Cybercrime Is a Franchise Model That Scales

Presto Vivace notes a report from the RSA conference on the cybercrime economy, and it's not an optimistic one. Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research. "As the panelists explained, a single spam message might be tied to as many as 10 separate organizations and perhaps five suppliers. Every task in the criminal economy has become a separate specialty. Some people sell e-mail lists, others sell lists of compromised IP addresses, there are sellers of credit card numbers, and those who sell access to bot nets. Then there are those who handle product fulfillment for spammers, and those who specialize in laundering money."

Office Space clearly had an impact

One of the big problems the guys in Office Space faced was how to launder their money. They were computer programmers who had no knowledge of the intricacies of money laundering. It's good to see someone recognized the problem and is now providing solutions for those of us who don't know how to launder money ourselves.

Re:Office Space clearly had an impact

[CogDissident]

Its not as hard as you think. If you can get the money off-shore (such as an offshore account in the pacific), and then throw it to a numbered account in a swiss bank, its basically done.

The hard part is getting it out of the country of origin, without it being linked to you as having "left" from you.

Re:Office Space clearly had an impact

[PawNtheSandman]

The Russian Mafia is more than happy to help you in your future business endeavors.

Re:Office Space clearly had an impact

That's not that hard, just setup a charity or a bogus corporation and purchase some service from them, which since you own you don't have to provide, then have the corporation "buy" a "service" from a company in Europe, and presto, the money is now offshore. Since the companies bought it and not you, it can't be traced back to you... or so I've heard. I'm not saying that "this works" or that "you should use this to launder money".

Re:Office Space clearly had an impact

[CogDissident]

Charities need a lot of documentation to function (I'm on the board of a rather large one).

Corporate purchases are watched pretty carefully, especially offshore stuff. They're actually really easy to track weird spending habits. How often do companies spring up out of nowhere, and suddenly start having hundred thousand dollar offshore contracts every few months (or a hundred thousand spread out over a year, still suspicious).

Re:Office Space clearly had an impact

So what you're saying is that it's easy, except for the hard part.

Re:Office Space clearly had an impact

[chuckymonkey]

Funny offtopic story. My wife's aunt was just telling me about how a few weeks ago she thought she was going to jail for laundering money, meaning she ran it through the washer. She really didn't know what it really meant. This is also the same woman that thought people had to wear special shoes on the lower hemisphere so that they didn't fall off the earth.

Re:Office Space clearly had an impact

[bberens]

Or keep the money and gamble it at your favorite casino without ever telling them your name. You give them dirty money and even if you lose a percentage, whatever you walk away with is clean money. In fact, it's better to lose some. If you win enough money, they'll make you report it for tax purposes.

Re:Office Space clearly had an impact

[Foobar+of+Borg]

The Russian Mafia is more than happy to help you in your future business endeavors.

Sorry, not to get too offtopic, but this reminds me of Snow Crash. "Cosa Nostra - You've Got a Friend in the Family"

Re:Office Space clearly had an impact

But that still doesn't explain what brand of detergent you're supposed to use...

Re:Office Space clearly had an impact

[Teflon_Jeff]

The problem always comes in justifying how you received the money to spend. The IRS is very interested in how you got $100,000 to gamble, or spend, in the first place.

Ironically, some of the best ways to launder money are for services. Drug dealers will often set up as some sort of unregulated service (computer repair is popular) and when they make a house call for "service" they sell the drugs, and the money is documented as clean income for that particular service. However, that's laundering money before it gets to you. If you have dirty money already, it's far more complicated without partners. With partners, you can launder small amounts of money back and forth between various small businesses.

Re:Office Space clearly had an impact

[Pharmboy]

The hard part is actually getting back INTO the country. You can charge their visa card from a bank outside of the USA very easily.

Once you have a million dollars, you have to bring that money back INTO the US to buy that house and car, and with no legal income, that is what raises a red flag with the IRS, and the FEDS, who monitor all money transactions over $5,000 now (used to be 10k before 911). You can still make the money, but you can't spend it.

The traditional way is to open a "legit" biz with high margins, such as a bar/nightclub. You (quietly) give away the liquor, account for each giveaway as a "sale", then put that high margin money in the bank. You pay taxes on it, etc. but that is what you have to do if you launder money, make it "legit". (I used to work as an investigator, seen it many, many times with drug money).

So you end up with about half of your money, but it is laundered. The extra bonus is that owning a bar or nightclub and giving away a lot of liquor pretty much guarantees you lots of lady friends and minions.

Re:Office Space clearly had an impact

[redxxx]

The hard part is getting it out of the country of origin, without it being linked to you as having "left" from you. The money is coming out of a black global economy, so you shouldn't really have to worry about getting the money out of the country. Just have the folks sending you the money send it directly to a country with friendly banking laws. You don't need to 'touch' it.

Re:Office Space clearly had an impact

[smooth+wombat]

You give them dirty money and even if you lose a percentage, whatever you walk away with is clean money.

You mean like these folks did?

Re:Office Space clearly had an impact

[Timothy+Brownawell]

I would assume you just leave it in the pockets on your pants when you launder them...

Re:Office Space clearly had an impact

[krisak]

The limit is somewhere around $1200 for reporting. So casinos lately really aren't as useful for money laundering.

Unless the casino is in on it. You lose a lot of cash there, you don't need to report it. They then contract out to a company you own.

Not much of that left in Vegas these days, though.

Re:Office Space clearly had an impact

[Lord+Flipper]

So what you're saying is that it's easy, except for the hard part.

Ha ha ha, that's funny, and whee ae the mods at?

Cut of the source

[pembo13]

Kill all bot nets. Seriously. And have companies who sell operating system take some financial responsibility for future security.

Re:Cut of the source

[moderatorrater]

Kill all bot nets. Seriously. Agreed, although botnets are a tool, not necessarily a source. They make computing power cheap for the underworld, but everyone here should know that computing power is already cheap. The diversified IP addresses is harder for them to mimic, but not impossible.

And have companies who sell operating system take some financial responsibility for future security. Absolutely ridiculous. I've heard this before, and I think it makes as much sense as holding the door manufacturer responsible for home break ins. Microsoft has never claimed to be completely secure and they haven't made any contracts specifying that they should be. They allow other products to work on their platform, and these other products have threatened legal action if Microsoft makes their OS secure (although not in those exact words). It also patches on a regular cycle and it's ultimately a decently secure OS (when you take the patches into consideration).

The ultimate responsibility for what happens on someone's computer is theirs. There's a lot of hatred for Microsoft floating around here, and for good reason, but holding them responsible because people can't protect their computers in the most rudimentary ways is wrong. It also opens the doors for holding any software responsible for any hacking that occurs on them, even if the user could have prevented it with negligible effort. Considering the state of security in the software industry, that would destroy pretty much every company in existence and set us back 10-20 years.

Re:Cut of the source

[Dada+Vinci]

Not all botnets are the fault of insecure operating systems. People who exclaim "Oh, look, somebody I don't know emailed me a file called CutePuppies.exe! I think I'll click on it!" pretty well destroy any sort of security scheme. Vista tried to solve that by preventing users from running programs (under the guise of User Account Control) but that just led to rebellion because people don't want to have to explicitly grant access to every program that wants to read to disk or connect to the Internet. When I install the new Firefox I don't want to have to authorize each and every operation it performs (write to disk, read from disk, connect to Internet, etc).

Re:Cut of the source

[Spy+der+Mann]

Not all botnets are the fault of insecure operating systems.

Not all, but most definitely are:

- Unpatched Windows XP (and below) PC's
- patched but already infected Windows PC's
- patched but rootkitted Windows PC's
- patched Windows PC's just infected this week with a zero-day exploit.

So the rest of the botnets would be shared webservers running insecure PHP bulletin boards, and servers running unpatched MS SQL, but these are a tiny fraction.

As you can see, Microsoft's greed is largely responsible for most of the world's botnets. This has to stop. The US government could as well take these steps:

a) Force Microsoft to release a new version of XP but with Vista's security features (but please replace the cancel/allow with administrator password dialogue), so that all processes run in userspace and no changes can be done to the registry/configuration without user authorization.

b) Force Microsoft to release the patches and upgrades *FOR FREE*, even for pirate copies

c) Make a "Disinfect your PC" campaign, making a census of all computers, and running antivirus/antirootkit software (or possibly formatting, with previous backup of course) on such machines, at the same time upgrading the PC's to the newest Windows version (FOR FREE). When the campaign is over, we could as well declare the US virus-free (for now :-/ ) Unfortunately, for the measure to be effective, this should have to be done in all countries (so here comes international politics), so i'm afraid we'd have to stick with a) and b). But what use is upgrading a PC which has a rootkit on it?

Re:Cut of the source

[gmuslera]

Botnets=83.4 of ALL spam (check Marshal's Trace center) at least measured some days ago. All the other sources of spam are definately a minority there.

Microsoft never claimed to be completely secure? Probably all the sale speech for all Microsoft products (since windows 95 or before) includes some kind of claim regarding security (usually in the form of "this is safe, anything else is not") And probably the security experts aren't the main customer base of Windows, normal people only know that it says that is safe.

But in their licenses usually they wash pretty clean their hands taking away any possible liability.

But still, maybe not legal, but there are responsibility in Microsoft in a lot of fronts, from design choices to marketing speech and most what is in the middle.

Re:Cut of the source

[Dada+Vinci]

Your plan to force Microsoft to update Windows sounds good as long as Windows is the only operating system with problems. But what happens when a Linux distro has a security hole? (Yes, it can happen.) Who, exactly, does the government force to update it? If it's Ubuntu then it's easy enough, but what about CentOS/Debian? How do you force volunteer developers with a non-heirarchical structure to update code? And do we really want the government to get to define what a "security hole" is? I think there are some governments that think it's a "security hole" if the government doesn't have a backdoor into all users' data...

Re:Cut of the source

[ratboy666]

The solution? CutePuppies.exe is not executable. End of discussion.

If you want to actually execute it, you have to:

1 - save it to disk
2 - change its permissions
3 - then (and only then) execute it.

It is preferable to force a command line session (terminal window) for step 2, with a "difficult" sequence. Say.. chmod +x CutePuppies.exe. And it should show up on the desktop either...

No "is this allowed?" dialog. No "please enter your password" dialog. Just.. don't.. execute.. it.

I would even go so far as to force a manual base64 or uu decode in there.

Get off my lawn, you damn kids!

Re:Cut of the source

[g0bshiTe]

The solution? CutePuppies.exe is not executable. End of discussion.

What fantasy land do you live in? http://www.symantec.com/avcenter/attack_sigs/s22902.html
http://www.securityfocus.com/news/11511 Concerning the Flash Vuln
http://www.securityfocus.com/news/11512 How fully patched Vista box owned due to the flash vuln, with little to no user interaction.
When an attack exploits a weakness in something running on the system then in essence CutePuppies.exe may not run without interaction, but CutePuppies.sfw will.

Re:Cut of the source

[khallow]

Obviously, Windows has additional problems. But the grandparent's point was that a lot of security flaws allow relatively mild user error to lead to serious vulnerabilities.

Re:Cut of the source

[SamSim]

that would set us back 10-20 years.

Great, so there'd be almost no cybercrime!

Re:Cut of the source

And your porn would end in .gif, if you're lucky.

Re:Cut of the source

[Spy+der+Mann]

But what happens when a Linux distro has a security hole?

It has already happened, and not only with distros, but with Apache and the Linux Kernel as well. What happens? Simple. It's quickly discovered, and then patched within a day :)

Re:Cut of the source

[Richard+W.M.+Jones]

Absolutely ridiculous. I've heard this before, and I think it makes as much sense as holding the door manufacturer responsible for home break ins.

It's more like holding a lock-maker responsible if their locks are faulty.

The ultimate responsibility for what happens on someone's computer is theirs. There's a lot of hatred for Microsoft floating around here, and for good reason, but holding them responsible because people can't protect their computers in the most rudimentary ways is wrong.

It should be possible to allow someone to download and run any random program and not allow it to take over the computer. Programs should not run by default with full access to everything. Operating systems should summarise what a program wants to do in plain English ("this program wants to send out 100 emails a minute over your broadband connection", or "this program wants to log everything you type and send it to a Russian site called cracker.ru"). This is not some sort of impossible goal, but easily achievable today with a bit of thought.

You cannot on the other hand hold non-technical users responsible for stuff they don't understand, and if as a result of visiting a website your computer silently downloads malware which starts logging your credit card details, that is not something that a non-technical user could or should be held responsible for.

Rich.

Re:Cut of the source

[toddestan]

It has already happened, and not only with distros, but with Apache and the Linux Kernel as well. What happens? Simple. It's quickly discovered, and then patched within a day :)

So what? It's the same problem you have with Microsoft stuff. The patches come out quick enough, it's just that people don't patch their systems or keep them up to date and that's how they get infected.

Re:Cut of the source

[mrsbrisby]

And have companies who sell operating system take some financial responsibility for future security.

Absolutely ridiculous. I've heard this before, and I think it makes as much sense as holding the door manufacturer responsible for home break ins.

Hyperbole notwithstanding, anyone can make a door and reasonably assess the security of a door themselves. Not everyone can make an operating system and reasonably assess the security of an operating system.

Confusing a door, which any idiot can make in an afternoon, with an operating system which takes billions of man-hours, seems incredible.

Microsoft has never claimed to be completely secure and they haven't made any contracts specifying that they should be.

Before people took claims about security seriously, the following nugget was available at: http://msdn.microsoft.com/isapi/msdnlib.idc?theURL=/library/backgrnd/html/iissecure.htm

This integration means IIS offers the same robust security that is built
into Windows NT from the very core. Windows NT was created intending to meet
the security criteria for the U.S. Government's C2 Security Evaluation. The
critical need for an operating system to be designed for optimum security
from the ground up was noted by the NCSC, which wrote in its Final
Evaluation Report of the Windows NT operating system: "When security is not
an absolute requirement of the initial design, it is virtually impossible
through later add-ons to provide the kind of uniform treatment to diverse
system resources that Windows NT provides." Can you seriously suggest that a person reading that shouldn't have any expectation of security or privacy using Windows? I realize this doesn't say "completely" secure, but do you think phrases like "optimum security" really excuse this?

You should take a serious look around at the company you're keeping; people apologizing for Microsoft: Here is a product which defiantly does what the user doesn't want and then blames the user for having other expectations.

Really, the fear of financial responsibility without the safety net of a monopoly might make Microsoft think twice about encouraging the development of ActiveX controls.

Re:Cut of the source

Make Microsoft responsible yeah, that will work.

There is no such thing as a "Secure" application.

1) Microsoft will help the congress person with the bills wording.
2) Contribute to and lobby your congress person.
3) Profit.

Simply disconnect from the internet.

And my mother always said that

[name*censored*]

Crime doesn't pay. Pfft.

BRB, watching to see if the kettle boils.

Re:And my mother always said that

Obligatory xkcd

Re:And my mother always said that

[eli173]

http://xkcd.com/357/

Re:And my mother always said that

[Miseph]

How original, what's next, an "in Soviet Russia..." joke?

For those who don't get it, Randall, the guy on the left, writes XKCD, and the guy on the right is me (check out the name badge, infidels).

Off course

[iamacat]

Making money by creating value vs making money by just taking it from other people. Hmm.. what's going to easier?

There are after all established concepts of taxes, payday loans and patents that pretty much amount to the same thing.

Re:Off course

[Arthur+B.]

What !? How are payday loans theft ?

Re:Off course

And the recent Fed rescue of investment banks. Making money by taking it from people wins any day of the week.

Re:Off course

[DrgnDancer]

Legally they aren't. In theory they don't have to be. In practice they pretty much are. The pay day loan industry is predatory beyond belief, victimizing the poorest and least educated members of society. Unfortunately in most states there isn't actually a LAW against convincing some poor schmuck with a middle school education that a loan with an effective interest rate of 25-50% a week is in his best interest.

Re:Off course

[superwiz]

And the recent Fed rescue of investment banks. Making money by taking it from people wins any day of the week. FED didn't rescue investment banks. That's just how the news got reported to make the story more sensational. They arranged for a merger to take place and gave a loan on which the FED will actually make money. Taxpayers are in no way involved. Taxpayers pay their money into the US Treasury. FED lends money out of thin air -- not out of the treasury. Yes, "out of thin air". It says the money exists and by the virtue of that fact it comes to exist. And when the loan is repaid, the money ceases to exist.

Is pay really the reason?

[mrroot]

Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research.

Crime almost always "pays better" than so-called legitimate work (is crime really considered a profession?) Well I guess you could say it is a part of the problem, but the OTHER part of the problem is the risk of getting caught is too low. It is a risk/reward model. There are other factors in play here too, for example people's morality. Even if there were little risk and great reward, some people have a moral system that would still prohibit them from undertaking a life of crime.

Re:Is pay really the reason?

[iamacat]

Even if there were little risk and great reward, some people have a moral system that would still prohibit them from undertaking a life of crime. But if you think about it, the highest moral system would actually push people into life of crime. There are lots of evil entities that need stealing from (nuclear weapons manufacturing, Bin Laden family in Saudi Arabia, Dick Cheney, Microsoft, RIAA, ...) and lots of hungry children in Africa. It's not immoral to steal from crooks!

Re:Is pay really the reason?

[mrroot]

But if you think about it, the highest moral system would actually push people into life of crime. There are lots of evil entities that need stealing from (nuclear weapons manufacturing, Bin Laden family in Saudi Arabia, Dick Cheney, Microsoft, RIAA, ...) and lots of hungry children in Africa. It's not immoral to steal from crooks!

So who decides who is a crook and who is not? I guess you feel like you have a pretty good handle on that, or at least you just rattled off all the names you have been told are crooks. Congratulations, you have conformed.

Re:Is pay really the reason?

"So who decides who is a crook and who is not?"

You could argue the same thing about why decides who are the crooks already.

"Congratulations, you have conformed."

Congratulations, so have you. Just with a different group of sheep.

Re:Is pay really the reason?

[Lumpy]

Exactly. Online gambling is illegal here in the states. That has not stopped the huge flow of american companies setting up offshore internet gambling sites and processing the credit cards through various processing houses that happily hide the money flow.

In fact knowing a lot of this makes you a lot of money consulting people and companies wanting to do such a thing.

Re:Is pay really the reason?

[Lumpy]

when you send money to starving children in africa. you actually give money to the warlords and corrupt governments profiting off those starving children.

Re:Is pay really the reason?

[iamacat]

So who decides who is a crook and who is not? We The People.

In the perfect world, we would have a working democracy and organizations like RIAA would be legally disbanded and their money redistributed to their victims (such as artists) or used for worthwhile social programs. Unfortunately, we have a two-party system that stacked the rules to prevent election of grass-root candidates. Truly courageous people should join an uprising to restore working democracy. But in the meantime, stealing some money out of the system to weaken it's power can also be a noble act.

Re:Is pay really the reason?

[iamacat]

Oh really? Even if I actually travel to Africa and personally hand out hot soup in the cities?

Re:Is pay really the reason?

So you're saying that the "highest moral system" essentially consists of violent, anarchic Communism from the barrel of a gun, with every individual charged as his own judge, jury, and executioner? Did I encapsulate that pretty well?

Here's some features of "moral systems" that the rest of the human race generally appreciates:

  * Consistent rules that are considered and set in a fair, non-authoritarian fashion by a group process.
  * Neutral, transparent arbitrators for disputes who are selected through a fair, non-authoritarian process, and who are held accountable for their activities by that same process.
  * A general consensus that the rules are basically fair and correct, enough so that most people will choose to follow them without the threat of compulsion or violence.

Maybe I missed something, here... Care to explain your argument in a little more depth?

Re:Is pay really the reason?

[iamacat]

So do most american citizens believe they should be fined $100K for each MP3 shared on LimeWire? That somebody should take 10% of their hard earned money and use it to kill people half way across the globe? That they shouldn't have an option of voting for a pro-market economy, anti-tax, pro-environment and pro-choice candidate in a presidential election?

Clearly we lack the mechanism to set consistent rules in "fair, non-authoritarian fashion by a group process".

Re:Is pay really the reason?

Professional assassination. It's the highest form of public service. - Chium, Remo Williams.

Re:Is pay really the reason?

[Herkum01]

Obliviously men with small penises or low libido and women with small breasts.

Re:Is pay really the reason?

[JordanL]

We The People.

Let's see...

1. Stealing from the "rich", (theoretically).
2. Giving to the "poor", (theoretically).
3. Discerened by the angry mob.
4. Done on the basis that people have a moral right to what other people earn.

Sounds a lot like Communism to me, and we all know how well that worked out.

Re:Is pay really the reason?

[dave562]

Crime almost always "pays better" than so-called legitimate work (is crime really considered a profession?)

Crime really is a profession. The "criminal world" is in reality just the free market at work. There are services that people want performed and there are those who perform the service. Like a lot of laws, most of the computer trespass laws are there to protect stupid/uneducated people from themselves. They are there to protect those people from "being taken advantage of" by others. Of course in this backasswards society that we live in the idea of taking responsibility for themselves never crosses their, or the legislators minds. Self reliance isn't cool. The government should solve all of the problems.... or in other words, those who have because they are capable should subsidize those who don't because they aren't.

OTHER part of the problem is the risk of getting caught is too low. It is a risk/reward model.

The real mechanism at work there comes down to how do you want to pay your taxes into the system? Do you want to pay them gradually in an orderly manner through already established mechanisms like the IRS? Or do you want to pay them in huge lump sums that might be due at any time, like you have to in the form of legal fees? In terms of the internet and computer crime, you can go for a long time before ever having to deal with the legal system. Unlike the war on drugs here in America where the cops can act fairly rapidly once they identify a drug supplier, it takes the international community a long time to come together to deal with botnet operators and spammers.

Re:Is pay really the reason?

[mi]

Oh really? Even if I actually travel to Africa and personally hand out hot soup in the cities?

Yes, even then. By feeding their populace, you'll be freeing the warlords from having to concern themselves with, you know, governing the country. From providing the food, to education, to building and maintaining roads, all the way up to the monetary policy... You are likely one of the voices in the chorus condemning Bush for spending too much on Iraq "instead of helping social programs". Now imagine, if some uber-rich third party was helping our social programs, leaving Bush able to spend even more on "his wars"...

And then, of course, it would also be exceptionally stupid (and — without proper immunization — reckless) of you to spend your own time doing it, instead of hiring a local (for a minuscule fraction of your wage).

That said, you have shown enough stupidity in this thread to make me think, we'd all be better off (on balance), if you tried...

Re:Is pay really the reason?

[aztektum]

Wait, you seemingly attempted to ridicule this guy without offering your own opinion on what makes a crook a crook.

Mine: An individual or corporate entity that lies, cheats, and swindles for their own gain. Not just to the detriment of "society", but an individual as well.

Based on my definition it seems his list hits the nail on the head. Microsoft is already a convicted monopolist. RIAA has gotten quite a few slaps in court for trying shifty tactics. Dick Cheney, enough has been proffered on this forum about him. The bin Laden family? Like they're completely untethered to Osama. The FBI even published a report that one of the "bin Laden flights" out of the US on 9/19/01 may have been chartered by Osama to get people out of here.

Product Fulfillment?

[TTURabble]

Then there are those who handle product fulfillment for spammers

Wait, those spam messages are actually selling something? I always just thought that it was a ruse to get your CC info.

Re:Product Fulfillment?

[sco08y]

I've actually tried, out of curiosity, to order something. I rarely get to a working web page, let alone an order form. Sometimes you'll see a 1800 number. Many times you'll just be redirected to a page full of ads.

I don't get it...

[Leomania]

Who buys crap from spammers? Even my 84-year old father (who has a difficult time remembering the "desktop" I'm talking about isn't the table his keyboard is setting on) knows the difference between a spam email and a legitimate one. We all laugh at the garbage they try to sell, and these days pretty much assume it's more likely a scam or an attempt at identity theft. So who the hell are these people who think it's a good idea to respond to the email from Hector McGillicuddy for Viagra?

Re:I don't get it...

So who the hell are these people who think it's a good idea to respond to the email from Hector McGillicuddy for Viagra? Please refer to the Complete guide to Identifying the Average Moron. Chapter 1 I believe quotes P.T. Barnum who said it best...

Re:I don't get it...

Chapter 1 I believe quotes P.T. Barnum who said it best... "Get that goddamned elephant out of my living room!"

Re:I don't get it...

[CodeBuster]

It probably has less to do with actually selling a particular product than it does with saturation advertising which is designed to bypass the natural mental defenses that people have built up to advertising in general by so completely saturating the mind with brand image, logo, slogan, etc...that when the decision to make a purchase finally does come it is made on an almost subconscious level (i.e. you drop the item in your shopping cart without even thinking about it really). That is the angle that most spammers are working for their clients these days. They know you hate it, they know that you would never buy anything directly from them, but they and their clients don't care because they do not require your active cooperation in any way for their strategy to work because they are attempting to manipulate your subconscious through information overload to short circuit the rational decision making part of your brain the next time you have to make a purchase so that you will buy their brand without remembering specifically where you heard of it or even if you have seen it before. That explains the client of the spammer, but the spammer is simply a mercenary who cares about getting paid and he doesn't give a crap either way as long as he gets paid (by his clients) to run the spam campaigns on their behalf.

Re:I don't get it...

[dave562]

I've always wondered this myself. The only theory that I've been able to come up with goes something like this.... The spammers aren't trying to sell products. Even the products that are being sold are often fakes. The real mechanism at work is capturing credit card data. Lets just pretend that for every 1,000,000 spam messages that are sent out, there is 1 that actually makes it through all of the filters and into the email box of someone who thinks, "Gee, I wish I could have lasted longer last night but I don't want to embarass myself by going to the doctor. I'll get some v14gra from China." That fool then uses his credit card with a $5,000 balance on it to purchase $14.99 worth of v14gra. The "spammer" sends out some sugar pills and then turns around and racks up $5,000 worth of profit. Or maybe they just sell the card for $50 or $100 or whatever the going rate for a $5,000 limit on a Visa card is these days.

Using the above theory it makes sense. The computing resources are very low cost (if you have to rent botnet time) or free (if you own the botnet). The emails are free to send. Even if you have to send a million of them to get a single card number, you're still getting card numbers. There was an article on here the other day that says they send what, BILLIONS of messages a day? Even if you only have one sucker out of one million, that's still 1000 cards per day that you're getting.

Re:I don't get it...

I believe quotes P.T. Barnum who said it best... He never said "There's a sucker born every minute".

Re:I don't get it...

[Leomania]

The real mechanism at work is capturing credit card data. That's the thing, though... if all they're after is credit card info, why bother with product fulfillment? That's what TFA referred to as one of the parties involved, so there's got to be more to it than just that. And wouldn't credit card companies figure out the statistics pretty quickly if a particular customer of theirs has a really high percentage of credit card numbers that end up being used fraudulently?

That makes me think that those stealing card numbers and/or personal data aren't bothering with product fulfillment, and vice versa.

Re:I don't get it...

[SpamIsLame]

So who the hell are these people who think it's a good idea to respond to the email from Hector McGillicuddy for Viagra?

Addicts, usually.

When Chris "Rizler" Smith was convicted and sentenced to 30 years in prison for his numerous crimes (among them, pharmacy spamming and money laundering,) court transcripts showed that he routinely spammed known repeat addicts of controlled substances. This was his prime target market.

Not everybody is purchasing their meds from criminal spam operations. But people who have no other means of getting their fix, or those who are way too broke to afford them, will probably rely on only the spamvertised sites to get them.

It's a public safety accident waiting to happen. There are a handful of stories about people who have died from the fake drugs offered by these criminal spam operations. It's bound to get worse before it gets better, and the spammers won't stop as long as it remains profitable (and anonymous. They love that there's never a well-known connection between them, their sponsor, their sponsor's suppliers, etc.)

SiL / IKS / concerned citizen

Crime

Now that's serious logistics! Outsourcing has a bad rap, now i see why.

WTF?

I clicked the link for the article and all I got was a giant full screen xerox advertisement. I guess there is supposed to be an article of some kind?

Re:WTF?

[Missing_dc]

Damnit, I clicked the link looking for a fullscreen xerox ad, and all I got was this lousy article:

The Cybercrime Economy
Posted by Thomas Claburn, Apr 9, 2008 08:33 PM

Dot-coms daunted by the financial downturn would be well advised to look to the cybercrime economy.

Cybercriminals "have very sound business models," said Joe St Sauver, manager of Internet2 Security Programs through the University of Oregon at an RSA Conference panel on Wednesday, "better than many corporate business plans I routinely see."

The conference session, "Deconstructing the Modern Online Criminal Ecosystem," offered interesting insight into the way the Internet's black market works.

While most of the security professionals I've spoken with at RSA expressed optimism about dealing with future cyberthreats, I find it hard to see where that optimism comes from, given the economics of cybercrime as explained by the participating panelists.

One of them was Larry. He provided no last name and asked that his picture not be published, presumably for his safety. He's the chief investigator for Spamhaus.org, a site that tracks spammers. "It's almost impossible to take these [spam Web sites] down because the DNS changes every five minutes or so," he said.

"Almost impossible" is not the stuff of optimism.

As the panelists explained, a single spam message might be tied to as many as 10 separate organizations and perhaps five suppliers. Every task in the criminal economy has become a separate specialty. Some people sell e-mail lists, others sell lists of compromised IP addresses, there are sellers of credit card numbers, and those who sell access to bot nets. Then there are those who handle product fulfillment for spammers, and those who specialize in laundering money.

All this specialization insulates the network from prosecution by providing a degree of deniability. "You mean my associate was using the names I sold him for spamming?" a cornered cybercriminal might say. "I told him not to do that." The modern cybercrime economy is a franchise model that scales, explained St Sauver.

And it pays well. IronPort's Patrick Peterson observed that an IT graduate in Romania might be able to earn $400 per month legitimately, compared with several thousand per month in the cybercrime economy. And I've spoken with security researchers who suggest the difference in pay between being a security researcher and a security exploiter differs by a factor of 10 quite often.

Cybercriminals make so much money, in fact, that they employ money mules, networks of thousands of people to help them launder money by receiving and sending cash for a commission. Many of them are unaware that they're facilitating crime. And many of them end up being scammed.

A typical scam: They're wired money and asked to send out a lesser amount via Western Union. Only later do they learn that wire transfers can be reversed, whereas Western Union money transfers are irrevocable.

And a final factoid from the session: Lawrence Baldwin, chief forensics officer with My Net Watchman, said that in the past few months he was aware of about 30 data breaches at companies and only two have been publicly reported.

The trend, Baldwin said, was to go after midsize organizations because the big ones have too much security and individuals don't have enough valuable data. Sounds like the recent Hannaford breach to me.

Re:WTF?

[zippthorne]

A typical scam: They're wired money and asked to send out a lesser amount via Western Union. Only later do they learn that wire transfers can be reversed, whereas Western Union money transfers are irrevocable.

And they're taking advantage of the victim's greed. His desire to participate in the scam. I mean, they typically do this under the pretense of laundering money, so the victims aren't exactly blameless in many of these scams.

The question is, should we then protect the victims? People who were so willing to take advantage of others, only to be taken advantage of, themselves?

Economies of scale

[Facetious]

The risk/reward concept of crime is complicated by economies of scale. Prior to the Series-Of-Tubes(TM), it was fairly difficult to con more than one person at a time. Now, many high school students have the power to con millions of people across international borders. The potential reward has gone up. The perceived potential of risk has gone down. Thus, cybercrime rises.

Re:Economies of scale

It was fairly difficult to con more than one person at a time. You can't fool all of the people all of the time (except in an election year)

The problem: FBI Baltimore

[Animats]

We need the FBI Baltimore office taken out of the business of distributing child porn and put on this problem. After ten years of work, they've arrested over 6,000 people.

How many computer criminals have they arrested? The Department of Justice doesn't seem to provide useful statistics, but it looks like the number per year is in the 10-100 range.

This is backwards, given the relative size of the problems.

Part of the problem is that the FBI has a measurement bias against white-collar crime. See the FBI Crime Statistics page. Violent crimes are counted if they are reported; white collar crimes are only counted if there's an arrest.

Re:The problem: FBI Baltimore

[CodeBuster]

Money is immaterial to government organizations like the FBI so long as there is enough to pay salaries and fund organizational needs. Beyond that these organizations exist in the political realm where the success is measured and rewards doled out based upon achievement of political objectives and saving money or spending the money of the taxpayers wisely is pretty far down the list of political priorities in most government organizations. Besides, if you spend less money then you get a hand shake for coming in under budget and then next year your budget is cut to reflect the "new" level of savings whereas if you go over the budget then you are rewarded with even more money next year so that you can really "get tough on crime". The incentives are exactly backwards and, of course, it also doesn't help that very often the white collar criminals and the big corporate political donors are one in the same people and it simply wouldn't do for the FBI to be "harassing" the "friends" of a powerful politician when there are much easier and more politically expedient targets to be singled out for "special attention" by the FBI and other government organizations.

Inciting crime?

[gmuslera]

The article seem to say that crime pays, and better (at least if you live in Romania or do security research for the bad guys) and that basically there is no punishment. That look like a call to arms for a new generation of scrip... i mean, spam kiddies.

Not sure how much it will scale before reaching some kind of saturation point. There are some numbers that cut in some way the amount of players in the field (like 50% of all internet spam coming from just one botnet, or malware removing other kind of malwares (and even closing the doors they used to get in). But the article paints it almost as a safe bet, making it even more attractive.

And we STILL don't have a LEGAL definition of spam

[mi]

The best we have from a judge — just quoted in a different article-submission is:

It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer.

Awesome, judge, let's leave the judging to the demos... "Community standards", anyone?

Heck, according to my Firefox (2.0.0.13, thank you very much) spell-checker, the very word "spammer" does not even exist — much less legally defined. (Well, the word "firefox" does not exist either, to be fair.)

There are few laws against the scumbags, and those that exist, are rather imperfect. The definitions boil down to the (in)famous, "I know it, when I see it," — from the earlier attempts to distinguish between pornography (obscene) and art/expression (Constitution-protected)...

Until all spammer can be persecuted for spamming itself, rather than some of them being prosecuted for other illegal activities helped by spamming, we aren't going to get very far...

Not just cyber

[sm62704]

They keep parroting that "crime doesn't pay" but it obviously DOES pay, and it pays well. Most crimes are not solved. Most criminals are not caught - only the stupid ones and the unlucky ones get caught.

In fact, society should be damned glad that most slashdotters are honest and have conscienses (no that's not spelled right, so jail me) because if most of us were dishonest we could do one hell of a lot of damage!

Some times I wish I could be dishonest, I'd be a rich man. But it's just not in my nature.

Re:Not just cyber

[mrsbrisby]

only the stupid ones and the unlucky ones get caught.

Not only do the stupid and unlucky ones get caught, we incarcerate them and pay to keep them alive. It seems like these people are more likely to escape the gene pool if we simply take the labels off things.

Re:Not just cyber

[sm62704]

Ah, but there's the fallacy. They reproduce at a much greater rate than you or I do. Evolution is about reproduction.

I have two kids, Linda has 15 counting the one that died. She beats me at the genetic olympics. She just got out of prison 2 months ago.

Another Part of The Problem

[Bob9113]

Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research.

Another part of the problem is that our cyber enforcement budget leans heavily toward pornography, gambling, and copyright.

Yet another part is that corporations and politicians are unwilling to kill their fatted calf that is "legitimate" UCE.

Remember that ancient business adage

[Tumbleweed]

"Location, location, location!"

In this case...online. Don't forget to get an easy to remember .com address! I was telling someone about a website of mine last night, that ends in '.info', and they put a '.com' after the .info! Urg.

..Watching as the frilly panties run in San Angelo

Sitting on a park bench eyeing little girls with bad intent
Snot running down his nose greasy fingers smearing shabby clothes
Hey, aqualung
Drying in the cold sun
Watching as the frilly panties run
Hey, aqualung
Feeling like a dead duck spitting out pieces of his broken luck
Hey, aqualung
Sun streaking cold an old man wandering lonely
Taking time the only way he knows
Leg hurting bad as he bends to pick a dog end
he goes down to the bog and warms his feet

Feeling alone the army's up the road
salvation a la mode and a cup of tea
Aqualung my friend don't you start away uneasy
you poor old sod you see it's only me
Do you still remember December's foggy freeze
when the ice that clings on to your beard is screaming agony
And you snatch your rattling last breaths with deep-sea-diver sounds
and the flowers bloom like madness in the spring

Sun streaking cold an old man wandering lonely
Taking time the only way he knows
Leg hurting bad as he bends to pick a dog end
he goes down to the bog and warms his feet

Feeling alone the army's up the road
salvation a la mode and a cup of tea
Aqualung my friend don't you start away uneasy
you poor old sod you see it's only me

Aqualung my friend don't you start away uneasy
you poor old sod you see it's only me

Sitting on a park bench
eyeing little girls with bad intent
Snot running down his nose greasy fingers smearing shabby clothes
Hey aqualung
Drying in the cold sun of San Angelo
Watching as the frilly panties run
Hey, aqualung
Feeling like a dead duck spitting out pieces of his broken luck
Hey aqualung

ohhhhhh aqualung San Angelo and the pretty little girls now also my wives

Duh?

Criminals commit crime to make money.

News at 11.

Credit the Inherent Decentralization

[-Tango21-]

Perhaps one should credit the success and scaling capacity with the inherent decentralization of the organized crime network discussed in the post. I recently read The Starfish and the Spider and the organized crime network seems to closely mirror a self healing, mostly decentralized network of peers as described in the book. If one person in the network described in the article is caught another takes his/her place with perhaps even more people. Kind of a fascinating dynamic.

Makes me glad the author of the book (above), Rob Beckstrom, was appointed to the newly created department of Cyber Security. He'll probably be able to help the President sync his iPod as well.

I stopped being optimistic about security long ago

[david_bonn]

I am a recovering "security professional". After an eye-opening experience long ago where I realized that I knew at least as much as the experts. So I managed to do pretty well for myself during the boom years. Then ran screaming from the Real World and goofed off with a few consulting gigs to keep me from being completely retired.

Those gigs were rarely happy ones. I came to the conclusion that there is no adequate technical solution to the security problem. Arguing that any given platform (Mac OS X, Linux, BeOS, Windows Vista, &c) is more secure misses the point -- all platforms have security holes, and all you need is one to ruin your whole month. Even if you loyally and skillfully apply all relevant security patches as soon as you are aware of them and as soon as they are available you still will have quite a window of vulnerability -- and that window might be shorter on your favorite OS. But how can that matter when an unprotected machine can literally be 0wned in minutes?

From a legal standpoint, a lot of work remains to be done (if you've ever tried to get help from your favorite law-enforcement agency when your server farm has been sacked and pillaged you'll understand). Our criminal-justice systems are caught in a race. They are a snail and the competition has a supersonic jet. The international nature of the internet kind of screws us too -- we've got to deal with Moldovan criminal gangs and elite government-sponsored hacking teams (who almost certainly cover many of their activities by looking and acting like criminals) who are hopelessly beyond the reach of any law enforcement agency. If it were just Moldova it would be one problem, but how many countries are there out there the bad guys can hide behind? Most any country in Africa, most any country whose name ends with "-stan", and damned near any country with scary toilets won't be much help if the people who set up the attacks are living there.

I've been reduced to alternating between Cheneyist tinfoil-hat paranoia and a Bushian "what? me worry?" obliviousness. Neither is very satisfying.

Robin Hood Rich/Poor Dichotomy

[Dareth]

Robin Hood would steal from the rich to give to the poor. Was this a moral act? Is it only when the rich originally stole from everyone else that it is moral? And what of the poor who were given wealth? Can they save any for a rainy day, or would that make them no longer poor and ineligible for the next payout to the poor from Robin Hood? If poor people constantly spend every cent they receive, whether from assistance or earned to remain poor, is that moral behavior? Can they be faulted if that is how the system works?

Re:Robin Hood Rich/Poor Dichotomy

[pbhj]

According to the UK government my family live well below the poverty line (about two-thirds of a poverty level income), so I feel I can offer some insight!

>>> Can they save any for a rainy day, or would that make them no longer poor and ineligible for the next payout to the poor from Robin Hood?

If you're a medieval peasant (probably a serf) given enough money to buy a sack of flour you won't go hungry for a few weeks. You'll still be in need, with more money you could buy vegetables, more still you could have meat, more than that land that you could use to feed yourselves from (assuming you're not debarred from owning land by not being a part of a noble family).

>>> If poor people constantly spend every cent they receive, whether from assistance or earned to remain poor, is that moral behavior?

We spend every penny we earn on housing, food, utilities, clothing (if we're lucky, though mostly we get clothes as gifts). We work and are raising a child (both consider moral goods for the community by most). I can't see how it's immoral to spend all you earn - with more money we could afford to eat a little more healthily and maintain our property better which in turn would reduce economic strains in the long-term. We have a national health service and someone will have to conduct repairs in the future which wouldn't have been necessary could we afford to maintain our property.

I'd love to hear how you think this could be immoral living?

To some extent it's the system - capitalism is a predatory system in which those who have money make more by exploiting those who don't. And to some extent it's personal choice: we believe our business is a worthwhile part of the community even if as a whole the community don't value it as much as we do.

>>> Robin Hood would steal from the rich to give to the poor. Was this a moral act?

In his circumstances (assuming the tales to be true) then I think it is moral to steal from those with excess to prevent those with nothing from dying of starvation. It's not capitalist morality but it works for me! Moreover Robin Hood probably does the landowners a service by stopping them (the landowners) from killing off the people who are growing their food and keeping them in their luxury.

Basic premise is flawed

I challenge the premise that existence of a cybercrime "supply chain" increases the difficulty of fighting cybercrime. I believe the exact opposite. A supply chain provides more targets of opportunity, and breaking one link in the chain has the potential to put many other links out of business.

I also disagree with the pessimistic premise that we are in a downward spiral. The Internet is simply the latest new frontier, and frontiers have always been rife with crime. Eventually law enforcement and society catch up, and the criminals move on to the next frontier. In a sense, criminals exploit the lack of information. Imagine how much easier it must have been to be a criminal in the time before photographs?

Spam? I don't get any

I really don't get it. I use Gmail - but if they can do it, others can - and I get no spam. Zero. Zilch. I never, ever, have a single piece of spam get through. I use it both for my business, and for personal email (probably 4Gb/year worth), and I have yet to lose a real email. What's going on?

cybercrime is good

cybercrime is a good thing. if a person is willing to break the law id prefer they ran up charges on my credit card, than stabbed me ;)
call me crazy....

Not in your nature? Sure it is, but...

[RexDevious]

it never developed because you happen to be naturally better at things which didn't require it.

CASE STUDY: Matt Dillon

My brother own's a bar frequented by Matt Dillion, the mult-millionaire, super-naturally gorgeous, very famous actor. And he's never seen anyone so utterly terrible at picking up girls. Why? Because he's never *had* to be good at chatting up girls, he's been a movie star since he hit puberty. If he'd needed to learn how to chat up girls, he'd have learned.

You're bad at being dishonest for the same reason Matt Dillion is bad at picking up women.

But, if you'd lack any natural ability to achieve goals honestly, you would have had no other option but to develop the talent to lie, cheat and steal your way to success.

This is the same reason why beautiful girls seem dumb, and powerful people rarely have any other talent than gaining power.

To me, this last bit is the most troubling. We've created a world in which utterly worthless people have no other choice than to figure out how to exploit the worth of others in order to get anywhere in life.

Personally, I blame our "won't someone think of the children" policies. They keep dumb people alive long enough to develop the skill to exploit the intelligent people - who are completely unprepared to deal with dishonesty, cheating, and theft because they never needed to do the things that would have given them experience in those areas.

It's like that sig which floats around slashdot a lot:

"Never argue with a fool. They'll drag you down to their level, and then beat you with experience."

Re:Not in your nature? Sure it is, but...

[sm62704]

I don't know, maybe you're right, but I've been dirt-poor during periods in my life and never resorted to dishonesty. OTOH I know people who were born with money who steal for the hell of it.

Tami (AKA "Lucy Furr", she's in some of my journals) is one of those. Of course, her whole family is dishonest (and monied) from what I hear.

There's another woman I know (also in the journals), Casey, who's a crack whore despite being born into money. You just never know.

This is capitalism at work!

[xkr]

This is capitalism at work! I don't understand the problem. Doesn't everyone know that capitalism is the world's best system of government and that we fought (and are fighting) wars to force everyone to this system. We should be celebrating--"Capitalism works in poor countries!"

Our politicians don't get any spam. (The ones, that is, who actually own a computer.) Cybercrime is not their problem. Let the market figure out a solution.

"Yeah!"

I don't think that big.

[BenEnglishAtHome]

Office Space was trying to deal with too much money. Greed'll kill ya.

Personally, I'd want my ill-gotten gains to be sufficiently small that no one would notice. I have a life and a job. If I had some criminal enterprise on the side, I'd want it to be just big enough to keep me with a couple of grand in my pockets all the time. Then I could buy pretty much anything I wanted any old time without being noticed. A new target pistol? A night on the town? Expensive car repairs? A new flat-panel? A new media server for the house? Food and clothing? Just pull out a wad of $100s. The basic stress of making a living and paying for all the basic necessities disappears.

For big purchases, like a house or car, there's the completely traditional route, paid from my legit income. And I'm going to have no problem making my payments because all the expenses that might eat up my cash are taken care of from that ever-present walking-around money.

So the Office Space guys made too much money and earned too many problems along with it. If they had put in some kind of limiter to keep their ill-gotten gains below a reasonable amount, they could have lived easy and stayed under the radar. Yeah, greed by itself is bad but the combination of greedy AND stupid is just tragic.

Now, can anybody suggest a low-end criminal enterprise that would produce moderate additional income for minimal risk and effort? No? Darned if the real world doesn't put a major damper on most silly daydreams. Doncha just hate that?

I gotta get back to work.

IP addresses of compromised machines

[Atario]

I'll give you the list[1] right now. Here's the pseudocode that will give it to you:

for A = 0 to 255
  for B = 0 to 255
    for C = 0 to 255
      for D = 0 to 255
        print A.B.C.D
      next
    next
  next
next

[1] List may contain some non-compromised machines