We’ve all heard by now that developing viruses and other malware is a big business run by professional criminals rather than casual exploration by coders. But just how does the economy of online crime function? The answer turns out to be: a lot like the mainstream economy.
The topic of how the cybercrime economy works was one of the main themes explored at the Kaspersky Security Summit in Spain, which I attended last week. As with any business, there’s a need to rapidly change your product to meet market demands, a long-term trend for prices to drop, and a wide range of potential ways to make money. Here’s some of the insights I gleaned from the event.
It’s a multi-part economy. From the perspective of someone trying to get rid of malware or avoid dangerous web sites, it’s not always obvious, but most cyber-criminals specialise in particular areas rather than trying to do everything, CEO and founder Eugene Kaspersky said. “There are lots of different businesses in the Internet underground. Still there are businesses that develop malware, but many of them do just part of the job. Some of them just infect machines, but they don’t use infected machines, they trade access.”
“This economy is the mirror of the legal economy. Illegal software businesses are like any other business: the difference is that they don’t pay taxes.” That mirroring goes as far as having specialist resources devoted to developing the business; some malware vendors even offer technical support to buyers.
There are discounts for buying in bulk. Malware is like rice; it gets cheaper if you buy more of it. As an example, Kaspersky quoted a recent price seen online of $US50 for a single month of access to 400 machines for use in a botnet. If you sign up for six months, the total price is just $US220.
It’s an easy way to make money. Kaspersky describes the last five years as the “golden age of cybercrime”, since the rewards are large and the risk of being caught is very low. “Cybercrime is a very low-risk business. There are many arrests every year, but they are just the tip of the iceberg. Cyber-police departments are limited to national borders; they want to cooperate internationally, but there are too many bureaucratic procedures.”
Not all criminals think of themselves as criminals. Rather like people who work for major tobacco companies, there’s an element of denial for many professional malware builders. “Many don’t recognise that they are criminals,” Kaspersky said. “They say ‘It’s not real, it’s just Internet, it’s just some digits, it’s not real money, there are no victims’. And some of them they behave like urban Robin Hoods. ‘I don’t infect computers and I don’t steal money from my own country.’
Some old options eventually die, but new ones appear. While there are still people being infected with five-year old viruses because they’re too ignorant to patch their machines, some forms of malware do eventually disappear because the audience isn’t there. “The trojan malware which was designed to dial premium numbers disappeared because no-one uses modem connections. No business, no money, no crime.” Malware aimed at stealing character data and currency from online games has also experienced a similar decline.
At the same time, new options present themselves. “Now we’re in the year of mobile attacks. In the mobile malware business it’s not as big as computer crime but it’s growing very quickly.”
There are still amateurs out there. While professional criminals now dominate the space, there is still security activity motivated by non-financial concerns. RSA’s Uri Rivner pointed to activist groups such as LulzSec as the obvious example. “Anonymous and LulzSec are almost like idealist people They do it because they believe in some sort of target. They do it to embarrass these companies, and they do it to pressure these companies to behave differently.”
We’ll never be able to stop worrying about security. As Kaspersky put it: “Is it possible to make cybercrime less profitable? No. Are we able to get back to the pre-Internet era? No. “
Just as we don’t stop living in houses because they can be burgled, the secret is to recognise the potential for threats and plan accordingly. “It’s a part of this digital world. When you think about football, you also think about football hooligans. When you plan travel, you think about Icelandic volcanoes. When you plan computer systems, you think about security. “
Lifehacker’s weekly Loaded column lookst better ways to manage (and stop worrying about) your money. Angus Kidman travelled to Malaga as a guest of Kaspersky Lab.