The Business of Organised Cybercrime

By David Warburton, Senior Threat Research Evangelist, F5 Labs

Credit: ID 133722973 © Igor Stevanovic |

Cybercrime is a term that is thrown around a lot. For mainstream media the term can encompass everything from cyber warfare right the way through to the stereotypical loner, hacking from the dimly lit confines of their parents’ basement. In fact, the now cliché image of balaclavas and hoodies with faces lit up by computer screens often helps to perpetuate the myth that cyber criminals are working alone, unfocused and poorly funded. Nothing could be further from the truth. Cybercriminals are organised, well-resourced and make use of new and existing forms of communication to trade skills, exchange stolen data and launder money.

The two types of cybercrime

Illegal activities that get bundled into the term ‘cybercrime’ can be broadly divided into two camps. Cyber ‘enabled’ crime and cyber ‘dependant’ crime. The latter is what many of us think of when we hear the phrase cybercrime. It refers to those activities that are only possible with the advent of the web, including ransomware, denial of service attacks and cryptojacking. Cyber ‘enabled’ crimes refers to those carried out by career criminals. 

Those that have made a living from profiting from the sale of counterfeit goods and profoundly inhumane crimes such as child sexual exploitation and human trafficking. To them, the web has allowed them to easily and cheaply scale their operations. But lines are blurring. We are beginning to see organised crime groups focus more on cyber dependant crimes since it offers them easier ways to launder money with more anonymity and much better return on their investment.

Underestimating organised cybercrime

Organised crime groups (OCGs) can vary significantly in size but most have a wide range of skills provided by individuals based all around the world. Groups will employ a number of individuals that specialise in different areas of IT, network security and even human psychology.

Since the majority of attacks begin with some kind of social engineering campaign, it’s in the groups interest to understand how to make their attacks most effective. This will include trawling social media to look for personal information to be used in spear phishing campaigns as well as understanding a company’s busiest period to catch people when they have their guard down. OCGs even make use of unwitting members of the public to launder money or even help translate conversations between ransomware victims and their attackers. Roadside adverts offering individuals the chance to “work from home”, “no experience necessary” are clear giveaways.

Interestingly, the closure of major darknet markets, such as AlphaBay, Hansa and RAMP (the Russian Anonymous Marketplace) has forced even the smaller and ‘up and coming’ cybercrime gangs to find alternatives, like exchanging information on encrypted peer to peer messaging apps.

Unlike OCGs who commonly try to advertise their services and ask for help on darknet sites, career criminals are spotted less on the darknet, instead sticking to their previously existing methods of distribution and communication.

Understanding motivations and toolsets

My recent law lecturer told me, “if you want to understand ecommerce law, just follow the money” and the same is true of career criminals. The methods they employ to get to the money may differ but the goals are usually the same.

For example, financial institutions are typically well secured but one area attackers can still target are the individuals. That’s why, for 2018, the most common cause of data breach for the finance industry was access (phishing, credential stuffing and new account creation, for example). For retailers, however, the criminals target is often credit card details.

They accomplish this by attacking web servers or distributing malware which performs web injections. These malicious third-party scripts are capable of stealing user data as it is entered into shopping card checkout pages and then sending it to the criminals servers. This activity is almost impossible to spot by the organisation whose site has been targeted.

In almost all cases, however, attacks are automated. The organised cybercrime gang employs ‘network admins’ to monitor and manage their largescale botnets. These are compromised devices, often insecure IoT devices, which can reach over 400,000 in number. These largescale ‘Thingbots’ help scale the attack and make it extremely difficult for application defenders to detect and mitigate connections that comes from non-human users.

Combating organised cybercrime requires understanding of both the motivation but also the toolset used by these attackers. To better protect against attackers and protect your core assets it requires the involvement of people, process and technology:

  • Continuous staff training for phishing attacks. Understand the methods that attackers are now using, such as hosting phishing sites on
  • Perform frequent external code audits. Web injects take advantage of their code being invisible to enterprise perimeter defences.
  • Employ technology which can detect non-human users. Advanced web app firewalls should detect and block automated attacks before they even have a chance to begin.

The image of the teenage hacker in their parent’s basement has long outlasted its usefulness and might actually be causing many companies to underestimate the risk posed by cyber criminals.

Organisations from all industries can help combat the growing risk of organised cybercrime. With the average age of UK cyber criminals being just 17, it is easy to see how lack of a strong role model can lead them down more malicious paths. Public education, social outreach programs and internships can help young adults focus their love for hacking whilst channelling their skills for positive use.

Tags cyber warfarecybercriminalsf5 labs

Show Comments