Organized cybercrime: bad guys go pro, highlighting “customer service”

Back when I was a police officer in suburban Texas, most of the criminals I dealt with weren’t very bright. Burglars and embezzlers, druggies and drunk drivers and domestic violence perpetrators, they had that in common. Even the ones who were well educated and held impressive job titles weren’t nearly as clever in carrying out their illicit activities. You see a lot of brilliant criminal masterminds in the movies but we didn’t see many of them in real life. But that was in Life 1.0, a.k.a. Life before the Internet.

One of the things that always made it easier for law enforcement to catch and prosecute the bad guys was the fact that the majority worked alone or with one or two fumbling, bumbling partners. From petty thievery to murder, most crimes weren’t well-thought-out. Criminal types were usually impulsive and consequently made a lot of mistakes that led to their downfall. The exception was organized crime, exemplified by the Italian Mafia – and members of those criminal organizations proved much more difficult to bring to justice.

Today we’re seeing a whole new breed of criminal that makes the old-style Mafia look disorganized and unprofessional by comparison. Or perhaps I should say we’re not seeing them, because they don’t show their faces. They hide behind a computer monitor somewhere out there on the Internet, scattered across geographic jurisdictions but working together at a level of efficiency that most corporate entities would envy to steal data, which can include credit card information, user passwords for popular web sites and services, social security numbers, or even targeted information such as trade secrets or financial status information pertaining to a particular company or industry.

It recently came to light that Russian cybercriminals had stolen as many as 1.2 billion user name/password sets for the purpose of spamming. Last year Target discovered that customers’ credit card information had been captured by malware surreptitiously installed in their payment system, and just this month two major supermarket chains announced that their customers’ credit card information may have been stolen in a network intrusion. This graphic illustrates some of the significant data breaches that have taken place over the past decade.

Cybercrime specialist and associate professor Tim Holt did a presentation at Defcon 22, the popular Las Vegas hacker conference, earlier this month. In that talk, he described how these Internet-based criminal organizations work. Of particular note is the similarity to legitimate businesses both in structure and in focus on traditional business concepts such as marketing, seller/buyer relationships and customer service.

We often envision hackers as loners who sit in mom’s basement and break into distant systems just for fun or to prove that they can. But hacking today is a multi-million dollar enterprise. When professional cybercriminals set out to capture credit card information or other personal data, it’s not necessarily so they can use that data to commit identity theft themselves. Rather, just as many drug dealers don’t partake of the product they hawk to others, cybercrime pros steal info in order to sell it.

But like anyone in the business of selling – whether the neighborhood pusher or the legit multi-national retailer – those who deal in stolen data have a two-part challenge: how to connect with customers who want what they’re selling, and how to keep them coming back for more.

People are people and it should come as no surprise that the same tactics that work to sell legal products are also useful when peddling illegal ones such as stolen data. If you do a quick web search, you’ll find dozens of lists of “customer service best practices.” Of course they’re aimed at legal businesses, but savvy cybercriminals are taking them to heart.

Big companies spend big bucks on consultants who tell them how to be more customer-centric. And just as cybercriminals steal the data that makes up their “inventory,” they also steal those tricks for building their businesses. You might think those who deal with a criminal enterprise would be left in the lurch if the goods they buy turn out to be defective. After all, what are they going to do – complain to the Better Business Bureau? However, some cybercrime organizations are, interestingly, concerned about their “good reputations” and Holt described how one seller promises to replace any credit numbers that don’t work with good ones.

One way cybercriminals market their stolen data is through “underground” forums dedicated to that purpose. Some of these forums are run in a very professional manner (more so than some forums run by legitimate companies) and even solicit customer feedback. Admins even respond to complaints about sellers and remove those who get a lot of negative reviews.

It’s not just in these forums on the dark side of the web that cybercriminals market their goods and services, though. Some have, in the past, attempted to get the word out through social networks such as Twitter and Facebook. However, that’s not a very effective practice because such activity is likely to be reported and the accounts closed.

A trend that has been going on for the last few years in the cybercrime world is diversification. In the same way that traditional companies have seen the value of expanding their offerings, so organizations that once specialized only in stolen credit card data are now branching out, for instance offering a purchasing/forwarding service by which they will buy products with the stolen card on behalf of the buyer, so that the buyer doesn’t have to take the risk.

Criminals are also providing more targeted services to their buyers. For instance, instead of selling just a general “dump” of credit card numbers, they can sell a “custom made to order” group of numbers that consists of only certain card types, such as premium cards that have high or no charge limits, or cards issued in a particular country.

This increasing “professionalization” of the cybercrime industry is troubling for many reasons. It indicates that those involved in this type of crime are “smarter than the average bear,” and that’s going to make them more difficult to track and prosecute. It also gives them a sort of quasi-legitimacy in some eyes (including, most likely, their own). Finally, it makes this unlawful career path appear more attractive to young people looking for a way “up” in the world, since it carries less of the physical dangers of the drug trade but can result in similar monetary payoff.

It’s important for law enforcement to recognize that we’re dealing with a very different beast from the average “real world” criminal, and adjust their own tactics accordingly.