August 7, 2020

Cybercrime: The Road to Market (II) Criminal Bend of Mind

Expect the unexpected as you witness the cyber dystopia unfurl through the very eyes of the cybercriminals. On this jamais vu journey, you will realize how faulty your online security assumptions have been.

TYPE #1 [HACKER]

Hi guys, I am a hacker, and today, I want to tell you my story.

I know that simply by reading the above line, you have formed a stereotypical image of me in your mind. You must be imagining that the author of this piece is someone who looks like this:

Man sitting in front of laptop against a dark background
Hackathon? Anyone?

A nerdy geek dude with a hood, excellent at programming, with lots of knowledge of the internet occupying a basement near you? Right? Those of you with better imagination might want to imagine me with a refrigerator full of beer, a computer table equipped with stands for nachos and cold drinks and a high-end hardware powered machine. Right?

Now while all that might have been true less than a decade ago, unfortunately it is not like that today. Things have evolved rapidly ever since. For instance, this is how I look:

Man walking in front of office building while holding black coat
Hacker? Nah! A Reputed IT Professional

Puzzled? Yes, I look exactly like you, your friend, or any other office-going professional around the world.

And I don’t operate out of a basement either, anymore. I have an office and a cubicle just like you do. In fact, it might be an office next to yours. You might even have passed me by someday.

Things have changed drastically, haven't they?

Now you must be wondering how and why so?

If I am so fond of operating out of a regular office, have been attending a regular office, and have the technical know-how, then why don’t I avail myself of a regular job the way the rest of you do?

office table top with assorted laptops, headphones, external hard disks and other office ware
My Desktop: So similar to yours. See no beer, just coffee

There are reasons for that:

One is - I was born in a poor country with a highly limited IT Industry and Infrastructure. Jobs worthy enough of providing a platform for talent are limited, scarce to be precise. Sources, recommendations and bribery are given precedence over capability.

Second is - Educational opportunities being pretty limited and restricted, I was never able to attend a university for a formal degree, thus limiting my chances at a proper job. For all my skill, you can say that I was earmarked for petty thievery or swindling.

Third is - I, being strong with logic and good with programming, can easily do things like this. Despite my conditions, I have always nurtured that "learner" within me; he learned from every free/affordable source that was available.

Lastly - IT PAYS OFF WELL. That’s pretty much the reason why you find yourself employed. I can typically expect anywhere between $50,000 and $150,000 a year, depending upon seniority, experience, consignments at hand and other similar factors, as against the American IT Industry average of $40,000 to $130,000.

Moreover, we can expect promotions far quicker than you do.

HOW TO STOP US? Well, don't even TRY! Wanna Join? I know you must have been tempted too.

Remember: “The Blossom falls, even though we like it, and the weed grows, even though we don’t like it.”

TYPE #2 [MALWARE MARKETER]

"W... What happened?" I asked, still wondering what could have happened, since it is not every day that I am greeted by my wife’s frosty look at the door.

“Paul McMillian,” comes the reply, the tone stern, “we need to talk.”

“B... But what happened?” I try again, this time considerably less confident than the last.

“What happened is exactly what you need to explain to me!” she retorts, still furious.

“I was visited by the feds today.”

beautiful woman with a frosty, angry and irritated look
A Frosty Greet!

The feds? Wasn't their piece sent over to them? Why in the world would they want to create new problems when everything is going down well and everyone is happy? I wondered. However, right now it was the moment of truth for me.

“Paul! You are a goddamn Business Development Executive! A true gentleman- as harmless and innocent as anybody else. Why are the feds after you? Have you been lying to me?” She began.

“No, I don't lie! And I hate liars.”

“After what happened, you might be tempted to think that I have been lying to you all this while, but that is not so!”

Yes, I am a BDE. I get along easily and have so many friends around the place. I have everything a person could ever want and am just the next usual American corporate salaryman around.

smiling man in black formals standing between brown concrete buildings at daytime
True happiness comes with a successful business deal

But it's just the detailed nature of my employment which involves such risks. I am a Business Development Executive, but I work for an underground cybercrime organization. That, however, doesn’t imply that my day-to-day operations are any different. I do exactly what a usual BDE does, and that involves:

  • Looking up potential clients and establishing contact with them.
  • Pitching my product.
  • Finalizing the deal.

The problem doesn't lie with the nature of my work; the problem lies with my product. Yes, I sell malware. Malware that can completely compromise your system and every other machine unlucky enough to be on the same network.

I sell services too: hacking, phishing, DDoS, scripting. Anything you want done to eliminate competition, steal their technology, blackmail them into submission or bring their website to its knees, simply contact me.

My salary is 4 times that of a usual BDE, while converting a client is 3 times easier in comparison. Most of the time, it's the customers who contact me, instead of me taking pains.

One thing that plagues my life is the fact that nobody makes direct contact with a hacker- it has to be through me. This puts a tremendous risk on my person as I am highly likely to get apprehended by law enforcement.

“And that is exactly what happened today, right?”

Right, but do you know what's better? My organization- though a Cybercrime Syndicate- has all my legal expenses covered. Let me show you, give me 5 minutes- one little call . . .

Man in black formals looking at his wrist watch
5 minutes, that's it!

“Yes, David, some feds visited my home today, while I was away. Yes, my wife had a word with them. No, I wasn’t there. No, I don't believe they have picked up any dirt on me. Yeah, Sure, man! Thanks!”

“They won’t be troubling us anytime soon. I’ve had the word. These feds were fresh transfers and have little idea of how things operate here in the valley. I'll be making myself some coffee, wanna join?”

TYPE #3 [PIGGYBACKER]

Let me begin by asking you a simple question- “How do you define the term- Internet? What exactly comes to your mind when someone uses it?”

Yes, while you must have come across definitions such as the internet being a network of interconnected devices and their connecting points, or maybe a mesh of connections knitting the planet together, I’d abruptly say: “NO!”

And No, I’d argue again: “The Internet to me is an open trove of immeasurable treasure!”

Treasure? . . . . Trove? . . . . How? . . . . Where? . . . .

But, mind you, this trove, like the ones containing Spanish gold that were hidden across the Caribbean by good Ol’ Queen Anne’s Era Pirates, requires cleverness, hard work and persistence if it is ever to be retrieved.

Man in pirate dress brandishing a sword at the reader
Captain Flint? No, just a lookalike.

Enough of imagery, coming to serious business- how?

So, first things first, allow me to introduce myself. I am a Piggybacker- a cybercriminal. Although I'm not too good at coding, I am an integral part of the cybercrime ring. I own and rock the industry in my own special way.

So what exactly do I do? Well, as I said I hunt for treasure. The treasure is real, the stakes are high and the process is complicated. Allow me to break it down into steps for ye.

The first step is tracking down the target. Although we have a whole checklist for determining who qualifies as a target and who doesn’t, this particular step generally involves extensive use of Social Media for online stalking of the target. This step is frustrating and time-consuming at times, but it is crucial.

Desktop monitor with a wallpaper of a man looking through binoculars, a depiction of social stalking
Social Stalking

Once we have the target on radar, the stalking operations are stepped up. That is, we regularly comb through the target’s Social Media Posts, Channels, Reddits, Hobbies, Interests and any other data available online. The motive is to obtain a clearer idea of the target’s hobbies/interests/weaknesses/vulnerabilities that can be exploited.

It is quite a possibility that a failure at either of these steps might lead you back to square one, but you see, like anywhere else, persistence is the key.

Once I have enough information on the target’s patterns, the bait is prepared. Just like Don Vito Corleone from Godfather: “I'm going to make him an offer he can't refuse.”

A Monochrome image of Don Vito Corleone's face from Godfather
Don Vito Corleone

Since I know the target’s wants, fears, prejudices and dispositions, I can easily get him/her to click on the link that I want. The link that would fire the malware and cause it to wreck his machine/network. While I have a large number and variety of malware at my disposal, Ransomware is my personal favorite. The sneaky Trojan-based malware spreads behind the victim's back and takes control of all aspects of the target machine. The next time the victim boots up, he will be greeted by an “encrypted” (locked down) system.

As you might already have guessed, the key to unlock is with me. Now the victim has two choices: one is to forfeit his/her entire data, personal plus professional; the other is to pay me for the key. I call it a “donation” or “protection money” rather than ransom, as the latter sounds too “criminal”.

Needless to say, all transactions are carried out in cryptocurrency. After the “donation” has been received, I generally invest 40% of the proceeds back into the very cybercrime organization I bought the Ransomware from, allowing them to hire more/better hackers, purchase better hardware and upskill their current workforce.

This completes the chain and as I said, I am an intrinsic part of the system. Cheers!