The Boring Life of Cybercriminals

1. British researchers have been digging deeper into how cybercriminals work, hoping to inspire new methods of preventing cybercrime. As it turns out, they say “Cybercrime is (often) boring,” they say.[1]

Many cybercriminals are parallel-universe office workers eking out a living — a far cry from the stereotype of creative outlaws using wicked technical skills to win big. By focusing on dissatisfaction in the ranks of cybercrime, the researchers say, law enforcement could come up with new countermeasures ranging from crime prevention publicity campaigns to targeted disruption strategies.

Cybercrime-as-a-Service

At today’s scale, cybercrime typically operates as a service business — not unlike a managed service provider that digitally enables a legitimate company’s retail or healthcare operations. In the underground market, though, products and services include botnets to rent for distributed denial-of-service (DDoS) attacks, ransomware-as-a-service, channels to monetize stolen data and “bulletproof” hosting that protects illicit activity from law enforcement. These and other infrastructures, tools, scripts and methods of cyberattack are packaged up for use by customers with low to no technical skills. Likewise, many of the workers who maintain and market the services are low-skilled and low-paid.

Cyber experts were already well aware of the many implications of this industrialization of cybercrime, including its acceleration of the growth of cyberattacks. “These markets are easy for almost anyone to get involved in — at least at the most basic levels,” according to the Rand Corporation, a think tank.[2]

Taking this understanding to a new level, research from the University of Cambridge and the University of Strathclyde focuses on how much a job in cybercrime can differ from the expectations of excitement and prestige that might lead people to this unfortunate career choice. The hierarchy of criminal enterprises is described as top-down, with a very small core of actors developing exploits, several levels of people handling the operations and customers buying services to launch cyberattacks.

“Providing these cybercrime services requires the same levels of boring, routine work as is needed for many non-criminal enterprises, such as system administration, design, maintenance, customer service, patching, bug-fixing, account-keeping, responding to sales queries and so on,” the research states.

Frustrating, Low-Level Jobs

The British research cites posts from online forums describing one criminal enterprise as “a place where you learn nothing new and don’t go much of anywhere” and calling another “a sweatshop, really.” In most of these enterprises, it’s difficult to advance to the next level, whether you’re a “script kiddie” working with prepackaged exploits or a “money mule” transferring stolen funds to offshore accounts.

Adding to job dissatisfaction and burnout is the risk that the competition will knock your organization offline, as some criminal organizations are known to do, resulting in customer complaints that have to be handled, extra work on remediation and possible job loss. Another risk is that law enforcement will shut you down.

Still, many people need work, with some countries suffering chronically high unemployment and others experiencing economic slowdowns. In India, for instance, “the slim chances of detection, and the even slimmer chances of facing prosecution, have seemed to make scamming a career option, especially among those who lack the qualifications to find legitimate employment,” The New York Times recently reported about scam callers.[3] In the U.S., the FBI reported an increase in money-mule schemes,[4] some luring in people with “Make $$ Working from Home” ads during the COVID-19 pandemic.[5]

New Methods of Preventing Cybercrime

Many cybersecurity and law enforcement strategies have focused on the motivations, behaviors and decision-making of the highly skilled actors at the top of the cybercriminal hierarchy. The British research suggests greater focus on the more mundane, rote aspects of the work that supports illicit enterprises.

One recommendation is to encourage burnout. This idea embraces “whack-a-mole” approaches to cybercrime infrastructure that might otherwise be seen as pointless (since the offending systems just pop up again elsewhere). “Every time there is a takedown there is further repetitive, tedious work for the administrators to set up their sites anew,” the researchers point out. “Encouraging even a few administrators to quit can cause substantial destabilization.”

Another recommendation is to debunk the romanticized image of cybercriminals with mad skills and bags of money. Messaging that emphasizes the tedious, low-skilled, low-paid, low-status reality of much of the work could dissuade some youths from joining criminal enterprises.

Ultimately, though, “there is much still to be done to establish quite how to leverage this new understanding effectively,” the researchers write.

The Bottom Line

To date, the effort to stem cyberattacks has overlooked a key behavioral trait in the growing ranks of low- and no-skill cybercriminals. Many are bored with what they had thought would be exciting work, according to recent research. Law enforcement could leverage this finding into new methods of preventing cybercrime.

[1] “Cybercrime is (often) boring,” University of Cambridge and University of Strathclyde

[2] “The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data,” Rand Corporation

[3] “Who’s Making All Those Scam Calls?,” The New York Times

[4] “Fraudsters Prey on Emotions and Bank Accounts in Money Mule Schemes,” FBI

[5] “Money Mules in Sheep’s Clothing,” The Wall Street Journal