As Economy Dives, Underground Thrives

By Matthew Hines  |  Posted 2008-11-25 Print this article Print

While legitimate financial markets may be struggling to maintain any sense of momentum, underground cybercrime networks are thriving and becoming more self-dependent, a new report from security giant Symantec maintains.

Based on its assessment of Web servers used by cybercriminals to advertise and sell-off stolen data, the underground is not slowing down in parallel to the world economy, or even being choked by the sheer glut of data commandeered by attackers, as some experts have said it might in the past, the company reports.

Rather, the e-black markets, which traffic goods including stolen social security numbers, bank and credit card accounts, and hijacked e-mail addresses and passwords, are only becoming more robust. Many of the largest domains also feature soup-to-nuts services that help criminals either garner such data or somehow monetize it once they've got their hands on it, Symantec reports.

"There are a wide variety of goods and services being advertised on underground economy servers, and many of these goods and services form a self-sustaining marketplace," Symantec researcher M.K. Low said in a report summary posted on the company's Security Response blog.

Further, Low said there is growing evidence that participants in the underground markets are actually reinvesting their ill-begotten profits into their own infrastructure and business efforts.

In addition to uncovering evidence that such constituencies are hiring developers to write new exploits to serve up on their targets the researcher contends that the bad guys are also sharing more of their intelligence and stolen assets than ever before.

The entire market effect is helping more attackers get into the business and/or expand their schemes faster than ever, the researcher said.

"Profits from one exploit can be reinvested and used to hire developers for other scams, used to purchase new malicious code or new phishing toolkits, and so on. Participants in the underground economy can use e-mail addresses obtained from hacked databases or hacked e-mail accounts in tandem with mass-mailers for sending out substantial amounts of spam or phishing e-mails. A bot herder can program a botnet to automatically distribute spam to thousands of addresses," writes Low.

Attackers are also sharing larger numbers of stolen account passwords to help accelerate each others' work, according to the expert.

"From there, it is often simple for someone to go online and use the password recovery option offered on most registration sites to have a new password sent via e-mail and gain complete access to these accounts. This danger is compounded by the habit many people have of using the same password for multiple accounts," he said.

Symantec contends that the Web-server-based underground markets are still not as widespread as those run over IRC, but indicated that the groups working together online are becoming increasingly organized.

"While apparently not as profuse as underground economy IRC channels, these forums have been responsible for a sizable amount of the trade in fraudulent goods and services online," the company said in its report. "There has been much speculation and debate as to the level of organization and professionalism of these groups, mainly because of the nature of the forums, which exist primarily to provide a means for participants to collaborate with each other, offer their skills, and buy and sell fraudulent and stolen goods and services."

"Thus, these forums could be more aptly defined as a loose collection of individuals with a common purpose rather than as highly organized and cohesive groups. Nonetheless, research indicates that there is a certain amount of collaboration and organization occurring on these forums, especially at the administrative level. Moreover, considerable evidence exists that organized crime is involved in many cases," Symantec reported.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel