by Marc Goodman
TECHNICAL SUPPORT
Sometimes running criminal software campaigns can be hard. Just as we must frequently reboot our computers, ask for help from our corporate IT department, or visit the Best Buy Geek Squad, so too must criminals. Thus modern cyber-crime syndicates offer technical support for both their employees and their affiliates.
DIRECTOR OF HUMAN RESOURCES
Successfully running a global crime campaign worth hundreds of millions of dollars, such as Innovative Marketing, requires people, lots and lots of people. The HR team helps recruit the criminal foot soldiers and worker bees necessary to perform the day-to-day operations of the criminal enterprise. It sets up Web portals to handle “human capital management,” including job applications, pay and benefits, and the online training required to carry out a successful malware infection campaign. The director of human resources will place ads in the digital underground to recruit the affiliates who very much know they are working as part of a criminal enterprise. HR will also help recruit another type of employee, so-called mules, who may or may not even know they are working for Crime, Inc. Ads for mules promise high earning potential, flexible hours, and the ability to work from home and are often placed on Craigslist or even on legitimate employment Web sites. The criminal HR staff handle inbound phone calls from prospective job applicants and are quick on their feet, ready to answer questions about job benefits and 401(k) plans (promised after the first successful year of employment).
MONEY MULES
Key to the growth of any illicit organization is the successful laundering of criminal proceeds. All the cash generated, whether through narcotics, scareware, or identity theft, must be properly transformed into ostensibly legitimate assets. To accomplish this goal, “money mules” are recruited via front companies to help move money anonymously from one account, bank, or country to another. Mules naively respond to ads for jobs with titles such as regional assistant, company representative, or accounts receivable. They are told they will be responsible for “payment processing” and are instructed to open two accounts in their own names—one for salary and one for the funds they will be processing, usually via Western Union. Mules, who generally receive between 3 and 10 percent of funds handled, must provide a photocopy of government ID, a completely logical legitimate business requirement that makes it easier for Crime, Inc. to track down any snitches at a later date.
Mules are the face of cyber crime and operate in true name, meaning they have a very short shelf life. Before long, police come calling, and it is only then that these housewives, students, and long-term unemployed, previously happy to look the other way and not ask too many questions, learn for certain that they have been involved in a criminal enterprise. By then, the money and their “bosses” operating under pseudonyms are long gone. According to one money-mule expert, the lack of available mules is the key bottleneck facing Crime, Inc. today. Breaking into systems is easy; where to cash the checks is the hard part. Experts estimate that the ratio of stolen account credentials to available mules could be as high as ten thousand to one. In other words, with sufficient mule and HR capacity, losses attributable to cyber crime could be ten thousand times worse.
The Lean (Criminal) Start-Up
The structure of Crime, Inc., like that of any modern techno-centric organization, is not fixed in time and space but rather constantly in flux. In his book The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses, Eric Ries outlines methods by which budding entrepreneurs can create new products “under conditions of extreme uncertainty.” For criminals, uncertainty is where they excel, never knowing when the next police raid or rival gang drive-by shooting will take place. Outlaws are constantly adapting and innovating to overcome obstacles and meet the latest market demands. They build, measure, and learn by using data-driven Web analytics and keeping good metrics on their products and suppliers. But not all online criminal enterprises are directed from management down to worker bees; some are much more ad hoc and lean.
These criminal organizations are much more in line with the world Tim Ferriss describes in his 4-Hour Workweek, which espouses streamlining business activities by eliminating overhead and automating systems. Heavy organizational structures and obvious leadership are shunned in deference to just-in-time products and services that can often self-assemble on demand. These underground online actors may be much more interested in work-life balance, or lifestyle design, allowing them to balance crime and play while maximizing the opportunities in both. They come together in swarms, groups of individuals in constant motion, contributing specific skill sets toward a common goal. Their assembly is both ephemeral and amorphous, making enforcement extremely difficult. Once the criminal task has been achieved, such as the takedown of a major data broker or retailer, the group can dissipate until reassembling with others for the next criminal engagement.
Actors in these online crime swarms sometimes form in hubs, based on criminal specialty. For example, an identity-theft ring might spontaneously form a hub using the skill sets of multiple swarms. One group of actors with deep technical skills might take responsibility for hacking into a corporate data system; the next group would serve as a data broker, distributing the stolen personal information to counterfeit-document experts, who would make driver’s licenses, credit cards, checks, and passports with the information. The swarms of low-level thugs executing the actual financial frauds would forward any funds received to a mule network, which in turn would collaborate with a money-laundering network to ensure all criminal parties were paid for their services and received their cut of criminal proceeds.
In the worlds of both Crime, Inc. and swarm criminal networks, operational security is paramount. Work and communications are carried out remotely, obviating the need to ever meet in person. Work is compartmented and layered to ensure low-level participants don’t know the true identities of other parties to the crime. Underground online hacking forums and communications channels serve as the main introduction, recruitment, and assembly points for the criminal conspiracies and enable coordination for the swarm as necessary to complete work on specific projects.
A Sophisticated Matrix of Crime
As the United States attorney in Manhattan, I have come to worry about few things as much as the gathering cyber threat.
PREET BHARARA, U.S. ATTORNEY FOR THE SOUTHERN DISTRICT OF NEW YORK
Whether organized cyber-crime groups structure themselves along the lines of corporations, such as Innovative Marketing, or more nimble self-assembling swarms, one thing is clear: they are deeply sophisticated in their approach to business and their “customers.” They have appropriated the latest legitimate corporate strategies and are well versed in supply chain management, global logistics, creative financing, just-in-time manufacturing, workforce incentivization, and consumer needs analysis. The result is the modern cyber-crime enterprise, a full-service, multiproduct, highly profitable global organization capable of taking down any individual, company, or government at will. As noted previously, there are at least fifty such online Crime, Inc. organizations currently in operation around the world.
I’ve seen this sophistication firsthand while working with Interpol and the Brazilian Federal Police on cases involving stolen credit cards throughout Latin America. In the favelas outside Rio de Janeiro, organized cyber-crime groups sold software programs on DVDs containing tens of thousands of compromised credit card numbers and user details. The crime start-ups sold their DVDs to other criminals, offering discounts when bought in bulk. They also included service-level agreements with their software, assuring that at least 80 percent of our stolen credit card numbers would work or “your money back!” The Brazilians even provided phone numbers for technical support for other criminals who were trying to figure out how to use the software but ran into technical difficulties. “Sir, have you tried rebooting your computer?”
Some Crime, Inc. organizations actually use customer relationship ma
nagement (CRM) software to track customer requests and build brand loyalty among criminal clients, as was the case with the proprietors whose start-up created the banking Trojan Citadel. The malware, a variant of the infamous Zeus Trojan, allowed criminals to steal banking information, log user keystrokes, and install other forms of crimeware on a victim’s machine. When the Citadel hackers sold their malware to fellow criminals, they wanted to ensure their customers were happy with the crimeware they had created. Borrowing a page from Marshall Field and Harry Gordon Selfridge, the Citadel gang pledged, “Our products will be improved according to the wishes of our customers,” and they meant it. Their developers created a CRM user interface that allowed fellow criminals using the Citadel banking malware to file bug reports, propose and vote on new features for upcoming versions of the software, and even submit and track trouble tickets for the developers. Technical support was available via instant messenger on ICQ and Jabber, and trouble tickets were addressed in a timely manner. The Citadel “crime-trepreneurs” even built a social network to allow “like minded people” using their banking Trojans to come together to discuss “projects of mutual interest,” such as robbing you and me.
Crime, Inc. can be strangely reasonable and rational, utilizing proven tactics to keep its competitive advantage and ensure the continuity of its operations. In the digital underground, this means keeping close track of the competition and potential business disruptions, in particular law enforcement. As seen previously, criminal hackers are not only monitoring the activities of relevant police agencies and officials but also gathering open-source intelligence to uncover any threats to their massive profits. One group of cyber thieves responsible for hacking JetBlue, 7-Eleven, JCPenney, and the Nasdaq stock exchange created a system of “trip wires” to provide an early-warning system to notify them if news of their exploits had become public. Specifically, they created a series of Google alerts with carefully selected keywords covering their targeted victims so that if any news stories were released about “Nasdaq hacked,” they could pull up stakes and get out before tracked by police. Hackers have become the new Mafia and are contributing daily to the ever-increasing industrialization and professionalization of crime.
Honor Among Thieves: The Criminal Code of Ethics
If you were going to be successful in the world of crime, you needed a reputation for honesty.
TERRY PRATCHETT, FEET OF CLAY
In order to maintain a well-ordered and functioning criminal underground economy, Crime, Inc. must observe certain rules of the road. As such, there is indeed honor among thieves, and some elements of Crime, Inc. actually publish “codes of conduct” to help reassure fellow criminal customers. These cyber black markets are well structured and self-policed, with buyers and sellers constantly reporting on and validating each other’s reputations. Some digital criminal marketplaces actually have star-reputation systems so that fellow hackers can rate stolen credit cards, fake driver’s licenses, and computer viruses with zero to five stars, just like on eBay or iTunes.
On the lower end of the online criminal marketplace, those levels that are easiest to access, violations of the code of conduct are not uncommon. These individuals are known as “rippers” and fail to deliver promised criminal goods or services as much as 30 percent of the time. Once identified, however, they are quickly reported, banned, and driven from the marketplace—just like a seller on eBay or Amazon who fails to deliver on his promise. To help alleviate these problems of trust, cyber criminals have actually established clearinghouses and escrow services, just like the ones you use when buying or selling a home. These honest, but criminal, brokers help verify that the illegal product or stolen data on offer are actually delivered—only then do they release the funds, after taking a 5 percent transaction fee for their services.
At the higher echelons of Crime, Inc., new entrants to the cyber underground are well vetted and must be vouched for by a trusted party, just like drug dealers working themselves up the food chain. Here, where the big boys play, violations of the code of conduct are rare and the consequences high. All parties know it is in their best interests to follow the rules. Just as retaliation is common with traditional organized crime, so too does it occur in the cyber underground. Though “whacking” the competition and dumping them with cement shoes in the East River is more a trademark move of old-school gangsters, their digital equivalents have their unpleasant methods as well. Digital drive-bys do occur, such as the two-day spree carried out by Max Ray Vision (a.k.a. Iceman), who infamously trained his keyboard guns on his competitors and wiped them out. From his apartment in San Francisco, Iceman was able to commandeer the information databases of his criminal competition, absorb their content, and use it to create his own massive site, CardersMarket, which grew to be six thousand members strong. Using the data stolen from his competition, CardersMarket amassed more than two million pilfered credit cards and racked up $86 million in fraudulent charges. Superior technical skills count in the world of Crime, Inc., and hackers are forever studying and learning to improve their capabilities.
Crime U
Hackers are not born; they are trained, supported, and self-taught by an enormous amount of free educational material in the digital underground. Crime, Inc. is a learning organization, and there are online tutorials for everything from defeating firewalls to cloning credit cards. Criminals have access to their very own massive open online courses where they can learn how to launch phishing and spamming campaigns as well as how to use crimeware exploit kits. All of this training amounts to a sort of online criminal university (Crime U) that has accelerated the sophistication and skills of individual criminal hackers. Interestingly, student tutors, in the forms of fellow hackers, will often come together to help support newbies learn the art and craft of digital criminality. Numerous wikis are set up throughout the cyber underworld that provide detailed links, arranged by category, on how to hack every possible device, app, software, and operating system in existence.
Of course not all delinquent and illicit computer training takes place in the free world. Often thought of as “finishing schools” for criminals, prisons offer very little in the way of reform but much in the way of a graduate education in criminality. In fact, a study by Ohio University showed that “individuals with an incarceration history earn significantly higher annual illegal earnings than those who do not have such a history, bringing in on average an additional $11,000 per year of illicit income.” Just as college improves the earning potential of those working in the lawful economy, so too does the graduate education received behind bars.
Thus it may be surprising that more and more prisons are offering computer and coding training to inmates. While such skills might be the key to a legitimate career post-incarceration, they can be useful for illegal purposes as well, even while still in jail. Such was the case with Nicholas Webber, who, while serving time in Her Majesty’s Prison Isis in south London, used his computer skills during his IT training class to hack the prison’s computer system. At the San Quentin maximum-security prison just outside Silicon Valley’s backyard, corrections officials have even created a start-up incubator for those behind bars with entrepreneurial ambitions. With the support of the local technorati, inmates take part in “demo days” and pitch start-up ideas judged by Silicon Valley executives for their potential. While the intent of these programs is commendable, from a practical perspective the results may turn out differently from those expected.
Innovation from the Underworld
A key ingredient in innovation is the ability to challenge authority and break rules.
VIVEK WADHWA
Criminals, forced to work outside the legitimate systems of power, have always been expert at innovating new solutions to difficult problems and thinking outside the box. Time and time again, they have shown deep inventiveness in their business practices and creative use of resources. In his short story “The Blue Cross,” G. K. Chesterton summed it up nicely by declaring, “The criminal
is the creative artist; the detective only the critic.” The dark side of this creativity plays out daily in the world of Crime, Inc. The challenge for the rest of society is that technological innovation is proceeding at an exponential pace, and, importantly, Moore’s law works for criminals too.
Technological innovation from the underworld is thriving, and the criminal hive mind is leaving antivirus companies, technology vendors, and law enforcement in the dust. No longer is hacking the province of a select few digital masters; rather, today it has become democratized with all necessary information readily available at Crime U. Modern criminals are innovating not just technologically but in their business models as well. Crime, Inc. has incorporated subscription models for malware services, gamification for staff members, and open-source software development for banking Trojans. To drive sales, Crime, Inc. offers fellow crooks stripped-down versions of illicit software tools or even provides them for free. If their felonious clients are happy with the product, they can pay more and upgrade to full versions—a strategy known as freemium pricing.
