Hacker Mules - Barely above the poverty line
- 05 April, 2019 11:09
During 2018 cybercrime generated around $1.5 Trillion Dollars (I just pictured a Dr Evil scene with his pinkie pose and laugh he had in the Austin powers movie from the late '90s in my head) for the underworld economy and possibly APT’s. Over half of this was generated via dark web markets where contraband is sold or bartered ($860 billion). You could then break it down further with Trade secret & IP theft ($500 Billion), data trading ($160 Billion), Crime-ware/Cybercrime-As-A-Service ($1.6 billion), Ransomware ($1 Billion). No matter how you look at it, that is a huge financial burden on the global economy.
Now I have joked around in a few of my previous articles that malicious actors are buying themselves nice new Lamborghini’s (or any other ridiculously priced supercar you want to insert here – Admittedly I am only saying ridiculously priced because there is no way that I can afford one of these ever). They would buy them in several different colours, so they can choose which one to drive based on their mood on any given day. We would not want them to have to drive the same car two days in a row, now would we?
Okay, I got a little sidetracked but you get what I am trying to get at, is it a realistic picture of how most malicious actors would live? After some comments on my “Day in the life of a hacker” article, I have done some further research into that exact fact and honestly most are not living like this at all. The people who are doing the malicious work are what we would call mules in the industry. These are very low-level members of cybercrime gangs or Criminal syndicates in general, that are used by the malicious actors to do all the work. This is a particularly common scenario in Russia and Ukraine, many of these are not even willing volunteers but are forced to do this work for what could be considered very poor work conditions and remuneration. Certainly won’t be getting a dental plan form this employer let alone a nice shiny new Lambo…
Many of them do it under personal threat/duress to them and their family’s or they have no other source of income to support them and their families. So even though they are the ones doing the crime they are not the ones cashing in on the money train that is cybercrime, it is their bosses and bosses, bosses or even their bosses, bosses, bosses (that’s a bit of a mouthful) but you get what I am trying to say. These mules are usually the ones who go to jail for the crimes, not the higher-ups, who actually get all of the money.
Is this the more realistic picture of how cybercrime is in the real world? To some extent yes it probably is but there would still be some out there cashing in on these opportunities not linked to crime gangs or APT's that are our government-sponsored teams (in some countries they may actually be the same entities – now that is the scarier scenario and I can think of a few that could fit in that category). I think it is good to look at all scenarios so we can get a better understanding of how this all works and truly try to consider what options we have to fight these groups.
It is a sad cycle really that is costing us all too much money but what can we do to solve this problem? It is a hard problem to resolve and what we are doing is not really working. We need to find a better approach or we will never be able to win the cyber war (yes it is a cyber-war) that is taking place all around us between the good guys and the bad guys (It’s getting harder to tell who is who these days) but none the less that is the battle that is being waged.
Amanda-Jane Turner - the Brisbane AISA branch executive, made a very good point during a presentation at the BrisSEC19 conference recently that “Technology will not be the solution to cybercrime” and I think she is correct, we need to look at how we can approach this issue from a completely different angle, the solution may come from a totally different insight or industry and it may be so obvious that when we do have someone suggest it, we will all think “why didn’t we think of that”.
Someone reading this article may have the solution we are looking for; we just have to get that idea into the mainstream and action it. Let us stop the talk and make a plan to get this problem stamped out. If we do not find a solution to this growing issue, we may lose control altogether and the internet that is starting to look more like the Wild West may become so unsafe that it will lose the benefit that it was envisioned for.
If you have any ideas lets discuss it and consider its implications if it has potential, let's find a way to get it moving towards its end goal, if that fails let's just try again and again until we gain back some sort of balance to this fight.
As always, disagree with me, tell me what you think and let us act.
Till next time...