Industry of Anonymity

Inside the world of profit-driven cybercrime
December 23, 2013

The Human Cybercriminal

A person checking his email opens an attachment, installing a virus that disables his computer. A major news site goes down after a distributed denial-of-service attack. An international bank’s systems are compromised, spewing out fraudulent transfers worth millions of dollars.

These and other similar stories have become familiar in our networked age. And yet as common as they now are, there is still much that is unknown, not least of which is: Who is behind such incidents?

In the past, the image that sprang to mind was of the lonely hacker sitting at his computer, tapping away feverishly in a dark room—a pimply, nerdy, maladjusted teenager in his mother’s basement. That teenager has since been joined by new stereotypes: an unemployed IT graduate from a far-off land; an idealistic political agitator toying with his opponents; a techie with links to a criminal syndicate; an intelligence operative of a foreign government.

The truth is we have very little real knowledge of cybercriminals. These electronic ghosts often remain an anonymous and mysterious threat: They could be almost anyone, anywhere.

As the threat of cybercrime has risen, an enormous amount of time, effort, and resources has been invested in developing solutions. But what emerged as a new technical threat has, up to this point, been fought largely by technical means. Defenders work tirelessly to plug holes that could allow hackers into a system, while others work to disable malicious code or develop tools to filter out unwanted traffic and communications. But few stop to think in any detail about the people behind the technical threats: where they live, how old they are, how many and how organized they are, what their motivations are.

Although new computer crime laws have been developed over the years, our primary practical response has been focused on the technology side. It looks at the specific technical threats, such as hacking, viruses, and spam, and works to address them through technical means. In the face of such challenges, we have developed security systems to counteract cybercriminal tools directly. In response, the cybercriminals developed better tools and the technology arms race has cycled on to this day.

A good example that most people are familiar with is anti-virus software. The purpose of such software is to identify malware that has infected your computer. The companies behind such software work hard to stay up to date with the latest viruses and other forms of malware. But as new viruses are continually developed, it becomes an endless task consuming enormous time and resources.

This technological response to cybercrime is fairly common at all levels of society, from the individual up through business and government. It’s effectively a fortress model of protection. The idea is to make defenses so strong that nothing can get through. Little attention is paid to who the attackers are or why they are attacking—just the how is important. It’s akin to building a whole suburb of castle-like houses to deal with a gang of thieves operating in the area, rather than trying to identify the thieves and deter or arrest them.

There is obviously great value in developing the best technological tools to thwart cybercriminals. Technological responses continue to be a very effective way of putting costs on cybercriminal behavior and should be an integral part of ongoing security efforts. But we need to augment and enhance this approach with some more human-centered elements.

So what exactly does such a strategy look like? At the core of this approach is a greater focus on attribution—the “who” behind various attacks. This could be attribution in specific cases, unmasking the perpetrators involved. But more generalized attribution would also be valuable. This would mean acquiring a better understanding of the types of people who are cybercriminals, the methods by which they operate, and their motivations and agendas.

Without some knowledge of the humans behind the attacks and their agenda, framing sensible responses is virtually impossible. Trying to comprehend attackers’ motives from the technical logs of the victim’s system alone is not good enough: You don’t know if you are dealing with a teenager down the street, sophisticated professional criminals, or an agent of a foreign government. Deeper investigations can consume significant resources, both for the victim and law enforcement, but there is no other way to diagnose an event and impose an appropriate and effective sanction, or improve risk strategies, let alone identify the proper avenues for dealing with the case in the first place.

In the fight against cybercrime, technology alone can take us only so far without the help of other perspectives. It’s time for a more human-centered approach in the way we think about, and attempt to counteract, the threat of cybercrime. Such an approach would acknowledge that cybercriminals, like traditional criminals, are human beings rather than merely anonymous sources of cyberattacks. We need to increase our understanding of their behavior, so that we can develop better means of discouraging and disrupting it.

Read more about a more human focussed approach to cybercrime in “Electronic Ghosts“.

November 11, 2013

Call Me i$Hm@eL

For cybercriminals, everything hangs on a nickname.

At the peak of his career in the late-2000s, a mysterious online figure from Eastern Europe attained the position of administrator of DarkMarket. He had climbed to the highest rung of one of the most significant cybercriminal forums—where stolen credit-card data and other illicit goods and services are traded—in history. But before he could do all that, he had to choose a nickname.

For Pavel Kaminski, the reputed Warsaw-based spammer, getting his nickname right was the first step into one of the most elite circles of online criminality. His choice: an homage to a Teenage Mutant Ninja Turtles character, the rat sensei Master Splinter. But Kaminski customized the spelling to exude a certain “hackerish” quality. The handle, Master Splyntr, had no particular significance for its creator; but there was thought and strategy in its invention. In fact, for Keith Mularski, the real person behind Pavel Kaminski, there had to be.

Not only was Master Splyntr a creation; so too was the Polish spammer. Mularski was an FBI agent who had fabricated this cover with help from the spam-fighting organization Spamhaus. The agent was not working out of Warsaw but the offices of the National Cyber-Forensics and Training Alliance, in Pittsburgh. It amused Mularski that he had turned to an underground rat for his nickname. With the rat’s help, soon DarkMarket would be down, and major global cybercriminals would be in jail.

IN CYBERCRIME, IT IS difficult for criminals to establish bona fides. They can’t rely on their reputation in the neighborhood, or chest-pounding prowess. They have to build a virtual identity. In this, as one FBI agent who has spent time undercover online told me, a good nickname is “basically all that you have.”

The key to cybercriminal nicknames is less in the specific choice—the actual name hardly matters—than in the intricate function that they play. An effective handle provides anonymity, and can’t be easily used to identify the cybercriminal behind the name. This is the feature that allows users to advertise their criminality openly online. But a nickname is also the foundation of a cybercriminal’s reputation—of what amounts to a trusted brand. Without it they have no presence online. They’re just a newbie—a “noob.”

On the dark Web, it’s difficult to know who you are really talking to: maybe a Polish spammer or an FBI agent in Pittsburgh. Take the elite hacker Max Butler, aka Max Ray Vision. By the end of his dark digital career, he had accumulated at least five cyber identities: Ghost23, Generous, Iceman, Digits, and finally Aphex. Ghosts are a common trope online, but names Generous and Digits, used by Butler when vending stolen credit-card data, implied attractive profits for customers.

As Wired editor Kevin Poulsen explained in his biography of Butler, Kingpin, Butler took on the handle of Iceman when he established the forum CardersMarket—which would become a rival to DarkMarket. He chose Iceman specifically because it wasn’t unique: There were other Icemen floating around the dark Web. Butler thought that if he ever attracted heat from law enforcement, the multiplicity might thwart efforts to identify him. He further spread his risk by keeping his vendor identity, Digits, separate from his administrator identity, Iceman—in case one or the other was “apprehended.” Ultimately, a damaged reputation was what led to Iceman’s demise: He had started a cyberturf war with other carding forums, attracted media attention, and (ironically) made unproven accusations that the honorable Master Splyntr was a fed. So Butler retired Iceman, and up stepped Aphex as the “new” boss of CardersMarket.

Butler and Mularski both put some strategy into their handles. But one former American hacker told me handles are often simply what “sounds cool,” at the time. Veteran carder and film buff David Thomas used the online nickname El Mariachi as a tribute to the Robert Rodriguez film; Robert Schifreen, who hobby-hacked before it was illegal, in 1980s Britain, went by the name Triludan the Warrior, a reference to the antihistamine medication he used.

TO BUILD A TRUSTED brand, there is an incentive to maintain the same nickname over time, but that increases the risk of being caught. Cybercriminals have to carefully balance these competing interests.

One British identity thief I talked with tweaked his handle up to 20 times over his career—but maintained an identifiable (to the right people) strain throughout. The undercover FBI agent knows of Russian cybercriminals who replaced their nicknames every three months. But even these guarded types must subtly alert select collaborators to their new identity, or face starting from scratch.

Then there are those that value reputation over risk, like the hacker and former spammer I met with in Southeast Asia: He has used the same handle, chosen at random from the dictionary, since he was a teenager, through his forays into crime, and even after going straight. “I mean, I’ve got a reputation, I’ve got friends—people trust me,” he explained. Giving it up, he said, would be akin to relinquishing his identity in the physical world and starting again. Today, he works as what is called a penetration tester, a legal hacker of sorts, hired to find holes in a client’s system before a real attacker does. Some clients have discovered his past, and his long-established online reputation. But they seem pleased. They figure it means he’s more effective at his job.

This article was originally published in the Nov/Dec 2013 edition of Pacific Standard.

September 20, 2013

Where the Money Is

When I interview people from a US law enforcement background, it is clear that the Willie Sutton legend has a special place in their hearts. The story goes that a reporter asked Sutton, an infamous bank robber from the mid-twentieth century, why he robbed banks. Sutton’s reply was to the point: “because that’s where the money is”. Leaving aside the fact that Sutton may never have actually uttered these words, for many the “Sutton principle” has become essential for understanding contemporary cybercrime. The money is now moving online, so it’s only natural that crime would migrate there too.

Cybercrime has come a long way since the early days of hacking, with its focus on intellectual curiosity and recreational pursuits. The first hackers were creative problem solvers and pioneers, experimenting with a new frontier. A strong sense of openness, freedom and information sharing defined their world… and sometimes a degree of mischief. But those “golden years” are largely in the past now. While some hobby hackers still remain and hacktivists continue to operate with great visibility, there is no doubt that cybercrime has become big business. It is a difficult to precisely estimate how much business is being done…but it’s a lot!

Cybercrime has “corporatised”, adopting a strong profit-motivation, greater organisation and a sense of professionalism. While there was some money-making to be done in earlier days, much of this turn to profit began to emerge at the end of the 20th century. Online theft of credit card data was one of the first major prizes for economically motivated hackers. With the birth of cybercriminal trading forums like CarderPlanet in 2001, where online criminals could meet, share information and trade stolen credit card data among other illicit goods/services, a real market had emerged.

Cybercriminal forums demonstrate that what began as world centred on hackers, has now evolved into an industry that includes a wide range of people who perform a wide range of functions, some without strong computing skills at all. There are still elite coders but also business savvy front men; there are bot herders (who control botnets) but also “cashing out” specialists who may have a toe in more traditional forms of crime. Cybercriminals have become increasingly professional and, for many, the old hacking ethos seems to matter little as the call for profit takes over.

So how did this corporatisation of cybercrime take place? One model might be found in the corporatisation of street gangs in the United States. About fifteen years ago the sociologist Sudhir Venkatesh and the economist Steven Levitt famously noted a shift that took place in Chicago gangs: they had moved away from the social activities and minor delinquency that previously defined them, towards a more organised criminal network, with a strong hierarchy, clearly defined roles and a spirit of entrepreneurialism. Some gangs were even keeping books accounting for all their financial activities, just like a regular business. The introduction of crack cocaine onto the market in 1986 appeared to be the key driver behind this shift. Crack was cheap, highly addictive and well suited to distribution by gang networks with widespread street presence and control over local “turf”. So a number of gangs gradually altered their DNA and went where the money was.

There is no doubt that some of “the money” is now on the Internet and cybercriminals are capitalising on this opportunity. This “money” is essentially performing the same role that crack did for street gangs. The massive shift of business operations and financial and other personal data into cyberspace in recent years has created enormous profit-making potential for those who have, or want to develop, the right skills. Some are old school hackers adapting to a new world of opportunity, but others have little connection to that world and have come for the money alone. In either case, they have increasingly developed their organisation and operations for business functions.

But “the money” being on the Internet is not the sole explanation for how cybercrime has corporatised. One other key factor is that the architecture of the Internet needed to evolve to allow greater online congregation and collaboration. For instance, one former hacker I spoke with, who operated in Britain in the 1980s before hacking had been criminalised, had very little collaboration with other hackers. What collaboration he did have with his hacker friends was offline: meeting for meals every few months to discuss their activities and “share passwords”. At this early point there were few alternatives, as the Internet had not been developed in the way that it is now and there were hardly any online meeting places, such as forums and encrypted chat rooms. Even with an increased drive for profit, greater cybercriminal organisation could not have taken place without the online means for doing it.

Finally, an increase in Internet security in recent years paradoxically may have made hobby hacking more difficult and pushed cybercrime further towards the profit-driven professionals. A former American hacker I have interviewed suggested it was becoming increasingly difficult to operate as a pure hobby hacker who didn’t have financial motivations. When this hacker was operating as a high schooler in the 2000s, security was much more lax and it took little experience for successful hacks. But now that the security situation has tightened up considerably, he believed there has been a major decline in the number of hobby hackers around, as it’s simply not worth the trouble any more. Exploits are only useful for a very short period of time, before the security industry is onto them, so “you better make a ton of money off it and move off to something else…”

This is a summary of a paper titled “The Corporatisation of Cybercrime” presented at the ECPR General Conference 2013 in Bordeaux.