{"id":13110,"date":"2018-08-15T07:10:03","date_gmt":"2018-08-15T15:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/08\/15\/news-6877\/"},"modified":"2018-08-15T07:10:03","modified_gmt":"2018-08-15T15:10:03","slug":"news-6877","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/08\/15\/news-6877\/","title":{"rendered":"Under the hoodie: why money, power, and ego drive hackers to cybercrime"},"content":{"rendered":"

Credit to Author: Wendy Zamora| Date: Wed, 15 Aug 2018 14:00:00 +0000<\/strong><\/p>\n

Just one more hour behind the hot grill flipping burgers, and Derek* could call it a day. Under his musty hat, his hair was matted down with sweat, and his work uniform was spattered with grease. He knew he\u2019d smell the processed meat and smoke for the next three days, even after he\u2019d showered. But it was money, he supposed.<\/p>\n

\u201cDerek!\u201d His manager slapped him on the shoulder. \u201cA little bird told me you were good with computers. I\u2019ve got a job for you, if you\u2019ll take it.\u201d<\/p>\n

The next day, with routers and cables bought and paid for by his manager, Derek networked his boss\u2019 entire home. After one hour of work, he was handed a crisp $100 bill. Derek made a quick calculation: He\u2019d have to put in three full shifts at the burger joint to take home the equivalent.<\/p>\n

Unfortunately, not all of Derek\u2019s clients had his manager\u2019s money. Like him, his classmates came from a modest middle-class background, and they often couldn\u2019t afford the latest video games, DVDs, and albums. But Derek had something not even his boss had: the ability to hack.<\/p>\n

Mostly, his classmates looked for video game hacks, like unlimited life, or access to boatloads of free music. Sometimes they needed expensive cables to set up LAN parties, and Derek could McGyver a cat-5 so that his friends only had to pay him $10, instead of the $50 they cost at Best Buy.<\/p>\n

Sometimes, Derek took on work that was a little more dangerous or challenging\u2014like scamming other scammers to get onto their networks and drop malware or redirecting browser traffic to personal eBay storefronts\u2014and he proved himself adept at this type of problem solving. Everyone knew Derek was the man to go to for these things\u2014and he liked that. What\u2019s not to like? Money, popularity, and a quiet \u201cscrew you\u201d to the man.\u00a0He was proud of his ability to hack into and modify programs built by professionals.<\/p>\n

\n

\u201cThere was ego involved, of course. It was like, \u2018Ha! Look what I did that I wasn\u2019t supposed to be able to do,\u2019\u201d said Derek, who today works as an engineer at a security company, but sometimes still participates in less-than-legal activities online. \u201cSome 13-year-old kid just beat a 30-year-old programmer.\u201d<\/p>\n<\/blockquote>\n

Derek\u2019s hacking hobby soon became more than a pastime. The stars had aligned for him to step into the world of cybercrime.<\/p>\n

What makes a cybercriminal?<\/strong><\/h3>\n

Some of Derek\u2019s actions might sound familiar to those who tapped into the early, Wild West-esque days of the Internet. Pirating and counterfeiting music, video games, and DVDs was par for the course in the mid and late 1990\u2019s, until the Napster lawsuit and subsequent shutdown opened the nation\u2019s collective eyes to the fact that these actions were, in fact, unlawful.<\/p>\n

Today, we know better. Those who can game the system are called hackers<\/a>, and the term is often used interchangeably with cybercriminals. However, hackers are merely people who know how to use computers to gain access to systems or data. Many hackers do so with altruistic purpose, and they are called white hats.<\/p>\n

White hats are considered the good guys. They\u2019re experts in compromising computer systems, and they use their skills to help protect users and networks from a criminal breach. White hats often work as security researchers, network admins, or malware analysts, creating systems to capture and analyze malware, testing programs for vulnerabilities, and identifying weaknesses in companies\u2019 infrastructures that could be exploited and\/or infected. Their work is legal, sanctioned, and compensated (sometimes handsomely). But sometimes, even white hats can find themselves in compromising positions.<\/p>\n

\"\"<\/p>\n

Good guys (and girl): The Malwarebytes intel team<\/em><\/p>\n<\/div>\n

Jared* got his start in IT as a technician, working at a mom-and-pop shop that he had frequented often when putting together his own machine. \u201cI was a computer hobbyist,\u201d he said. \u201cI bought and built my first one, and I kept going to the same store for parts. Eventually, I ended up working there.\u201d<\/p>\n

Jared built up his skills working in the shop, eventually moving up to enterprise work at a larger chain store. It was there that he was introduced to a software developer that was making an anti-malware product designed to rip spyware out of people\u2019s machines. He was hired on to add definitions (the code that helps antivirus programs detect malicious software).<\/p>\n

But soon, Jared started to sense that something was off. Despite the fact that the company owners kept departments siloed\u2014the user interface (UI) people didn\u2019t know what the product development people were doing, and none of them knew what the marketing people were up to\u2014Jared started asking uncomfortable, ethical questions in meetings that made him rather unpopular.<\/p>\n

\n

\u201cI had the horse blinders on. I knew that there was stuff taking place that I was not comfortable with, and I chose to ignore it because it wasn\u2019t the product I was working on,\u201d he said. \u201cBut, that mental gymnastics got harder and harder and harder, until I finally realized that some aspects of the company I was working for were super scummy.\u201d<\/p>\n<\/blockquote>\n

What Jared came to realize after moving into a Q\/A position was that he was, in fact, working for a potentially unwanted program (PUP) maker\u2014a product created mostly to rip people off. He might not have been trying to participate in cybercrime, but he was complicit.<\/p>\n

Despite trying to fight the corruption from the inside, Jared was stuck. He needed this job to stay financially afloat. Finally, after six years at the company, he was actively looking for a new job in IT when he was approached by a legitimate security company\u2014and that\u2019s where he is today. His bosses at the PUP maker, however, knew exactly what they were doing. And that\u2019s why they\u2019re considered black hats.<\/p>\n

Black hats are the bad guys; the cybercriminals. They use a similar skill set as white hats, but their intentions are not to protect systems. Instead, they look to cause damage to their targets, whether that\u2019s stealing personal data for monetary gain or coordinating attacks on businesses for revenge. Black hats\u2019 criminal activity ranges from targeting individuals for state-sponsored espionage to widespread corporate breaches, and their efforts may be conducted from outside an organization or embedded within as an insider threat.<\/p>\n

But the world is not black and white. A third set of hackers exists between opposite ends of the moral spectrum, and they are known as gray hats. They may not be trying to cause intentional harm, but they\u2019re often operating outside the law. Gray hats might identify as cybervandals or rogue researchers, publicly announcing vulnerabilities to bring attention to a problem. For example, a gray hat could compromise a system without an organization\u2019s permission, but then inform the organization after the fact in order to help them fix the problem. You might consider Jared a gray hat during his tenure at the PUP maker, even though he entered and left the establishment with the best of intentions.<\/p>\n

What sets a cybercriminal apart from a security researcher, then, comes down to motive. Ethical hackers look to improve the security of software programs to protect users and their online experiences, whereas cybercriminals seek to undermine the integrity of those systems and programs for their own gain. It\u2019s why<\/em> people hack that shapes the nature of their being.<\/p>\n

Putting together the profile <\/strong><\/h3>\n

Without knowing the identity of cybercriminals (as most do a good job of covering their tracks), criminal profiling becomes a useful tool to begin drawing more accurate pictures of the people behind the proverbial hoodies.<\/p>\n

Criminal profiling is a psychological assessment that includes personality and physical characteristics. “Fitting the profile” doesn’t necessarily mean a person committed the crime, but it can help narrow the field of suspects and exclude others from suspicion. Profilers use both inductive profiling (statistical data involving known behavioral patterns and demographic traits) and deductive profiling (common sense testing of hypotheses related to forensics, crime scene evidence, and victimology) to create personas of criminals. They are then able to identify criminals based on an analysis of their behavior while they engage in the crime.<\/p>\n

Online, however, gathering this type of data can be nearly impossible<\/a>. How can criminal profilers identity the crime scene, for example, when a victim might not even know how, when, or where he was infected?<\/p>\n

According to an article in CIO<\/a>, criminal profiling has a success rate of 77 percent in assisting traditional investigations. Unfortunately, no such headway has been made for cybercrime. Instead, both corporate and individual would-be victims rely on a combination of cybersecurity awareness (aka street smarts for computers) and technologies to prevent the crime from happening in the first place. These technologies include firewalls, encryption, two-factor authentication, antivirus, and other more advanced forms of cybersecurity software.<\/p>\n

And while technology has been the main defense against cyberattacks, experts say<\/a> a better understanding of the psychological, criminological, and sociological side of the equation can help fortify protection and possibly catch thieves in the act.<\/p>\n

\n

\u201cThose that get caught never invest in sensible growth funds or get their families out of the country. They buy sports cars,\u201d said William Tsing, Head of Intel Operations at Malwarebytes, whose work includes coordinating with law enforcement to take down cybercriminals. \u201cFlorida has had success getting people with outstanding warrants by the classic giveaways of sports cars and boats. These men have very specific ideas of who they\u2019re \u2018supposed\u2019 to be, and buying expensive toys plays to their ego. They steal what they think they deserve.\u201d<\/p>\n<\/blockquote>\n

That being said, only 5 percent<\/a> of cybercriminals are actually apprehended.<\/p>\n

To better understand their psychological, criminological, and sociological motives, former police officer and IT professional Deb Shinder<\/a> put together a set of characteristics she says that most cybercriminals exhibit. These include:<\/p>\n