The massive retailer data breaches that have taken place this year have resulted in millions of credit card numbers being pilfered in the dark corners of the web. But while many may think that the data resale exchanges between cyber criminals is amateur, in many instances an extremely organized framework is at play, according to a cyber crime expert.
Presenting at this year's DefCon conference in Las Vegas, Tom Holt, an associate professor at Michigan State University that specializes in cyber crime, discussed his research on the inner workings of the stolen data markets and the relationships between buyers, sellers, and others involved in the transactions.
Understanding the workings of the cyber criminal underground is essential in targeting groups and causing disruption, Holt said Friday during this presentation.
"When we think about the markets themselves they are organized in a unique fashion," he said. "At the individual level, we're talking about a process where we're seeing peers and colleagues; at the formal forum level, we're seeing a more formal organization that takes place."
Holt described the organization composition of the market, detailing how many individuals work together; the relationship between the buyers and sellers, how data dumps are the most popular products sold, and how customer service goes a long way in the profitable success of the criminal business.
In one example, Holt described a seller on a forum who would replace any credit card numbers that did not work as a gesture of good customer service.
"Customer service is an important venue within these marketplaces to generate attention to your business," he said. "If you want people to come back and buy from you on a consistent basis, offer them something and give them a reason to come back to you."
Some forums even include review sections where buyers could leave feedback on sellers and the performance of their transactions, he added.
Rather than being run like the wild west, many of these forums have "a good degree of administrative oversight," he said. These admins will actively go in and remove any vendors who rack up negative feedback.
"The ones that are heavily managed [by administrators] will figure out what's going on and block the individual," he said.
The importance of understanding these dark markets come into play when law enforcement looks to take action against them.
One way to cause disruption may be to impact the payment processors cyber criminals use, much like the takedown of Liberty Reserve, Hold said. However, he believes that the best way to go after the markets, based on how they're organized, is to take out the entire forum.
"A one-on-one basis removal is not going to work," he said. "Taking out an entire site is going to have a much more dramatic impact."