Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy

Abstract

The underground economy has attracted a lot of attention recently as a key component of cybercrime. In particular, the IRC markets for stolen identities, phishing kits, botnets, and cybercrime-related services have been extensively studied. It is suggested that sophisticated underground markets show great specialization and maturity. There are complex divisions of labor and service offerings for every need. Stolen credentials are traded in bulk for pennies on the dollar. It is suggested that large sums move on these markets.

We argue that this makes very little sense. Using basic arguments from economics, we show that the IRC markets studied represent classic examples of lemon markets. The ever-present rippers who cheat other participants ensure that the market cannot operate effectively. Their presence represents a tax on every transaction conducted in the market. Those who form gangs and alliances avoid this tax and enjoy a lower cost basis and higher profit. This suggests a two-tier underground economy where organization is the route to profit. The IRC markets appear to be the lower tier, and are occupied by those without skills or alliances, newcomers, and those who seek to cheat them. The goods offered for sale there are those that are easy to acquire, but hard to monetize. We find that estimates of the size of the IRC markets are greatly exaggerated. Finally, we find that defenders recruit their own opponents by publicizing exaggerated estimates of the rewards of cybercrime. Those so recruited inhabit the lower tier; they produce very little profit, but contribute greatly to the externalities of cybercrime.

Author information

Corresponding author

Correspondence to Cormac Herley.

Copyright information

© 2010 Springer Science+Business Media, LLC

About this paper

Cite this paper

Herley, C., Florêncio, D. (2010). Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_3

  • DOI: https://doi.org/10.1007/978-1-4419-6967-5_3

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-6966-8

  • Online ISBN: 978-1-4419-6967-5

  • eBook Packages: Computer Science, Computer Science (R0)
