Profiling cybercriminals: A promising but immature science

The original hacker stereotype is a smart, lonely deviant - a teenage or adult male who's long on computer smarts but short on social skills. But like most stereotypes, it doesn't begin to tell the whole story.

Some computer criminals are techie mavericks who take pleasure in writing and releasing destructive viruses. Others are suit-wearing professionals who steal copies of their employers' customer databases to take with them when they quit. Some are con artists with plans to scam personal information from consumers and use it for financial gain.


Experts agree knowing more about the different skills, personality traits and methods of operation of computer criminals could help the folks pursuing these criminals. But a lack of information hinders efforts to create substantive, reliable profiles of the people behind today's computer crimes.

"Like in traditional crimes, it's important to try to understand what motivates these people to get involved in computer crimes in the first place, how they choose their targets and what keeps them in this deviant behavior after the first initial thrill," says Marcus Rogers, an associate professor at Purdue University in West Lafayette, Ind., where he heads cyberforensics research in the university's department of computer technology.

Rogers' expertise spans technology and behavioral sciences. He has identified eight types of cybercriminals, ranging from "newbies" with limited programming skills who rely on pre-written scripts to conduct their attacks, to well-trained professional criminals and cyberterrorists with state-of-the-art gear (see the taxonomy below).

In addition to skill, these criminals differ in their motivations. Some computer criminals are motivated by status or money, others by revenge, says Rogers, who worked as a detective in a computer crimes unit in Canada and earned his doctorate in forensic psychology at the University of Manitoba.

"The kid who's running pre-written scripts, his motivation is not to collapse the American economy. He's usually driven by experimentation, looking for a thrill. It's like cyberjoyriding." Whereas for a professional criminal, the motivation is income, Rogers says. "He doesn't want to brag or be all over the press. He wants to be very quiet and fly under the radar as long as possible."

One man's hacker taxonomy

Marcus Rogers has identified eight types of cyber-criminals, distinguished by their skill levels and motivations. Rogers is an associate professor at Purdue University in West Lafayette, Ind., where he heads cyberforensics research in the university's department of computer technology.

Newbies
  Limited computer and programming skills.
  Rely on toolkits to conduct their attacks.
  Can cause extensive damage to systems since they don't understand how the attack works.

Cyber-punks
  Looking for media attention.
  Capable of writing their own software.
  Have an understanding of the systems they are attacking.
  Many are engaged in credit card number theft and telecommunications fraud.
  Have a tendency to brag about their exploits.

Internals
  a) Disgruntled employees or ex-employees
    May be involved in technology-related jobs.
    Aided by privileges they have or had been assigned as part of their job function.
    Pose largest security problem.
  b) Petty thieves
    Include employees, contractors, consultants.
    Computer literate.
    Opportunistic: take advantage of poor internal security.
    Motivated by greed or necessity to pay off other habits, such as drugs or gambling.

Coders
  Act as mentors to the newbies. Write the scripts and automated tools that others use.
  Motivated by a sense of power and prestige.
  Dangerous: have hidden agendas, use Trojan horses.

Old guard hackers
  Appear to have no criminal intent.
  Alarming disrespect for personal property.
  Appear to be interested in the intellectual endeavor.

Professional criminals
  Specialize in corporate espionage.
  Guns for hire.
  Highly motivated, highly trained, have access to state-of-the-art gear.

Information warriors/cyber-terrorists
  Increase in activity since the fall of many Eastern Bloc intelligence
  Well funded.
  Mix political rhetoric with criminal activity.

Political activist
  Possible emerging category.
  Engage in hacktivism.

Companies aren't going to solve computer security issues just by throwing technology at the problem, agrees Steven Branigan, president of security company CyanLine and author of High-Tech Crimes Revealed: Cyberwar Stories from the Digital Front. "It's about understanding where the risks are and understanding how people behave," he says.

Hackers are motivated to do what they do for different reasons, such as money, ego, revenge and curiosity, says Branigan, a founding member of the New York Electronic Crimes Task Force. "My experience has been that those who get into computers first, and then start hacking, are more motivated by curiosity," he says. "Those who have criminal tendencies to begin with, when they learn about using computers, they then figure out how to apply that to their trade."

Some wind up being more destructive than others. Script kiddies aren't generally driven to be destructive, but they'll take advantage of some weakness that exists in an operating system, Branigan says. Cybercriminals looking to make money aren't bent on being destructive either, he says. "[Like] any parasite, they don't want to kill the host."

"The people I've found to be the most dangerous are the ones seeking revenge," Branigan says.

Insider criminals - those who go after things like customer and supplier databases, business pipeline information, future product prototypes and strategic business plans - are particularly good at exploiting companies' vulnerabilities. "They have the most access, they know how systems work, and they really know where to hit you," Branigan says.

Of course, not all experts view the hacker nation through the same discriminating lens. For Patrick Gray, there's really only one driver that matters today: Money.

Motivations have changed dramatically in the last decade, says Gray, who is director of X-Force operations at Internet Security Systems (ISS). X-Force is the R&D division of ISS, responsible for vulnerability and threat research.

"We've gone from five or 10 years ago, where hackers were dabbling in other people's systems to see how they were configured and really not doing anything wrong in those systems, to now where it's become incredibly malicious. We've come a full 180 degrees."

Instead of being driven by curiosity, hackers today are driven by money. "They're trying to get anything of value that they can market," Gray says. "The stereotypical image of the lone hacker sitting up in a loft somewhere, eating Ding Dongs, drinking Jolt cola until it comes out of his ears, and just hacking away, is gone."

The hard part

Digging into the parallels that exist between crimes committed in the physical and electronic worlds could unlock some of the mystery of who's behind the computer crimes.

Rogers and others like him want to see traditional criminal profiling adapted for use in computer forensic investigations. "It's about looking at the computer and the Internet as an electronic crime scene, and looking for indicators of signature behaviors and MOs that allow us to paint a picture of the individual who's responsible," Rogers says. "We can do a fairly good job of this in the physical world - can we do a fairly good job in the electronic world?"

The next step is to take that understanding and use it in practical ways, such as to harden systems and improve investigation techniques.

But what's missing is sound data. People have spent a lot of time developing theories, but there isn't a lot of solid information, Rogers says. "We really have to . . . study it with scientific rigor."

Branigan agrees. "Ultimately, right now we don't have enough information to make that really good profile," he says. "We're at the anecdotal stage, where we've collected some information, but I don't think we have enough."

One obstacle is victims' reluctance to report computer crimes.

"My biggest gripe is that we don't share information very well," Gray says. "The hacking community shares info with each other all the time. If a hacker is having a problem accessing a router, or getting through a firewall, he'll throw it on the table, into the channels, looking for help. People are more than willing to help him complete the hack."

The same type of information sharing doesn't happen among businesses, Gray says. "Until we recognize the need to share information with one another, we're going to continually be reacting to the whims of this hacking community," he says.

Extortion, in particular, goes unreported, says Marty Lindner, a senior member of technical staff at the CERT Coordination Center at Carnegie Mellon University. "That's very hard to document, very hard to prove. Most companies won't talk about that," he says.

But experts agree it's on the rise. Organized criminals in areas such as Eastern Europe are increasingly penetrating businesses' systems and threatening to release sensitive corporate data if they aren't paid money, Gray says. They're also launching denial-of-service (DoS) attacks to interrupt companies' electronic business operations. "Then they say, 'We'll stop this DoS attack on your company and let you back on the Internet if you pay me.'"

From conversations with law enforcement, Gray estimates only about 10% of online extortions are being reported.

Hoping to reverse the trend of unreported computer attacks, CERT offers a venue for companies to talk without being identified publicly. Companies understand they can talk to CERT without worrying what they say will be attributed to their companies, Lindner says. "We can take that info, make it non-attributional and then push it out to others so that they know what to look for now."

When companies don't report crimes, they miss an opportunity to potentially protect the criminals' next targets. "I've seen cases where three or four companies - all of a similar kind - have been attacked in the exact same way," Lindner says. "But none of them was willing to tell the others about the style of the attack. If they had, the first guy would have been hit, but the other guys might have had a better chance."

In today's world, the number of computer criminals successfully captured and prosecuted is embarrassingly low, says Gary Jackson, founder and CEO of Psynapse Technologies. A spinoff of the American Institutes for Research, Psynapse makes intrusion-protection products that are designed to respond to the behavior of attackers - even anticipate the actions of site visitors by assessing their intent.

"Very few cases actually come to trial. I've seen estimates as low as one out of 300 or 400 actually get caught," Jackson says. That's one reason more traditional criminals are getting into computer crimes. "There aren't the penalties. If you get caught, more often than not it's a misdemeanor," he says.

Plus the small percentage of computer crimes that do get attention tend to be those perpetrated by less-skilled deviants, which doesn't do much to shed light on the highly skilled and more dangerous criminals operating in the world.

"I'm not really worried about the kid sitting in his basement running the latest SQL Slammer attack," Rogers says. "I'm concerned about organized crime. I'm concerned about its use in white-collar crime and in the dark side of information warfare - that being the ability to launch terrorist attacks. But the groups that we unfortunately only tend to see are at the real low end of the skill spectrum."

Looking ahead

Changing that scenario is going to require a concerted effort to collect and share data about the types of computer crimes being committed and the people doing it. But it won't be easy.

"Trying to obtain enough data that we can start making enough meaningful comparisons is not an overnight effort," Rogers says. "Collecting good data is important, and it has to be done worldwide."

In the past, global roadblocks have contributed to hackers' veils of anonymity, Rogers says. "There are issues with jurisdiction, issues with extradition. Computer criminals can throw up a lot of smokescreens between themselves and their victims, and the authorities on the other end."

Fortunately that's starting to change. There's some momentum behind international movements to harmonize computer crime statutes, Rogers says.

And those pursuing the bad guys are getting better at what they do. "Law enforcement is a lot more technically savvy than the public and underground community give them credit for," Rogers says.

Vigilance is a must. "What we've learned as professionals is that we can never, ever underestimate the creativity out there," Jackson says. "A lot of hackers tend to be very bright, very focused. They might have a string of college degrees behind them, and they might be as good as the people protecting the systems," he says.

Senior Editor Phil Hochmuth contributed to this story.
