It is easier than one might think to find online forums and other sites actively advertising and peddling the latest vulnerabilities, trojans, phishing kits and stolen credit card numbers — known simply as dumps.
This underground community is thriving and getting more organized by the day. It is being fueled by easy customer access to low-cost products with high profit potential, say many experts. Stolen personal information, for example, sells for as little as $2, and dumps begin as low as $10. The prices stay low because the supply is so large, experts say. Yet this pilfered merchandise can yield exponentially more for the buyer.
But beyond the economic model, the black market's success rests on its anonymity. Buyers and sellers transfer funds almost entirely through web-based transaction services, many of which fail to properly validate the identity of users, says Amir Orad, vice president of marketing with RSA Consumer Solutions, a division of RSA Security, Bedford, Mass., which monitors fraudulent online activity.
"Just like they can go to a bank with a forged ID to open a fake account, you can do the same online," he says. "There's no camera taking your picture. It's easier online. You can pretend to be a man if you're a woman."
Having these web-based transaction methods available is helping the underground market expand in scope, experts say.
"It makes it a little bit harder to track them down because the best way to catch these electronic criminals is to follow the money trail," says Jerry Dixon, deputy director, National Cyber Security Division for the United States Computer Emergency Readiness Team (US-CERT).
Buyers and sellers are more comfortable conducting business anonymously via the web instead of having to meet in a "dark alley" to exchange cash, Orad says. Typically the goods are advertised on open forums and sales are finalized in private IRC channels.
"[Web-based transaction services] are definitely contributing to the underground market," Orad says. "It's lowering the bar to commit these crimes."
Peruse many of the sites that offer cybercrime merchandise and chances are the peddler is asking for payment via some web-based transaction service. Most popular seems to be e-gold, a 10-year-old payment system that backs transfers by a 100 percent reserve of physical gold. Since its inception, e-gold has settled nearly 60 million transactions across 165 countries.
But e-gold also has drawn the fancy of cybercriminals, says Herbert Thompson, chief security strategist with Boston-based Security Innovation.
"You're trading fractional ownership of gold," he says. "You're not trading money in sovereign currency. There are benefits there from an underground perspective."
e-gold, based in Florida but registered in Nevis, West Indies, drew national attention when it was harshly criticized in a January Business Week investigative report. The story focused less on e-gold being used to buy and sell malware and stolen information and more on law enforcement's interest in cybercriminals using the service to launder money. The piece portrays e-gold as largely anonymous and unregulated, with few controls in place to verify legitimate transactions.
But Bill Cunningham, who works in business development at e-gold, says the article was off base. When a questionable transaction is discovered through "proprietary protocols," e-gold works to block the account as quickly as possible — though Cunningham would not elaborate on how the company identifies a suspect exchange. He adds that the company regularly cooperates with authorities.
"If you're in the system, I guess you can play games with [your identity], but that doesn't do you any good because you can't get the national currency out of the system," he says. "Ultimately you have to get value in and value out with a third-party exchanger." These entities, such as OmniPay, more strictly scrutinize identities, Cunningham says.
But why not also mandate that new e-gold users verify their identities with documents? After all, e-gold competitor GoldMoney requires new customers complete a six-step registration process, which includes asking for photographic identification and proof of residence. Cunningham says e-gold is considering new methods to verify users are who they say they are.
"There are some things planned in the future where we're going to be more rigorous in that regard," he says. "The technology is being worked on as we speak."
Still, illegitimate users of so-called digital currency are hard to catch and are not a major priority of law enforcement. FBI spokesman Paul Bresson says targeting the operators and financers of the sales sites makes more sense than going after the individual vendors.
"That's how we make the most significant impact on the overall crime problem," he says. "I think we have an interest in targeting those who traffic [the goods]. We can make multiple arrests, but there'd be others. At the end of the day, we want to ask ourselves if what we're doing is going to significantly impact the problem. I think the answer in those situations is that it is not."
There is reason to be hopeful, though, Dixon says. The U.S. Secret Service has made headway in tracking down cybercriminals. The agency is in the midst of Operation Rolling Stone, an undercover initiative that has led to more than 20 arrests of culprits who use the internet to "openly engage" in the sale of compromised credit card information, false identity documents and malicious software.
"It's gotten better with international cooperation," Dixon adds.
SHOW ME THE MONEY:
As good as gold
Tracking the flow of money through the internet is difficult, if for no other reason than the buyer and seller never have to meet in person.
But back payments with a non-sovereign currency, such as is the case with popular web transaction service e-gold, and enforcement becomes even harder, says an information security expert. And cybercriminals have taken notice.
"The benefit comes from a general lack of oversight by governmental agencies, such as the Secret Service, that have no inherent legal right to track the flow of non-sovereign currency," says Herbert Thompson, chief security strategist with Boston-based Security Innovation.
But Bill Cunningham, who works in business development at e-gold, disagrees.
"This does not in any manner prohibit authorities from tracking the flow of e-gold within the system, nor exchange into or from the system," he says. "As would be the case in dealing with any payment system, be it MasterCard, VISA, bank accounts or even cash, authorities do need to have the proper legal authorization."