Microsoft study debunks profitability of the underground economy


Cybercrime, what cybercrime and millions of dollars in profits?!

A newly released paper presented by Cormac Herley and Dinei Florencio at this year's Workshop on the Economics of Information Security 2009, entitled "Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy", debunks the often taken for granted profitability of the underground economy, comparing it to a Market for Lemons, where the seller knows more about the product than the buyer.

Earlier this year, the same researchers also debunked the profitability of phishing (Microsoft study debunks phishing profitability) in general, using the Tragedy of the Commons as an analogy for their findings.

I beg to differ with the conclusions drawn in both papers, and here's why:

According to the executive summary:

"Stolen credentials are traded in bulk for pennies on the dollar. It is suggested that large sums move on these markets. We argue that this makes very little sense. Using basic arguments from Economics we show that the IRC markets studied represent classic examples of Lemon Markets. The ever present rippers who cheat other participants ensure that the market cannot operate effectively. Their presence represents a tax on every transaction conducted in the market. Those who form gangs and alliances avoid this tax, enjoy a lower cost basis and higher profit."

It does make sense; the report's findings are flawed because they draw conclusions from a highly outdated form of communication between cybercriminals: Internet Relay Chat, or IRC.

Trading stolen credit card information over IRC is so Web 1.0 that it encompasses only a tiny percentage of these trades. The majority happen in closed, invite-only portals, alongside plain private communication with a vendor who lacks a fancy online store for the stolen goods. Generalizing from a single, largely outdated distribution and advertising channel for stolen goods therefore undermines the majority of the conclusions drawn.

The researchers also find no sense in statements such as:

"For example, Symantec finds the asking price for a CCN varies between $0.5 and $12, even when the available balance is several thousand dollars. This makes very little sense. Why would anyone sell for 50 cents an asset that is worth $2000? If turning the CCN into cash requires skill that the seller does not possess it would surely be a skill worth learning."

They would not, and not only because they would still break even (earn a profit) if they do so. Depending on their position within the underground marketplace, they may in fact be willing to earn less and forward the responsibility (and potential imprisonment if detected) to the buyers of the credit card details, who then attempt to cash out the money.

Based on personal observations of numerous monetization approaches over the past several years, there is a majority within the underground ecosystem that may look like hardcore cybercriminals cashing out money on their own from each and every phished and Zeus-ed (banker-malware infected) host, but is in fact reselling access and the accounting data to organized cybercrime syndicates with experience in obtaining the cash. If these cybercriminals were to "learn the skill" of how to do so, they would inevitably earn more; however, the money made is proportional to the increased risk of getting caught given their lack of experience, so reselling the data to experienced parties as fast as possible remains their only option.


Another important factor to consider is the current oversupply of stolen credit cards and accounting data. Combined with the liquidity of this commodity asset decreasing by the hour (the compromised web site may alert affected customers, or the customers themselves may receive an ID theft alert, or detect malware and block the card immediately), it prompts sellers to find a buyer quickly, which is where the terms "fresh credit cards" or "virgin CCs" come from.

And since the value of the asset (stolen credit cards) is decreasing, the average seller is willing to ignore profit maximization for the sake of earning revenue and a positive return on investment, using the simple logic of the time value of money: a dollar today is worth more than a dollar earned tomorrow. What does this mean? It means that, knowingly or unknowingly, and perhaps even left without a choice since the details of a stolen credit card today will be worth nothing in , cybercriminals take advantage of time preference.

Here are some of the characteristics of Lemon markets that the study applies to the underground economy, and the reasons why I find the conclusions drawn largely flawed:

  • Asymmetry of information, in which no buyers can accurately assess the value of a product through examination before the sale is made, while all sellers can more accurately assess the value of a product prior to sale - Where do I begin? Sellers with a well known and proven reputation, combined with a multitude of positive feedback from happy buyers, command the market. These people not only include screenshots of their web malware exploitation kits, but also come up with videos, and in fact even issue demo accounts to potential buyers. The practice of issuing demo accounts or providing screenshots from within a particular service while it is attacking has proven pretty successful so far, at least judging from the hundreds of "happy cybercriminals" recommending that others do business with a particular vendor of a particular product/service. The value of the asset, whether a web malware kit or stolen credit cards, is verifiable. In the web malware kit case, either a trusted and well known administrator gets a free copy, tests it and posts positive feedback resulting in sales for the author, or the buyer assesses its value based on the modularity of the kit, the exploits used and the unique differentiating factors compared to other kits. In the stolen credit card case, either the reputation of the seller or a small number of valid credit cards provided as proof of the validity of the bulk order results in a transaction. However, the single most valuable boost for such an advertising campaign remains the moment when the malware kit is used in the wild and receives publicity thanks to a security vendor that has detected it as the kit used in a major successful malware attack.
  • Sellers have no credible quality disclosure technology - Data speaks for itself. A screenshot demonstrating the conversion rate from traffic to infected hosts across multiple browsers speaks for itself. Combined with a credible reputation for the seller and countless happy clients, or sometimes a plain simple confirmation from a forum/community administrator that the seller is a well known cybercriminal and can be trusted, this can close the deal. Quality disclosure within the underground marketplace sometimes comes in the form of simple changelogs, to-do lists compared with the current features, or a plain simple screenshot of a particular kit in action. As far as credit cards are concerned, valid samples of this commodity good are offered to potential buyers. Take for instance the ubiquitous Zeus crimeware kit and the fact that third-party developers are continuously improving its features and keeping a record of the new ones.
  • Either there exists a continuum of seller qualities or the average seller type is sufficiently low - The research further implies that "The evidence certainly indicates that the average seller quality in the Underground Economy is extremely low, and cheating and dishonesty are rampant." Even if we take the truthfulness of this statement for granted, it would make the big picture even worse. Picture the currently booming cybercrime economy, with massive malware generation, relying entirely on low quality releases. What if they actually start caring about the quality of their products? Scammers, or the so called rippers, are present in the invite-only and closed communities, and they always will be, no doubt about it. In fact, two years ago it would have been nearly surreal to think that coders of popular crimeware kits like Zeus, or of web malware exploitation kits, would become victims of software piracy within the underground economy, inevitably shifting the trade of these products from a black market to a grey market where the manufacturer (the author of the crimeware) is no longer able to run a business model since, ironically, there is no intellectual property law enforcement in a highly illegal market. Numerous authors have, however, not only attempted to forward responsibility for fraudulent activity to their customers by including disclaimers within their products, but also issued licenses and copyright notices which, if they were ever actually enforced, would incriminate them as the actual owners of the crimeware kit. One thing remains for sure: when doing business no one is shooting in the dark; reputation, positive feedback, and actual screenshots and demonstrations issued by a trusted seller are what close a deal.
  • Deficiency of effective public quality assurances (by reputation or regulation) and/or of effective guarantees/warranties - Quality assurance has been improving, and is in fact an inseparable part of the underground ecosystem. From quality assurance in malware campaigns, in the form of managed crypting in order to achieve a lower detection rate, to automatic multiple-firewall bypass verification for a particular malware sample, cybercriminals are constantly creating new market niches and setting new benchmarks for the rest of the participants to catch up with.


Stolen credit cards are not the cornerstone of the underground economy, which, like other economies, is shifting from generating most of its revenue from products to generating it from services, or value-added ones. Cybercrime-as-a-Service is becoming the efficient response to the previously known inefficient models.

For instance, managed spam services, segmentation and localization of harvested emails for better targeting, and managed translation and social engineering services allowing Chinese spammers to disseminate a campaign in multiple languages, alongside targeted attacks that spam banker malware, all indicate the sophistication of the underground economy and its clear obsession with quality assurance, which in the long term will come in the form of standardization courtesy of the managed service providers.

Combined with the efficiencies achieved on behalf of the sellers and their evident interest in vertical integration, in order not only to diversify but also to occupy different underground market segments, this indicates the dynamics of an underground economy where those who diversify their monetization tactics with personal security in mind earn most of the money.

The bottom line: is in fact no one selling gold for the price of silver? That would be true only if the gold had not originally been obtained for the price of iron, or stolen from other trading partners, allowing the new owner to earn a profit despite the lower selling price.

And even if the underground economy's profitability is greatly overhyped, a statement with which I don't agree, the direct costs of cybercrime-related incidents are pretty evident to everyone. And that's just the tip of the iceberg, since in the underground economy the market capitalization is irrelevant to the fact that millions of end users and companies are suffering direct costs related to the services and products -- including the supposedly low quality ones -- currently in circulation.


About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

43 comments
  • "Microsoft study" ----> stops reading

    Microsoft+study = has historically been proven to generate marketing lies.
    nizuse
    • Pathetic argument.

      This academic paper is written by two researchers employed by Microsoft. The byline makes that abundantly clear. The paper is published, and available for anyone to read.

      The critical response is to read the paper, and engage in meaningful discussion. If there is bias in the arguments, they will be evident.

      The pathetic and juvenile response is to simply dismiss it because it comes from Microsoft. I don't believe there is any marketing message in this document - it's about discussing approaches to reducing cyber-crime.
      TheTruthisOutThere@...
      • I'm afraid he is right

        Given MS's long history of Machiavellian propagandising ("Get the facts", Jeff Jones, etc) from a perspective of always trying to make the MS product look good and the competing product look bad without regard to actual performance characteristics, one would be foolish to spend much time on the materials MS pays to have produced.
        It's a big industry; if there is any truth to what MS is trying to push, someone will come up with a credible study supporting that conclusion. Why waste your time on materials originating financially from a company which is known to deliberately, consistently, and frequently use deception as a marketing methodology?
        dfolk2
        • The skill is called "critical reading"

          The skill is called "critical reading", not "pre-concluded ignoring".

          You should read everything with a view as to who is saying it, and why - especially if it's a marketing document. But this isn't a marketing document, it's a research paper that doesn't obviously push any Microsoft product.

          TheTruthisOutThere@...
          • Another skill

            Another skill would be not wasting one's time.

            On the other hand, I'm sure that MS funds actual studies at times, not intended simply for propaganda purposes. I suppose such researchers probably do feel discouraged by having their work dismissed out of hand as a result of MS's historically abysmal ethics effectively being smeared upon them.
            The deal is that, because of MS's ethics, you have to spend so much more time checking out the fine details on anything MS funds that it becomes a much more major project to determine if the study is an honest portrayal of well considered facts, or just the usual self serving stuff they are infamous for shoveling out.
            dfolk2
          • Another skill nr 2 = time management

            so many things to do, limited time.

            Solution: do not spend time on inherently unreliable sources.

            And MS is inherently unreliable. And also unethical I might add. Enough court rulings to prove that.

            But hey - go ahead giving MS the benefit of the doubt with your critical reading skills. I have got better things to do.
            nizuse
  • I politely disagree.

    First:
    "Trading with stolen credit card information over IRC is so Web 1.0, it encompasses a tiny percentage of these trades"

    So if there is a vast multitude of activity on IRC pertaining to this kind of thing, and that is only a tiny percentage of it, then I guess most of the population of the world is attempting this illicit behavior. The above quote is a classic example of the "Their opinion is wrong, I have a better opinion" type of argument, which never seems to supply proof to back it up.

    In response to this observation:
    "This makes very little sense. Why would anyone sell for 50 cents an asset that is worth $2000? If turning the CCN into cash requires skill that the seller does not possess it would surely be a skill worth learning."

    ...we get:
    "they may in fact be willing to earn less, but forward the responsibility (and potential imprisonment if detected) to the buyers of credit card details while attempting to cash out the money."

    If that was true then the potential for risk must be massive. In fact close to insurmountable. Selling something for 50 cents or even 50 dollars, that has a potential value of $2000, because trying to get the value out of it has a potential to put you in jail inherently means the risk is absolutely wild. People sell drugs and don't have anything remotely close to that huge of a cost to potential profit spread. Drug dealers risk going to jail as much as anyone if they are caught. It's an absolutely ludicrous conclusion to imply that someone would sell a $2000 value credit card number for 50 cents if there was any decent hope of getting the money out of it without going to jail.

    Consider, to make $2000 the seller would have to sell 4000 CCN at 50 cents a piece. What's more risky; cleaning out one $2000 account or selling 4000 CCN? It's a stupid conclusion to say anything with something even close to $2000 of real value with any serious possibility of getting that value out of it would sell for 50 cents, risk of jail or not.

    And this:
    "the average seller is willing to ignore profit maximization for the sake of earning revenue, and a positive return on investment by using a simple logic in regard to the time value of money - a dollar today is worth more than a dollar earned tomorrow"

    It is another classic example that almost sounds like it makes sense unless you just think in a very straightforward way that makes common sense. First, if there is such a rapidly depreciating time value of the CCN for example that it's worth it to sell it off, again at 50 cents, or even 50 dollars, it backs up the Microsoft report's main contention, and that is that the products offered for sale often have no real value.

    You can count on the fact that if it's sold for 50 cents today instead of the $2000 it could be worth, simply due to such rapidly declining time value of money in the product, what's the product really worth, let's say, even two hours later? If something, anything, anything is ever sold at such a cost reduced price due to the time value of money, count on it being a piece of crap by the time it's in your hands.

    The bottom line seems to be that there is a two tier system and the lower tier, just as the report suggested, is rife with low to non-existent value products and rippers who peddle them. The old adage is that if it sounds too good to be true it probably is too good to be true. And something touted to generate anything like $2000 but sells for less than one tenth of that is too good to be true.

    Everything in the Microsoft report rings true while the position taken in the article relies on faulty logic.

    Cayble
    • Re: I politely disagree.

      Thanks for the comment. Here are some responses to your points:

      "So if there is a vast multitude of activity on IRC pertaining to this kind of thing, and that is only a tiny percentage of it then I guess most of the population of the world is attempting this elicit behavior. The above quote is classic example of the "Their opinion is wrong, I have a better opinion" type of argument, which never seems to supply proof to back it up."

      Do you honestly think this is the best place and time to provide all the juicy details regarding particular portals and groups doing these trades over the Web? Especially in times when I have everyone I talk about on my RSS feed:

      http://ddanchev.blogspot.com/2009/06/from-ukrainian-blackhat-seo-gang-with.html

      Appreciate my rhetoric regarding the proof. Investigations are ongoing. Also, the main reason why I find the conclusions made in the study wrong, is because they used the wrong sample - IRC, which none of the real carding communities use nowadays. It's a leftover from carding 1.0

      "Selling something for 50 cents or even 50 dollars, that has a potential value of $2000, because trying to get the value out of it has a potential to put you in jail inherently means the risk is absolutly wild."

      I observe the communities, profile and analyze the trading practices, which does not necessarily mean that the rationality which you expect from fellow "real-life" criminals has to be the same. Have you, for instance, considered "penetration pricing" within the underground marketplace, that is, the situation where new market entrants are attempting to generate sales by purposely undercutting the prices for credit cards offered by the organized gangs? It's happening; what's also happening is that these very same organized gangs are buying -- remember they have an established customer base, years of reputation and lots of advertising compared to the new market entrants, who would be automatically labeled as scammers due to the suspiciously low prices -- the credit cards from the new market entrants, and are naturally increasing the price.

      On their way to gain market share, the new market entrants possessing huge number of credit cards for which they've been maintaining a botnet for a month or less, should not be excluded.

      "And something touted to generate anything like $2000 but sells for less then one tenth of that is too good to be true."

      It is, that's the problem and that's why there's an oversupply of stolen credit card numbers. Keep in mind that even though a $2000 credit card might be sold for 50 cents, the process of cashing out the money through a different or the same vendor will end up in -40% of the money for the vendor that cashed them out. Basically, a cybercriminal may have access to a $10,000 credit card, which he bought for 10 bucks, but he will inevitably and indirectly pay the price by losing a huge percent of the balance by allowing a vendor offering security and experience to cash out the money. These cases are often the ones that make the headlines, especially the organized attempts to do so.

      A money mule syndicate that's in operation since 2002 states what all money mule syndicates and related services state:

      http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

      "You take 45% commission of the processed check, minimal amount is $3000"

      Even if someone decides to start selling a credit card with a balance of $10,000 for the price of $5,000 in an attempt to make a logical sale like you assume he will, it will be pointless for both the seller and the buyer to engage in a transaction. The seller will be undercut by the new market entrants, or even the big market players which engage in bulk sales, and even if the buyer buys it, he will again have to sacrifice 40% of the balance through the money mule service cashing it out and earning revenue in the process.

      If the guy decides not to use this service, he's increasing the chance of getting caught, but he will end up with the entire balance.

      "Everything in the Microsoft report rings true while the position taken in the article relies on faulty logic."

      Time and place for everything, keep an eye on my research, if you've been keeping track of it so far, you'll get the impression that I rarely speculate about anything, and stick to the facts.
      ddanchev
      • have to agree with politely disagree

        Microsoft's paper certainly has flaws. I agree that public IRC channels probably aren't where lucrative business is being done. At the same token, MS provides real data. Your theoretical approach might ring true at moments, but dynamic systems are notoriously difficult to predict -- see the current economic crisis. So without data, MS provides the best evidence. Your blog is great, but being realistic here, "just trust me, wait and see future research" isn't a real argument.

        That being said, your blog is definitely one of the best technical blogs. You should get some leeway. However, I don't know a better forum for disclosing botnet/criminal details. To get the information you usually have to break terms of use, hack, or lie. Likewise you're probably not working with law enforcement or following chain of custody. I could be wrong -- but I think you'd be in the rare minority if that was the case. Therefore if you're not making a legal case, and you're definitely involved in journalism, where is better to publish factual data?

        Now truth be told, I think the most significant "flaw" of the MS paper is its topic. They explicitly state they're studying IRC channels -- and I generally assume they're looking at public channels, as they distinctly address the 2nd tier as a better place. Therefore, they're basically studying bottom barrel stuff. If you read Levitt he argues that low level criminals (drug dealers) basically make no money. So to get accurate data, you need to join a tight group or find another way to measure.

        If you look for another way to measure I think examining the managed services is the way to go. If people are consistently paying good prices for hosting, bot clients, spamming services, and exploit packs then there's evidence that they're making money somewhere. If the market makes any sense at all, it would collapse otherwise. Before I start speculating too much, I'll shut up and get enough data for a proper paper.

        mwollenweber
  • How much or how little the criminals are making makes no difference.

    They are costing us billions either way.
    kozmcrae
    • Why not read the article, then?

      If you have the mental faculties necessary to read a 10 page article, you might find an answer to exactly that question.

      They say this:

      [i]Why does this matter? If all we cared about were the direct losses from cybercrime it might not be important. Why should we care if one subset of cybercriminals get cheated by another? However, the gains enjoyed by participants in the underground economy are not an accurate measure of the size of the problem. For example, Kanich et al. show that a 350 million email campaign resulted in a mere $2731 in revenue for the spammer. Clearly, this gain is minor in comparison to the externalities: the value of the infrastructure required to handle and store this email, the spam filtering work required, and the time wasted by recipients.[/i]

      If you read the rest of the article, they explain why it might be important.
      TheTruthisOutThere@...
      • On this blog I learn more from the comments.

        The author often leaves important information out of the article. I find out what's missing in the comments.
        kozmcrae
        • I was referring to the academic paper

          I was referring to the academic paper, not the blog posting. However, I agree that it's a growing trend here at ZDNet to only report half the story (then imply that they are only blogs, so that's ok).

          Free is great, but I'm starting to think that maybe if we want good journalism, we need to be paying for it.
          TheTruthisOutThere@...
    • True

      It is not how much the criminal makes, but how much we, collectively, do to prevent and stop the criminals who are constantly making money.
      phatkat
  • Considering MS s/w is the main target.......

    They would say that wouldn't they.

    Seems profitable for MS with their illegal monopoly
    Alan Smithie
    • ?

      Monopolies aren't illegal, sorry Alan.
      rtk
      • Abuse

        Microsoft was convicted of abusing their monopoly, not merely having a monopoly.
        epcraig
        • Agreed

          Alan inferred there was such a thing as an illegal monopoly.
          rtk
  • You are way off base

    I found the MS article refreshing: an analysis by people who can count. Sorry to say your rebuttal tries several different arguments and doesn't back any of them up.

    "Another important factor to consider is the current oversupply of stolen credit cards and accounting data."

    No, increasing supply drives the price down only when demand can't keep up. The demand for free money is infinite.

    "Data speaks for itself. A screenshot demonstrating the conversion rate from traffic to infected hosts based on multiple browsers speaks for itself."

    No. Altering a screenshot is hardly a big deal for someone who specializes in technology, stealing and deception.

    "The bottom line - is in fact no one selling gold for the price of silver? That would have been true if the gold wasn't originally obtained for the price of iron."

    Really? Ever met someone who was willing to sell you gold real cheap just because his acquisition costs were low?
    TKindle
    • In fact yes...

      People will sell stolen gold for less than its true value. Why, they trust that you as the purchaser of stolen gold are more likely to buy it and say nothing to law enforcement because of the bargain you are getting.
      zkiwi