Underground Cybereconomy Thrives

By Matthew Harwood

The total value of advertised goods in the underground cybereconomy is valued at $276 million, according to a new report on cybercrime from Symantec, which monitored criminal activity on underground economy servers between July 2007 and June 2008.

Symantec defines cybercrime as "any crime that is committed using a computer, network, or hardware device. The computer or device may be the agent of the crime, the facilitator of the crime, or the target of the crime."

Cybercriminals operate in online forums as well as use internet relay chat (IRC) channels to advertise, request, and sell goods and services, such as stolen credit cards, bank account information, and spam and phishing information. Symantec, however, notes that more sophisticated cybercriminals will likely switch to IRC channels as their marketplace to communicate as more and more forums are infiltrated and monitored by law enforcement.

Much of the market's worth is derived from the sale of stolen credit card information, which, according to Symantec, accounts for 59 percent of the underground economy. Stolen credit cards are also the most advertised and requested good on these online forums.

"Credit card information may be in such demand because using fraudulent credit card data for activities such as making online purchases is relatively easy," said the report. "Online shopping can be easy and fast, and a final sale often requires just credit card information."

The second most advertised good for sale online is financial account information. The report says financial account information is popular because it allows for someone to withdraw funds directly. The international nature of cybercrime, however, means cybercriminals must get creative when trying to cash out a bank account from another country.

"Since bank accounts can only be cashed out from within the issuing country, criminals may prefer the use of cashiers that specialize in extracting currency from these accounts," the report said. "Such cashiers use a variety of methods to convert the information into true currency, transferring money either through wire transfers or to online currency exchange accounts."

Spam and phishing information ranked third as the most advertised good or service on online criminal forums, but it was the second most requested good or service. According to an article from Consumer Reports quoted by Symantec, phishing attacks cost U.S. businesses and consumers $2.1 billion last year.

Cybercriminals operate on servers located all over the world. According to Symantec, North America ranked first with 46 percent of underground economy servers; followed by Europe, the Middle East, and Africa with 38 percent; then Asia-Pacific with 12 percent; and finally Latin America with 5 percent.

The geographic range of underground servers allows cybercriminals to migrate to lesser known servers when law enforcement closes in on a specific server.

"When ... servers are shut down, users will start new servers or relocated to the most convenient server at that time," the report said. "As a result, the geographic locations of underground economy servers are constantly changing."

Symantec reports that the average lifespan of 98 percent of underground economy servers monitored is less than six months. One server the company monitored had approximately 20,000 channels and 90,000 users

The report also discovered that of all pirated software, computer games rank highest. Computer games accounted for $9.5 billion in retail sales last year as opposed to all other software sold, which brought in $3.3 billion in retail sales.

Symantec says that the online sale of illegal goods and services forms a self-sustaining marketplace.

"The profits can ... build an underground economy business as profits from one exploit can be reinvested and used to hire developers for other scams, used to purchase new malicious code or new phishing toolkits, and so on."

View Recent News (by day)


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.