Cybercrime Paying Well, Growing Strong

As the legitimate economy careens toward a recession, a new study by Symantec shows one area that’s seemingly immune to the downturn–cybercrime.

Symantec’s study was performed over a yearlong period where the security giant spied on a number of digital underground forums. The underground economy seems to be made up of a number of loosely connected individuals and some organized groups, according to the report.

The stolen goods and fraud-related services market has boomed of late, and Symantec estimates the combined value of goods in underground forums was about $276 million from June 2007 to June 2008.

For security solution providers and Symantec channel partners, the Symantec studies are one more weapon they can use to educate their customers about the threats and challenges that exist, says Dean Turner, Director of Symantec’s Global Intelligence network, and help customers choose solutions that protect them from threats like data loss or theft, identity theft and phishing scams.

“Our research helps our partners educate their customers by demonstrating the scope of the issues and exactly what’s at stake, which is part of the education process whether they’re talking to corporate customers, government customers or anyone else,” Turner says.

While for most end-users, the idea of an ‘underground economy’ evokes images of secret, clandestine dealings and shadowy figures, the truth is that much of these cybercrimes are occurring right under the noses of average citizens.

Turner says many of these transactions are conducted using public Internet Relay Chat (IRC) servers and a number of specific techniques designed to catch the eyes of like-minded buyers and sellers.

“It’s not like we broke into any secret channels – these things are happening on public IRC servers! These criminals are hiding in plain sight,” Turner says.

Cybercriminals use a number of techniques to advertise their wares, such as multicolored text, the capitalization certain words and repetition of sales pitches to help their sales offers to stand out from the crowd. Sometimes sellers request very specific goods and services, for example, credit cards from a named country, Symantec adds. The millions leeched from the legitimate economy are most often reinvested into even more online scams.

Credit card data made up about 31 percent of the advertised sales recorded by the Symantec study. These stolen credit card numbers sold for anywhere between 10 cents and $25 per card, with the average stolen credit card limit coming in at around $4,000. Credit card information is often sold to fraudsters in job lots, with discounts for large purchases.

Login details for online accounts were also popular as the second most commonly offered commodity for sale. Stolen login details were offered for anything between $10 and $1,000, depending on the balance available and the location of users’ compromised accounts. The average balance of these accounts was around $40,000, according to Symantec.

Other items cybercriminals offered for sale included e-mail accounts, pirated computer games and application software, and those were paid for using online currency accounts, according to the report.

Underground forums also provide a thriving marketplace for all forms of hacking tools and service. Botnets, or networks of compromised PCs, can be bought for an average of $225. Phishing scam hosting services range from $2 and $80. Keystroke logger prices came in at around $23. Site-specific exploits of financial sites were far more lucrative, averaging $740 per site hit, and prices ranging from $100 to $2,999.

As the underground economy becomes more efficient and effective, it often mimics the business practices of legitimate firms. Symantec’s research showed that online fraudsters are even making use of outsourcing, as North American cybercriminals are using Eastern European suppliers for goods and services like malware creation and ATM skimming kits.

While the geographical location of cybercrime servers is constantly in flux as cybercriminals try to stay one step ahead of law enforcement, North America still leads the pack as the location of 45 percent of cybercrime servers. Europe, however, is gaining with 38 percent of servers located there. Twelve percent of systems were scattered around the Asia-Pacific region and 5 percent were located in Latin America, according to Symantec.