Slashdot Mirror

← Back to Stories (view on slashdot.org)

Following the Money In Cybercrime

Posted by timothy on from the prevailing-wages dept.

jbrodkin writes "Five dollars for control over 1,000 compromised email accounts. Eight dollars for a distributed denial-of-service attack that takes down a website for an hour. And just a buck to solve 1,000 captchas. Those are the going rates of cybercrime, the amounts criminals pay other criminals for the technical services necessary to launch attacks. This criminal underground was detailed Wednesday in a highly entertaining talk given by researcher Stefan Savage at the annual Usenix technical conference in Portland, Ore. Savage's research into the economics of cybercrime began as lip service to satisfy the terms of a government grant, but it turned out to be the key to stopping computer attacks. Targeted methods — such as using CAPTCHAs — don't stop criminals, but they add to the cost burden and put the inefficient criminal organizations out of business, letting security researchers focus only on the ones that survive."

25 of 107 comments (clear)

  1. Like antibiotics by DanTheStone · · Score: 2

    Now we just need to hope that they don't breed better attackers that are all resistant.

    1. Re:Like antibiotics by jellomizer · · Score: 3, Interesting

      Well not really. Organized Crime grows but it doesn't reproduce well. If one does split it is often because there are some hot heads who think they can do it better, and takes resources away from the other. So we either get One Organization who is strong while the other is weak and will die off soon. Or both will be weaken and both would die off soon. Very Rarely would they split into 2 strong units.

      However what could happen with all the small guys going away there is less competition for the big ones and then they can monopolize the market... FTC is kinda useless against Organized Crime.

      But if they get too big it gets harder for them to operate without the law noticing and makes it easier for law to bring them down.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Like antibiotics by icebike · · Score: 4, Insightful

      However what could happen with all the small guys going away there is less competition for the big ones and then they can monopolize the market...

      Do these guys really compete at all?

      I've never seen shoplifters or bunglers compete. There are simply too many soft targets out there.

      But the rest of your analysis is otherwise pretty good, and the reduction of organizations might be mostly in the script kiddie market, with the few really good (bad) organizations being pretty much unaffected.

      When the truth emerges about the current deluge of hackers it will probably be a huge mob of semi-literate kiddies running scripts and purchased hacks, mostly for harassment and diversion of government resources while the big boys break into money pits or marketable secretinformation sites.

      While the harassment and dossing have been with us for some time, the tempo has been ramped up. Why are these people concentrating on government agencies like the FBI? My guess is they are being organized to act as a diversion by other governmental agencies or those guys after the big bucks. Maybe Iran is getting back at the west for wrecking their centrifuges. Who knows.

      Personally I suspect its the same organizations helping themselves to the money and their government employers to the secrets.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:Like antibiotics by wisnoskij · · Score: 2

      antibiotics are often given a preventative and in many cases for livestock are continually given from birth to death as a preventative.

      --
      Troll is not a replacement for I disagree.
  2. Cheap Enough, But ... by WrongSizeGlass · · Score: 4, Insightful

    But how do you pay these "companies" when you want to purchase their services? I'm sure not going to give them credit card, or an electronic bank transfer. Do they accept BitCoins? ;-)

    1. Re:Cheap Enough, But ... by Anonymous Coward · · Score: 3, Funny

      I pay using credit cards. Not my own, though.

    2. Re:Cheap Enough, But ... by wintercolby · · Score: 2

      They'll just be stolen by the people you pay, anyway

      --
      Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
    3. Re:Cheap Enough, But ... by Lunix+Nutcase · · Score: 2

      That's why you should pay them in Beenz. No one is going to want the steal them.

    4. Re:Cheap Enough, But ... by scorp1us · · Score: 2

      Better yet how much for them to mine bitcoins for you. They can pay themselves with 30% of the mining...

      --
      Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    5. Re:Cheap Enough, But ... by hellkyng · · Score: 2

      You pay these companies through web money accounts, which are effectively the same as cash. These transactions are usually non-reversible and run through companies like Western Union or Liberty Reserve. Credit cards are a completely worthless form of payments on those sites, and they recognize that.

  3. Wow! by eln · · Score: 5, Funny

    At those prices, I can't afford to NOT spam!

  4. Economics by SniperJoe · · Score: 5, Insightful

    I am beginning to think that everyone should be forced to take an economics course in their lifetime. So much of the world is driven by economics that I think you'll understand the world quite a bit better if you understand the dollars and cents behind it. Perhaps its a case of "the more economics you know, the more economics you see."

    1. Re:Economics by betterunixthanunix · · Score: 2

      Theoretically this should be part of basic high school education, but considering that we only barely expect our high school graduates to be literate (at least in America), I doubt we will see such a situation any time soon.

      --
      Palm trees and 8
    2. Re:Economics by JustSomeProgrammer · · Score: 4, Insightful

      My world history class in college was centered on the history of trade since people always migrated along those paths and society developed along those paths. It was really interesting and taught me that yes, money really does make the world go round.

    3. Re:Economics by operagost · · Score: 4, Insightful

      If our students understood economics, there would be fewer of them going to college with the false expectation that a degree will guarantee them a secure job, and even fewer who believe politicians who promise "free" anything.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    4. Re:Economics by gstoddart · · Score: 5, Insightful

      I am beginning to think that everyone should be forced to take an economics course in their lifetime.

      The problem is ... which version of 'economics'?

      It seems there's the broad, general sense of economics which attempts to explain how things work as an interconnected system. And, then there's the economics which is almost dogmatic ... it's a belief that under certain circumstances, and given a set of assumptions, a given outcome would naturally occur. Those, I'm not convinced are supported by anything more than a desire for it to be true.

      I, for instance, have yet to be convinced that "trickle down economics" actually accomplishes what its proponents claim it will. I also, am completely unconvinced by things that the rampant socialists say would happen if we listened to them since their numbers are equally imaginary. They both amount to wishful thinking.

      At a certain point, economics devolves into ideology and philosophy. And your belief in what works ceases to be empirical, and more focused on how you think the world should operate if you could rewrite reality to suit your own needs (or, force everyone to adopt your theories long enough for them to be proven true/fail utterly).

      I agree that some understanding of economics is valuable ... but then it breaks down to become a belief system, and goes all to hell. Modern economics is like the Emperor's New Clothes ... as long as we all keep deluding ourselves that it works, everyone is happy. Occasionally, a glaring counter example comes along that people chalk up as being an anomaly.

      It seems that goes for both ends of how people believe economics works.

      --
      Lost at C:>. Found at C.
    5. Re:Economics by dmgxmichael · · Score: 2

      Worse, if more people understood economics, there'd be even fewer engineers and more parasites (lawyers, politicians and bankers)

    6. Re:Economics by gstoddart · · Score: 2

      Really? So what will it take to convince you that "trickle down economics" actually accomplishes the opposite of what its proponents claim it will?

      Surprisingly little, but in the interests of being somewhat balanced, I chose to highlight that the two extremes are both a little shaky without actually focusing too much on one or the other.

      Because from there, it's an easy walk over to being convinced that those proponents know this and have been lying about their intentions the whole time.

      As someone I used to work for used to say ... it's not a lie if you believe it.

      I believe it's entirely possible to believe that trickle down economics would work, and that it it would begin by benefiting those advocating it ... as I said, after a certain point, one's economic theories become closely tied with one's beliefs.

      Trying to falsify the beliefs of another is usually an impossible task. I don't need to believe them to be intellectually dishonest ... I just think that the belief that trickle down economics is so tied into the rest of how they perceive economics as working, that there's no separating the two. It's an article of faith.

      Those who worship at the feet of "The Free Market" will pretty much always take it as a given that tax cuts for the rich will trigger spending which will in turn excite the economy, and therefore benefit everyone. I think it lets the wealthy skim off the cream, leaving the rest of us with less (which is why the top richest people get richer and everyone else ends up broke).

      Somehow, they think that's to everyone's benefit, but I've never been clear on exactly how that was supposed to work for the rest of us.

      To a certain extent, Capitalism seems like a ponzi scheme. Certainly, that's how they're running the stock market over the last decade or so.

      --
      Lost at C:>. Found at C.
    7. Re:Economics by idontgno · · Score: 2

      That just proves that Newtonian mechanics isn't complete physics the same way that high school Macroeconomics isn't the complete economic picture. However, there is a difference: classical mechanics corresponds pretty closely to gross everyday observation of physical phenomena, but pure elementary Macro and Micro bear only the slightest correspondence to the gyrations and churn of the great big huge Global Economy, as frantically and inconsistently reported by every news organ in the world, and as debated endlessly and fruitlessly by every pundit, economist, politician, or CEO in existence.

      High school economics is more obviously idealized and incomplete than high school physics, because high school physics is more closely correlated to observable reality.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  5. Freakonomics by Lifyre · · Score: 4, Insightful

    I don't know if you've read Freakonomics or not but that is basically the premise of the entire book(s). There are economics in everything, people respond to incentives and if you set up your incentives properly you'll get the result you desire. Fail to properly incentivize people and you can get all sorts of interesting results. I particularly like the Israeli Day Care example.

    --
    I'll meet you at the intersection of "Should be" and "Reality"
    1. Re:Freakonomics by Anonymous Coward · · Score: 2, Funny

      Freakonomics is to Economy like Donald Duck is to Ornithology.

  6. I'm confused by interkin3tic · · Score: 2

    It suggests that CAPTCHAs can narrow the profit margin, but just a few lines above that it says they only cost a dollar to overcome. So these spammers will sell 1000 e-mail accounts for 8 dollars, and adding a dollar to the end cost to compensate for the CAPTCHAs would totally destroy their business model?

    Was that supposed to mean that each of the thousand CAPTCHAs adds a dollar in cost to spammers? Because then I could see how that would cause some problems for them.

  7. that cheap, eh? by treywilliams · · Score: 2

    I wonder what the going rate for stealing credit card numbers that have been saved on a website for returning customers. I know, because I've been the victim on identity theft twice now, and let me tell you, it ain't pretty. Recovering financially takes a year or more through vigorous DIY credit repair strategies and can make you weary of future online purchases. I read in another recent post all the grief that PayPal gives its customers and I can also attest to the fact that they are the most self-serving douche bags on the internet. Their operation is criminal... negligent at best. But seriously, $8 for a denial of service attack is super cheap. Hopefully as people start getting more serious about cybercrime, we can look back in 10-20 years and look at the internet as the Italian mafia with its godfathers being Google, PayPal, Facebook and the rest of the power holders sitting in prisons or at least crashing and burning financially.

  8. Of course you follow the money. by Animats · · Score: 5, Interesting

    Of course you follow the money. There aren't that many spammers; about three years ago, there seemed to be only about ten unique large-scale spammers. Taking one of them down made a significant dent in spam traffic for a month.

    Junky spam and junky bogus web sites are obsolete, even in the criminal world. The old mindset was to filter out emails and sites that "looked junky". The old "Web Spam Challenge was based on this. They have a big file of pages which humans have classified, by a quick look, as "spam" or "not spam". Five or ten years ago, that sort of worked, because most of the junk sites were really tacky. Phishing sites used to have blatant misspellings. That's history. Today's crooks have good web site production values.

    So you have to dig deeper. On the web spam/bogus web site front, part of the right answer is to find out who's behind the web site and do a background check. (We do that at SiteTruth.com, as I've mentioned before.) Right now, even a superficial check (is there a mailing address on the site? Is it a known phishing site? Do seals of approval check out? Non-junk SSL cert?) is enough to knock out a big fraction of the junk. The deeper checks (is there a business at that address? How long in business? How much revenue last year? What's their business credit rating?) tell us enough to have some confidence about business legitimacy.

    The original article mentions "ordering tons of stuff from phishing scams to trace the path of the money." That's what the FBI should be doing more of. Law enforcement can have accounts created, plug into the credit card system, and watch their credit cards being used in real time. It's hard to do that without law enforcement authority.

  9. Busting CAPTCHAs is not a crime. by Jane+Q.+Public · · Score: 5, Insightful

    Busting CAPTCHAs is not a crime. Not usually, anyway. Sure, it may violate a website's terms of service, but US courts so far (quite correctly) say that's not a crime, unless you're "stealing" a for-pay service. And maybe not even then.

    It is not valid to label something a "crime" just because it's inconvenient for some people. The lesson to be learned here is that CAPTCHAs are a lazy (and often lousy) way to prevent "unauthorized" access.

    Also, while most CAPTCHAs today can be busted with automated tools, as OP says it's often more economical to just hire teams of people from Pakistan or India to do it manually. The going rate on freelancer sites is about $1 per 1000, but sometimes it's even less.