Monday, March 19, 2007

The Underground Economy's Supply of Goods

Symantec (SYMC) just released their latest Internet Security Threat Report, a 104 pages of rich on graphs observations, according to the data streaming from their sensor network :

"Volume XI includes a new category: “Underground Economy Servers”. These are used by criminals and criminal organizations to sell stolen information, including government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts, and email address lists. To reduce facilitating identity theft, organizations should take steps to protect data stored on or transmitted over their computers. It is critical to develop and implement encryption to ensure that any sensitive data is protected from unauthorized access."

In between their coverage on various segments such as vulnerabilities, phishing, spam, and yes malware despite that I'm having my doubts on SMTP as the major propagation vector on a worldwide scale, I came across to a nice figure summarizing their encouterings while browsing around various forums and web sites.

The question is - why are these underground goods cheaper than a Kids' menu at McDonalds as I've once pointed out at O'Reilly's Radar post on spamonomics? Because in 2007 we can easily speak of "malicious economies of scale" thus, profit margin gains despite the ongoing zero day vulnerabilities cash bubble at certain forums, doesn't seem to be that very important. So can we therefore conclude that greed isn't the ultimate driving force, but trying to get rid of the stolen information in the fastest way possible in between taking into consideration its dissapearing exclusiveness with each and every minute? The principle goes that a dollar earned today is worth more than a dollar earned tomorrow, but how come? Simple, by tomorrow the exclusiveness of your goods might by just gone, because the affected parties detected the leaks and took actions to prevent the damage.

Issues to keep in mind regarding the graph:
Harvested spam databases have been circulating around for years and so turned into a commodity, for instance, I often come across geographically segmented databases or per email provider segmented ones, not for sale, but for free. So how come the "good" is offered for free? It's obviously fine for the "good" to be offered for free when there's a charge for service, the service of verifying the validity of the emails, the service of encoding the message in a way to bypass anti spam filters, and the service of actually sending the messages

Where's the deal of a malicious party when selling an online banking account with a $9,900 balance for just $300? For me, it's a simple process of risk-forwarding to a party that is actually capable of getting hold of the cash

Yahoo and Hotmail email cookies per piece? Next it will be an infected party's clickstream for sale, and you'll have the malicious parties competing with major ISPs who are obviously selling yours for the time being.

Compromised computers per piece? Not exactly. Entire botnets or the utilization of the possible services offered on demand for a price that's slightly a bit higher than the one pointed out here.

Psychological imagation is just as important as playing a devil's advocate to come up with scenario building tactics in order to protect your customers and yourself from tomorrow's threats.

Related images:
surveying potential buyers of zero day vulnerabilities in order to apply marginal thinking in their proposition
- advertisement for selling zero day vulnerabilities
- listing of available exploits
- zero day vulnerabilities shop, I'm certain it's a PHP module that's currently hosted somewhere else
- the WebAttacker toolkit
- The RootLauncher
- The Nuclear Grabber and geolocated infections-- site dissapeared already