The world of computer hackers who sell stolen credit card numbers, spyware, and cyber weapons is often likened to an "underground," a word that implies the existence of a place cut off from most Internet users and existing in a corner of the Web that most people never see. But a new report concludes that the markets actually function more like thriving bazaars subject to the same economic forces as legitimate stores. And just like those legitimate stores, the bazaars aren't that hard to find.
A simple YouTube search can unearth dozens of videos describing how to use hacker kits to break into Web sites or steal bank account login credentials. Google "buy stolen credit cards" and you'll eventually get directions to dozens of storefronts that offer up pilfered account data. The cyber black market "has emerged as a playground of financially driven, highly organized and sophisticated groups," conclude the authors of a new report from the Rand Corp., the independent research group that often provides analysis to the Defense Department and U.S. intelligence agencies.
"Almost any computer-literate person" can get access to the cyber black markets, which have been "growing in size and complexity" for nearly a decade, the report found. From the late 1990s to around the mid-2000s, the market largely consisted of "ad hoc networks of individuals initially motivated by little more than ego and notoriety." Today, it is a decentralized but highly organized world with its own procedures for vetting buyers and rooting out unreliable or fraudulent sellers using a system of community-based ratings that the authors likened to Amazon reviews.
"It isn't a bunch of kids anymore. These are people who do this for a living," Martin Libicki, the Rand project leader, said in an interview. (The report was sponsored by Juniper Networks, a Sunnyvale, Calif.,-based company that manufactures computer networking equipment.)
The black market stores are run by hackers living around the world, inlcuding the United States and Asian and European countries. Among the items for sale are a wide range of hacker toolkits and cyber weapons, including so-called zero day exploits, which target vulnerabilities in software that haven't been discovered by their manufacturers. Government intelligence agencies often use those same virtual holes to gain clandestine access into foreign computer systems in order to implant eavesdropping equipment and potentially take control of the systems themselves.
Many computer security experts believe that the National Security Agency is one of the largest purchasers of zero days on a "gray market" that is not precisely illegal, but doesn't operate in the open, either. In this market, large defense contractors as well as smaller computer security firms often act as brokers between the NSA and independent security researchers, or hackers who discover the zero days and then sell them. The NSA hangs onto the zero days and incorporates them into new cyber weapons and espionage tools.
To buy a zero day, a purchaser has to know one of those researchers or work with a broker who can make an introduction to them, the Rand report found. The exploits can only be used once and are hard to come by, which is one reason they're so expensive. The price for zero days varies in the extreme, from a few thousand dollars to as much as $300,000, the Rand authors found. Rare instances of zero days selling for as much as $1 million have been reported.
Some computer security companies and software vendors will pay researchers a "bug bounty" for zero days, so that they can be taken off the market and not used for attacks. But hackers can fetch 10 to 100 times more on the gray markets, where government and agencies and corporations are the big buyers, as well as on the black market where criminals are the likely purchasers, the Rand study found.
Zero days feature prominently in cyber weapons like the Stuxnet worm that the United States and Israel used to disable centrifuges in an Iranian nuclear plant between 2007 and 2010. Stuxnet used at least four zero days, which allowed the worm to penetrate software inside the plant and ultimately take control of equipment that regulated how fast the centrifuges were spinning.
A panel of experts appointed by President Obama to review the NSA's operations in the wake of leaks by former contractor Edward Snowden called on the agency to halt its acquisition of zero days and said the government should be in the business of informing companies about the weaknesses in their products, not hoarding information that could be used to exploit them. A separate group of advisers is reviewing that recommendation, but the White House hasn't announced their results.
The Rand report doesn't address the NSA's purchases of zero days. But it suggests that the agency's efforts to thwart privacy-protecting technologies such as encryption could help fuel the market for illicit hacking. If more people use encryption and other tools to shield their communications from the government's prying eyes, that in turn will give hackers a reason to develop and sell new tools to try and break those communications.
Although the cyber black market deals in illicit goods and services, the sellers are subject to the same laws of supply and demand as their licit counterparts. For instance, after hackers stole upwards of 70 million people's credit card and personal information from the retail chain Target last year, credit card numbers flooded the cyber black market. As customers became aware their accounts may have been compromised, they started canceling their cards, and the prices for purloined numbers fell. Demand for the numbers was limited by how long they could still be used to make unauthorized purchases, the Rand authors found.
Just as with commercial retailers, "Goods and services tend to be reliable (though not always), and implementation and transactions are quick and efficient," the report said. Experts whom the Rand researchers interviewed were cautious to speculate about how much money the cyber black market generates, but one asserted that it accounts for billions of dollars in annual revenues, at least. Some individual sellers can reach between 70,000 and 80,000 people and bring in hundreds of millions of dollars, the authors found.
"In certain respects, the black market can be more profitable than the illegal drug trade; the links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements [for setting up shop] are negligible," the report said.
In addition to credit cards, popular items for sale include toolkits for stealing login and password credentials for social media sites; spearfishing services designed to trick users into opening viruses masquerading in legitimate-looking emails; and networks of hijacked computers, or botnets, that can be used to overwhelm Web sites and cause them to crash.
Efforts by law enforcement agencies to shut down online black markets -- the takedown of the Silk Road site, where hackers did business alongside drug dealers and arms merchants is one example -- are just making criminals tighten up their own security, the report found. Some markets are vetting customers and sellers and are moving their business to private networks that only allow trusted customers. They're also using anonymizing and encrypting communications to shield people's identities and protect their transactions. The report predicts that these techniques, which help buyers and sellers evade detection by law enforcement, will increase, as will the use of digital currencies, such as Bitcoin, to pay for hacker tools and services.
What's more, the black market is highly resistant to outside disruptions -- like suppliers suddenly going out of business -- another way it's like a traditional marketplace, the report found. As soon as one merchant closes shop or is taken down by authorities, another rushes in to take its place.
The market is also diverse. Some sellers specialize in one product or service -- renting access to a botnet, for instance -- whereas other hackers have set up variety stores that offer many different items.
The authors predict an increased demand for tools and services that target social networks and mobile devices, and that more brokers will enter the market to act as go-betweens for hackers and their prospective clients. That will put more people at risk for their data being stolen and their communications being spied upon. As for how to stop those harmful outcomes, the report offers few suggestions and concludes that the deck is essentially stacked against the victims.
"The ability to attack will likely outpace the ability to defend," Rand concluded. "Attackers can be hedgehogs (they only need to know one attack method, but do it well) while defenders must be foxes," knowledgeable in every tool and technique their adversaries might use against them.
Daniel Mihailescu / AFP