Cormac Herley: Economics and the Underground Economy
Legal & Management
Milano Ballroom 5-6-7-8
About: The popular and trade presses are full of stories about the underground economy and the easy money to be made there. We are told that phishers and spammers harvest money at will from the online population. Even those without skills can buy what they need and sell what they produce on IRC markets. Estimates of the size of this underground economy vary, but common to most accounts is that it is large and growing rapidly.
In a careful examination of the evidence, we find that these claims are speculation, unsupported by evidence. Estimates of the cybercrime economy are enormous extrapolations from very noisy and poorly-sourced data. Reports that exploits like phishing and spam are worth billions appear to be off by orders of magnitude. Our analysis suggests that the laws of economics have not been suspended. Phishing and spam are subject to the tragedy of the commons so that returns are kept low. IRC channels are infested with rippers so that buying and selling is hard. Cybercrime is a ruthlessly competitive business, and low-skill jobs still pay like low skill jobs. Much as in the regular economy, to do well you need a rare skill or a barrier to entry. However cybercrime is still a very big deal.