The face of today's cybercriminal looks surprisingly familiar. He has an expansive network of partners and technology geeks. He's contracted out research and development to write his software and middle managers to make sure everyone in his organization is doing their part to rake in the dough. He's a smart businessman who is able to leverage others' skill sets to turn a profit.
Sounds like someone you can relate to, right--someone embracing the entrepreneurial spirit? That's precisely the problem. That character is emblematic of the new wave of cybercriminals who are taking over the internet, making millions off the backs of honest business owners and consumers around the world.
"Over the past year, cybercriminals have been more financially motivated than ever," says Neil Daswani, co-founder and chief technology officer of security firm Dasient. "Cybercriminals are very entrepreneurial indeed, although they are surely not moral."
And the way things have transpired, these shadowy cybercriminals don't even need to be tech whizzes to steal from you. "The underground economy has evolved with specific roles that are sought after and paid for," says Michael Sutton, vice president of security research for cloud security provider Zscaler. "This has allowed criminals without a technical background to benefit from web- and e-mail-based attacks. They don't need to create the attacks themselves--they simply purchase an exploit kit in the underground and it handles the heavy lifting for them."
Today's cybercrime economy is made up of a complicated mix of specialists, each of whom makes money doing one thing really well. It's classic capitalism at play. There are people who write malware kits to scan the internet and infect computers automatically. There are those who use that malware to gather infected machines and control them in a collective computing pool called a botnet. There are others who rent out botnets to run larger attacks against banks, or to steal big pools of identities. There are still more criminals who use stolen identities to actually go to ATM machines and steal the money.
And then there are the kingpins. Typically operating in Eastern Europe or China, beyond the law enforcement reach of Western countries, they take all the different resources available and come up with the business plans to put fraudulent schemes into action. They either put the specialists on their payroll or hire them as contractors to do their individual parts.
"They piece it all together," says David Koretz, CEO and president of security firm Mykonos Software. "They go to one group to write the virus, a second group to take the virus and use it to build a big network, a third group to find a vulnerability in an e-commerce site and a fourth group to attack that site and do tens of thousands of transactions in a few minutes by using a wide range of bots. Now all of a sudden they've done a million dollars of theft in a few minutes."
As a case study in the organic development of a free-market economy, the evolution of the modern hacking ecosystem is fascinating. It's also horrifying, because it comes at the expense of small businesses. According to security experts, small businesses are ideal targets for the cybercrime syndicate because they tend to have more computers, stored data and money to steal from than the average consumer, and much fewer security protections in place than larger enterprises.
"The sweet spot really is the small business," says Kevin Haley, director of Symantec Security Technology and Response.
One of the big misconceptions that small-business owners and sole proprietors tend to have is that they can't possibly be targeted by the bad guys. It's hard enough to get customers to find your website, so how's a crook from Estonia going to find you? The thing to remember is that these criminal entrepreneurs have completely automated their hacking schemes, says Chester Wisniewski, senior security advisor at security firm Sophos.
"We need to understand that Bob's lawn mower business isn't being targeted by criminals--they're just looking for every single instance of a vulnerable website on the internet, and if they can find one, they infect it," Wisniewski says. "So the thought that 'I'm too small, they're not going to hit me' isn't really a valid defense. Certainly you aren't going to be targeted the same way that Sony was targeted. But that doesn't mean you won't be targeted--you're just going to be targeted by an automated bot."
Clearly, you're the hunted in all of this. And just as animals evolve to develop camouflage and protections from predators, you need to adjust your business to avoid becoming lunchmeat.