Cybercrime Is a Franchise Model That Scales

Journal written by Presto Vivace (882157) and posted by kdawson on Fri Apr 11, 2008 12:08 PM
from the maybe-it-pays-after-all dept.
Presto Vivace notes a report from the RSA conference on the cybercrime economy, and it's not an optimistic one. Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research. "As the panelists explained, a single spam message might be tied to as many as 10 separate organizations and perhaps five suppliers. Every task in the criminal economy has become a separate specialty. Some people sell e-mail lists, others sell lists of compromised IP addresses, there are sellers of credit card numbers, and those who sell access to bot nets. Then there are those who handle product fulfillment for spammers, and those who specialize in laundering money."

Related Stories

Cybercrime Organizational Structures Evolve (70 comments)
An anonymous reader writes "The latest findings of a report explore the trend of loosely organized clusters of attackers trading stolen data online being replaced by hierarchical cybercrime organizations. These organizations deploy sophisticated pricing models, crimeware business models refined for optimal operation, crimeware drop zones, and campaigns for optimal distribution of the crimeware. These cybercrime organizations consist of strict hierarchies, in which each cybercriminal is rewarded according to his position and task."
This discussion has been archived. No new comments can be posted.
  • by Anonymous Coward on Friday April 11 2008, @12:10PM (#23038134)
    One of the big problems the guys in Office Space faced was how to launder their money. They were computer programmers who had no knowledge of the intricacies of money laundering. It's good to see someone recognized the problem and is now providing solutions for those of us who don't know how to launder money ourselves.
    • by CogDissident (951207) on Friday April 11 2008, @12:13PM (#23038170)
      It's not as hard as you think. If you can get the money off-shore (such as an offshore account in the Pacific), and then throw it to a numbered account in a Swiss bank, it's basically done.

      The hard part is getting it out of the country of origin, without it being linked to you as having "left" from you.
      • Re: (Score:3, Funny)

        by Anonymous Coward
        So what you're saying is that it's easy, except for the hard part.
      • The hard part is actually getting back INTO the country. You can charge their Visa card from a bank outside of the USA very easily.

        Once you have a million dollars, you have to bring that money back INTO the US to buy that house and car, and with no legal income, that is what raises a red flag with the IRS, and the FEDS, who monitor all money transactions over $5,000 now (used to be 10k before 911). You can still make the money, but you can't spend it.

        The traditional way is to open a "legit" biz with high
        • Charities need a lot of documentation to function (I'm on the board of a rather large one).

          Corporate purchases are watched pretty carefully, especially offshore stuff. They're actually really easy to track weird spending habits. How often do companies spring up out of nowhere, and suddenly start having hundred thousand dollar offshore contracts every few months (or a hundred thousand spread out over a year, still suspicious).
        • Or keep the money and gamble it at your favorite casino without ever telling them your name. You give them dirty money and even if you lose a percentage, whatever you walk away with is clean money. In fact, it's better to lose some. If you win enough money, they'll make you report it for tax purposes.
    • Funny offtopic story. My wife's aunt was just telling me about how a few weeks ago she thought she was going to jail for laundering money, meaning she ran it through the washer. She really didn't know what it really meant. This is also the same woman that thought people had to wear special shoes on the lower hemisphere so that they didn't fall off the earth.
    • I would assume you just leave it in the pockets on your pants when you launder them...
      • The Russian Mafia is more than happy to help you in your future business endeavors.
        Sorry, not to get too offtopic, but this reminds me of Snow Crash. "Cosa Nostra - You've Got a Friend in the Family"
  • Cut off the source (Score:4, Insightful)

    by pembo13 (770295) on Friday April 11 2008, @12:15PM (#23038188) Homepage
    Kill all bot nets. Seriously. And have companies who sell operating systems take some financial responsibility for future security.
    • by moderatorrater (1095745) on Friday April 11 2008, @12:29PM (#23038366)

      Kill all bot nets. Seriously.
      Agreed, although botnets are a tool, not necessarily a source. They make computing power cheap for the underworld, but everyone here should know that computing power is already cheap. The diversified IP addresses are harder for them to mimic, but not impossible.

      And have companies who sell operating systems take some financial responsibility for future security.
      Absolutely ridiculous. I've heard this before, and I think it makes as much sense as holding the door manufacturer responsible for home break-ins. Microsoft has never claimed to be completely secure and they haven't made any contracts specifying that they should be. They allow other products to work on their platform, and these other products have threatened legal action if Microsoft makes their OS secure (although not in those exact words). It also patches on a regular cycle and it's ultimately a decently secure OS (when you take the patches into consideration).

      The ultimate responsibility for what happens on someone's computer is theirs. There's a lot of hatred for Microsoft floating around here, and for good reason, but holding them responsible because people can't protect their computers in the most rudimentary ways is wrong. It also opens the doors for holding any software responsible for any hacking that occurs on them, even if the user could have prevented it with negligible effort. Considering the state of security in the software industry, that would destroy pretty much every company in existence and set us back 10-20 years.
      • Botnets=83.4 of ALL spam (check Marshal's Trace center) at least measured some days ago. All the other sources of spam are definitely a minority there.

        Microsoft never claimed to be completely secure? Probably all the sale speech for all Microsoft products (since Windows 95 or before) includes some kind of claim regarding security (usually in the form of "this is safe, anything else is not") And probably the security experts aren't the main customer base of Windows, normal people only know that it says that
    • Re:Cut off the source (Score:4, Interesting)

      by Dada Vinci (1222822) on Friday April 11 2008, @12:30PM (#23038378)
      Not all botnets are the fault of insecure operating systems. People who exclaim "Oh, look, somebody I don't know emailed me a file called CutePuppies.exe! I think I'll click on it!" pretty well destroy any sort of security scheme. Vista tried to solve that by preventing users from running programs (under the guise of User Account Control) but that just led to rebellion because people don't want to have to explicitly grant access to every program that wants to read to disk or connect to the Internet. When I install the new Firefox I don't want to have to authorize each and every operation it performs (write to disk, read from disk, connect to Internet, etc).
      • Re: (Score:3, Interesting)

        Not all botnets are the fault of insecure operating systems.

        Not all, but most definitely are:

        - Unpatched Windows XP (and below) PC's
        - patched but already infected Windows PC's
        - patched but rootkitted Windows PC's
        - patched Windows PC's just infected this week with a zero-day exploit.

        So the rest of the botnets would be shared webservers running insecure PHP bulletin boards, and servers running unpatched MS SQL, but these are a tiny fraction.

        As you can see, Microsoft's greed is largely responsible for most of

        • Your plan to force Microsoft to update Windows sounds good as long as Windows is the only operating system with problems. But what happens when a Linux distro has a security hole? (Yes, it can happen.) Who, exactly, does the government force to update it? If it's Ubuntu then it's easy enough, but what about CentOS/Debian? How do you force volunteer developers with a non-hierarchical structure to update code? And do we really want the government to get to define what a "security hole" is? I think there
      • The solution? CutePuppies.exe is not executable. End of discussion.

        If you want to actually execute it, you have to:

        1 - save it to disk
        2 - change its permissions
        3 - then (and only then) execute it.

        It is preferable to force a command line session (terminal window) for step 2, with a "difficult" sequence. Say.. chmod +x CutePuppies.exe. And it should show up on the desktop either...

        No "is this allowed?" dialog. No "please enter your password" dialog. Just.. don't.. execute.. it.

        I would even go so far as to for
  • by name*censored* (884880) on Friday April 11 2008, @12:17PM (#23038210)
    Crime doesn't pay. Pfft.

    BRB, watching to see if the kettle boils.
  • Making money by creating value vs making money by just taking it from other people. Hmm.. what's going to be easier?

    There are after all established concepts of taxes, payday loans and patents that pretty much amount to the same thing.
  • by mrroot (543673) on Friday April 11 2008, @12:18PM (#23038224)
    Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research.

    Crime almost always "pays better" than so-called legitimate work (is crime really considered a profession?) Well I guess you could say it is a part of the problem, but the OTHER part of the problem is the risk of getting caught is too low. It is a risk/reward model. There are other factors in play here too, for example people's morality. Even if there were little risk and great reward, some people have a moral system that would still prohibit them from undertaking a life of crime.
    • by iamacat (583406) on Friday April 11 2008, @12:25PM (#23038314)

      Even if there were little risk and great reward, some people have a moral system that would still prohibit them from undertaking a life of crime.
      But if you think about it, the highest moral system would actually push people into life of crime. There are lots of evil entities that need stealing from (nuclear weapons manufacturing, Bin Laden family in Saudi Arabia, Dick Cheney, Microsoft, RIAA, ...) and lots of hungry children in Africa. It's not immoral to steal from crooks!
      • by mrroot (543673) on Friday April 11 2008, @12:29PM (#23038364)

        But if you think about it, the highest moral system would actually push people into life of crime. There are lots of evil entities that need stealing from (nuclear weapons manufacturing, Bin Laden family in Saudi Arabia, Dick Cheney, Microsoft, RIAA, ...) and lots of hungry children in Africa. It's not immoral to steal from crooks!
        So who decides who is a crook and who is not? I guess you feel like you have a pretty good handle on that, or at least you just rattled off all the names you have been told are crooks. Congratulations, you have conformed.
        • So who decides who is a crook and who is not?

          We The People.

          In the perfect world, we would have a working democracy and organizations like RIAA would be legally disbanded and their money redistributed to their victims (such as artists) or used for worthwhile social programs. Unfortunately, we have a two-party system that stacked the rules to prevent election of grass-root candidates. Truly courageous people should join an uprising to restore working democracy. But in the meantime, stealing some money out of the system to weaken its power can also be

          • We The People.
            Let's see...

            1. Stealing from the "rich", (theoretically).
            2. Giving to the "poor", (theoretically).
            3. Discerned by the angry mob.
            4. Done on the basis that people have a moral right to what other people earn.

            Sounds a lot like Communism to me, and we all know how well that worked out.
        • Obliviously men with small penises or low libido and women with small breasts.

      • When you send money to starving children in Africa, you actually give money to the warlords and corrupt governments profiting off those starving children.

        • Oh really? Even if I actually travel to Africa and personally hand out hot soup in the cities?
      • Robin Hood would steal from the rich to give to the poor. Was this a moral act? Is it only when the rich originally stole from everyone else that it is moral? And what of the poor who were given wealth? Can they save any for a rainy day, or would that make them no longer poor and ineligible for the next payout to the poor from Robin Hood? If poor people constantly spend every cent they receive, whether from assistance or earned to remain poor, is that moral behavior? Can they be faulted if that is ho
        • Re: (Score:3, Interesting)

          According to the UK government my family live well below the poverty line (about two-thirds of a poverty level income), so I feel I can offer some insight!

          >>> Can they save any for a rainy day, or would that make them no longer poor and ineligible for the next payout to the poor from Robin Hood?

          If you're a medieval peasant (probably a serf) given enough money to buy a sack of flour you won't go hungry for a few weeks. You'll still be in need, with more money you could buy vegetables, more still you
        • So do most American citizens believe they should be fined $100K for each MP3 shared on LimeWire? That somebody should take 10% of their hard earned money and use it to kill people half way across the globe? That they shouldn't have an option of voting for a pro-market economy, anti-tax, pro-environment and pro-choice candidate in a presidential election?

          Clearly we lack the mechanism to set consistent rules in "fair, non-authoritarian fashion by a group process".
    • Exactly. Online gambling is illegal here in the states. That has not stopped the huge flow of American companies setting up offshore internet gambling sites and processing the credit cards through various processing houses that happily hide the money flow.

      In fact knowing a lot of this makes you a lot of money consulting people and companies wanting to do such a thing.
    • Crime almost always "pays better" than so-called legitimate work (is crime really considered a profession?)

      Crime really is a profession. The "criminal world" is in reality just the free market at work. There are services that people want performed and there are those who perform the service. Like a lot of laws, most of the computer trespass laws are there to protect stupid/uneducated people from themselves. They are there to protect those people from "being taken advantage of" by others. Of course in

  • Who buys crap from spammers? Even my 84-year-old father (who has a difficult time remembering the "desktop" I'm talking about isn't the table his keyboard is setting on) knows the difference between a spam email and a legitimate one. We all laugh at the garbage they try to sell, and these days pretty much assume it's more likely a scam or an attempt at identity theft. So who the hell are these people who think it's a good idea to respond to the email from Hector McGillicuddy for Viagra?
    • Re: (Score:3, Interesting)

      It probably has less to do with actually selling a particular product than it does with saturation advertising which is designed to bypass the natural mental defenses that people have built up to advertising in general by so completely saturating the mind with brand image, logo, slogan, etc...that when the decision to make a purchase finally does come it is made on an almost subconscious level (i.e. you drop the item in your shopping cart without even thinking about it really). That is the angle that most s
    • I've always wondered this myself. The only theory that I've been able to come up with goes something like this.... The spammers aren't trying to sell products. Even the products that are being sold are often fakes. The real mechanism at work is capturing credit card data. Let's just pretend that for every 1,000,000 spam messages that are sent out, there is 1 that actually makes it through all of the filters and into the email box of someone who thinks, "Gee, I wish I could have lasted longer last night
      • The real mechanism at work is capturing credit card data.

        That's the thing, though... if all they're after is credit card info, why bother with product fulfillment? That's what TFA referred to as one of the parties involved, so there's got to be more to it than just that. And wouldn't credit card companies figure out the statistics pretty quickly if a particular customer of theirs has a really high percentage of credit card numbers that end up being used fraudulently?

        That makes me think that those stealing card numbers and/or personal data aren't bothering with p

  • Economies of scale (Score:3, Informative)

    by Facetious (710885) on Friday April 11 2008, @12:28PM (#23038350) Journal
    The risk/reward concept of crime is complicated by economies of scale. Prior to the Series-Of-Tubes(TM), it was fairly difficult to con more than one person at a time. Now, many high school students have the power to con millions of people across international borders. The potential reward has gone up. The perceived potential of risk has gone down. Thus, cybercrime rises.
  • by Animats (122034) on Friday April 11 2008, @12:31PM (#23038390) Homepage

    We need the FBI Baltimore office [fbi.gov] taken out of the business of distributing child porn and put on this problem. After ten years of work, they've arrested over 6,000 people.

    How many computer criminals have they arrested? The Department of Justice doesn't seem to provide useful statistics [cybercrime.gov], but it looks like the number per year is in the 10-100 range.

    This is backwards, given the relative size of the problems.

    Part of the problem is that the FBI has a measurement bias against white-collar crime. See the FBI Crime Statistics [fbi.gov] page. Violent crimes are counted if they are reported; white collar crimes are only counted if there's an arrest.

    • Money is immaterial to government organizations like the FBI so long as there is enough to pay salaries and fund organizational needs. Beyond that these organizations exist in the political realm where the success is measured and rewards doled out based upon achievement of political objectives and saving money or spending the money of the taxpayers wisely is pretty far down the list of political priorities in most government organizations. Besides, if you spend less money then you get a hand shake for comin
  • The article seems to say that crime pays, and better (at least if you live in Romania or do security research for the bad guys) and that basically there is no punishment. That looks like a call to arms for a new generation of scrip... I mean, spam kiddies.

    Not sure how much it will scale before reaching some kind of saturation point. There are some numbers that cut in some way the amount of players in the field (like 50% of all internet spam coming from just one botnet, or malware removing other kind of malwar
  • The best we have from a judge — just quoted in a different article-submission [slashdot.org] is:

    It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer.

    Awesome, judge, let's leave the judging to the demos... "Community standards", anyone?

    Heck, according to my Firefox (2.0.0.13, thank you very much) spell-checker, the very word "spammer" does not even exist — much less legally defined. (Well, the word "firefox" does not exist e

  • Not just cyber (Score:3, Interesting)

    by sm62704 (957197) on Friday April 11 2008, @12:45PM (#23038512) Journal
    They keep parroting that "crime doesn't pay" but it obviously DOES pay, and it pays well. Most crimes are not solved. Most criminals are not caught - only the stupid ones and the unlucky ones get caught.

    In fact, society should be damned glad that most slashdotters are honest and have conscienses (no that's not spelled right, so jail me) because if most of us were dishonest we could do one hell of a lot of damage!

    Sometimes I wish I could be dishonest, I'd be a rich man. But it's just not in my nature.
  • by Bob9113 (14996) on Friday April 11 2008, @12:47PM (#23038534) Homepage
    Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research.

    Another part of the problem is that our cyber enforcement budget leans heavily toward pornography, gambling, and copyright.

    Yet another part is that corporations and politicians are unwilling to kill their fatted calf that is "legitimate" UCE.
  • "Location, location, location!"

    In this case...online. Don't forget to get an easy to remember .com address! I was telling someone about a website of mine last night, that ends in '.info', and they put a '.com' after the .info! Urg.
  • I am a recovering "security professional". After an eye-opening experience long ago where I realized that I knew at least as much as the experts. So I managed to do pretty well for myself during the boom years. Then ran screaming from the Real World and goofed off with a few consulting gigs to keep me from being completely retired.

    Those gigs were rarely happy ones. I came to the conclusion that there is no adequate technical solution to the security problem. Arguing that any given platform (Mac OS X, L
    • Re: (Score:3, Informative)

      I've actually tried, out of curiosity, to order something. I rarely get to a working web page, let alone an order form. Sometimes you'll see a 1800 number. Many times you'll just be redirected to a page full of ads.