
Following the Money In Cybercrime

jbrodkin writes "Five dollars for control over 1,000 compromised email accounts. Eight dollars for a distributed denial-of-service attack that takes down a website for an hour. And just a buck to solve 1,000 captchas. Those are the going rates of cybercrime, the amounts criminals pay other criminals for the technical services necessary to launch attacks. This criminal underground was detailed Wednesday in a highly entertaining talk given by researcher Stefan Savage at the annual Usenix technical conference in Portland, Ore. Savage's research into the economics of cybercrime began as lip service to satisfy the terms of a government grant, but it turned out to be the key to stopping computer attacks. Targeted methods — such as using CAPTCHAs — don't stop criminals, but they add to the cost burden and put the inefficient criminal organizations out of business, letting security researchers focus only on the ones that survive."
This discussion has been archived. No new comments can be posted.

  • by Animats ( 122034 ) on Thursday June 16, 2011 @02:23PM (#36466204) Homepage

    Of course you follow the money. There aren't that many spammers; about three years ago, there seemed to be only about ten unique large-scale spammers. Taking one of them down made a significant dent in spam traffic for a month.

    Junky spam and junky bogus web sites are obsolete, even in the criminal world. The old mindset was to filter out emails and sites that "looked junky". The old "Web Spam Challenge" [lip6.fr] was based on this. They have a big file of pages which humans have classified, by a quick look, as "spam" or "not spam". Five or ten years ago, that sort of worked, because most of the junk sites were really tacky. Phishing sites used to have blatant misspellings. That's history. Today's crooks have good web site production values.

    So you have to dig deeper. On the web spam/bogus web site front, part of the right answer is to find out who's behind the web site and do a background check. (We do that at SiteTruth.com, as I've mentioned before.) Right now, even a superficial check (is there a mailing address on the site? Is it a known phishing site? Do seals of approval check out? Non-junk SSL cert?) is enough to knock out a big fraction of the junk. The deeper checks (is there a business at that address? How long in business? How much revenue last year? What's their business credit rating?) tell us enough to have some confidence about business legitimacy.

    The original article mentions "ordering tons of stuff from phishing scams to trace the path of the money." That's what the FBI should be doing more of. Law enforcement can have accounts created, plug into the credit card system, and watch their credit cards being used in real time. It's hard to do that without law enforcement authority.

  • Re:Like antibiotics (Score:4, Interesting)

    by jellomizer ( 103300 ) on Thursday June 16, 2011 @02:29PM (#36466286)

    Well, not really. Organized Crime grows but it doesn't reproduce well. If one does split, it is often because there are some hot heads who think they can do it better, and take resources away from the other. So we either get One Organization who is strong while the other is weak and will die off soon. Or both will be weakened and both would die off soon. Very rarely would they split into 2 strong units.

    However, what could happen is that with all the small guys going away, there is less competition for the big ones, and then they can monopolize the market... FTC is kinda useless against Organized Crime.

    But if they get too big, it gets harder for them to operate without the law noticing and makes it easier for the law to bring them down.
