Researchers at Carnegie Mellon are working to understand and potentially thwart the growth of Internet black markets — where attackers use well-developed business practices to hawk viruses, stolen data and attack services.
Adrian Perrig and Jason Franklin — working in conjunction with Vern Paxson of the International Computer Science Institute and Stefan Savage of the University of California, San Diego — have designed new computer tools for this effort.
"These troublesome entrepreneurs even offer tech support and free updates for their malicious creations that run the gamut from denial-of-service attacks designed to overwhelm websites and servers to data-stealing Trojan viruses," said Carnegie Mellon's Perrig, an associate professor of electrical and computer engineering and engineering and public policy.
In order to understand the millions of lines of data derived from monitoring the underground markets for more than seven months, researchers developed automated techniques. These systems helped them measure and catalogue the activities of the shadowy online crooks who profit from spewed spam, virus-laden PCs and identity theft. The researchers estimate that the total value of the illegal materials available for sale in the seven-month period could total more than $37 million.
"Our research monitoring found that more than 80,000 potential credit card numbers were available through these illicit underground web economies," said Carnegie Mellon's Franklin, a Ph.D. student in computer science.
However, the researchers warned that because checking the validity of the card numbers was not possible without credit card company assistance, the cards seen may not have been valid when they were observed.
Whatever the purchases, a buyer will typically contact the black market vendor privately using email, or in some cases, a private instant message. Money generally changes hands through online non-bank payment services, making the criminals difficult to track.
"We believe these black markets are growing, so we will have even more incidents to monitor and study in the future," Perrig said.
That growth is also reflected in the latest Computer Security Institute (CSI) Computer Crime and Security Survey that shows average cyber-losses more than doubled after a five-year decline. The 2007 CSI survey reported that U.S. companies on average lost more than $300,000 to cyber crooks compared to $168,000 last year.