Inside the Hacker’s Bazaar
Better threat awareness has led organisations in the region to better protect themselves from cyberthreats, but the black markets that drive the cybercriminals are not as well understood. A report from Juniper Networks and the RAND Corporation takes a closer look at the economics of the underground.
Recent years have seen a major uplift in awareness among organisations in the Middle East of the risks of cyberthreats, and as individual entities, many have taken steps to safeguard themselves against hacking, DDoS and other dangers. At the same time, there is an increasing amount of co-ordination between law enforcement, government and business to crack down on these threats, albeit with limited success so far.
However, as the tools, tactics and responses to cyberthreats continue, so too does the black market economy that is driving online criminal activity. A report from the RAND Corporation, sponsored by Juniper Networks, now aims to shed more light on the shadow operations of this sector. The report, entitled “Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar,” highlights the increasing sophistication in the markets for hacking tools, services and byproducts such as stolen credit card numbers.
The numbers involved in the economies and scale of the cyberunderground can be truly staggering. A 2011 estimate by Russian security company Group-IB put the value of the global cybercrime market at $12.5bn in that year. In 2008, a single fake anti-virus operation reportedly made a profit of $5 million.
“Hacking used to be an activity that was mainly carried out by individuals working alone, but over the last 15 years the world of hacking has become more organised and reliable,” said Lillian Ablon, lead author of the study and an information systems analyst at RAND, a non-profit research organisation. “In certain respects, cybercrime can be more lucrative and easier to carry out than the illegal drug trade.”
The growth in cybercrime has been assisted by sophisticated and specialised markets that freely deal in the tools and the spoils of cybercrime. These include items such as exploit kits (software tools that can help create, distribute, and manage attacks on systems), botnets (a group of compromised computers remotely controlled by a central authority that can be used to send spam or flood websites), as-a-service models (hacking for hire) and the fruits of cybercrime, including stolen credit card numbers and compromised hosts. Such services are available for hire, often with a given rate card for services with charges per number of stolen records or hourly rates for DDoS attacks.
A 2013 report by Fortinet also identified the increasingly complex nature of cybercrime organisations. Many cybercriminal organisations are now organised on hierarchical lines, with the people at the top separated from those most likely to get arrested — the ‘mules’ who are involved in money laundering activities — by several layers of ‘management’.
“I would say that the organisations before used to be a handful in terms of organised cybercrime — think of the RBN [Russian Business Network],” said Derek Manky, senior threat researcher at Fortinet’s FortiGuard Labs. “Everything from development to network infrastructure and management were essentially in-house to these operations. Nowadays, there’s more organisations, thanks to crimeware, crime services, existing source code, etc.
“The organisation’s ‘executives’ make decisions, oversee operations, and ensure that everything runs smoothly. Just as with legitimate businesses, these executives set up the original business model and infrastructure. Once they get the operation off the ground, they then move to a business development role and hand off the ‘dirty work’ to the infantry and are not involved with launching attacks.”
The RAND study said that, according to some estimates, these underground marketplaces can reportedly reach 70,000–80,000 participants. They have also moved from being predominantly made up of individuals (80%) in the mid-2000s, to being made up mainly of small organisations (70%), organised crime (20%), cyberterrorists (5%) and state-sponsored players (4%).
With the increasingly professional profile, the marketplaces are also becoming more sophisticated and more difficult to penetrate. The RAND study says there will be more activity in ‘darknets’, more checking and vetting of participants, more use of crypto-currencies such as Bitcoin, greater anonymity capabilities in malware, and more attention to encrypting and protecting communications and transactions. Helped by such markets, the ability to attack will likely outpace the ability to defend.
The threats, and the economic opportunities for these markets, will also only get worse: Hyper-connectivity will create more points of presence for attack and exploitation so that crime increasingly will have a networked or cyber component, creating a wider range of opportunities for black markets. Exploitations of social networks and mobile devices will continue to grow. There will be more hacking-for-hire, as-a-service offerings and cybercrime brokers. Better understanding of these markets will be key to better protection from the threats that they spur.
Adrian Pickering, vice president, Middle East & Africa, Juniper Networks, commented: “We are now living in a new era of cybercrime. New threats, new tactics, new incentives are now encouraging these gangs, operating in the black market underworld, to take greater risks. Juniper’s collaboration with RAND has unearthed a fascinating insight into the dark arts of these cyber criminals. The research has allowed us to learn the secrets of these sophisticated criminal networks, which the report has dubbed the ‘Hacker Bazaar’. We must disrupt the economics of hacking so we can break the value chains that drive successful attacks.”