Home / Blogs

Cyber Crime: An Economic Problem

During ISOI 4 (hosted by Yahoo! in Sunnyvale, California) whenever someone made mention of RBN (the notoriously malicious and illegal bulletproof hosting operation, the Russian Business Network) folks would immediately point out that an operation just as bad was just “next door” (40 miles down the road?), working undisturbed for years. They spoke of Atrivo (also known as Intercage). The American RBN, if you like.

In fact, while many spam operations use botnets and operate all around the world, a lot of the big players own their own network space and operate hosting farms, which are constant and “legitimate”, right in the US—for years now.

While we may not be able to make contact and mitigate incidents in some countries, these operations inside the United States of America run undisturbed. They register thousands of domain names every day and fuel a whole economy, starting with spam continuing with phishing, malware and DDoS attacks, and ending in child pornography and more spam.


For years the Internet has become increasingly “dirty”. It isn’t just about the thousands and millions of concurrent security incidents (automated, malicious code-based and other) happening every minute of every day.

It isn’t even about the next stage, the botnets and massive fraud attacks. It’s about the problem not changing. The Bad Guys (TM) or miscreants as some of us tend to call them (I prefer criminals) are a business. They have R&D, operations, outsourcing and so on. They collect statistics to make sure their revenue stream is maintained, and act to rectify the situation if it isn’t.

They (ab)use the Internet for their business, but have shown, in old Russian war style, that if you go against them, they are not afraid of destroying this revenue stream called the Internet. Scortched Earth is an acceptable strategy. The criminals established a working deterrence on the Internet, as unlike us, they are willing and capable of using their power, to let the Internet go (root server attacks, Blue Security incident, etc.).

To change this equation the first realization we had was that this is an economic problem.

Changing the economic equation

To impact their business you have to change how they treat it. This comes down to a basic cost vs. benefit calculation:

  • Cost (earning less or spending more)
  • Benefit (earning more or losing less)

Meaning, if it costs them one cent to send out 10 million spam messages, they are already spending more than they should. If they only earn a million USD a day, they are behind schedule for their quarterly revenue goals. Asymmetrical much? :)

Anecdote: some UK banks lose over a million POUNDS each and every DAY during phishing and banking malware attack waves.

We used to be able to impact their cost by “killing” their botnets, or making sure phishing sites stayed “on the air” for less time.

They have contingencies, design and operations to ensure they are never “down”. They register domains for use just for a few minutes, and then discard them. Their botnets immediately jump to a new location if one “goes down”, if it wasn’t just a temporary location to begin with.

Graceful degradation is terminology not reserved just for the house of representatives.

This is not always true. When “bullet proof” hosting is found, they don’t need to jump around. Example, some phishing sites hosted on Atrivo’s IP space have been up and running since early 2007.

By taking down malicious sites, or as we like to call it, whack-a-mole (it just pops up somewhere else) we played the game, and they got better at what they did—they evolved.

The answer was: law enforcement. If the RISK factor became high enough, we could change the economics of the problem space.

Unfortunately, while having good intentions and good people, law enforcement is:

  • Considerably under-staffed
  • Hardly able to communicate inside the US
  • Barely able to communicate with agencies in other countries
  • When able to communicate, it often takes up to a year (unless they go off the books and talk to the folks directly rather than through Interpol)
  • When successful, often takes years (more than two) to build a case
  • Then, success is rare in comparison to the number of incidents

So what are we to do?

Law enforcement vs. maintaining our networks

At some point every network operators comes to this fork in the road. “Do I maintain my network and kick this SOB off my network, or wait for law enforcement?”

The answer should be self-evident by now, best intentions included.

This ties back in to the current situation with Atrivo / Intercage, which we will discuss later.


By Gadi Evron, Security Strategist

Filed Under


I mentioned the economics part of it in a couple of papers I wrote .. Suresh Ramasubramanian  –  Sep 7, 2008 1:58 AM

But what I’d regard as a definitive study on the economics of malware - by Professors Johannes Bauer of MSU and Michel van Eeten of TU-DELFT - is at http://www.oecd.org/dataoecd/53/17/40722462.pdf

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign