People made unemployed and looking for work as a result of the coronavirus pandemic have been increasingly turning to cyber crime to make money easily and quickly, according to recent findings from cyber security researchers at Check Point.
After studying a range of dark web and hacking forums, the researchers discovered that many people are offering to work for cyber crime organisations in return for prompt cash payments. In fact, the researchers estimate that between 10 and 16 posts from desperate job seekers appear on these forums every month.
In these posts, budding cyber criminals are asking for everything from $200,000 one-time cyber crime contracts to paid monthly roles. But why are people going to these lengths, what risks are they taking, and is there a way to solve this problem?
Due to the devastating economic challenges caused by the coronavirus pandemic, millions of people have been placed on furlough or left unemployed. And with no choice but to look for new ways to make money, some have turned to cyber crime.
“Unfortunately, many people have fallen on hard times, with many unable to find employment,” says Sean Wright, application security lead at software firm Immersive Labs. “While not an excuse, it’s understandable that some may turn to cyber crime to make some money to survive.”
Wright says there are many reasons why people may be drawn to cyber crime in the pandemic.
“Given some of the lenient sentences given for cyber crime, it does make it one of the lower-risk crimes to commit, and sometimes has a suitable payout as well,” he says. “There’s also the disconnect from the victim, making it easier on a personal level to commit the crime for some. Some may even view it as victimless, when in reality it’s not.”
But he credits the dramatic rise in cyber crime during the coronavirus pandemic to experienced cyber criminals and cyber crime organisations, rather than people without any prior experience. Wright tells Computer Weekly: “In terms of how widespread the issue is, we’ve seen an increase in cyber crime since the start of the pandemic, but I think that’s largely organised criminal groups.
“In the West, I think we are still yet to see the full impact of the restrictions which have been in place since the start of the pandemic. We will likely start seeing more and more once government support ends and people are left with very few options.”
Jake Moore, a security specialist at cyber security firm ESET, agrees that the financial difficulties brought about by the pandemic may give some people no option but to commit cyber crime.
“Difficult times have generated desperate measures and when services such as ransomware as a service [RaaS] are so widely and easily available, it is understandable that numbers have increased and are becoming more difficult to manage,” he says.
“Cyber crime has never been so easy to experiment with, especially when services advertise openly on Instagram and other social networks. It is often marketed as low risk and sold with ways of avoiding being caught, which simply amplifies the temptation. The risks, however, are still there.”
Nicola Whiting, co-owner and chief strategy officer at configuration analysis specialists Titania, describes the Check Point findings as unsurprising. “The risk of future criminal conviction is perceived as low, whereas the ease – a quick download, and the reward – instant money, means the risk/reward ratio could be enticing,” she says.
“People feeling financially vulnerable or marginalised or that they’re falling through the cracks of society are more likely to focus on their immediate needs rather than future consequences. It’s Maslow’s Hierarchy of Needs in action.”
While cyber crime might seem like a quick and easy way to earn money during tough times, there are many risks involved. “Taking a job in cyber crime is a huge risk. It could be a scam in which you receive no payment. You could end up facing charges in court,” says Paul Bischoff, privacy advocate at Comparitech.
“You could be unfairly treated or overworked with no recourse. You could end up stuck in a situation where your employer threatens to publicise your illegal activity or report you to the police if you quit.”
Joshua Burch, head of cyber security for the Europe, Middle East, India, and Africa region at FTI Consulting, says the biggest risk is that people cannot simply turn back after performing an act of cyber crime. “Once they have committed a crime and are engaged in the networks, other cyber criminals can use this as leverage over them,” he says. “Suddenly they can be blackmailed to be kept compliant. It’s a slippery slope.”
Terry Greer-King, EMEA vice-president at SonicWall, says inexperienced cyber criminals will struggle to avoid detection by the authorities and risk lengthy prison sentences when they are eventually caught.
“Cyber criminals can hide their tracks easily and launch attacks that go unnoticed until it’s too late,” he says. “Yet while this is easy enough for a seasoned professional, your Average Joe hacker may not have the necessary skills [and] if caught, cyber criminals face up to 10 years in prison for unauthorised access.
“Yet, it’s not prison sentences alone that people risk. It’s also the risk to reputation, future job prospects, impact on family, loss of additional money and, most importantly, the risk of becoming associated with an undesirable crowd.”
James Pleger, manager of special operations services at Sumo Logic, says risks involved with pursuing a cyber crime career include prison time, asset forfeiture, blackmail, being targeted by other cyber criminals, and even physical violence.
“What I will say is that as an industry and from a legislative point of view we as a society have not made it more difficult, more costly or riskier for cyber criminals to engage in illegal activity,” he says. “If anything, over the past 10 years, it has become easier, more anonymous and lucrative for criminals to carry out cyber crime.
“I think that going forward, the industry has to remind people that short term gains might not be worth the risk, since if you are caught doing cyber crime, you will essentially become unemployable in any technology role,” says Pleger.
“Sure, there are specific examples of people who have broken the mould, but for every one of those people there are hundreds more who have had to find new careers.”
Tackling the issue
With the demand for cyber security professionals constantly increasing, some unemployed people have a chance to re-skill and find legitimate opportunities in the high-growth cyber sector. But is the cyber security industry doing enough to support and encourage them to take up cyber careers?
“The industry has complained about the lack of cyber talent, yet in less than 12 months cyber criminals have recruited from all industries,” says FTI’s Burch. “Although we have seen an uplift in experienced hires into the industry, we must provide a pipeline in parallel to bring in talented people with no prior cyber security experience.”
Shlomie Liberow, principal solutions architect at bug bounty platform HackerOne, points out that ethical hackers can also make lots of money. “Ethical hacking can be just as lucrative or even more so than cyber crime, but with the risks removed – hackers earned over $40m in bounties last year with 10 hackers reaching over $1m in total earnings on the HackerOne platform. This presents a more realistic career choice,” he says.
However, he says the motivation to hack also goes beyond financial gain. “We see many hackers actively participating in vulnerability disclosure programs for businesses with no monetary reward. Nearly half of hackers on the platform (47%) say that they are motivated by the desire to protect and defend businesses and individuals from increased cyber threats,” says Liberow.
“Hackers are also keen to develop their skill sets – 85% hack with the desire to learn and 62% hack to advance their career. It’s clear that many would rather enjoy a long, prosperous career in ethical hacking than risking it all for cyber crime.”
Greer-King at SonicWall says the industry has an essential role in helping channel latent security talent into ethical hacking roles. “With the rise of cyber risks, global ransomware attacks rose by 62%, with 304.6 million attacks worldwide and IoT devices became the backdoor for hackers, with attacks skyrocketing 66%; security teams are thin on the ground,” he says.
“In 2021, recruitment is the key to tackling cyber crime. The industry needs to invest in hiring security professionals and reduce the number of people turning to cyber crime. Additional hires will also help reduce burnout across security teams and enable organisations to protect against attacks.”
Oded Vanunu, head of product vulnerabilities research at Check Point – whose team conducted the initial research – says there are many ways that cyber security suppliers can convince people to choose ethical hacking over cyber crime. He explains that firms can provide talented people with opportunities to deal with cyber attacks, host ethical hacking conferences to showcase different challenges, and offer bug bounty programmes that reward ethical hackers who find and report vulnerabilities.
“Companies who work on the defence side of cyber security hire people who think like hackers to provide security from them and so we do invest large sums of money every year in education and training of people that have a passion for this to further expand their credentials in the cyber defence world,” he says.
Immersive Labs’ Wright believes that the cyber security industry should encourage people to put their skills and energy to good use instead of committing cyber crime. “One way is to encourage them to look to things such as bug bounties where they can earn a legitimate income,” he says.
“Another option is to get them to start applying for jobs. Cyber security is perhaps one of the few industries which has seen limited impact from the pandemic and in some cases even seen growth,” says Wright.
“There is plenty of free training available as well, encouraging people to take it and obtain a full-time job. Communities are a great way to accomplish this, helping others with information and guidance while helping to ensure people stay on the right side of the law.”
Covid-19 has resulted in financial hardship for many people across the world. While it’s understandable that people are desperate to make money, cyber crime is not the answer. Instead, those affected by unemployment should turn their attention to legitimate job opportunities in cyber.