The Cybercrime Service Economy
Posted by Scott Berinato on February 1, 2008 12:29 PM
Anyone who doubts that internet commerce faces serious threats from online criminals should consider this: Criminal hacking has spawned a full-blown service economy--one that supports growing legions of relatively lower-skilled but fulsomely larcenous hackers.
In the past year, entrepreneurs, many of them based in Russia, have begun to create criminal hacking enterprises aimed not at stealing but at providing services to help others steal. Business has quickly taken off. Per unit of risk--of apprehension, prosecution, and incarceration--enabling online crime pays better than perpetrating it directly. Criminal services entrepreneurs are netting millions of dollars a month. Some experts estimate that, all told, they earned $1.5 billion in 2007.
Last year, two Russians created a subscription-based identity theft service. Rather than steal personal credentials themselves, the two hacked into PCs and then charged clients $1,000 per compromised machine for 30 days of unfettered access. The clients are betting that during the 30-day period (one billing cycle) victims will bank or otherwise submit personal data online.
To offer their subscription service, the hackers contracted with yet another service provider to obtain a sophisticated distribution system for the illicit code, called a bot, that they would use to infect the PCs. That distributor enticed website owners to hide its bot on their sites by promising weekly payments based on the volume of traffic, much the way newspapers are paid by advertisers according to the number of visitors to their websites.
Other service businesses aggregate large networks of compromised computers, called botnets, and rent out portions of their networks for whatever task the client has, perhaps to distribute spam, disable a competitor's website, or infiltrate a firm's network in order to steal intellectual property.
As with any service business, customers willing to pay extra can obtain premium offerings. The two hackers behind the subscription service will "clean up" your data--get rid of low-value information and generate helpful reports itemizing what you've stolen. The botnet rental operations offer ancillary consulting to maximize the effectiveness of your attack; some guarantee specified service levels or your money back.
http://conversationstarter.hbsp.com/2008/02/