Online thieves come of age

Much like the cantina on Star Wars’ desert planet Tatooine, the underground economy is a hub of criminal activity and trade. Fraudsters from all over the world congregate to trade stolen record sets of credit cards, personally identifiable information and online banking credentials. Law enforcement has called it “organised crime” and indeed it is very organised – but not in the sense of The Godfather. Although these crime forums do have administrators, they’re not Dons whose bidding must be obeyed by everyone beneath them in the social hierarchy.

The underground is organised in the same way that eBay is organised – there’s a set of laws between buyers and sellers that must be followed, a set of services designed to improve the security of all parties (escrow services, for example) as well as a dispute resolution process. While there are certain statuses such as a “verified vendor” status that can be obtained, and while hierarchy may exist within the groups that are represented in the forums, all members (as long as they are not rippers) are considered equal.

While fraudsters may be equal in terms of rank, when it comes to sophistication – they are not. Much like in the hacking community, the higher the sophistication level of individuals, the fewer they are in number. Most of the “hackers” out there are script kiddies, who are only sophisticated enough to follow a set of actions that were invented by someone more sophisticated. The same applies to fraudsters. Naturally, there are fewer “big fish” (or should I say “big phish”) in the ocean than “little fish.”

One of the effects the underground economy has on the ability to commit fraud is that it lowers the bar of entry. By having fraudsters who specialise in specific areas instead of the entire process, by creating a market of commodities and services and by the sharing of knowledge, less sophisticated fraudsters can join in on the fun that would have been out of their reach otherwise. A fraudster who lacks the sophistication to hack into a merchant’s site to get a list of credit cards could simply buy them from someone who can. A fraudster who lacks the sophistication to build a scam page for his phishing attack can simply get a free phishing kit from one of the multiple repositories available.

Over time, the tools and techniques that were solely used by the “big fish” trickle down through the pyramid. Conducting a phishing attack became more accessible when the tools for it were bundled into kits and distributed for free. The same holds true for Trojans. While some versions of the Zeus banking Trojan still cost several thousands of dollars, the older versions are available free of charge. New services and tools are constantly being developed by fraudsters, continuously driving the bar of entry for various fraudulent activities lower and lower.

Fortunately, this model doesn’t only pose risks to organisations targeted by fraudsters – but opportunities as well. Anti-fraud professionals can use the current model of the underground to disrupt fraudster activities and reduce fraud levels, at least temporarily, even when dealing with a sophisticated issue such as automatic money transfers executed by Man-in-the-browser (MITB) scripts.

Even if only a temporary fix (and far from being bulletproof), it could still affect the bottom line and reduce fraud losses perpetrated by banking Trojans. By the time the new version would be widely available, the ante could be upped once again. These cat and mouse games can also help ensure that Trojan developers are forced to keep their focus on retaining the existing abilities of their malware (in the case of Man-in-the-browser, the ability to transfer funds automatically out of a victim’s accounts) rather than focus on developing new and more innovative fraud tools.

The question is how many fraudsters from the bottom of the pyramid target the bank. If a financial institution is considered relatively hard to defraud and it is almost exclusively targeted by sophisticated fraudsters, these actions will have very little effect. In the world of fraud mitigation, financial institutions mostly play on the defensive. Every soldier will tell you that a good defensive tactic would be to change things up a bit from time to time. The effects may only be temporary, but throwing the enemy off guard, even if only for a while, may be the difference between winning and losing.

(The writer is the head of cyber intelligence for the FraudAction Intelligence team at RSA.)
