The money keeps pouring in: underground economy is a boom industry

G Data takes a detailed look at the structure of the black market

09/08/2009 | Bochum 

How does the black market work? What is traded? Who are the players and how do networks spread across the world communicate? G Data Security Labs experts looked into these and many other questions and spent several months hooked into illegal trading platforms and eCrime discussion boards. Their conclusion: just like real economic systems, the underground economy works in widespread manufacturer networks with sophisticated distribution methods and marketing strategies. G Data takes a close look at this economic circle in a new white paper, "Underground Economy".


"To carry out this research we delved deep into the structure of organised online crime. The community is spread all over the world, is well organised and is completely anonymous. Criminals operate in accordance with strict economic principles with clear emphasis on maximising profit. This market is also defined by supply and demand, meaning that so-called 'poor dogs' are quickly removed from portfolios. Boards are hosted by bullet proof providers," explains Ralf Benzmüller, Head of G Data Security Labs. "Trading platforms are often specialised, meaning that some operators trade exclusively in stolen credit card data and provide a service in transferring the stolen data to falsified credit card media."


Trading forums – Marketing –Services

The range of goods and services on offer in the Black Markets is vast and includes services such as computer viruses, botnet rental and cyber attacks on competitors or companies. The community's bread and butter is DDoS attacks, spam mailing, trade in stolen credit card data with a seal of quality, or hardware for prospective bank robbers.



Tab. 1:
Example of goods and services being traded (see white paper for more information)


Competition between providers is stiff. The pricing pressure appears to be immense with services in particular. Hence some syndicates provide e.g. DDoS attacks on webservers for just €10 per hour or €50 per day. However, price is far from the only marketing instrument used by the criminals. Advertising distributors have also been set up to create and post advertising banners, including service providers who look after the design, programming and web hosting. There are even store solutions for underground products and services. "Special offers, volume discount levels, guarantees, customer loyalty programs and advertising are also very commonplace. Dedicated supplier markets have even been developed for more recent services," says security expert Ralf Benzmüller.


Online advertising: Banner for DDoS attacks:


But services for online criminals go beyond even this, including consulting services for start-ups for an appropriate fee. These seem to offer regular mentoring programs that include moderated beginners forums, instructions and video tutorials. The criminal services offered by those who operate trading platforms even go as far as clearing payments and transferring money from bullet proof providers.


Communication channels and payment systems
Direct communication within this community is usually via Instant Messaging services such as MSN, ICQ, Yahoo Messenger or Jabber. For initial contact, cyber criminals will frequently access the private message functions that are available on all boards. Another service used by this community is Internet Relay Chat (IRC). Its diversity and lack of monitoring makes it an ideal platform for the underground community. Chat takes place here almost in real time. This makes it possible to bring multiple thousands of users together in a single chat room.

There is more information available in the G Data white paper "Underground Economy" on the right side of this side under "Attached Files".


Thorsten Urbanski