Cybercrime, from another point of view

Cybercrime itself has become a lucrative domain – a large number of dark net forums and marketplaces exist so that criminals can share and monetize the data of individuals, companies and institutions. Such websites distribute malware and information about vulnerabilities to would-be hackers who often pay hefty sums to stay ahead of the best cybersecurity practices. They also serve as rallying points where hackers organize themselves – hackers who are oftentimes sponsored by nation-states and corporations. They are constantly trying to take down targets that will provide them with plentiful bounty or outstanding reputation. John McAfee is among the high-profile targets of such groups – the inventor of the first antivirus has claimed multiple times that some of his social media accounts have been compromised, as the hackers consider such an achievement to be a badge of honor.

But just how profitable is cybercrime?

Dr. Michael McGuire has recently published a report that attempts to answer this very question. His findings show that crime, as present on the Internet, has blossomed into an ecosystem of its own – the word ‘business’ is no longer a sufficient description. Cybercrime is now a genuine economy that not only leeches value from its legitimate counterpart, but also adds to the profits of the companies and governments that use it. The author claims that, despite it being in its infancy, cybercrime already generates at least 1.5 trillion USD every year.

Online markets that peddle illegal goods generate the most revenue by far. However, most of this ‘dark’ version of e-commerce falls beyond the scope of cybersecurity. At the same time, it’s worth noting that almost half of the total is generated by means that take advantage of companies and individuals who fail to implement proper security.

Intellectual property and trade secret theft rake in a staggering 500 billion dollars’ worth of revenue. Most of this money is re-invested into equipment required for further criminal activities. While some of this comes in the form of software or hardware meant for cybercrime, some criminals finance weapons and human trafficking, as well as terrorism, in their quest for ever more profits. This puts extra strain on law enforcement operating offline, thus incurring losses to governments and their taxpayers.

While all sectors grow by reducing inefficiency and increasing productivity, cybersecurity needs to expand as a reaction to cybercrime. Costs inflicted by cybercriminals include, but aren’t limited to, stolen money, lost productivity, destruction and theft of sensitive data such as intellectual property or personal information, embezzlement, disruption of the normal course of business both during and after the attack, forensic investigation, deletion of hacked systems and restoration of IT systems, as well as damage to reputation.

A lot has changed since 47 years ago, when a young Bill Gates was caught breaking into a company’s computer and forced to give up computing for a year. No one thought much of hackers back then – there wasn’t a whole lot one could gain from exploiting computer systems, other than the chance to sit next to pretty girls. Fast forward to the year 2017, when hackers caused companies and individuals around the globe damages in excess of $600 billion.

Cybercrime is no longer the domain of curious geeks that playfully toy around with computers; it has become a lucrative career for highly intelligent and determined professionals. Bitcoin wallets associated with WannaCry ransomware received a total of 53.94 BTC (and growing). This amount is worth well over 340,000 USD at the time of writing and was worth up to 80% more in the past. The Equifax breach saw the personal details of 145.5 million Americans make their way into the hands of hackers. Since one SSN goes for about 1 USD on the dark markets, the attackers could have gotten away with nearly $146 million from this one incident.

Yes, the hackers of today stand to make a lot of money from meddling in other people’s computers – and it’s not just the really good ones, either. Dr McGuire’s research reveals that low earners on the dark web make more than 3,500 USD every month, while middle-earners can bring home in excess of $75,000. A talented white-hat (this is a hacker paid to break into a company’s system so that he can identify and fix vulnerabilities) is paid roughly $99,000 every year.

Traditional crime operates in the real world – it is perpetrated by individuals who can be traced to a certain point in time and space. It deals with physical objects; things that one can touch. There’s only so much space one person can cover in a given time and there’s only one place a person can be in at a given time. Cybercrime does not follow the same rules.

Every packet of information that is sent across the Internet contains some data pertaining to its source and destination. This is the closest equivalent to location the Internet can provide. A clever attacker can avoid detection by modifying this data to look as if the packet is coming from some place other than it really is. Wired reports that, while investigating the Mirai botnet, the FBI were led to the computer of a French child with an interest in anime. It was later discovered that the hackers had compromised the boy’s computer and were using it to mislead those that would try to trace them.

The FBI managed to track down and prosecute the creators of the Mirai botnet, but not before the culprits had released the code into the wild, in an attempt to cover their tracks. This gesture gave rise to the largest distributed denial of service attack the Internet had ever seen – an attack Anna-Senpai & Co are not guilty of and which has not been successfully attributed to anyone.

Most attackers are never caught. CSO reports that for every 1 hacker that gets caught, 10,000 others go free. There are a few factors responsible for this daunting statistic – among them, the attribution problem and issues related to jurisdiction and legislation are the most important. The attribution problem refers to the fact that it is next to impossible to pin an attack on a perpetrator. This is so hard, in fact, that Eugene Kaspersky of Kaspersky Labs has publicly stated they do not even attempt to do active attribution; their time is better spent contacting law enforcement and mitigating the attack. Even if respondents manage to pinpoint the source, they would still have to provide evidence that a certain person was behind the keyboard when it happened. Add to this the fact that the legal system is not yet prepared to properly handle cybercrime and a grim picture begins to emerge.

The bad guys communicate and collaborate, yet most cybercrime is never reported. The amount of resources required to go after each individual hacker far outweighs the damages they cause – trying to catch the perpetrator of a $500 ransomware attack makes no economic sense for investigators. A consequence of this is that a crushing majority of reports get filed, but nothing more is done about them. Discouraged by their reports rarely amounting to anything, victims are less likely to go through the hassle of contacting law enforcement.

Once a weakness is discovered, it is immediately shared among the underground community – either for free or at a cost. Soon after, automated scripts are created and left to run, scanning the Internet for machines that can be compromised through said vulnerability. The Satori botnet, a tweaked variant of Mirai, infected over a quarter million devices within twelve hours of it going online – a feat which cannot be achieved through manual labor alone. Most attacks follow this script. The hacker is not so much an active perpetrator as he is a patient listener.

So far we’ve shown that cybercriminals have a great deal of incentive to carry out cyberattacks. There is a lucrative market for their activity, oftentimes sponsored by nation states or corporations. They have the element of surprise on their side, they can work from the shadows and enjoy the support of a community, while being notoriously difficult to prosecute, should they ever be caught at all.
