If the CHS attack made you wonder what someone would do with all that data, this report answers the question in systematic detail.
Cybercriminals not only steal personal records and sell them to other lawbreakers, they make and market the tools that others might use to steal records, the report explains.
For example, click through to the report’s page 14 (PDF) and look at the bar chart showing the number of new “exploit kits” being offered each year over the past nine years.
Since 2008, the growth in these tools of mayhem has been explosive.
Why is all this happening? To paraphrase Ronald Reagan, it’s “the magic of the markets.”
“The black market (for data) can be more profitable than the illegal drug trade,” the RAND authors say. “No one knows (or is willing to hazard a guess) how many people participate in this market. Similarly, few want to estimate how large the market is, although the general feeling is that it is large, and one expert noted that it generates billions of dollars, at the least.”
In recent years, as the black market in cybercrime matured, a segment of it integrated vertically, leveraging the Internet as have many other industries to expand its reach to buyers, sellers and producers globally, while opening up career opportunities across a range of skill levels.
“The organization structure already exists,” RAND researcher and report co-author Lillian Ablon said in an interview. “You’ve got your set rules and you know who you’re reporting to. Back in the day, these markets really were ad hoc. To do business, you had to know the person” you were dealing with, plus “you all had to have your technical chops.”
“Now,” Ablon said, “anyone can get in.”
There are job slots up and down the cybercrime organizational pyramid (See p. 6), with something for just about anyone, from mules handling the money on the bottom, to subject-matter experts developing and using the tools near the top, to administrators at the peak overseeing and coordinating it all.
The only prerequisite seems to be a willingness to break the law.
“If you are developing an exploit kit, you may have some smarts,” Ablon said, “but if you’re buying and selling credit card data, you may not need those smarts.”
According to its Securities and Exchange Commission filing on the incident, CHS pinned its cyberattack on a hacker group originating in China, one normally associated with the theft of intellectual property.
Ablon’s research points out that hackers from certain regions tend to go after certain types of information. Cybercriminals from Russia and the Ukraine, for example, focus on financial data while Chinese hackers often go for intellectual property, but those are only tendencies, Ablon said.
“We’re not saying there is not financial crime in China, or that Eastern Europeans are ignoring” intellectual property, she said. But the theft of 4.5 million records from CHS may have been merely an attempt by the hackers to salvage at least something from a failed attempt to find intellectual property.
“If you’re conducting a robbery, you’re going to take whatever you can find. The records are collateral damage in a sense where the end goal was something else,” Ablon said.
Follow Joseph Conn on Twitter: @MHJConn