Taking Down the Underground EconomyExperts Analyze Difficulties Shuttering Online Forums
As news of the Target Corp. data breach started to spread, the company was working to mitigate the situation while cybercriminals were apparently already busy trying to sell the compromised information to fraudsters online.
Following a breach, sensitive information, including credit card data, is often sold through the online criminal economy. The underground economy is a complex ecosystem where compromised data is sold for use in committing fraud.
In addition to credit card data, information being sold includes Social Security numbers, along with names, addresses and phone numbers. While federal agencies and the security industry have been monitoring these underground online criminal forums for quite some time, it's proven difficult to shut them down.
Kyle Adams, a chief software architect at Juniper Networks, a network solutions provider, says cyber-attackers use several tactics to avoid law enforcement interference with underground forums, including anonymization technologies, bullet-proof hosting and anonymous currency, such as Bitcoin.
"Things like anonymous proxies and virtual private networks are used to hide the identity of customers to avoid sting operations, or feds posing as hackers and targeting customers," Adams says. "These services are also used by the criminals to hide their identity when communicating on the Internet, hacking and transferring money."
Criminals are using these highly sophisticated tools to anonymize their efforts, and this has made it extremely difficult for law enforcement to crack down on fraud, Adams says. "These tools tend to be so well-designed that there are no known techniques for breaking through them," he says. "The only strong technique law enforcement has at their disposal is to 'hack back,' which is not always legally permissible, and not always technically possible because the target is likely better at security than [the good guys] are."
Following a security incident, like the Target breach for instance, credit card information quickly floods the underground markets, says JD Sherry, vice president of technology and solutions at Trend Micro. "The quicker you can flood the market, the higher the price [per card] you'll get," he says. "The clock is ticking as law enforcement or credit agencies will begin to shut down those assets. As time lapses, your chance of actually leveraging those assets for fraud decreases."
"After a breach, the freshest data is typically available on the harder-to-access sites, ones where you need to get vetted to get in," says Lillian Ablon, information systems analyst at RAND Corp.
As time goes on, the data starts to trickle down to the sites that are more open and easier to find, she says. "Prices decrease the longer the goods are on the market, as there's a higher likelihood that the banks/customers have shut down those cards," Ablon says.
In 2011, a typical credit card number was selling for $2.50 on black market forums, Sherry says. That price dropped to $1 in 2013 because of an increase in supply. Today, depending on the size of a credit card breach, prices can range from $20 to 75 cents per card, according to research conducted by Juniper Networks.
"Not only is the cost going down to acquire tools to create cybercrime, you're also seeing, because of supply-and-demand economics, stolen asset values go down," Sherry says.
"When you go and look on black market [online] forums, usually prices are based on how complete the information is," says Juniper Networks' Adams. "If the stolen record has been tested and works, criminals will charge more money for it."
If cybercriminals have all the pieces, they can sell what's known as a whole identity, which can include Social Security numbers, names, addresses and credit card information, Adams says. "The more information you have, the more valuable it is because when you have a whole identity, you can use that to get driver's licenses and passports, among other things," he says.
And it's not just credit card numbers or Social Security numbers that are being sold. Credentials for social media accounts can cost more to purchase than a stolen credit card because the credentials could serve as an entry point to launch attacks on victims' other online accounts, including online banking or e-commerce accounts, according to a study by Juniper Networks and RAND Corp. That study found that hacked social media and other online accounts can be worth anywhere from $16 to $325, depending on the account type.
Selling Stolen Information
Ablon of RAND Corp. says stolen information can be sold online in multiple ways. For instance, some underground sites just offer advertisements where the buyer will have to reach the seller directly for more details.
"Some sites sell directly, and have drop-down menus or point-and-click for easy purchase," Ablon says. Some purchasing, she says, is conducted on IRC, or Internet Relay Chat, channels, which are designed for group communication in discussion forums.
A majority of the forums or websites selling this information are open to the public. "You or I could find these sites, sign up and be a buyer right away," Ablon says. "We don't need much vetting to get in or to buy the most basic stuff."
Those looking for better fraud tools and more up-to-date information, however, must take steps to build up their reputation in the forums, she says. "As [the criminal] buys more, participates more ... in the form of leaving comments or posting content and tutorials, they will get more access, especially to protected sections of the forum."
Tom Kellermann, managing director for cyber protection at Alvarez and Marsal, a business management firm, says the vetting phase is a security mechanism for these forums. "The forum will try to identify if you're a ripper [someone who does bad deals] or if you're a law enforcement officer," he says. "They even do some things like require a phone number so they can assess your status through hacked telecommunications accounts."
Rather than using the forums, some cybercriminals who have stolen a relatively small number of records may try to use the compromised credentials themselves, Adams points out.
"But if they compromised a whole lot, then the next step is to try and sell all that information in bulk on one of the black market forums," he says. "Someone will buy it from the cybercriminal. They, in turn, ship over [the stolen credentials], and then there's payment in Bitcoin [or some other virtual currency]."
Some underground forums function for extended periods, experts say, while others may pop up just for one specific batch of stolen cards.
If an underground forum is hosted on the public Internet, it may continue to function for as long as a year, Adams says. Forums can also be hidden using Tor, which directs Internet traffic through a network consisting of thousands of relays to conceal a user's location or Internet usage, Adams says.
Criminals will utilize bullet-proof hosting - using hosting firms that are lenient in the types of information customers are uploading - for their underground forums, which are used to sell stolen content, distribute cracked software and communicate with one another, Adams says. And website hosting providers for these forums, often based in Eastern Europe, rarely keep paper trails of their customers and almost never respond to foreign law enforcement requests, he says.
"Many of these forums are set up in regions of the world where law enforcement does not have much influence," says Jon Clay, Trend Micro's director of global threat research. "The other challenge is many of these forums are set up on public forum sites where they live in parallel with legitimate forums, so even if one gets shut down, a new one is easily created."
Etay Maor, senior fraud prevention strategist at IBM, says law enforcement agencies in other parts of the world may not take part in takedowns of these underground sites, making it more difficult to target these operations. "It may be a matter of priority, but taking down a site in specific regions and countries may be close to impossible - and the cybercriminals know this," he says.
The use of anonymous currency, such as Bitcoin, allows for the exchange of money in the black market without leaving any paper trail, Adams says. "Technologies such as Bitcoin and disposable credit cards make it much easier for criminals to conduct business without extremely complicated laundering schemes," he says.
Because of the huge demand for stolen data to support fraud, cybercriminals will always find ways to communicate with one another, Maor says. "This is not limited to forums and also happens in private messaging and instant messaging," he says. "When the demand is so high, taking down a site or two, or 10, will not suppress the demand."
Law Enforcement Progress
Security experts cite recent botnet takedowns as key examples of how law enforcement is going after the underground economy and fraud.
In June 2013, Microsoft, the Federal Bureau of Investigation and the Financial Services Information Sharing and Analysis Center shut down more than 1,400 botnets responsible for spreading the Citadel malware that compromises online credentials and identities (see: Microsoft, FBI Take Down Citadel Botnets).
Then there was the arrest of Aleksandr Andreevich Panin, a primary developer and distributor of the SpyEye malware. SpyEye has infected more than 1.4 million computers in the U.S., and was the dominant malware toolkit used from 2009 to 2011 (see: SpyEye Developer Pleads Guilty).
From 2009 to 2011, Panin allegedly developed, marketed and sold various versions of the SpyEye virus, along with co-defendant Hamza Bendelladj. SpyEye was sold for prices ranging from $1,000 to $8,500.
But working to fight fraud that's facilitated through these underground forums is an ongoing battle. "The government is spending a lot of time trying to track down these websites [and fraud operations]," Adams says.
Extensive information sharing helps spread the word about these forums and the latest fraud trends. "It's sharing of content, information and breach data around how someone was penetrated, and what were the tactics, tools and procedures," says Sherry of Trend Micro.
And while some organizations are hesitant to share information on breaches, such sharing is crucial, Maor says. "Communication is getting better [and] they're talking about it more openly."