The FBI reports that, for the first time, revenues from cybercrime have exceeded those from drug trafficking, making cybercrime the most lucrative illegal global business, estimated to reap more than $1 trillion annually in illegal profits.
According to the ChannelWeb article The New Face Of Cybercrime, it didn’t happen overnight. According to the Q2 2008 Web Security Trends Report by Finjan, a San José, CA-based security company, these cybercrime organizations—some claiming up to tens of thousands of members—have all emerged over the past two years to create a viable shadow economy. “It’s a contemporary economy mediated by Internet workings. It just happens to be illegal,” said Peter Cassidy, secretary-general of the APWG, a nonprofit organization dedicated to counteracting cybercrime.
“What we’ve seen is really a deep stratification of electronic crime into a growing, prosperous and responsive economy, with a number of specialty organizations, syndication and deepening organization of peers, both within a vertical skillset and across the entire enterprise of electronic crime,” said Cassidy. “Increasingly, we see this is turning into big business.”
Just like a Mafia family, they’re organized into strict hierarchies. They’re headed by a criminal boss, who is seconded by an underboss who provides Trojans for attacks and acts as the command and control center of the operation. Spearheading the malware attacks against businesses and individuals are the campaign managers, who direct their drones in affiliation networks further down the chain of command to actively steal the data from users’ computers.
The stolen data—generally users’ credit cards and social security numbers—is often sold by cyber resellers, who specialize solely in buying and selling the stolen data.
“This is definitely an area of growing concern,” said Dave Marcus, security research and communications manager for McAfee. He continues, “Instead of accessing and stealing information, they’ll sell account information for a premium.” Marcus said that the resellers typically post the stolen information on Web sites, where it is offered for sale to hackers based on brand, location, and additional value-added features. Marcus said that one Web site discovered by McAfee Avert Labs offered stolen bank accounts for sale, with much higher prices for accounts from U.S. financial institutions such as Citibank and Bank of America than for those from smaller credit unions and more obscure foreign banks. Criminals who want to use the information can then contact the resellers to negotiate a price.
Driven by the laws of supply and demand, and with the commoditization of data such as credit card and bank account numbers with PINs, the price of an average identity has dropped in recent years from $100 to somewhere between $10 and $20 apiece.
However, other information is even more valuable. Experts say that prime real estate for cybercriminals, such as health-related data, internal corporate notes, and Outlook and FTP accounts that can provide access to intellectual property, goes for much higher prices on the black market. As a result, attackers will increasingly be targeting health and government organizations, as well as corporate intellectual property, security experts say.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005.