The Wild, Wild Web: How To Catch Cybercrooks

Hacking programs are becoming more accessible, making taking precautions online more important. Kacper Pempel/Reuters

When cybercriminals can easily buy cheap hacking programs with exotic names like Fiesta, Lucky, Nuke, Siberia, Sploit, Tornado, Sweet Orange and Cool, what chance is there that anything online can remain safe? Lillian Ablon and Martin C. Libicki offer ideas for how to close down Web thieves.

Black markets for computer-hacking tools, services and by-products, including stolen credit card numbers, continue to grow, posing threats to businesses, governments and individuals. A prominent recent example was the capture of an estimated 40 million credit card numbers and 70 million user accounts in the December 2013 breach of retail giant Target. Within days, those data appeared—available for purchase—on black market websites.

The markets for cybercrime products and by-products have become so pervasive and accessible that the malicious hacking trade today can be, in certain respects and for some, more lucrative and easier to carry out than the illegal drug trade. Once the domain of lone hackers, cybercrime has become a burgeoning powerhouse of highly organized groups, often tied to drug cartels, mafias, terrorist cells and even nation-states.

It has matured into specialized markets, in which those who have gained the greatest access deal freely in the tools and spoils of the trade: exploit kits (software for creating, distributing and managing attacks), botnets (remotely controlled computers used for sending spam or flooding websites), "as-a-service" offerings (hacking for hire), compromised hosts and a continually flooded market for stolen credit card numbers and other personal credentials.

Consumers and businesses have fortified their data systems in response, but hackers have come back stronger. Increased arrests, meanwhile, spur increased media attention, which advertises the lucrative markets to those once unaware of the possibilities and reveals the tactics and techniques of law enforcement to those already in the markets, causing them to adapt. As more participants enter the market, and as current participants upgrade their methods of conducting business, the increasingly competitive and resilient hackers go after bigger targets and become harder to take down.

As a result, the ability to attack is outpacing the ability to defend. Hyper-connectivity—particularly through the rise of the "Internet of Things"—will create even more opportunities for attack, as everything from insulin pumps and pacemakers to cars, toasters and refrigerators will offer malicious hackers networked points of entry. Exploitation of social media networks and mobile devices will also grow. Crime will increasingly have a networked or cyber component.

Sketching the current and predicted landscape for cybercrime can lay the groundwork for exploring options to minimize the harmful influence of these markets. As part of ongoing studies on the future security environment, we examined these markets with support from Juniper Networks, a Silicon Valley manufacturer of networking equipment.

Our findings could help private firms, public law enforcement agencies and network security vendors gain a better understanding of the cybercriminal activity they aim to suppress. Without studying this activity and exploring the options to subdue it, very little is likely to change.

The black markets for cybercrime are a collection of activities that range from simple to extremely sophisticated and that operate all over the world, from New Jersey to Nigeria to China. There is no single location from which the markets emanate; a unique aspect of operating in cyberspace is that it is simultaneously nowhere specific yet everywhere. Goods and services are usually reliable.

Implementation and transactions are quick and efficient. Cybercrime black markets are comparable to other underground markets for illicit goods, such as drugs, with the difference being that digital goods carry less risk and, for some, offer greater profit. Some organizations can make hundreds of millions of dollars per year.

The number of participants in cyber black markets is likely to rise, because it is easier to get involved than it was 10 years ago. This is due to the proliferation of websites, forums and chat channels where goods can be bought and sold. An increased number of YouTube videos and Google guides for "how to use exploit kit X" or "where to buy credit cards" also facilitates entry into the market, especially for buyers.

Figure 1 shows the proliferation of exploit kits over the past decade. The kits are too numerous to name them all, but they tend to go by feisty names such as Fiesta, Liberty, Lucky, Nuke, Siberia, Sploit, Tornado, Blackhole, Whitehole, Sweet Orange and Cool. The price for kits varies based on whether they are purchased outright or rented. Do-it-yourself kits can cost as little as $15; high-end rentals can command $10,000 per month.

Figure 1. Dozens of New Exploit Kits Expand the Cybercrime Market Each Year, While the Old Kits Remain in Use
SOURCE: Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar, 2014. NOTE: Annual data are noncumulative.

Originally, the major players in the cyber black market were former state employees of Eastern European countries who were well educated but found themselves searching for gainful employment after the Berlin Wall fell in 1989. Since then, the entrepreneurial savvy of the players has soared with the entry of a whole new generation of "digital natives" who can do more things for themselves. (They do not have to, for example, hire anyone to reverse-engineer a program or create an exploit.)

In terms of quantity, the leaders in malware attacks today operate out of China, Latin America and Eastern Europe. In terms of quality, the leader is Russia. There are Vietnamese groups that focus on e-commerce, while a majority of Russian, Romanian, Lithuanian, Ukrainian and other Eastern European groups focus on attacking financial institutions.

Chinese hackers are believed to focus on seizing intellectual property, as underscored in May 2014 by the U.S. Department of Justice's accusations against five members of the Chinese military who have allegedly stolen trade secrets from five American companies and the United Steelworkers.

Some groups have partnered across international lines. As one expert put it, "Groups that would traditionally never work together are working together." One Vietnamese group partnered with Nigerians on a fraud scheme involving stolen e-commerce accounts. A Colombian group set up money-laundering "villages" in China.

U.S.-based participants in the market are becoming more involved. In 2007, the majority of participants were from Russia, with the United States having only a small representation. By 2013, almost a fifth of the market was U.S.-based, ranked third behind Ukraine and Romania.

Although English is the universal language of commerce, it is not necessarily the universal language of this commerce. The Web forums are generally in Russian or Ukrainian. There are reports of English-only, Mandarin-only, German-only and Vietnamese-only sites, among others. At the same time, the victim-deception campaigns of "phishing," "spear-phishing" and other social engineering operations are typically conducted in English, because a majority of the targeted victims know that language.

The product slate keeps evolving with the technology. Malware for mobile devices has been growing, in part because attacking mobile devices now brings in money faster than attacking personal computers.

A stolen Twitter account now costs more than a stolen credit card, because a Twitter account potentially has a greater yield, for two reasons: A Twitter account can be used to target friends and family through spear-phishing schemes, and many unsuspecting consumers use the same password for their social media accounts as they do for their online banking and e-commerce accounts. Twitter is also becoming a channel of choice for the everyday transactions of malicious hackers, who are increasingly using private Twitter accounts to make deals rather than using open online forums or chat rooms.

Whatever is new or novel for the traditional consumer—from mobile devices to cloud computing to social media platforms—offers new entries for attack and will thus elicit a counterpart exploit on the black market. The trend will accelerate, because more and more of the world will have a digital component: By 2020, the number of connected devices will outnumber that of connected people by a ratio of 6:1, compared with about 3:1 today, doubling the avenues of potential exploitation.

Law enforcement "takedowns" (or arrests) have had little effect on the size or composition of the black market. As one entity goes down, another takes its place, often within days. As the enduring entities implement countermeasures (such as stronger encryption, more vetting and increased stealth), the market just hiccups, becoming somewhat less accessible and less open but mostly returning to normal.

More of the market's transactions simply move to the "darknet"—that is, to anonymous private networks that use encryption and proxies to obfuscate who is communicating with whom. Illicit websites are also starting to accept only digital cryptocurrencies, with their anonymity, non-traceability and other security advantages.

The consequences of takedowns are transitory not only because of the market behaviors cited above but also because many countries condone hacker activity that is illegal in the United States. One Russian hacker was arrested, released on a technicality, given an apology and now has ties to the government. China tends to turn a blind eye as well. On the other hand, Vietnam is very helpful to law enforcement groups, and Romania, Ukraine and Poland have been selectively helpful.

Despite the transitory effects of cybercrime takedowns, they have recently been on the rise, for three reasons. First, law enforcement has gotten better over the past 10 to 15 years. Those entering the profession today have grown up comfortable with technology and computers, and training in the digital world has improved for law enforcers all over the world.

Overseas partnerships and cross-pollination of ideas have also strengthened law enforcement—although perhaps more so at the federal level. Leadership in law enforcement, intelligence and the U.S. Department of Defense has accorded cybercrime top priority and moved resources accordingly.

Second, suspects are going after bigger targets and thus are attracting more attention. Since around 2002, attacks have shifted from opportunistic one-offs (against whichever individuals may have been unsecure) to companies. Now that companies understand they are targets, they are more willing to work with law enforcement, and the public-private partnership has tightened.

Third, because almost every aspect of crime today involves a digital component, law enforcement has a multitude of opportunities to encounter crime in cyberspace and to learn from these encounters. (Figure 2 illustrates the biggest data breaches in history as a result of malicious hacking.)

However, as mentioned above, law enforcement could also become a victim of its own success. More arrests and takedowns lead to more media coverage, drawing more perpetrators into the black markets and compelling those already in the markets to grow smarter.

Figure 2. Data Breaches Show No Sign of Letting Up (data breaches by size, in number of user accounts captured by hackers)
SOURCE:, as of July 2, 2014. Used and adapted under Creative Commons Attribution-NonCommercial 3.0 licensing guidelines. NOTE: Orange represents an "interesting story"; the other colors are grouped generally by year.

Today, malicious hackers appear to have the upper hand. The maturation of cybercrime markets threatens individuals, businesses, law enforcement agencies, national governments and military services around the world. The deleterious effects on cybersecurity suggest the need for coordinated efforts across the private and public sectors, nationally and internationally, to suppress the black market activity.

In the private sector, computer security companies, device manufacturers, Internet service providers and defense contractors should routinely collaborate on developing updated approaches to thwarting online attacks. Beyond the technical solutions (such as ever-thicker firewalls and ever-stricter access controls), there are intriguing possibilities for private firms to harness the power of their legitimate markets to fight illegitimate ones.

For example, more private firms could sponsor "bug bounty" programs or related contests, which offer financial rewards to anyone who finds or reports a bug, virus or other vulnerability in a particular computer software product. Google's bounty program pays $3,000 to $5,000 for ordinary, easier-to-find bugs, with bounties in the range of $20,000, or even upward of $200,000, for exotic and exceptionally nefarious bugs or those that affect a large market segment.

The U.S. government could funnel money to security vendors to help with their bug bounty programs, or even create its own. As for computer hacking contests, one good example is the annual Pwn2Own competition, which began in 2007 and paid out $850,000 of prize money in 2014.

Commercial companies, defense contractors and government agencies alike could also offer better pay and incentives to lure talented hackers away from the illicit markets and into legitimate business and government operations (especially those targeting the activities of other hackers).

All of these strategies could work in tandem: The bug bounty programs and recurrent contests could serve as recruiting programs for permanent hires. With better pay and incentive packages, the savviest hackers would gravitate toward legitimate work, and the private firms and government agencies would reap the benefits while removing the dangers. Over time, this approach might even stop the arms race between security vendors and those trying to render their products obsolete.

When hackers succeed in stealing customer data and placing the data on the open market, banks or other merchants could possibly buy back their customers' stolen information. This strategy would raise valid ethical questions about legitimate businesses participating in the black market for the implicit purpose of paying "ransom" for data "hostages."

But if the information is already stolen, this strategy might be a viable way to protect it. On the other hand, this strategy could backfire by alerting the attackers to what merchants believe is most important, or most vulnerable, thereby bidding up the price for this particular kind of stolen data and enticing the thieves to seize even more.

Law enforcement agencies could pursue several strategies, some of which would benefit from advice from computer security firms. For instance, law enforcement agencies could explore the costs and benefits of establishing fake credit card shops, fake forums, fake websites or other cyber sting operations to boost the number and quality of arrests, while simultaneously tarnishing the reputation and confidence of the black markets.

These agencies could also explore the ramifications of hacking back—or including an offensive component within law enforcement—to deny, degrade or disrupt black market business operations. The lessons learned from infiltrating, disrupting and combating the black markets for illegal drugs and illegal arms could also be applied to the black markets for cybercrime.

Law enforcement and other government agencies could perhaps use the black market to their advantage in their own offensive operations: By using black market cybergoods, such as exploit kits and encryption tools, a government officer would appear online as just another criminal, would not stand out and would reduce the risk of being "fingerprinted."

Public opinion could collapse, however, if word got out that the U.S. government were involved in the black market. Therefore, this tactic might be allowed for only highly sensitive operations or extremely targeted attacks.

Law enforcement agencies will also need to determine whether it is more effective to pursue the small number of top-tier cybercriminals or the large number of lower-tier participants. Worldwide, law enforcement agencies will need to work together to prosecute and extradite the most wanted criminals, coordinating their arrests and indictments.

From a regulatory standpoint, both private companies and law enforcement agencies should inform legislators about the costs and benefits of implementing various potential mandates: for encryption on point-of-sale terminals (cash registers and online shopping carts), for safer storage of passwords and user credentials, for worldwide adoption of credit cards with embedded computer chips and personal identification numbers and for regular checks of websites to prevent common vulnerabilities. All such mandates would be intended to put a dent in the black market or to force major changes in how it operates.

The urgency of these strategies will grow over time. In their absence, not only will very little likely change to deter the criminals, but the victims will stand to lose more and more.

A Glossary of Cybercrime

As-a-service: pertaining to outsourced hacking.

Botnet: a collection of compromised computers remotely controlled by a central authority to send out spam, spread malware, launch attacks or support illegal websites.

Bug bounty: a reward given for finding and reporting a bug or vulnerability in a computer software product.

Cryptocurrency: a digital currency that relies on cryptography and often offers anonymity.

Darknet: an anonymous private network that uses encryption and proxies to obfuscate who is communicating with whom.

Distributed denial of service: an attack by multiple compromised systems on a single system.

Encryption: the process of encoding messages or information in such a way that only authorized parties can read it.

Exploit kit: a tool that can be used to create, distribute and manage malware to control user Web traffic, infect users or manage networks of infected machines.

Fraudware/fakeware: malicious software that poses as legitimate but is really not; it may falsely notify a user that a computer is infected with (other) malware.

Hacking: gaining access to a computer surreptitiously.

Malware: software intended to damage or disable computers or computer systems. Types of malware include viruses, worms, and Trojans.

Phishing: the attempt to capture usernames, passwords, and financial information by masquerading as a trustworthy entity using email or other electronic communications.

Rippers: people who do not provide the underground goods or services they advertise.

Spear-phishing: phishing attempts directed at specific individuals or companies.

Watering-hole attack: an attack on a popular website to infect all legitimate visitors.

Zero-day vulnerability: an exploitable vulnerability unknown to a software vendor and for which no patch has been created.

Lillian Ablon and Martin C. Libicki are professors at the Pardee RAND Graduate School. This article first appeared in the Rand Review, the flagship magazine of the nonpartisan, nonprofit RAND Corporation, and on the RAND website.