Tuesday, June 30, 2020

Taking down 'the Amazon of cybercrime' - a look inside a dark web story

Ads for websites that sell stolen payment card data and online accounts

Back in March, 2020, as the coronavirus pandemic began to dominate the news, one cybercrime story seemed to get washed aside by the rising tide of COVID-themed cybercrime attacks: the taking down of the 'Amazon.com of cybercrime.' I'm fairly sure that, in more normal times, more people would have paid more attention to this headline:
The FBI arrested the alleged hacker behind the 'Amazon.com of cybercrime,' which it says sold $17 million worth of stolen accounts for Gmail and other sites
For me, there were several reasons to smile when this headline appeared, not the least of which was the fact that it represents a very positive step forward for law enforcement in the ongoing effort to rein in cybercrime, an effort I have tried to support for many years.

On top of that, I happen to know Special Agent Brian Nielsen, whose very impressive work is cited in article and in the criminal complaint filed in US District Court in San Diego. The complaint named Kirill Victorovich Firsov as "a Russian cyber hacker, and the administrator of the Deer.io cyberplatform,"

Firsov was arrested on a Sunday night in March at JFK Airport and the complaint was unsealed the next day (a PDF of the complaint is here and if you look at the timing it suggests there was some very fast and skillful foot work by the San Diego feds).

However, the aspect of this headline that really put a smile on my face was the term Amazon.com of cybercrime. This way of characterizing dark web crime markets—like those that Firsov enabled—is something that I came up with in 2018; for example, see this article: Next Generation Dark Markets? Think Amazon or eBay for criminals.

When journalist Jeff Elder from Business Insider called me about the Firsov arrest I used that same characterization. Jeff obviously found it helpful because the article began like this: "When the FBI arrested the alleged leader of an illegal online marketplace last week, they may have made a small dent in what one expert calls "the Amazon.com of cybercrime."

That expert was me. You can read the article here (apparently MSN has a "reprint" arrangement with Business Insider—the article is now pay-walled on the latter's site). This is the part that cites me directly:

"This is the Amazon.com of cybercrime, with easy-to-use, easy-to-access availability and participation – as a buyer or vendor," says independent threat researcher Stephen Cobb, who previously tracked illegal marketplace activity for Eset, a cybersecurity company.

Apart from Eset being ESET, Jeff was true to our conversation and the point I was trying to make. My efforts were undoubtedly bolstered by the fact that I had prior experience—from early 2019—covering this topic with another journalist, Kai Ryssdal from Marketplace on NPR. That meant I had quite a bit of "evidence" that I could share with Jeff. Like this screenshot of an online market, annotated here for educational purposes:

As you can see, markets like this make buying stolen payment card data as easy as buying something on eBay or Amazon. And of course, they provide an easy way for the criminals who do the data stealing to monetize their operations. Like any well-organized market there are incentives—like seller and product ratings—to ensure that shoppers get good products at competitive prices.

These Amazon-style mechanisms help to explain how a bunch of criminals can buy and sell things without ripping each other off, as does the use of digital currency and an escrow system. The marketplace provider withholds payment to the seller until the buyer gets the goods and approves them.

By charging a fee for escrow and other services, the marketplace provider stands to generate considerable revenue while maintaining a semblance of respectability as "merely enabling commerce." (That is just one of many ethical cop-outs that help to sustain cyber-criminal activity.)

Flashback: Kai goes to the Amazon (of cybercrime)

So, how did I end up to talking to journalists about dark markets like this? Journalists who cover breaking news like to talk to people who are considered experts in the field of human endeavor to which the news pertains. Some experts welcome such conversations as an opportunity to provide context and clarity to complex topics, thus helping to broaden understanding of such topics.

If the expert happens to be self-employed and short of funds for marketing and PR, this interaction can be mutually beneficial. It can also be helpful to companies who are interested in "educating the market" for their products, which is why ESET—a maker of security software—was happy for me to work on this when I worked there (disclaimer: I no longer work for ESET and have zero financial ties to the company; I think they make good products but I know I make no money if you buy them).

The radio piece that I did with Kai Ryssdal about the business of cybercrime and the online markets that support it was skillfully orchestrated by Maria Hollenhorst. A lot of preparation was needed to produce a segment that was relatively short, but full of information. I thoroughly enjoyed working on it and was very impressed with how quickly Kai saw what I was hoping he would see: that the dark web enables "crime as a business enterprise," complete with Amazon and eBay style marketing techniques. So please enjoy listening to: Ever wondered what the dark web is like?