With hackers and the security research community constantly finding new ways to break every piece of software that touches the Internet, it’s easy to get lost in the endless cycle of hacks and patches and hacks. But one team of Googlers and academic researchers has stepped back from that cycle to take a broader view of the maelstrom of scams, fraud and theft online. The result is a portrait of the digital underworld that goes beyond the traditional idea of corporate security to sketch the entire supply chain of online crime from hacking accounts to cashing out—focusing on where that chain can be weakened or snapped.
In a research paper published Thursday on Google’s security blog, a group of researchers from Google’s fraud and abuse group and six universities pulled together a kind of meta-study on the anatomy of the cybercriminal underground, focusing on illicit sub-industries like spam, click fraud, scareware, ransomware, and credit card theft. None of the data in the paper is new. Instead, it reviews years of existing cybercrime research to look for patterns and methods of disrupting those illicit schemes. The researchers’ conclusion—perhaps a surprising one for a company as focused on technical security and engineering as Google—is that nuts-and-bolts technological security isn’t enough for a company seeking to protect its users. Putting an actual dent in the cybercriminal economy requires using legal and economic strategies to directly attack the weakest points in its infrastructure: everything from botnet takedowns to payment processing.
“Our biggest takeaway is that though a lot of these problems seem intractable from a technical perspective, if you look at this from the supply chain and an economic light, they become solvable,” says Kurt Thomas, one of Google’s authors on the study. “We wanted to collaborate with external researchers to figure out exactly how criminals make money from the black market and identify their brittle infrastructure that’s cost sensitive. If you raise those costs, you disrupt credit card fraud, spam, or these other forms of abuse.”
WIRED spoke with Thomas, his fellow Google researcher Elie Bursztein, as well as their co-authors from New York University and the Universities of California at San Diego and Santa Barbara to ask them to pull a few lessons out of their sweeping study of the Internet’s underbelly. Here are their recommendations:
Use the Black Market As A Mirror for Your Security
Rather than endlessly bolstering security against imagined threats, the researchers recommend that companies infiltrate the online black markets inhabited by the actual criminals exploiting their systems. There they can see their own stolen data and hijacked or bot-operated accounts being sold, and even track those commodities’ prices. Thomas and Bursztein say that they closely follow the price of the bot-controlled Google accounts used for everything from YouTube and Chrome Web Store spam to fake reviews of malicious Android apps to hosting phishing sites on Google Drive. (They declined, however, to name the actual cybercriminal markets that they monitor.)