A Blog by Jonathan Low

Sep 25, 2021

The Secret Weakness of Cyber-Criminals: They Burn Out

Like many other gig-work occupations, much of the work done by cyber-criminals is routine, boring, poorly paid and requires little technological skill. As a result, those who do it burn out because there is no future in it. 

That is why counter-cyber efforts are increasingly focused on discouraging that workforce. JL

Ben Collier reports in the Wall Street Journal:

Cybercrime isn’t the province of individual renegades. It’s big business. And for most of the people involved, it’s often a boring, low-paid, dead-end job full of frustration that ultimately leads to burnout. Most earn pocket change, and weren’t developing hacking skills or building any reputation in the hacking community. And many complained about the hassles of the business; work-life balance isn’t one of the perks. Most cybercriminals are simply cogs in a sprawling network of services that support those who launch attacks.

Picture someone involved in cybercrime. Are you seeing a highly skilled lone-wolf hacker? Or maybe a spy for a foreign government, or an organized-crime boss? If you are, you’re missing the big picture.

Cybercrime Ecosystem

There is an old-fashioned image of a lone hacker looking for software vulnerabilities to attack. But cybercrime economies rely on a number of specialist services. A criminal looking to distribute malware needs to find buyers, acquire and configure malware kits, and cash out any funds received. Here's a look at some of the services that keep a criminal network running.

[Infographic: the cybercrime ecosystem, described in the sections below]

The Selling Syndicate

A criminal group that provides cybercrime services for a fee. They try to cultivate a customer base and compete with other cybercrime syndicates for customers.

Underground cybercrime forum

A place where criminals learn illicit skills, meet business partners, make friends, buy and sell tools and services, and discuss life. Run by moderators who enforce rules, ban users, and screen out police.

Support workers

The selling syndicate relies on illicit infrastructure and legions of support workers to make sure the customer gets a high-quality service.

Bulletproof hosting

Attack services need to be hosted on servers, often in countries where authorities won’t take them down.

Server management

Harder than it sounds: managing the command-and-control infrastructure, and setting it back up when law enforcement or a hosting company takes it down.

Customer/community management

The customer is always right: these illegal startups will often employ people to keep the community happy, run promotional offers or competitions, and respond to complaints.

Website management

Building and maintaining the user interface that buyers use to purchase and launch attacks.

Graphic design

These businesses often employ dedicated advertising or design staff to make the product look attractive and get new customers.

Botnets

Networks of infected computers: these are a crucial resource for cybercrime, and can be used for anything from distributing malware to launching attacks.

Payment services

Managing payments from customers and then beginning the complex process of cashing out.

Avoiding authorities

Very important: keeping everything secure, and making sure your users don’t do anything that would bring down more heat than you can handle.

Suppliers of Illicit Services

The selling syndicate putting together a cybercrime package may either buy ready-to-use cybercrime tools, pay someone else to make them, or code them themselves. A wide range of attack services are available to buy on cybercrime forums or dedicated websites.

Unauthorized access

Compromising the target’s computer for a fee, often with a view to releasing their private information (doxxing) or installing stalkerware to spy on them.

Compromised account

Criminals sell access to large numbers of compromised email accounts, high-value social-media accounts, or stolen credit cards.

Ransomware

Encrypts victims’ data, rendering it inaccessible until a ransom is paid. Ransomware developers sell or lease their ransomware variants like other software to buyers who execute the attack.

Spam

Spam-for-hire allows you to send large numbers of emails to millions of victims, giving you the chance to spread malware or enroll them in your scam.

Harassment

Many aspects of online harassment can be automated: setting up hundreds of social-media bots to send abuse, for example.

Denial of service

Using networks of compromised machines, attackers can send huge amounts of web traffic to their victims, knocking them offline.

The Buyers

Once the selling syndicate has put together a package of services required for an attack, they are ready to sell or lease it to a buyer: anyone from teenage gamers looking to knock each other offline to someone who wants to attack an organization to steal or extort funds.

Money Laundering

Different criminal specialists can assist in laundering money via cryptocurrencies, store credit, or various kinds of assets that can be bought and then resold for clean money.

Source: Ben Collier, University of Edinburgh; Kevin Hand/THE WALL STREET JOURNAL

Those characters are out there. But the most dangerous cybercrime isn’t the province of individual renegades. It’s big business. And for most of the people involved, it isn’t the exciting, lucrative world—even glamorous, in its way—that some media depictions might suggest. It’s just a job. Often a boring, low-paid, dead-end job full of frustration that ultimately leads to burnout. Most cybercriminals are simply cogs in a sprawling network of services that support those who launch attacks.

And that has important implications for how to police cybercrime. In short, the key is to focus not on the leaders of criminal enterprises or their lieutenants, but rather on the legion of cybercrime workers and the networks they maintain.

Complex operations

Cybercrime has grown into a huge industry increasingly based on division of labor and specialization. The predominant business model is what has become known as cybercrime-as-a-service. For the most part, a group of artisans build sophisticated digital tools, and a much larger community of people buy them and use them to commit cybercrimes.

At the low end of the scale, teenagers are paying a $5 monthly subscription fee for so-called booter services, which allow them to direct botnets—networks of commandeered computers—to knock rival videogame players offline with denial-of-service attacks. More-harmful services, such as ransomware attacks, are managed in a more business-to-business manner, requiring a lot more money. What the whole range of services have in common is that the users need almost no technical skill. For that, they rely on the providers, who not only sell them the necessary tools but also offer technical support.

This all relies on substantial criminal business operations, centered on networks of computer servers. And that has created a range of boring but essential jobs keeping these businesses’ hardware humming and managing their customers. People need to set up servers, manage networks of infected computers, get a website up and running and oversee payment systems. When a customer can’t get your service to work, or they threaten to move to one of your competitors, you need community managers and support staff ready to respond, to avoid losing business.

Disgruntled workers

My colleagues and I have spent late nights interviewing the people running these services, hung out in their online forums and chat channels, and scraped vast amounts of data (tens of millions of posts from dozens of forums) about what they’re up to.

Our interviewees—who often got into these businesses dreaming of eventually becoming a skilled hacker—told us that the entry-level administrative and customer-service work is perceived as easy, so it’s initially attractive to newcomers. “It’s autopilot,” said one interviewee working as an administrator of booter services. “I can sit in my chair, smoke weed and still make money.”

However, most of the people we interviewed and encountered in online forums were earning pocket change, and they weren’t developing hacking skills or building any reputation in the hacking community. And many complained about the hassles of the business; work-life balance isn’t one of the perks of the cybercrime industry.

For instance, if a server goes down at 4 a.m., someone has to get up and fix it or face a sea of angry customers. On a chat channel we were monitoring, we saw an administrator on vacation desperately trying to use a hotel’s patchy Wi-Fi to get a botnet running again.

As we spoke to these cybercrime service workers, it became clear that many were prone to a malady familiar to employees in more-reputable industries—burnout. As one cybercrime administrator said to me: “After [running a cybercrime service] for almost a year, I lost all motivation, and really didn’t care anymore. So I just left and went on with life. It wasn’t challenging enough at all…. Lots of people are starting to see what I and lots of others see. It’s a place where you learn nothing new and don’t go much of anywhere.”

Action and messaging

This has important implications for policing. As part of our research we observed what happened when law-enforcement authorities used various tactics against the cybercrime businesses we studied. Tactics focused on arrests and harsh sentences for the leaders of cybercrime enterprises seem simply not to work. When major players were arrested, the effect was negligible, with new businesses moving to take their place in a matter of days, sometimes using the same infrastructure of computer servers and service workers.

But when authorities targeted the support staff—the labor force that the cybercrime industry depends on—with a few arrests and made their jobs even more miserable than usual through coordinated shutdowns of server networks, the effect was much greater. This is not unlike putting pressure on a mafia accountant, as opposed to arresting crime bosses.

In our research, we saw that when authorities attacked the cybercrime infrastructure this way, the services became unreliable and their customers thought they were being scammed, flooding their chat channels with complaints. When servers went down, so did the business of all the criminals who were renting that infrastructure. Cyberattacks declined.

Conventional wisdom suggests that disrupting the infrastructure of cybercrime services by taking down their servers is merely a game of Whac-A-Mole, with these groups able to set up new systems fairly quickly. But that doesn’t take into account the effect on cybercrime workers: We found that these takedowns were extremely frustrating for the people working behind the scenes. We even began to see people quitting the business, burned out from the stress of having to provide round-the-clock customer service and system administration under increasing scrutiny from the police.

This has implications not only for police action but also for messaging by law-enforcement authorities. When companies are hacked or the police launch a sting operation against cybercrime operations, the authorities are often at pains to emphasize how skilled and dangerous the criminals are, how much money they make, how much harm they cause. However, this may be the wrong approach, risking making jobs in the cybercrime industry seem more skilled and glamorous than they actually are.

So perhaps rather than arrests, the way forward lies in disrupting cybercrime’s infrastructure, making the administrative work in the industry even less appealing than it already is and so driving people out of the business and discouraging potential new recruits. Instead of describing hacking as skilled, exhilarating, lucrative work, police and media coverage might do well to reflect its reality: closer to “The Office” than “The Matrix.”
