Just the news we all wanted to hear: cybercrime black markets are getting to be much more efficient, well-organized and better able to profit from stolen payment data. As those efficiencies squeeze out more profits, the incentive for more large-scale cyber attacks increases.
This pick-me-up comes courtesy of a new report from The RAND Corporation, which has just completed a study of cybercrime global operations. (By the looks of things, they apparently have better pension plans and 401(k) matching, too.)
The cyberthief “market—once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety—has emerged as a playground of financially driven, highly organized and sophisticated groups. In certain respects, the black market can be more profitable than the illegal drug trade (because) the links to end-users are more direct and because worldwide distribution is accomplished electronically (so) the requirements are negligible,” the report said.
The black market follows the same economic laws and practices as other markets, RAND’s research concludes, and because of that it impacts financial industry prices. RAND’s research also showed the cyberthief community is resilient and bounces back even after a takedown or arrest.
“Black-market evolution mirrors the normal evolution of a free market, with both innovation and growth. Prices for credit cards, for example, are falling because the market is flooded with records, and botnets and DDoS capabilities are cheaper because more options are available,” the report said.
The report said that “there will be more activity in cryptocurrencies, greater anonymity capabilities in malware, and more attention to encrypting and protecting communications and transactions ... (and) exploitation of social networks and mobile devices will continue to grow.”
“There has been a steady increase in the availability of goods and services offered, from stolen records and exploit kits to ‘stolen-to-order’ goods, such as intellectual property and zero-day (more commonly, half day) vulnerability. Greater availability of as-a-service models, point-and-click tools, and easy-to-find tutorials markets make it easier for technical novices to use what these markets have to offer,” according to the report.
Research shows that experts disagree on who will be impacted most by the growth of the cyber black market, whether it be small or large businesses, or individuals, and what products will be affected most — data records and credit card information or nonfungible goods like intellectual property. Experts also disagree on what types of attacks the market will see most (large-scale targeted vs. “smash-and-grab” attacks).
Still, questions remain about strengthening defense against cyber criminals in the black market, specifically, as the RAND Corporation suggests, whether there should be “mandates for encryption on point-of-sale terminals, safer and stronger storage of passwords and user credentials, implementation of ‘chip and PIN’ in the U.S.” And if companies do not comply with mandates, should they be liable for data breaches? Those are the questions the industry is going to need to continue to press, the report states.
“What can be surmised from interviews with expert observers is that the hacker market poses a formidable challenge and an increasing threat to businesses, governments and individuals operating in a digital world,” the report concludes.