Cyber crime is gaining more and more momentum as a source of threats for final users. Credit card, banking and financial frauds are continuously reported in the news and often studied in the literature: recent studies have uncovered a whole infrastructure of services that are available to cyber criminals to deploy their attacks. Cyber crime activities are supported by infrastructures and services originating from an underground economy. Exploitation tools, automated redirection of user connections to arbitrary domains, and trading of new malware or vulnerabilities are only examples. These infrastructures and services must be sustained and provided by an underlying economy.
Market design is a problem of great interest in economics, as a successful market necessarily involves an equilibrium of forces that on one side encourages trading, and on the other discourages “cheaters”. Cyber crime markets represent, intuitively, a fascinating case study for these issues: they are run by criminals (who are not trustworthy by definition), are typically run on-line, and are to a degree anonymous. How can anonymous criminals trust other anonymous criminals in delivering the promised service or good after the payment has been issued?
Yet, empirical evidence from numerous studies shows that the attack tools traded in these markets do work, and the losses caused by cybercrime are real. How can these observations be reconciled with the understanding that cybercrime markets cannot work? The explanation, presented in the “Then and Now: On The Maturity of the Cybercrime Markets” Research Paper[1] from the University of Trento (by Luca Allodi et al.), is that current markets are run under a different structure than IRC markets: rather than anonymous, free-to-join, unregulated communities of criminals, modern cyber crime markets are run as virtual forums. Forums provide an easy way for the community administrators to control the flow of users into the community and to enforce, through moderation, a number of rules that can be aimed – in a coherent market design structure – at mitigating the issues of information asymmetry. Proper regulation is, therefore, the key to a successful market.
[1] Allodi, Luca, et al. “Then and Now: On The Maturity of the Cybercrime Markets. The lesson that black-hat marketeers learned”. IEEE Trans. On Engaging Topics in Computing 4(1):35-46, 2015 http://dx.doi.org/10.1109/TETC.2015.2397395
Access to Download the Report