Following the Money In Cybercrime
jbrodkin writes "Five dollars for control over 1,000 compromised email accounts. Eight dollars for a distributed denial-of-service attack that takes down a website for an hour. And just a buck to solve 1,000 captchas. Those are the going rates of cybercrime, the amounts criminals pay other criminals for the technical services necessary to launch attacks. This criminal underground was detailed Wednesday in a highly entertaining talk given by researcher Stefan Savage at the annual Usenix technical conference in Portland, Ore. Savage's research into the economics of cybercrime began as lip service to satisfy the terms of a government grant, but it turned out to be the key to stopping computer attacks. Targeted methods — such as using CAPTCHAs — don't stop criminals, but they add to the cost burden and put the inefficient criminal organizations out of business, letting security researchers focus only on the ones that survive."
Like antibiotics (Score:3)
Re: (Score:1)
Re: (Score:3)
Antibiotics are often given as a preventative, and in many cases for livestock are continually given from birth to death as a preventative.
Re: (Score:2)
You don't get it, it has to be a car analogy. Like so;
Instead of continually patching up your car, get one that was built to last.
Re: (Score:2)
Re: (Score:2)
Taking vitamin supplements is for suckers, hippies and weirdos.
There's no evidence they do anything for people with even a halfway normal diet. In fact taking too much of some vitamins is actively bad for you.
The vitamin industry, of course, resists all attempts to make them validate their claims or do full testing, instead relying on superstition and handwaving.
There's a reason the supplement advertisers were made to add small print to all their advertising material in the UK - "Dietary Supplements MAY be b
Re: (Score:2)
Re: (Score:2)
by creating orphan members of the closed organization who out of will to survive create their own organizations using past knowledge to protect themselves and their organization where their previous organization failed. just because an organization is vulnerable to being shut down doesn't mean the individuals of the organization are also vulnerable to never being allowed to start up again.
I was being sarcastic... I guess that was subtle for the internets.
That said, I was just thinking along the lines of "Eliminate the inefficient organizations and that just means more business for the efficient ones, who will invest that added income better."
Re:Like antibiotics (Score:4, Interesting)
Well, not really. Organized crime grows but it doesn't reproduce well. If one does split, it is often because there are some hotheads who think they can do it better, and take resources away from the other. So we either get one organization that is strong while the other is weak and will die off soon, or both will be weakened and both will die off soon. Very rarely would they split into two strong units.
However, what could happen is that with all the small guys going away, there is less competition for the big ones, and then they can monopolize the market... The FTC is kinda useless against organized crime.
But if they get too big, it gets harder for them to operate without the law noticing, and makes it easier for the law to bring them down.
Re:Like antibiotics (Score:5, Insightful)
However, what could happen is that with all the small guys going away, there is less competition for the big ones, and then they can monopolize the market...
Do these guys really compete at all?
I've never seen shoplifters or burglars compete. There are simply too many soft targets out there.
But the rest of your analysis is otherwise pretty good, and the reduction of organizations might be mostly in the script kiddie market, with the few really good (bad) organizations being pretty much unaffected.
When the truth emerges about the current deluge of hackers it will probably be a huge mob of semi-literate kiddies running scripts and purchased hacks, mostly for harassment and diversion of government resources while the big boys break into money pits or marketable secret information sites.
While the harassment and DoSing have been with us for some time, the tempo has been ramped up. Why are these people concentrating on government agencies like the FBI? My guess is they are being organized to act as a diversion by other governmental agencies or those guys after the big bucks. Maybe Iran is getting back at the west for wrecking their centrifuges. Who knows.
Personally I suspect it's the same organizations helping themselves to the money and their government employers to the secrets.
Re: (Score:2)
Re: (Score:2)
Black markets are part of economics, not exceptions to it. Black markets follow economic theory quite well; they often exist when government regulation messes with demand for a product or service. For example, one of the largest black markets in New York State is unpasteurized milk. No, that isn't slang for anything; it is cow's milk that hasn't been through the pasteurizing or homogenization process. People will pay a lot more for this because there is a limited supply and they can only get it through the Black
Cheap Enough, But ... (Score:5, Insightful)
Re: (Score:3, Funny)
I pay using credit cards. Not my own, though.
Re: (Score:2)
Seems AC is making up stories.
If you had someone else's credit card, why not just give it to the supplier in exchange for the hack, and let them sell it on to someone else rather than trigger a transaction that leaves a paper trail?
Re: (Score:2)
Because stolen credit cards can't be used once they are cancelled.
Re: (Score:2)
Wire transfer?
Re: (Score:2)
One time use credit card? Money order? A competent bank could create a temporary account for a wire transfer.
Re: (Score:3)
Re: (Score:3)
That's why you should pay them in Beenz. No one is going to want to steal them.
Re: (Score:3)
Better yet, how much for them to mine bitcoins for you? They can pay themselves with 30% of the mining...
Re: (Score:3)
You pay these companies through web money accounts, which are effectively the same as cash. These transactions are usually non-reversible and run through companies like Western Union or Liberty Reserve. Credit cards are a completely worthless form of payment on those sites, and they recognize that.
Re: (Score:2)
Western union? Warcraft Gold?
Re: (Score:1)
Re: (Score:2)
Wow! (Score:5, Funny)
Re: (Score:2)
Economics (Score:5, Insightful)
Re: (Score:3)
Re:Economics (Score:4, Insightful)
Re: (Score:3)
Re: (Score:2)
Most people are too immature in basic high school to understand Economics -- at least to a useful level. And they are too concerned with tagging their photos in Facebook to care...
I'd be careful about casting stones, plenty of people posting on Slashdot don't even understand supply and demand.
Re: (Score:2)
Dunno, my high school required basic Econ to graduate. This was back in the '80s.
Re:Economics (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
But any rational person realizes that George H.W. Bush was quite correct in calling Reagan's version of economics out as "voodoo economics".
Re: (Score:2)
Freakonomics (Score:5, Insightful)
I don't know if you've read Freakonomics or not but that is basically the premise of the entire book(s). There are economics in everything, people respond to incentives and if you set up your incentives properly you'll get the result you desire. Fail to properly incentivize people and you can get all sorts of interesting results. I particularly like the Israeli Day Care example.
Re: (Score:2)
Re: (Score:2)
No they won't unfortunately. Those guys died off a long time ago since they were told all they had to do was die basically. The ones that are left are jaded and lack the fanatical conviction to just die already.
Re: (Score:2, Funny)
Freakonomics is to Economy like Donald Duck is to Ornithology.
Re: (Score:2)
You fail in so many ways.
1) Freakonomics is a collection of observations on a subject.
2) Economy is a complex system
3) Donald Duck would be a particular specimen
4) Ornithology is a field of study
Now I think I get what you were TRYING for but you obviously don't understand the basic concepts much less how they relate to each other.
Next time try something along the lines of Freakonomics is to Economics as the Origin of Species is to Biology. That comparison would at least be apples to apples (though a bit e
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I wish I had taken an economics course in college.
I did, and you didn't miss much. Unfortunately, most of it involved a bunch of formulas that are only true when everybody acts completely rationally and don't take into account feedback at all. It was just an academic exercise.
The basic idea of supply and demand is the most fundamental thing you can learn about economies, and just about anybody can understand it.
Re: (Score:1)
Proving that you didn't learn much economics. You just regurgitated information you didn't understand.
The very basic economics formulas are centuries old and don't have a built-in feedback adjustment. You have to do that yourself. Which is why basic microeconomics has a lot of graphs with a supply curve and a demand curve and gives you problems asking what equilibrium price (or quantity) results from a stated change in quantity demanded, quantity supplied, shock to cost of production, etc etc.
They're pretty
Re: (Score:2)
I was talking about macroeconomics. The basic formulas for supply and demand are fine.
Macroeconomics claims to model bigger things, yet most of the formulas I was indeed forced to regurgitate were just not useful in the real world.
This opinion is also held by many mainstream economists. In fact, it seems to become popular again after every major crisis.
Re: (Score:2)
You just regurgitated information.
I was forced to, because that's what they decided constituted an education. That doesn't mean I didn't understand what they were trying to teach, and couldn't evaluate its worth.
You can find many that will distance themselves from, say, Keynesian-style macroeconomics, but you'd be hard pressed to find one that's just like "macroeconomics? pft, that stuff is shit in the real world."
Considering that what I was taught was a bunch of limited, academic navel gazing, there are plenty who would say it was worthless shit in the real world. That doesn't mean the whole field is worthless, and maybe things have improved, but when I took it, something like 17 years ago, most of it was a worthless academic exercise. In fa
Re: (Score:3)
That just proves that Newtonian mechanics isn't complete physics the same way that high school Macroeconomics isn't the complete economic picture. However, there is a difference: classical mechanics corresponds pretty closely to gross everyday observation of physical phenomena, but pure elementary Macro and Micro bear only the slightest correspondence to the gyrations and churn of the great big huge Global Economy, as frantically and inconsistently reported by every news organ in the world, and as debated e
Re:Economics (Score:5, Insightful)
The problem is ... which version of 'economics'?
It seems there's the broad, general sense of economics which attempts to explain how things work as an interconnected system. And, then there's the economics which is almost dogmatic ... it's a belief that under certain circumstances, and given a set of assumptions, a given outcome would naturally occur. Those, I'm not convinced are supported by anything more than a desire for it to be true.
I, for instance, have yet to be convinced that "trickle down economics" actually accomplishes what its proponents claim it will. I also am completely unconvinced by things that the rampant socialists say would happen if we listened to them, since their numbers are equally imaginary. They both amount to wishful thinking.
At a certain point, economics devolves into ideology and philosophy. And your belief in what works ceases to be empirical, and more focused on how you think the world should operate if you could rewrite reality to suit your own needs (or, force everyone to adopt your theories long enough for them to be proven true/fail utterly).
I agree that some understanding of economics is valuable ... but then it breaks down to become a belief system, and goes all to hell. Modern economics is like the Emperor's New Clothes ... as long as we all keep deluding ourselves that it works, everyone is happy. Occasionally, a glaring counter example comes along that people chalk up as being an anomaly.
It seems that goes for both ends of how people believe economics works.
Re: (Score:1)
I, for instance, have yet to be convinced that "trickle down economics" actually accomplishes what its proponents claim it will.
Really? So what will it take to convince you that "trickle down economics" actually accomplishes the opposite of what its proponents claim it will?
Because from there, it's an easy walk over to being convinced that those proponents know this and have been lying about their intentions the whole time.
Re: (Score:3)
Surprisingly little, but in the interests of being somewhat balanced, I chose to highlight that the two extremes are both a little shaky without actually focusing too much on one or the other.
As someone I used to
Re: (Score:2)
I, for instance, have yet to be convinced that "trickle down economics" actually accomplishes what its proponents claim it will.
I heard a (good) economist debunk it in one single sentence (I'm paraphrasing here): "If you give money to the rich, they'll put it in an offshore account or use it to purchase expensive art from other rich people. None of it goes back to the economy. If you give money to the poor, they use it to eat or to fix their car. It's back in the economy within a week."
But (Score:2)
https://secure.wikimedia.org/wikipedia/en/wiki/Economic_mobility [wikimedia.org] != https://secure.wikimedia.org/wikipedia/en/wiki/Social_mobility [wikimedia.org]
I'm confused (Score:3)
Was that supposed to mean that each of the thousand CAPTCHAs adds a dollar in cost to spammers? Because then I could see how that would cause some problems for them.
Re: (Score:2)
Was that supposed to mean that each of the thousand CAPTCHAs adds a dollar in cost to spammers?
Yes.
Re: (Score:2)
Re: (Score:2)
Was that supposed to mean that each of the thousand CAPTCHAs adds a dollar in cost to spammers?
Yes.
No. Read it again. It adds $1 to each block of 1,000 CAPTCHAs, not each of the 1000 CAPTCHAs.
that cheap, eh? (Score:2)
Re: (Score:1)
I use PayPal because you don't have to disclose anything to the sellers, you don't give a credit card number. I've heard they charge a few percent of the entire sum for each transaction though.
Of course you follow the money. (Score:5, Interesting)
Of course you follow the money. There aren't that many spammers; about three years ago, there seemed to be only about ten unique large-scale spammers. Taking one of them down made a significant dent in spam traffic for a month.
Junky spam and junky bogus web sites are obsolete, even in the criminal world. The old mindset was to filter out emails and sites that "looked junky". The old "Web Spam Challenge" [lip6.fr] was based on this. They have a big file of pages which humans have classified, by a quick look, as "spam" or "not spam". Five or ten years ago, that sort of worked, because most of the junk sites were really tacky. Phishing sites used to have blatant misspellings. That's history. Today's crooks have good web site production values.
So you have to dig deeper. On the web spam/bogus web site front, part of the right answer is to find out who's behind the web site and do a background check. (We do that at SiteTruth.com, as I've mentioned before.) Right now, even a superficial check (is there a mailing address on the site? Is it a known phishing site? Do seals of approval check out? Non-junk SSL cert?) is enough to knock out a big fraction of the junk. The deeper checks (is there a business at that address? How long in business? How much revenue last year? What's their business credit rating?) tell us enough to have some confidence about business legitimacy.
The original article mentions "ordering tons of stuff from phishing scams to trace the path of the money." That's what the FBI should be doing more of. Law enforcement can have accounts created, plug into the credit card system, and watch their credit cards being used in real time. It's hard to do that without law enforcement authority.
Re: (Score:2)
a significant dent in spam traffic for a month.
A month.
Time to bring out draconian legislation that hits spammers where it hurts - go after the idiots who respond to spam, just like they go after the "johns" that try to pick up prostitutes... a few ads in the local paper saying that John Q Neighbor was trying to buy v14gr4 or an online degree should really help.
I hope you don't think I was being serious.
Busting CAPTCHAs is not a crime. (Score:5, Insightful)
It is not valid to label something a "crime" just because it's inconvenient for some people. The lesson to be learned here is that CAPTCHAs are a lazy (and often lousy) way to prevent "unauthorized" access.
Also, while most CAPTCHAs today can be busted with automated tools, as OP says it's often more economical to just hire teams of people from Pakistan or India to do it manually. The going rate on freelancer sites is about $1 per 1000, but sometimes it's even less.
Re: (Score:2)
Busting CAPTCHAs is not a crime. Not usually, anyway. Sure, it may violate a website's terms of service, but US courts so far (quite correctly) say that's not a crime, unless you're "stealing" a for-pay service. And maybe not even then. It is not valid to label something a "crime" just because it's inconvenient for some people. The lesson to be learned here is that CAPTCHAs are a lazy (and often lousy) way to prevent "unauthorized" access.
I didn't see anywhere in the article where it labeled solving CAPTCHAs as a crime. And I don't remember ever seeing anyone claiming that a CAPTCHA prevents unauthorized access either. What the article does say is that a CAPTCHA solving service is one of the tools that criminals employ in their trade. And while it might seem futile to use a CAPTCHA, doing so induces a cost to criminals that tends to limit how many criminals continue to operate.
In my experience, CAPTCHAs never completely solve the proble
Re: (Score:2)
"... And just a buck to solve 1,000 captchas. Those are the going rates of cybercrime..."
Which is very clearly an implication that busting CAPTCHAs is a crime. It is not explicitly stated, no, but it's a very strong implication! One could not blame a reader for reading that busting CAPTCHAs is, indeed, a crime.
Re: (Score:2)
Re: (Score:2)
But since the author did put those words in that order, anybody who knows how to read English does, in fact, know that the implication was clearly int
Re: (Score:2)
"I *hope* that you're right, but that case had a lot of emotion running high (as well it should have... I thought that was the stupidest charge they could have possibly laid on her - assuming she's found guilty, the choice of the judge becomes "let someone responsible for the death of an innocent go" or "make internet access without reading the TOS of every single web site you access illegal with prison time")"
As the law stands now, breaking someone's Terms of Service is not a crime. And the reasoning is sound: if breaking Terms of Service were a crime, then any company could essentially define the law any way they wanted to, by what they put in their TOS.
Judges are FAR too jealous of their prerogatives to allow that. Besides the fact that it would be just plain a stupid idea to let corporations decide what the law should be.
Obligatory (Score:1)
xkcd [xkcd.com]
Stainless Steel Rat (Score:2)
This proves that
A: We're not serious about this.
B: It's probably half the government itself in an attempt to create people believing they need even more power.