Black Markets for Cybercrime a Specialized and Mature Economy: Report

Analysis of Cybercrime Markets and Stolen Data

Cybercrime Black Market Viewed as Being More Profitable and Low-risk Than Illegal Drug Trade

Cybercrime has evolved from a shadowy world dominated by individuals looking for notoriety and engaged in a game of one-upmanship and competition to a mature market-based economy thriving in the darkest parts of the Internet, according to an in-depth RAND study.

"The hacker market, once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety, has emerged as a playground of financially driven, highly organized and sophisticated groups," RAND researchers wrote in Tuesday's "Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar" report, sponsored by Juniper Networks.

Today's black market is a multi-billion dollar ecosystem where buyers can buy tools, technology, services, and stolen goods from sellers through a combination of familiar e-commerce tools, digital currencies, and secure communication protocols, according to the study. The black market is much more sophisticated than originally thought, and operates just like a legitimate economy, subject to normal market forces such as supply and demand.

The cybercriminal underground "mirrors the normal evolution of a free market, with both innovation and growth," the report said.

The existence of the underground economy is not exactly a well-kept secret. There has been a lot of recent research on the type of tools and services available, such as the thriving market for stolen credit and debit cards, the fact that criminals can rent or buy most of the tools and infrastructure they need for cheap, and an attempt to identify some of the malicious sites hidden inside the Tor network. The RAND study differs from previous work because it is an economic analysis of the complete black market, and not just of a specific geographic region or a segment of offerings, said Lillian Ablon, a RAND researcher and one of the principal authors of the study. Researchers found significant levels of economic sophistication, maturity, reliability, accessibility, and resilience in the products, distribution channels, and actors involved in these operations.

Specialization and resilience are some of the hallmarks of a mature economy, Ablon said. In a resilient economy, if one business shuts down, whether voluntarily or because of a law enforcement action, other participants step in and close that gap quickly. For example, when the alleged author of the Blackhole Exploit kit was arrested, total exploit-based attacks didn't decline dramatically because other exploit kits filled that vacuum. Or when Silk Road was shut down, a replacement Silk Road 2.0 opened for business shortly afterwards, Ablon noted.

Cybercrime Marketplaces

Criminals can shop for hacking tools and exploit kits, hosting infrastructure and distribution systems, and stolen information just by visiting a storefront. Sellers use anything from instant messaging chat channels and forums to sophisticated e-commerce sites, the report found. Many of the transactions are paid for with digital currencies such as Bitcoin, Pecuni, AlertPay, and PPCoin, to protect the anonymity of the marketplace participants. Much of the communication is conducted over secure instant messaging or private forums that require select membership.

Today's "black markets have seen a shift, a huge movement, into the darkness," said Ablon.

Recent arrests of major figures in the cybercrime underground and law enforcement's increasing successes in shutting down servers hosting malware and illegal marketplaces mean access to many of these black markets has become more restricted, said Lillian Ablon, a RAND researcher and one of the principal authors of the report. Cybercriminals have to be vetted before they can gain access, but once in, there are no restrictions on what the criminals can do or buy.

There are still certain rules of behavior, just like any other market, and the rule-breakers tend to be in the "lower" levels of the black market, which have less strict vetting rules. About 30 percent of the sellers of financial data are considered "rippers," or those who don't deliver what they offer, the report found. Reputation still matters, for both the sellers and buyers, since violators such as these rippers are reported and removed from the marketplace fairly quickly, the report said.

The cybercrime black market is increasingly being viewed as being more profitable and low-risk than the illegal drug trade, Ablon said. Some criminal organizations can reach 70,000 to 80,000 victims worldwide and earn hundreds of millions of dollars, the study found. It's easier to find victims, and the barriers to entry for cyber-criminals are negligible. For example, botnets, which can be used to launch distributed denial-of-service attacks, are available for as low as $50 for a 24-hour attack.

"These tools, sold on the black market as traditional software or leased like any other managed service, can help enable the most unskilled hackers to launch fairly elaborate and advanced attacks," the study said.

There are some geographic differences and areas of specialization. Cybercriminals from China, Latin America, and Eastern Europe were known for quantity in malware attacks, while Russian criminals were generally considered to offer better quality, the report found.

As end users become more hyper-connected, with more devices being able to connect to the Internet, criminals will see more points of attack and exploitation, Ablon said. The increased attack surface will mean wider selling opportunities on the black market, she said. There will be more malicious activity in the darknets, increased vetting of participants in these black markets, and a greater popularity of cryptographic currencies such as Bitcoin.

Products will also evolve in their sophistication, such as adding encryption to protect data being transferred from compromised systems and anonymity capabilities to make malware harder to detect. The black markets will be instrumental in distributing these anonymous, stealthy, and potent attacks, making it more likely that "the ability to attack will likely outpace the ability to defend," the report found.

While there is a growing number of services such as hacking-for-hire, hosting providers, and Malware-as-a-Service being offered on the black market, experts could not agree whether the black market will eventually transform into a service-based economy, which products will be on the rise, or which types of attacks will be more prevalent, Ablon said. Most interestingly, experts disagreed on whether individuals or businesses would be the most affected by the ever-expanding black market, she said.

The full report from RAND is available online.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.