It used to be that computer attacks were perpetrated mostly for fame and recognition. In the last five years the motivation behind the majority of attacks seems to have shifted inexorably from fame to fortune. Parallel to this shift we are now witnessing the emergence of a new attack economy, an efficient multilayer marketplace for information security attacks.

I’ve heard many reports of the rise of organized cybercrime. This is a disturbing trend because it introduces better financing and more teamwork on the attacker side. But an even more disturbing trend is the emergence of a layer of increasingly sophisticated markets for trading information related or derived from cyberattacks.

In a way, cybercrime is following in the footsteps of any maturing industry. New industries start up as highly vertically integrated — a single person or company creates an entire “value chain” from primary resources to the finished product. In the attack marketplaces, the primary resources are vulnerabilities and potential victims and the finished product is money or exploitable information (identities, compromised hosts). As with any new industry, the cybercrime industry started as a vertically integrated industry. Most often, the same person or organization discovers a vulnerability, creates exploit code and launches an attack against a specific target or against the Internet in general.

As industries mature, however, they gradually become less vertically integrated. Parts of the value chain break away and become specialized industries of their own. For example, tires used to be made by carmakers and then became a global industry. Each step in the supply chain becomes more and more specialized and focused, while markets and intermediaries emerge to trade amongst the newly created industries. So, car manufacturers buy steel and tires in open and competitive markets instead of making their own.

Cybercrime is undergoing this transformation and therefore appears to be coming of age. Several markets have emerged on various Web sites, Internet Relay Chat channels and chat rooms where attack information, code and identities are traded. Attackers are specializing and focusing on different steps of the attack value-chain: discovering vulnerabilities; writing exploit code; collecting and managing zombie armies; trading and exploiting identities. Each step in the value chain is bracketed by markets for the primary inputs and outpouts. For example, an exploit writer can buy several vulnerabilities, write exploit code for each and then bundle them into a packaged attack toolkit. In addition, shared code, libraries, toolkits and frameworks allow for rapid attack-application development.