Abstract
Malicious software is increasingly used by hackers and attackers in order to acquire sensitive information and compromise various systems. The sophistication of these tools has increased to such a point that individuals now sell various programs and services through electronic markets where data can be bought and sold. There is, however, minimal research examining the social dynamics that structure the relationships between buyers and sellers and the nature of the market dynamics overall. This study addresses this gap in the literature through a qualitative investigation of a sample of threads from 10 publicly accessible Russian web forums that facilitate the distribution of malware and attack tools. The findings indicate that price, customer service, and trust influence the relationships between actors in this market and influence the nature of exchanges in these forums.
Examining the Forces Shaping Cybercrime Markets Online
As technology increasingly permeates all facets of modern life, the risks posed by computer hackers have risen dramatically due to their ability to steal information, compromise sensitive networks, and establish launch points for future attacks (Brenner, 2008; Chu, Holt, & Ahn, 2010; Computer Security Institute, 2009; Denning, 2011; Holt, 2007; Holt & Lampke, 2010; Wall, 2007). Many of these attacks stem from computer hackers living in China, Russia, and Eastern Europe who utilize malicious software, or malware, to automate various aspects of an attack (Brenner, 2008; Chu et al., 2010; Dunn, 2012; Holt, Soles, & Leslie, 2008; Taylor, Fritsch, Liederbach, & Holt, 2010). Malicious software, including viruses, trojan horse programs, and other tools, simplifies or automates portions of a compromise, making it possible to engage in more sophisticated or complex intrusions beyond the true skills of the attacker (Brenner, 2008; Computer Security Institute, 2009; Holt & Kilger, 2008; Taylor et al., 2010). In addition, the emergence of botnet malware, which combines multiple aspects of existing malware into a single program, enables hackers to establish stable networks of infected computers around the world (Bacher, Holz, Kotter, & Wicherski, 2005; Cooke, Jahanian, & McPherson, 2005; Ianelli & Hackworth, 2005; Rajab, Zarfoss, Monrose, & Terzis, 2006). In turn, botnets can be used to engage in the distribution of spam, denial of service attacks, and network scanning (Bacher et al., 2005; Choo, 2007).
The losses associated with malicious software infections and theft are massive, due in part to the costs to remove these programs from a network, declines in productivity among employees and computer systems, and customer apprehension about compromised web pages or online resources (Symantec Corporation, 2003; Taylor et al., 2010). For example, U.S. companies that participated in a recent Computer Security Institute survey (2009) reported losing an average of $40,000 per respondent due to viruses and $400,000 due to another form of malware called botnet infections. Furthermore, the risk of malicious software is difficult to mitigate, as almost 25% of personal computers around the world that use a variety of security solutions have malware loaded into their memory, compared with 33.28% of unprotected systems (PandaLabs, 2007). Thus, malware infection poses a significant threat to Internet users around the globe.
At the same time, malware exists in a nebulous legal space, as there are no specific laws against the creation of malicious software programs. Individuals in both the security community and the malicious hacker underground create tools in order to help identify and exploit flaws in software (Gordon & Ma, 2003; Holt & Kilger, 2008; Holt et al., 2008; Taylor, 1999). The use of these tools in actual network settings without permission from the system owner is, however, illegal. Thus, individuals who write malicious code and sell it to others may have minimal legal culpability for the way that it is implemented (Brenner, 2008). Furthermore, the lack of standards for cybercrime legislation has enabled the formation of safe havens where malware writers and hackers can operate with minimal risk of extradition and prosecution (Brenner, 2008; Taylor et al., 2010). For instance, individuals sell services to host malicious software and pornographic materials in Malaysia and other parts of southeast Asia where there are reduced legal risks for the buyers, sellers, and operators (Chu et al., 2010).
The significant role and utility of malicious software in cybercrimes has led to a substantial body of research considering technical solutions to reduce their efficacy (Bacher et al., 2005; Cooke et al., 2005; Ianelli & Hackworth, 2005) or identify the factors affecting the likelihood of infection (Bossler & Holt, 2010; Choi, 2008). A smaller body of research has, however, considered the social factors that influence the creation, distribution, and use of malware in the hacker community (Chu et al., 2010; Gordon, 2003; Gordon & Ma, 2003; Holt et al., 2008). For instance, the evolution of malware and the growth of sophisticated attack infrastructures via botnets in the computer underground have revolutionized cybercrime and hacking. An online marketplace has emerged in forums and Internet Relay Chat (IRC) for the sale and distribution of malicious software, stolen data, and hacking tools that enable less skilled actors to gain direct access to services that extend their abilities (Chu et al., 2010; Franklin, Paxson, Perrig, & Savage, 2007; Holt & Lampke, 2010; Motoyama, McCoy, Levchenko, Savage, & Voelker, 2010).
Examinations of these online markets indicate that hackers can now buy and sell resources to facilitate attacks or sell information acquired through a compromise. In fact, hackers regularly sell credit card and bank accounts, PIN numbers, and supporting customer information obtained from victims around the world in lots of tens or hundreds of accounts (Chu et al., 2010; Franklin et al., 2007; Holt & Lampke, 2010; Motoyama et al., 2010; Thomas & Martin, 2006). Individuals also offer cash out services to obtain funds from electronic accounts or automated teller machines offline, as well as checking services to validate whether an account is active and any available balances. Spam and phishing related services are also available, including bulk e-mail lists to use for spamming and e-mail injection services to facilitate responses from victims (Chu et al., 2010; Franklin et al., 2007). Some sellers also offer Distributed Denial of Service (DDoS) services and web hosting on compromised servers (Chu et al., 2010; Franklin et al., 2007; Motoyama et al., 2010).
These studies clearly demonstrate the burgeoning marketplace for hacking tools and stolen data, and offer some insights into the costs of goods and services. Few studies have, however, considered the social structures and relationships that affect the malware marketplace and the nature of buying and selling cybercrime services in a virtual environment (see Chu et al., 2010; Holt & Lampke, 2010; Motoyama et al., 2010). In addition, most of these studies utilize English language discussions within IRC channels (Franklin et al., 2007; Motoyama et al., 2010; Thomas & Martin, 2006) or forums (Holt & Lampke, 2010). As a result, there is generally little knowledge of the ways that foreign markets operate, especially those in nations that engage in high rates of cybercrime. In particular, Russian actors account for an overwhelming proportion of all losses associated with cybercrimes across the globe, whether related to malware, spam, or other attacks (Dunn, 2012; Symantec, 2012). Thus, there is generally little information on the way in which markets and forces may vary based on the language or location of participants (Chu et al., 2010; Holt & Lampke, 2010).
In order to address this gap in the literature, this study will explore the normative orders of the malware market using a qualitative analysis of a series of threads from publicly accessible Russian web forums that facilitate the creation, sale, and exchange of malware and cybercrime services. The findings suggest that malware markets are influenced by three factors: price, customer service, and trust. In turn, the results provide insight into the effects of malware markets on cybercrime and hacking generally. Policy implications for law enforcement intervention are also discussed.
Data and Method
The data for this study were derived from a sample of 10 publicly accessible web forums; six trade in bots and other malicious code, while four provide information on programming, malware, and hacking. These data were collected using a snowball sampling procedure in fall 2007 and spring 2008. Specifically, two English language forums were identified through google.com using the search term “bot virus carder forum dump.” This is a standard technique used by social scientists to collect qualitative data online in order to obtain a wide sample of prospective sites (Holt, 2007, 2010; Silverman, 2010). After exploring the content of publicly accessible threads from these two sites, six other Russian language forums were identified via web links provided by forum users. Four additional Russian language forums were identified through links provided in these sites to create this sample of 10 forums. Thus, a sample of threads from each of these forums was examined by a native Russian-speaking research assistant to ensure the content was focused on the sale and exchange of malware. Seven of these forums focus exclusively on either open sales or requests for malicious software, hacking tools, cybercrime services, and stolen data. The remaining four forums provide a mix of sales, information sharing, and resources to facilitate hacking and malware creation. The names of each forum and the participants have been removed to maintain some confidentiality for the participants and forum operators (Blevins & Holt, 2009; Holt, 2010; Holt, Blevins, & Burkert, 2010).
Within these forums, all of the available publicly accessible threads were downloaded and saved as web pages. There was a significant volume of information obtained, though the first 50 threads from each forum were translated from Russian to English to assemble a convenience sample of threads. A certified professional translator was identified who translated the first 50 threads from eight of the 10 forums. Additionally, 25 threads from forum 06 and 21 threads from forum 05 were translated. Due to the substantive use of technological jargon and hacker argot evident in these sorts of forums (Holt, 2010; Holt & Lampke, 2010), a dictionary of terms was created and provided to the translator to give some familiarity with key terms that may appear, such as “dumps” and “fullz.” The professional translator was also extremely technologically proficient and worked with technical documents regularly, making his recognition of jargon and prospective hacker slang quite high. Thus, the linguistic learning curve for the translator was quite short relative to others who may have little exposure to the conversations present in these forums.
Due to limited translator availability and duplicate translations in some of the forums, a native Russian graduate student was identified who translated additional content. This student translated an additional 150 threads from forums 03 and 04, and an additional 138 threads from forum 05. These three forums were selected for further analysis as they were very active and provided greater detail on the activities and practices of actors within malware markets. Duplicate threads were translated to determine interrater reliability, which appeared high across the two translators.
A total of 909 threads were derived from this convenient, yet purposive sample of 10 forums. The threads were composed of 4,049 posts, which provided a copious amount of data to analyze (see Table 1 for forum information). Moreover, the forums had a range of user populations from only 35 to 315 users. These threads span a 4-year period from 2003 to 2007, though the majority of threads were from 2007. In addition, these forums provide a substantive representation of malware and hacking markets since 630 of the 722 ads featured language soliciting or selling tools, services, or data that could be used to engage in cybercrime or some other illegal activity (see Table 2 for composition of products sold). The majority of these posts were sales related (73.1%), rather than purchase related (22.8%). The remaining 91 (13%) requests were related to a variety of other legitimate or gray market jobs in programming, web design, or the sale of hardware, software, e-mail accounts, and file-sharing service accounts. Given that 87.3% of the requests in these sites were related to tools and services to facilitate cybercrime, this analysis will focus in depth on these items, using quotes from the data where appropriate.
Table 1. Descriptive Data on Forums Used.
Table 2. Resources Offered in Hacker Forums.
It is important to note that this data may not accurately reflect the current products or overall climate of malware markets due to its age. A range of new tools and products have emerged over the last 5 years due to the adoption of new technologies and platforms (Symantec, 2012), which may alter the shape of the marketplace. At the same time, malware markets are still operating and thriving, particularly in Russia and Eastern Europe (Dunn, 2012; Symantec, 2012). As such, it is imperative that researchers document changes in cybercrime market operations over time to provide baseline metrics of the shape and structure of the market (see Holt & Lampke, 2010). The findings of this study can provide a precedent for future research to document shifts and changes in the market over time. In turn, research can better understand how cybercrime markets change as a consequence of shifts in computer security protocols or law enforcement interventions (Chu et al., 2010; Franklin et al., 2007).
The subcultural values and norms that structure the market and relationships between actors were assessed using grounded theory methodology (Corbin & Strauss, 1990) and the concept of “normative orders” (Herbert, 1998, p. 347). Normative orders are a “set of generalized rules and common practices oriented around a common value” (Herbert, 1998, p. 347). An order “provide[s] guidelines and justifications” for behavior, demonstrating how subcultural membership impacts actions (Herbert, 1998, p. 347). This gives a dynamic view of culture, recognizing that individual behavior can stem from individual decisions as well as through adherence to subcultural values. Normative orders also provide for the identification of informal rules considered important by members of the subculture because of the values they uphold. Furthermore, this frame allows the researcher to recognize conflicts in the subculture based on the presence of contradicting orders (Herbert, 1998).
Herbert (1998) provides little guidance on how to actually measure normative orders, but identifies them through qualitative examination and consideration of the attitudes, beliefs, and perceptions individuals hold about their behaviors as demonstrated through verbal and nonverbal communication. Multiple studies have utilized ethnographic and qualitative research techniques to analyze the normative orders of various subcultures using web forums and other online content, including computer hackers (Holt, 2007), the customers of prostitutes (Blevins & Holt, 2009), data thieves (Holt & Lampke, 2010), and pedophiles (Holt et al., 2010). This study proceeds in the same fashion through the use of grounded theory methodology to identify normative orders through hand coded analyses (Corbin & Strauss, 1990).
Grounded theory analyses utilize a three-stage inductive methodology that is particularly useful as it permits the researcher to develop a thorough, well-integrated examination of any social phenomena (Corbin & Strauss, 1990). Any concepts found within the data must be identified multiple times through comparisons to identify any similarities (Corbin & Strauss, 1990). In this way, findings are validated by their repeated appearances or absences in the data, ensuring they are derived and grounded in the data. For example, terms such as trustworthy, reputable, or cheat were labels used to identify different sellers within these forums (see also Holt & Lampke, 2010). Specifically, posters’ repeated negative or positive comments relating to their thoughts and opinions on a particular seller or product were used to identify the key values that structure relationships between prospective buyers and sellers in the market. This strategy is used to structure the analysis, with examples and quotes from the data where appropriate.
Market Processes
In order to understand the normative orders that shape cybercrime markets, it is necessary to first consider the structure of the market as a whole. The forums identified in this study comprised an interconnected marketplace composed of unique threads that create an open advertising space. Individuals created threads posting their products or services to the rest of the forum (see Chu et al., 2010; Holt & Lampke, 2010; Motoyama et al., 2010). Alternatively, posters could describe in detail what they were interested in buying or acquiring on the open market. Both buyers and sellers provided as thorough a description of their products or tools as possible, including contact information, pricing information, and payment methods. This was demonstrated in a post by statement who offered databases for spam and identity theft:
I’m selling databases of postal clients for 700thous users 20WMZ, for 15 thousand users 7 WMZ (mail address_login_password). Spam database for 1 mil users for 15 WMZ, 700thou users 10WMZ. . . Payment by webmoney
As noted in the previous post, sellers preferred to use electronic payment systems to complete transactions. Forum users regularly paid for their goods and services using WebMoney [WM] or Yandex, and most sellers indicated pricing in U.S. Dollars, though a small proportion also listed the equivalent in Russian Rubles.
The preference for electronic payment systems is driven in part by the fact that they allow relatively immediate payments between buyers and sellers and require no face-to-face interactions. This provides a modicum of privacy and anonymity for the participants, and rapid dissemination of goods. At the same time, buyers are disadvantaged because a seller may not deliver the goods for which they provided payment. In addition, individuals could advertise their products directly to others with little regulation or constraint. Thus, buyers must carefully consider from whom they purchase goods and services and in what quantities to reduce their risk of loss.
There were also no actual public transactions of goods for money observed in the forums, but posts from buyers and sellers gave some indication of how this process operated. An interested party contacts the individual who is either seeking or selling something via ICQ or e-mail. The parties negotiate what they need or require, and then payment is provided. In fact, most sellers specified that payments must be made in advance of any service or product being rendered. This process was demonstrated in a post from the user sanction who offered to encrypt trojans and malicious software: “You know me [contact me] in ICQ and obviously explain what I need to do. . . After that, as soon as I complete your order, you transfer money into my WebMoney purse. After that, you receive the product.” This post emphasizes the importance sellers place on receiving payment for their resources, which introduces the potential for buyers to lose money should a good or service not be delivered.
The unregulated nature of the market also provides no real formal leverage for a buyer should they be cheated or swindled (see also Holt & Lampke, 2010; Motoyama et al., 2011). There are informal mechanisms that can be applied such as calling a seller a ripper in public outlets to negatively impact their business (as discussed later in this article). The lack of methods to engender outside intervention on behalf of a wronged party suggests that the market appears to favor sellers rather than buyers. The same processes have been observed in open air drug markets (Jacobs, 1996, 2000; Jacobs, Topalli, & Wright, 2000), direct hawking markets for stolen goods (Cromwell, Olson, & Avary, 1991, 1993; Schneider, 2005; Stevenson, Forsythe, & Weatherburn, 2001; Sutton, 1998; Wright & Decker, 1994), and prostitution markets (Blevins & Holt, 2009; Holt, Blevins, & Kuhns, 2009) where individuals may be robbed or receive poor products and have few regulatory agencies to turn to for assistance. Thus, there may be some significant relationships between criminal marketplaces in the real world and in cyberspace.
Normative Orders of the Cybercrime Market
The inherent risks participants in the cybercrime market face coupled with the variety of resources sold have engendered the formation of distinct values that structure the interactions between buyers and sellers. Examining the exchanges between actors within this open market demonstrated a larger series of social forces that shape the market environment and the relationships between actors. Specifically, three interrelated normative orders were identified: price, customer service, and trust. The contours and relationships between each order will be explored in detail using quotes from the data where appropriate.
Price
The cost of goods and services played an important role in the vetting of goods and services within the market. Price may be one of the most pertinent factors in cybercrime markets to draw in potential customers, as they may have limited funds or seek the greatest value for their investments (Franklin et al., 2007; Holt & Lampke, 2010; Motoyama et al., 2011). Individuals who offered a service or form of malware were subject to scrutiny based on the price for a product, particularly if it was perceived to be too high or low. The active questioning of costs helped to clarify the acceptable price for a given product, and reduce the likelihood that individuals would pay exorbitant fees for specific services. This was evident in an exchange where an individual sold a trojan program for $10 that was designed to steal ICQ numbers and passwords and send this information on to a specific e-mail account. The advertisement led to significant debate over the utility of the program and the veracity of the seller’s claims based on the cost of the project. In order to quash further debate, the administrator of the forum, velentin, made a post stating: “yours is not functional, for that kind of money. For $10 you can get a sploit for 2 days for $5 (I can rent it out), buy traffick [SIC] for 2K and load the same pinch.” His comment emphasizes that better resources were available for a similar cost, thus prospective buyers should be cautious about paying for this service.
The importance of price in the decision-making process led some advertisers to offer discounts and deals to attract prospective customers. One of the most common techniques involved offering bulk discounts to sell products in large quantities. For example, the spam distribution services offered by Mastodon noted: “Price is $100 for million sent mails. Every third million is free. To regular clients discounts are 20%. Spam for your base is 50% off.” Individuals offering DDoS attack services that enable websites to be knocked offline also offered discounts. For instance, the provider cantar stated: “When ordering the DDoS service for 3–6 days, discount is 10%, with a DDoS service of more than 7 days, discount is 20%, and with a DDoS service for 3 sites, gives a free service for the 4th site.” The pricing and discount structures suggest that the prices of goods and services are variable, but those making large purchases received the greatest overall value (see also Holt & Lampke, 2010). In addition, price serves as an important first step in establishing a relationship between buyers and sellers.
Customer Service
The second and interrelated normative order identified within these forums was customer service. Though competitive pricing may help entice prospective customers, individuals also sought the most satisfactory experience possible. The outcome of a purchase was significantly influenced by the ways that sellers cater to their customers, particularly those individuals without substantive technological skills (Holt & Lampke, 2010; Motoyama et al., 2011; Thomas & Martin, 2006). Since the market allows less proficient hackers to acquire goods and services that increased their overall attack efficacy, individual sellers took steps to ensure that all buyers would be satisfied with their products and services.
One of the most critical indicators of customer service lies in the speed with which sellers respond to requests from potential buyers. Sellers who were regularly online and could be easily contacted were more likely to generate positive reviews and feedback from customers. Some individuals would comment on their availability, stating: “knock me in ICQ, I am there often,” or “I am always online.” Those who did not quickly respond to messages from prospective buyers or were difficult to reach received negative comments from forum users. For example, a malware seller named slicked was not responding to messages, leading to a conversation about his service:
Planetoid: Does anyone know where slicked disappeared to, I haven’t seen him a week on ICQ.
Venom: Maybe he had enough with his trojan
Zood: No, he is a secret person. No one even knows where he is from, sometimes he disappears and reappears again.
In addition to the speed of contact, buyers valued sellers who immediately provided goods to their customers. For example, an individual with the handle grendel purchased a build of the trojan Pinch from the seller Downwind. He was happy with the product and noted the speed with which it was delivered, stating: “Thanks, I ordered it. Four minutes and it was ready. Respect.” The quality of the product or service a seller offered was also critical for their prospective buyers. This was exemplified in a post from the malware installer cyptor, who noted “our price may look to you not so adequate, but the quality will cancel this out, do not forget, that the cheap one pays twice.” If a tool was ineffective or data was insufficient, a buyer may post bad reviews or not recommend that provider. The importance of quality was particularly evident in posts from DDoS vendors who regularly noted that they would give customers a free 10-min test to measure the efficacy of their services against a particular target. This was demonstrated in an advertisement by letrin in forum 05: “DDOS Service, with quality and reliable. . . We give 10 minutes for a test. Always online, large BOT army, all is fast and organized.” Some vendors also offered money back guarantees, as in this example from forum 3: “If the site your order to attack comes alive earlier than the time chosen by you, then you will get money back.” Such a measure demonstrated a willingness to negotiate with prospective customers that could increase their overall business and reputation.
A small proportion of vendors also offered free gifts as a means to generate new customers or to keep current customers satisfied. For example, an individual named vivendi sold credit cards in forum 03, and one customer noted the level of service provided: “I took one card already for doing spam, domains, porn, the person is super, in the form of a discount he gave me a free card.” This comment demonstrates that free gifts can satisfy a customer, and may also draw in additional clients. Similarly, retrograde advertised a proxy service and gave a free gift to customers due to downtime over the New Year holiday, stating: “For all clients of our service, during this time of the New Year, we are compensating the two days of inactivity during this holiday period. . . . a few PIN numbers which will be given out as presents.” Such comments demonstrate that service providers would take multiple steps to maintain their customer base over time.
Another important indicator of customer service was the degree of support individuals offered for their products. Sellers whose services or products required a higher degree of technological skill or knowledge to use often offered some form of customer support. For instance, individuals who advertised web hosting services commonly provided multiple chat lines for support. In fact, one seller named zevius had six separate ICQ support lines operating 24 hr a day, including one for “Complaints and suggestions regarding the work of the service, receipt of payment for services,” and four system administrators for “Solutions on difficult technical issues.” Thus, access to support is a critical service element that may help maintain clientele over time.
Trust
The third order identified in these forums was related to customer service and pricing: trust. Buyers in these forums sought out commodities that they valued, and had to pay for goods without actually interacting with a seller in person (Franklin et al., 2007; Holt & Lampke, 2010). As a result, they may not receive the goods they paid for or may receive bogus products with no value. In addition, most data and services sold were either illegally acquired or a violation of law, so the buyers could not pursue civil or criminal claims against a less than reputable seller. As a result, three informal mechanisms emerged within the market to ensure a degree of trust between participants and reduce the likelihood of loss.
The first mechanism available to validate a seller’s claims was the use of checks or tests by the forum administration as a means to validate the quality of a product sold in the forum. For instance, one of the moderators of forum 05 described their checking process, stating: “Administration has the right to ask any seller to present his/her product for check. You present the product in the form that it is being sold, so that it can be checked for a test. No videos, audio, sreens.” Four of the forums in this sample utilized checking systems, though the seller was required to initiate the process of checking or testing. For example, an individual selling malware stated at the end of his advertisement: “I’d be happy to get checked out, guarantor and all the rest.” Similar comments were found in the other three forums, suggesting that reputable sellers would engage in the testing process. For instance, an individual selling credit card numbers had his services checked, and a review was posted by the forum moderator, slat434, which read: “Passed the check. At the time of the check, the person possessed quality product.” Some sellers also advertised that their products had been checked in other forums, and provided web links to verify this information. Sellers offering products across forums could use cross-site advertisements as a means to garner more customers and higher levels of trust. In turn, buyers could validate a seller’s reputation through multiple forms in order to establish trust.
The second method employed in the forums as a means to build trust was the use of guarantor programs. In order to help ensure that individuals acquire all goods or services for which they paid, guarantors serve as a specialized payment mechanism to ensure trust between participants. Guarantor services were best described by an individual named Chackrat, stating:
The seller and the buyer get in touch with one of the representatives of the guarantor service by icq and they come to agreement on the EXACT terms of the transaction. When agreement has been reached, the buyer gives the guarantor the amount of the transaction (or as it was shown in the contract). . . The Seller gives the goods to the buyer, after examining the quality of the goods, the buyer advises that the seller can give the money, and the guarantor gives the money. Commission is not charged by the guarantor.
This post demonstrates the value of guarantors to minimize the potential risk of loss that an individual may incur. Four of the forums identified in this sample offered or discussed payment services through guarantors. The presence of such a system may be an indicator of greater organization and sophistication within these markets relative to the others in this sample. It may also simply reflect variation in the overall nature of each forum. Thus, guarantors have a place within these markets, though they are not present in every forum.
The third way that individuals can gain or demonstrate trust within the forums was through customer feedback. Feedback was directly impacted by fair pricing and strong customer service, though it was invaluable for understanding the reliability of a seller and the quality of service they provide. Individuals who purchased a product or service could provide detailed comments about their experience with a seller for other users so that they may understand how that person operates. Posts that gave favorable reviews or positive comments demonstrated that an individual is trustworthy. For example, the seller track offered web hosting services and received a number of positive comments from customers saying things like: “I uze [SIC] the host! I like it!,” “Everything is quick and precise!,” and “I bought the domain+hosting+good person = I recommend it!” These favorable reviews clearly demonstrate that a seller or service provider could be trusted to provide quality products on time and without a great deal of difficulty. Such information helps to build a solid and trustworthy reputation for a seller, and may potentially increase their market share and customer base over time.
At the same time, individuals who provided bad services or were untrustworthy received negative feedback. When a customer lost money or did not receive products, the buyer could clearly elaborate what occurred. For instance, an individual named locat sought an experienced programmer for “developing server projects” with “Preferably experience developing polymorphic software.” He noted that “This ad is being published a second time since the previous person shamelessly gypped me out of $1,000, he seemed to have started to do something, took the money, and then dropped out of sight.” Related posts were found across the forums, as in the case of an individual named diesel who posted an ad for a log purchasing service. An individual named ne0, who apparently purchased malware log files, was dissatisfied, stating: “I write facts, so that people are more careful. . . Whoever does not trust me, should check. Whoever trusts me will be grateful for saved time and money. . . TS [topic starter] took the money for the order and disappeared.” Thus, negative feedback demonstrates how a person treats their clients and provides a metric by which others can assess seller quality and practices.
In the event that a person is slighted, they may use the term cheat or ripper to refer to that seller (see also Holt & Lampke, 2010; Motoyama et al., 2011). Individuals who referred to someone as a cheat or provided negative feedback had an important impact on the social dynamics of a forum. The appearance of negative comments often led to significant debate and some degree of infighting among forum participants. If an individual was argued to have engaged in questionable behavior, others posted to support or refute these claims. Such discussions often foment debate, mistrust, and disorder among participants; thus, forum moderators attempted to limit these discussions. This was exemplified by the forum moderator n30n who detailed how he would deal with such discussion:
For groundless complaints, swearing, flood, and multiaccounting—BAN. I've had enough. Groundless complaints include:
- He's a fraud artist! I regged [registered] a box, and he didn't break in to it,
- I transferred money, and that pers doesn't appear any more,–– this is your own fault. This means that you are a SUCKER. Never give pre-payment, transfer money with a protection code, but don't give it, just show that you have this money. Send test letters to broken-in mailboxes, accs, etc. require screens. If you decide to use someone's services, then take an interest as to what other forums this person offers them on and where you can see references regarding his work.
These comments clearly demonstrate the disruptive impact that claims of cheating can produce in these forums, and the significance of trust in structuring the relationships between actors. Furthermore, this post illustrates the relationship between trust, price, and customer service and their effect on the social dynamics of the forums in this sample.
Conclusions
This study sought to understand the social processes that structure relationships between buyers and sellers in the electronic market for cybercrime tools and services operating in Russia. The findings demonstrate that sellers take multiple steps to entice customers, including offering services at competitive pricing with support for nonskilled and skilled buyers alike (Chu et al., 2010; Franklin et al., 2007; Holt & Lampke, 2010; Motoyama et al., 2011). The glut of products available in the market coupled with an inability to inherently trust participants requires prospective buyers to review and evaluate sellers’ ads before making a purchase. Pricing structures appear to be an important draw for prospective customers, but individuals who offer solid customer support are also likely to increase their market share overall. Positive customer feedback is also critical to help determine the reliability of a seller since reviews give insight into the otherwise hidden process of buying and selling. In addition, prospective customers can utilize guarantors to complete a transaction with confidence.
As a result, the findings from this study support Mann and Sutton’s (1998) assertion that the hacker community has enabled the development of a cybercrime underworld supporting all facets of crime. In addition, it appears that this marketplace closely resembles other real-world markets for illicit goods and services (Cromwell et al., 1991, 1993; Holt et al., 2009; Jacobs, 2000; Schneider, 2005; Wright & Decker, 1994). For instance, the informal mechanisms within the market ensure trust between buyers and sellers in order to reduce the risk of lost funds. Participants in these markets are excellent targets for victimization because prospective buyers have money, limited knowledge of an actor’s identity, and are unlikely to contact law enforcement if they are cheated. Similar victimization patterns have been identified in the real world, such as those who rob drug dealers (Jacobs, 1996, 2000) and the customers of prostitutes (Holt et al., 2009) because of the significant profit and low likelihood of police intervention.
The findings of this study also provide substantive implications for law enforcement and computer security professionals. The open nature of the forums identified in this sample provides a critical resource for law enforcement to monitor the activities of participants, and identify the source of various attacks against different targets. The market dynamics identified in this study provide key social indicators to identify individuals who are reputable and trustworthy within the forums. In turn, undercover agents can better target these individuals and gather information in order to develop cases against specific actors. Similarly, the value of trust between participants may serve as an excellent mechanism to disrupt market operations (see Chu et al., 2010; Franklin et al., 2007). For instance, investigators could post claims that an otherwise reputable seller cheated them. Repeated posts could negatively impact the perception of the user, and lead to infighting between participants. In turn, this may serve to reduce the overall efficacy of the market without the need for arrests (Chu et al., 2010; Franklin et al., 2007).
It is also essential that criminologists increasingly investigate the role of malware markets in the range of cybercrimes that occur. Exploratory qualitative studies such as this provide important first insights into the processes of the market, though the findings are temporally bound. The date of the forums used in this study may also limit the overall generalizability of these findings due to changes in the malware and tools that are currently available. Furthermore, the use of open forums may limit the representative nature of the data when compared against closed forums that require registration in order to access advertisements (Holt, 2007, 2010). Thus, substantive research is needed with more recent data to understand the conditions that affect the price of products, shifts in market forces, and changes in the processes of the market over time relative to new and evolving cyber threats. This can improve our overall understanding of the way in which macrolevel shifts in technology use affect market practices and relationships between buyers and sellers. The findings can also provide metrics to assess the value of prevention and enforcement strategies when implemented in the field (Chu et al., 2010; Holt & Lampke, 2010). This research can greatly improve our understanding of the shifting nature of cybercrime over time.
Footnotes
Declaration of Conflicting Interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was funded by the National Institute of Justice, Grant No. 2007-IJ-CX-0018. The opinions expressed are those of the author and do not reflect those of the National Institute of Justice.
