Who's Really Paying Cybercriminals?

This week sees the arrival of LondonCyber, a conference organised by the British Government's Foreign Office and reported to have been so thoroughly stage-managed that the media have been carefully kettled away in a special media centre to ensure they are not allowed to directly interact with any of the attendees.

While many questions are being asked at that conference, we wonder whether the organisers will allow anyone to ask the question uppermost in Spamhaus' mind at the moment: namely, why have governments not constricted the flow of money to cybercriminals at the choke point of transaction processors (credit card processing banks)?

As an example, and whatever view you take of the banks' action to withdraw the facilities used by Wikileaks (and on that topic Spamhaus has of course to be strictly neutral), there can be little doubt that their action was encouraged by the US Government.

Transaction processors control the fund transfer services that cybercriminals use to purchase and receive their illicit goods and services. Researchers have thoroughly documented particular banks in Azerbaijan, Latvia and St Kitts and Nevis which are being used by the cybercriminals to receive payments for the bogus prescription drugs, fake anti-virus and fraudulent brand-name products they sell by means of spam and blackhat SEO. All this could be stopped in very short order if government agencies decided that they wanted it stopped.

Transaction processors not only aid the flow of cash from spam and fraud victims to criminals, they are also subsidising their procurement activities. Cybercriminals need such large numbers of domain names to operate their botnets, spam runs and affiliate programs that the cost of those domain names would normally be a major expense for them. However, by using stolen payment cards that expense can be avoided.

In the normal course of events it might be expected that fraudulent transactions would be refunded to the victims whose cards were used, and then charged back to the registrar or reseller who accepted the payment. And that--in the normal course of events--should encourage the registrars or resellers involved to be more careful about the authenticity of the payment cards they accept in their online system.

However, based on discussions with several registrars, Spamhaus has recently discovered why this mechanism is totally ineffective. It seems that the transaction processors operate a "chargeback floor" below which it costs them more to charge a transaction back than the transaction itself is worth. So when the cybercriminals buy domains with stolen payment cards, they are careful to stay under the chargeback floor and thus ensure that the banks (and their customers)--rather than the registrars--bear the cost of their fraudulent transactions.

Spamhaus believes it is high time that those channels for payments to the spammers and the chargeback floors which assist them in evading payment for services they use be reexamined to stop abusive transaction processors that are used by cybercriminals. If the banks don't want to do this, then governments should intervene and insist on it.