Home / Blogs

Cyber Crime: An Economic Problem

Gadi Evron

During ISOI 4 (hosted by Yahoo! in Sunnyvale, California) whenever someone made mention of RBN (the notoriously malicious and illegal bulletproof hosting operation, the Russian Business Network) folks would immediately point out that an operation just as bad was just "next door" (40 miles down the road?), working undisturbed for years. They spoke of Atrivo (also known as Intercage). The American RBN, if you like.

In fact, while many spam operations use botnets and operate all around the world, a lot of the big players own their own network space and operate hosting farms, which are constant and "legitimate", right in the US — for years now.

While we may not be able to make contact and mitigate incidents in some countries, these operations inside the United States of America run undisturbed. They register thousands of domain names every day and fuel a whole economy, starting with spam continuing with phishing, malware and DDoS attacks, and ending in child pornography and more spam.


For years the Internet has become increasingly "dirty". It isn't just about the thousands and millions of concurrent security incidents (automated, malicious code-based and other) happening every minute of every day.

It isn't even about the next stage, the botnets and massive fraud attacks. It's about the problem not changing. The Bad Guys (TM) or miscreants as some of us tend to call them (I prefer criminals) are a business. They have R&D, operations, outsourcing and so on. They collect statistics to make sure their revenue stream is maintained, and act to rectify the situation if it isn't.

They (ab)use the Internet for their business, but have shown, in old Russian war style, that if you go against them, they are not afraid of destroying this revenue stream called the Internet. Scortched Earth is an acceptable strategy. The criminals established a working deterrence on the Internet, as unlike us, they are willing and capable of using their power, to let the Internet go (root server attacks, Blue Security incident, etc.).

To change this equation the first realization we had was that this is an economic problem.

Changing the economic equation

To impact their business you have to change how they treat it. This comes down to a basic cost vs. benefit calculation:

  • Cost (earning less or spending more)
  • Benefit (earning more or losing less)

Meaning, if it costs them one cent to send out 10 million spam messages, they are already spending more than they should. If they only earn a million USD a day, they are behind schedule for their quarterly revenue goals. Asymmetrical much? :)

Anecdote: some UK banks lose over a million POUNDS each and every DAY during phishing and banking malware attack waves.

We used to be able to impact their cost by "killing" their botnets, or making sure phishing sites stayed "on the air" for less time.

They have contingencies, design and operations to ensure they are never "down". They register domains for use just for a few minutes, and then discard them. Their botnets immediately jump to a new location if one "goes down", if it wasn't just a temporary location to begin with.

Graceful degradation is terminology not reserved just for the house of representatives.

This is not always true. When "bullet proof" hosting is found, they don't need to jump around. Example, some phishing sites hosted on Atrivo's IP space have been up and running since early 2007.

By taking down malicious sites, or as we like to call it, whack-a-mole (it just pops up somewhere else) we played the game, and they got better at what they did — they evolved.

The answer was: law enforcement. If the RISK factor became high enough, we could change the economics of the problem space.

Unfortunately, while having good intentions and good people, law enforcement is:

  • Considerably under-staffed
  • Hardly able to communicate inside the US
  • Barely able to communicate with agencies in other countries
  • When able to communicate, it often takes up to a year (unless they go off the books and talk to the folks directly rather than through Interpol)
  • When successful, often takes years (more than two) to build a case
  • Then, success is rare in comparison to the number of incidents

So what are we to do?

Law enforcement vs. maintaining our networks

At some point every network operators comes to this fork in the road. "Do I maintain my network and kick this SOB off my network, or wait for law enforcement?"

The answer should be self-evident by now, best intentions included.

This ties back in to the current situation with Atrivo / Intercage, which we will discuss later.

By Gadi Evron, Security Strategist. More blog posts from Gadi Evron can also be read here.

Related topics: Cyberattack, Cybercrime, Cybersecurity, DDoS, Law, Malware


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


I mentioned the economics part of it in a couple of papers I wrote .. Suresh Ramasubramanian  –  Sep 06, 2008 6:58 PM PDT

But what I'd regard as a definitive study on the economics of malware - by Professors Johannes Bauer of MSU and Michel van Eeten of TU-DELFT - is at http://www.oecd.org/dataoecd/53/17/40722462.pdf

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services


Sponsored by Verisign

IP Addressing

Sponsored by Avenue4 LLC

Promoted Post

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?