www.counter-fraud.com

August/September 2015

Online, invisible and criminal

Adaptability is the mark of humankind and nowhere more marked than in criminal behaviour evolving to and in an online world where restraints are more likely to be imposed by peers than traditional, real-world forces of law and order. Monty Raphael QC, Celia Marr and Kate Parker of Peters & Peters reboot thinking on cybercriminal motivations and profiles.

The Metropolitan Police Service’s 2015 report on online theft and fraud concludes that law enforcement agencies “do not know enough about those committing online crime”. [1] The US has the same problem: “we don’t have enough information to make that really good profile [on cybercriminals]. We’re at that anecdotal stage where we’ve collected some information, but I don’t think we have enough,” says Steve Branigan, founding member of the New York Electronic Crimes Task Force. [2]

An apparently lawless world of opportunity

There are many reasons why information on cybercriminals is scarce: only 11% of cyber-crimes are ever reported, and for those charged conviction rates are extremely low. [3] Indeed, part of the lure of cybercrime lies in its anonymity compared to “real world” crime. Data can be encrypted and digital footprints wiped. Added to this is the perception that policing of cyberspace is weak. According to one “old style” criminal turned cybercriminal: “no-one really seems to be on top of it. And to be honest [sic] [it] seems to be pretty much risk-free”. [4] Another reports, “it’s a known fact that people who commit cybercrime are hard to track down. There is less risk hacking a bank than walking in with a gun and robbing it”, a perception which applies to white collar crime more generally. [5] As a result, the social profile of cybercriminals is diversifying, as increasing numbers of people are attracted to the perceived lawlessness of cyberspace. Whilst their goals may be vastly dissimilar (overthrowing governments, defrauding civilians, political activism, etc) they are united by their use of cyberspace as their method of achieving them. This shared attraction is worthy of further attention. Viewing any crime from a criminological perspective may help understand why it has been committed, and how it can be prevented. In the words of Professor Marcus Rogers, cyberforensics researcher at Purdue University: “it’s about looking at the computer and the internet as an electronic crime scene, and looking for indicators of signature behaviours […] that allow us to paint a picture of the individual who’s responsible”. [6] It must be borne in mind, however, that a century or more of criminological study has still not led to the discovery of reliable predictive factors.

New weapons for veterans

Cybercriminals divide into two categories: those with a criminal record (Category One), and first time offenders (Category Two). Recent research [7] suggests that 60% of cybercriminals fall into the former category: “those who have criminal tendencies to begin with […] then learn about using computers [and] figure out how to apply [them] to their trade”. [8] For committed criminals, cybercrime is perceived as ‘low-risk, high reward’ without requiring sophisticated computer literacy. [9] YouTube channels and online forums offer guidance on how to initiate hacking and Distributed Denial of Service (DDOS) attacks: the recent Police and Crime Committee report concludes that extending criminal activity into cyberspace requires “no more skill than to be able to log on”. [10] However, young people are digital natives. It is likely that, in future, those with criminal impulses will be more inclined to turn to cybercrime earlier as their technological skills become sophisticated at a younger age and they feel instinctively comfortable within an online space. Keith Bristow, head of the National Crime Agency, predicts that the next generation of criminals will operate more or less exclusively online rather than “smashing windows and grabbing television sets”. [11] No doubt this transition will present
a serious and growing challenge to law enforcement agencies as the skills and expertise of the young continue to outstrip our policing capacity. Resources will need to be enhanced and redistributed. The current police tactic of targeting “potential young cybercriminals with home visits [and] letters to parents” is unlikely to sufficiently counter the threat. [12]

Young guns

The second category of cybercriminals arrive at the computer before they arrive at the crime. Again, reports show that these perpetrators subdivide into two categories: those with a dishonest intent to pursue an ill-gotten - often monetary - gain, and those who, in the experience of Branigan, “get into computers first and […] start hacking [through] curiosity”. [13] Former Lulzsec hacker Ryan Ackroyd describes his trajectory: “I wanted to learn how computers worked. Then it snowballed out of control. It started with cheating in online games […] The next thing I know I’m breaking into services. It’s addictive”. [14] According to the Deputy Mayor for Policing and Crime, there are 28 organised cybercriminal groups in London who “specialise” in “banking and credit card fraud, account takeover, phishing, identity theft and payment card crime”, all of which are “traditional” crimes within an online space. [15] The second subgroup are more interesting, and are broadly defined by their thirst for recognition (if not actual identification) and their disassociation from traditional criminality.

Whilst the success of the committed cybercriminal lies in their ability to fly under the radar (the widely publicised JPMorgan hack was enabled by that lay undetected in the bank’s computer system for months, gradually harvesting the data of 76 million clients), hacks that are ethically or politically motivated are often measured by the publicity they attract. [16] Hacks, like terrorist attacks, are “claimed” by particular “hactivist” groups in order to further their cause. Hactivism is championed by its perpetrators as a disrupting force against existing power structures: “for the young and disillusioned, it’s an effective way to lash out at the system, be it video game companies employing unpopular business models, or governments that teenagers feel powerless to [influence] in any other way”. [17]

It’s not (always) about money

But for every political hack, there are those who hack for the intellectual challenge alone or simply “because they can”. [18] In 2011, 26-year old Glenn Mangham infiltrated Facebook from his parents’ home. His motivation was not financial but intellectual, and his “achievement” was recognised by Facebook, who have reportedly offered him employment once his prison sentence is served. [19] Similarly, the infamous Spamhaus attack, credited with nearly breaking the internet in its scope and intensity, was attributed to a 16-year old schoolboy. [20] There was no tangible reward for this crime: no money was earned nor data harvested (a currency as valuable as money on the internet). of this school flex their digital muscles simply to see the global impact they make.

Twisted ethics

A third type of , perhaps not gifted with the intelligence of the Manghams of this world, hacks “for the lulz”. [21] Derp, a hack-to-order group, operates within this category. In the words of a Derp hacker interviewed by The Guardian: “we like to target games companies because game players have a strong reaction. But mostly, we do it because it’s fun”. [22] Derp hacks are not particularly sophisticated: it responds to internet users who have “call[ed] or text[ed] a request” (according to its Twitter page), and proceeds to execute a DDOS attack against the proposed victim until their social media account/website/gaming platform drops offline at significant reputational and/or financial cost. [23] In the words of journalist Simon Parkin, “it is the electronic equivalent of graffiti with a vaguely anti-establishment theme”. [24] Derp recently hit headlines for targeting online games presenter James Varga: every time he live-streamed a video of himself playing an online game, the gaming platform would be attacked by Derp and eventually crash. Media-savvy Varga recognised the publicity potential: he made a deal with Derp that if he lost the game, it would publicly crash the site, but if he won, it would let him continue to the next level. But Derp went a stage further: it discovered Varga’s home address and bombarded him with pizza deliveries, eventually sending over the police on the pretext of “a hostage situation”. Followers of the interchange reacted to this news with anger and, in turn, private details of the Derp ringleader were posted online, alongside those of his parents. Interestingly, the gaming community felt that a line had been crossed when Derp’s attacks transitioned into “real time” instead of when Derp began illegally hacking (and retaliated with action which was, itself, illegal). To those operating within the perceived lawlessness of cyberspace, there is clearly a hierarchy to criminal activity and perhaps the emergence of an organic “moral” code.

Online offences, real world consequences

So what type of criminal behaviour is perceived as “less criminal” when committed in cyberspace? Gaming platforms can be fertile ground for developing cybercriminals: behaviour which is obviously criminal if committed offline can be easily redressed as “adventurous” or “creative” in the context of an online game. As a consequence, “there are some sorts of criminality that youngsters don’t think of as serious […] It would be
hard to imagine a knock on the door from a policeman because you’ve stolen a sword off your friend in World of Warcraft”. [25] But weapons in World of Warcraft, a major multi-player online role-playing game, are purchased with “real world” money: any attempt to dishonestly deprive a player of that weapon is still theft, regardless of the fact that it takes place online.

This type of behaviour is concerning. The relative ease with which these crimes can be committed and the absence of any obvious deterrent effectively raises young people within an online moral vacuum. Casual criminality learnt online could easily manifest itself in the real world, which risks creating a situation in which criminals start online and “progress” to offline crime. Secondly, it perpetuates an increasing disassociation from the concept of harm and applauds gamers who push moral boundaries. Users are desensitised to the distinction between “right” and “wrong”, and instead become emboldened to transgress legal thresholds in cyberspace. One expert consulted by the Police and Crime Committee for their latest report described cybercrime as “fraud at a distance. You do not have to look someone in the eye and do something horrible to them”. [26] Without having to confront - or even consider - a victim’s suffering, cybercrime becomes that much more palatable, attracting those who are otherwise unlikely to see the inside of a magistrates’ court: “you would be amazed at the people who are at it. They are middle class, respectable people. [They] are midwives”. [27]

The perceived victimlessness of cybercrime is illusory. On a personal scale, “being tricked by an online fraudster or having your identity stolen can leave victims feeling embarrassed, insecure and vulnerable”. [28] On a public scale, “a high-end cyber-attack against financial institutions could have a far-reaching impact on our economy. Small and medium sized businesses can be bankrupted by a cyber-attack with owners and staff losing their jobs”, according to the National Policing Lead for Cybercrime, Peter Goodman. [29] Cybercrime costs the global economy up to $500 billion annually. [30] Given the globalised, boundless nature of the internet, cybercriminals can raise obstacles to having to confront their delinquency in the unlikelihood that their conduct is pursued legally: alongside scarce resources, “there are issues with jurisdiction, issues with extradition. Computer criminals […] throw up a lot of smokescreens between themselves and their victims, and the authorities on the other end”. [31]

The exploit – so often it’s about ‘me’

If the disassociation from harm is considered a characteristic of cybercrime, then the disassociation from traditional criminality is a characteristic of Category Two cybercriminals. Politically motivated hackers often act in response to what they regard as criminal activity committed by governments and corporates alike. Computer scientist Solomon Saleh, a member of the LulzSec group responsible for attacks against the Serious Organised Crime Agency, the National Health Service, the CIA, Sony and News International, boasted to a reporter of his “ethical attacks”. [32] Notorious US hacker Kevin Mitnick described his cybercrime as “social engineering”. [33] This disassociation is not new: Lloyd Blankenship’s “Hacker Manifesto”, written after his arrest for cybercrime in 1986, is considered a cornerstone of hacking culture and celebrated by hackers globally. Lines include: “my crime is that of curiosity […] My crime is that of outsmarting you, something you will never forgive me for”. [34] Any passing visit to hacker forums exposes the culture of self-aggrandisement and bravado that inspires these acts. Anonymity allows users to invent superhuman monikers behind which to operate: unveiled cybercriminals chose the soubriquets ‘Dark Dante’ (Kevin Poulsen), ‘MafiaBoy’ (Yan Romanowski), ‘The Darkside Hacker’ (Kevin Mitnick), ‘Resilient’ (Jeanson James Ancheta). [35]

Intelligence sharing

The very existence of these forums enhances the cybercriminal’s success. Whilst individual anonymity may be one weapon against detection, the shared flow of knowledge between cybercriminals is the envy of law enforcement agencies. According to Patrick Gray from Internet Security Systems, “the hacking community shares information with each other all the time. If a hacker is having a problem accessing a router or getting through a firewall, he’ll throw it onto the table […] looking for help. People are more than willing to help him complete the hack”. [36] By contrast, police operations are often thwarted by the embarrassment of corporations, who refuse to admit their vulnerability to cybercrime at the risk of reputational damage. Such corporations increasingly opt to insure themselves against the risk of cyberattack rather than taking proactive steps to prevent attacks and potentially incurring negative publicity. Facebook refused to confirm the Mangham hack into its source code: its intellectual property is its core worth, and its jeopardy affects its flotation.

Any justice will be rough

Ironically, the reluctance of corporations to report cybercrime helps perpetuate it by reducing the information available to the police and thereby limiting their capacity to intervene. From a criminological perspective, this creates a fascinating new landscape in which the policing of cyberspace remains “up for grabs”. Crimes are punished by crimes: individuals retaliate against transgressive hackers by posting their personal details online, leaving them exposed to identity fraud and the psychological trauma of the world knowing their home address. Companies, too, have stepped into the breach: in response to a notorious
gamer known as “DarkSide” who routinely hacked his way to victory, gaming platform ArenaNet “took over his account […] Darkside was stripped down to his underwear and forced to jump off a high bridge before all of the characters associated with his account were deleted”. [37] Those exacting rough justice begin to mark out the moral boundaries of a new, online community.

Known unknowns

The government likes to assure us that the levels of traditional crime (with a few exceptions) are decreasing, but whilst cybercrime remains under-reported and enforcement agencies struggle to keep pace with the transition of criminal activity to the online environment, we have to consider how much this is true or whether crime is simply becoming less visible. Tackling these sorts of crimes must be a priority for those involved in law enforcement, starting with establishing a reliable body of information on who these people are and how they come to join the ranks of the cybercriminal.

Notes

1. Police and Crime Committee, 2015, ‘Tightening the net: The Metropolitan Police Service’s response to online theft and fraud’ [online]: https://www.london.gov.uk/sites/default/files/Tightening%20the%20net.pdf [accessed 05.06.15]
2. Bednarz, Ann, 2004, ‘Profiling cybercriminals: A promising but immature science’, Network World [online]: http://www.networkworld.com/article/2327820/lan-wan/profiling-cybercriminals--a-promising-but-immature-science.html [accessed 05.06.15]
3. Warrell, Helen, 2015, ‘Britain’s crooks take criminal careers online’, Financial Times [online]: http://www.ft.com/cms/s/0/e3c8e486-ece7-11e4-a81a-00144feab7de.html [accessed 05.06.15]
4. 6 King’s Bench Walk seminar, 14th May 2015, ‘Cybercrime: Facing the Legal Risk’
5. Ibid
6. ‘Profiling cybercriminals’
7. ‘Tightening the net’
8. ‘Profiling cybercriminals’
9. Prince, Rosa, 2015, ‘Traditional crooks including violent offenders turn to cyber crime’, The Telegraph [online]: http://www.telegraph.co.uk/news/general-election-2015/11579044/Traditional-crooks-including-violent-offenders-turn-to-cyber-crime.html [accessed 05.06.15]
10. ‘Tightening the net’
11. Peachey, Paul, 2015, ‘‘World of Warcraft’ fraudsters: cyber-crime chief warns of new threat’, The Independent [online]: http://www.independent.co.uk/news/uk/crime/world-of-warcraft-fraudsters-cybercrime-chief-warns-of-new-threat-10030202.html [accessed 05.06.15]
12. Ibid
13. ‘Profiling Cybercriminals’
14. ‘Cybercrime: Facing the Legal Risk’
15. ‘Tightening the net’
16. Business, 2014, ‘JP Morgan sees 76 million customer accounts hacked’, BBC [online]: http://www.bbc.co.uk/news/business-29470381 [accessed 05.06.15]
17. Parkin, Simon, 2014, ‘Inside the mind of Derp, a hacking group with a taste for cyber chaos’, The Guardian [online]: http://www.theguardian.com/technology/2014/aug/28/derp-inside-hacking-group-cyber-attacks-phantomlord [accessed 05.06.15]
18. Ibid
19. Sandip Patel QC seminar, 12 March 2015, ‘Cybercrime Webinar’
20. ‘Cybercrime Webinar’
21. ‘Inside the mind of Derp’
22. Ibid
23. Ibid
24. Ibid
25. ‘‘World of Warcraft’ fraudsters: cyber-crime chief warns of new threat’
26. ‘Tightening the net’
27. Ibid
28. Ibid
29. National Crime Agency, 2015, ‘57 arrested in nationwide cybercrime strike week’ [online]: http://www.nationalcrimeagency.gov.uk/news/news-listings/560-57-arrested-in-nationwide-cyber-crime-strike-week [accessed 05.06.15]
30. Warnick, Jennifer, 2015, ‘Digital Detectives’, Microsoft [online]: https://news.microsoft.com/stories/cybercrime/index.HTML [accessed 05.06.15]
31. ‘Profiling cybercriminals’
32. Henry, Robin and Dowling, Kerry, 2011, ‘Hacker suspect vanishes after boasting of attacks’, The Sunday Times [online]: http://www.thesundaytimes.co.uk/sto/news/uk_news/Tech/article695788.ece [accessed 05.06.15]
33. Technology, 2015, ‘Top ten most famous hackers’, The Telegraph [online]: http://www.telegraph.co.uk/technology/6670127/Top-10-most-famous-hackers.html [accessed 05.06.15]
34. Blankenship, Lloyd, 1986, ‘Hacker Manifesto’, Phrack [online]: http://phrack.org/issues/7/3.html [accessed 05.06.15]
35. ‘Top ten most famous hackers’
36. ‘Profiling cybercriminals’
37. Vaas, Lisa, 2015, ‘Game hacker stripped, shamed and given in-game death sentence’, Naked Security [online]: https://nakedsecurity.sophos.com/2015/05/11/game-hacker-stripped-shamed-and-given-in-game-death-sentence/ [accessed 05.06.15]

■ Monty Raphael QC (+44 (0)20 7822 7777, montyr@petersandpeters.com) is Special Counsel, Celia Marr (+44 (0)20 7822 7739, [email protected]), a trainee solicitor and Kate Parker, a paralegal at Peters & Peters.

© Informa UK Ltd 2015
