The Economist also picks up on the "bursting the bubble" paper from Florencio & Herley:
BIG numbers and online crime go together. One well-worn assertion is that cybercrime revenues exceed those from the global trade in illegal drugs. Another nice round number is the $1 trillion-worth of intellectual property that, one senator claimed earlier this year, cybercriminals snaffle annually.
It is hard to know what to make of these numbers. Online crooks, like their real-world brethren, do not file quarterly reports. In the absence of figures from the practitioners, experts tend to fall back on surveys of victims, often compiled by firms that sell security software. These have a whiff of self interest about them: they are the kind of studies that get press released but not peer reviewed.
A paper by two researchers at Microsoft, Dinei Florencio and Cormac Herley, shows why: because losses are unevenly distributed. ....
So, if the existing numbers are bad (as I posted), where are the good cybercrime numbers? And, of course, how to better measure the real cost of cybercrime?
Well, one way to find better numbers is to ask the criminals. But, this is also flawed. For a start, this only measures their take, not the cost to the victim, which can often be out by a factor of 10:1. Also, "Online crooks, like their real-world brethren, do not file quarterly reports."
Notwithstanding these flaws, it may be better than surveys. And some results are in:
In the latest instalment of a mammoth four-year exercise Chris Kanich of the University of California, San Diego, and colleagues tracked around 20 outfits that use spam to advertise illegal online pharmacies. First they secretly monitored the spammers’ payment systems. Then they obtained logs from one of the servers that power the illegal pharmaceutical sites. They even ordered (and—perhaps surprisingly—received) some of the non-prescription drugs on sale.
Their findings suggest that only two of the 20 or so operators bring in $1m or more per month. The criminals behind fake security software appear to reap similar rewards, say Brett Stone-Gross and colleagues at the University of California, Santa Barbara. Their study, due to be presented at next month’s eCrime 2011 conference in San Diego, puts the annual revenue of each criminal group at a few tens of millions of dollars. As with Mr Kanich’s study, it is not clear how much of this is profit.
OK, so we can guesstimate that each sector (grey market pharma, and grey market anti-virus, or whatever we call the vendors of fake security software to differentiate them from the vendors of exaggerated security software) can do maybe 100m per annum across the whole sector, assuming a normal industry distribution in a market with free entry.
Which might suggest that phishing is also capped at around that number: 100m per annum across all players. Or might not... Have we got a better number?
Such hauls fall well short of extravagant claims from the security industry that some spammers make millions every day. Stefan Savage, Mr Kanich’s PhD supervisor, says that the security industry sometimes plays “fast and loose” with the numbers, because it has an interest in “telling people that the sky is falling”.
Say hallelujah to that! I'd say the jury is still out, one paper is not enough, and their conclusions aren't easy to extrapolate from. But $100m might be a closer number than a billion.
Posted by iang at November 13, 2011 04:21 AM