When reporting on criminal hackers, pictures of hoodies and glowing green light are not far. However, romanticized clichés about the exciting underground business of brilliant criminals who fool investigators usually have little to do with reality. A team of researchers at the Cambridge Cybercrime Center try in their publication “Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies”, to present a more realistic picture of the business with botnets, DDoS attacks and other forms of computer crime.
They analyzed which tasks are required in the cybercrime-as-a-service market. To do this, they evaluated forums and chats in which knowledge about tools was exchanged, services were offered and people working in the DDoS business were interviewed.
They come to the conclusion that the media image of cyber crime is characterized by a few cases in which brilliant individuals have received too much money. In reality, cyber crime is a mass business, “with boring, tedious maintenance and infrastructure work that is outsourced to poorly paid contractors”. For most, their activity is like an ordinary office job.
Much of the infrastructure work that keeps cybercrime businesses going is about supporting customers, answering forum posts, and providing usability and stability. On the other hand, they work to ensure that they are repeatedly banned from platforms that they use, for example, for communication and payment processing.
In an interview, a respondent who offers DDoS infrastructure said that he had lost motivation after almost a year: “It wasn’t challenging at all.” It was easy to build the tools, but annoying to operate.
Spectacular press releases don’t help anyone
The blog KrebsOnSecurity Richard Clayton, co-author of the paper said: “The way everyone looks at cybercrime is that they are all interested in rock stars and all the exciting things. The message conveyed is that cybercrime is lucrative and exciting. For most of those involved, this is absolutely not the case.” Law enforcement agencies would not do anyone a favor if they used press releases to inflate their investigative efforts against advanced offenders.
The bottom line is that it is also about showing those involved in cybercrime that there are “more socially useful, well-paid and far more exciting things” to do with computers than their current job as dissident system administrator or underground microslave .