Why don’t cybercrime rewards work?

Rewards have been offered for information leading to the arrest of high-profile malware creators/operators for some time. How successful have those various initiatives been, and what are the limiting factors?

The Microsoft Anti-Virus Reward program has been around since late 2003, bounties have been offered for the creators of Sasser, Sobig, Blaster, Conficker and now Rustock, to name a few high profile ones. The reward money is put up by Microsoft, but it is up to law enforcement to decide who qualifies for the reward based on arrest and conviction.

Despite the rewards on offer, successes are outnumbered by “cold-cases”. In 2005 two people shared a $250000 reward for information that led to the conviction of Sven Jaschan, the person behind the Sasser worm.

The successes have been limited in number though, there have still been no arrests relating to Sobig, and most notably the reward for information relating to the creator(s) of Conficker still goes unclaimed. Microsoft isn’t the only source of tempting reward cash either, as far back as 2004, SCO offered another $250,000 for the arrest and conviction of the author(s) of MyDoom, that too remains yet to be claimed.

There are probably a few reasons for this limited success; criminals operate online under pseudonyms and are traditionally very tight-lipped about their real identities. Although rewards often do turn up valuable information in “real-world” crime it has to be recognised that the chances of witnesses being present are that much higher. In the online world, the assumption has to be that most witnesses will somehow also be involved.

In thee high profile cases the reward of $250,000 (or even $500,000 when to rewards are on offer) may be very small when compared to the kinds of profit that organised criminal gangs can make by simply continuing “business as usual”. Perhaps bizarrely trust will also play an important role. The online underground, like any more legitimate online business is based to a large degree on trust and credibility.

To break ranks and claim a $250000 reward will effectively end any further participation you may have end in the world of online crime. It’s a career limiting move as they say… If you are asking someone to give up their career, however illegal, it seems the rewards need to be considerably higher.

Never underestimate the small guy though and the power of the mean green, as my friend Julio Canto from Virustotal said to me on Twitter “probably it is more focused on individual that still finds 250K’s as interesting :) even a small fish can cause troubles“.

As Solutions Architect for Trend Micro, Rik Ferguson interacts with CIOs from a wide variety of blue chip enterprises, government institutions, law enforcement organisations. Recognised as an industry thought leader and analyst, Rik is regularly quoted by the press on issues surrounding Information Security, Cybercrime and technology futures. With over 15 years experience in the IT Industry with companies such as EDS, McAfee and Xerox Rik’s broad experience enables him to have a clear insight into the challenges and issues facings businesses today.