The common perception of the modern hacker is a lone wolf operating out of their basement, but the reality could hardly be more different. Crime groups today, such as Superzonda in South America, Business Network in Russia and the global Shadow Crew, are increasingly connected and sophisticated. Indeed, they often use and extend business techniques from legitimate enterprises to create global teams that are incredibly efficient, setting the kind of best practice behaviors that might in another world be the subject of a Harvard Business School case study.
Speed of response is often a central part of this, with phishers rapidly developing e-mails asking for donations to the ‘Red Cross’ in response to the 2010 earthquake in Haiti. Such scammers are also using text-to-donate methods to swindle people out of money. What is perhaps most interesting, however, is the organizational structure of cybercriminals.
Mob vs flashmob
In the past, we would perhaps assume that the modern criminal takes a leaf out of the Godfather’s book, with a top-heavy hierarchy complete with dons and capos. The reality of the modern cybercriminal is much more fluid though, and indeed more like Al Qaeda in style, with loosely affiliated cooperative networks that come together for projects and disband soon after. New research from Michigan State University highlights how common this style is among modern cybercriminals.
“It’s not the ‘Tony Soprano mob boss type’ who’s ordering cybercrime against financial institutions,” the researchers say. “Certainly, there are different nation states and groups engaging in cybercrime, but the ones causing the most damage are loose groups of individuals who come together to do one thing, do it really well – and even for a period of time – then disappear.”
Whereas historic crime families often have a reputation established over many years, and a documented history to match, the online space is typically much harder to trace. The research found that there are strong levels of organization among cybercriminals, but that the style and approach vary considerably depending on the nature of their work. For instance, it’s rare for there to be organizations that have persisted over many years, or even multiple generations, as in other organized crime networks.
Instead, cybercriminal networks are often made up of loose coalitions of hackers who come together because of their unique skill sets, collaborate on a particular crime, and then disband again. This may see one person with expertise in password encryption teaming up with another who is fluent in a certain programming language, doing more damage as a unit than either would individually.
“Many of these criminals connected online, at least initially, in order to communicate to find one another,” the researchers explain. “In some of the bigger cases that we had, there’s a core group of actors who know one another really well, who then develop an ancillary network of people who they can use for money muling or for converting the information that they obtained into actual cash.”
Such criminals also increasingly turn to niche locations to find specific expertise. For instance, Dubai is known to offer the best talent for laundering money. This requires almost constant networking to have a web of talent to tap into, and in this sense, it’s not a million miles from the way Hollywood film studios constantly scout for the best acting talent for any given film. It’s vital that criminals in ID theft know how to find criminals able to replicate the holograms on ID cards, for instance.
As in other forms of professional life, it’s also true that many cybercriminals are driven more by intrinsic motivation than extrinsic. Sure, with the risks involved, the money has to be there, but for many, the motivation is less about the money than it is about the intellectual challenge of cracking into a sophisticated security system, or the moral requirement to attack specific targets they see as going against what they believe in.
In another nod to the businesses that have emerged during the Internet era, many cybercriminals are also only too well aware of the ‘long tail’, which provides fruitful exploits away from the big, blockbuster heist. The modern cybercriminal knows that significant riches are available in smaller, repeatable operations. Many credit card hacks, for instance, follow this approach, with purchases on the smaller side and laundered through a ‘mule’, who might not even be aware they’re part of the scam. Add up thousands of these small transactions and you get a large heist.
It’s clear that the methods of cybercriminals are changing markedly from the organized criminals of the past, and many now adopt the significant and agile approaches of the most sophisticated legitimate businesses of today. It’s vital that law enforcement agencies appreciate this so that they can better crack down on them.
“As things move to the dark web and use cryptocurrencies and other avenues for payment, hacker behaviors change and become harder to fully identify, it’s going to become harder to understand some of these relational networks,” the researchers conclude. “We hope to see better relationships between law enforcement and academia, better information sharing, and sourcing so we can better understand actor behaviors.”