The Underground Economy
Full Title of Reference
The Underground Economy: Priceless
Rob Thomas and Jerry Martin, The Underground Economy: Priceless, 31 USENIX ;login: 6 (2006). Web
- Issues: Cybercrime
An analysis of the ways in which miscreants in the underground economy monetize stolen credit card data, bot networks, compromised hosts and other spoils of cybercrime.
The underground economy is fertile ground for the pursuit and prosecution of the miscreants. Most of the underground economy servers are public, advertised widely, and easy to find (standard IRC ports, very descriptive DNS RRs, etc.). There is absolutely no presumption of privacy in the underground economy; the channels aren’t hidden, the channels have no keys, and the servers have no passwords. There is evidence of physical crime as well as online crime, and admissions of guilt, and all are readily available. Although the data in this article is obfuscated, these stanzas of gross fraud come with the name, address, phone number, SSN, and mother’s maiden name of the victim. That seems ready-made for a complaint. It is time to use the miscreants’ greatest asset, the underground economy, against them.
One can readily see the plethora of advertisements by the miscreant mer- chants and the miscreant consumers regarding compromised ﬁnancial accounts, drops (compromised ﬁnancial accounts used to launder funds), and cashiers (those who can clean them out): <A> i have wells and boa logins and i need to good drop man .......ripper f#@! off <=== .Have All Bank Infos. US/Canada/ Uk ...Legit Cashiers Only Msg/me <C> HELLO room... I am Ashley from the State... I got drops for US banks and i need a very trust worthy and understanding man to do deal with ... the share its 60/40...Msg me for deal The miscreant spammers are some of the most highly paid individuals in the underground. It’s easy to see why—spam works, and yields high prof- its.
This is the greatest failure of new technology—a rush to market, without consideration of the risks and a cost/beneﬁt analysis. This is at the heart of the security problem. Certainly, that is not to say that industries should not capitalize on technological advances but, rather, that they should consider risk and threat mitigation strategies prior to bringing any product to market.
Those who actively participate in the underground economy have another problem—how to move the signiﬁcant quantity of illegally obtained funds. There are a variety of solutions they discuss, such as offshore trusts to protect their ﬁnancial assets against lawsuits. Lawsuits, prying eyes, and seizure are all mitigated through the use of offshore banking. Several offshore banks will wittingly accept such accounts.
CASHIERS: The miscreants advertise for cashiers for both logical and physical (e.g., go collect the money at a Western Union site) account cleanups. Cashing out these accounts often must be accomplished from within the country where the account resides. Enter the bank broker, the miscreant who will cash out the account. Demand is high for these miscreants, and they never ask questions. When a cashier attempts to clean out a bank account (50% always goes to the cashier) on behalf of another miscreant, that cashier must have some semblance of legitimacy with the bank. Increasingly, the miscreants are ﬁnding that a male voice attempting to clean out an account obviously belonging to a female isn’t accepted by the banks. Thus is born a new skill set: gender-based cashiers. There are plenty of female miscreants, willing to clean out accounts both virtually and physically.
One of the hottest commodities in the underground economy is the drop. A drop can have one of two deﬁnitions. The ﬁrst deﬁnition of a drop is a location to which goods or cash can be sent. The person who owns the drop will then resend the items or hold them for pickup. There is a charge for this service, of course, ranging from a 70/30 (30% to the drop owner) split to a 50/50 split. Drops include homes and businesses, and often the drop owner is clueless about the contents of the dropped package. In this case, the drop owner is paid a ﬂat fee by the shipper or the broker. The second deﬁnition of a drop is a bank account through which money can be moved. This is a convenient way to cash out bank accounts, online ﬁnan- cial accounts such as PayPal, and credit cards. The drop owner almost always receives 50% of the take, although competition in this space is reducing that percentage. The location of the drop is critical, as some com- panies won’t ship overseas.
How much money do the miscreants make in the underground economy? More to the point, how much money do they steal? Here’s a snapshot from one underground economy trading channel over a 24-hour period. These are the total account values for ﬁnancial accounts to which these criminals have obtained access. These are just the samples; these miscreants claim to have many more accounts to sell, and they offer up the samples as adver- tising. All amounts are in U.S. dollars, and some of these account totals are impressive, while others are quite small. The true account owner probably doesn’t consider them unimportant, however:
<A> Total: $310.64—A is from Country A Total $930,391.94—B is from Country B <C> Total $216,934.93 <C> Grand Total $1,803.59—C is from Country C <D> Total: $49.00—D is from the Country D <E> Total $258,602.27—E is from Country E <F> Total $60.07—F is from the Country D <G> Grand Total $1,987.97—G is from Country F <H> Total $48,096.65—H is from Country A Total $33,332.76—I is from Country B So, with one channel, one 24-hour period, and just a few samples, at least US$1,599,335.80 has gone to fund multinational criminals.
PRIVACY IN THE UNDERGROUND ECONOMY:
Most of the underground economy servers are public, advertised widely, and easy to ﬁnd (standard IRC ports, very descriptive DNS RRs, etc.). There is absolutely no presumption of privacy in the underground economy; the channels aren’t hidden, the channels have no keys, and the servers have no passwords. The clients in these channels are widely divergent. Think about what has just been shared: 1. There is no need for specialized IRC clients. 2. There is no need to rapidly track ever-changing DNS RRs and IPs. 3. There is no need to pull apart every new permutation of malware. 4. There is no need to hide, period.