Among the research topics of the Security Group, the main stream of this research topic is to understand the various economic trade-offs between different regulations and to get a better understanding of the mechanisms behind malware markets.
The former is a project that mostly focuses on air traffic management case studies (for which we have some case studies through the SECONOMICS and EMFASE projects). The latter is based on exploration of black market forums.
Many criminal activities in the “ordinary world” are motivated, empowered, and encouraged by “underground” markets in which stolen goods are traded and money laundering is an everyday service. Thomas C. Schelling, Nobel prize for Economics, refers to these markets as “those markets that we don’t like, that work entirely too well: for example, the market for stolen goods, that encourages burglary[..]” (from Micromotives and Macrobehavior).
The news is that cybercrime is itself (at least allegedly) organised and motivated by an underground economy, often referred to in the news as the black markets of cybercrime. As with any illegal, non-regulated economic activity, assessing to what degree such a structure is effective in motivating, encouraging and supporting criminal activities is not straightforward. In the past, Cormac Herley et al. analysed some of these black markets, and concluded (in a publication that we liked a lot (PDF)) that traders are nothing but scammers that scam wanna-be scammers. However, their analysis aimed at a subset of the underground black markets: the Internet Relay Chat (IRC) markets. These are unregulated, anonymous, feedback-less channels through which unaware “criminals” try to buy credit cards allegedly worth thousands of US Dollars for a few bucks.
But the black markets are not only about banking information and recycled credit cards. Attack tools such as exploit kits are traded in the cybercrime markets (see this report by Symantec), and these tools are reportedly responsible for 60% of the final user infections (as reported by Google (PDF)).
So, if those tools are available through the black markets, and are responsible for driving attacks against millions of computers worldwide, then maybe the black markets are not all scam machines for scammers.
To better understand the nature of these markets, we infiltrated many of them in the last years. We learned how these underground markets work, what the trade dynamics are, who the major players are, and what products, services and prices come along with the traded goods.
The above figure is an excerpt taken from one of the black markets we are studying. In red is a translation of the text for those who are not fluent in Russian (most of those markets are, in fact, run almost exclusively in Russian). In particular, this is the advertisement of an exploit kit that was very popular back in 2011 and mid-2012. The product description comes along with a list of vulnerabilities it can attack, prices and additional services that come along with the exploit kit.
We are now using this knowledge to understand, and consequently model, the economically empowered and motivated attacker. As a first step, we used our knowledge from the black markets to build a decision model that predicts under which conditions a potentially malicious player decides to be a criminal (and join the black markets) rather than a lawful person. Such a model can be an effective tool in the hands of policy makers, who can make policies and laws specifically oriented at discouraging black market participation.
RAND Corporation recently released a report on cybercrime activities, in which the University of Trento has been involved as a domain expert.
For more information on our models see our paper and/or contact us directly. For a deeper insight into the attack tools traded in the black markets (we are testing them!) see our Malware Analysis page in this wiki. If you are interested in what vulnerabilities are traded in the black markets, we are monitoring those as well. Make sure to check out the Predictive Models for Vulnerabilities section!
The following is a list of people who have been involved in the project at some point in time.