Hackers' bazaar: the markets for cybercrime tools and stolen data.

• Author: Ablon, Lillian

MALICIOUS hackers and cyberattacks are getting more attention these days--a result of both an uptick in the number amount of attacks as well as of increased public attention and fascination.

2014 was the year the hack went viral. Notable data breaches included those at retail giants Target and Home Depot, health-care provider Community Health Systems, financial institution J.P. Morgan Chase, and entertainment giant Sony. For the retail sector in particular, the stolen data from these hacks appeared within days on black market sites.

These cyber black markets offer the computer-hacking tools and services to enable and carry out cybercrime attacks, as well as the byproducts from those attacks the stolen credit cards, personally identifiable information, and intellectual property.

The RAND Corporation, with support from Juniper Networks, wanted to under stand the landscape and the character of these cybercrime black markets: what the markets look like today, where they came from, as well as where we're headed in the future.

To do so, we sought out and interviewed experts ranging from academics, to

Different Types of Cyber Threat are distinguished by motivation and intent:

* Cybercriminals: use cyber means to go after financial data

* Nation-States: use cyber means to monitor, exploit, or attack

* Hacktivists: use cyber means to send a message, sometimes politically motivated

* Cyber-terrorists: use cyber means to recruit, spread propaganda, or instill fear

security researchers, reporters, security vendors and law enforcement personnel folks who have a personal connection to these markets, from a variety of angles. We also reviewed literature and technical reports on this topic and personally observed some of the marketplace forums and websites.

The markets for cybercrime tools and stolen data have become so pervasive and accessible that the malicious hacking trade today can for some people in certain aspects be more lucrative and easier to carry out than the illegal drug trade. The hacking trade has matured into specialized markets, in which those who have gained the greatest access deal freely in its tools and spoils: exploit kits (software for creating, distributing, and managing attacks), bot-nets (remotely controlled computers used for sending spam or flooding websites), "as-a-service" offerings (hacking for hire), compromised hosts, and a continually flooded market for stolen credit-card numbers and other personal credentials.

These markets are dispersed, diverse, and segmented; constantly changing and innovating to both keep pace with consumer trends as well as to prevent law-enforcement and security vendors from understanding them. They come in many forms. Some are dedicated to one product or a specialized service. Others offer a range of goods and services for a full lifecycle of an attack--from the tools needed to exploit a system, all the way through to the cyber laundering of the stolen goods.

1. The Current State of These Markets: Where Are We Now?

   Today, the markets for cybercrime tools and stolen data are quite advanced. Cybercrime markets are rapidly growing, maturing, and continuously innovating. They are full of increasingly sophisticated organizations, people, products, and methods for communicating and conducting business transactions. They are resilient in the face of takedowns and constantly adapting to new tactics and techniques of law enforcement and computer security vendors. Finally, they are easy to enter.

   Cyber Crime markets: The collection of skilled and unskilled suppliers, vendors, potential buyers, and intermediaries for goods or services to facilitate digitally based crimes (e.g., stealing financial data, ecommerce accounts, and social media credentials; intellectual property theft; and takedowns of sites)

2. How Did We Get Here?

   Less than 15 years ago, cybercrime was committed by ad hoc networks of individuals motivated largely by ego and notoriety, who mostly wanted to get on to systems and prove themselves to one another. Job opportunities and fame resulted from this display of technical abilities. This was the age of the lone-wolf hacker, where most participants had some sort of technological skill and already knew each other on- or off-line.

   Cybercrime grew as more of the world gained a digital component. Access to computing technology became more prevalent, and there were more technologically savvy people. Criminal enterprises recognized this as a golden opportunity to exploit users and systems for less risk than through traditional crime avenues. As a result, motivations shifted towards financial gain, and more crime contained a digital nexus or electronic connection.

   Today, cybercrime has become the province of large, highly organized groups, with robust infrastructure and social organization, often connected with traditional crime groups. These groups pursue specific actions such as stealing information or installing malware.

3. Who Participates in These Markets?

   Participants range across all skill levels and occupy different roles depending on their technical abilities as well as reputation.

   Within these markets, there are often hierarchies and specialized roles: administrators sit at the top, followed by subjectmatter experts who have sophisticated knowledge of particular areas (e.g., exploit-kit creators...