FBI Cyber Division Describes Criminal Specialization

In any economy of scale role-based activities become standard. Specialists who stand out from others are known as ‘masters of their trade’. In tribal, prehistoric or stone age times, the specializations may have included a flint knapper, someone who makes the stone tips for arrows or spears, so the hunter can go and do their job with more efficiency. Being recognized as a master tradesman or specialist reinforces the tribal member’s importance to the tribal organization and is a driver of excellence.

The more things change the more they stay the same

According to FBI Cyber Division Director Chabinsky’s keynote speech last week the supporting elements of a somewhat clannish and tribal entity such as a cybercrime organization are also specialized and diverse in the 21st century:

  • Here are the ten specializations we see in a typical cyber crime.

  1. First, we have the coders or programmers, who write the malware, exploits, and other tools necessary to commit the crime. Contrary to popular belief, coders are not protected by the First Amendment when they knowingly take part in a criminal enterprise—and they go to jail just like the rest of the enterprise.
  2. Second, we have the distributors or vendors, who trade and sell stolen data, and act as vouchers of the goods provided by the other specialties.
  3. Third, we have the techies, who maintain the criminal infrastructure, including servers, bulletproof ISPs, and encryption; and who often have knowledge of common database languages and SQL servers of course.
  4. Coming in fourth on my list, there are the hackers, who search for and exploit application, system, and network vulnerabilities to gain administrator or payroll access.
  5. Fifth, there are the fraudsters, who create and deploy social engineering schemes, including phishing, spamming, and domain squatting.
  6. Meanwhile, and sixth for those keeping track, there are hosters, who provide “safe” hosting of illicit content servers and sites, often through elaborate botnet and proxy networks.
  7. Seventh, we also have the cashers, who control drop accounts and provide those names and accounts to other criminals for a fee, and who also typically control full rings of our eighth category, money mules.
  8. [Money Mules are eighth and consist of amateurs as well as career criminals who often come stateside on student or work visas to ply their trade. -JET]
  9. Ninth, we have the tellers, who help with transferring and laundering illicit proceeds through digital currency services and between different world currencies.
  10. Finally, logging in at number 10 on the specialty list, there are leaders—many of whom don’t have any technical skills at all. They’re the “people-people.” They choose the targets; choose the people they want to work each role; decide who does what, when, and where; and take care of personnel and payment issues.
  • This specialization has been extremely beneficial to cyber criminals. Rather than having hundreds of people who dabble in all aspects of cyber crime, the cyber underground now consists of subject matter experts that can focus all their time and energy on improving their techniques, their goods, and their services.

Consider also the evolution of cybercrime, or the evolution of the threat as Jeff Debrosse often puts it. To bring this comparison full circle, it seems we’ve moved out of the opportunistic criminal methods used in the late 20th Century and into concentration and specialization not unlike the upper Paleolithic period:

  • Starting at the transition between the Middle to Upper Paleolithic period, some 80,000 to 70,000 years ago, some hunter-gatherers bands began to specialize – concentrating on hunting a smaller selection of (often larger than had previously been hunted) game and gathering a smaller selection of food. This specialization of work also involved creating specialized tools like fishing nets and hooks and bone harpoons.

My thoughts

First, a good part of my criminal investigative background dealt with burglary recovery. Specialization in burglary crews meant people who could drill locks, defeat a burglar alarm system (mostly analog and POTS configured), fence the goods and/or be a ‘handler’ for the inside resource. Everybody else involved were within the circle of trust of either the insider or the leader and mainly did the heavy lifting.

Second, the Director’s statements tell me that cybercriminals employ tradecraft and counterintelligence methods of plain language communication which show a compartmentalized and possibly formally trained background.  There was only one burglary crew I worked which was that airtight and practiced that type of discipline, but the leader knew instantly on contact which resource we had turned and that guy got a nonfatal but life-changing bullet.

Third, a point I didn’t cover here is that I would be more surprised that former intelligence agency staff were not working with these entities than if they were. Whether it was written from first hand experience or from a ‘best practices’ mindset passed down after the fall of the Iron Curtain I can’t discern. Then again there’s always the chance that crime has evolved so that the smart bad guys always do their competitive research but that level of detail originates in the Cold War tradecraft. To quote Al Pacino in the 1990s movie Heat, “At the drop of a hat these guys will rock and roll.”

We’ll be examining each of these criminal roles in more detail throughout the coming weeks and I’ll be interviewing some of the heavy-hitting cybercrime resources here in San Diego for their opinions and related case studies.

Securing Our eCity Contributing Writer

Hat tip to CircleID for the post about the keynote speech.

Author , ESET

Comments are closed.

Follow us

Copyright © 2017 ESET, All Rights Reserved.