26th February 2016
“I got V&” – Young People & Cyber Crime
Cyber crime and online fraud are a real and growing threat to people and businesses in the UK. In recent months there has been a string of high profile hacks and attacks against individuals and companies that have caused widespread damage and public concern. Many have subsequently been the subject of criminal investigations and some have led to the arrest of those suspected of being behind the attacks.
When arrests are made, one feature that recurs again and again is that those arrested are extraordinarily young. In fact, it is often the case that those accused of the most serious and technically complex cyber-attacks are, in the eyes of the law, children.
To date, five individuals have been arrested in connection with the notorious TalkTalk hack in October 2015. The five include two adults of 20 and 18 years old respectively but also include a 15 year old boy from County Antrim and two 16 year olds from London and Norwich.
Even more recently, in February 2016, a 15 year old boy was arrested in the East Midlands by the South East Regional Organised Crime Unit on suspicion of involvement with the hacking collective “Crackas with attitude.” Media reports suggest that this group was behind a number of high profile attacks, including gaining unauthorised entry to the emails of John Brennan, the Director of the CIA, as well as those of James Clapper, the US Director of National Intelligence, and publishing the personal data of 20 000 employees of the FBI on the web after gaining access to the Department of Justice’s Intranet.
On a smaller scale, children and young adults are increasingly being duped by others into laundering the proceeds of online crime. Communicating online and through mobile messaging apps with people they have never met, they may be promised a cash payment for sharing their bank and PayPal account details and allowing the fraudsters to log on to their computers remotely. Their accounts receive the proceeds of the scam which are then transferred onwards by the fraudsters. Typically, they never receive their promised cash, but instead are left with nothing more than a paper trail that ensures that they will be the starting point for any subsequent investigation.
Why are young people at such high risk of becoming involved in cyber crime?
Firstly, the opportunities are ever present. The internet is now pervasive within our society and is accessible through a wide range of devices. In contrast to offline behaviour, the ubiquity of connectivity means that it is now very difficult for parents to monitor, much less control, online behaviour that might be cause for concern. Today’s children have access to levels and types of contacts and data that were unimaginable to their parents’ generation. They can often be poorly equipped to deal with the dangers posed by this power.
In addition, cyber crime can be seen by those committing it as a relatively victimless activity. There is both a physical and a moral distance from the harm caused and the effect of your actions on others when criminality can be committed without leaving the comfort of your own home.
Cyber crime is also, at present, easy to commit. Perhaps counterintuitively, many successful hacks and data breaches do not necessarily require a great degree of technical knowledge on the part of the attacker. User friendly hacking tools can simply be bought online, giving relatively unsophisticated customers the ability to set up their own attacks. Furthermore, hacks often rely for their success on a surprising level of weakness and basic mistakes on the part of the defender rather than any particular skill from the attacker.
There is also a widely and deeply held, but erroneous, belief that technological knowledge and the use of anonymising software such as the Tor web browser and good “OpSec” effectively make a good hacker totally untraceable and therefore invulnerable to law enforcement agencies. The perception that they can operate with impunity can mean that many simply never consider any potential consequences of getting caught.
Take “Crackas with attitude’s” hack of the CIA. Whilst they may have boasted afterwards that “a five year old could do it” with some justification, it is hard to understand the mentality of a group that believed it could hack the Director of the CIA and not face consequences. Just because you can do something, doesn’t mean you should.
Increasingly, in online crime where a specific target has been chosen, this naivety can express itself as ideology. Online chatrooms can connect people of similar views and aims wherever they may be in the world. These discussions can quickly become an echo chamber, with dissenters chased away. It is easy to see how individuals can become “radicalised” and come to see the world in Manichean terms. Thus Lizard Squad cast themselves as nemesis to Sony, Cracka posted the stolen details of FBI employees online with a message supporting a free Palestine, Anonymous cast themselves as the mortal foes of ISIS, and the Silk Road darknet marketplace operated under an extreme libertarian ethos permitting users to sell almost any product, lawful or not.
That sense of belonging to a community and the acceptance, respect and kudos that it can bring should not be underestimated, particularly if that individual’s home life or standing in the “real world” is precarious.
What can be done to protect children and young people and to prevent them from getting involved in online crime?
The most important step that can be taken is to educate children in respect of the dangers posed by the internet to them and to ensure that they understand that actions and words placed online have consequences offline.
This approach can not only help to reduce the instances of online bullying and harassment through social networks which are increasingly common, but can also ensure that the perception of online invulnerability that persists amongst young cyber criminals is fatally punctured.
A recent example of this approach in practice can be seen in the National Crime Agency’s “Operation Vivarium” which in September 2015 targeted users of the “Lizard Stresser” tool, an application offered for sale by the hacking group “Lizard Squad” that enabled purchasers to carry out their own Distributed Denial of Service (DDoS) attacks on websites. Whilst individuals who had used the Lizard Stresser to carry out attacks were arrested in the raids, a new and interesting tactic adopted by the NCA officers was that 50 or so additional individuals, who were identified as being registered on the Lizard Squad website but who were not thought to have taken part in any attacks, also received visits from the investigators. Over one third of the individuals identified were under 20 years old.
Those receiving visits were warned of the potential consequences of taking part in illegal cyber attacks and Tony Adams, Head of Investigations at the NCA’s National Cyber Crime Unit said “One of our key priorities is to engage with those on the fringes of cyber criminality, to help them understand the consequences of cyber crime and how they can channel their abilities into productive and lucrative legitimate careers.”
Another useful strand of this approach might be for authorities to adopt a more “zero tolerance” approach to low level instances of online crime. It is increasingly common for online bank or PayPal accounts to be hijacked and funds used to order fast food deliveries or to purchase goods from Amazon.com. There is, at present, little will on the part of investigators to look into these low value thefts and the victim is usually reimbursed by the website in question. However, it seems obvious that becoming involved in this type of activity is likely to be a starting point or gateway to future, more serious crime, particularly when the experience reinforces the perception that crime of this nature has no adverse consequences. Given that the investigation of these matters would be relatively straightforward (follow the pizza!), long term benefits might well accrue from pursuing these relatively less significant crimes.
Finally, one relatively straightforward way to reduce levels of online crime is for individuals and corporations to be much more conscious of their IT and data security and to make it much more difficult for a successful attack to target them. This need not involve investment in expensive software, but rather in ensuring that cultures and procedures are in place to prevent the basic errors that allow attacks to succeed. This can include awareness of how to spot phishing scams, so that malware is not introduced to otherwise secure systems through carelessness, and also ensuring that staff understand how scammers use social engineering and spoofing techniques to trick them into disclosing sensitive data.
The importance of ensuring good data security cultures cannot be overstated, nor can the impact of not doing so be underestimated.