Industry of Anonymity

Inside the world of profit-driven cybercrime

“Organised Cybercrime”

There sometimes appears to be about as many definitions for the concept of “organised crime” as there are organised crime groups in the world. Almost every country has its own approach, often reflecting the specific challenges facing its law enforcement agencies. This means that those investigating whether there is such a thing as “organised cybercrime” face a very difficult task. Not only is there very limited hard information on the organisation of cybercriminal groups, but there is no singularly accepted definition of organised crime to apply to them.

At minimum, most definitions of an organised crime group include some basic features: 1) more than one person involved; 2) some semblance of structure; 3) a level of continuous operation beyond a one-shot deal or job; 4) an element of profit motivation. When talking about online cybercriminal groups, it is possible that some would meet such broad definitions. In my research, one of the most regular types of cybercriminal “organisation” that pops up is something akin to a “crew”. Just like crews that physically knock over banks with shotguns, some cybercriminals appear to operate in similar small online groups. They have a loose hierarchy, sometimes with a leader of sorts, operate together for up to years at a time with certain constant members, and have a clear financially motivated goal. These groups can be involved in anything from fraud, hacking, identity theft, malware, extortion of companies, spamming or a whole range of other activities.

But such definitions of organised crime are so broad that they lump together very diverse groups. A crew of three teenage thieves may be more “organised” than a lone wolf operator, but such a crew is also quite distinct from other “organised” groups like drug cartels and mafias. This is why some attempting to define organised crime also include a notion of violence and coercion as part of the business. Others go further, such as the economist Thomas Schelling who argues that organised crime is not simply “crime that is organized”. In explaining his approach, Schelling has provided the famous account of why organised burglars do not fall into the category of organised crime:

…burglars are never reported to be fighting each other in gangs for exclusive control over their hunting grounds. Burglars are busy about their burglary, not staking claims and fighting off other burglars. It is when a gang of burglars begins to police their territory against the invasion of other gangs of burglars, and makes interloping burglars join up and share their loot or get out of town, and collectively negotiates with the police not only for their own security but to enlist the police in the war against rival burglar gangs or nonjoining mavericks, that we should, I believe, begin to identify the burglary gang as organized crime.

What this approach appears to be getting at is that organised crime is a form of governance within the criminal world. In this conception, organised crime groups attempt to regulate and control some form of illegal industry. As I noted in my previous post on trading forums as mafias, even criminals need some form of rules and order, or else things fall apart…

So can online cybercrime groups be classified as fully fledged organised crime groups under this more rigid approach? Despite suggestions of such organised crime on the web, there are a number of obstacles to applying this classification. First, violence is at the heart of traditional organised crime groups’ regulation and control of various markets, but in the context of the Internet, there appears to be no directly analogous and effective tool for enforcing order. Second, issues of territory, and control over that territory, are also central to conceptions of traditional organised crime, but something akin to physical territory is difficult to find online and anything similar (hosting, domain names, private online spaces) practically operates in quite different ways. Third, online groupings larger than small crews tend to be very fragile, being both difficult to form and to hold together in the dynamic environment of the Internet. Finally, perhaps for similar reasons, providing criminal governance for aspects of seemingly infinite cyberspace appears an extremely challenging task for such groups to undertake.

While some hints of “organised cybercrime” might present themselves online, we don’t know enough to paint a clear picture. There is still a lot of speculation on what cybercriminal groups actually look like and not that much real data on them. Continuing definitional debates over what constitutes organised crime don’t help the task much either. While broad definitions of organised crime are probably met by known cybercrime groupings, the more rigid definitions applying to traditional organised crime groups appear a bridge too far. But in the end, given the novel landscape of cyberspace, we should not necessarily expect exact replicas of traditional criminal organisation online. Crime remains crime, but we have reached a new frontier.

Read more about “Organised Cybercrime” in “How Organised is Organised Cybercrime?”

Honour Among Cyberthieves

Most people would not look to active criminals when seeking out an honourable and trustworthy person to do business with. It is assumed that those who deal in theft, deceit and sometimes violence do not make good partners. Yet for the criminals themselves, they have little choice. They must build working relationships with other criminals to carry out their enterprises and to trade in illegal goods and services. Along with a good reputation, one of the most useful tools conventional criminals have for building trust with other criminals is the option of physical enforcement. If a partner steps out of line, they get “paid a visit”.

But cybercriminals do not have things as easy. How do cybercriminals build trust online when they often don’t even know who they are dealing with? How do they trade goods and services when their partners could potentially scam them without fear of violent retribution? These are the complex questions facing cybercriminals online, in an environment where anonymity is as much a cost as it is a benefit.

In a previous post, I discussed how cybercriminals require ways of “spotting the fed” in the online meeting places where illicit business is done. I argued that, without knowing it, cybercriminals try to unmask undercover agents by looking for what sociologists and others call “discriminatory signals”, statements and actions that are very costly to fake. And I noted the well-known example of a discriminatory signal of the suspected poisoner proving his innocence by drinking the “poison”. A real poisoner would be unlikely to take the drink, knowing death would follow.

In practice, cybercriminals use similar signalling mechanisms for trying to differentiate a trustworthy partner from a possible “ripper”. First, they might just ask for a display of trustworthiness. This could be some sort of smaller exchange that, if performed well, could lead to a larger deal. In the case of money mules, who help transfer ill-gotten gains around the world, this would be the movement of a small sum of money at first, followed by incremental increases in the amount the mule is trusted with as they demonstrate they are worthy over time. Of course, sometimes there is no honour among thieves, and the mules simply run off with the money. But in a surprising number of cases, they stick around, probably recognising that they have more to gain in the long run by establishing trust with a regular customer (or building a reputation in a community) than by cheating them in a specific instance.

Yet building trust through such practices is still inherently risky, particularly in the early exchanges. As a result, cybercriminals often use other tools to reinforce cooperation as well. They are quite fond of referrals, regularly vouching for each other, whether for general purposes or for joining specific groups/forums or criminal enterprises. They may also “dox” each other, drawing up another user’s online footprint, and decide for themselves whether the trail of interactions suggests a trustworthy partner or not. But it is also a world full of ego and demonstrations of prowess can often be important for showing trustworthiness in terms of ability, as much as ethics. One way of demonstrating prowess, particularly with regard to other less experienced/competent users, is to post some form of tutorial on the appropriate part of a forum.

The cybercriminal trading forums themselves formalise some of these mechanisms used by cybercriminals to buttress trust. Certain forums have ranks of members based on their trustworthiness (such as the imaginatively titled “Trusted Member”). Promotion to these ranks is usually down to a good track record and being vouched for by other forum members. Forums also often maintain a “name and shame” section where scammers can be outed. These systems put reputations out into the open, thereby reducing the need for potential collaborators to carry out various investigations themselves or require references.

Cybercriminal trust mechanisms are surprisingly effective at weeding out scammers and posers. They make good tests of trustworthiness because they often have a public component and/or are verifiable: referrals can be easily checked with the referee; it is very difficult to mimic a communication trail left on the web; displays of prowess are publicly posted and therefore open to critique and ridicule; good and bad reputations are widely advertised on forums. While “ripping” certainly occurs quite regularly, there appears to be some degree of honour even among cyberthieves. In fact, one former spammer who now works as a security professional told me that he was never scammed during his spamming career: “I’ve been ripped off more times by corporates and commercials, companies I am working for legitimately with a f***ing contract, than I have by people that you would consider to be scum of the earth”.

Read more about honour among cyberthieves in “Trust in the World of Cybercrime”.

Spot the Fed

In the early days of the major hacker conference Def Con, a game developed called “Spot the Fed”. Designed to playfully poke fun at law enforcement operatives believed to be collecting intelligence at the gathering, its rules are quite simple. As explained by The Dark Tangent (aka Jeff Moss), the founder and organiser of Def Con, they are as follows:

If you see some shady MIB (Men in Black) earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, point him out. Just get my attention and claim out loud you think you have spotted a fed. The people around at the time will then (I bet) start to discuss the possibility of whether or not a real fed has been spotted. Once enough people have decided that a fed has been spotted, and the Identified Fed (I.F.) has had a say, an informal vote takes place, and if enough people think it’s a true fed, or fed wanna-be, or other nefarious style character, you win an “I spotted the fed!” shirt, and the I.F. gets an “I am the fed!” shirt.

Def Con has been known to attract hackers of all types and stripes, including some cybercriminals. Nonetheless, the likelihood of law enforcement agents making arrests at the conference is relatively low. “Spot the Fed” is more a matter of fun than anything serious.

But for cybercriminals operating in an online environment, spotting the fed becomes an important business. On the Internet, it is more of an occupational hazard than a game. Anonymity is as much of a benefit to law enforcement as it is for cybercriminals. If an undercover agent is able to build a credible cover and ingratiate him/herself among cybercriminals, the criminals could soon be out of business and in gaol.

So how do cybercriminals attempt to differentiate between the real deal and law enforcement imposters? Perhaps without knowing it, they look for what sociologists and others call “discriminatory signals”, statements and actions that are very costly to fake. One well-known example of a discriminatory signal is a suspected poisoner proving his innocence by drinking the “poison”. A real poisoner would be unlikely to take the drink, knowing death would follow.

Some “tests” used by cybercriminals don’t do a good job of discriminating between bona fide criminals and law enforcement. For instance, like any other subculture, cybercriminals have their own patterns of behaviour and language, an important part of “fitting in”. But with time, experience and the benefit of being behind a computer screen, law enforcement agents have shown themselves able to mimic such patterns. They have also shown themselves able to gather the knowledge and contacts to locate and infiltrate the shadowy online places where cybercriminals congregate, and which the average user would never happen upon by accident.

Instead, the more effective signals for distinguishing undercover agents from genuine cybercriminals are ones that require individuals to demonstrate evidence of actual criminality. This is because many law enforcement agencies bar their operatives from committing crimes in the course of their undercover assignments. If an online figure is happy to chat, share and participate in the community, but refuses to involve themselves in actual cybercrime, they are probably not a cybercriminal (or are a very discreet one).

Different types of cybercriminal have worked this out already. In the same way that online paedophile rings request pornographic images of children in order to join, certain for-profit cybercriminal forums have required the provision of compromised credit card details. For instance, DarkMarket required prospective members to provide details of 100 compromised credit cards, which would then be tested by two reviewers who would write reports on whether the person should be admitted or not. Although only indirectly linked to criminality, other forums request an entry fee that can be quite a large sum of money, supposed proof that each member is a serious operator. Law enforcement can raise such money, but it certainly provides a bureaucratic hurdle.

Along with asking for proof of criminality by provision of illegal goods/services, cybercriminals can also perform background checks on each other. One method is to “dox” someone by pulling up a user’s online footprint and then comparing it to information they have drawn out of that person directly. Another method, employed by online forums, is to require that one or more existing members vouch for new members. The stricter forums require the vouchers themselves to be of a certain standing within the community.

While these mechanisms appear to present stricter tests, they have all been breached by law enforcement and security researchers in different forums. Ultimately, it is a game of cat and mouse. As law enforcement overcome existing tests, criminals attempt to invent more discriminatory ones. When the undercover FBI agent Joseph Pistone (aka Donnie Brasco) infiltrated the Bonanno crime family in New York in the late 1970s, he built such trust with the family that he was under consideration to become a “made” man. When the operation ended, the mafia was so horrified at how far a mole had made it into their organisation that they changed the rules and required prospective candidates to carry out a murder before being admitted into La Cosa Nostra. That, at least, is one test cyber feds don’t have to worry about online…

Read more about how cybercriminals spot feds in “Trust in the World of Cybercrime”.