The Cybercrime Service Economy
13-Feb-2008
The article below is from Harvard Business Online and can be referenced at: http://harvardbusinessonline.hbsp.harvard.edu/hbsp/hbr/articles/…
(Harvard Business Online) - Anyone who doubts that internet commerce faces serious threats from online criminals should consider this: Criminal hacking has spawned a full-blown service economy, one that supports growing legions of relatively lower-skilled but fulsomely larcenous hackers.
In the past year, entrepreneurs, many of them based in Russia, have begun to create criminal hacking enterprises aimed not at stealing but at providing services to help others steal. Business has quickly taken off. Per unit of risk (of apprehension, prosecution, and incarceration), enabling online crime pays better than perpetrating it directly. Criminal services entrepreneurs are netting millions of dollars a month. Some experts estimate that, all told, they earned $1.5 billion in 2007.
Last year, two Russians created a subscription-based identity theft service. Rather than steal personal credentials themselves, the two hacked into PCs and then charged clients $1,000 per compromised machine for 30 days of unfettered access. The clients are betting that during the 30-day period (one billing cycle) victims will bank or otherwise submit personal data online.
To offer their subscription service, the hackers contracted with yet another service provider to obtain a sophisticated distribution system for the illicit code, called a bot, that they would use to infect the PCs. That distributor enticed website owners to hide its bot on their sites by promising weekly payments based on the volume of traffic, much the way newspapers are paid by advertisers according to the number of visitors to their websites. Other service businesses aggregate large networks of compromised computers, called botnets, and rent out portions of their networks for whatever task the client has, perhaps to distribute spam, disable a competitor's website, or infiltrate a firm's network in order to steal intellectual property.
As with any service business, customers willing to pay extra can obtain premium offerings. The two hackers behind the subscription service will "clean up" your data: get rid of low-value information and generate helpful reports itemizing what you've stolen. The botnet rental operations offer ancillary consulting to maximize the effectiveness of your attack; some guarantee specified service levels or your money back.
The biggest factor driving the emergence of this new service economy is the obvious one: an explosion of online banking and shopping, coupled with consumers' increasing willingness to disclose personal information over the internet. For those with the technical skills, opportunities for exploitation are richer than ever before.
But something else is happening, too. Those gifted hackers are now enabling the far larger market of wannabes whose deficient skills would otherwise shut them out of the cybercriminal enterprise system. By creating services for those people, hackers can generate huge profits without actually committing fraud. Gold prospectors may or may not strike it rich, but folks selling pans and pickaxes make a heck of a living either way.