Companies experienced a deluge of cyberattacks in 2017, and the first part of 2018 has proven no different. In 2016, cybercrime cost the global economy 450 billion[i]. Since then, attacks have increased not only in frequency but also in sophistication. Cybercrime damages are expected to keep rising, eventually reaching 6 trillion annually by 2010[ii]. However, the cybercrime playbook is relatively well known, and there are predictable factors that have fostered the growth of cybercrime and the formation of cybercrime organizations.
It is relatively easy for cybercriminals to begin performing some of the most fundamental scams and attacks. Many start careers performing scams and eventually move to other types of attacks or into different roles within cybercrime organizations.
The most basic cybercriminals, what I term the entry-level cybercriminals, use simple techniques such as advance-fee fraud, stranded traveler fraud, romance fraud, and ransomware. Advance-fee fraud, for example, involves a scammer promising the victim a large sum of money. The victim, however, must first pay fees, taxes or shipping charges, and is asked for more and more money until they stop paying. In the wake of Hurricane Irma, scammers offered loans to victims if they first paid closing fees, deposits, or insurance. Victims, some of whom had already been through tragedy, never received their loans[iii].
Similarly, the stranded traveler scheme uses hacked or fake social media or email accounts to solicit funds from victims. Fake accounts are created with public photos and other information, and then friend requests are sent to the person’s friends, followed by a description of their dire situation and need of money.
A third technique is romance fraud, a scam in which fake profiles on a dating site are used to form an online relationship with victims. Criminals may operate dozens or hundreds of such accounts as they move relationships along to the point where they can request money from the victim to pay for a tragedy, a plane ticket or technology to stay in touch. Victims are devastated because they are hit with the emotional loss, the violation of trust, and the financial loss. Another variation is known as sextortion. Sextortion scams usually target men: attractive women approach men on social networks and get them to perform sexual acts. Unbeknownst to the victim, they are recorded. Victims are later blackmailed with the threat that the video will be released on apps such as WhatsApp and Facebook. Some victims have been so frightened by these threats that they have committed suicide[iv].
Cybercriminals vary and blend their scams to take as much as they can from victims. For example, one Kentucky woman was taken for $620,000 by a person whom she became romantically involved with on Facebook. The scammer pretended to be a US Army sergeant and said he needed the money to get $10 million in gold and jewels out of Ghana[v].
Ransomware is the final tool used by entry-level cybercriminals, and it is used effectively by more experienced criminals as well. Ransomware is malicious software that encrypts or prevents access to data and then demands payment to make the data available again.
As entry-level criminals gain experience, they often move into attacks such as business email compromise, tax fraud, and bot herding.
Business email compromise (BEC) is a phishing attack that targets employees with an email masquerading as one from an executive; the impersonated executive is the CEO in 30% of cases and the president in 17% of cases[vi]. A Trend Micro investigation found that CFOs are targeted in 40% of BEC cases. The email instructs employees to perform a wire transfer or to make some other payment to the criminal’s account. To be effective, it relies on an understanding of the people within an organization and at least a limited understanding of its payment processes. According to the FBI, BEC scams increased by 2,300%[vii] from 2015 to 2016, with total losses of over five billion dollars since 2013.
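As an added illustration of the BEC pattern just described (example code, not from the article or its sponsor), the following Python screens one inbound message for the two things a BEC email combines: a sender who looks like an executive but is not, and a request to move money. The executive roster, company domain and sample message are constructed assumptions, and the thresholds are illustrative rather than a tuned product rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster and company domain: assumptions for this example, not from the article.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}  # display names a BEC message would borrow
PAYMENT_REQUEST = re.compile(
    r"\b(wire transfer|wire the funds|urgent payment|pay (?:this|the) invoice|gift cards?)\b", re.I)
IMPERSONATION = {"exec-name-external-domain", "lookalike-domain", "reply-to-mismatch"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike sender domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_email: str) -> list:
    """Return the BEC warning signs found in one RFC 822 message, as short codes."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    found = []
    if display.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        found.append("exec-name-external-domain")   # executive's name on an outside mailbox
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        found.append("lookalike-domain")             # typo-squatted copy of the company domain
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to-mismatch")            # replies diverted to a third mailbox
    if PAYMENT_REQUEST.search(body):
        found.append("payment-request")              # the ask: move money
    return found

def is_suspected_bec(raw_email: str) -> bool:
    """Flag only when an impersonation sign is paired with a payment request."""
    found = set(bec_indicators(raw_email))
    return bool(found & IMPERSONATION) and "payment-request" in found

# Constructed sample message (not real traffic): executive name, look-alike domain,
# diverted Reply-To and a wire-transfer request, i.e. every indicator above.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jane.doe@webmail.test>
Subject: Urgent wire transfer

I'm in a meeting, please process this wire transfer to the new vendor today.
"""
```

A plain invoice from a vendor trips only the payment-request sign and is not flagged, which keeps the check focused on the executive-impersonation pairing the article describes.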
Tax fraud is also a popular way for criminals to steal money. Some schemes file fake tax returns, while others try to convince businesses that they must pay fraudulent fines or be taken to court. Information for tax fraud can be obtained from data breaches, such as the recent Equifax breach[viii] that exposed 145 million customers’ Social Security numbers, or purchased on deep web black markets. The Federal Trade Commission estimates that tax fraud represents almost 30% of identity theft[ix].
More experienced cybercriminals may take up bot herding. Herding is the tedious job of continually infecting machines with bots, keeping the bots hidden from security systems and preventing other bots from infecting the same machines. Bots wait to receive instructions from the herder and can use the computing, storage and internet resources of infected computers to perform attacks or processing for the herder. An interview with a bot herder who called himself “throwaway” revealed that he was a college student at the time and had been hacking for two years. He managed a herd of 10,000 computers that he had infected with the ZeuS Trojan[x].
Bot herders classify their herd according to its capabilities. Machines with powerful processors or graphics cards might be used to mine cryptocurrency or crack passwords, while those with high-bandwidth internet connections may be used to send spam, launch denial-of-service attacks or host illegal content. Once the herd is classified, herders lend portions to other members of their criminal organization or lease the herd on deep web black markets.
The most advanced cybercriminals perform attacks using advanced persistent threats (APT) and advanced ransomware threats (ART). An advanced persistent threat is an attack in which the attacker gains access to the network of an organization and stays there undetected for a long period of time. These attacks are typically performed with a lofty goal in mind. The process of moving throughout the organization, obtaining the required information and credentials and eventually acquiring the loot can take a long time and sophisticated hacking techniques, so these attacks are left to the more experienced hackers.
Similarly, advanced ransomware threats[xi] are attacks with a lot of effort and preparation put into them in order to maximize damage and gain maximum monetary benefits for the attackers. ARTs take hold of a company’s most valuable data assets after ensuring that copies or backups are not available so that companies have no choice but to pay staggering ransom demands. The most recent Equifax breach represents an advanced persistent threat because the attackers had access to Equifax systems for a long time as they gathered the access privileges and information for their end goal of stealing information on 145 million people.
Several key factors have worked together to fuel the growth of cybercrime. These include the availability of human resources, anonymity technologies, and hacking tool availability.
Every industry needs a workforce and cybercrime is finding many candidates among those unemployed and underemployed globally. There are currently over 200 million unemployed[xii] people worldwide and countless more underemployed. A portion of these unemployed and underemployed people are tech-savvy and they have found a way to make a living through cybercrime.
Some cybercriminals formerly worked in the tech industry and turned to cybercrime after being laid off. The prototypical case[xiii] of unemployment fueling the cybercrime industry is the large number of Russian tech workers who became cybercriminals in the 1990s following the fall of the Soviet Union. This has happened in many other places around the world, albeit on a much smaller scale.
Other cybercriminals begin their life of crime right out of college. New graduates often struggle to find a job they like or one that pays the bills. Cybercrime tempts them with the allure of easy money, a flexible schedule and sometimes the feeling that they are getting back at those more fortunate than themselves. This is especially true for graduates in developing countries. For example, West Africa has seen enormous growth in cybercrime, partly because it is so easy to recruit criminals when half of university graduates cannot find a job[xiv].
The second growth factor is a collection of technologies that aid in cybercrime anonymity. By employing technologies such as Tor, bulletproof hosting services, encrypted communications, decentralized messaging and cryptocurrencies, cybercriminals can mask their illegal activities, preserve their illicit gains and avoid apprehension by law enforcement.
- Tor: Tor is like cyber note passing. It is used to engage in anonymous communication by passing connections through a web of different participating devices so that the original source cannot be determined. While the purpose of Tor is to protect the privacy and information of users, it is heavily used to conduct illegal online activities as well.
- Bulletproof Hosting: Bulletproof hosting services do not have restrictions on the data that can be hosted with them. They retain no logs of activity and operate in countries with limited or no oversight, and little cooperation with law enforcement. Criminals pay a premium to host with such services, but this allows them to stay in business, hosting content such as command and control servers for malware, ransomware payment portals, phishing sites and/or illegal software.
- Encryption: Criminals have access to a large variety of encryption packages and technologies that are used to prevent others, such as law enforcement, from viewing their data or communications.
- Decentralized Messaging: Decentralized messaging eliminates the central server that could potentially read messages exchanged by participants, and it is widely used in the cybercrime world. In West Africa[xii], cybercriminals use messaging services to share information freely on techniques for defrauding victims. This has helped them improve their techniques by learning from the successes and failures of other criminals.
- Cryptocurrency and Mixing Services: Cryptocurrencies have been instrumental in the increase of cybercrime. Digital currency can be moved quickly and digital wallets can be created without providing any identifying information. This makes cryptocurrency harder to track back to an individual. Cryptocurrency transactions are further obscured by mixing services or cryptocurrency tumblers. These services combine tainted funds with others to make tracking the currency more difficult.
Hacking Tool Availability
The third growth factor of cybercrime is the relative ease at which criminals can acquire hacking tools. Cybercriminals use keyloggers to steal credentials from infected machines, crypters to modify malicious code to bypass antivirus detection and email extractors to harvest email addresses that can be used to send phishing messages or be sold on the black market.
Ransomware as a Service (RaaS)[xv] has been instrumental in the rapid rise of ransomware attacks. RaaS provides criminals with advanced tools and techniques at a low cost. Those with even a limited technical skillset can purchase and use ransomware at a price lower than what is charged for a single ransom. Those using these services are responsible for distributing the ransomware; the RaaS operator does the rest, sometimes taking a commission on the proceeds.
Lastly, botnets, along with bulletproof hosting, are the infrastructure criminals use to launch attacks. Criminals can easily scale their operations by leasing the capacity they need from bot herders. They do not need to maintain infrastructure of their own, and control of the bots returns to the herder when the attack is done.
The deep web is the marketplace and hub of the digital underground. This is where criminals can buy and sell stolen data, hacker tools, and rented botnet resources. There is a consistent demand for Personally Identifiable Information (PII) on deep web markets. Information like credit card numbers, social security numbers, and medical information can be purchased to create fake identities, make false purchases or file phony tax returns. Other, more detailed information is sold to criminals for social engineering. These details can include likes and dislikes, hobbies, names of friends and family, medical conditions and so forth. Access to the deep web has equipped cybercriminals with another way to make money through cybercrime and a way to equip themselves to target even more victims.
The scale and complexity of cyberattacks require a coordinated effort of many people working together for cybercrime organizations. Digital crime has demonstrated its ability to bring about enormous illegal profits, a fact which has not gone unnoticed by existing criminal elements. Established criminal groups have added cybercrime to their portfolio of illegal activities, and they have leveraged their existing infrastructure and money laundering capabilities to maximize returns.
New groups have also formed from real life interactions and online relationships. These groups are single-minded in their pursuit of financial gain at the expense of others. They have no ties to the methods of the past and ruthlessly employ the most advanced tools to accomplish their ends.
There is also a host of low-skilled script kiddies or criminal enthusiasts who attempt attacks on their own. Some have learned and succeeded in their attempts and can conduct complex attacks. Others are quickly caught by law enforcement before they can do much damage, or they are brought into the fold of larger criminal organizations.
Some of the illegal enterprises of today were born out of existing organized crime groups. Others have developed as skilled cybercriminals realized that coordination in the digital and physical world was required to conduct increasingly sophisticated and lucrative attacks and to stay out of reach from law enforcement agencies.
Cybercrime organizations function in part like corporations. These organizations conform to the mafia, triad or yakuza hierarchy. There is a group of people similar to a board of directors at the top. The board finances initial operations and its members maintain connections to other cybercrime groups and to a network of paid persons in law enforcement, politics, and businesses who can provide services to the group. Varying levels of other criminals perform tasks as defined by leadership.
A low barrier to entry and access to powerful tools have made it possible for individuals or small groups[xvi] to commit cybercrime. In any other context these would be called petty criminals, but the activities of small cybercrime groups are anything but trivial. Small criminal groups perform much of the basic and moderate fraud and send a significant portion of worldwide spam.
Small, agile cybercrime groups routinely conduct online fraud and hacking while still evading detection. These organizations typically have a leader with several individuals beneath the leader who carry out different activities such as fraud, finance, and operations.
As the saying goes, “everyone has a role to play.” This is also true for cybercrime. Cybercrime organizations, large and small, require specific talents to undertake scams, fraud, theft, and attacks.
First, there are those who make it possible to operate. They procure or create the resources required by other criminals and sell off the loot. Programmers write malicious code or program exploits. Operations personnel maintain the systems that criminals use to communicate, store data and host code. Traders list stolen items or goods for sale on black market sites, purchase goods and services for the team from black market contacts and maintain relationships with upstream and downstream providers. Money mules launder money by moving currency or goods around without knowing that they are doing something illegal.
Next, there are the people who perform attacks. Hackers exploit network vulnerabilities and weaknesses in systems or applications. Fraudsters phish and run con games on victims to defraud them; they also recruit money mules with make-money-quick schemes. Distributors spread ransomware, malware, and bots to victims or take over sites for drive-by attacks.
Lastly, leaders direct the team, ensuring that members are compensated and that the necessary resources are in place. Leaders maintain order and sanction members who do not obey the rules, such as those who call too much attention to themselves or who pick fights with other groups or taunt law enforcement.
Cybercrime is a thriving business. Criminal organizations know the attacks and scams that work, and they employ them on a mass scale. Victims are plentiful, but you don’t have to be one of the statistics. Protect your company from cybercrime with a robust cybersecurity program.
This article was sponsored by TCDI, a cybersecurity, computer forensics, and eDiscovery company.
[i] Cybercrime costs the global economy $450 billion: CEO, CNBC
[ii] Top 5 cybersecurity facts, figures and statistics for 2017, CSO
[iii] Don’t pay for the promise of a loan!, Florida Politics
[iv] Cyber-police crackdown draws sexual extortion out of the Middle East’s online shadows, The New Arab
[v] ‘A tragic story.’ She thought it was love, but he took more than $600,000 from her, Lexington Herald Leader
[vi] Billion-Dollar Scams: The Numbers Behind Business Email Compromise, Trend Micro
[viii] Equifax Underestimated by 2.5 Million the Number of Potential Breach Victims, Fortune
[ix] Facts + Statistics: Identity theft and cybercrime, Insurance Information Institute
[x] Confessions Of A Botnet Herder, Forbes
[xi] The 6 stages of an Advanced Ransomware Threat attack, Fight Ransomware
[xii] Global unemployment hits 200 million, UN says in report, Daily Sabah
[xiii] Crimicon Valley: Russia’s Cybercrime Underground, Ed Cabrera
[xiv] Cybercrime in West Africa, Trend Micro and INTERPOL
[xv] Cybercriminals turn to DIY kits and Ransomware as a Service (RaaS), Security Thinking Cap
[xvi] Cybercrime and cyberwar: A spotter’s guide to the groups that are out to get you, ZDNet