Cybercrime doesn't pay: well it does, and very well

A large part of me is worried about writing this post because in some way, I could be considered as promoting the idea or inciting people to commit cybercrime. Well, that's not my intention as such - instead I'm taking a more back seat approach to denounce why people commit cybercrime and what people get out of it.

As a criminologist and sociology student, the way people interact with society, other people and how society lives and works together, whilst comparing that to crime and the law gets my juices flowing nicely. If it didn't provoke my academic mindset, it would most certainly give me the horn instead.

The considerations of cybercrime

Where do you start... it doesn't take much work or effort to start your basic cybercrime campaign. If you wanted to start off on a basic level, phishing still works relatively well. Between May 2004 and May 2005, nearly $1 billion was stolen in phishing attacks, with it escalating every year since. You create a fake website which looks like an online banking interface, buy a list of emails from a marketing company (consider this an "investment") and mass email out a fake email claiming that you are their bank, link to that website and harvest the account details as they come in.

Relatively simple really. Get someone with the know-how and split the profits... or kill them and take it all (after all, if you're going to be a criminal, you may as well go whole-hog).

You could consider pornography as an easy way to make a shed load of cash. Forget copyright and intellectual property; you're a cybercriminal, you don't need to worry about things like that. Download a fine selection of grainy, jumpy porn from a selection of free websites, host it on a web server, lock the front page with a few free tasters to get people enticed, then put a PayPal screen up to exchange access for money. Use the aforementioned spam technique to promote yourself, or invest in online advertisements to draw in the viewers.

Cybersquatting is a costly yet intriguing concept. Find the next best thing online - take Cuil, for example, the search engine which got a lot of news coverage at the time but never took off. Take the website name, in this case www.cuil.com, and go about buying domains which sound or look similar. This could include:

www.ciul.com - www.kewl.com - www.seeuil.com - etc.

From there, you can load your websites with high-paying advertisements or referrals for products to download. The main factors in making this work are how much press coverage there is and how stupid the people are who want to try it out, in the hope that they get the address wrong. One postman from Cardiff, Wales, spent around $35 on a website domain only to demand in excess of $16,000 from companies before he would hand it over.

The anonymity factor

Most people seem to think that having this aura of anonymity on the web gives us the excuse to say things we wouldn't normally say in person. Criminals also use this theory because they see people on the Internet as "not real people"; instead they are screen names, aliases and avatars. Because of this, the conscience of those perpetrating attacks and committing cybercrime troubles them a lot less than it would in real life; in theory, anyway.

An essay which I wrote for my core criminology module this year consisted of the differences between online and offline crime. Those who commit fraud in person, seeing the faces of their victims, will have a different level of effect on their conscience than that of those who commit online crime and see no faces - again, in theory.

The white hat approach

Now this is what I really wanted to get round to. Something closer to home for me, as an example which works quite well: the UK (as well as the US) are under constant fire and electronic attack from other nations such as China and Russia. In turn, these nations are under attack from other countries themselves; it's a constant, on-going battle.

The US cyber-security industry has expanded rapidly over the last decade, with government and non-governmental organisations working together in forming not necessarily a single solution, rather a mesh of preventative measures to protect the electronic infrastructure of their respective countries. When Obama took office, this was one of the main steps he wanted to take in his presidency.

Those who were once hackers and cybercriminals are now turning "white hat": working with these people towards defeating their one-time colleagues and tightening up security using their background knowledge. For example:

"Launching the strategy earlier Lord West, who has been appointed as the UK's first cyber security minister, said the government had recruited a team of former hackers for its new Cyber Security Operations Centre, based at the government's secret listening post GCHQ, in Cheltenham, to help it fight back."

What did make me giggle when reading through this was what it said afterwards:

"They had not employed any "ultra, ultra criminals" but needed the expertise of former "naughty boys", [Lord West] added. "You need youngsters who are deep into this stuff... If they have been slightly naughty boys, very often they really enjoy stopping other naughty boys."

He also confirmed that the government had developed the capability to strike back at cyber attacks, although he declined to say whether it had ever been used."

Become a hacker, then a spook - to become a hacker spook: pays well, government pension, save the world every day, sounds alright to me.

Which side to stick with

Cybercrime does pay very well, if you get it right; not only for the criminals starting the attacks but also for the security industry aiming to seal up breaches and minimise fallout as a result. Considering that cybercrime awareness and law enforcement departments are opening up to the new waves of online crime, including fraud, phishing, child abuse imagery and media and suchlike, you might want to consider staying on the good side of the security industry. At least this way, you can make money out of cybercrime without any of the side-effects of criminality... such as being buggered in the showers at prison.

Would you try and get a job in the security industry, with no guarantee you'll get it or stay there, or head over to the dark side and live life in a dark shadow of crime?

Topics: Browser, Government, Government US, Security, Software Development

Talkback

19 comments
  • Not all of them paid.

    The cyber-crimes with country support don't have to pay. BTW, is there a law in UK to permit such "fighting-back against cyber-crimes"? Otherwise, they are cybercrime too.
    binyo66
    • It's OK to fight back

      It's always OK to fight back cyber criminals. If your country can not protect you, you have the right to protect yourself. As long as your "revenge" is not for profit.
      Strathclyde-Forensics
      • well, sort of

        As long as you are under-equipped and out-manned, it's legal in the UK to protect yourself.
        trent1
  • stupid, stereotypical article

    one step up from copy-paste reporting..
    Htalk
    • Why?

      You didn't really go into much detail...
      zwhittaker
  • Funny you mention Obama...

    [i]...government and non-governmental organisations working together in forming not necessarily a single solution, rather a mesh of preventative measures to protect the electronic infrastructure of each respective countries. When Obama took office, this was one of the main steps he wanted to take in his presidency.[/i]

    What did he [b]actually[/b] do when he took office? Appointed [b]czars[/b] for all his pet projects -- positions that are accountable to nobody with complete lack of transparency. The exact [b]opposite[/b] of the way he promised things would go.

    (This does not mention the thug-like tactics from his administration, forcing politicians in his own party to comply with his wishes and sing his praises, else they receive no money or help during their next election cycle.)
    Speednet
    • Sore loser...?

      Voted Republican by any chance? :P
      zwhittaker
      • LOL!

        Took the words right out of my mouth!
        MGP2
      • We are all losers now

        Ha, ha, very funny.

        The country is being shoved in the toilet while you snicker about another person's politics as if your favorite sports team just beat theirs.
        Speednet
  • white hat reporting?

    I don't think you should feel too worried about reporting this, unless you live in a repressive regime.

    Let's be blunt - the guys that are running around doing this sort of stuff have skills that have taken a long time to put together.

    The casual reader here will probably be concerned with other things in life, and read this piece with interest, if not intent.

    There are plenty of far more explicit posts floating around, if one knows where to look, so on a scale of 1 to 10, 10 being threats to national security and infrastructure, I'd have to say this article rates very, very low.

    What would have been of more interest to me, frankly, is how the criminals can do what they do and not expect to get caught. Their evasion techniques, to be precise.

    I'm guessing these people set up their sites using stolen credit cards to begin with, so there isn't a trail back to them in THAT way. There is always an electronic trail though (DNS records, ISPs, etc), and it must surely be a case of resources used by the governments to intercept them, along with whatever jurisdictional issues have been deliberately implemented to thwart investigation, eg offshore companies, unnamed directors, trust mechanisms, crooked government officials, etc etc.
    roberto_maietta@...
  • look - please SPELL CHECK...

    do they not teach grammar and composition over there in
    Kent?? it may seem like nit-picking but it's very very
    ditracting to find ovbious erors sprinkled throughout your
    article - NO print publication would let this pass moreover
    - so ZDnet - YOU are complicit in this as well! this is not
    the first time that i've had felt the need to complain about
    this, if ZDnet expects to be taken seriously as a business
    publication - online or otherwise - then they really really
    need to step up the level of professionalism here...
    just my $.02
    sincerly.
    bennett
    bennettvonbennett
    • Examples?

      To be fair, it's a university - they don't teach spellchecking. As far as I could tell, there was only one misspelling in this article: "thery" which should be "there" which I have now corrected. I do an online and offline spell check before I publish any article. Perhaps if there were many spelling mistakes, I could understand your response - but it was literally one letter out of place.
      zwhittaker
    • How about practicing what you preach?

      [i]...but it's very very ditracting ...[/i]

      ditracting? Did YOUR spell checker miss that?

      [i]...in this as well! [b]this[/b] is not...[/i] Did YOUR schools not teach capitalization at the beginning of a sentence? For the record, you only capitalized one sentence in your whole biotch post.

      [i]...then they really really need to step up the level of professionalism here...[/i]

      Hey, once you learn to use spell check, and then learn capitalization, maybe you can learn punctuation, and put some commas between your "really really really" comments.

      And YOU are going to criticize someone about grammar and composition? GIVE ME A $()#&$ BREAK! I got more distracted reading YOUR crappy post than I did reading the article.

      And for the record, you could have avoided all this hypocritical embarrassment if, instead of calling him out publicly, you instead clicked on his bio and sent him a private email.
      MGP2
      • Look at his past history...

        If you care to take a look at bennettvonbennett's past comments on the network, you'll see it's very much of the same calibre.

        Having a go at spelling/grammar:
        http://talkback.zdnet.com/5208-17923-0.html?forumID=1&threadID=64901&messageID=1222416

        Random rant in the style of some skewed Vietnam war veteran:
        http://talkback.zdnet.com/5206-9595-0.html?forumID=1&threadID=65626

        More spelling bashing:
        http://talkback.zdnet.com/5208-17923-0.html?forumID=1&threadID=65005&messageID=1222410

        Just seems like somebody has a little too much time on their hands, yet ironically not enough time getting themselves laid.
        zwhittaker
        • WOW!

          [i]ironically not enough time getting themselves laid[/i]
          Wow - aren't you the professional, throwing stones in glass houses.
          t0mmyt@...
  • Legal reasons

    Cybercrime is not popular because the average criminal
    thinks less of the victims as people. Pop psychology
    there - i.e zero objective studies and not even any
    subjective (self-serving) interviews.

    The simple reasons are - no live witnesses for the
    prosecution meaning almost always a shadow of doubt,
    usually good separation in time between act and
    reporting to authorities, no chance of physical
    confrontation with victim or security or law
    enforcement.

    Plus in most countries cybercrimes are classified as
    insurance-fraud crimes meaning very low penalties if
    convicted.

    To be truly honest most countries truly do encourage
    home grown cybercriminals as growing cybersoldiers and
    technology for a future cyberwar. All the old
    superpowers are up to their necks in it. Plenty of
    precedent - just look at how criminals became spies,
    saboteurs, or commandos in WWII and other major wars.
    wellduh
  • RE: Cybercrime doesn't pay: well it does, and very well

    Point is, if you can get away with it, what's stopping you from doing it?
    megamanx
  • RE: Cybercrime doesn't pay: well it does, and very well

    Good article Zack,

    I was on the team last year for a project by McAfee called 'Super Spam Me'; it was a global study of spam.

    I am starting to think that a lot of the hype about making money on line is in fact just that - hype.

    There was an interesting article I read here

    http://www.caspianit.co.uk/how-to-not-be-an-idiot-online-online-gold-rush-exposed/

    It makes an interesting point
    Sci-Fi Si
  • RE: Cybercrime doesn't pay: well it does, and very well

    Starbucks is a great place to hide when creating a lot of web traffic that you don't want tracked back.
    MadWhiteHatter