Cybercrime & underground economy: operating and business model


| More

This analysis aims to provide a light research of the operating and business models used in cybercrime and underground economy activities: while not aiming to be an exhaustive nor complete research, I would like our readers to get the “big picture” and understand how today’s cybercriminals have grown up, both from an organizational and business point of view.

First of all, it is important to define what we exactly mean with the term “cybercrime”.  Cybercrime is mainly related to the following, illegal activities, mainly carried out through the Internet media:

  • Phishing
  • Malware
  • Scams
  • DDoS attacks
  • Child pornography
  • Generic Porn
  • On-line games

Often, IP classes used by cybercriminals (i.e. RBN), share their illegal services on various IP address, as we can see from the following screenshot, related to a research carried on by David Bizeul

Now, once realised which are the services that cybercriminals must sell out, it is pretty easy to figure out their needs in order to be able to supply all the above and the requests from other cybercriminals and cybergangs:

  • Hosting services
  • Good bandwidth

Obviously, criminal organisations just cannot call up a given ISP asking them for a hundred hosting contracts, since “we must host child porn and some fake bank Web Front-End”….. This means that cybercriminals need other “add-ons” such as:

  • Anonymization
  • Laxism in closing websites
  • Lack of cybercrime laws
  • (possibly) interaction with other cybercriminals

Well….RBN was the answer. Even if most of the security researchers guess RBN it is dead, my personal opinion is that the original RBN’s “team” have just been “unpacked”  into tens of smaller cybercrime groups, making even harder for Law Enforcement to track them down. IMU is just another example of a “cybercrime ISP”, including its own “dark links” with third-party companies.

RBN acted for some years as The Internet Service Provider for Cybercrime actions, delivering all kind of black-services to the whole world. The scheme shown below, grabbed from David Bizeul’s excellent research paper, shows the modus operandi proper of RBN.

In order to achieve all of the above goals, actions and crimes, a cybercrime organization must take the following steps:

Building the base: Malware and Botnets

Here the crime team builds the “tools” and the electronic weapons they will need in order to execute the crime cyber-actions. This mainly means creating the malware, often (ab)using of already-existing vulnerabilities – just has it happened with the most famous worms in the recent past, or with the China attacks towards Google and US Government agencies – or, in some other, few and mostly rare cases, developing and/or acquiring from the Black Market 0-days vulnerabilities. Often, the real job is done modifying already-existing vulnerabilities, so that antivirus and other defense tools will not be able to spot the on-going attack. Talking about Botnets, quite the same approach applies here as well: attackers may set up the Botnet on their own, rather than buying hours from already-existing Botnet infrastructures, at very cheap prices even!

Identity Theft

In this second step, attackers will run massive phishing attacks (or other kind of tricks, with the sole goal to steal IDs for different purposes), automated worms (i.e. on Facebook, Twitter, etc). A recent trend we have found is the one to exploit unknown (“fresh”) vulnerabilities on Social Networks, so that in this way the attackers may be able to gain thousands of IDs with a single attack action.

Identity thefts may range from zoomed, intentional and highly planned financial information thefts, rather than personal information theft, that would be used in order to achieve different goals from the above ones (meaning: fake credit requests, applying for ATMs and Credit/Debit Cards under a fake identity, etc..).

In the last months we’ve observed a very focused activity on e-banking information, with a couple of worms written explicitly with this goal in mind. A very recent example is Mariposa (“Mariposa worm”), a Russian botnet written in order to collect financial credentials and information from the infected PCs (see:;prev_next=prev)

e-crime execution

Once the tools are built and the botnets are working properly in order to steal IDs, the bad guys need to run e-banking attacks – using the stolen credentials – and frauds/scams, such as on eBay. On my opinion this third step is the most important one, and it should be deeply investigated. In fact, “e-crime execution” can be run in tons of different ways, including “old-school” schemes such as Credit Requests, using the new chances offered by today’s IT, tough. What I mean is that this part should be really exploded and carefully analyzed, in order to gain much more knowledge of all the existing, available options for cybercriminals.

Money Laundering

Here we go, the last but not least step…transforming all of those data into real money, without being caught. For sure this step is important as well, just like the previous one, since it’s among the less explored among security researchers, while the traditional “counter-fraud” and “anti money-laundering” already-existing departments in financial institutions often lack of real in-house knowledge when related to latest IT and ICT money-laundering techniques, aka “cyber laundering”.

In any case, in this last step the cybercriminals set up money-laundering networks, that may act in different ways, while relaying on different actors and criminal profiles. For example, during the world-famous 9.5 Million USD thief run by 4 hackers at RBS WorldPay, also known as “The International Carding Ring”, or the “TJX hack” run by Albert Gonzalez and its associates  the cybercriminals used hundreds of “mules” from all over the world.



The Mules or “e-mules” issue is a big problem, strongly supported somehow by the global economical crisis and breakdown all the countries of the world are experiencing. This leads to more and more people that, intentionally or not, may accept to became an e-mule, laundering money than sending it to places such as Russia, Ukraine and so on, directly in the hands of the cybergangs.

In order to let our readers gain a better understanding of how complex is the “ecosystem” of cybercrime, I’m adding the next scheme as a gold-mine. In fact, this is referred to a carding web site, where subscribers sell and buy stolen credit card information (as well as identities, banking credentials, etc.). As we can see, the structure is really complex and being a Member of a given cybercrime portal simply means that you are at the beginning of a scale-pyramid, that sees over the top the real Administrators of the crime web site. Among them, we can see as well the Trial Vendors and the Reviewed Vendors (that means, an important status in the crime-ecosystem), then jumping to the reviewers (1st level of Site Management), moderators , global moderator(s) and the real owners (possibly?), meaning the administrators.

Bringing all the above to a criminal scheme would just look like this:

So the actors we can see are mainly:

  • Hackers, Coders and Scammers, working on phases 1, 2 and 3;
  • Providers, e-launderers and e-mules, working on phases 3 and 4;

A centralized “brain”, one or more human minds, taking care of the two groups of actors and supervising all the phases.

(bottom line), the Underground Economy itself, meaning trading in stolen goods and information, malware, tools, expertise and skills.

After RBN, the technical approach kept quite the same, while we can find an extremely important, while small, difference with the previous scheme:

Right now what we have, with or without “RBNs” around us, is the fact that those 3 actor’s groups just became a single entity, coordinated and acting like a unique and single mind: the cybercrime organization model.


I hope this article may help out those security researchers, Law Enforcement Officers, Agencies, public and private Institutions in order to better understanding thus fighting nowaday’s cybercrime.

What I do expect to observe in the next months will be a total raise up of cybercrime actions, pushing more and more on 0-days vulnerabilities, social networks and mobile users (handsets) exploiting. The rule is always one and it’s pretty easy: trust no one.