The global cyber-crime-based economy has become a self-sustaining system and oversees the theft, laundering, spending, and reinvesting of £1.07 trillion by cyber-criminals across the globe, a study by security firm Bromium has revealed.
In recent years, cyber-crime has turned into a constantly shifting and evolving global menace which governments and organisations across the world are struggling to cope with. New malware variants are being created and unleashed at a pace much faster than the cyber-security community can get rid of existing ones.
At the same time, using experience gained from previous exploits, cyber-criminals are now using innovative tactics or a combination of tactics to infiltrate enterprise IT systems, to harvest data of millions of people, or to sabotage critical infrastructure firms or government bodies.
Despite losing billions to cyber-crime and suffering loss of reputation and the ability to sustain their operations, a lot of businesses still view cyber-crime as malicious activities carried out by certain groups of people to fulfill their political, ideological, or financial motives.
However, cyber-crime isn't just a formidable foe to governments, businesses, and privacy-conscious individuals, but is also a well-oiled global industry that fuels the theft, laundering, spending, and reinvesting of £1.07 trillion by cyber-criminals across the globe.
This revelation was made by security firm Bromium in an independent study that was commissioned to look into the interconnected dynamics of cyber-crime and to measure how cyber-criminals acquire illicit profits and reinvest their gains to carry on their trade. According to the Bromium study, cyber-criminals earn at least £1.07 trillion in revenue, which is equivalent to the GDP of Russia or the 13th highest GDP in the world.
Out of the £1.07 trillion earned by cyber-criminals, as much as £612 comes from illegal online markets, £356 million from the theft of trade secrets, £114 million from data trading, £1.14 billion from selling crimeware-as-a-service, and a little over £700 million from ransomware sales.
"Revenue generation in the cyber-crime economy takes place at a variety of levels – from large ‘multi-national' operations that can make profits of over $1 billion (£710 million); to smaller SME style operation where profits of US$ 30,000 (£21,420) - US$ 50,000 (£35,700) are the norm. There is now a growing interconnectedness and interdependence between both the illegitimate and legitimate economies," noted Bromium.
According to Dr Michael McGuire, senior lecturer in Criminology at the University of Surrey and the author of the report, “companies and nation states now make money from The Web of Profit. They also acquire data and competitive advantages from it, and use it as a tool for strategy, global advancement, and social control. There is a range of ways in which many leading and respectable online platforms are now implicated in enabling or supporting crime (albeit unwittingly, in most cases).”
Today's cyber-criminals are also exploiting vast platforms such as Uber, Facebook and Amazon to harvest data belonging to millions of people, to disseminate malware, to sell illegal goods and services, and to launder money. Because of their very presence, these vast platforms have now become facilitators rather than creators, letting people find value despite not producing anything themselves.
“The main contribution of platforms is to connect individuals with a service or product. The platforms produce nothing themselves in this process, but the end-user consumers provide platforms with the most precious of all commodities within an information-based economy – their data. We are now seeing the same thing in the cyber-criminal underworld,” said Dr McGuire.
The cyber-crime industry is so well-structured and well-managed that there are now a large number of websites run by cyber-criminals that offer ratings, descriptions, reviews, services, and even technical and customer support, thereby enabling smooth trading of cyber-weapons that can be used on a global scale.
In US dollar terms, such criminal websites are now selling zero-day Adobe exploits for up to US$ 30,000 (£21,400), zero-day iOS exploits for up to US$ 250,000 (£180,000), malware exploit kits for US$ 200 (£143) to US$ 600 (£428) per exploit, custom spyware for US$ 200 (£143) each, and SMS spoofing services at US$ 20 (£14) per month, and are offering hackers for hire at various rates.
"These platforms fuel industrial scale revenue generation, with their own sets of digital currencies and exchanges, production zones, tools supply, technical support, global distribution mechanism and marketplaces. They deal with specialised producers, suppliers, service providers and consumers," Bromium added.
Commenting on the report's findings, Andy Kays, CTO at Redscan, told SC Magazine UK that the figures and other details mentioned in the report provided yet more evidence of how pervasive cyber-crime has become.
"Only through improving our understanding of how criminals operate can we develop the tools and procedures needed to defend against them. The report says that the cyber-security industry should focus more on prevention, but this is only part of the way to mitigate risk - knowing how to detect and respond to threats to shut them down quickly and effectively is also extremely important," he added.