Research Shows How Organized Cybercrime Operates
The stereotypical picture most of us have of cybercriminals is of young men in dark hoodies staring at laptop screens in their parents’ basements. But that image just isn’t accurate. Cybercrime is a business, and it’s big business. Cybercriminal networks are sophisticated, organized, and ready to take any opportunity to steal money and data.
See How Cybercriminal Networks are Organized with Peter Taylor for a complete transcript of the Easy Prey podcast episode.
Peter Taylor is known as “the fraud guy.” He started his career in law enforcement, spending most of his time working with major UK companies to deal with traditional fraud, such as insurance fraud and employee fraud. Eventually, he got bored of fraud and found a new interest in organized cybercrime. He funded some research into organized cybercrime. Since he was familiar with drug-related organized crime and organized insurance fraud, he wanted to compare cybercrime with those more well-known methods.
The usual academic approach is very victim-centered, and Peter wanted to do something different. He wanted to treat it like a police investigation. The project involved interviews with former cybercriminals, former fraudsters, and people in the car fraud and cybercrime industries. At the end, he put together a research paper that was peer reviewed by academics working in the field of cybercrime and fraud. Surprisingly, they told him he’d found a few things they weren’t aware of. Since then, Peter has been busy helping people who are developing solutions, having cybersecurity problems, and dealing with fraud.
Interesting Findings from Cybercrime Research
During the course of his research project, Peter came up with several new and interesting findings. That is partially because he used unique research methods. Most cybercrime research focuses on the victims. Often, it doesn’t focus on individual people who got scammed, but on larger victims like financial institutions. Researchers can get a lot of data from them.
The typical research method involves asking the victims for information, recording and analyzing that information, and coming up with statistics. One university spent a lot of time studying insurance fraudsters. They identified that the typical insurance fraudster is a 42-year-old man who wears a tie to work. It’s an interesting statistic, but at the end of the day, knowing that information won’t help prevent insurance fraud.
“What I think gets ignored is, what can the cyber criminals tell us? … That’s where I came from, the police background and watching the criminals, so I wanted to watch the criminals.” - Peter Taylor
Peter didn’t want to just focus on the victims. With his police background, he was used to analyzing the criminals themselves. So that’s what he wanted to do with his own cybercrime research project. He wanted to talk to the cybercriminals (and former cybercriminals) and learn how organized cybercrime works directly from them.
We Know What They’re Doing
One of the most surprising things that Peter found is that generally, we know what the cybercriminals are doing. They’re not trying to hide it. If you have the skills, you can go online and see exactly what they’re up to. The virtual network of cybercriminals is anonymous, so you could even infiltrate the cybercrime gangs if you wanted to.
We know what they’re doing, and they’re not being secretive about it. The problem is that so few people are acting on this information. Peter keeps seeing warnings that cybercriminals are watching us. They are, and they’re good at it, too. But we have the ability to watch them back. We just don’t.
Cybercriminal Gangs are Marketplace-Based
Drug gangs are one of the more well-known types of organized crime. Compared to drug gangs, cybercrime gangs have a different basis. Drug gangs are based around a family or a particular neighborhood. Cybercrime gangs are based around specific marketplaces. If everybody who used eBay was a criminal, for instance, they would be the eBay gang.
If you look at gangs of cybercriminals, eighty percent of them are built around marketplaces like Silk Road. You can log into those marketplaces to see what’s going on. There are tools to scrape and analyze data, and we can see what’s going on in their marketplaces.
The Cybercrime Triangle
One of the former cybercriminals Peter spoke to was Brett Johnson, one of the founders of ShadowCrew, the model now used by most organized cybercrime gangs. Together, Brett and Peter came up with what they call the Cybercrime Triangle. Police are interested in it because it shows how the cybercrime gangs operate and how they’re different from drug gangs.
The Cybercrime Triangle has three functions. Function one is to steal, hack, or otherwise obtain data, put it on the marketplace, and sell it. Function two is to buy data and then enhance that data through social engineering or through “crime as a service” – teaching people how to commit cybercrime. These are the people actually committing fraud. Function three is cashing out – turning what they’ve gained into legitimate assets.
Steal the data and sell it on the marketplace, buy the data and use it to commit fraud, and turn ill-gotten gains into legitimate assets. It really is that simple. Most gangs are structured this way, revolving around the marketplace.
An Increase in Heist Gangs
Another interesting trend Peter saw in his research was an increase in heist gangs. If you were going to rob an art museum, you’d need to put together a team. You’d want someone who could deal with alarms, someone who could handle the security cameras, someone to plan logistics and get weapons, someone who can use the weapons, a getaway driver, and someone who could help you turn your stolen art into cash. It’s like something you might see in Ocean’s 11. That’s a heist.
What we’re seeing now is cyber heists. Cybercriminals are putting together heist teams of people with different abilities and skill sets to hit a specific target. They’re a bit like a terrorist cell, brought together specifically for the heist. They’ll use all their cybercrime knowledge and tools to target one specific bank, business, or other organization.
“Now we’re getting more and more cyber heists, where you put a gang together to hit a particular bank, a particular business owner, or a particular organization.” - Peter Taylor
What’s interesting about these heist gangs is that they often don’t know who each other actually are. Since so much of organized cybercrime is anonymous, they may work together to hit one particular target, but they may not know the real identities of anyone they’re working with.
The Cyber Arms Race
In trying to combat cybercrime, we’ve created a cyber arms race of sorts. But that’s really getting it wrong. The point of a race is to get to the finish line before the other party. Cybercrime isn’t a race like that. Cybercriminals are getting more sophisticated, and we good guys keep trying to become more sophisticated just to keep up. That’s not a race.
It can also cause big problems. One is that although cybercriminals are getting more sophisticated, the actual cutting-edge cybercrime is a very small percentage of the total. Most of it is scams and frauds that are two or three decades old. It’s 2022, and cybercriminals can steal your cookies from a site you made a purchase on and trick that site into thinking they’re you, logged in and ready to make another purchase. But we’re also still seeing the decades-old Nigerian Prince scam.
“With fraud and cybercrime, when something new comes along, the old stuff doesn’t stop.” - Peter Taylor
Criminals will still try to use the most common methods to steal our money. There are still people out there buying usernames, passwords, and credit card details to commit fraud. A lot of retro things are coming back into fashion, and cool kids have started using checks. Now criminals are back to stealing mail and stealing checks. We can’t ignore the new stuff, but we also can’t stop doing what we’ve been doing to stop the old stuff, either.
Why the Nigerian Prince (419) Scam Works
One of the most well-known scams is the 419 scam, also known as the Nigerian Prince scam due to a large number of 419 scammers claiming to be Nigerian princes. It started through postal mail, then via fax, and now it’s almost exclusively on email. An early version of this scam existed in the seventeenth century. And yet this old scam still works.
The psychology behind the scam is all about triggering emotions in the reader. This could be a positive emotion, like the opportunity to get a lot of money. Or it could be a negative emotion, like the opportunity to lose a lot of money. Sometimes the scammer threatens to release embarrassing or explicit photos if you don’t send the money. When someone hits a big lottery jackpot, scam emails often pretend to be the winner offering to share some of their winnings. The scam could even feed on someone’s desire to do something benevolent. Regardless of the reason, once your emotions are caught, it’s easy to let down your guard. Scammers are professionals and know how to poke at your motivations to get you to hand over some money.
“We suffer this delusion that because we know, everybody knows. They don’t. They just don’t unless we tell them.” - Peter Taylor
The best way to combat fraud and scams of all kinds is to talk to people about it in person. Go talk to your mom, your auntie, or your uncle. Talk to younger people in your life, too. The narrative is that old people are the ones falling for fraud, but often it’s people under thirty. Peter talks to his kids about scams and fraud. Share what you know, because many people won’t know these things unless someone tells them.
It’s About the Money … Until It Isn’t
For many cybercriminals, it’s about the money. Cybercriminals love cryptocurrency because it’s very difficult to trace and impossible to refund. Fluctuating cryptocurrency values have always been an issue for them, and the recent cryptocurrency crash has been a huge problem. Their cybercrime earned them a lot of money in one type of cryptocurrency, and then the value went down and it’s worth hardly anything. For those who are in it for the money, that’s an issue.
“I’d rather see somebody lose the money or lose assets than actually go to prison, because I do think it’s about the money.” - Peter Taylor
On the other hand, some cybercriminals reach a level of success where it’s no longer about the money. It’s about ego more than anything. As an example, a drug dealer in Peter’s area is now behind bars for a very long time. He was arrested for chasing a man down the street with a machete because the man owed him £20. The drug dealer wasn’t hard up for cash. It wasn’t about not getting the £20. It was about the blow to his ego that someone would dare not pay him.
When we try to put ourselves into the heads of the cybercriminals, we have one major drawback: We put our own standards into their heads. What gets in the way of investigations is thinking things like, “They wouldn’t do that, they wouldn’t go through the trouble.” But people involved in cybercrime don’t think the same way the average person does. They aren’t worried about getting caught. They think they’re too smart to get caught, or they care more about the short-term fun than the long-term consequences. Life is more uncertain now, especially with the rise of the gig economy, and cybercrime is the ultimate gig economy.
To Reduce Cybercrime, Focus on the Money
Back in Peter’s police days, they had a saying about burglaries: If you want to cut the burglary rate in an area, don’t target burglars, target the handlers. If burglars don’t have anyone to sell their stolen stuff to, burglaries drop. The same is true of cybercrime. There are only so many ways for money to get in and out of our financial system. When Peter talked to banks, they were worried about their ability to control money laundering. When he talked to cybercriminals, they were worried about banks catching them laundering money. This indicates to Peter that watching the money will be a priority area.
Using AI and Machine Learning
Artificial intelligence and machine learning can be helpful tools in monitoring the money to catch cybercrime. Many financial institutions are already using them. Peter had a credit card that he kept in his car and used only to pay for fuel. One day, he was out to make a purchase and had forgotten his wallet. Since the fuel card was in his car, he used it to purchase a bunk bed. An algorithm flagged it as an unusual purchase, and he got a call from his credit card company to confirm if it was a legitimate purchase. These tools can help catch cybercrime when it happens.
However, the downside of that is an over-reliance on data. One person Peter talked to who works in the automotive industry says that no matter how good your automated solutions are, they should always have human supervision. Computers can make mistakes. Tools like data mining, machine learning, and AI are all dependent on the data sets you’re using and what rules you put in. If it’s using the wrong data or applying the wrong rule, it might miss something important.
More Secure Online Shopping
In online shopping, most of the emphasis is on stopping cybercrime at the point of transaction. There’s very little attention paid to anything else on the website. But there are other ways to prevent cybercrime. From a technology standpoint, behavioral data is a much more reliable way to prove who you are on a website than putting in a password. (We may even see the end of passwords altogether soon.) Using behavioral data can help prevent cybercrime like refund fraud. A lot of refund fraud is done as a service, and the person claiming the refund didn’t purchase the product. Checking methods could compare behavioral data from where the purchase happened and where the refund was applied for to confirm if it’s a legitimate refund request.
Car Theft and Why We Need a Different Approach
The reason Peter went into fraud investigation in the first place was because there were a lot of cars being stolen in the UK. At the time, the entire population of the UK was less than 60 million, but they were having 1.5 million cars stolen every year. Peter went into fraud because he realized most of those “stolen” cars weren’t actually being stolen.
In the UK, people are required to have car insurance. When a car was at the end of its lifespan, people could pay £200 to have it scrapped. But many people decided that instead of paying for that, they would instead put in an insurance claim for a stolen car and get a few thousand pounds from their insurance. Reducing this form of insurance fraud, combined with manufacturers putting a lock button in car fobs so they could be easily locked from the outside, brought car theft in the UK from 1.5 million cars stolen per year to less than 100,000 per year.
The same thing is starting to happen with technology. Your laptop comes with anti-malware and other protections automatically. Website security is becoming more important as a basic function, as well. The security features are becoming obligatory, and that’s part of the answer. In the end, it will probably reduce costs overall, as manufacturers compete to produce a secure product for a cheaper price.
A Holistic Approach to Combating Cybercrime
We need a more holistic approach if we want to reduce cybercrime. When looking at a transaction, we can’t just look at the moment money changed hands. What happened before? What happened after? We need to use more intelligence and data and use it in a better way. It’s there, and we can use it for future planning. Peter also thinks we should be using that data to improve and develop products.
Cybercrime is heading towards a $10.5 trillion industry. If it were a country, it would have the fifth biggest economy in the world. The question we should be asking is, how can we stop it? How can we reduce it? What steps can we take to gather data and follow the money? How can we make it so cybercrime just doesn’t pay? Those are the steps we need to focus on to reduce cybercrime.
“We’ve got to protect the customers, we’ve got to protect people, and we’ve got to protect ourselves.” - Peter Taylor