The business of cybercrime

Cybercrime seems an invisible, victimless crime — maybe because it’s remote and non-violent. But every crime has a human perpetrator and victim. In his book Industry of Anonymity, Jonathan Lusthaus, Director of the Human Cybercriminal Project, University of Oxford, lifts the veil on the world of cybercriminals, the lives they lead and the vast international industry they have created.

Ahead of RiskConnect Virtual 2020, he spoke with Web Shield to dispel some common cybercrime myths and explain how criminals cooperate effectively in a low-trust environment. This article will be published in the upcoming RiskConnect 2020 Magazine.

It’s a seemingly simple question yet has provoked years of passionate debate: what is cybercrime?

“It’s a very broad concept. It’s old types of crime carried out in new ways. If we think about crimes that have existed throughout human history — whether it’s fraud, extortion or theft — these are the very same things that are done virtually,” says Lusthaus. In his view, this applies to technical tools like malware or DDoS attacks, which seem like new crimes, but are actually just novel methods for carrying out, for instance, banking fraud or extortion.

So much for the crime, what about the criminals? The most common misconception about cybercriminals is that they are young, socially awkward hackers in their parents’ basement. These people do exist. However, in the seven years fieldwork for his book, Lusthaus encountered an increasingly sophisticated type of offender, sometimes highly educated, not dissimilar to IT professionals found in legitimate industry.

“People have this very simplistic stereotype of what a cybercriminal is, when actually this world is a lot more complex. It involves a whole range of different actors from different backgrounds, countries and life stories. That’s really the most important thing to take into account. There’s no such thing as one type of cybercriminal.”

“When you’re operating in an environment where there isn’t a lot of opportunity or a pool of high-paying jobs in tech, what you see is the creation of new cybercriminal start-ups,” explains Lusthaus. These businesses are organized in a similar way to those in the legitimate economy. They are increasingly professional with a clear hierarchy, organisation and division of roles.

The history of profit-driven cybercrime is encapsulated neatly in the title to chapter 2 of Industry of Anonymity. ‘From Lone Wolves to Industrialization’ explains how hobby hacking evolved into profit-driven cybercrime. It tracks the rise of online trading forums which contributed to the growth of cybercrime, its professionalization and industrialization. This in turn led to increased specialization on the forums, fragmentation of the market and a new need to cooperate effectively to carry out cybercriminal activities.

No honour among thieves?

Cooperation within different functions of an organization and between organizations inside and outside the payments industry is a key theme of RiskConnect. But how do profit-driven cybercriminals work together within the framework of commercial behaviour? How do they cooperate effectively?

There are two major barriers to cooperation. First, how do you trust people, who are themselves criminals and rip others off for a living? Is there any honour among thieves? Second is the problem of anonymity. How do you cooperate with people when you don’t know who they are? You don’t know where they live and may have little recourse if a deal goes wrong. People may not be what they seem online. How do you not only assess the competence of a potential partner but ascertain that they are not an undercover law enforcement agent?

“When I was researching my book, I was looking for and expecting to find particularly innovative ways in which cybercriminals cooperate. In terms of their operations, the techniques and tactics they use, they can be very innovative. But in terms of cooperation, I was actually quite surprised that they didn’t offer anything particularly new,” says Lusthaus.

Just as they have looked to legitimate business for organizational and operational structures, so cybercriminals have leveraged legitimate cooperation mechanisms. Reputation is as important among the cybercriminal fraternity as it is in the legitimate economy. How long you’ve known someone, whether you’ve worked with them before, what you and your social network know about them carries weight.

US investor Warren Buffet famously said that it takes 20 years to build a reputation and five minutes to ruin it, and if you think about that you’ll do things differently. In terms of building trustworthiness in a low-trust environment, time spent online counts for a lot. The longer a cybercriminal has been online, the more trustworthy they become as they’ve invested in their reputation and profile, which will cost them dearly to lose.

Performance is another way to build credibility and demonstrate competence and trustworthiness. Cybercriminals may start with a small job to test a partner out. Or conduct a test buy on a sample of goods to assess the quality. This is similar to how tenders are let, and orders placed in conventional commerce.

Linguistic competence also builds credibility. “If you’re trying to create a persona of someone who is an English-or Russian-speaking cybercriminal, then you have to be able to speak those languages well. Google Translate is not going to cut it in those circumstances,” explains Lusthaus. “You need a fluent or native-level command of those languages to be able to present yourself as a person who truly speaks them. That’s another element, as with time spent online, that requires a lot of investment. It’s probably very hard to fake.”

Finally, cybercriminals have also been effective in building external systems of enforcement. This creates an environment where it’s safe to trade and cooperate, familiar to us from conventional business. These centre mostly around escrow, where a trusted third party holds funds before the transaction is completed to the satisfaction of both parties. And arbitration in the case of disputes, where cybercriminals can make a complaint, evidence is presented, and an adjudication is made by a third party appointed for that purpose. “Again, this is not something brand-new. It’s an application of something that has existed in other aspects of human life, such as through the court systems. What we’re seeing is the application of it to cybercrime,” says Lusthaus.

Evolution not revolution

Cybercrime changes — yet much slower than people think. This is partly due to the nature of the underlying crimes committed. When cybercriminals carry out fraud, theft or extortion, they are mostly refining existing business models of how to do this effectively, rather than inventing new crimes.

From a technical perspective malware changes often, maybe even daily, to evade countermeasures. Online forums may get taken down or replaced. Yet there is still a market for stolen card data and different skills and services wanted within the cybercriminal underground. Change within the cybercrime scene is more an evolution than a revolution.

Cybercriminals react to opportunity. So, when opportunities change, they shift accordingly. The biggest recent opportunity is naturally the Coronavirus pandemic. This has changed user behaviour significantly. For example, more people are working from home and shopping online, including from websites and locations that may be new to them. This changes the cybersecurity threat landscape.

“Under normal circumstances, I would say that cybercrime is unlikely to change significantly in the next five years. I would expect that whatever is happening now is probably going to be happening to some degree in the next five years but in a more refined way, or a way that has been shaped by certain changes in user behaviour, industry approaches or countermeasures. But with the pandemic, there are key questions of whether this has changed how people are interacting with the internet, commerce and e-commerce. Whether these changes are here to stay is going to play some role in the evolution of cybercrime,” concludes Lusthaus.