How do people end up working for cybercriminals?
There are thousands, if not millions, of people within the modern cybercrime ecosystem: a few masterminds and a vast army of workers who sell their skills to the highest bidder. Where did they come from? Research shows that what started as innocent curiosity gradually led to crossing the line to the dark side.
Modern cybercrime is dangerously effective because it's a business. Ransomware, spyware, malware, and any type of 'ware' can be sold and bought as a service. Professionals who create the software might never even use it, while threat actors operating the software might have no idea how to make it.
But where do all these people come from? A team of researchers analyzed thousands of messages from criminal forums to answer just that, and presented their findings at the Black Hat USA 2021 conference.
A team of security researchers uncovered a private chat log of over 6,000 messages sent over two years where threat actors privately discussed how to spread the Geost botnet, an Android banking malware targeting mainly Russian citizens.
"Even if some people may drift, they favor informality over cyber-crime forums. It tells us that if they potentially had a choice, they would probably instead be making money legally or at least informally." (Masarah Paquet-Clouston)
"The interesting thing is that in the private chat, they were discussing conversations that happened in the public space," Serge-Olivier Paquette, a senior manager of data science at Secureworks, said during the briefing.
The researchers uncovered that three key people in the leaked chat log looked for skilled 'workers' on a Russian-speaking internet marketing platform where users mainly look for advice and opportunities to earn extra cash.
Key threat actors browsed for a so-called informal workforce, or anyone looking to make some money on the side, using their skills, be it coding, web development or anything else. Unsurprisingly, platforms that enable such activities are called informal platforms.
In this case, however, the threat actors used informal platforms to seek help developing Android web portals that would let them spread infected Android APKs carrying the Geost botnet.
"They were not the botmasters or motivated offenders behind Geost botnet, but they seemed rather those individuals at the periphery of the criminal scheme, helping APKs to spread in the wild," Masarah Paquet-Clouston, a security researcher at GoSecure, said during the presentation.
The research shows that on their own, the offenders would not have had the capacity or tools to carry out the scheme. But an informal workforce enables low-skilled threat actors to complete ambitious tasks.
Chat log analysis showed that the Geost botnet was never mentioned in any of the discussions between the perpetrators and potential hires, which raises the question of whether members of the informal workforce were aware of how the services they provided were used.
To get to the bottom of this, the researchers took every interaction between the trio spreading the Geost botnet and the people they talked with, and cross-referenced all of their nicknames against 38 platforms related to the spread of cybercrime.
The team found that at least 7% of the over 21,000 members of the 'informal workforce' did use platforms associated with cybercrime. Because of their tendency to move between informal platforms and criminal platforms, those users were dubbed 'drifters.'
Going even further, the team collected data on the drifters' online activity from 2012 to 2020 to assess where a life of criminality begins.
The research shows that 75% of so-called drifters tend to stick to informal and non-criminal platforms over time, mainly posting there. However, 15% of drifters started by posting and commenting on informal platforms but gradually shifted towards the openly criminal platform. 12% of drifters started on informal platforms but turned to criminal ones rapidly.
Paquet-Clouston, Serge-Olivier Paquette, Sebastian Garcia, and Maria Jose Erquiaga of the Czech Technical University found that the vast majority of people are merely curious about cybercrime and tend to stick to the informal economy, earning extra cash while perhaps asking too few questions about where their work ends up.
A quarter of people gravitate towards criminal-only activity over time, supporting the masterminds behind the cybercrime pandemic. The key takeaway is that these people do not directly take part in cybercrime but offer their services, which means their motivations differ vastly from those of the criminals spreading the malware.
After the conference came to an end, we sat down with Masarah to discuss the implications of the research the team presented and how to combat the ongoing cybercrime pandemic.
"Workers who have skills but don't necessarily have job opportunities may drift because they lack options. So, one way to kind of fight cybercrime would be to ensure that these individuals are given opportunities." (Masarah Paquet-Clouston)
Your Black Hat presentation uses the term 'drifter' to define people on the fence between the informal economy and illicit activities. Could you explain a little bit more what you mean by that?
In the presentation, a 'drifter' is an individual who takes part in discussions on the informal forums that we studied but also has been on the cyber-crime forums. The concept of drifting comes from criminology, and it says that before committing a crime, people have to kind of release moral restraints. At that stage, some of those moral restraints are being relieved.
We're not sure whether they committed criminal acts. We have no idea, as they only spoke on a cybercrime forum. But if the cybercrime forum is self-proclaiming to be criminal, it gets obvious. And at least we know that they, the drifters, have released their moral restraints. There's a difference: browsing a criminal forum is one thing, but commenting on it is another step.
This analysis is not going in their conversations to see whether or not they acknowledge that they're committing a crime. That would be the next step, checking out what they're doing. But it's the idea that some of those people are on the line. So far, we know that some people, given a good opportunity to make money, will drift.
Do you think the people you researched were aware that some of the services they supplied were meant for criminal or illicit purposes?
They knew it was shady. They talked about the shady applications, and they were kind of aware that something was wrong. However, whether you put something on a website, be it something good or not, it doesn't change anything. It's not like you're hitting somebody in the head or doing something overtly criminal. The line is really gray.
You also spoke about how around a quarter of people do drift towards spending their time in criminal forums over time. What does this finding point to? What can we make of it?
The next step is to go in and see whether or not we can differentiate these people who stay with an informal realm from those who drift. I think the key takeaway from this specific analysis is to see that even if some people may drift, they favor informality over cyber-crime forums. It tells us that if they potentially had a choice, they would probably instead be making money legally or at least informally.
That's something I particularly liked in your presentation: that the majority of people probably don't want to go and do criminal activity. Do you think there is a way to target people who are not the masterminds behind the operation but support the ecosystem that masterminds use?
I think so. Workers who have skills but don't necessarily have job opportunities may drift because they lack options. So, one way to kind of fight cybercrime would be to ensure that these individuals are given opportunities.
And I know it's something that we see right now. From interviews I do with individuals, for example, in Russia, I learned that cybersecurity firms hire a lot of people. And that helps because you have opportunities in cybersecurity. So why would you drift into crime if you can do it legally? So yes, I think that a way to fight this is actually to give them jobs.