Security researchers have put the spotlight on a little-known but growing group of people who make up a significant part of the cyber-criminal ecosystem, even though some of them may not even be aware that they’re actually taking part in illegal activities.
A collaborative research project by Czech Technical University in Prague and cybersecurity companies GoSecure and SecureWorks analyzed the activities of people on the fringes of cybercrime: those behind projects like building the websites that end up being used for phishing attacks, running affiliate schemes to drive traffic towards compromised or fake websites, or writing the code that ends up in malware.
The people behind these projects are doing it because it’s an easy way to make money. But by doing this work, they’re laying the foundations for cyber criminals to carry out malicious campaigns.
The research, titled "The Mass Effect: How Opportunistic Workers Drift into Cybercrime" and presented at Black Hat USA, has its origins in analysis by Czech Technical University that revealed the inner workings of Geost, a botnet and Android malware campaign that infected hundreds of thousands of users. That analysis allowed researchers to examine chat logs of some of those involved.
They were able to trace people in these chat logs to online forums and other discussion platforms and gain an insight into what motivates them.
“We started to understand that, although they were involved in spreading malicious applications, they weren’t necessarily the mastermind behind it, but rather the informal workers, those who work on small gigs,” said Masarah Paquet-Clouston, security researcher at GoSecure.
But while these people are at the bottom of the hierarchy, they’re performing useful tasks for cyber criminals who use the websites and tools they build for malicious activities, including phishing and distributing malware.
“They are trying to earn a living and maybe crime is paying better so they go there, they drift into crime and come and go,” said Sebastian Garcia, assistant professor at Czech Technical University, who argues that more attention needs to be paid to the people who straddle the line between cybercrime and legal activity.
“There is a mass of people in these public forums that the security community is not looking into, but these are the support, these are the people doing the majority of the work, building web pages for phishing emails, APKs, the encryption, the malware, the money mules,” he said.
If we always focus on ‘motivated offenders’, the masterminds who actually thought of building the botnet and making money through all of this, we forget the workers, warned Paquet-Clouston. “We as a community often forget that there are many people involved, but they’re not necessarily highly motivated people but rather just those who end up doing the activity,” she said.
However, this doesn’t necessarily mean that the people involved in these schemes should be treated as if they’re criminal masterminds, particularly when some may not even know that their skills are being exploited to aid cybercrime.
In fact, it could be possible to provide many of these people with opportunities to use their skills in a way that’s beneficial, rather than using them to help cybercrime.
“There is a lot of people that, maybe given the correct opportunity, they don’t have to drift into crime,” said Garcia.