Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

Cybercrime Is a Franchise Model That Scales 100

Presto Vivace notes a report from the RSA conference on the cybercrime economy, and it's not an optimistic one. Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research. "As the panelists explained, a single spam message might be tied to as many as 10 separate organizations and perhaps five suppliers. Every task in the criminal economy has become a separate specialty. Some people sell e-mail lists, others sell lists of compromised IP addresses, there are sellers of credit card numbers, and those who sell access to bot nets. Then there are those who handle product fulfillment for spammers, and those who specialize in laundering money."
This discussion has been archived. No new comments can be posted.

Cybercrime Is a Franchise Model That Scales

Comments Filter:
  • by Anonymous Coward on Friday April 11, 2008 @12:10PM (#23038134)
    One of the big problems the guys in Office Space faced was how to launder their money. They were computer programmers who had no knowledge of the intricacies of money laundering. It's good to see someone recognized the problem and is now providing solutions for those of us who don't know how to launder money ourselves.
    • by CogDissident ( 951207 ) on Friday April 11, 2008 @12:13PM (#23038170)
      Its not as hard as you think. If you can get the money off-shore (such as an offshore account in the pacific), and then throw it to a numbered account in a swiss bank, its basically done.

      The hard part is getting it out of the country of origin, without it being linked to you as having "left" from you.
      • Re: (Score:3, Funny)

        by Anonymous Coward
        So what you're saying is that it's easy, except for the hard part.
        • So what you're saying is that it's easy, except for the hard part.

          Ha ha ha, that's funny, and whee ae the mods at?

      • The hard part is actually getting back INTO the country. You can charge their visa card from a bank outside of the USA very easily.

        Once you have a million dollars, you have to bring that money back INTO the US to buy that house and car, and with no legal income, that is what raises a red flag with the IRS, and the FEDS, who monitor all money transactions over $5,000 now (used to be 10k before 911). You can still make the money, but you can't spend it.

        The traditional way is to open a "legit" biz with high
      • by redxxx ( 1194349 )

        The hard part is getting it out of the country of origin, without it being linked to you as having "left" from you.
        The money is coming out of a black global economy, so you shouldn't really have to worry about getting the money out of the country. Just have the folks sending you the money send it directly to a country with friendly banking laws. You don't need to 'touch' it.
    • The Russian Mafia is more than happy to help you in your future business endeavors.
      • The Russian Mafia is more than happy to help you in your future business endeavors.
        Sorry, not to get too offtopic, but this reminds me of Snow Crash. "Cosa Nostra - You've Got a Friend in the Family"
    • Funny offtopic story. My wife's aunt was just telling me about how a few weeks ago she thought she was going to jail for laundering money, meaning she ran it through the washer. She really didn't know what it really meant. This is also the same woman that thought people had to wear special shoes on the lower hemisphere so that they didn't fall off the earth.
    • I would assume you just leave it in the pockets on your pants when you launder them...
    • Office Space was trying to deal with too much money. Greed'll kill ya.

      Personally, I'd want my ill-gotten gains to be sufficiently small that no one would notice. I have a life and a job. If I had some criminal enterprise on the side, I'd want it to be just big enough to keep me with a couple of grand in my pockets all the time. Then I could buy pretty much anything I wanted any old time without being noticed. A new target pistol? A night on the town? Expensive car repairs? A new flat-panel? A new m
  • Cut of the source (Score:4, Insightful)

    by pembo13 ( 770295 ) on Friday April 11, 2008 @12:15PM (#23038188) Homepage
    Kill all bot nets. Seriously. And have companies who sell operating system take some financial responsibility for future security.
    • by moderatorrater ( 1095745 ) on Friday April 11, 2008 @12:29PM (#23038366)

      Kill all bot nets. Seriously.
      Agreed, although botnets are a tool, not necessarily a source. They make computing power cheap for the underworld, but everyone here should know that computing power is already cheap. The diversified IP addresses is harder for them to mimic, but not impossible.

      And have companies who sell operating system take some financial responsibility for future security.
      Absolutely ridiculous. I've heard this before, and I think it makes as much sense as holding the door manufacturer responsible for home break ins. Microsoft has never claimed to be completely secure and they haven't made any contracts specifying that they should be. They allow other products to work on their platform, and these other products have threatened legal action if Microsoft makes their OS secure (although not in those exact words). It also patches on a regular cycle and it's ultimately a decently secure OS (when you take the patches into consideration).

      The ultimate responsibility for what happens on someone's computer is theirs. There's a lot of hatred for Microsoft floating around here, and for good reason, but holding them responsible because people can't protect their computers in the most rudimentary ways is wrong. It also opens the doors for holding any software responsible for any hacking that occurs on them, even if the user could have prevented it with negligible effort. Considering the state of security in the software industry, that would destroy pretty much every company in existence and set us back 10-20 years.
      • by gmuslera ( 3436 )
        Botnets=83.4 of ALL spam (check Marshal's Trace center) at least measured some days ago. All the other sources of spam are definately a minority there.

        Microsoft never claimed to be completely secure? Probably all the sale speech for all Microsoft products (since windows 95 or before) includes some kind of claim regarding security (usually in the form of "this is safe, anything else is not") And probably the security experts aren't the main customer base of Windows, normal people only know that it says that
      • by SamSim ( 630795 )

        that would set us back 10-20 years.

        Great, so there'd be almost no cybercrime!

      • Absolutely ridiculous. I've heard this before, and I think it makes as much sense as holding the door manufacturer responsible for home break ins.

        It's more like holding a lock-maker responsible if their locks are faulty.

        The ultimate responsibility for what happens on someone's computer is theirs. There's a lot of hatred for Microsoft floating around here, and for good reason, but holding them responsible because people can't protect their computers in the most rudimentary ways is wrong.

        It should

      • And have companies who sell operating system take some financial responsibility for future security.

        Absolutely ridiculous. I've heard this before, and I think it makes as much sense as holding the door manufacturer responsible for home break ins.

        Hyperbole notwithstanding, anyone can make a door and reasonably assess the security of a door themselves. Not everyone can make an operating system and reasonably assess the security of an operating system.

        Confusing a door, which any idiot can make in an afternoon

    • Re:Cut of the source (Score:4, Interesting)

      by Dada Vinci ( 1222822 ) on Friday April 11, 2008 @12:30PM (#23038378)
      Not all botnets are the fault of insecure operating systems. People who exclaim "Oh, look, somebody I don't know emailed me a file called CutePuppies.exe! I think I'll click on it!" pretty well destroy any sort of security scheme. Vista tried to solve that by preventing users from running programs (under the guise of User Account Control) but that just led to rebellion because people don't want to have to explicitly grant access to every program that wants to read to disk or connect to the Internet. When I install the new Firefox I don't want to have to authorize each and every operation it performs (write to disk, read from disk, connect to Internet, etc).
      • Re: (Score:3, Interesting)

        Not all botnets are the fault of insecure operating systems.

        Not all, but most definitely are:

        - Unpatched Windows XP (and below) PC's
        - patched but already infected Windows PC's
        - patched but rootkitted Windows PC's
        - patched Windows PC's just infected this week with a zero-day exploit.

        So the rest of the botnets would be shared webservers running insecure PHP bulletin boards, and servers running unpatched MS SQL, but these are a tiny fraction.

        As you can see, Microsoft's greed is largely responsible for most of

        • Your plan to force Microsoft to update Windows sounds good as long as Windows is the only operating system with problems. But what happens when a Linux distro has a security hole? (Yes, it can happen.) Who, exactly, does the government force to update it? If it's Ubuntu then it's easy enough, but what about CentOS/Debian? How do you force volunteer developers with a non-heirarchical structure to update code? And do we really want the government to get to define what a "security hole" is? I think there
          • But what happens when a Linux distro has a security hole?

            It has already happened, and not only with distros, but with Apache and the Linux Kernel as well. What happens? Simple. It's quickly discovered, and then patched within a day :)
            • It has already happened, and not only with distros, but with Apache and the Linux Kernel as well. What happens? Simple. It's quickly discovered, and then patched within a day :)

              So what? It's the same problem you have with Microsoft stuff. The patches come out quick enough, it's just that people don't patch their systems or keep them up to date and that's how they get infected.
      • Re: (Score:3, Funny)

        by ratboy666 ( 104074 )
        The solution? CutePuppies.exe is not executable. End of discussion.

        If you want to actually execute it, you have to:

        1 - save it to disk
        2 - change its permissions
        3 - then (and only then) execute it.

        It is preferable to force a command line session (terminal window) for step 2, with a "difficult" sequence. Say.. chmod +x CutePuppies.exe. And it should show up on the desktop either...

        No "is this allowed?" dialog. No "please enter your password" dialog. Just.. don't.. execute.. it.

        I would even go so far as to for
  • by name*censored* ( 884880 ) on Friday April 11, 2008 @12:17PM (#23038210)
    Crime doesn't pay. Pfft.

    BRB, watching to see if the kettle boils.
  • Making money by creating value vs making money by just taking it from other people. Hmm.. what's going to easier?

    There are after all established concepts of taxes, payday loans and patents that pretty much amount to the same thing.
    • What !? How are payday loans theft ?
      • Legally they aren't. In theory they don't have to be. In practice they pretty much are. The pay day loan industry is predatory beyond belief, victimizing the poorest and least educated members of society. Unfortunately in most states there isn't actually a LAW against convincing some poor schmuck with a middle school education that a loan with an effective interest rate of 25-50% a week is in his best interest.
  • by mrroot ( 543673 ) on Friday April 11, 2008 @12:18PM (#23038224)
    Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research.

    Crime almost always "pays better" than so-called legitimate work (is crime really considered a profession?) Well I guess you could say it is a part of the problem, but the OTHER part of the problem is the risk of getting caught is too low. It is a risk/reward model. There are other factors in play here too, for example people's morality. Even if there were little risk and great reward, some people have a moral system that would still prohibit them from undertaking a life of crime.
    • by iamacat ( 583406 ) on Friday April 11, 2008 @12:25PM (#23038314)

      Even if there were little risk and great reward, some people have a moral system that would still prohibit them from undertaking a life of crime.
      But if you think about it, the highest moral system would actually push people into life of crime. There are lots of evil entities that need stealing from (nuclear weapons manufacturing, Bin Laden family in Saudi Arabia, Dick Cheney, Microsoft, RIAA, ...) and lots of hungry children in Africa. It's not immoral to steal from crooks!
      • by mrroot ( 543673 ) on Friday April 11, 2008 @12:29PM (#23038364)

        But if you think about it, the highest moral system would actually push people into life of crime. There are lots of evil entities that need stealing from (nuclear weapons manufacturing, Bin Laden family in Saudi Arabia, Dick Cheney, Microsoft, RIAA, ...) and lots of hungry children in Africa. It's not immoral to steal from crooks!
        So who decides who is a crook and who is not? I guess you feel like you have a pretty good handle on that, or at least you just rattled off all the names you have been told are crooks. Congratulations, you have conformed.
        • by iamacat ( 583406 )

          So who decides who is a crook and who is not?

          We The People.

          In the perfect world, we would have a working democracy and organizations like RIAA would be legally disbanded and their money redistributed to their victims (such as artists) or used for worthwhile social programs. Unfortunately, we have a two-party system that stacked the rules to prevent election of grass-root candidates. Truly courageous people should join an uprising to restore working democracy. But in the meantime, stealing some money out of the system to weaken it's power can also be

          • by JordanL ( 886154 )

            We The People.
            Let's see...

            1. Stealing from the "rich", (theoretically).
            2. Giving to the "poor", (theoretically).
            3. Discerened by the angry mob.
            4. Done on the basis that people have a moral right to what other people earn.

            Sounds a lot like Communism to me, and we all know how well that worked out.
        • Obliviously men with small penises or low libido and women with small breasts.

        • Wait, you seemingly attempted to ridicule this guy without offering your own opinion on what makes a crook a crook.

          Mine: An individual or corporate entity that lies, cheats, and swindles for their own gain. Not just to the detriment of "society", but an individual as well.

          Based on my definition it seems his list hits the nail on the head. Microsoft is already a convicted monopolist. RIAA has gotten quite a few slaps in court for trying shifty tactics. Dick Cheney, enough has been proffered on this forum abo
      • by Lumpy ( 12016 )
        when you send money to starving children in africa. you actually give money to the warlords and corrupt governments profiting off those starving children.

        • by iamacat ( 583406 )
          Oh really? Even if I actually travel to Africa and personally hand out hot soup in the cities?
          • Re: (Score:1, Troll)

            by mi ( 197448 )

            Oh really? Even if I actually travel to Africa and personally hand out hot soup in the cities?

            Yes, even then. By feeding their populace, you'll be freeing the warlords from having to concern themselves with, you know, governing the country. From providing the food, to education, to building and maintaining roads, all the way up to the monetary policy... You are likely one of the voices in the chorus condemning Bush for spending too much on Iraq "instead of helping social programs". Now imagine, if some ub

      • Robin Hood would steal from the rich to give to the poor. Was this a moral act? Is it only when the rich originally stole from everyone else that it is moral? And what of the poor who were given wealth? Can they save any for a rainy day, or would that make them no longer poor and ineligible for the next payout to the poor from Robin Hood? If poor people constantly spend every cent they receive, whether from assistance or earned to remain poor, is that moral behavior? Can they be faulted if that is ho
        • Re: (Score:3, Interesting)

          by pbhj ( 607776 )
          According to the UK government my family live well below the poverty line (about two-thirds of a poverty level income), so I feel I can offer some insight!

          >>> Can they save any for a rainy day, or would that make them no longer poor and ineligible for the next payout to the poor from Robin Hood?

          If you're a medieval peasant (probably a serf) given enough money to buy a sack of flour you won't go hungry for a few weeks. You'll still be in need, with more money you could buy vegetables, more still you
    • by Lumpy ( 12016 )
      Exactly. Online gambling is illegal here in the states. That has not stopped the huge flow of american companies setting up offshore internet gambling sites and processing the credit cards through various processing houses that happily hide the money flow.

      In fact knowing a lot of this makes you a lot of money consulting people and companies wanting to do such a thing.
    • by dave562 ( 969951 )
      Crime almost always "pays better" than so-called legitimate work (is crime really considered a profession?)

      Crime really is a profession. The "criminal world" is in reality just the free market at work. There are services that people want performed and there are those who perform the service. Like a lot of laws, most of the computer trespass laws are there to protect stupid/uneducated people from themselves. They are there to protect those people from "being taken advantage of" by others. Of course in

  • Then there are those who handle product fulfillment for spammers

    Wait, those spam messages are actually selling something? I always just thought that it was a ruse to get your CC info.
    • Re: (Score:3, Informative)

      by sco08y ( 615665 )
      I've actually tried, out of curiosity, to order something. I rarely get to a working web page, let alone an order form. Sometimes you'll see a 1800 number. Many times you'll just be redirected to a page full of ads.
  • Who buys crap from spammers? Even my 84-year old father (who has a difficult time remembering the "desktop" I'm talking about isn't the table his keyboard is setting on) knows the difference between a spam email and a legitimate one. We all laugh at the garbage they try to sell, and these days pretty much assume it's more likely a scam or an attempt at identity theft. So who the hell are these people who think it's a good idea to respond to the email from Hector McGillicuddy for Viagra?
    • Re: (Score:3, Interesting)

      by CodeBuster ( 516420 )
      It probably has less to do with actually selling a particular product than it does with saturation advertising which is designed to bypass the natural mental defenses that people have built up to advertising in general by so completely saturating the mind with brand image, logo, slogan, etc...that when the decision to make a purchase finally does come it is made on an almost subconscious level (i.e. you drop the item in your shopping cart without even thinking about it really). That is the angle that most s
    • by dave562 ( 969951 )
      I've always wondered this myself. The only theory that I've been able to come up with goes something like this.... The spammers aren't trying to sell products. Even the products that are being sold are often fakes. The real mechanism at work is capturing credit card data. Lets just pretend that for every 1,000,000 spam messages that are sent out, there is 1 that actually makes it through all of the filters and into the email box of someone who thinks, "Gee, I wish I could have lasted longer last night
      • The real mechanism at work is capturing credit card data.

        That's the thing, though... if all they're after is credit card info, why bother with product fulfillment? That's what TFA referred to as one of the parties involved, so there's got to be more to it than just that. And wouldn't credit card companies figure out the statistics pretty quickly if a particular customer of theirs has a really high percentage of credit card numbers that end up being used fraudulently?

        That makes me think that those stealing card numbers and/or personal data aren't bothering with p

    • So who the hell are these people who think it's a good idea to respond to the email from Hector McGillicuddy for Viagra?

      Addicts, usually.

      When Chris "Rizler" Smith was convicted and sentenced to 30 years in prison for his numerous crimes (among them, pharmacy spamming and money laundering,) court transcripts showed that he routinely spammed known repeat addicts of controlled substances. This was his prime target market.

      Not everybody is purchasing their meds from criminal spam operations. But people who have

  • WTF? (Score:1, Funny)

    by Anonymous Coward
    I clicked the link for the article and all I got was a giant full screen xerox advertisement. I guess there is supposed to be an article of some kind?
    • Damnit, I clicked the link looking for a fullscreen xerox ad, and all I got was this lousy article:

      The Cybercrime Economy
      Posted by Thomas Claburn, Apr 9, 2008 08:33 PM

      Dot-coms daunted by the financial downturn would be well advised to look to the cybercrime economy.

      Cybercriminals "have very sound business models," said Joe St Sauver, manager of Internet2 Security Programs through the University of Oregon at an RSA Conference panel on Wednesday, "better than many corporate business plans I routinely see."

      The
      • A typical scam: They're wired money and asked to send out a lesser amount via Western Union. Only later do they learn that wire transfers can be reversed, whereas Western Union money transfers are irrevocable.

        And they're taking advantage of the victim's greed. His desire to participate in the scam. I mean, they typically do this under the pretense of laundering money, so the victims aren't exactly blameless in many of these scams.

        The question is, should we then protect the victims? People who were so wil

  • Economies of scale (Score:3, Informative)

    by Facetious ( 710885 ) on Friday April 11, 2008 @12:28PM (#23038350) Journal
    The risk/reward concept of crime is complicated by economies of scale. Prior to the Series-Of-Tubes(TM), it was fairly difficult to con more than one person at a time. Now, many high school students have the power to con millions of people across international borders. The potential reward has gone up. The perceived potential of risk has gone down. Thus, cybercrime rises.
  • by Animats ( 122034 ) on Friday April 11, 2008 @12:31PM (#23038390) Homepage

    We need the FBI Baltimore office [fbi.gov] taken out of the business of distributing child porn and put on this problem. After ten years of work, they've arrested over 6,000 people.

    How many computer criminals have they arrested? The Department of Justice doesn't seem to provide useful statistics [cybercrime.gov], but it looks like the number per year is in the 10-100 range.

    This is backwards, given the relative size of the problems.

    Part of the problem is that the FBI has a measurement bias against white-collar crime. See the FBI Crime Statistics [fbi.gov] page. Violent crimes are counted if they are reported; white collar crimes are only counted if there's an arrest.

    • Money is immaterial to government organizations like the FBI so long as there is enough to pay salaries and fund organizational needs. Beyond that these organizations exist in the political realm where the success is measured and rewards doled out based upon achievement of political objectives and saving money or spending the money of the taxpayers wisely is pretty far down the list of political priorities in most government organizations. Besides, if you spend less money then you get a hand shake for comin
  • The article seem to say that crime pays, and better (at least if you live in Romania or do security research for the bad guys) and that basically there is no punishment. That look like a call to arms for a new generation of scrip... i mean, spam kiddies.

    Not sure how much it will scale before reaching some kind of saturation point. There are some numbers that cut in some way the amount of players in the field (like 50% of all internet spam coming from just one botnet, or malware removing other kind of malwar
  • The best we have from a judge — just quoted in a different article-submission [slashdot.org] is:

    It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer.

    Awesome, judge, let's leave the judging to the demos... "Community standards", anyone?

    Heck, according to my Firefox (2.0.0.13, thank you very much) spell-checker, the very word "spammer" does not even exist — much less legally defined. (Well, the word "firefox" does not exist e

  • Not just cyber (Score:3, Interesting)

    by sm62704 ( 957197 ) on Friday April 11, 2008 @12:45PM (#23038512) Journal
    They keep parroting that "crime doesn't pay" but it obviously DOES pay, and it pays well. Most crimes are not solved. Most criminals are not caught - only the stupid ones and the unlucky ones get caught.

    In fact, society should be damned glad that most slashdotters are honest and have conscienses (no that's not spelled right, so jail me) because if most of us were dishonest we could do one hell of a lot of damage!

    Some times I wish I could be dishonest, I'd be a rich man. But it's just not in my nature.
    • it never developed because you happen to be naturally better at things which didn't require it.

      CASE STUDY: Matt Dillon

      My brother own's a bar frequented by Matt Dillion, the mult-millionaire, super-naturally gorgeous, very famous actor. And he's never seen anyone so utterly terrible at picking up girls. Why? Because he's never *had* to be good at chatting up girls, he's been a movie star since he hit puberty. If he'd needed to learn how to chat up girls, he'd have learned.

      You're bad at being dishonest for th
      • by sm62704 ( 957197 )
        I don't know, maybe you're right, but I've been dirt-poor during periods in my life and never resorted to dishonesty. OTOH I know people who were born with money who steal for the hell of it.

        Tami (AKA "Lucy Furr", she's in some of my journals) is one of those. Of course, her whole family is dishonest (and monied) from what I hear.

        There's another woman I know (also in the journals), Casey, who's a crack whore despite being born into money. You just never know.
    • only the stupid ones and the unlucky ones get caught.
      Not only do the stupid and unlucky ones get caught, we incarcerate them and pay to keep them alive. It seems like these people are more likely to escape the gene pool if we simply take the labels off things.
      • by sm62704 ( 957197 )
        Ah, but there's the fallacy. They reproduce at a much greater rate than you or I do. Evolution is about reproduction.

        I have two kids, Linda has 15 counting the one that died. She beats me at the genetic olympics. She just got out of prison 2 months ago.
  • by Bob9113 ( 14996 ) on Friday April 11, 2008 @12:47PM (#23038534) Homepage
    Part of the problem is that in many places cybercrime pays much better than legitimate work, including security research.

    Another part of the problem is that our cyber enforcement budget leans heavily toward pornography, gambling, and copyright.

    Yet another part is that corporations and politicians are unwilling to kill their fatted calf that is "legitimate" UCE.
  • "Location, location, location!"

    In this case...online. Don't forget to get an easy to remember .com address! I was telling someone about a website of mine last night, that ends in '.info', and they put a '.com' after the .info! Urg.
  • Perhaps one should credit the success and scaling capacity with the inherent decentralization of the organized crime network discussed in the post. I recently read The Starfish and the Spider [amazon.com] and the organized crime network seems to closely mirror a self healing, mostly decentralized network of peers as described in the book. If one person in the network described in the article is caught another takes his/her place with perhaps even more people. Kind of a fascinating dynamic.

    Makes me glad the author of t

  • I am a recovering "security professional". After an eye-opening experience long ago where I realized that I knew at least as much as the experts. So I managed to do pretty well for myself during the boom years. Then ran screaming from the Real World and goofed off with a few consulting gigs to keep me from being completely retired.

    Those gigs were rarely happy ones. I came to the conclusion that there is no adequate technical solution to the security problem. Arguing that any given platform (Mac OS X, L
  • This is capitalism at work! I don't understand the problem. Doesn't everyone know that capitalism is the world's best system of government and that we fought (and are fighting) wars to force everyone to this system. We should be celebrating--"Capitalism works in poor countries!"

    Our politicians don't get any spam. (The ones, that is, who actually own a computer.) Cybercrime is not their problem. Let the market figure out a solution.

    "Yeah!"

  • I'll give you the list[1] right now. Here's the pseudocode that will give it to you:

    for A = 0 to 255
      for B = 0 to 255
        for C = 0 to 255
          for D = 0 to 255
            print A.B.C.D
          next
        next
      next
    next







    [1] List may contain some non-compromised machines

Keep up the good work! But please don't ask me to help.

Working...