Slashdot Mirror


Following the Money In Cybercrime

jbrodkin writes "Five dollars for control over 1,000 compromised email accounts. Eight dollars for a distributed denial-of-service attack that takes down a website for an hour. And just a buck to solve 1,000 captchas. Those are the going rates of cybercrime, the amounts criminals pay other criminals for the technical services necessary to launch attacks. This criminal underground was detailed Wednesday in a highly entertaining talk given by researcher Stefan Savage at the annual Usenix technical conference in Portland, Ore. Savage's research into the economics of cybercrime began as lip service to satisfy the terms of a government grant, but it turned out to be the key to stopping computer attacks. Targeted methods — such as using CAPTCHAs — don't stop criminals, but they add to the cost burden and put the inefficient criminal organizations out of business, letting security researchers focus only on the ones that survive."

5 of 107 comments

  1. Wow! by eln · Score: 5, Funny

    At those prices, I can't afford to NOT spam!

  2. Economics by SniperJoe · Score: 5, Insightful

    I am beginning to think that everyone should be forced to take an economics course in their lifetime. So much of the world is driven by economics that I think you'll understand the world quite a bit better if you understand the dollars and cents behind it. Perhaps it's a case of "the more economics you know, the more economics you see."

    1. Re:Economics by gstoddart · Score: 5, Insightful

      I am beginning to think that everyone should be forced to take an economics course in their lifetime.

      The problem is ... which version of 'economics'?

      It seems there's the broad, general sense of economics which attempts to explain how things work as an interconnected system. And, then there's the economics which is almost dogmatic ... it's a belief that under certain circumstances, and given a set of assumptions, a given outcome would naturally occur. Those, I'm not convinced, are supported by anything more than a desire for it to be true.

      I, for instance, have yet to be convinced that "trickle down economics" actually accomplishes what its proponents claim it will. I also am completely unconvinced by things that the rampant socialists say would happen if we listened to them, since their numbers are equally imaginary. They both amount to wishful thinking.

      At a certain point, economics devolves into ideology and philosophy. And your belief in what works ceases to be empirical, and more focused on how you think the world should operate if you could rewrite reality to suit your own needs (or, force everyone to adopt your theories long enough for them to be proven true/fail utterly).

      I agree that some understanding of economics is valuable ... but then it breaks down to become a belief system, and goes all to hell. Modern economics is like the Emperor's New Clothes ... as long as we all keep deluding ourselves that it works, everyone is happy. Occasionally, a glaring counter example comes along that people chalk up as being an anomaly.

      It seems that goes for both ends of how people believe economics works.

      --
      Lost at C:>. Found at C.

  3. Of course you follow the money. by Animats · Score: 5, Interesting

    Of course you follow the money. There aren't that many spammers; about three years ago, there seemed to be only about ten unique large-scale spammers. Taking one of them down made a significant dent in spam traffic for a month.

    Junky spam and junky bogus web sites are obsolete, even in the criminal world. The old mindset was to filter out emails and sites that "looked junky". The old "Web Spam Challenge" was based on this. They have a big file of pages which humans have classified, by a quick look, as "spam" or "not spam". Five or ten years ago, that sort of worked, because most of the junk sites were really tacky. Phishing sites used to have blatant misspellings. That's history. Today's crooks have good web site production values.

    So you have to dig deeper. On the web spam/bogus web site front, part of the right answer is to find out who's behind the web site and do a background check. (We do that at SiteTruth.com, as I've mentioned before.) Right now, even a superficial check (is there a mailing address on the site? Is it a known phishing site? Do seals of approval check out? Non-junk SSL cert?) is enough to knock out a big fraction of the junk. The deeper checks (is there a business at that address? How long in business? How much revenue last year? What's their business credit rating?) tell us enough to have some confidence about business legitimacy.

    The original article mentions "ordering tons of stuff from phishing scams to trace the path of the money." That's what the FBI should be doing more of. Law enforcement can have accounts created, plug into the credit card system, and watch their credit cards being used in real time. It's hard to do that without law enforcement authority.

  4. Busting CAPTCHAs is not a crime. by Jane Q. Public · Score: 5, Insightful

    Busting CAPTCHAs is not a crime. Not usually, anyway. Sure, it may violate a website's terms of service, but US courts so far (quite correctly) say that's not a crime, unless you're "stealing" a for-pay service. And maybe not even then.

    It is not valid to label something a "crime" just because it's inconvenient for some people. The lesson to be learned here is that CAPTCHAs are a lazy (and often lousy) way to prevent "unauthorized" access.

    Also, while most CAPTCHAs today can be busted with automated tools, as OP says it's often more economical to just hire teams of people from Pakistan or India to do it manually. The going rate on freelancer sites is about $1 per 1000, but sometimes it's even less.