Cybercrime Inc. Hackers Model Themselves On Big Business
The clichéd image of a cybercriminal is one of a lone hacker, huddled over a computer in their parent's basement. Today, that stereotype couldn't be further from the truth, because, now more than ever, cybercrime is carried out by gangs running sophisticated operations.
The most organized criminal groups, such as those active on the dark web, are operating like legitimate businesses, with departmentalized teamwork, collaboration tools, training, and even service agreements between malicious software providers and their hacker customers.
"When you start to see malware kits that have customer service agreements and warranties associated with them, you know that you've moved into a pretty professional space," says Nathaniel J Gleicher, former director for cybersecurity policy for the White House's National Security Council.
Like the legitimate software market, cybercrime is now a huge economy in its own right, with people with a range of skillsets working together towards one goal: making money with illicit hacking schemes, malware, ransomware, and more. It's essentially an extension of 'real world' crime into cyberspace, and it's come a long way in recent years as groups have become bigger, more specialized, and more professional.
"There's been a substantial amount of improvement and innovation in the way attackers go after networks and, as cybercrime has professionalized, you've seen individuals develop a particular set of skills which fit into a broader network," says Gleicher, now head of cybersecurity strategy at Illumio.
"You have people who are managing and distributing credit card information, people who are cracking bank accounts, people who are managing remote access toolkits, to people who specialize in social engineering. There're very specific skillsets," he adds.
But it's not just gangs of hackers anymore: the cybercriminal ecosystem has evolved to the extent that it supports roles you'd expect to find in any large business.
"Advanced cybercrime groups now mirror legitimate organizations in the way they operate, with networks of partners, associates, resellers, and vendors. Some groups even deploy call center operations to ensure maximum impact for their scamming efforts," says Sian John, chief strategist for EMEA at Symantec.
That overlap with the world of business is also true of the tools cybercriminals use to communicate and collaborate, with different groups, whether they're responsible for orchestrating phishing campaigns or stealing and cloning card data, coordinating their actions for maximum effect.
"They're very much acting like a business. We're seeing that they very much collaborate and communicate via encrypted instant messaging systems," says Jens Monrad, senior intelligence analyst at FireEye.
However, such systems aren't open to anyone, as the dark web is still very much a closed space. "They're still using various internet forums, some which are only available if you have enough street credibility or that you have to pay for to demonstrate how you're willing to collaborate on their terms," Monrad says.
Terms and conditions have very much become a part of the increasingly professionalized world of cybercrime, where cybercriminals are now leasing out or franchising their malicious software as a service and making just as much money, if not more, than when they were selling it themselves.
"The franchises take that technology, but rather than hosting it in the country where it's being developed, they'll ask the developers if they can take some of their services and host them in places they can't get to and let them take a cut. It's exactly the same as an independent software company: they have their own channel programme," says Bharat Mistry, cybersecurity consultant at Trend Micro, who describes such operations as "full-on enterprises on the underground".
This practice of hosting services to allow foreign cyber-attackers to more easily commit cyberattacks against local targets has been observed in China and Russia. It's systemic of what has become a global trade meaning, like the largest enterprises, cybercriminal outfits are able to operate around the clock.
With 24-hour operations in what looks increasingly like a service-based business, cybercriminals are even recruiting people to work as customer service operatives -- although many of these 'employees' will be unaware they're working for a criminal group.
"Some groups deploy call center operations to ensure maximum impact on their scamming efforts and, in some instances, employees of the call center are oblivious to the fact they are working for criminal groups executing low-level campaigns like tech support scams," says Symantec's Sian John.
If traced by the authorities, the people unwittingly aiding these criminal activities might be fined or worse. But while these individuals might be discovered, the gangs they are working for often remain in the shadows.
Cybercrime Credentials
While those at the bottom are unskilled, the professionalization of cybercrime has brought about another initiative you'd expect to see in any legitimate business operation: training courses. These programs are offered on the dark web in exchange for Bitcoin, the preferred currency of organized cybercriminal groups.
"There are online training courses you can pay for which show you how to go about hacking a website and infiltration. Everything which happens in physical enterprises is happening in the cybercriminal underground," says Trend Micro's Mistry, adding "it's only a matter of time" before this becomes a widespread activity within the professional cybercriminal economy
"We should assume any training techniques which are being used in legitimate organizations are being used in cybercriminal organizations as well," agrees Illumio's Gleicher.
Gleicher investigated and prosecuted cybercriminals during his time at the US Department of Justice and therefore has first-hand experience of just how sophisticated these schemes have become.
"What I found most interesting in the rise of professionalization is, as you're tracking these institutions, you quickly find they're based in multiple countries and they have sophisticated coordination frameworks to work together," he says.
What he took away from the experience was that cybercriminal operations are becoming increasingly niche, with groups conducting every type of cyber-fraud using strategic business techniques that rival those used within corporations.
"They're working together in this really clockwork way, they'll specialize. So if you see an organization which runs fraud scams, something as simple as selling fake cars online, they're going to specialize in that and they're going to have teams of people creating legitimate looking websites, and teams of people communicating with prospective buyers who have effective enough English to appear legitimate," Gleicher says.
These trends suggest that hacking and cybercrime are no longer the domain of individuals seeking to make a nuisance of themselves. Cybercrime is now an industry involving major criminal groups, with ecosystems as well-structured as the corporations they're likely attempting to target. Organizations must therefore ensure their own defenses are up to fighting this threat.