Chapter 4. The Underground Economy of Security Breaches

Chenxi Wang

The latest statistic from NetCraft puts today’s Internet at 185,497,213 sites. Though the absolute number suffered some loss lately due to the late economic downturn, the Internet growth at mid-2008 was measured at over 130,000 sites per day! It is estimated that the worldwide Internet user population will reach 500 million some time soon. The Internet is fast becoming one of the most significant markets in our modern economy.

Not surprisingly, just like its physical counterpart, the Internet is fostering one of the biggest underground economies.

As one might expect, this cyber underground has one main goal: money. The actors in this economy employ a wide array of digital ammunitions—including malware, botnets, and spam—to help them achieve this goal.

Unlike the physical world, where behavior can be held in check in most places by laws and regulations, the laws that govern the digital universe are, for all intents and purposes, ill-defined and poorly enforced. As a result, the cyber underground flourishes. In recent years, cyber attacks have graduated from the ad hoc, script-kiddie attacks to large-scale, organized crimes.

The 2007 CSI/FBI Study offers these statistics:

  • The average annual loss due to computer crime jumped from $168,000 in 2004 to $350,424 in 2006. This figure represents a three-year high since 2004.

  • For the first time in history, financial fraud overtook virus attacks as the largest cyber source for financial losses.

The cyber underground is, without a doubt, a global, thriving economy whose actors can reap handsome benefits from their activities and investments. The increasingly organized nature of the market and its growing sophistication mark a move toward automation and optimization, ultimately yielding higher financial gains for the criminals.

So how does this underground economy work? How do the various actors interact with each other and conduct illicit activities? This chapter presents high-level results of my investigation into these topics.

I’ll end this article with some suggestions for ways we could disrupt the cyber underground or mitigate its destructive effects. But I’m not a law enforcement professional, so finding solutions is not my role. Rather, I hope to initiate an open discussion that will spur a community effort to combat the rise of this underground economy.

The Makeup and Infrastructure of the Cyber Underground

Perverse as it may sound, the cyber underground is a thriving community, with all kinds of collaboration and trading taking place every minute. The members of that community rarely work alone; it is a common practice for different parties to exchange assets (e.g., data and malware) to achieve mutually beneficial goals or shorten the time to launch an attack.

The cyber underground breaks down into an assortment of different actors, which I loosely classify as follows:

Malware producers

Much of the malware for purchase today is of production quality: highly functional, easy to use, and effective. A professional malware writer goes through production cycles similar to those of a legitimate software producer, including testing, release, and frequent updates once out in the field.

Resource dealers

These actors profit by selling computing or human resources. Computing resources often come from a botnet comprised of infected machines that can execute commands given remotely as part of an attack. Human resources represent actual hackers, residing in all corners of the world, waiting to be mobilized. A resource dealer’s existence depends on the ability to tap into the massive botnet pool, and as such they are constantly on the lookout to amass more botnet resources. Their main mission is the creation, maintenance, and expansion of botnets.

Information dealers

An information dealer sells valuable information—such as customer data, bank accounts, and security vulnerabilities—for a profit. Their main goal, therefore, is to gather more information of that nature. An information dealer is sometimes the customer of malware producers, paying for information-stealing malware. In February 2008, the security firm Finjan reported that a database of information containing more than 8,700 FTP user accounts was up for sale. In the wrong hands, this information can result in a massive compromise of trusted domains. A person with valuable credit card information is called a “carder.”

Criminals, fraudsters, and attack launchers

These are the final consumers of the underground economy. They pay for resources, malware, and information to launch attacks such as financial frauds, distributed denial-of-service (DDoS), and other crimes.


This player in the cyber underground holds legitimate bank accounts but acts on behalf of fraudsters to route and accept money through those accounts. The cashier is the party that cashes out an account and sends the money (often via Western Union) to the fraudster. A cashier typically receives handsome financial rewards.

As the descriptions show, these categories of cyber criminal often play interlocking roles, each being a client or supplier for other categories. In addition, a single party often plays multiple roles: a malware producer may sell valuable information that he reaped from unleashing the malware, and a resource dealer may produce malware to perpetuate the reach of a botnet. When necessary, the different actors may trade their respective assets for mutual gains.

An interesting development in this underground economy is the adoption of traditional business tactics. Many form long-term business relationships with their vendors and consumers. A malware producer, for instance, will thoroughly test her code before release and will often issue updates and patches to keep her customers happy. The cyber underground is, for all intents and purposes, a serious industry. As we’ll see later, cyber criminals even carry out their own variant of demographically targeted advertising!

The Underground Communication Infrastructure

Internet Relay Chat (IRC) networks are a classic and well-understood method for communication in the cyber underground. A proliferation of cheap hosting services worldwide is making it extremely easy to set up professionally managed IRC networks. If one network starts to be monitored by law enforcement, criminals can move to different networks with relative ease. When one notorious network called Shadowcrew was taken down by the Secret Service, it had approximately 4,000 members and was conducting a booming business of trading stolen personal data.

IRC members often take measures to conceal their identities. On sites like Shadowcrew and BoA Factory, members often use anonymizing proxies or virtual private networks (VPNs) to avoid being traced.

The underground market and its members are also avid users of social networking. Public forums represent a well-exercised way to vet potential business partners. Many members trade on reputation; a fraudulent transaction may result in some level of complaints against the person in the open trading channel, and the negative reputation will severely impede this person’s further trading activities.

The Attack Infrastructure

The different actors in the cyber underground use a variety of tools and mechanisms to obtain information, garner resources, and launch attacks. In addition to one-off exploits and attacks targeting a particular vulnerability or a particular system, which we explore in depth in later sections, many attacks often involve the use of a botnet.

Attackers create a botnet by luring unsuspecting users to download malicious code, which turns the user’s computer into one of the “bots” under the command of the bot server. After installation, the infected bot machine contacts the bot server to download additional components or obtain the latest commands, such as denial-of-service attacks or spam to send out.

With this dynamic control and command infrastructure, the botnet owner can mobilize a massive amount of computing resources from one corner of the Internet to another within a matter of minutes. It should be noted that the control server itself might not be static. Botnets have evolved from a static control infrastructure to a peer-to-peer structure for the purposes of fault tolerance and evading detection. When one server is detected and blocked, other servers can step in and take over. It is also common for the control server to run on a compromised machine or by proxy, so that the botnet’s owner is unlikely to be identified.

Botnets commonly communicate through the same method as their creators’ public IRC servers. Recently, however, we have seen botnets branch out to P2P, HTTPS, SMTP, and other protocols. Using this real-time communication infrastructure, the bot server pushes out instructions, exploits, or code modifications to the bots. The botnet, therefore, can be instructed to launch spam, DDoS, data-theft, phishing, and click fraud attacks. As such, botnets have become one of the most versatile attack vehicles of computer crime.

Get Beautiful Security now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.