We know that cybercriminals are almost always seeking financial gain, but it seems that this is not usually what young cybercriminals have in mind when they take their first steps over to the “dark side”.
For example, an interesting report by the UK’s National Crime Agency (NCA) found that many are not necessarily motivated by financial reward. In fact, recognition from their peers, popularity in the forums they belong to, and a sense of success, are bigger influencing factors.
“The sense of accomplishment at completing a challenge, and proving oneself to peers are the main motivations for those involved in cybercriminality,” the authors of the paper stated.
As an example, the report includes the testimony given by an 18-year-old who was arrested for unauthorized access to a US government website. At the time of his arrest he said: “I did it to impress the people in the hacking community, to show them I had the skills to pull it off … I wanted to prove myself.”
A sense of impunity?
There is another major factor that tempts many youngsters to get involved in the world of cybercrime: a feeling that it isn’t a crime in the ‘traditional sense’, and that they won’t be arrested for carrying out a cyberattack.
In fact, the NCA is certain that many British teenagers who get involved in cybercrime wouldn’t get involved in ‘traditional crimes’, based on the lack of prior convictions among the country’s cyberattackers. “Perception of the risk of law enforcement intervention remains low,” the agency reports.
A third factor that attracts them is the ease with which they can start launching attacks or malicious activities. There are all kinds of tools available online which are neither expensive nor difficult to use.
Recently we talked about the cybercrime business model, which consists of selling packages of tools that can easily be used by anyone, even those with little technical knowledge. Hence new phenomena like ransomware-as-a-service have appeared, in which ransomware and other forms of fraud, attacks, and malware are sold “as a service”.
This means teenagers can pay a fixed price, for example $175 in the case of the Karmen ransomware, and buy tools that will allow them to infect other users relatively easily.
An even easier way for beginners to get started, according to the NCA, is to get involved in video game cheat websites and modding forums (for modifying games), from where they may “progress” to forums dedicated to cyberattacks, where such things are discussed openly.
“Very little skill is needed to begin criminal activity online. With tools such as booters and Remote Access Trojans (RAT), users can make a small payment (or often no payment) and begin breaking the law,” the report states.
Unfortunately, the availability of step-by-step tutorials and video guides makes the transition to criminality all too easy. “Once the law is broken, subsequent transgressions become easier,” the NCA continues.
However, the agency firmly believes that the guidance of a mentor and early intervention can dissuade these young people from entering into the world of cybercrime. This way, the gap between them and the authorities would be closed.
In cybercriminal forums though, the law and its consequences are rarely discussed—if the topic arises it is quickly dismissed. These youngsters only become aware of the consequences of their actions when someone they know is arrested.
The search for a mentor
The people who took part in the study said they didn’t have a mentor to guide them toward a more positive path and get them “on the right track,” since the person they tend to follow is the revered cybercriminal who carries out the community’s most complex attacks.
The NCA stated: “Ex-offenders who managed to cease their activities and gain an education or career in technology have credited this change to a positive mentor, or someone who gave them an opportunity to use their skills positively.”
On this latter point though, the analysis gets a little weaker. In truth, there are always opportunities to work “on the positive side” in technology; in fact, we are constantly talking about the lack of cybersecurity professionals and how there aren’t enough people to fill the posts available. Why then do these youngsters feel the need to try out the “dark side” before someone comes along and rescues them?
Of course, lots of security professionals experimented with hacking in their youth and perhaps even took it beyond mere fun before deciding what they wanted to do with their knowledge. In the corporate world though, people naturally ask themselves, “Can it really be a good idea to hire someone young who has developed a piece of malware, has run a botnet, or made money by infecting people with ransomware?”
The debate on whether or not to hire self-confessed “hackers” has been raging for years and will likely never end – the answers as to whether it is a good idea or not generally depend on the particular context of each case.
In conclusion, the worrying thing about this report is that it is so easy for young people to get involved in the world of cybercrime and that they may see it as being risk-free (as well as feeling that they lack opportunities and positive role models).
Well, we are some of the people who can see a great many good reasons to work in security and we keep trying every day to nurture people’s interest in this career.
by Sabrina Pagnotta, ESET We Live Security