Organized crime is nothing new. Mob gangsters and mafia families have been romanticized as the stuff of legend since the days of Prohibition. Just as the Internet has transformed the way we access information, shop, interact with each other, and conduct business, it has also completely altered the world of organized crime.
Crime is no longer confined to traditional brick and mortars--it’s all online. While the information and payout criminals are looking to attain are a bit different than in decades past, these are still thugs and true criminals. Now, however, they have the shield and anonymity of the Internet to hide behind.
It took a while for organized crime to adapt to cybercrime. I suppose it was a generational issue just as adoption of the Internet and cutting edge technologies are for the rest of society. Entrenched crime bosses probably shunned the Internet in favor of the proven business model they had used for decades. As younger criminals elevated through the ranks to take command, though, they saw the potential for crime on a massive scale with significantly less risk of arrest or physical harm.
It’s also possible that organized crime online is more or less organic—a logical evolution of Internet crime as cybercriminals band together to pool resources. The reality is probably somewhere in the middle—a combination of grassroots cybercrime organizations and traditional mafia operations transforming to embrace the Internet.
Evolution of Organized Cybercrime
J.J. Thompson, CEO of Rook Security, provided a description of what we generally perceive as organized crime. “’Mafia’ is typically defined as a hierarchically-structured secret organization allegedly engaged in smuggling, racketeering, trafficking in narcotics, and other criminal activities. Add in intimidation and proof of power through “enforcement”, and it reaches the levels we have become familiar with on television and in movies.”
The basic concept of the mafia has evolved to take advantage of the Internet. “History serves as a great teacher of how organized crime develops and ways criminals are able to locate their desired assets. In today’s world, the Internet creates a new playground for thieves,” explained Kevin Hickey, President and CEO of BeyondTrust. “They have exchanged explosives and guns for vulnerabilities and exploits. They have changed ski masks for the anonymity of the internet and are able to resell precious data in the dark and deep perils of the web. No matter their means of thievery, criminals have the same desired outcome in mind.”
Regardless of its origins, there’s a reason that crime naturally becomes organized to some extent. “Criminals form supply chain relationships just like businesses,” said Bethany Mayer, President and CEO of Ixia. “The person skilled at stealing data is not always as skilled at turning data into money. Professional criminal networks tend to form as a result to handle the ‘logistics’ and soon hierarchies are formed.”
Craig Hinkley, CEO of WhiteHat Security, talked about the basic approach of the traditional mafia and how they would target the smallest and weakest businesses in the community to extort money. When mafia enforcers encountered a business capable of defending itself and standing up to the demands they would move on. They might make an example of a defiant business just to prove a point, but the mafia understood the value-effort-reward-risk profile of the businesses they were targeting.
Hinkley suggests that Web applications are the modern-day equivalent of the low-hanging fruit that organized crime likes to go after. “It is natural that hackers would focus on the Web application security areas of the community to target, just as a mafia would send its members out into the community to find “easy pickings” businesses and milk them for all they could.”
Ransomware and many DDoS attacks are very reminiscent of the “protection money” mafias traditionally demand. Chris Drake, founder and CEO of Armor, talked about the impact of data breaches on the average person and how having financial or healthcare data compromised is a concern—but one we’ve become somewhat numb to as a society. “However, the Ashley Madison hack changed the game because it made hacking personal. Once the private details of your life are at stake, you’re much more willing to do whatever a hacker wants—even if it means paying a ransom to keep your secrets safe.”
Defending Against the Modern-Day Mafia
“Businesses affected by the Mafia couldn’t afford to hire enough muscle to protect themselves, much like modern companies can’t hire enough Web application security talent to protect themselves,” stated WhiteHat Security’s Hinkley. “The Mafia often had dirty cops on the payroll, analogous to the hacker organizations of today, which are often funded or even run by official agencies and governments—so you can’t turn to the official agencies for help.”
Hinkley believes that companies today need to have access to their own private security force. They need the ability to identify, assign risk ratings to, and remediate website vulnerabilities to make it harder for hackers to extract valuable information for extortion or blackmail. In essence, if businesses make it too hard for the “mafia” hacker of today to shakedown high-value websites, they’ll head elsewhere.
The online criminal syndicates are very similar to traditional mafias in terms of capabilities, and logistics with one big exception: organization. Cybercrime is organized to an extent, but it doesn’t usually have the central leadership or defined boundaries of operation. The central leadership and hierarchy of traditional mafia families helped law enforcement bring many of those organizations down. Without that structure in place law enforcement’s job is significantly more challenging when dealing with organized cybercrime.
BeyondTrust’s Hickey suggests that the short-term solution is to try to force the market to centralize. “It might seem counter-intuitive, but if you take down the smaller players, others similar in size will seek the protection and resources of the larger cybercriminal organizations. Once that consolidation begins, governments and law enforcement can bring to bear the full weight of their resources to combat the biggest ‘families’.”
Hickey summed up, “When crime families organized they did so to pool resources. The same thing could happen to cybercriminals—and that's our opportunity.”
