The Symantec Report on the Underground Economy
, released in November 2008, details “an online underground economy that has matured into an efficient, global marketplace in which stolen goods and fraud-related services are regularly bought and sold,” and where the estimated value of goods offered by individual traders is measured in millions of dollars.
The implications for small and medium-sized businesses are profound.
“Today’s cybercriminals are thriving off of information they are gathering without permission from consumers and businesses,” says Stephen Trilling, vice president, Symantec Security Technology and Response. “As these individuals and groups continue to devise new tools and techniques to defraud legitimate users around the globe, protection and mitigation against such attacks must become an international priority.”
This article presents the key findings of the report, with special attention paid to those areas of concern to SMBs.
The Symantec Report on the Underground Economy is based on data gathered from underground economy servers between July 1, 2007 and June 30, 2008. It discusses some of the more notable groups involved in cybercrime activity, and examines the major advertisers and most popular goods and services available. In addition, it includes an overview of the servers and channels that have been identified as hosts for trading, and provides a snapshot of software piracy. The report is intended to be an analysis of certain aspects of the underground economy rather than a survey of Internet cybercrime as a whole.
- Groups and organizations. There are a number of groups and organizations that have been active in the trade of fraudulent goods and services in the underground economy. The majority of these groups function through a number of Web-based forums devoted to online fraud. Although there is a wide variety of individuals and groups active in the underground economy, there appears to be some correlation between the level of organization and specific regions. For example, various arrests and indictments of underground economy participants suggest that groups in Russia and Eastern Europe are more organized in their operations, with greater ability to mass-produce physical credit and debit cards. In contrast, groups operating out of North America tend to be loosely organized, often made up of acquaintances who have met in online forums and/or Internet relay chat (IRC) channels and who have chosen to associate with each other.
- Advertisers on underground economy servers. During the reporting period, Symantec observed 69,130 distinct active advertisers and 44,321,095 total messages posted to underground forums. The potential value of the total advertised goods for the top 10 most active advertisers was $16.3 million for credit cards and $2 million for bank accounts. Furthermore, the potential worth of the goods advertised by the single most active advertiser identified during the study period was $6.4 million.
- Goods and services advertised. Of the categories advertised on underground economy servers observed by Symantec, credit card information ranked highest during this reporting period, with 31% of the total. The second most common category of goods and services advertised was financial accounts at 20% of the total. (While stolen bank account information sells for between $10 and $1,000, the average advertised stolen bank account balance is nearly $40,000.) The third most common category of advertised goods and services for sale was spam and phishing information, with 19% of the total. Consumer Reports estimated the cost of phishing attacks to be $2.1 billion for U.S. consumers and businesses in 2007.
- Value of total advertised goods. Symantec estimates the value of total advertised goods on observed underground economy servers at over $276 million for the reporting period, with credit card information accounting for 59% of that total. (That’s not surprising given that credit card information was the highest priced good in the underground economy.)
- Servers and channels. According to the report, 98% of underground economy servers have a lifespan of less than six months. North America had the largest number of these servers, hosting 46% of the total. One of the largest IRC server networks observed by Symantec had approximately 28,000 channels and 90,000 users at one point.
- Pirated software. During this reporting period, desktop computer games were the most pirated software by a significant margin, accounting for 49% of all file instances observed. In the words of the report, “Given the steadily increasing popularity of electronics games, this is not surprising. Retail sales of desktop games reached $9.5 billion in the United States alone in 2007, a 28% increase from 2006. In comparison, retail sales in the United States of software other than games were an estimated $3.3 billion in 2007.” The second highest category was for utility applications, while third place was claimed by multimedia productivity applications (such as photo editors, 3D animation editors, HTML editors, etc.).
For small and midsize businesses, the Symantec Report on the Underground Economy has particular relevance. For example, credit card information is the most popular category of goods and services available for sale. This category includes credit card numbers, CVV2 numbers, expiry dates, and credit card dumps. The CVV2 number is a three- or four-digit number on the credit card and is used for transactions via the Internet or phone. The number helps to verify that the person completing the transaction is, in fact, in possession of the card. A credit card dump is the information contained in the magnetic stripe on the back of a credit card and includes the account number, expiration date, and sometimes additional information such as the cardholder name.
As the report observes:
“Credit card information may be in such demand because using fraudulent credit card data for activities such as making online purchases is relatively easy. Online shopping can be easy and fast, and a final sale often requires just credit card information. Someone knowledgeable enough could potentially make many transactions with a stolen card before the suspicious activity is detected and the card is suspended.”
As a result, efforts to prevent the fraudulent use of credit card information need to be a priority.
But a more disturbing finding of the report, perhaps, is that the underground economy has matured into an efficient, global marketplace. The fact is, it is now relatively easy to buy and sell fraudulent goods and services online. Items sold can include credit card data, bank account credentials, email accounts, and just about any other information that can be exploited for profit. Services can include cashiers who transfer funds from stolen accounts into currency, phishing and scam page hosting, and job advertisements for roles such as scam developers or phishing partners.
As David McKinney, one of the authors of the report and a threat analyst with Symantec Security Technology and Response has observed:
“The underground economy is self-sufficient. What this means is that the tools necessary to produce goods and services are also available for sale in the underground economy. This indicates that the market has matured enough that productivity gains can occur through the division of labor; i.e., the economy makes it viable for individuals to increasingly specialize in the tasks they excel at.”
As the Symantec Report on the Underground Economy shows, a wide variety of goods and services are being advertised on underground economy servers, and the online underground economy itself has evolved into a self-sustaining marketplace.
With the online underground economy now such a key sector of the criminal world, small and midsize businesses need to be more vigilant than ever about protecting their sensitive information and being aware of any breaches to their networks.