29
May 20

Career Choice Tip: Cybercrime is Mostly Boring

When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.

Yes, I realize hooded hacker stock photos have become a meme, but that’s the point.

The findings come in a new paper released by researchers at Cambridge University’s Cybercrime Centre, which examined the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. In particular, the academics focused on botnets and DDoS-for-hire or “booter” services, the maintenance of underground forums, and malware-as-a-service offerings.

In examining these businesses, the academics stress that the romantic notions of those involved in cybercrime ignore the often mundane, rote aspects of the work that needs to be done to support online illicit economies. The researchers concluded that for many people involved, cybercrime amounts to little more than a boring office job sustaining the infrastructure on which these global markets rely, work that is little different in character from the activity of legitimate system administrators.

Richard Clayton, a co-author of the report and director of Cambridge’s Cybercrime Centre, said the findings suggest policymakers and law enforcement agencies may be doing nobody a favor when they issue aggrandizing press releases that couch their cybercrime investigations as targeting sophisticated actors.

“The way in which everyone looks at cybercrime is they’re all interested in the rockstars and all the exciting stuff,” Clayton told KrebsOnSecurity. “The message put out there is that cybercrime is lucrative and exciting, when for most of the people involved it’s absolutely not the case.”

From the paper:

“We find that as cybercrime has developed into industrialized illicit economies, so too have a range of tedious supportive forms of labor proliferated, much as in mainstream industrialized economies. We argue that cybercrime economies in advanced states of growth have begun to create their own tedious, low-fulfillment jobs, becoming less about charismatic transgression and deviant identity, and more about stability and the management and diffusion of risk. Those who take part in them, the research literature suggests, may well be initially attracted by exciting media portrayals of hackers and technological deviance.”

“However, the kinds of work and practices in which they actually become involved are not reflective of the excitement and exploration which characterized early ‘hacker’ communities, but are more similar to low-level work in drug dealing gangs, involving making petty amounts of money for tedious work in the service of aspirations that they may one day be one of the major players. This creates the same conditions of boredom…which are found in mainstream jobs when the reality emerges that these status and financial goals are as blocked in the illicit economy as they are in the regular job market.”

The researchers drew on interviews with people engaged in such enterprises, case studies on ex- or reformed criminal hackers, and from scraping posts by denizens of underground forums and chat channels. They focused on the activity needed to keep various crime services operating efficiently and free from disruption from interlopers, internecine conflict, law enforcement or competitors.

BOOTER BLUES

For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks.

Booter services (a.k.a. “stressers”) — like many other cybercrime-as-a-service offerings — tend to live or die by their reputation for uptime, effectiveness, treating customers fairly, and for quickly responding to inquiries or concerns from users. As a result, these services typically require substantial investment in staff needed for customer support work (through a ticketing system or a realtime chat service) when issues arise with payments or with clueless customers failing to understand how to use the service.

In one interview with a former administrator of a booter service, the proprietor told researchers he quit and went on with a normal life after getting tired of dealing with customers who took for granted all the grunt work needed to keep the service running. From the interview:

“And after doing [it] for almost a year, I lost all motivation, and really didn’t care anymore. So I just left and went on with life. It wasn’t challenging enough at all. Creating a stresser is easy. Providing the power to run it is the tricky part. And when you have to put all your effort, all your attention. When you have to sit in front of a computer screen and scan, filter, then filter again over 30 amps per 4 hours it gets annoying.”

The researchers note that this burnout is an important feature of customer support work, “which is characterized less by a progressive disengagement with a once-interesting activity, and more by the gradual build-up of boredom and disenchantment, once the low ceiling of social and financial capital which can be gained from this work is reached.”

WHINY CUSTOMERS

Running a malware-as-a-service offering also can take its toll on developers, who quickly find themselves overwhelmed with customer support requests and negative feedback when a well-functioning service has intermittent outages.

Indeed, the author of the infamous ZeuS Trojan — a powerful password stealing tool that paved the way for hundreds of millions of dollars stolen from hacked businesses — is reputed to have quit the job and released the source code for the malware (thus spawning an entire industry of malware-as-a-service offerings) mainly to focus his skills on less tedious work than supporting hundreds of customers.

“While they may sound glamorous, providing these cybercrime services require the same levels of boring, routine work as is needed for many non-criminal enterprises, such as system administration, design, maintenance, customer service, patching, bug-fixing, account-keeping, responding to sales queries, and so on,” the report continues.

To some degree, the ZeuS’s author experience may not be the best example, because his desire to get away from supporting hundreds of customers ultimately led to his focusing attention and resources on building a far more sophisticated malware threat — the peer-to-peer based Gameover malware that he leased to a small group of organized crime groups.

Likewise, the cover story in this month’s Wired magazine profiles Marcus Hutchins, who said he “quickly grew bored with his botnets and his hosting service, which he found involved placating a lot of ‘whiny customers.’ So he quit and began to focus on something he enjoyed far more: perfecting his own malware.”

BORING THEM OUT OF BUSINESS

Cambridge’s Clayton and his colleagues argue the last two examples are more the exception than the rule, and that their research points to important policy implications for fighting cybercrime that are often discounted or overlooked: Namely, interventions that focus on the economics of attention and boredom, and on making such work as laborious and boring as possible.

Many cybersecurity experts often remark that taking down domain names and other infrastructure tied to cybercrime businesses amounts to little more than a game of whack-a-mole, because the perpetrators simply move somewhere else to resume their operations. But the Cambridge researchers note that each takedown creates further repetitive, tedious, work for the administrators to set up their sites anew.

“Recent research shows that the booter market is particularly susceptible to interventions targeted at this infrastructural work, which make the jobs of these server managers more boring and more risky,” the researchers note.

The paper takes care to note that its depictions of the ‘boredom’ of the untrained administrative work carried out in the illicit economy should not be taken as impugning the valuable and complex work of legitimate system administrators. “Rather, it is to recognize that this is a different kind of knowledge and set of skills from engineering work, which needs to be taught, learned, and managed differently.”

The authors conclude that refocusing interventions in this way might also be supported by changes to the predominant forms of messaging used by law enforcement and policy professionals around cybercrime:

“If participation within these economies is in fact based in deviant aspiration rather than deviant experience, the currently dominant approaches to messaging, which tend to focus on the dangerous and harmful nature of these behaviors, the high levels of technical skill possessed by cybercrime actors, the large amounts of money made in illicit online economies, and the risk of detection, arrest, and prosecution are potentially counterproductive, only feeding the aspiration which drives this work. Conversely, by emphasizing the tedious, low-skilled, low-paid, and low-status reality of much of this work, messaging could potentially dissuade those involved in deviant online subcultures from making the leap from posting on forums to committing low-level crime.”

“Additionally, diversionary interventions that emphasize the shortage of sysadmin and ‘pen tester’ workers in the legitimate economy (“you could be paid really good money for doing the same things in a proper job”) need to recognize that pathways, motivations, and experiences may be rather more prosaic than might be expected.”

“Conceptualizing cybercrime actors as high-skilled, creative adolescents with a deep love for and understanding of technology may in fact mischaracterize most of the people on whom these markets depend, who are often low-skilled administrators who understand fairly little about the systems they maintain and administer, and whose approach is more akin to the practical knowledge of the maintainer than the systematic knowledge of a software engineer or security researcher. Finding all these bored people appropriate jobs in the legitimate economy may be as much about providing basic training as about parachuting superstars into key positions.”

Further reading: Cybercrime is (often) Boring: Maintaining the Infrastructure of Cybercrime Economies (PDF).

Tags: , , , , , , , , ,

40 comments

  1. The Sunshine State

    I find that in the Facebook hacker groups, that it’s mostly young teenage boys wanting to learn to hack Most are unskilled and have delusional thoughts of being a highly skilled hacker in a couple of weeks.

    From the article “Many cybersecurity experts often remark that taking down domain names and other infrastructure tied to cyber-crime businesses amounts to little more than a game of whack-a-mole” This is what spam fighting pretty much has become in the last 15 years or so.

    I was inspired by “David Lightman “, that didn’t make me into a full fledged hacker breaking into government computers. Nice game of Chess anyone?

    • …malware used to have an algorithm that would connect to thousand of new new domains per hour…creating new domains became a cottage industry among cyber-criminals…

  2. Shout out to Vaibhav Garg and his ground-breaking work on treating this all as traditional crime, and addressing the different modes of crimes:

    Why Cybercrime?
    https://dl.acm.org/doi/pdf/10.1145/2809957.2809962
    How can cybercrime be prevented, decreased and mitigated? Extant
    anti-cybercrime efforts have concentrated on deterrence through
    criminal prosecution and technical mitigation. Deterrence-only
    strategies, however, may be more expensive for the network than
    for attackers” and discusses the role of poverty, income, and employment opportunities.

  3. Missing the big picture!

    One million people join the Internet every day. The majority of the next billion will be from economically struggling regions where people hustle to scratch a living every day and there are almost no opportunities to make money. Half the world makes less $10 a day and over 10% live on less than $2 a day.

    Unfortunately, Cybercrime-as-a-Service will see an explosion over the next few years as people with the greatest needs come online and see the Internet as an opportunity to sustain their family.

    Our discussion about tedium is irrelevant and myopic.
    For many, it will be an avenue for survival.

  4. Comment above this may be the next cyber crisis. very concerned about this over the horizon play out.

  5. I’m not sure “all the boredom you’re used to, but working for a big, faceless corporation, and by the way, taxes!” would be much motivation for a 16 year-old script monkey that can’t even get a real job for a few years.

    I think law enforcement is going to have to take another stab at PR for legitimate jobs.

  6. The people doing the boring jobs are the necessary foot-soldiers. The best and brightest need to be recruited by the NSA and CIA and FBI to protect our nation from cyber-warfare, cyber-terrorism. However, the problem right now is there existed some leadership with very poor and partisan traits that tarnished the reputation of those agencies. If that gets fixed, it would be a great thing for the best and brightest and they wouldn’t be bored at all in those agencies aspiring to work for a noble cause. That is a grand challenge.

    They could also have a dual role of being watch guards in those agencies, such as whistle blower Edward Snowden. The fellow exposed illegal activity that caused laws to be enacted to stop the overreaching government. Keeping our government reigned in from deep state activity is a very exciting and noble profession within a anti-cyber-crime career.

    Summary: there is plenty of excitement in government and military where the best and brightest are sorely needed. If you get old and bored there you can switch to industry for a time and consult or write a book. Overall, a very gratifying and rewarding career.

    What are you all waiting for?

    BTW, another great career for the best and brightest would be an investigative cyber-crime reporter like Brian Krebs. If you read his book “Spam Nation” and think about *his* career, it doesn’t get more exciting (and dangerous). There is room for more like him.. such journalism will inspire more journalism and that will inspire more people to try to help our country. Once you realize how evil lurks out there in huge quantities it’s unimaginable not to want to help — and some of us will become inspirational leaders, some amazing malware hunters, some inspiring journalists, and some, yes, some, will be foot soldiers doing the apparent (but absolutely vital) mundane – that role requires self-motivation and pride in your work. This is doable when one looks within one’s self. We are ultimately responsible for how bored we are, how we turn lemons into lemonade, how meek we are in challenging norms, and how we prod (or rise above) our leadership and management to think out of the box.

    • Most people working offsec for NSA & co are just clicky clicky monkeys following checklists, their jobs are the very definition of boring.

      There’s not a plenty of excitement for cyber operators in government and military. Odds are you’ll end up a foot soldier doing the same extremely mundane work every day.

    • Well said, Harry. Brian Krebs is amazing.

      Don’t forget … learning Russian is imperative for this kind of work.

  7. Elias Gonzalez

    I used to live in a 2 family house with my mom. And the apartment that’s downstairs from where we used live a friend of mine went there cause he know the dude from downstairs and my friend told me that the dude that lives downstairs from where we used to live at has a system that connects to his laptop that he can spy on people wherever they go my friend told me that he caught this dude spying on the government and that he also caught him spying on a 9 yr old boy taking a bath. And that the dude has a lot of hidden government secrets and child pornagraphy on his laptop and system and that he’s also spying on me cause the landlord told him to keep a eye on me. I don’t know why, when my friend saw what he was doing got upset and left and a lot of friends that I know told me that they keep recieving naked pictures of me cause threw out me living there I did my own investigation and this is what I found out about this person. His name it’s not in the mailbox cause of what he’s doing. I called the cops plenty of times to stop him from doing what he’s doing but everytime the cops come to his house they either don’t answer the door and stay quiet until they leave or the dudes father would answer the door and tell them that he doesn’t know English. So the cops always end up living without any investigation or arrest. My friend also told me besides him spying on kids and myself he also spies of the government with the equipment that he has. I need someone help cause if these people are spying on the government they can be dangerous to our country. Someone please help me stop this sicko

  8. I think the law of enforcement was going to had to take another stab at PR for legitimate jobs.great career for the best and brightest.

  9. Ray Antonelli

    It might be boring but it remains highly lucrative. A bazillion dollars is lost every year to these jerks. Boring yes. Then they get out with a pile of cash

    • Lots of money is lost, but how much money do they really make?

    • Billions may be stolen/defrauded/extorted every year, but the majority of the people doing the menial tasks likely don’t make much more than the average minimum wage.

  10. This isn’t surprising, but the TAM/SAM of the booter market just doesn’t seem very high to me.
    Compared to say, ransomware or the big one: ad fraud.

  11. “We had [cons] down to a business.

    ‘Course Chicago was a right town then. The fix was in. The dicks took their end without a beef. All the Wall Street boys wanted to make investments for us. Even had marks looking us up, thinkin’ they could beat the game.

    Yeh, kid, it really stunk.

    No sense in bein’ a grifter if it’s the same as bein’ a citizen.

    — Henry Gondorff, The Sting (1973)

  12. …In particular, the academics focused on botnets and DDoS-for-hire or “booter” services, the maintenance of underground forums, and malware-as-a-service offerings….

    By focusing on the most commoditized and saturated segment of the cybercrime supply chain, the researchers were able to determine the segment is commoditized, oversupplied and thus boring.

    This makes sense because of the obvious difficulties in obtaining data around cybercrime.

    I’d also note the making of the money tends to be less exciting the spending of the money.

    • Excellent point.

      If you look over into the commercial world, finding and retaining the right kind of talent is an ongoing work be it the hero or the foot soldier. With this strategy you might disincentivise the hero-type of employee but not the foot soldier.

      Anyone who can write sophisticated malware will feel the drudge of that kind of work and move on. Anyone who isn’t that smart, motivated or simply financially desperate will sign up and do that job with pleasure.

  13. Thanks for the post!

    Typo in first graph:
    may be a far more effective way combat cybercrime

    Needs a TO in there!
    Thanks for your work!

  14. richard stein

    Systems administration has always been an unexciting, repetitious activity. A largely thankless activity, no one recognizes your existence until an event arises that interferes with users or disrupts the customer experience. That one would become involved with a technologically-driven criminal enterprise suggests a deficit of guidance and poor civil values.

  15. Robert Scroggins

    Based on Bryan’s article, I see some outcomes:

    which one, cybercrime or cybersecurity will get disenchanted first and leave the field to the other?

    If both get disenchanted simultaneously, the result may be that only nation states will remain in the cyber arena!

    Regards,

  16. Rube Goldberg's Razor

    That 3 AM Gestapo knock and ensuing arrest is a thrill, though.

    P.S.: Brian Krebs for Homeland Security chief when our Twitterbomber-in-Chief regains the Oval Office in 2021!

  17. Hmmmmm intresting….

    xKB – KiLLenBordum

    Like anything else if you dont love what you do and there is no passion for the Round Robin then your making it boring go on the offensive…..Be like Dennis R on the rebound counter. B33 like A.I.
    from NewP VA – Ya’ll talking about pratice…..fux that put us grey2grays in the que and watch the point spread change….us
    vs

    .ca .ru –

    Full Stream Ahead damn the Tor – P – Toes

  18. Hi does this also include online trading, that runs in UK, USA, and Australia. They take your identity and as well as your money. Not only that you pay them in USD and they make your statement show it’s in AUD. They also use different websites.

  19. Many moons ago a police sergeant remarked to me that his clientele would make a lot more money if they bothered to take a regular job. The species hasn’t changed much in the intervening years.

    The researchers are on point about public messaging which credibly takes the shine off cyber-crime. An ounce of prevention is better than a pound of cure.

  20. These CybERRR – Punk$

    Seems much like the sims over a broken contruct of RT compared to the GodMode user Ad-HERE to the At0m1c Clk Clack to Tick the Reader enough to throw a double threat

    -Interesting? https://store.steampowered.com/app/1019310/VirtuaVerse/

    ^ No links no Gimmicks chk-DNS bounce it off 8.8.8.8

    I’m just saying excuses are like @$$hOles ….. if you find sitting at a PC reviewing logs, your not doing IT rite…you shouldn’t be sitting you should be standing…so we know that those with insomnia have a greater chance of falling to sleep if try to sleep in another spot they find comfortable….so you move you change up the variables….my brain knows bed=sleep but with insomnia in that basic 1&1 bed-sleep….= insomnia… So sometimes I literally go to my car and lean the bucket seat all the way back have a soffee t-shirt olive green to cover my face i crack the windows throw a ambient looped song ie youtube -> ( Zeldawave or 2 ) both are good, and I fall asleep without even knowing I did…Remember mind over matter, if you dont mind it wont matter literally environment (the bed) is already known very well by your subconcious so you dont need a sleeping pill or melatoine you just need to counter-logic and your brain gets thrown cause you changed the Meta bed=sleep sleep=bed sleep+bed=insomnia

    Get rid of insomnia

    bucketcarseat* will be bcs

    +bcs=sleep sleep=bed= V

    Variable{ change bed to bcs
    [if] }
    insomnia: get-bcs
    $push sleep

    wmic it take control or the controller will not act
    Anyone remember playing Street Fighter 2 Trubo….while the intro banner went across the screen if you could enter the code within that frame you could unlock a feature…..

    What you think I am going 2 tell u what is it or it was….
    ^ . . ^
    ==—–
    \. /
    NOO

    You2tube it yahogoole it….. kill boredum if you are bored at IT you must be boring ez forumla

  21. Mikey Doesn't Like It

    (Disclaimer: this is not meant as a political comment — just a statement of fact.)

    The U.S. decided to create the “Space Force,” supposedly the newest arm of our defenses, to address space warfare. For a “war” that may or may not materialize.

    But nowhere do we see a Cyber Force — a separate government arm to not only combat cybercrime — a war that we’re already deep into. And that could be just as dangerous.

    The Cyber Force could (as the Chinese and others have done) increase recruiting and training a new generation of highly skilled cyber experts that can harden military, government, business and citizens to protect against and hopefully defeat cyber warfare.

    We need to make it more attractive (financially and professionally) and remove some of the costly obstacles many people face if they want to get the education needed. If we need a Cyber Force, we certainly need a Cyber Army.

    • Well, there is this:

      https://en.wikipedia.org/wiki/United_States_Cyber_Command

      BTW, saying “cyber” non-ironically marks one as a tool.

      • And also there’s the “CISA” agency… https://www.cisa.gov/ a government arm, part of Homeland Security. Not too publicized, lots of resources for U.S. companies, but is more blue team than red.

        • Mikey Doesn't Like It

          I’m well aware of both. And there are other agencies, too.

          And that’s the problem: a fragmented series of agencies, each with a little piece of the pie.

          What I’m talking about is one overarching entity that encompasses all the things now being done — minus lots of overlapping and duplication of efforts — and provides a comprehensive strategic plan to elevate our hodge-podge of efforts into a well-oiled machine that accomplishes a lot more than what we now have.

    • …what rock do you live under?…

      …the us gov’t spends literally billions on cyber…most businesses ignore their advice…with the expected result…

      • Mikey Doesn't Like It

        @Security vet:

        Advice is cheap. We still don’t have a cohesive national strategy (read: tangible tactics) for protecting our critical infrastructure from attacks — both cyber and physical.

        We have all sorts of fancy documents and offer tons of advice — much of it redundant. But we’re way past the time when we should have been holding companies’ — and government agencies’ — feet to the fire. Get your ship in order or risk the downside (e.g., withholding government contracts or even penalties for failing security audits).

        It’s great that we have some good security companies out there, to provide some of these very services. For a hefty fee. But as we’ve seen from countless stories that Brian has published here, too many companies are reactive, rather than proactive, in hardening their cyber systems.

        Yes, the government spends billions — across a slew of different (and often redundant) agencies. The result is, for the most part, plenty of advice. But without any teeth. And look where it’s gotten us.

  22. Surely those boring things can be automated/scripted.

    • I was going to say similar, but I was going to point out that things will get very dicey once “cyber” criminals discover AI. God help us if they start wielding that weapon; it will make being a crook easier and easier. However it might not make joining the ill gotten goods with the criminal’s pocket any less difficult; that will continue to be the hard part.

      One thing for sure, it will take out the criminals that don’t adopt it, because they will never be able to compete.

  23. This is true for all types of crime, like good old fashioned robbery and racketeering. Any real life glamour in doing that is probably pretty minimal. But the allure of making a fast and easy buck is probably the biggest motivation for a life of crime.

  24. This all sounds very reminiscent of a chapter from the “Freakonomics” book titled, “Why do drug dealers still live with their moms?”

  25. Yeah, dumb people will focus on the hacking but once you think it through you see there isn’t a good exit strategy.

  26. The article emphasises the low-skill, low-pay that internet crims can expect (I disapprove of the use of the particle “cyber” to refer to anything other than the use of automation using feedback loops).

    Legitimate systems administrators are usually untrained. They mostly learn on the job. It’s usually not their main job – sysadmin is pure cost – their main job is usually software development, or some other revenue-earning trade. They’re usually behind the curve – the crims are ahead of them.

    Don’t become a sysadmin. If things go right, that’s what’s supposed to happen. Nobody will pat your back. If things go wrong, it’s you that’s on the spot, you have to work your butt off, you probably won’t get a complete fix, and even if you do, you still won’t get a pat on the back.

    I think it’s an enjoyable activity; I like fixing things. But a lot of it is “How do I connect my exotic email client?” or “When is the internet coming back?” Supporting mobile devices is a pain in the neck, for me. They’re all so different. I’m glad I was never a professional sysadmin.

    If you want to do this, and you know networks, get trained as a security consultant. They are well-paid, they’re scarce, and if they’re lucky they report directly to the Board.