The hackers turned pro: A brief history of cybercrime

Author: Ariel Waissbein
Senior Researcher

One can only speculate where the cybercrime market will go. Market efficiency will probably pave the way. And if that happens, a positive result would be a stop in the hacking of assets that underlie no profits.

In this article, we establish that the history of computer security in this century is mainly governed by profit; while providing color into how this evolution has taken place.

With the advent of online shopping and the dot-com bubble, the Internet grew to host brands and commerce, and many (criminal) hackers saw the opportunity that came along with this change. During this time, professionals transformed the petty crimes of ye ole defacements into a growing business with well-defined parties at play.

Despite advances in detection, prevention, and protection, hacking for profit perseveres.

One may recount this history –the history of computer security– perhaps skipping a few chapters, starting from the Morris worm incident 33 years ago, when Robert T. Morris created a worm that infected a significant portion of ARPANET (Internet's predecessor). The worm compromised computers exploiting a bug in sendmail (a mail routing application) or a bug in fingerd (a program allowing ARPANET users to obtain information from other users). Once a computer was compromised, the worm would download its source code, compile for the OS at hand, and finally attempt to infect other computers. Allegedly, Morris created his worm to seize the network and not to cause damage.

There followed firewalls that would have prevented the damage done by Morris's work and a few years of attacks that targeted unsecured servers. Defacement, denial of service, and data theft were preferred back then. At this time, incidents were more scattered and typically caused more harm and losses to the victims than returns to the attackers. Eventually, servers were sufficiently secured, and other targets became the weaker links.

The days of fun and profit transformed into profit and more profit.

At the start of the century, the weakest links were desktops, and then it was the time of client-side exploits (e.g., like Melisa or I-love-you viri). It was then, roughly, that exploits became commodities, e.g., an exploit against the new Windows 7 was cashing for at least USD10,000. Not only were exploit writers (i.e., people who write robust and reusable exploit code) professionalized, but other occupations also became profitable. Credit card theft was on the rise, which perhaps had its zenith in Albert Gonzalez's great cyberheist. There were hackers obtaining credit card information and selling it, buyers centralizing and validating this information, others buying this information and printing the credit cards and using them (or using them over the Internet), etc. By then, one could make a living from these activities.

Parties then realized there was profit to be made; fun, espionage, hacktivism, and even state-sponsored hacking became a smaller portion of the computer security incidents every year.

With desktops falling by the thousands, botnets became functional to a new business model that grew from the early 2000s onto the second decade of this century. In this new business model, botnets were used as a source of spam to execute distributed denial of service attacks (DDOS) to extort companies. The spam services were sold to advertisers along with others. Again, numerous occupational opportunities were created by this new venture: exploit writers provided the exploit code, somebody else a payload that would sit undetected in the computers taking part of the botnet and obey orders, somebody else provided the command and control software, others assembled all this and provided the spam service, or the DDOS service, etc.

We also do not forget about espionage (e.g., the trans-siberian oil pipeline explosion or Hillary Clinton's presidential campaign email hack), assistance in money laundering and services to the mafia, and cyberterrorism. These have been active and employing a small number of experts for decades. Similarly, the growth of cryptocurrencies and DApps has made DApps and their users the targets of attacks that yield hundreds of millions of dollars–although these keep occupied a small yet growing number of people.

For the last ten years, ransomware (e.g., CryptoLocker, WannaCry) has been the preferred way for hackers to monetize; and the inception of Bitcoin and other cryptocurrencies has bumped this up significantly. New opportunities originated thus, including the sale of (control over) isolated desktops or mobile devices, people handling communications with the victims, support service for the paying victim, etc. Meaning that these workers are doing office hours! Even hacking tools are being sold and advertised on the dark web, where stolen data can be bought and money laundering can be procured. In the days of clouds, there is even a ransomware as a service offering where clients get access to a ransomware package that is maintained and updated with the pay-as-you-use pricing model.

Moreover, carefully set workflows and management are used to make these criminals' businesses efficient and profitable. If we note that the computer security market grew to USD 153.16 billion in 2020, then it is unquestionable that a comparably valuable and well-organized industry sits on the other side.

In closing, we want to say a few words on the future of cybercrime. One can only speculate where the cybercrime market will go. Market efficiency will probably pave the way. And if that happens, a positive result would be a stop in the hacking of assets that underlie no profits.

It's uncertain if cryptocurrencies will continue to be the preferred currency for extortion schemes (ransomware or other). Banning companies from paying ransomware with cryptocurrencies has been proposed, but it is unlikely to stop the trend. Cryptos will likely continue to be used until there is a better option.

Cybercrime is also sure to evolve by including technology to circumvent modern defenses. So perhaps now, as artificial intelligence and machine learning are used to piece together logs to trigger alarms, we will see data scientists employed in the cybercrime market. Specialization shall continue to grow as the market pushes for efficiency and role definitions are polished and standardized.

I see no other way of closing this post but with the quote from Hunter S. Thompson that inspired its title: "When the going gets weird, the weird turn pro."

Contact us