Understanding the Black Market in Internet Crime

Here's an interesting paper from Carnegie Mellon University: "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants."

The paper focuses on the large illicit market that specializes in the commoditization of activities in support of Internet-based crime. The main goal of the paper was to understand and measure how these markets function, and discuss the incentives of the various market entities. Using a dataset collected over seven months and comprising over 13 million messages, they were able to categorize the market's participants, the goods and services advertised, and the asking prices for selected interesting goods.

Really cool stuff.

Unfortunately, the data is extremely noisy and so far the authors have no way to cross-validate it, so it is difficult to draw any strong conclusions.

The press focused on just one thing: a discussion of general ways to disrupt the market. Contrary to the claims of the article, the authors have not built any tools to disrupt the markets.

Related blog posts: Gozi and Storm.

Posted on October 29, 2007 at 2:23 PM • 5 Comments

Comments

mfheadcase • October 29, 2007 4:08 PM

Ummm, the methods for black market disruption focused on by the secondary articles would work, yes... but they also invite retaliation on the straight market.

A couple of black hats could just as well turn their botnets toward disruption of legit commerce using similar methods.

Not to mention that the methods basically come down to slander and fraud if they were used against people in a legit market.

David • October 29, 2007 4:26 PM

Actually, they may count as slander in this domain as well. Do slander laws make an exception when you're slandering a handle used for illegal transactions?

... actually, how do slander laws apply to handles in general? Is it slander if I post false information about an anonymous account? I'd think it should be, but I'm curious about the present state of things.

SteveJ • October 29, 2007 4:50 PM

I am not a lawyer, and neither do I play one in a TV mini-series.

However, I believe that in order to sue for defamation, you need to demonstrate damages. I doubt that a court would recognise that damage to a profitable criminal reputation constitutes a loss which warrants compensation.

Roger • October 29, 2007 11:44 PM

The real issue here, and the root cause of Storm, is the ability of "domain tasters" to register domains for several days for free. This is a policy that ICANN could change in a minute, but hasn't. They could also require registrars to disable domains that configure fast-flux DNS, which is not RFC-compliant, but to date ICANN has sat on its hands doing nothing while the problem simply gets larger. Compare this with the Bush administration's handling of Global Warming (among other things) and you can see why the Internet needs a change of government as much as the US.

NY-Lawyer • October 31, 2007 10:18 AM

Common-law countries (mostly the English-speaking countries) have a "clean hands" doctrine. It means that courts won't "get their hands dirty" handling cases on behalf of criminal enterprises.

So, if someone breaches a contract to deliver supplies to a meth lab, the lab owners can't sue (they, of course, have other methods of enforcement). If someone slanders (oral) or defames (written) some hacker's handle, the courts won't get involved.

However, if the handle is used for legitimate reasons (e.g., a pseudonym) the courts might listen. Suppose someone slanders or defames Mark Twain. Samuel Clemens could have taken him to court. However, intent to harm Clemens would be the issue (it is impossible to harm a fictional character, Twain in this example).


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.