Economics of Cybercrime – Crime is Paying Well

By John Kipp, Sera-Brynn COO

As a cybersecurity firm, our focus, and thus bulk of our time, is spent helping clients prevent cyberattacks, recover from cyberattacks and meet compliance requirements such as PCI, HIPAA, SSAE-16 SOC II, FISMA, and so on.

But what about the perpetrators? Who are these attackers and what do they gain from it? Why does it seem like the attacks are worse and happening more often?

As with most things, the bottom line is money.

Cybercrime is extraordinarily profitable and it’s becoming easier to do every day. Accordingly, the market for it is growing and maturing at an alarming rate. This is verified by the ease with which sophisticated attacks can be perpetrated in conjunction with the increasing global losses to cybercrime. In 2014, a study by the Center for Strategic International Studies estimated global losses at $445b. While it is difficult, if not impossible, to quantify losses precisely, the message is the same: it’s profitable, it’s growing and it can’t be ignored.

The Business

Would you believe many criminal organizations are actually run like a real business? Except for the fact that they’re committing crimes, of course. But besides that, operationally, these organizations are very similar to what you’d find in other fee for service type industries. They have budgets, sources for revenue, they conduct market research, and ROI analysis. They are innovative, resourceful and entrepreneurial. They have products, market places and a worldwide customer base. This is why phrases like Cybercrime-as-a-Service, Malware-as-a-Service and crimeware are becoming more common.

A couple of recent examples are exploit kits and ransomware. The number of exploit kits for sale continues to rise. They go by names such as Neutrino, Angler, Nuclear, Elderwood, Hello and Blackhole. Many of these kits are even designed with ease of use in mind. They have web-based interfaces that were developed with UX (User Exerpience) best practices baked in. In April of 2014, 67 million exploit kit-related events had been detected at that point of the year.

The recent Flash compromises were created by end users who purchased these types of exploit kits for this purpose.

Ransomware such as Cryptowall, Cryptolocker, CTB, and more recently, Locker and TeslaCrypt, is becoming quite prevalent. There are tool kits for sale on the “dark web” that can be purchased and used to create the ransomware. The end user does not need to be a highly skilled programmer – they just need the tool kit. Selling tool kits vice actual malware enables the developers to monetize their product in a way that will reduce the likelihood of being caught. The bulk of the risk lies with those who use the kits to make and distribute the malware. As long as ransoms continue to be paid, ransomware isn’t going to go away any time soon. Since CryptoLocker generated approximately $3m during a 9 month period between 2013 and 2014, it’s pretty clear this particular problem is one we’re going to have to deal with for years to come.

The Dark Web…or is it Deep Web?

These two terms have been thrown around quite a bit in recent years. They are not the same thing, but they are somewhat related. So what are they?

Dark Web: Websites on the Dark Web are publically visible, but the IP addresses of the servers they reside on are hidden. They are able to hide using Tor or I2P encryption tools. They will not show up in search engine results and it’s extremely difficult to find out who is behind them. In order to visit them, the user must be using the same encryption tool as the web server. While the Dark Web is often associated with sites such as Silk Road, Silk Road Reloaded and markets for selling hacked credit card and health record data, it is also used by individuals in repressed societies/countries where communication with the outside world is heavily monitored or blocked.

Deep Web: Deep web is simply any website/web page that is prevented from showing up in search engine results. Thus, one may consider the Dark Web as a subset of the Deep Web. However, the bulk of what’s in the Deep Web is not so interesting. It’s usually staging versions of live websites (staging is sort of a testing phase prior to “going live”) and things of that nature. Also, password protected pages within a website are typically hidden from search engines. Think of your online bank account.

Illicit Markets: Forums such as rescator(dot)cm on the Dark Web for purchasing credit card and health record data have been mentioned quite a bit in the news due to data breaches at Target, Home Depot, Anthem and the US Government’s Office of Personnel Management (OPM). However, as recently noted by Brian Krebs on his blog, there are other forums such as (now defunct) Enigma that are popping up. Through these forums, criminals looking to get a hold of a wide variety of types of data and/or access to systems of various organizations can be matched with hackers. Effectively, if someone has a hacking job they’d like performed, they can get bids on it. It is suspected that it was on one of these forums that the recent AshleyMadison breach was actually solicited from.


This is the lifeblood for keeping transactions anonymous. The most common type of cryptocurrency is Bit Coin. In and of itself, there’s nothing “bad” or nefarious about cryptocurrency. It’s simply meant to prevent any individual country/person from controlling the currency. However, with the anonymity it affords through encryption, it happens to be perfect for cybercrime transactions. This is why perpetrators behind ransomware can be paid while avoiding identification and capture. Not that they don’t make mistakes and occasionally get caught, some do, but with cryptocurrency in use, the job is made that much more difficult for law enforcement.

Real Currency – Wire Transfers

Wire transfer fraud has been around for many years. Much longer than the high-tech cyber crimes we see today. The end goal is the same, but the methods have drastically changed. In the last 20 years, the number of wire transfers has nearly doubled and now exceeds more than 130 million per year. Wire fraud used to rely on social engineering and human error. However, now a criminal has a variety of ways to compromise accounts and steal funds. With all the personal and business information that’s been lost just in the last six months through data breaches across every industry, users have to be on the alert for well-crafted, hard-to-detect attempts to infect a computer with malware, phishing scams, and email compromise.

Wire fraud schemes range from account takeovers, targeting employees with requests to pay vendor invoices, emails with modified templates that change the beneficiary, and attempts to defeat dual controls or out-of-band confirmation.

Business owners and individuals should be on the alert for wire fraud and as a best practice, manually review or obtain verbal confirmation before wiring money. In most cases, banks are not liable for a fraudulent transfer and recovering the money will be difficult or impossible.