At Usenix, a cybersecurity researcher explains how the key to stopping computer criminals is in the economics of cybercrime.
Five dollars for control over 1,000 compromised email accounts. Eight dollars for a distributed denial-of-service attack that takes down a website for an hour. And just a buck to solve 1,000 captchas.
Those are the going rates of cybercrime, the amounts criminals pay other criminals for the technical services necessary to launch attacks. It's the kind of IT outsourcing no legitimate company would ever conduct, but it's a profitable business if done effectively.
This criminal underground was detailed Wednesday in a highly entertaining talk given by researcher Stefan Savage at the annual Usenix technical conference in Portland, Ore. Outrageous examples of outsourced cybercrime drew laughter from the audience, but Savage also presented an empirical approach to researching computer crime and devising the most effective - meaning the most financially feasible - methods of stopping it.
Savage is a UC-San Diego professor and director of the Collaborative Center for Internet Epidemiology and Defenses (CCIED). Founded to study the technical components of cybercrime, CCIED started getting federal funding in 2004 and as a result had to incorporate economic models into its research to satisfy the government.
Savage admitted that his look at economics was "total lip service" at first, but later he and his team realized the financial basis for criminal hacking may be the key to solving the whole problem. They expanded their study of the money, even interacting with criminal organizations in devious ways, for example by adding their own code to hackers' code in order to monitor them, and by ordering tons of stuff from phishing scams to trace the path of the money.
"One key flaw was looking at this as purely a technical problem," Savage said. We can stop some attacks by reacting to each new threat with a new technology to stop it, and installing antivirus software on billions of PCs around the world at a high per-unit cost, but it is an unsustainable model.
"Your role as a defender is: When a new attack comes out, you need to come out with a new defense," he said. "Attackers, on the other hand, can attack proactively whenever they feel like it."
It's nearly impossible to measure the effectiveness of defense, and it is expensive to create new defenses, while the cost of committing cybercrime is cheap because of a vast black market.
If you don't have the expertise to steal email or credit card credentials, you just buy the compromised accounts from a website - in the customary lots of 1,000 that cybercriminals like to use.
"We buy and sell compromised hosts in lots of 1,000 where prices change based on supply and demand," he said.
Simply viewing the websites of businesses that sell access to compromised computers provides insight into their cost. One Russian site Savage showed listed the price of installing malicious software on computers.
"Ten cents is how much your machine is worth, and if you're in China your machine would be worth one cent," he said.
In one example of how someone can profit off cybercrime with very little technical know-how, there is a business that pays people to abuse access to their employers' resources. For example, you might be instructed to insert a tiny piece of HTML code into your company's website in order to gain a commission for each person who is compromised by visiting the site. It's not your expertise that's important - it's your password to the Web server.
"You don't need to know anything," Savage said. "This is outsourcing taken to its logical conclusion."
Savage detailed a few of his team's projects that involved getting a bit more personal with the cybercrime underground. CCIED infiltrated the Storm botnet, which was going wild in 2007, with honeypots that "poisoned" 1% of the URLs being distributed inside the botnet.
"This potentially allows you to observe what is going on and influence their actions," Savage said. "We were able to measure delivery probability, click-through rate and conversion rate."
Through this type of work, they found that pharma scams need to send 12 million emails to gain one purchase, but can still earn millions of dollars a year.
The real question is, how do you stop all of this? One example related to CAPTCHA technology - the annoying thing that makes you type in a random string of letters and numbers - shows how economic research can make us safer on the Web.
It turns out that using character recognition software programs is less economically feasible than just paying humans to type in the letters and numbers, because companies that host websites periodically change their CAPTCHA system to fool the software. But humans don't even have to know English to solve CAPTCHAs. They just have to be able to recognize the characters.
You can pay for CAPTCHA entry the same way you pay for credit card and email credentials. But on the other end is a worker earning just $1 or even less for an eight-hour shift in which they enter 1,000 CAPTCHAs.
Savage's team bought up lots of CAPTCHA recognition services to see how big the available capacity is. One provider had 400 or 500 people at work at any given time, with the whole industry solving millions of CAPTCHAs a day with cheap human labor.
This may make adding CAPTCHA technology to websites seem like a futile exercise. But it's just the opposite. Forcing criminal enterprises to pay for this service brings most of them to a tipping point where the whole enterprise is no longer economically feasible.
"If you don't have CAPTCHA, people with bad business plans can afford to exploit your resources," Savage said. "CAPTCHAs keep it to a small percentage of people who have good business models and can afford the cost."
Limiting the pool of criminals in this way lets the computer defense industry put more resources into stopping a smaller number of attacks.
But as anyone who has gotten a virus knows, it's not perfect.
It's easy to spam and phish because of the existence of large botnets full of infected computers.
This has effectively created a platform economy in which the botnets are the platform, Savage said. While he didn't make this specific comparison, it sounds very much like how popular operating systems, browsers and devices are the platforms for large-scale software development. The goals are much different, though.
Unfortunately for the criminals, they can't even trust each other. Hackers who sell software that infects PCs are like normal companies in the sense that "they do not want you to pirate their software," Savage said.
"These guys have a problem with this since they are selling to criminals," he said.
One such software author took the extraordinary step of distributing versions of the software compromised with malware, so people who downloaded pirated copies would get infected themselves.
"This has been effective and kept his price high," Savage said. "He sells it for $500."
And if you've ever wondered what would happen if you actually respond to one of those Viagra ads, it turns out you will almost always get some pills - real or not - in return for your credit card payment, as long as the company has a way of getting their wares past Customs. And if you're not satisfied with the product, getting a refund is easy. These companies need to fly under the radar, and want as little attention from credit card companies as possible.
"They have far better customer service than any business you've ever dealt with," Savage said.