Large calculator on a wooden table showing the economics of cybercrime

Disrupting the Economics of Cybercrime

If I were to ask you what cybercrime arena was the most profitable for the criminal, you might be surprised by the answer. It was an unexpected discovery for my fellow co-founders and me eight years ago: when we wanted to find the place where our bot detection concepts would have the greatest impact, it turned out that the digital advertising ecosystem was rife with bot-based fraud. Billions of dollars were—and are—stolen each year from brands, publishers, and advertising technology organizations by fraudsters.

Some of these fraudsters simply set up botnet operations to click on tens of millions of fake ads that they’d finagled onto empty websites they owned so they could siphon off enough cash to cover their expenses for the weekend. Others were peeling off thousands or millions of dollars every day. Taking down a cybercriminal operation, as we did with the 3ve botnet in 2018, feels good: it’s a huge accomplishment for cyber defenders.

But 3ve was just one operation. Even though the people behind that particular botnet were indicted and several are currently behind bars, there’s always another fraudster ready to step up and try something new.

What we figured out was that in order to really combat fraud—and indeed, cybercrime as a whole—we have to change the economics of the whole deal: we have to make it more expensive or the consequences (like prison) too high for fraudsters to even bother trying to carry out an operation than they could possibly get out of it.

Developing a technological solution to an economic problem, though, is much harder than developing a technological solution to a technological problem.

Herd immunity

Our inspiration is similar to the concept of herd immunity: the more people in a crowd who are immune to an infection, the less likely it is that those who aren’t immune can catch it. It’s effectively “safety in numbers”, but in an immunological sense.

Now take that idea and apply it not only to one specific virus, but to every virus that anybody in the group is exposed to. And make the immunity learn from any sickness that manages to make it through so that nobody else can succumb.

That’s where our concept of “collective protection” comes from. Any attack on any one of our partners becomes a defense for all of our partners. And the more people (or partners) inside that group, the stronger the entire group becomes.

Raising the price on cybercrime

The economics of the concept returns to the equation when you consider that fraudsters can’t simply move on from one unsuccessful target to another when the entire ecosystem is protected from that particular attack. When there are fewer and fewer targets available for an attack, that attack becomes less lucrative for the fraudsters. And when so much of the ecosystem is being seen by a collective protection framework, the amount of time an attack has between deployment and discovery shrinks dramatically.

There’s simply less money on the table for fraudsters to snatch at, because their attacks will be identified and blocked faster than ever before. And when an operation is shut down, fraudsters are either put in jail or have to start from scratch, finding new ways to try and exploit the systems in place to grab a piece of the pie.

When all of the “easy” attack vectors are covered, the attacks that follow get increasingly contrived and complex. And the more complex an attack, the harder it is for the fraudsters behind it to have found and actually built the mechanism behind it.

And then the herd finds it and blocks it and the whole cycle starts over, but now with yet another vector protected from fraud.

That’s how the economics of cybercrime is disrupted: it becomes more expensive and time-consuming for attackers to develop ever more complex mechanisms to go after their targets, and the window of opportunity continues to shrink with more partners joining the herd. At some point, the see-saw flips and it’s no longer worth it for the attackers to continue to try.

Going on offense

But none of that implies the herd, while protected, should simply sit back and invite the attack. We can expedite that inflection point by playing some offense of our own. When the herd is large enough, the protectors find themselves in a unique position: they’re able to begin running counteroffensives to root out the attackers and develop defenses even before the attackers are able to deploy a new mechanism.

In the context of cybersecurity, that can take the form of disinformation campaigns on the part of the defenders, leading attackers to believe that attacks have been successful or undetected, while in fact gathering information to reverse-engineer and identify the culprits. It can mean finding attackers’ hiding spots and learning about operations yet to be deployed and building plugs for those holes in the wall to send attackers back to square one before they’ve made a dime off their work. And it can mean shifting the weights on that see-saw further in the opposite direction to flip it sooner than it might have.

It changes the game.

Yes, there’ll always be fraudsters out there, trying to capture what they can. But the more people in the herd, the faster those attackers will get caught, and the less damage they’ll be able to do.

Cybercrime is an economic problem as much as it is a technological one. But we have the capacity to solve it with technology, and it only requires everyone to combine our knowledge and leverage resources through collective protection.