eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
When people think of cyber-crime, the typical image being pushed today is that of highly organized criminal operations. New research, however, suggests the underbelly of cyber-space may be less mafia-like than some think.
In an effort to improve the level of understanding of today’s black hats, security researchers Fyodor Yarochkin and “The Grugq” have spent several months looking at Russian hacker forums.
“It is an ongoing project that we started about 18 months ago,” Grugq told eWEEK. “Originally it started when Fyodor investigated some service offerings from Russian hacker forums for a specific project that I was working on. It turned out to be extremely interesting and amusing, so we discussed doing more long-term monitoring on the forums. It grew from there into what is now a continuous monitoring program.”
Their research was presented last month at the Hack in the Box 2010 conference in Amsterdam. What the two found was that the image of a highly organized cyber-underworld run by hardcore criminals is not the order of the day. Instead, the dozen or so hacker forums they analyzed illustrated that many of the users are “geeks, not gangsters,” the researchers said.
“Basically, from what we’ve seen on the forums much of what goes on with the sales of services is much more petty criminal activity, or crimes of opportunity,” Grugq said. “Often poor students who like to hack for fun will sell access to a server they’ve owned. Many don’t even realize that this is an illegal activity. This sale will be for $20 or $30, which is a lot of money for a poor student in Russia, but for a hardened criminal mastermind bent on destroying Western civilization-not so much.”
Similarly, many of the sales of stolen assets tend to be at a very low price point, Yarochkin said. Even a distributed denial of service attack only costs $80 a day to carry out, he added.
“These are not prices that are attractive to serious criminals,” he said.
“In terms of percentage, there’d be two to three guys working on stuff professionally, versus 10 to 20 hobbyists,” he continued. “Most of the activity is essentially petty criminal activity where guys are trying to make a little extra cash on the side. You can think of it as a self-organizing hierarchical system with needs and people able to provide goods and services to satisfy the needs.”
Boss of All Bosses?
Other security pros agreed with the researchers’ general characterization. Though there are “top-feeders” that set up affiliate programs to maximize their profit and let lower-level criminals do the dirty work, these are the closest examples of “mob bosses” to be found, said Joe Stewart, director of malware research at SecureWorks’ Counter Threat Unit.
Most participants are students with computer skills that have “grown up with this underground economy and have found a niche for themselves in the criminal marketplace,” he said.
“Given the ease of anonymous money transfer in Russia, there’s no need for criminals to be part of a classic mafia gang where they work for a boss, everyone meets in person and there is some sort of trust/fear relationship that protects the organization and its leaders,” Stewart said. “What you have these days is organized but they don’t necessarily know each other’s real name or ever meet in person, and trust is earned by reputation in past transactions.”
The level of discourse on the forums is typically similar to 4chan or other online communities where users bicker and snipe at each other, Grugq said. Users who are respected are blessed with endorsements; those who aren’t can be blacklisted, he said.
Just about everything is for sale: Skype accounts, botnet software, domain names and dedicated servers, and much, much more.
“Credit cards [are] getting more attention from authorities,” Yarochkin said. “So for credit card trading, there are mostly specific, closed forums where you’d need to buy your access. Everything else is being traded in open.”
Yarochkin noted that there are criminal groups operating outside the forums the two analyzed that would therefore be invisible to the duo.
“From what we can guess,” Grugq said, “any [mob] involvement is more along the lines of some people at the very top of the stack have to pay off the real gangsters. … So, for example, if you are organizing a massive credit card cash-out scam which nets millions of dollars, you’ll have to pay protection money to the mob to not get robbed. It doesn’t look like the mob itself is organizing these cash-outs though.
“We’re not disputing that organized crime is involved with cyber-crime, but the popular conception of leather jacketed thugs running around with firearms and laptops is not in line with what we have observed from the actual communities,” he said. “It seems like it is very useful for some companies to popularize the scary idea of Russian cyber-gangsters, but honestly the involvement seems to be much more hands off.”