The Economics of Cybercrime

By Richard Stiennon

(Back to article)

Many IT manages are frustrated by what seems to be an endless investment in security with no stop to security incidents. Is the answer better management? Better tools? Some all-encompassing new architecture from your router supplier?

Let’s step back a little, first. The Internet itself, while leading to a bubble on venture investment, was only a minor part of the overall economy a few short years ago. But look what has happened since the bubble burst.

The Internet has continued to grow. Some forecasts predict there will be one billion people connected to the Internet within the year. While, Nielsen Net Ratings reports a lower number, the fact is there are hundreds of millions of people on the Internet today and they are engaging in commerce.

They are purchasing things, subscribing to sites, emailing, banking, and investing. It is not unexpected that such a target rich environment attracts criminal elements.

Few of those hundreds of millions of new Internet users will know about the destruction of Usenet news by spammers in the wake of the first incident: an ad for green card services offered by two immigration attorneys in Florida. But most of them eventually learn about spam, phishing attacks, and Trojans; often too late to defend themselves.

Money is to be had and cyber crooks are flocking to the Internet like gold diggers to the motherlode. This means studying the economics of cybercrime will lead to effective counter measures. Ignoring the economics of cybercrime could be disastrous.

There are three business models for cyber criminals that can be addressed today. For each there is a need for the enterprise to understand how to counter the threat.

Advanced Fee Scams: By now you have received your first such email. It is craftily worded. It appears to come from someone who does not speak your native language. It appeals to your greed.

All that is needed is your contact information. In return you could reap millions. The very presence of these in your inbox every day indicates that the scam artists are succeeding at hooking enough victims to fuel their business model.

The best way to target this threat is through international law enforcement. One step you can take is reporting 419 scams (named after a Nigerian statute) to the email provider from which they originate. That will help increase the costs for the scammers.

Although there are no published numbers I am sure that these scammers must send out millions of emails to rope in hundreds of “marks” of which probably 1% ever yields a profit. Canceling their Yahoo! or Hotmail accounts will hurt their business. Report them.

Extortion: Hackers have taken a page out of the age old protection racket. Using the power of huge botnets they threaten the demise of your Web operations unless you pay their fees.

Do I need to tell you not to pay them? Call in law enforcement, and then take the money you would have spent on paying off the extortionists to beef up your defenses. Put in syn-flood blocking equipment. Multi-home your servers — especially your DNS servers. Arrange for large amounts of excess bandwidth to survive the onslaught of an attack.

Identity theft: Phishing, targeted attacks against data repositories, laptop theft, and Trojan horses are all tools of the trade for cyber criminals who are reaping the rewards from identity theft.

These attacks are best countered by examining the economics of cybercrime. Because it is so easy to get into a bank account with a stolen username/password, or apply for a loan with someone’s complete identity, an active market has arisen for identities. Prices range from $1 for a SSN (social security number) to $8 for complete credit card details.

The ultimate solution would be to make information that comprises an “identity” worthless. That day is far away, but in the meantime it is the responsibility of financial institutions that provide access to accounts online to protect those assets.

If you receive multiple phishing attacks targeting a particular bank, you can be assured those attacks are working. A cyber criminal would not go through the labor intensive (and expensive) effort of creating a mirror site, mass mailing, and collection of credentials, unless they were working.

You will not see a phishing attack against a bank that deploys strong authentication and uses out of band (mail, phone) communication to confirm unusual transactions. The phishers are smart enough to move on when they encounter good banking practice.

The crux of the cybercrime problem is money. That is what the cyber criminal is after. By starving their sources of revenue they will be put out of business. Allowing them to continue to prosper will encourage more to join the gold rush. If we study the economics we will understand the most effective ways to fight cybercrime.

Richard Stiennon is the former VP of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine.