Who Are Today's Cybercriminals?
Just ask Barrett Lyon, founder of Prolexic Technologies, a company dedicated to protecting businesses from distributed denial of service (DDoS) attacks. Last year, Lyon spent several months posing as an online crook to infiltrate a Russian crime syndicate that had used DDoS attacks to bring down several legal online gambling and retail sites after at least some of those sites refused to pay extortion money.
Lyon's work helped detectives at the UK's National Hi-Tech Crime Unit secure the July 2004 arrest of Ivan Maksakov--a 21-year-old Russian mechanical engineering student at the time--and several others. According to sources at the U.S. State Department, Maksakov has confessed in full to his role in the scheme and is participating in the investigation.
Lyon says that at least ten other individuals seem to have been involved in Maksakov's group. "From what I understood, he and a bunch of his friends hung out in chat rooms, and he was being hired to attack companies," Lyon says.
Lyon's undercover work--done with the assistance of Dayton Turner, a Prolexic senior engineer--gives him insight into just who is behind financially motivated attacks. "The guys who used to be after bragging rights are now after money," Lyon says. (Turner is on the right in the picture of the two men, left.)
How It Works
This scenario is typical, according to many security experts. "Generally, what we've seen is a form of compartmentalization, from the top down," says Shane Coursen, senior technology consultant with Kaspersky Lab, a maker of security software. At the top of the food chain is someone who has the financial means to organize a group, Coursen says. This individual, acting as the criminal kingpin, puts together a plan and then assembles the necessary technologically savvy individuals.
The resulting group or team may not have a centralized organization, says Gary Iwatani, president and COO of Cloudmark, a provider of e-mail security products. "People think of these criminal activities as being carried out by centralized organizations, but really it is much more of a difficult problem to fight because it is decentralized."
How do these groups work together without central organization? Many members are recruited through acquaintances; others are found online, as Lyon says Maksakov was. Individuals use Web sites, online forums, and IRC channels to advertise their services and meet their colleagues. Many others visit these sites to learn how to get started in the business.
"The scene is always looking for rooters, scanners, curriers [various hacking specialties], but how does one learn these skills? I've not been able to find much information about those topics," reads a recent post in the Hacking-Security forum on Addict3D.org. Several posters replied, offering suggestions of where to look online to learn such skills; one post pointed out that a simple Internet search would uncover several Web sites that offer tips on how to learn the tricks of the hacking trade.
Once they've learned those skills, hackers commonly operate as freelancers, working on projects in an area of expertise--whether it be writing exploits, building botnets, or designing fake Web sites--says Dmitri Alperovitch, a research engineer with CipherTrust, an e-mail security company.
And like legitimate businesspeople and freelancers, they must build a reputation before they can get hired for lucrative work. "If you're just getting started, you let people sample your work," says Jimmy Kuo, a McAfee fellow. "You slowly establish your credibility and your value gets higher."