Cybercrime pathways: Why do hackers turn to the dark side?

Researchers peel back the stereotypical black hoodie to prevent kids from taking the wrong path

Privacy-enabling technologies continue to mask illegal activity under the assumed guise of anonymity, creating millions of online fraud victims, as global governments and police forces race to upskill in a digital world.

Indeed, in a speech to delegates at this year’s NCSC CyberUK conference, then British Home Secretary Amber Rudd highlighted the UK’s growing problem with such offenses – 1.7 million cybercrimes were recorded last year, according to a law firm specializing in prosecutions under the Computer Misuse Act.

“Anonymity emboldens people to break the law in the most horrifying ways with platforms that enable dangerous crimes and appalling abuse,” said Rudd as she launched a £50 million ($65 million) training program aimed at improving the cybercrime units of British law enforcement at national, regional, and local levels.

The UK government, under the National Crime Agency (NCA), has consistently made industry-wide efforts to combat the current $600 billion lost to cybercrime every year. Aside from police training, endeavours include a £1.9 billion five-year scheme aimed at preventing internet-enabled crime.

But whether present legislation and the tools designed to improve enterprise security have been successful at ‘making the UK the safest place to live and do business online’ is inconclusive, as reports of data breaches rise and successful convictions, at least in Britain, fall – from 57 in 2016 to 47 in 2017.

These new forms of crime, whether minor video game hacks or serious offences like child pornography, have led researchers to examine the human element, specifically why misconduct in the digital sphere happens in the first place.

Sowing the seeds

“One of the first questions I had is: What makes people do this?” said Wendy Zamora, a researcher at Malwarebytes, who recently completed a month-long research project into the socio-economic factors driving cybercrime. These are factors not particularly well understood, and that often get lost in the extensive evidence illustrating data breach costs.

“People were interested in pulling out the data about how well cybercriminals are paid against those who are in white hat positions,” Zamora told The Daily Swig.

“That kind of gave me the shove I needed to explore this from an angle of actually talking to the folks and professionals in the field.”

Zamora spoke at length to those working in infosec – some reformed criminals, others still actively engaged in illicit online behaviour – aiming to delve deeper into the personality and physical characteristics that make up a cybercriminal’s identity.

“A lot of people think of hackers as wearing hoodies and being recluses who are down [living] in their parent’s basement,” she said. “I wanted to peel that back and see how true that was.”

A 2017 report by the NCA’s cybercrime prevention unit is one of the few attempts at criminal profiling for the digital age – a psychological forensic technique that becomes effectively void when anonymity tends to play such a large role in how cybercriminals operate.

“I think it’s important to see these people as people,” Zamora explained. “Profiling can obviously work against folks as well and be construed in a negative way, so it’s not just about why they [cybercriminals] do what they do, but what would make them change.”

The NCA report found no socio-demographic bias to date for cybercrime offenders, but that the allure of such wrongdoing was predominately built on the low likelihood of an encounter with law enforcement.

“I found that the entry tended to be video game hacking, or illegal copying of DVDs and music,” Zamora said.

She interviewed individuals predominately living in North America, building on an initial survey by Osterman Research, which found that 12% of employed security specialists have considered participating in illicit activity to solicit additional finances.

Research by both Zamora and the NCA, on the other hand, highlights how monetary gains are not always the primary motivators for young people’s entry into the world of cybercrime.

Anonymity and a disconnection from real-world consequences were also major factors for attracting teenagers who were unlikely to be perpetrators in offline environments.

“Sometimes [it was] just stealing cable, or things of that nature, really petty stuff, and that would then sometimes lead to malware creation and stuff they saw as victimless crimes,” said Zamora.

“I think there’s not as much a barrier to entry when you’re talking about physical crime versus cybercrime, and that the anonymity absolutely opens up a door.”

For the lulz

The emotional turmoil of stealing someone’s identity is a lot easier to ignore when you don’t have to see a victim’s face. And for those who do get caught, the ramifications of their actions can be a harsh reality that no present education system has prepared them for.

“If you look at this glowing rectangular box for long enough, that becomes your world and you get desensitized,” said Jake Davis, a British hacker who was arrested in 2011 for his involvement with the notorious hacktivist group LulzSec.

Speaking to The Daily Swig at the recent Electromagnetic Field (EMF) hacking festival in the UK, Davis reflected on pleading guilty to counts of computer misuse and conspiracy, which were attributed to LulzSec’s attacks on Sony Pictures, News International, and the CIA, to name a few.

“Shock imagery and text, audio, and visuals – it all becomes the same, and to a kid, that’s very desensitizing,” he said. “Taking down the CIA’s website, for instance, might feel the same, in terms of brain chemicals, as playing a game or watching something on YouTube. They [kids] forget that there’s a difference because it all looks the same on a screen.”

Davis, who is currently employed as a security consultant, puts part of the onus of cybercrime participation on naivety, and another on a hacking culture where identity is founded on ego and without much mentorship.

“When we were like 13 and 14, maybe it would have been cool to have an older hacker come into the school and talk to us about opportunities,” he said. “You have to ask what young hackers want. They don’t want to be criminals. They don’t want to do crime. That’s not part of their thinking. They want a challenge and kudos from their peers.”

Prevention efforts also need to focus on education and on leading children down a better path, Zamora added.

This includes a shift in how teachers and parents approach digital subjects, as well as the re-establishment of trust with those who have been criminalized for exercising their computer skills without understanding the consequences.

“Those that are attracted to cybersecurity are the types who aren’t necessarily your traditional learners,” Zamora explained.

“They find their community here [online], whether in the world of cybercrime or on the white hat side, and the motivations attracting them to cybercrime in the first place was that they weren’t given the tools to do good in the right way.”