Framing Dependencies Introduced by Underground Commoditization

Kurt Thomas, Danny Yuxing Huang†, David Wang, Elie Bursztein, Chris Grier, Thomas J. Holt∗, Christopher Kruegel§, Damon McCoy‡5◦, Stefan Savage†, Giovanni Vigna§

Google; †University of California, San Diego; §University of California, Santa Barbara; 5University of California, Berkeley; ◦International Computer Science Institute; ∗ Databricks; ‡George Mason University; Michigan State University

Abstract

Internet crime has become increasingly dependent on the underground economy: a loose federation of specialists selling capabilities, services, and resources explicitly tailored to the abuse ecosystem. Through these emerging markets, modern criminal entrepreneurs piece together dozens of à la carte components into entirely new criminal endeavors. From an abuse fighting perspective, criminal reliance on this black market introduces fragile dependencies that, if disrupted, undermine entire operations that as a composite appear intractable to protect against. However, without a clear framework for examining the costs and infrastructure behind Internet crime, it becomes impossible to evaluate the effectiveness of novel intervention strategies.

In this paper, we survey a wealth of existing research in order to systematize the community’s understanding of the underground economy. In the process, we develop a taxonomy of profit centers and support centers for reasoning about the flow of capital (and thus dependencies) within the black market. Profit centers represent activities that transfer money from victims and institutions into the underground. These activities range from selling products to unwitting customers (in the case of spamvertised products) to outright theft from victims (in case of financial fraud). Support centers provide critical resources that other miscreants request to streamline abuse. These include exploit kits, compromised credentials, and even human services (e.g., manual CAPTCHA solvers) that have no credible non-criminal applications. We use this framework to contextualize the latest intervention strategies and their effectiveness. In the end, we champion a drastic departure from solely focusing on protecting users and systems (tantamount to a fire fight) and argue security practitioners must also strategically focus on disrupting frail underground relationships that underpin the entire for-profit abuse ecosystem—including actors, infrastructure, and access to capital.

1 Introduction

Over the last two decades, attacks on computer systems have transitioned from rare incidents to ubiquitous events. Part of this transformation has been driven by technology. Indeed, the combination of universal Internet connectivity and fragile homogeneous software systems provided fertile ground for the development of large-scale host infections with a centralized command and control infrastructure (cf. the DDoS botnets of the early 2000s). However, the more significant evolution—taking place almost entirely in the last decade—has been around the motivation and structure of these attacks. In particular, the rise of e-commerce, both monetized directly through sales and indirectly via advertising, engendered Internet-attached hosts with latent value that could then be monetized via abuse. The confluence of these two factors—the ease with which hosts could be compromised at scale and the fact that each such host could be monetized for profit—fueled a bloom in criminal entrepreneurship that underlies most threats we experience today online.

Starting with early partnerships between malware authors and e-mail spammers (largely focused on the simple problem of laundering MTA origin), miscreant innovators soon identified a broad range of monetization strategies and associated technical needs. Through their actions, today we understand that a compromised host can encapsulate a broad range of extractable value: both through its commodity technical resources (e.g., its bandwidth and IP address for sending spam, its CPU for mining crypto-currencies, its storage for hosting content for some scam) and through its unique data resources (e.g., account usernames and passwords entered, PageRank of site, credit card numbers, social network membership, and so on).

Extracting all of this value can be complex and require a range of specialized knowledge and capabilities. Indeed, it would be challenging for any single actor to operate the myriad components making up a modern scam. Instead, the emergence of underground marketplaces has allowed individual actors to specialize in particular capabilities, services, or resource types—without needing to own the entire value chain. Thus, a criminal entrepreneur today will use their own seed capital to purchase individual resources or capabilities à la carte (e.g., compromised accounts, CAPTCHA solving, or malware) and combine them in new ways. It is this emergence of markets that is the final component of the modern abuse ecosystem and has served both to rapidly distribute new business models and to reduce costs through economies of scale. However, migration to this market introduces visible, cost-sensitive dependencies that, if disrupted, undermine entire criminal profit-generating schemes that as a composite otherwise appear intractable to defeat.

While individual elements of the abuse ecosystem have been covered to various degrees in the academic literature, none captures the rich fabric of this underground economy in its full breadth nor provides the context required to understand the structure and inter-dependencies between individual elements. It is this broader perspective that motivates our survey paper. Indeed, it is our contention that a systematized understanding of underground relationships is critical to developing effective, long-lasting countermeasures. We champion that research and industry must make a drastic departure from solely focusing on protecting users and systems (tantamount to a fire fight) and strategically pursue disruptions of the brittle dependencies that underpin the entire for-profit abuse ecosystem—including actors, resources, and capital flow. To this end, our paper makes four contributions:

• Underground Structure. We define a framework for structuring underground assets based on the role they play in the monetization process: profit-creating activities (scams), cost centers (infrastructure services and markets), and value realization (internal and external cash-out services).

• Classification. For most of the best-known scams, services, and capabilities, we explain how they have been specialized, how they fit into our structure, the kinds of business models that they naturally express, and the dependencies they produce.

• Interventions. We examine various techniques—both proposed and explored—for intervening in different parts of abuse markets with an eye for evaluating how different actions impact miscreant profitability.

• Standing Challenges. We stratify the breadth of methodologies thus far for studying cybercrime and identify key challenges that will shape the field moving forward.

Finally, pursuing research into the abuse ecosystem requires a great

profit. In the process, we capture the stratified roles and their interdependencies into a taxonomy of underground organization. These roles place an increased importance on open communication and self-policing between criminal communities, the consequences of which open criminal activities to the research community at-large.

2.1 What is the Black Market?

Computer-based crime and abuse has a long history, with well-documented cases of computer fraud dating back to the 1970s. Personal computers provided a common substrate for would-be actors, giving birth to the first widespread viruses in the early 1980s, and the Internet provided a broad transmission vector allowing the first network worms to emerge in the late 1980s. However, it is only in the 21st century that this activity morphed from the independent actions of a small number of motivated individuals, to a burgeoning set of cooperative enterprises, shared business models, stratified service offerings, and ever increasing degrees of specialization.

The core of this transformation is the emergence of a “black market” economy, built around for-profit cybercrime, in which a large number of geographically distributed actors trade in data, knowledge and services [5, 6]. Absent such a structure, early miscreants needed to operate every facet of their business. By contrast, the same scams today may involve a dozen different parties each responsible for some particular piece of the operation. This is possible because a shared marketplace allows for economies of scale, and encourages specialization and competition (and hence efficiency). We find evidence of this specialization within underground forums that sell à la carte access to virtually every part of the criminal “value chain” including compromised hosts, fraudulent accounts, stolen credit cards, and even human laborers. Thus, it is possible for a criminal entrepreneur to outsource these parts of their business and combine them in innovative ways to support new value creation strategies (typically scams based on defrauding consumers, businesses or both). However, whether this commoditization has yet achieved wide-spread adoption within the criminal community remains an open research question.

Commoditization directly influences the kinds of business structures and labor agreements that drive recent cybercrime.
