Want to Stop Cybercrime? Follow the Money

Five dollars for control over 1,000 compromised email accounts. Eight dollars for a distributed denial-of-service attack that takes down a website for an hour. And just a buck to solve 1,000 captchas.

Those are the going rates of cybercrime, the amounts criminals pay other criminals for the technical services necessary to launch attacks. It's the kind of IT outsourcing no legitimate company would ever conduct, but it's a profitable business if done effectively.

This criminal underground was detailed Wednesday in a highly entertaining talk given by researcher Stefan Savage at the annual Usenix technical conference in Portland, Ore. Outrageous examples of outsourced cybercrime drew laughter from the audience, but Savage also presented an empirical approach to researching computer crime and devising the most effective - meaning the most financially feasible - methods of stopping it.

Savage is a UC-San Diego professor and director of the Collaborative Center for Internet Epidemiology and Defenses (CCIED). Founded to study the technical components of cybercrime, CCIED started getting federal funding in 2004 and as a result had to incorporate economic models into its research to satisfy the government.

Savage admitted that his look at economics was "total lip service" at first, but later he and his team realized the financial basis for criminal hacking may be the key to solving the whole problem. They expanded their study of the money, even interacting with criminal organizations in devious ways, for example by adding their own code to hackers' code in order to monitor them, and by ordering tons of stuff from phishing scams to trace the path of the money.

"One key flaw was looking at this as purely a technical problem," Savage said. We can stop some attacks by reacting to each new threat with a new technology to stop it, and installing antivirus software on billions of PCs around the world at a high per-unit cost, but it is an unsustainable model.

"Your role as a defender is: When a new attack comes out, you need to come out with a new defense," he says. "Attackers, on the other hand, can attack proactively whenever they feel like it."

It's nearly impossible to measure the effectiveness of defense, and creating new defenses is expensive, while committing cybercrime is cheap because of a vast black market.

If you don't have the expertise to steal email or credit card credentials, you just buy the compromised accounts from a website - in the customary lots of 1,000 that cyber criminals like to use.

"We buy and sell compromised hosts in lots of 1,000 where prices change based on supply and demand," he said.

Simply viewing the websites of businesses that sell access to compromised computers provides insight into their cost. One Russian site Savage showed listed the price of installing malicious software on computers.

"Ten cents is how much your machine is worth, and if you're in China your machine would be worth one cent," he said.
