ATTACKER BEHAVIOR

Over the past years, cybercrime has become highly differentiated and professionalized with a vast ‘underground’ (illegal) market that supplies various services required for an attack (Franklin et al., 2007).

The division of labor can be illustrated with Zeus, an effective financial malware that caused considerable damage. It was coded by competent programmers who sold it as a do-it-yourself (DIY) kit for several thousand dollars (Riccardi et al., 2013). Fraudsters customized the malware and distributed it to their victims by either renting spamming services, directly deploying it via ‘pay-per-install’ services, or via other methods. After the malware was distributed, the attackers waited for victims and eventually managed to steal money and move it into other accounts. Finally, the money needed to be cashed out without leaving a trail. This was done using people known as ‘money mules’. Thus four major types of players were involved in Zeus, even though the different roles may be carried out by vertically integrated players.

Cybercrime is also affected by the social relations among criminals. Because there is a risk of being cheated by a fellow criminal, Herley and Florencio (2010) argue that prices in the underground markets are driven down to reduce the risks for buyers. In turn, this makes it less attractive to offer valuable items and creates a cycle of decay. The authors suggest this leads to a two-tier structure with Internet relay chat (IRC) markets as the lower tier, filled with goods that are hard to monetize. Organization of criminal activities rather than ad hoc action is the route to profit. Repeated transactions also form a mechanism that incentivizes buyers and sellers to uphold their promises. Wondracek et al. (2010) looked at parts of the online adult industry employing practices that can be at best described as shady: acquiring traffic and infecting visitors for a fee. Their measurements showed that traffic brokers honored the amount and origin of traffic they were contracted for. Another mechanism, deployed in recent years on marketplaces active in the ‘dark web’, consists of seller ratings (Christin, 2013). Similar to eBay, criminal buyers rate criminal sellers after a transaction; the reputation effect increases the incentives of criminals to stay honest. Despite these differences, both tiers of the underground market generate large negative externalities for society.

To be economically rational, the anticipated success rate and monetary value of an attack need to outweigh its costs. Florencio and Herley (2013b) use this insight to explain the large gap between potential and actual harm online - the fact that most users do not get their accounts hijacked despite using pet names and birthdates as passwords. Automating attacks to scale is hard because of user diversity; it is also hard to know in advance which users offer sufficient financial prospects to be worth an attack. Herley (2012) presents this as the reason why Nigerian scams - the prince with $5 million in dire need of your help - are so obvious. These scams are expensive to run and the attacker wants only the most gullible users. In short, many attacks cannot be made profitable at scale, which is one of the reasons why many doomsday scenarios did not unfold as predicted.

Focusing defender efforts on bottlenecks in the attacker monetization chain can be an ingenious way to reduce attacks. A monumental study has been the work of Levchenko et al. (2011) investigating the spam value chain. The team tracked a billion spam URLs and placed orders for the offerings (including Viagra). The study found that spammers fulfilled most purchases with real products (albeit generic versions). Interestingly, spammers refund unsatisfied customers to appease the scarcest resource in the spam value chain: the payment channel. Credit card companies put pressure on the acquiring banks who provide spammers with the ability to receive payments.

Such financial relationships are very hard to replace, much harder than the technical infrastructure used for spamming and rogue pharmacies. Spam can be sent extremely cheaply via botnets, making conversion rates as low as one in 12.5 million viable (Kanich et al., 2008). Other elements are also readily available. But setting up relations within a credit card network turns out to be a bottleneck, as it requires legal documents, fees and time. Astonishingly, 95 percent of spam-advertised sales used merchant services from a handful of banks. After the study was released, Pfizer and Microsoft, two big targets of spam-advertised goods, asked VISA and MasterCard to act against these banks. This dealt a detrimental blow to spam profitability and production globally (Thomas et al., 2015).

Obviously, criminals do not like getting caught, and paying a fine or spending time in jail reduces profitability. Law enforcement has been traditionally weak in cyberspace due to crimes crossing jurisdictions. This is gradually changing, and law enforcement agencies are ramping up efforts, as evidenced by multiple high-profile arrests in recent years (Krebs, 2011). Anderson et al. (2013) believe investing in law enforcement abilities to arrest cybercriminals to be very efficient, as many attacks are run by a small number of gangs.

Source: Bauer J., Latzer M. (Eds.). Handbook on the Economics of the Internet. Edward Elgar, 2016. 603 p.