1. /
  2. Confident Insights Newsletter/
  3. Symantec Provides Details on ‘Booming’ Underground Economy

Symantec Provides Details on ‘Booming’ Underground Economy

January 27, 2009


A new report from Symantec describes an online underground economy that has matured into an efficient, global marketplace in which stolen goods and fraud-related services are regularly bought and sold.
If there is any confusion still lingering about the health of the online underground economy, a new report from Symantec ought to dispel it.
The Symantec Report on the Underground Economy, released in November 2008, characterizes this illicit economy as “booming,” adding that it “has matured into an efficient, global marketplace in which stolen goods and fraud-related services are regularly bought and sold, and where the estimated value of goods offered by individual traders is measured in millions of dollars.”
The potential value of advertised goods observed by Symantec between July 1, 2007 and June 30, 2008 on underground economy servers was more than $276 million. That figure was determined using the advertised prices of the goods and services, and it indicates how much advertisers would make if they liquidated their inventory.
This article summarizes the findings of the report that will be of particular interest to large organizations.

A thriving business

The Symantec Report on the Underground Economy looks at some of the more notable groups involved in cybercrime activity and examines the major advertisers and most popular goods and services available. It also includes an overview of the servers and channels that have been identified as hosts for trading, and provides a snapshot of software piracy.
  • Groups and organizations. Numerous groups and organizations are active in the trade of fraudulent goods and services in the underground economy. The majority of these groups function through Web-based forums devoted to online fraud. And as the report observes, “considerable evidence exists that organized crime is involved in many cases.” Although a wide variety of individuals and groups are active in the underground economy, there appears to be some correlation between the level of organization and specific regions. For example, various arrests and indictments of underground economy participants suggest that groups in Russia and Eastern Europe are more organized in their operations, with greater ability to mass-produce physical credit and debit cards. In contrast, groups operating out of North America tend to be loosely organized, often made up of acquaintances who have met in online forums and/or Internet relay chat (IRC) channels and who have chosen to associate with each other.
  • Advertisers on underground economy servers. During the reporting period, Symantec observed 69,130 distinct active advertisers and 44,321,095 total messages posted to underground forums. The potential value of the total advertised goods for the top 10 most active advertisers was $16.3 million for credit cards and $2 million for bank accounts. Furthermore, the potential worth of the goods advertised by the single most active advertiser identified during the study period was $6.4 million.
  • Goods and services advertised. Of the categories of goods and services advertised on underground economy servers observed by Symantec, credit card information ranked highest during this reporting period, with 31% of the total. Symantec speculates that credit card information is in such demand because using credit card data fraudulently is relatively easy. Often an online purchase requires only the credit card information. The second most common category advertised was financial accounts at 20% of the total. (While stolen bank account information sells for between $10 and $1,000, the average advertised stolen bank account balance is nearly $40,000.) The third most common category of advertised goods and services for sale was spam and phishing information, with 19% of the total.
  • Value of total advertised goods. Symantec estimates the value of total advertised goods on observed underground economy servers at over $276 million for the reporting period, with credit card information accounting for 59% of that total. (That’s not surprising given that credit card information was the highest priced good in the underground economy.) Symantec researchers add: “Although law enforcement agencies have been concentrating their efforts on arresting and indicting those involved in fraud and identity theft, the global nature of these criminal enterprises increases the difficulty of locating their operations and shutting them down.”
  • Servers and channels. Due to the inherent illegality of the underground economy, the lifespan of its servers is, not surprisingly, relatively brief. According to the report, 98% of underground economy servers have a lifespan of less than six months. North America had the largest number of these servers, hosting 46% of the total.
  • Malicious tools. Malicious tools enable attackers to gain access to a variety of valuable resources such as identities, credentials, hacked hosts, and other goods and services. Some malicious tools and services are designed to counter security measures such as antivirus software to increase the lifespan of a malicious code sample in the wild. As the report explains, “The result is a cycle whereby malicious tools must be continuously developed and used to produce other goods and services.” The highest priced attack tool during this reporting period was a botnet, which sold for an average of $225. On average, binders were the most expensive malicious code-related good advertised in the underground economy, with an average price of $27. Often called joiners, binders are programs that allow multiple executables to be combined into a single executable file.
  • Pirated software. During this reporting period, desktop computer games were the most pirated software by a significant margin, accounting for 49% of all file instances observed. As the report observed, “Given the steadily increasing popularity of electronics games, this is not surprising. Retail sales of desktop games reached $9.5 billion in the United States alone in 2007, a 28% increase from 2006. In comparison, retail sales in the United States of software other than games were an estimated $3.3 billion in 2007.” The second highest category was for utility applications, while third place was claimed by multimedia productivity applications (such as photo editors, 3D animation editors, HTML editors, etc.).

Fighting back

As new tools and techniques to defraud legitimate users are developed every day, it’s clear that protection and mitigation against attacks must become an international priority. There are a number of general measures that enterprises can employ to protect against fraud-related activities. According to Symantec:
“Organizations should monitor all network-connected computers for signs of malicious activity including bot activity and potential security breaches, ensuring that any infected computers are removed from the network and disinfected as soon as possible. Organizations should employ defense-in-depth strategies. Defense-in-depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Defense-in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.”
Symantec also recommends that enterprises notify their ISPs of any potentially malicious activity.
To protect against identity theft, organizations that store personal information should take steps to protect data transmitted over the Internet or to limit the exposure of confidential information stored on their computers by successful intrusions. This should include requiring that all sensitive data is strongly encrypted and educating users on the proper procedures for using such programs.
Symantec recommends that enterprise users protect themselves against phishing threats by filtering email at the server level through the mail transfer agent (MTA). Enterprises should also keep their employees notified of the latest phishing attacks and ways to avoid them.
Additional measures to protect against fraud-related activities can be found here.


Today’s cybercriminals are thriving off of information they gather without permission from businesses and consumers. A wide variety of goods and services are now being advertised throughout the online underground economy, and the economy itself has evolved into a self-sustaining marketplace. The Symantec Report on the Underground Economy provides an analysis of certain aspects of the underground economy that all enterprises should be aware of.

Back to Newsletter