In-Depth

A Peek Inside the Web's Underground Economy

New research sheds light on how bank-account credentials, credit-card numbers and other illicit goods are sold in a paranoid online black market.

• By Scott Bekker
• February 01, 2009

Gonzalez, also known by the screen names "Segvec," "Soupnazi" and "CumbaJohnny," was indicted in August 2008 along with 10 other people from the United States, Estonia, the Ukraine, Belarus and China. The charges related to a high-profile scheme involving "war-driving"-that is, searching for vulnerable wireless networks using a laptop computer and a moving vehicle-near major retail stores, including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. According to the Gonzalez indictment, the conspirators hacked into the retailers' wireless networks to steal credit- and debit-card numbers. In all, members of the ring, allegedly led by Gonzalez, stole and sold, or attempted to sell, more than 40 million card numbers.

Gonzalez, in the proud tradition of federal informants dating back to the Mafia crackdowns of the 1970s, was already an informant for the U.S. Secret Service when the retail war-driving scheme hatched, and he's accused of using his inside knowledge of prosecutions to steer select underground allies clear of trouble.

The Gonzalez story is one of the intriguing pieces in a global portrait of the security underworld described in a November 2008 report by software giant Symantec Corp. The report, "Symantec Report on the Underground Economy," marked a change for Symantec. Normally, when IT "white hats" look at security, it's from a technical perspective. The usual approach is to say, for example: "This vulnerability exists in Windows; there's a known exploit for it. But if you apply this patch, you're covered." Trend analyses have tended toward the technical as well, pointing out increases in specific attack types such as SQL injection attacks or Trojan-horse programs. It's a high-percentage approach-no matter who's causing trouble and why, blocking the incoming attacks through technological fixes is largely effective.

Every once in a while, though, it's useful to view security from the other side. Who are the attackers? What are their priorities? What are they taking from systems and what do they get for the effort? The change of perspective can be handy for channel partners because they can use that information to update their approaches to security sales and to prioritize methods for protecting their clients.

Taking a Deep Dive
The Symantec underground-economy report interrupted the Cupertino, Calif.-based security giant's twice-yearly publication schedule of its Symantec Internet Threat Report.

"In the previous [Internet threat] report, we did some work on the underground economy. I guess it struck a nerve," says Kevin Haley, director of product management for security response at Symantec. "We got a lot of feedback on it, and there's a tremendous amount of interest. We can look at the amount of malware and see how the numbers have risen, but this really explains why."

Symantec will return to the more standard technical descriptions and empirical trend lines when it releases its next threat report this spring, but its publication cycle seems to be permanently altered. "Instead of doing the report every six months, we decided that we would release it once a year, and then we would do these deep dives in between," Haley says. Meanwhile, for the past few years, competing security vendor McAfee Inc. has been producing a Virtual Criminology Report that also has a strong focus on motives for attacks and law enforcement responses and challenges.

To pull together its underground-economy report, Symantec assigned some employees to monitor Web forums and Internet Relay Chat (IRC) servers that were known as forums for selling credit-card numbers, bank-account information and other valuable data and attack tools.

"We observed $276 million worth of buying and selling going on. And we're not saying we monitored every conversation that was happening in the underground economy," Haley says. "What you're seeing is that a lot of people are engaged in the underground economy and are clearly making a living at it. It's self-sustaining. People are making money, and they're investing in that business. It's kind of a vicious cycle."

Life Underground
Following are some of the highlights of Symantec's report on the underground economy:

What's in Demand:
Of the $276 million, nearly 60 percent of requests and offers involved credit-card numbers. Had all the available credit cards been maxed out by criminals and all affected bank accounts successfully emptied, the total loss would have been more than $5 billion, although Symantec doesn't claim that figure is a real value of the assets that were for sale.

Where the Action Is:
Under his Segvec screen name, Gonzalez had been helping the U.S. Secret Service round up an English and Russian Web forum called ShadowCrew, which he moderated. That sting, known as Operation Firewall, led to 19 indictments in 2004. However, much of the activity is now moving away from those stable-and fairly easy-to-track-Web sites. Instead, most of the buying and selling action now pops up on IRC servers, according to Symantec. While many IRC servers are legitimate homes for discussions about politics, electronic games or sports, the IRC technology is also useful for selling and buying bank-account and credit-card numbers, identity information and toolkits for illicit activity. "IRC is an instant-communication protocol with a number of attractive aspects for operators in the underground economy," the report notes. "It offers real-time group communications, requires very little bandwidth and the IRC client software is freely available across all operating systems."

Here Today, Gone Tomorrow:
Symantec's researchers found that many IRC-based marketplaces tend to wink in and out of existence very rapidly, making them much harder targets for law enforcement. Over the year that Symantec researchers observed the underground economy, the median lifespan for an IRC server was 10 days. However, some were far more persistent, with impressive scope. One of the largest IRC-based marketplaces that Symantec found spanned dozens of servers in North America and Europe, with about 28,000 channels and 90,000 users.

Shadowy Business:
Many of the services for sale in the underground economy have more in common with a John le Carre spy novel than they have with the face-to-face exchange at the beginning of the movie "The Matrix."

Symantec researchers found markets for all sorts of cloak-and-dagger job descriptions. Among them: the cashier. Because many bank accounts can be cashed out only from inside the nation where they were issued, criminals often need a local cashier to help obtain funds from a compromised bank account in another country. Often these requests must be gender-specific to match the account name, according to the report.

Another item for sale is a drop location, where goods purchased with stolen credit cards can be shipped.

There's also a thriving market for card-duplication services. Once credit-card information has been stolen from digital records, it can be replicated on a physical plastic card that can be swiped through a store's card reader or inserted into an automatic teller machine.

Org Chart:
"Groups operating out of North America tend to be loosely organized, often made up of acquaintances who have met in online forums and/or IRC channels and who have chosen to associate with each other," the report reads. Some North American groups rely on "more professional" Eastern European groups to provide high-quality fraudulent cards. "This arrangement is mutually beneficial to operators in Eastern Europe, who require physical access to U.S banks or ATMs in order to exploit stolen U.S. card data," according to the report.

"Another trait likened to that of organized crime is that Eastern European groups have been known to use physical violence in repercussions against competitors, which Symantec has not observed elsewhere," the report continues. However, despite the Glock found in Gonzalez' Miami hotel room, the U.S. market has not been linked with significant violence, according to the report.

Price Tags:
Symantec's research team pulled together typical prices for various offerings. Of highest value: bank-account credentials, which commanded prices ranging from $10 to $1,000. Prices depended on the amount in the account, whether it was a corporate or a personal account and its location. The account offered for $1,000 reportedly had a balance of $130,000, researchers said. In addition, "EU accounts were advertised at a considerably higher cost than their U.S. counterparts, which may be because EU accounts are rarer than U.S. accounts," according to the report. Add a name, address and date of birth to an account and its value rose even more, the researchers found.

Credit-card numbers, which were also sold in bulk amounts from 50 to 2,000 numbers, also varied in price based on location, with supply and demand holding sway. "Cards from countries such as the United Arab Emirates were the most costly, at an average of $25 each, while cards issued from the United States were the least expensive," the report noted.

Entire phishing scams were offered for sale as well. Buyers could choose to have a phishing scam designed and hosted, or just rent or buy a list of e-mail addresses to use for fraudulent messaging themselves.

Tool Time:
Various attack tools are also traded in the online underground, according to the report. It wasn't just do-it-yourself items like SQL Injection tools, scanners and auto-rooters or specific kits with names like MPack, IcePack or Neosploit. Also on offer were complete botnets-networks of already-compromised computers that can be used for launching denial-of-service attacks, scanning for vulnerabilities or conducting spam or phishing campaigns. According to the report, one advertisement claimed to have access to a botnet of 2,000 compromised computers. Botnet sales differed-some consisted of tools to start building a botnet, others of botnets for rental, still others were botnets for outright sale. Botnet access was one of the most expensive tool options offered, at prices of up to $300 per botnet, but the networks of zombie systems are effectively an investment in infrastructure that an attacker can profit from again and again.

Lessons Learned
Symantec's Haley says there's a message in the report for hard economic times: "From a reseller perspective, I think customers will be looking carefully at all their costs in this economic environment. Nobody likes to spend money on security; it's not why anybody buys their computers. But I think it's clear that security remains a critical component moving forward."

Kevin Prince, chief architect at Perimeter eSecurity, an on-demand security services provider based in Milford, Conn., wasn't involved with Symantec's report, but he agrees that a clearer picture of the underground economy is valuable. "We've got a better understanding of how that whole criminal organization works," Prince says. "But they're getting much better at hiding from us. They have ways of communicating with forums and encrypted channels, and all of it is done on the Internet in a very anonymous way."

Prince also sees the recessionary expectations for this year as making the shadowy online markets even more attractive to would-be criminals.

"This was the first year that I really felt strongly that economic conditions and other things that are happening in the world are going to impact information security," Prince says. "Some people will do things they ordinarily wouldn't do," he says, referring to a greater-than-usual risk of internal security threats. For example, employees who have been laid off but still have access to company systems may be tempted to compromise or sell company data out of desperation or spite.

Meanwhile, economic conditions create other security holes that online criminals can exploit. When gasoline prices hit $4 a gallon nationwide last year, "almost overnight, there was a double-digit increase of remote workers," Prince notes. "Having these remote users can really cause a lot of security concerns, and we'll have more telecommuters when gas prices go back up." In addition, he says: "In times like these, people will turn to freeware or open source software and they'll try to do more with less." The problem: "We've seen [attackers] take the software, modify it and put it back," with those modifications later causing headaches for unsuspecting users.

All told, the Symantec report describes a robust and easy-to-use online marketplace for stolen information and digital attack tools. Partners whose customers collect credit-card information, bank-account data or customer-identity information will obviously be interested in the details. But knowing about the availability of and prices for threats such as botnets-which may well affect an inattentive customer's network-can bolster any partner's arguments in favor of stronger security solutions.