Mapping the underground cybercrime economy in order to disrupt it

You’ve surely heard – everybody has – about the existence of an underground economy that allowed the proliferation of Internet crime. Many years ago cyber crooks could mostly rely on their own knowledge, skills and ad hoc payment solutions, but today these schemes may involve a dozen different, globally distributed parties, each specializing in and responsible for some particular piece of the operation.

This change has made researchers slowly realize that when it comes to fighting this abuse, concentrating only on protecting users and systems is a flawed strategy.

“The spectrum of solutions—automated software updates, personal anti-virus, network packet scanners, firewalls, spam filters, password managers, and two-factor authentication to name a few—all attempt to reduce the attack surface that criminals can penetrate,” noted Kurt Thomas and Elie Bursztein, members of the Google Anti-Fraud and Abuse Research team.

“While these safeguards have significantly improved user security, they create an arms race: criminals adapt or find the subset of systems that remain vulnerable and resume operation.”

They, along with colleagues from several universities and organizations, believe that disrupting the relationships between the various actors in the underground economy that’s propping up Internet crime, damaging the infrastructure that makes it possible, and hampering the functioning of the profit centers that transfer money from victims and institutions to the crooks is the right way to tackle this problem.

But, they argue, in order to discover which approaches would be most successful, defenders first have to map those dependencies. And so they did.

“To satisfy this gap, we developed a comprehensive taxonomy that captures the myriad components of the underground economy,” they explained in a report presented at the Workshop on the Economics of Information Security 2015.

“We systematized the findings of the last decade of black market into a framework of profit centers that draw revenue into the underground and support centers that streamline abuse. As a part of our analysis, we emphasized the fragile dependencies introduced by underground commoditization that are ripe targets for disruption. We believe that researchers and industry can leverage our framework to evaluate novel approaches in undermining existing cybercrime operations and to predict future trajectories of Internet crime,” they concluded.

This group was not the first one that thought about disrupting the functioning of malicious services by striking at their infrastructure and systems for profit extractions.

Recently, a team of researchers has shared their own successful approach for sabotaging DDoS-for-hire services. Others have shown how the creation of fake social media accounts in order to spam users can be made more difficult and, therefore, the effort potentially prohibitively expensive.