{0x4D 2E 20 59 2E} Blog

The Underground Economy Ecosystem

Over the last decade, the nature of cybercrime has gradually transformed from destructive to profit-seeking. A complex underground economy has emerged in which there is a clear division of labour, as shown in the figure below.

[Figure: Underground Economy Ecosystem]

The different roles that exist in the underground economy are briefly described below:

Traditional organised criminal groups: these are groups engaged in real-world crimes such as drug trafficking that may also engage in cybercrime. They are driven by profit and actively seek money-making opportunities to expand their wealth. This motivation lures them into the online underground economy, as cybercrime has become increasingly lucrative through identity theft and fraud.

==Financial crime/identity theft==

Identity-related crime is not a new phenomenon, nor is it an Internet-specific crime. However, there is little doubt that the Internet and other communication technologies have greatly facilitated this type of crime by rapidly increasing the amount of personal information available. One example of such activity is carding, which refers to “the unauthorized use of credit and debit card account information to fraudulently purchase goods and services” (Peretti 2008).

Bank data stealers: they are the individuals who steal bank data from unsuspecting computer users as well as conventional card payment users.

Carders: they are the individuals who are engaged in criminal carding activities using the data listed above.

Plastic vendors and encoders: these are the individuals who sell blank credit cards. They often offer packaged services which include encoding and printing fraudulent credit cards. This is the preferred route for new carders because it is cheaper than purchasing hardware such as an encoder and blank cards and acquiring the skills to use them.

Cashiers: these are the individuals who withdraw cash in person from the fraudulently obtained bank accounts, usually at ATMs in quiet areas. They are also known as “runners”.

Scammers: these are the individuals who fabricate fraudulent stories and trick victims into handing over money. The Nigerian “419 advance fee” scam is one of the best-known scams of recent years.

==Attack services==

The products and services offered in this category are all aimed at attacking the integrity of computers. As previously described, the list of crimes belonging to this category includes hacking and cracking, vandalising, spying, denial of service, digital piracy and the infection of malware. The major actors in this category are:

Zero-day exploit finders: “zero-day” refers to the number of days since a software vulnerability was discovered, so a zero-day exploit targets a fresh vulnerability that is not yet known to anyone else. Zero-day exploit finders are the individuals whose job is to find previously unknown vulnerabilities in targeted applications and sell exploits for them to malware authors. These exploits are among the most expensive items sold in the underground economy, since they enable infections which in turn bring about a revenue stream.

Malware authors: malware, short for malicious software, is software designed to exploit vulnerabilities in other software. There are several types of malware, including web-based Trojans, conventional Trojans, viruses and worms (Zhuge et al 2009). Competition between malware authors also exists, and some malware is known to attack other malware already installed on a victim’s machine.

Botnet herders: a botnet is a network of compromised machines (bots), and a bot is malware that acts upon commands received from a command-and-control server. Botnet herders are the individuals who operate such networks.

==Delivery services==

The services offered in this category are those which aim to disseminate malware as quickly as possible. The major actors in the category are:

Phishers: these are the people who specialise in creating legitimate-looking messages with the aim of luring an unsuspecting victim into clicking on a link to an infected website or downloading an infected attachment. Social engineering techniques are most often used to increase the apparent legitimacy of the messages. Recently there has been an increasing threat of spear phishing, whereby the phisher targets specific individuals in an organisation.

Spammers: spammers specialise in mass mailing in order to attract visits to phishing sites. Spammers can also be botnet herders, using their botnet to send out huge volumes of email.

Rogue web admins: these are usually administrators who run legitimate websites but are willing to infect their website with malware in return for a financial reward, thus breaching their visitors’ trust.

Intruders & crackers: these are the hackers who force entry into machines and carry out other cybercrimes such as spying, vandalising and espionage.

==Blended services==

The services in this category are support services which may or may not be illegal. The actors in this category are:

Rogue hosting: these are hosting services aimed at providing a safe haven for malicious activities. The Russian Business Network (RBN) is one such service (Bizeul 2007).

Spoof website designers: these are web designers who are willing to build websites which mirror legitimate ones.

==Security services==

This category of services aims to provide security for the cybercriminals themselves, such as Virtual Private Network (VPN) services, proxies and SOCKS (encrypted proxies), all of which allow cybercriminals to hide their true identity and protect the confidentiality of their communications. This type of service is needed by every cybercriminal who wishes to remain secure.

==Virtual assets trading==

The services in this category are involved in the theft of virtual assets such as avatars, clothes, weapons, accessories and, most importantly, virtual currency. These assets most often come from popular Massively Multiplayer Online Role Playing Games (MMORPGs) such as World of Warcraft (WoW), Second Life and Lineage 2.

Many people invest a lot of time in gaming. According to Muttil (2008), more than 25 percent of gamers spend more than 30 hours a week gaming. Because players put so much time and effort into their games, most games offer virtual commodities such as weapons and tokens that give players an advantage. Since collecting these commodities takes many hours, some prosperous gamers are willing to take shortcuts and pay real money for advanced virtual objects to avoid the boring routine work, commonly known as “grinding”.

To steal virtual assets, the first step is to steal gamer accounts and login credentials, most often carried out by the so-called “envelope stealers” (Zhuge et al 2009). Once they have stolen the accounts, they sell the login credentials to virtual asset traders, who use the information to access the accounts (open the envelope) and steal all the virtual assets registered to them. The traders then sell the assets to the prosperous gamers.

In China, virtual asset trading is an increasingly lucrative business because the online gaming market is booming. Zhuge et al. carried out a study of virtual asset trading on the Taobao online business platform, a Chinese trading platform similar to eBay. They found that 1.2 million virtual goods were on sale and that 8.9 million exchanges had taken place within a six-month period (Zhuge 2009). They estimated the market value of virtual asset exchange on the Taobao platform alone at about 223 million RMB (US$33 million).

==Money laundering==

Money laundering is required for nearly all profit-seeking criminal activity because, ultimately, most crimes involve some form of financial exchange and the criminals must hide the true source of the illicit funds. Traditional methods include electronic funds transfers, fictitious companies with foreign bank accounts, cash smuggling, bank fraud and informal money exchange brokers. Two methods have become prevalent in cybercrime: money mules and e-currency exchangers.

Money mules: these are people who receive the proceeds of fraud from compromised bank accounts and forward the funds to accounts controlled by the fraudsters, who then pay someone to cash out. There are two types of money mule: innocent mules, who have no idea that the funds they are forwarding are proceeds of fraud; and professional mules, who knowingly and purposefully provide a money laundering service for fraudsters. Money mules are recruited through a variety of methods:

  • Unsolicited emails e.g. spams
  • Classified adverts on legitimate recruitment websites
  • Job vacancies published on fraudulent websites purporting to be a legitimate business

Attractive job titles such as “Financial Manager” and “Country Representative” are offered to lure victims, and “no previous experience required” is often stated in the job adverts.

Exchangers and Virtual Payment Systems (VPS):

There are three types of VPS:

  • National currency backed e-currencies: e.g. WebMoney (WMZ – WebMoney dollars)
  • Precious metal such as gold backed e-currencies: e.g. e-Gold, Liberty Reserve and WebMoney Gold (WMG)
  • Blended payment systems: e.g. Paypal and Western Union

The main advantage of electronic currencies (e-currencies) is that they provide the anonymity sought by cybercriminals, with no risk of a chargeback. However, identity verification may be required to transfer large sums. For example, in order to exchange a large sum of WMZ, one would be required to complete an identity verification to obtain a WM Passport. This is troublesome for cybercriminals, and this is where the exchangers come into the chain. Some exchangers who hold verified accounts and large balances offer exchange services to cybercriminals, and some are willing to turn a blind eye to the source of the funds and preserve the cybercriminals’ anonymity.

Useful Reads:

Bizeul, D. (2007). Russian Business Network Study. Available from: http://www.bizeul.org/files/RBN_study.pdf

Franklin, J., Paxson, V., Perrig, A., & Savage, S. (2007). An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. Proceedings of the 14th ACM Conference on Computer and Communications Security (pp. 375-388). New York, NY, USA: ACM. doi:10.1145/1315245.1315292

Muttil, I. (2008). Securing Virtual Worlds Against Real Attacks. McAfee. Available from: http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_online_gaming.pdf

Paget, F. (2009). Financial Fraud and Internet Banking: Threats and Countermeasures. McAfee. Available from: http://www.mcafee.com/us/local_content/reports/6168rpt_fraud_0409.pdf

Paget, F. (2010). Cybercrime and Hacktivism. McAfee Labs. Available from: http://entercept.biz/us/local_content/white_papers/cybercrime_20100315_en.pdf

Peretti, K. (2008). Data Breaches: What the Underground World of “Carding” Reveals. U.S. Department of Justice. Available from: http://www.chtlj.org/sites/default/files/media/articles/v025/v025.i2.Peretti.pdf

Thomas, R., & Martin, J. (2006). The Underground Economy: Priceless. The USENIX Magazine, 31(6), 7-16. Available from: http://www.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf

Yip, M. (2011). An Investigation into Chinese Cybercrime and the Applicability of Social Network Analysis. ACM Web Science Conference 2011, 14-17 June 2011, Koblenz, Germany. Available from: http://eprints.ecs.soton.ac.uk/22351/

Zhuge, J., Holz, T., Song, C., Guo, J., Han, X., & Zou, W. (2009). Studying Malicious Websites and the Underground Economy on the Chinese Web. Managing Information Risk and the Economics of Security (pp. 225-244). Springer US. Available from: http://dx.doi.org/10.1007/978-0-387-09762-6_11


Categorised as: Cybercrime, Web Science


2 Comments

  1. Prakash Santhana says:

    I am a practitioner in the anti-fraud space focusing on banking and payments. I really like the diagram shown above regarding the underground ecosystem. I would like to use it in my presentations with your permission. Please let me know.

    I appreciate your help.

    Regards,

    Prakash Santhana

  2. Michael Yip says:

    Hi Prakash, I have no problem with you using it as long as you cite me :)
