Thursday, April 28, 2011
Hacking has become a lucrative profession
In the early 90s, hacking was all about fun and fame. Hackers liked to demonstrate their technical prowess to one and all by creating viruses or defacing websites. They primarily hacked companies which they felt overcharged, and published these hacks on websites to be used by a large number of amateurs. Some defaced websites to support a cause. In the early 21st century there has been an exponential growth in malware, yet few claimants to fame. Website defacements have reduced drastically, and are limited to cross-border conflicts such as Pakistani hackers attempting to deface Indian government sites.
So what changed?
Money is the new game, not fun and fame.
With the growth of business-to-consumer commerce, banking, auctions, stock broking and so on, hackers found that it was easier to make money by stealing credentials. Hackers partnered with non-tech-savvy fraudsters who used this information to conjure a wide range of scams to defraud victims. Hackers also provided fraudsters with elaborate technical methods, tools, malware and scam execution frameworks. This evolution saw the creation of several intermediaries in an organized underground marketplace for the theft and trade of credentials, malware, and execution of online scams, which vastly enhanced the revenue a hacker made. According to reports, in some countries fraudsters fuel the economy of small towns. In parallel with government and consumers becoming sensitive to security breaches, a new market for blackmail was created where hackers stole personal data and returned it to companies for a premium. Hackers in the last two years migrated from solitary individuals to well-funded organized crime rings dedicated to creating and establishing infrastructure to subvert the online world.
As these markets for hackers evolve, so do regulatory and technical security mechanisms which serve to punish or limit the return a hacker obtains. Hackers react by becoming more innovative and moving away from mass targeting to selective choice of victims. My post "Fraudster uses Hackers and Spammers in 'Pump and Dump' securities scam" demonstrates how innovative scams can be. Of late, I have seen paid hackers active in assisting companies in corporate espionage and sabotage of competitors. I believe this line of business will grow rapidly in the years to come, with plenty of opportunity as we build smart homes, smart governments and broadband mobile access.
Hackers run a business, targeting maximum return and low risk, with full access to an underground marketplace. The way to get hackers to end their ways is not simply to catch and punish them but to make it uneconomical for them to run their business. To do so we need software free of vulnerabilities, security awareness and quick deployment of patches from product vendors. We also need accurate figures on how big the cybercrime industry is, to ensure it receives the focus and attention from law agencies and lawmakers.