RSA: The Elusive Structure of the Cyber-criminal Economy

At the RSA Conference in San Francisco, security researchers outlined the underground economy for cyber-crooks. The black market for stolen data is thriving in an increasingly sophisticated and compartmentalized landscape.

As it turns out, stealing credentials is actually the easy part of cyber-theft. The hard part is using them to pilfer bank accounts.

Fortunately for phishers, they have no shortage of help in that regard. This ecosystem of hackers, malware writers and money mules was on full display at this week's RSA Conference, where researchers described an increasingly compartmentalized hacker underground where thieves can buy subscriptions to online fraud services.

"As soon as you pay for the subscription, your Trojan will start being distributed, you will have access to all these machines, [and] you will have access to all of the credentials-bank credentials and credit cards-that are being collected by the Trojan you are distributing. But you don't have to do anything," explained Uri Rivner, head of new technologies for RSA Consumer Solutions in EMC's RSA security division.

Subscriptions can cost $300 a month, he said. Renting out networks of compromised computers can cost as little as $23 for 1,000 bots, Rivner said. However, that price won't buy an attacker a monopoly.

"If you have a Trojan and you want this computer to be infected with your Trojan, you want only your Trojan to be on this computer because you don't want to compete with the other fraudsters on the same resource," he told eWEEK. "So if you want an exclusive, it costs you much more because they can't sell your computer to other bad guys."

In his session, titled "How to Become a Successful Online Fraudster," Rivner painted a picture of an increasingly compartmentalized hacker underground. On one end are "harvester fraudsters" who steal information. On the other end are what Rivner calls the "cash-out fraudsters," who are in charge of recruiting and managing money mules who accept stolen funds into their accounts before transferring it as part of money laundering schemes. Sometimes, the mules don't know that they are part of an illegal operation and are lured by promises of part-time work. Keeping mules is much harder than recruiting them, Rivner said, because as soon as the money is tracked to them, they come under the scrutiny of banks.

When it comes to malware, attackers can purchase Trojans such as Limbo and Zeus for their schemes. High-end Trojans like the infamous however Sinowal are not on the open market.

The prevalence of stolen data has actually at times led to a commodization of certain information, such as credit cards. In a report last year, security vendor Finjan reported that the price of credit card and bank account numbers once valued at a $100 each or more had dropped to as little as $10 to $20 apiece. While vendors at this year's RSA show spoke often of the importance of interoperability and cross-vendor cooperation, attackers are beating that drum as well.

"They're definitely working together a lot more than they might have in years past," said Joe Stewart, director of malware research at SecureWorks. "It's a whole economy. So much of it is turnkey now-get your own botnet."