal to pump this up into a big case, the cops used the completely bogus multi-million dollar cost of the project and charged him with that dollar amount of (non-existent) damage.
  4. Re:It is scary. AV coordination is suspicious thou by dedazo · · Score: 2, Interesting

    Not to downplay the threat, but is a new version of Windows out?

    Yes, thankfully. It's been out for 8 months, it has twice the market share of Linux and OS X combined, and it's much more secure than the one it's replacing.

    BTW, I think it's funny that you'd give so much weight to companies that you've referred to in the past as "snake oil vendors".

    Given the fact that the vast majority of computers on botnets are there because of user action instead of exploited vulnerabilities, I fail to see what a new version of Windows has to do with this or not. People will infect a mainframe if given the chance and someone can be bothered to write the malware for it. Hmmm. BonzyBuddy for OS/390 must be quite an experience. I wonder if it runs on InfoMan...

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  5. WAR!!!! by s1oan · · Score: 2, Interesting

    I see it coming... We had a war on drugs, a war on terror and soon we'll have a war on cybercrime. What country must be invaded this time?

  6. It's Not a Fair Comparison by ThomasTerranova · · Score: 2, Interesting

    It sounds impressive, but I don't think cybercrime
    really surpasses the drug trade in profits, except on paper.

    Corporations routinely exaggerate losses to a
    ridiculous degree. I read that the average cost
    to a company for a lost or stolen laptop is
    considered to be $85,000 (due to loss of time
    and proprietary data.)

    Another example:
    A company's server is hacked by a friendly hacker.
    The hacker just wanted a challenge and didn't
    distribute any data. He's caught and the company
    then claims $5 million dollars in damages.

    CyberCrime figures look good on paper and make for
    great insurance and tax write-offs. But they are
    probably largely imaginary.

    Many private citizens are victims of identity theft
    and fraud, but I don't think those cases make up the
    bulk of the CyberCrime dollar claim.